Installation and Operation Manual
SecFlow-1p
Industrial IoT Gateway
Version 5.0
© 2019–2022 RAD Data Communications Ltd.
This manual contains information that is proprietary to RAD Data Communications Ltd. ("RAD"). No part
of this publication may be reproduced in any form whatsoever without prior written approval by RAD
Data Communications.
Right, title and interest, all information, copyrights, patents, know-how, trade secrets, and other
intellectual property or other proprietary rights relating to this manual and to the SecFlow-1p and any
software components contained therein are proprietary products of RAD protected under international
copyright law and shall be and remain solely with RAD.
The SecFlow-1p product name is owned by RAD. No right, license, or interest to such trademark is
granted hereunder, and you agree that no such right, license, or interest shall be asserted by you with
respect to such trademark. The RAD name, logo, logotype, and the product names Airmux, IPmux,
MiNID, MiCLK, Optimux, and SecFlow are registered trademarks of RAD Data Communications Ltd. All
other trademarks are the property of their respective holders.
You shall not copy, reverse compile, or reverse assemble all or any portion of the Manual or the
SecFlow-1p. You are prohibited from, and shall not, directly or indirectly, develop, market, distribute,
license, or sell any product that supports substantially similar functionality as the SecFlow-1p, based on
or derived in any way from the SecFlow-1p. Your undertaking in this paragraph shall survive the
termination of this Agreement.
This Agreement is effective upon your opening of the SecFlow-1p package and shall continue until
terminated. RAD may terminate this Agreement upon the breach by you of any term hereof. Upon such
termination by RAD, you agree to return to RAD the SecFlow-1p and all copies and portions thereof.
Contact Information
For further information, contact RAD at the address below, or contact your local business partner.
International Headquarters
24 Raoul Wallenberg St., Tel Aviv 6971923, Israel
Tel 972-3-6458181 | Fax 972-3-7604732
Email market@rad.com
North American Headquarters
900 Corporate Drive, Mahwah, NJ 07430, USA
Tel 201-529-1100 | Toll Free: 800-444-7234 | Fax: 201-529-5777
Email market@radusa.com
www.rad.com | radcare-online.rad.com
Publication No. 768-205-05/22
Limited Warranty
RAD warrants to DISTRIBUTOR that the hardware in the SecFlow-1p to be delivered hereunder shall be
free of defects in material and workmanship under normal use and service for a period of twelve (12)
months following the date of shipment to DISTRIBUTOR.
If, during the warranty period, any component part of the equipment becomes defective by reason of
material or workmanship, and DISTRIBUTOR immediately notifies RAD of such defect, RAD shall have the
option to choose the appropriate corrective action: a) supply a replacement part, or b) request return of
equipment to its plant for repair, or c) perform necessary repair at the equipment's location. In the
event that RAD requests the return of equipment, each party shall pay one-way shipping costs.
RAD shall be released from all obligations under its warranty in the event that the equipment has been
subjected to misuse, neglect, accident, or improper installation, or if repairs or modifications were made
by persons other than RAD's own authorized service personnel, unless such repairs by others were made
with the written consent of RAD.
The above warranty is in lieu of all other warranties, expressed or implied. There are no warranties
which extend beyond the face hereof, including, but not limited to, warranties of merchantability and
fitness for a particular purpose, and in no event shall RAD be liable for consequential damages.
RAD shall not be liable to any person for any special or indirect damages, including, but not limited to,
lost profits from any cause whatsoever arising from or in any way connected with the manufacture, sale,
handling, repair, maintenance, or use of the SecFlow-1p, and in no event shall RAD's liability exceed the
purchase price of the SecFlow-1p.
DISTRIBUTOR shall be responsible to its customers for any and all warranties which it makes relating to
SecFlow-1p and for ensuring that replacements and other adjustments required in connection with the
said warranties are satisfactory.
Software components in the SecFlow-1p are provided "as is" and without warranty of any kind. RAD
disclaims all warranties including the implied warranties of merchantability and fitness for a particular
purpose. RAD shall not be liable for any loss of use, interruption of business, or indirect, special,
incidental or consequential damages of any kind. In spite of the above, RAD shall do its best to provide
error-free software products and shall offer free Software updates during the warranty period under
this Agreement.
RAD's cumulative liability to you or any other party for any loss or damages resulting from any claims,
demands, or actions arising out of or relating to this Agreement and the SecFlow-1p shall not exceed the
sum paid to RAD for the purchase of the SecFlow-1p. In no event shall RAD be liable for any indirect,
incidental, consequential, special, or exemplary damages or lost profits, even if RAD has been advised of
the possibility of such damages.
This Agreement shall be construed and governed in accordance with the laws of the State of Israel.
Safety and Disposal (English)
General Safety Instructions
The following instructions serve as a general guide for the safe installation and operation of
telecommunications products. Additional instructions, if applicable, are included inside the manual.
This equipment is not suitable for use in locations where children are likely to be present.
Safety Symbols
This symbol indicates potential safety hazards regarding product operation
or maintenance to the equipment.
This symbol may appear on the equipment or in the text. It indicates
potential safety hazards regarding product operation or maintenance to
operator or service personnel.
Warning
Danger of electric shock! Avoid any contact with the marked surface while
the product is energized or connected to outdoor telecommunication lines.
Hot surface! Contact may cause burn. Do not touch.
Protective ground: the marked lug or terminal should be connected to the
building protective ground bus (to be performed by skilled personnel only).
Some products may be equipped with a laser diode. In such cases, a label
with the laser class and other warnings as applicable is attached near the
optical transmitter. The laser warning symbol may be also attached.
Please observe the following precautions:
• Before turning on the equipment, make sure that the fiber-optic cable is
intact and is connected to the transmitter.
• Do not attempt to adjust the laser drive current.
• Do not use broken or unterminated fiber-optic cables/connectors or look
straight at the laser beam.
• The use of optical devices with the equipment increases eye hazard.
• Use of controls, adjustments, or performing procedures other than those
specified herein may result in hazardous radiation exposure.
ATTENTION: The laser beam may be invisible!
Some products may be equipped with a replaceable battery. There is danger
of explosion if batteries are mishandled or incorrectly replaced. On systems
with replaceable batteries, replace only with the same manufacturer and
type or equivalent type recommended by the manufacturer per the
instructions provided in the product service manual. Do not disassemble
batteries or attempt to recharge them outside the system. Do not dispose of
batteries in fire. Dispose of batteries properly in accordance with the
manufacturer’s instructions and local regulations.
In some cases, the users may insert their own SFP laser transceivers into the product. Users are alerted
that RAD cannot be held responsible for any damage that may result if non-compliant transceivers are
used. In particular, users are warned to use only agency approved products that comply with the local
laser safety regulations for Class 1 laser products.
Always observe standard safety precautions during installation, operation, and maintenance of this
product. Only qualified, authorized, and skilled service personnel should carry out adjustment,
maintenance, or repairs to this product. No installation, adjustment, maintenance, or repairs should be
performed by either the operator or the user.
Handling Energized Products
General Safety Practices
Do not touch or tamper with the power supply when the power cord is connected. Line voltages may be
present inside certain products even when the power switch (if installed) is in the OFF position or a fuse
is blown. For DC-powered products, although the voltages levels are usually not hazardous, energy
hazards may still exist.
Before working on equipment connected to power lines or telecommunication lines, remove jewelry or
any other metallic object that may come into contact with energized parts.
Unless otherwise specified, all products are intended to be grounded during normal use. Grounding is
provided by connecting the mains plug to a wall socket with a protective ground terminal. If a ground
lug is provided on the product, it should be connected to the protective ground at all times, by a wire of
diameter 18 AWG or wider. Rack-mounted equipment should be mounted only in grounded racks and
cabinets. These procedures should be performed by skilled personnel only.
Always make the ground connection first and disconnect it last. Do not connect telecommunication
cables to ungrounded equipment. Make sure that all other cables are disconnected before
disconnecting the ground.
Some products may have panels secured by thumbscrews with a slotted head. These panels may cover
hazardous circuits or parts, such as power supplies. These thumbscrews should therefore always be
tightened securely with a screwdriver after both initial installation and subsequent access to the panels.
Before connecting or disconnecting the AC or DC mains connector to/from the
device, the user should validate that the Power switch in the control panel is set to
OFF.
Warning
The Power switch can be activated only after the AC or DC mains connector is
connected to the device.
Connecting AC Mains
Make sure that the electrical installation complies with local codes.
Always connect the AC plug to a wall socket with a protective ground.
The maximum permissible current capability of the branch distribution circuit that supplies power to the
product is 16A (20A for USA and Canada). The circuit breaker in the building installation should have
high breaking capacity and must operate at short-circuit current exceeding 35A (40A for USA and
Canada).
Always connect the power cord first to the equipment and then to the wall socket. If a power switch is
provided in the equipment, set it to the OFF position. If the power cord cannot be readily disconnected
in case of emergency, make sure that a readily accessible circuit breaker or emergency switch is installed
in the building installation.
In cases when the power distribution system is IT type, the switch must disconnect both poles
simultaneously.
Note
The Denmark power cord is not provided with the equipment and should
comply with IEC and the local electrical code.
Connecting DC Power
Unless otherwise specified in the manual, the DC input to the equipment is floating in reference to the
ground. Any single pole can be externally grounded.
Due to the high current capability of DC power systems, when connecting the DC supply, pay attention
to avoid short-circuits and fire hazards.
Make sure that the DC power supply is electrically isolated from any AC source and that the installation
complies with the local codes.
The maximum permissible current capability of the branch distribution circuit that supplies power to the
product is 16A (20A for USA and Canada). The circuit breaker in the building installation should have
high breaking capacity and must operate at short-circuit current exceeding 35A (40A for USA and
Canada).
Before connecting the DC supply wires, ensure that power is removed from the DC circuit. Locate the
circuit breaker of the panel board that services the equipment and switch it to the OFF position. When
connecting the DC supply wires, first connect the ground wire to the corresponding terminal, then the
positive pole, and last the negative pole. Switch the circuit breaker back to the ON position.
A readily accessible disconnect device that is suitably rated and approved should be incorporated in the
building installation.
If the DC power supply is floating, the switch must disconnect both poles simultaneously.
Connecting Data and Telecommunication Cables
Data and telecommunication interfaces are classified according to their safety status.
The following table lists the status of several standard interfaces. If the status of a given port differs
from the standard one, a notice is given in the manual.
Ports and their safety status:
• ES1 (Electrical energy source class 1): V.11, V.28, V.35, V.36, RS-530, X.21, 10BASE-T, 100BASE-T,
1000BASE-T, Unbalanced E1, E2, E3, STM, DS-2, DS-3, S-Interface ISDN, Analog voice E&M;
xDSL (without feeding voltage), Balanced E1, T1, Sub E1/T1, POE; Input DC Voltage up to 60 VDC.
Ports which do not present a safety hazard. Usually up to 30 VAC or 60 VDC.
• ES2 (Electrical energy source class 2): FXS, FXO.
• ES3 (Electrical energy source class 3): Input DC Voltage up to 72 VDC; AC power source declared.
Always connect a given port to a port of the same safety status. If in doubt, seek the assistance of a
qualified safety engineer.
Always make sure that the equipment is grounded before connecting telecommunication cables. Do not
disconnect the ground connection before disconnecting all telecommunication cables.
Some SELV and non-SELV circuits use the same connectors. Use caution when connecting cables. Extra
caution should be exercised during thunderstorms.
When using shielded or coaxial cables, verify that there is a good ground connection at both ends. The
grounding and bonding of the ground connections should comply with the local codes.
The telecommunication wiring in the building may be damaged or present a fire hazard in case of
contact between exposed external wires and the AC power lines. In order to reduce the risk, there are
restrictions on the diameter of wires in the telecom cables, between the equipment and the mating
connectors.
To reduce the risk of fire, use only No. 26 AWG or larger telecommunication
line cords.
Warning
Some ports are suitable for connection to intra-building or non-exposed wiring or cabling only. In such
cases, a notice is given in the installation instructions.
Do not attempt to tamper with any carrier-provided equipment or connection hardware.
Electromagnetic Compatibility (EMC)
The equipment is designed and approved to comply with the electromagnetic regulations of major
regulatory bodies. The following instructions may enhance the performance of the equipment and
provide better protection against excessive emission and better immunity against disturbances.
A good ground connection is essential. When installing the equipment in a rack, make sure to remove all
traces of paint from the mounting points. Use suitable lock-washers and torque. If an external grounding
lug is provided, connect it to the ground bus using braided wire as short as possible.
The equipment is designed to comply with EMC requirements when connecting it with unshielded
twisted pair (UTP) cables with the exception of 1000BaseT ports that must always use shielded twisted
pair cables of good quality (CAT 5E or higher). However, the use of shielded wires is always
recommended, especially for high-rate data. In some cases, when unshielded wires are used, ferrite
cores should be installed on certain cables. In such cases, special instructions are provided in the
manual.
Disconnect all wires which are not in permanent use, such as cables used for one-time configuration.
The compliance of the equipment with the regulations for conducted emission on the data lines is
dependent on the cable quality. The emission is tested for UTP with 80 dB longitudinal conversion loss
(LCL).
Unless otherwise specified or described in the manual, ES1 and ES2 electrical energy sources provide
protection against surges on the data lines. Primary protectors should be provided in the building
installation.
The equipment is designed to provide adequate protection against electrostatic discharge (ESD).
However, it is good working practice to use caution when connecting cables terminated with plastic
connectors (without a grounded metal hood, such as flat cables) to sensitive data lines. Before
connecting such cables, discharge yourself by touching ground or wear an ESD preventive wrist strap.
FCC-15 User Information
This equipment has been tested and found to comply with the limits of the Class A digital device,
pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against
harmful interference when the equipment is operated in a commercial environment. This equipment
generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with
the Installation and Operation Manual, may cause harmful interference to the radio communications.
Operation of this equipment in a residential area is likely to cause harmful interference, in which case
the user will be required to correct the interference at his own expense.
Canadian Emission Requirements
This Class A digital apparatus meets all the requirements of the Canadian Interference-Causing
Equipment Regulations.
Warning per EN 55032 (CISPR 32)
This equipment is compliant with Class A of CISPR 32. In a residential
environment, this equipment may cause radio interference.
Warning
Product Disposal
To facilitate the reuse, recycling and other forms of recovery of waste
equipment in protecting the environment, the owner of this RAD product is
required to refrain from disposing of this product as unsorted municipal
waste at the end of its life cycle. Upon termination of the unit’s use,
customers should provide for its collection for reuse, recycling, or other form
of environmentally conscientious disposal.
Safety and Disposal (French)
General Safety Instructions
The following instructions serve as a general guide for the safe installation and operation of
telecommunications products. Additional instructions, if applicable, are included in the manual.
This equipment is not suitable for use in locations where children are likely to be present.
Safety Symbols
This symbol indicates potential safety hazards regarding product operation
or maintenance of the equipment.
This symbol may appear on the equipment or in the text. It indicates
potential safety hazards to the operator or service personnel regarding
product operation or maintenance.
Warning
Danger of electric shock! Avoid any contact with the marked surface while
the product is energized or connected to external telecommunication lines.
Hot surface! Contact may cause burns. Do not touch.
Protective ground: the marked lug or terminal should be connected to the
building protective ground (to be performed by qualified personnel only).
Some products may be equipped with a laser diode. In such cases, a label
indicating the laser class (as well as other warnings where applicable) is
attached near the optical transmitter. The laser warning symbol may also be
attached.
Please observe the following precautions:
• Before turning on the equipment, make sure that the fiber-optic cable is
intact and is connected to the transmitter.
• Do not attempt to adjust the laser drive current.
• Do not use broken or unterminated fiber-optic cables or connectors, and do
not look directly at a laser beam.
• The use of optical devices with the equipment increases the risk to the
eyes.
• Use of controls, adjustments, or procedures other than those specified
herein may result in hazardous radiation exposure.
ATTENTION: The laser beam may be invisible!
Some products may be equipped with a replaceable battery. There is a risk of
explosion if batteries are handled or replaced incorrectly. On systems with
replaceable batteries, replace them only with batteries of the same
manufacturer and type, or an equivalent type recommended by the
manufacturer, in accordance with the instructions provided in the product
service manual. Do not disassemble batteries or attempt to recharge them
outside the system. Do not dispose of batteries in fire. Dispose of batteries
in accordance with the manufacturer's instructions and local regulations.
In some cases, users may insert their own SFP laser transceivers into the product. Users are warned
that RAD cannot be held responsible for any damage that may result from the use of non-compliant
transceivers. In particular, users are warned to use only agency-approved products that comply with
the local laser safety regulations for Class 1 laser products.
Always observe standard safety precautions during installation, operation, and maintenance of this
product. Only qualified, authorized, and skilled service personnel should carry out adjustment,
maintenance, or repairs to this product. No installation, adjustment, maintenance, or repair should be
performed by the operator or the user.
Handling Energized Products
General Safety Practices
Do not touch or tamper with the power supply when the power cord is connected. Line voltages may be
present inside certain products even when the switch (if installed) is in the OFF position or the fuse
is blown. For DC-powered products, the voltage levels are usually not hazardous, but energy hazards
may still exist.
Before working on equipment connected to power or telecommunication lines, remove jewelry or any
other metallic object that may come into contact with energized parts.
Unless otherwise specified, all products are intended to be grounded during normal use. Grounding is
provided by connecting the mains plug to a wall socket with a protective ground terminal. If a ground
lug is provided with the product, it should be connected to the protective ground at all times by a
conductor of 18 AWG or larger diameter. Rack-mounted equipment should be mounted only in grounded
racks and cabinets. These procedures must be performed by qualified personnel only.
Always connect the ground first and disconnect it last. Do not connect telecommunication cables to
equipment that is not grounded. Make sure that all other cables are disconnected before
disconnecting the ground.
Some products may have panels secured by thumbscrews with a slotted head. These panels may cover
hazardous circuits or components, such as power supplies. These thumbscrews should therefore be
tightened securely with a screwdriver after each initial installation and each subsequent access to the
panels.
Warning
Before connecting or disconnecting the AC or DC mains connector to/from the
device, the user must verify that the Power switch on the control panel is
set to OFF.
The Power switch can be activated only after the AC or DC mains connector is
connected to the device.
Connecting AC Mains
Make sure that the electrical installation complies with local regulations.
Always connect the mains plug to a wall socket with a protective ground terminal.
The maximum permissible current capability of the branch distribution circuit that supplies power to the
product is 16A (20A for USA and Canada). The circuit breaker in the building installation should have a
high breaking capacity and should operate at a short-circuit current exceeding 35A (40A for USA and
Canada).
Always connect the power cord first to the equipment and then to the wall socket. If a switch is
provided with the equipment, set it to the OFF position. If the power cord cannot be readily disconnected
in case of emergency, make sure that a readily accessible circuit breaker or emergency switch is
installed in the building.
The circuit breaker should disconnect both poles simultaneously if the power distribution system is
IT type.
Note
The Denmark power cord is not provided with the equipment and must comply
with IEC and the local electrical code.
Connecting DC Power
Unless otherwise specified in the manual, the DC input to the equipment is floating with respect to
ground. Any pole must be externally grounded.
Due to the current capability of DC power systems, precautions should be taken when connecting the
DC supply to avoid short-circuits and fire hazards.
Make sure that the DC power supply is isolated from any AC (mains) source and that the installation
complies with local regulations.
The maximum permissible current capability of the branch distribution circuit that supplies power to the
product is 16A (20A for USA and Canada). The circuit breaker in the building installation should have a
high breaking capacity and should operate at a short-circuit current exceeding 35A (40A for USA and
Canada).
Before connecting the DC supply wires, make sure that the DC circuit is not energized. Locate the
circuit breaker in the panel board that services the equipment and set it to the OFF position. When
connecting the DC supply wires, first connect the ground conductor to the corresponding terminal, then
the positive pole, and last the negative pole. Switch the circuit breaker back to the ON position.
A readily accessible, suitably rated and approved disconnect device should be incorporated in the
building installation.
The circuit breaker should disconnect both poles simultaneously if the DC power supply is floating.
Connecting Data and Telecommunication Cables
Data and telecommunication interfaces are classified according to their safety level.
The following table lists the status of several standard interfaces. If the status of a given port differs
from the standard one, a notice is given in the manual.
Ports and their safety level:
• ES1 (Electrical energy source class 1): V.11, V.28, V.35, V.36, RS-530, X.21, 10BASE-T, 100BASE-T,
1000BASE-T, Unbalanced E1, E2, E3, STM, DS-2, DS3, S-Interface ISDN, Analog voice E&M;
xDSL (without feeding voltage), Balanced E1, T1, Sub E1/T1, POE; Input DC Voltage up to 60 VDC.
Ports which do not present a safety hazard. Usually up to 30 VAC (alternating current) or 60 VDC
(direct current).
• ES2 (Electrical energy source class 2): FXS, FXO.
• ES3 (Electrical energy source class 3): Input DC Voltage up to 72 VDC; AC power source declared.
Always connect a given port to a port of the same safety level. If in doubt, seek the assistance of a
qualified safety engineer.
Always make sure that the equipment is grounded before connecting telecommunication cables. Do not
disconnect the ground connection before disconnecting all telecommunication cables.
Some SELV and non-SELV circuits use the same connectors. Use caution when connecting cables. Extreme
caution is required during thunderstorms.
When using shielded or coaxial cables, verify that there is a good ground connection at both ends. The
grounding and bonding of the ground connections must comply with local regulations.
The telecommunication wiring in the building may be damaged or present a fire hazard in case of
contact between exposed external wires and the AC (alternating current) power lines. In order to reduce
the risk, there is a limitation on the diameter of the wires in the telecommunication cables, between
the equipment and the mating connectors.
To reduce the risk of fire, use only 26 AWG or larger telecommunication
line cords.
Warning
Some ports are suitable for connection to intra-building or non-exposed wiring only. In such cases, a
notice is given in the installation instructions.
Do not attempt to disassemble the equipment or the connection hardware.
Electromagnetic Compatibility (EMC)
The equipment is designed and approved to comply with the electromagnetic regulations of the major
regulatory bodies. The following instructions may enhance the performance of the equipment and
provide better protection against excessive emission and better immunity against disturbances.
A good ground connection is essential. When installing the equipment in a rack, make sure to remove all
traces of paint from the mounting points. Use suitable lock-washers and torque. If an external grounding
lug is provided, connect it to the ground bus using braided wire as short as possible.
The equipment is designed to comply with EMC requirements when connected with unshielded twisted
pair (UTP) cables, with the exception of 1000BaseT ports, which must always use shielded twisted pair
cables of good quality (CAT 5E or higher). However, the use of shielded cables is always recommended,
especially for high-rate data. In some cases, when unshielded cables are used, ferrite cores must be
installed on certain cables. In such cases, special instructions are provided in the manual.
Disconnect all cables which are not in permanent use, such as cables used for one-time configuration.
The compliance of the equipment with the regulations for conducted emission on the data lines
depends on the cable quality. The emission is tested for UTP cables with 80 dB longitudinal conversion
loss (LCL).
Unless otherwise specified or described in the manual, ES1 and ES2 electrical energy sources provide
protection against surges on the data lines. Primary protectors must be provided in the building
installation.
The equipment is designed to provide adequate protection against electrostatic discharge (ESD).
However, it is recommended to use caution when connecting cables terminated with plastic connectors
(without a grounded metal hood, such as flat cables) to sensitive data lines. Before connecting such
cables, discharge yourself by touching ground or wear an antistatic wrist strap.
FCC-15 Information Utilisateur
Cet équipement a été testé et déclaré conforme aux limites d’un appareil numérique de classe A,
définies à la section 15 du règlement de la FCC. Ces limites sont conçues pour fournir une protection
raisonnable contre les interférences nuisibles lorsque l'équipement est utilisé dans un environnement
commercial. Cet équipement génère, utilise et peut émettre de l'énergie de fréquence radio, s'il n'est
pas installé et utilisé conformément au Manuel d'Installation et d'Utilisation, il peut provoquer des
interférences nuisibles aux communications radio. L'utilisation de cet équipement dans une zone
résidentielle est susceptible de provoquer des interférences nuisibles, dans ce cas, l'utilisateur sera tenu
de corriger les interférences à ses frais.
Exigences d’émissions canadiennes
Cet appareil numérique de Classe A répond a toutes les exigences de la réglementation canadienne sur
les équipements causant des interférences.
Avertissement: EN 55032 (CISPR 32)
Cet appareil est conforme a la Classe A de la CISPR 32. Dans un
environnement résidentiel, il peut provoquer des interférences radio.
Avertissement
Product Disposal
To facilitate the reuse, recycling and other forms of recovery of waste equipment in protecting the environment, the owner of this RAD product is required not to dispose of it as unsorted municipal waste at the end of its life cycle. The customer should arrange for reuse, recycling or another form of environmentally sound disposal of this unit when it is no longer in use.
Safety and Disposal (German)
General Safety Instructions
The following instructions serve as a general guide for the safe installation and operation of telecommunications products. Additional instructions are provided in the user manual.
This equipment is not suitable for use in locations where children are likely to be present.
Safety Symbols
This symbol may appear on the equipment or in the text. It alerts the user or service personnel to possible hazards when operating the equipment.
Caution
Danger of electric shock! Avoid any contact with the marked surface while the unit is energized or connected to external telecommunication lines.
Protective ground: The marked nut or terminal must be connected to the building's main protective earthing terminal.
Some products may be equipped with a laser diode. In such cases, a label with the laser class and the corresponding warnings must be attached next to the optical transmitter. The laser warning symbol may also be attached.
Please observe the following precautions:
• Before turning on the equipment, make sure that the fiber-optic cable is undamaged and is connected to the transmitter.
• Do not attempt to adjust the laser drive current.
• Do not use broken or otherwise damaged fiber-optic cables or connectors. Do not look into the laser beam.
• Using optical instruments with this equipment increases the hazard to your eyes.
• Use of controls, adjustments or procedures other than those specified here may result in hazardous radiation exposure.
CAUTION: The laser beam may be invisible!
In some cases, users will insert their own SFP laser transceivers into the equipment. Users are advised that RAD is not responsible for damage resulting from incompatible transceivers. Users are further advised that only approved products complying with the local laser safety regulations for Class 1 laser devices should be used.
Also observe the usual safety precautions during installation, operation, maintenance and repair of the equipment. Installation, adjustments and repairs should not be performed by the user or by the operator.
Handling Energized Equipment
General Safety Precautions
Do not touch or tamper with the power supply while the power cord is connected. Some components inside the unit may remain energized even when the ON/OFF switch (if present) is set to OFF or a fuse is blown. For DC-powered products, there is also a risk of electric shock, even though the applied voltage is usually not hazardous.
Remove jewelry and other metal objects before working on equipment connected to the mains or to telecommunication lines, to prevent them from touching energized parts.
Unless otherwise specified, all products should be grounded during normal use. Grounding is provided by connecting to a socket with protective earth. If the unit has a grounding lug, it should always be connected to protective earth with a wire of 18 AWG or thicker. Rack-mounted equipment should only be installed in grounded racks or cabinets.
Always connect the protective ground first and disconnect it last. Do not connect telecommunication cables to ungrounded equipment. Make sure all other cables are disconnected before disconnecting the ground.
The front panels of some units are secured with slotted thumbscrews. These panels cover hazardous circuits or parts, such as power supplies. These thumbscrews should therefore always be tightened securely with a screwdriver after initial installation and after any subsequent access to the panels.
Caution
Before connecting or disconnecting the AC or DC power plug to or from the unit, the user should make sure that the power switch on the panel is set to OFF.
The power switch can only be activated after the AC or DC power plug is connected to the unit.
Connecting to an AC Power Source
Make sure that the electrical installation complies with local regulations.
Always plug into a socket with protective earth.
The maximum permissible current capability of the branch distribution circuit that supplies power to the unit is 16 A (20 A in the USA and Canada). The circuit breaker in the building installation must have a high breaking capacity and must interrupt the current at 35 A (40 A in the USA and Canada).
Connect the power cord to the unit first and then to the socket. If an ON/OFF switch is available, set it to OFF. If the power cord cannot be pulled out quickly in an emergency, make sure that a circuit breaker or emergency switch is part of the building's electrical installation.
If power is supplied via an IT power distribution system, the switch must disconnect both poles simultaneously.
Connecting to a DC Power Source
Unless otherwise described in the user manual, the DC input is floating with respect to ground. Either pole may be grounded externally.
Because of the ability to carry high currents, care must be taken when connecting the DC source to avoid short circuits and fire.
Make sure that DC sources are isolated from AC sources and that the installation complies with local regulations.
The maximum permissible current capability of the branch distribution circuit that supplies power to the unit is 16 A (20 A in the USA and Canada). The circuit breaker in the building installation must have a high breaking capacity and must interrupt the current at 35 A (40 A in the USA and Canada).
Before connecting the DC supply wires, make sure that no current is flowing in the DC circuit. Locate the circuit breaker on the panel that serves the unit and switch it OFF. When connecting the DC wires, connect the ground wire to its terminal first, then the positive pole and finally the negative pole. Switch the circuit breaker back ON.
A readily accessible disconnect device that is suitably approved and rated should be incorporated in the existing installation.
If the DC supply is floating, the switch must disconnect both poles simultaneously.
Connecting Data and Telecommunication Cables
Data and telecommunication interfaces are classified according to their safety status. Various standard interfaces are listed in the following table together with their respective safety status. Any deviations from the standard safety status are noted separately in the user manual.
Ports | Safety Status
----- | -----
V.11, V.28, V.35, V.36, RS-530, X.21, 10BASE-T, 100BASE-T, 1000BASE-T, unbalanced E1, E2, E3, STM, DS-2, DS-3, ISDN S-interface, analog voice E&M | ES1: Electrical energy source class 1. Ports that do not present a safety hazard, normally up to 30 VAC or 60 VDC.
xDSL (without feeding voltage), balanced E1, T1, Sub-E1/T1, PoE, DC input up to 60 VDC, FXS, FXO | ES2: Electrical energy source class 2.
DC input up to 72 VDC, declared AC voltage source | ES3: Electrical energy source class 3.
Connect only ports that have the same safety status. If in doubt, consult a qualified safety engineer.
Always make sure that the unit is grounded before connecting telecommunication cables. Never disconnect the ground before disconnecting the telecommunication cables.
Some SELV and non-SELV circuits use the same connectors. Use caution when connecting cables. Be especially careful during thunderstorms.
When using shielded or coaxial cables, make sure that they are well grounded at both ends.
If outdoor cables come into contact with AC power lines, the wiring inside the building may be damaged or may cause a fire. To reduce this risk, there are regulations on the gauge of telecommunication cables between the equipment and the connection points.
Caution
To reduce the risk of fire, use only 26 AWG or thicker telecommunication cables.
Some ports are suitable only for connection to in-building or non-exposed wiring. Such cases are noted separately in the installation instructions.
Do not attempt to tamper with equipment or connecting elements supplied by the carrier.
Electromagnetic Compatibility (EMC)
The equipment is designed and approved to comply with the electromagnetic regulations of the major regulatory bodies. The following instructions are intended to improve the performance of the equipment and provide better protection against excessive emissions and better immunity against interference.
Good grounding is essential. When mounting the equipment in a rack, make sure that all traces of paint are removed from the mounting points. Use suitable lock washers and the correct torque. If an external grounding lug is available, connect it to the ground bus using the shortest possible braided wire.
The equipment is designed to meet EMC requirements when connected with unshielded twisted-pair (UTP) cables, except for 1000BaseT ports, which always require good-quality shielded twisted-pair cables (CAT 5E or better). In general, the use of shielded cables is always recommended, especially for high data rates. When unshielded cables are used, it is recommended in some cases to fit a ferrite core on certain cables. In those cases, separate instructions are provided in the user manual.
Disconnect all cables that are not in permanent use, such as those used for a one-time configuration.
Compliance with conducted-emission regulations on the data lines depends on cable quality. Emission was tested with UTP cables having 80 dB longitudinal conversion loss (LCL).
Unless otherwise specified or described in the user manual, ES1 and ES2 electrical energy source ports provide protection against surges on the data lines. Primary protectors must be provided in the building installation.
The equipment is designed to provide adequate protection against electrostatic discharge (ESD). However, caution is advised when connecting cables with plastic connectors (without a grounded metal shell, as with flat cables) to sensitive data lines. Before connecting such cables, discharge yourself by touching ground or by wearing an ESD wrist strap.
FCC-15 User Information
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the Installation and Operation Manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at their own expense.
Canadian Emission Requirements
This Class A digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations.
EN 55032 (CISPR 32) Warning
This is a Class A product. In a residential environment this equipment may cause radio interference, in which case the user is responsible for taking remedial action.
Product Disposal
To facilitate the reuse, recycling and other forms of recovery of waste equipment in protecting the environment, the owner of this RAD product is required not to dispose of it as unsorted waste at the end of its life cycle. When the unit is taken out of service, the customer shall arrange for its environmentally sound reuse, recycling or disposal.
EU Declaration of Conformity
SecFlow-1p Declaration of Conformity
Environmental Compliance Statement
Contents
1 Introduction ..............................................................................................................................42
1.1 Overview......................................................................................................................................... 42
Product Options ............................................................................................................................. 42
Features ......................................................................................................................................... 43
1.3 New in this Version......................................................................................................................... 46
1.5 Technical Specifications.................................................................................................................. 48
Hardware Specifications ................................................................................................................ 48
Software Specifications.................................................................................................................. 56
2 Installation and Setup ................................................................................................................62
2.5 Safety .............................................................................................................................................. 62
Laser Safety .................................................................................................................................... 63
Grounding ...................................................................................................................................... 64
2.6 Site Requirements and Prerequisites ............................................................................................. 64
Power ............................................................................................................................................. 65
Ambient Requirements .................................................................................................................. 65
2.7 Package Contents ........................................................................................................................... 65
2.8 Physical Installation ........................................................................................................................ 66
Required Equipment ...................................................................................................................... 66
Wall Mounting ............................................................................................................................... 66
Installing Antennas ........................................................................................................................ 68
Installing a SIM Card ...................................................................................................................... 70
Installing an SFP ............................................................................................................................. 71
Installing a Memory Card ............................................................................................................... 73
Connecting to a Management Console.......................................................................................... 73
Connecting to Power ..................................................................................................................... 74
Connecting to Ethernet Equipment ............................................................................................... 79
Connecting to Serial Equipment .................................................................................................... 80
Connecting to a Dry Contacts Terminal ......................................................................................... 80
Installing the GNSS Antenna .......................................................................................................... 83
2.15 Basic Connectivity Tests ............................................................................................................... 85
3 Operation and Maintenance ...................................................................................................... 86
3.1 Turning On the Unit ........................................................................................................................ 86
3.2 Indicators ........................................................................................................................................ 86
3.3 FD Button........................................................................................................................................ 89
3.5 Startup ............................................................................................................................................ 90
Applicability and Scaling ................................................................................................................ 90
Configuration and Software Files................................................................................................... 90
Loading Sequence .......................................................................................................................... 91
3.6 Working with Custom Configuration Files ...................................................................................... 92
Applicability and Scaling ................................................................................................................ 93
Factory Defaults ............................................................................................................................. 93
Saving Configuration Changes ....................................................................................................... 93
Confirming the Startup Configuration File..................................................................................... 94
On-Net Zero Touch ........................................................................................................................ 95
Off-Net Zero Touch ........................................................................................................................ 99
3.7 Configuration and Management .................................................................................................. 103
3.8 CLI-Based Configuration ............................................................................................................... 104
Working with SSH......................................................................................................................... 104
Login ............................................................................................................................................. 105
Using the CLI ................................................................................................................................ 107
Using Scripts ................................................................................................................................. 126
Examples ...................................................................................................................................... 126
3.9 Web-based Configuration ............................................................................................................ 127
Logging In ..................................................................................................................................... 127
Navigating the Web Interface ...................................................................................................... 128
Graphical Controls ....................................................................................................................... 131
Dynamic Tables ............................................................................................................................ 131
Containers (LXD) .......................................................................................................................... 133
Firewall ......................................................................................................................................... 133
3.10 SNMP-Based Network Management ......................................................................................... 134
Configuring SecFlow-1p for SNMP Management Access............................................................. 134
Working with RADview ................................................................................................................ 134
3.11 NETCONF-Based Network Management .................................................................................... 135
3.12 Turning Off the Unit ................................................................................................................... 135
4 Ports........................................................................................................................................ 136
4.2 Cellular Ports ................................................................................................................................ 137
Applicability and Scaling .............................................................................................................. 137
Standards Compliance ................................................................................................................. 137
Functional Description ................................................................................................................. 137
Factory Defaults ........................................................................................................................... 145
Configuring a Cellular Port ........................................................................................................... 146
Viewing Cellular Port Status......................................................................................................... 152
Viewing Cellular Port Status using Swagger................................................................................. 157
4.3 Ethernet Ports .............................................................................................................................. 160
Applicability and Scaling .............................................................................................................. 161
Functional Description ................................................................................................................. 161
Factory Defaults ........................................................................................................................... 162
Configuring Ethernet Port Parameters ........................................................................................ 162
Configuration Errors..................................................................................................................... 165
Viewing Ethernet Port Status ....................................................................................................... 165
Viewing Ethernet Port Statistics .................................................................................................. 167
4.4 Flash (SD Card) Ports .................................................................................................................... 169
Factory Default............................................................................................................................. 169
Configuring Flash Ports ................................................................................................................ 169
Viewing Flash Status .................................................................................................................... 170
4.5 PPP Ports ...................................................................................................................................... 170
Standards Compliance ................................................................................................................. 170
Functional Description ................................................................................................................. 171
Factory Defaults ........................................................................................................................... 174
Configuring Ports ......................................................................................................................... 174
Configuration Errors..................................................................................................................... 176
Viewing Port Status ...................................................................................................................... 177
4.6 Serial Ports .................................................................................................................................... 177
Applicability and Scaling .............................................................................................................. 178
Standards ..................................................................................................................................... 178
Functional Description ................................................................................................................. 178
Factory Defaults ........................................................................................................................... 181
Configuring Serial Port Parameters ............................................................................................. 182
Configuring the Terminal Server .................................................................................................. 183
Configuring the Tunnel ................................................................................................................ 185
Viewing Status Information ......................................................................................................... 186
Configuration Errors..................................................................................................................... 187
4.7 Virtual Ports .................................................................................................................................. 188
Applicability and Scaling .............................................................................................................. 188
Benefits ........................................................................................................................................ 189
Factory Defaults ........................................................................................................................... 189
Configuring Virtual Ports.............................................................................................................. 189
Viewing Virtual Port Status .......................................................................................................... 190
Viewing Virtual Port Statistics ...................................................................................................... 190
4.8 VLAN Ports .................................................................................................................................... 191
Applicability and Scaling .............................................................................................................. 191
Functional Description ................................................................................................................. 191
Factory Defaults ........................................................................................................................... 192
Configuring VLAN Port Parameters.............................................................................................. 192
Configuration Errors..................................................................................................................... 194
Viewing VLAN Port Status ............................................................................................................ 194
Viewing VLAN Port Statistics ........................................................................................................ 195
4.9 WiFi ............................................................................................................................................... 196
Applicability and Scaling .............................................................................................................. 197
Standards Compliance ................................................................................................................. 197
Functional Description ................................................................................................................. 197
Factory Defaults ........................................................................................................................... 198
Configuring WLAN Port Parameters ............................................................................................ 199
Examples ...................................................................................................................................... 202
Testing WiFi.................................................................................................................................. 203
5 Management and Security ....................................................................................................... 204
5.1 Access Control List (ACL) .............................................................................................................. 204
Applicability and Scaling .............................................................................................................. 205
Standards Compliance ................................................................................................................. 205
Benefits ........................................................................................................................................ 205
Functional Description ................................................................................................................. 205
Factory Defaults ........................................................................................................................... 207
Configuring ACL ............................................................................................................................ 207
Examples ...................................................................................................................................... 210
Configuration Errors..................................................................................................................... 211
Viewing ACL Status....................................................................................................................... 211
Viewing ACL Statistics .................................................................................................................. 212
5.2 Authentication via RADIUS Server ................................................................................................ 212
Applicability and Scaling .............................................................................................................. 213
Standards Compliance ................................................................................................................. 213
Benefits ........................................................................................................................................ 213
Functional Description ................................................................................................................. 213
Factory Defaults ........................................................................................................................... 214
Configuring RADIUS Server Parameters....................................................................................... 215
Viewing RADIUS Statistics ............................................................................................................ 216
5.3 Authentication via TACACS+ Server ............................................................................................. 217
Applicability and Scaling .............................................................................................................. 217
Standards Compliance ................................................................................................................. 217
Benefits ........................................................................................................................................ 218
Functional Description ................................................................................................................. 218
Factory Defaults ........................................................................................................................... 220
Configuring TACACS+ Entities ...................................................................................................... 220
Examples ...................................................................................................................................... 223
Configuration Errors..................................................................................................................... 224
Viewing TACACS+ Statistics .......................................................................................................... 224
5.4 DHCP Server.................................................................................................................................. 226
Applicability and Scaling .............................................................................................................. 226
Standards Compliance ................................................................................................................. 226
Benefits ........................................................................................................................................ 226
Functional Description ................................................................................................................. 227
Factory Defaults ........................................................................................................................... 230
Configuring DHCP Server ............................................................................................................. 231
Configuration Errors..................................................................................................................... 240
5.5 DHCPv6 Server .............................................................................................................................. 242
Applicability and Scaling .............................................................................................................. 242
Standards Compliance ................................................................................................................. 242
Benefits ........................................................................................................................................ 243
Functional Description ................................................................................................................. 243
Factory Defaults ........................................................................................................................... 245
Configuring DHCPv6 Server.......................................................................................................... 245
Configuration Errors..................................................................................................................... 249
5.6 Management Access Methods ..................................................................................................... 250
Applicability and Scaling .............................................................................................................. 251
Functional Description ................................................................................................................. 251
Factory Defaults ........................................................................................................................... 251
Configuring Management Access ................................................................................................ 252
5.7 Management Ports ....................................................................................................................... 252
Applicability and Scaling .............................................................................................................. 253
Factory Defaults ........................................................................................................................... 253
5.8 Management Source IP Address .................................................................................................. 254
Applicability and Scaling .............................................................................................................. 254
Functional Description ................................................................................................................. 255
Configuring the Management Protocols Source IP Address ........................................................ 255
5.9 NETCONF-Based Network Management ...................................................................................... 255
Applicability and Scaling .............................................................................................................. 256
Standards Compliance ................................................................................................................. 256
Benefits ........................................................................................................................................ 256
Functional Description ................................................................................................................. 256
Factory Defaults ........................................................................................................................... 264
Configuring NETCONF Parameters............................................................................................... 265
Examples ...................................................................................................................................... 265
5.10 Public Key Infrastructure ............................................................................................................ 266
Applicability and Scaling .............................................................................................................. 266
Standards Compliance ................................................................................................................. 266
Functional Description ................................................................................................................. 266
Factory Defaults ........................................................................................................................... 267
Configuring X.509 Entities ............................................................................................................ 267
Configuration Errors..................................................................................................................... 270
Viewing Certificates Status .......................................................................................................... 272
5.11 SNMPv3 Management................................................................................................................ 273
Applicability and Scaling .............................................................................................................. 273
Standards Compliance ................................................................................................................. 273
Functional Description ................................................................................................................. 274
Factory Defaults ........................................................................................................................... 275
Configuring SNMPv3 Parameters ................................................................................................ 275
Examples ...................................................................................................................................... 283
5.12 User Access ................................................................................................................................. 288
Applicability and Scaling .............................................................................................................. 288
Factory Defaults ........................................................................................................................... 288
Functional Description ................................................................................................................. 288
Access Policy ................................................................................................................................ 291
Configuring Access Policy............................................................................................................. 292
Configuration Errors..................................................................................................................... 294
Configuring Users ......................................................................................................................... 295
Examples ...................................................................................................................................... 297
Viewing User Access Status ......................................................................................................... 299
5.13 Zone-based Stateful Firewall ...................................................................................................... 301
Functional Description ................................................................................................................. 302
Configuring the Firewall ............................................................................................................... 305
6 Traffic Processing ..................................................................................................................... 329
6.1 Bridge............................................................................................................................................ 329
Applicability and Scaling .............................................................................................................. 329
Standards Compliance ................................................................................................................. 329
Benefits ........................................................................................................................................ 329
Functional Description ................................................................................................................. 330
Factory Defaults ........................................................................................................................... 334
Configuring the Bridge ................................................................................................................. 335
Examples ...................................................................................................................................... 338
Viewing Bridge Status .................................................................................................................. 341
Configuration Errors..................................................................................................................... 343
6.2 DNP3 Gateway.............................................................................................................................. 345
Configuring DNP3 Gateway ......................................................................................................... 345
6.3 GRE Tunneling .............................................................................................................................. 346
Applicability and Scaling .............................................................................................................. 346
Standards Compliance ................................................................................................................. 346
Functional Description ................................................................................................................. 347
Factory Defaults ........................................................................................................................... 348
Configuring Tunneling .................................................................................................................. 348
Configuration Errors..................................................................................................................... 351
Examples ...................................................................................................................................... 352
Viewing GRE Status ...................................................................................................................... 352
6.4 IPsec .............................................................................................................................................. 354
Applicability and Scaling .............................................................................................................. 356
Standards Compliance ................................................................................................................. 356
Benefits ........................................................................................................................................ 356
Functional Description ................................................................................................................. 356
Configuring IPsec.......................................................................................................................... 362
Configuration Errors..................................................................................................................... 369
6.5 Network Address Translator (NAT) .............................................................................................. 370
Applicability and Scaling .............................................................................................................. 370
Functional Description ................................................................................................................. 371
Configuring Network Address Translator (NAT) .......................................................................... 373
Viewing NAT Translation Table .................................................................................................... 375
Viewing NAT Statistics ................................................................................................................. 376
Configuration Errors..................................................................................................................... 377
6.6 Policy-Based Routing (PBR) .......................................................................................................... 379
Applicability and Scaling .............................................................................................................. 379
Benefits ........................................................................................................................................ 379
Functional Description ................................................................................................................. 379
Factory Defaults ........................................................................................................................... 380
Configuring PBR ........................................................................................................................... 380
Configuration Errors..................................................................................................................... 382
6.7 Quality of Service (QoS)................................................................................................................ 382
Applicability and Scaling .............................................................................................................. 382
Benefits ........................................................................................................................................ 382
Functional Description ................................................................................................................. 383
Factory Defaults ........................................................................................................................... 383
Classifier ....................................................................................................................................... 383
Traffic-Class .................................................................................................................................. 388
Queuing........................................................................................................................................ 390
6.8 Router ........................................................................................................................................... 400
Applicability and Scaling .............................................................................................................. 400
Standards Compliance ................................................................................................................. 400
Benefits ........................................................................................................................................ 401
Functional Description ................................................................................................................. 401
Factory Defaults ........................................................................................................................... 403
Configuring the Router ................................................................................................................ 404
Viewing Router Information ........................................................................................................ 413
Viewing Router Statistics ............................................................................................................. 423
Configuration Errors..................................................................................................................... 424
6.9 Routing Protocol BGP ................................................................................................................... 426
Applicability and Scaling .............................................................................................................. 427
Standards Compliance ................................................................................................................. 427
Benefits ........................................................................................................................................ 427
Functional Description ................................................................................................................. 427
Factory Defaults ........................................................................................................................... 432
Configuring BGP ........................................................................................................................... 433
Example........................................................................................................................................ 448
Configuration Errors..................................................................................................................... 449
Viewing BGP Status ...................................................................................................................... 452
6.10 Routing Protocol OSPF................................................................................................................ 462
Applicability and Scaling .............................................................................................................. 462
Standards Compliance ................................................................................................................. 462
Benefits ........................................................................................................................................ 462
Functional Description ................................................................................................................. 463
Factory Defaults ........................................................................................................................... 466
Configuring OSPF ......................................................................................................................... 468
Example........................................................................................................................................ 475
Configuration Errors..................................................................................................................... 476
Viewing OSPF Status .................................................................................................................... 477
Viewing OSPF Statistics ................................................................................................................ 480
Testing OSPF ................................................................................................................................ 481
6.11 Tunneling .................................................................................................................................... 481
Applicability and Scaling .............................................................................................................. 481
Standards Compliance ................................................................................................................. 481
Functional Description ................................................................................................................. 482
Factory Defaults ........................................................................................................................... 484
Configuring Tunnels ..................................................................................................................... 484
Examples ...................................................................................................................................... 487
Configuration Errors..................................................................................................................... 489
Viewing Tunnel Status.................................................................................................................. 490
6.12 Virtual Router Redundancy Protocol (VRRP) .............................................................................. 495
Standards Compliance and MIBs ................................................................................................. 495
Functional Description ................................................................................................................. 495
Factory Defaults ........................................................................................................................... 496
Configuring VRRP ......................................................................................................................... 496
Configuration Errors..................................................................................................................... 498
Viewing VRRP Status .................................................................................................................... 499
Viewing VRRP Summary............................................................................................................... 500
7 Containerization ...................................................................................................................... 502
7.1 Applicability and Scaling ............................................................................................................... 502
7.2 Functional Description.................................................................................................................. 502
Containers .................................................................................................................................... 503
Snapshots ..................................................................................................................................... 504
Images .......................................................................................................................................... 504
Profiles ......................................................................................................................................... 505
Network ....................................................................................................................................... 505
7.3 Factory Defaults............................................................................................................................ 505
7.4 Configuring LXD Containers .......................................................................................................... 506
CLI Configuration.......................................................................................................................... 506
Web Configuration....................................................................................................................... 506
7.5 Example: Suricata TAP Mode Container....................................................................................... 520
Creating Internal Bridges ............................................................................................................. 521
Creating a Container Based on Image.......................................................................................... 522
Checking Communication ............................................................................................................ 525
Establishing SSH Access ............................................................................................................... 525
Updating Suricata Rules ............................................................................................................... 526
Configuring Syslog........................................................................................................................ 526
Checking Syslog Connectivity ....................................................................................................... 526
7.6 Viewing Container Status ............................................................................................................. 527
SecFlow-1p
Contents
38
8 Timing and Synchronization ..................................................................................................... 529
8.1 GNSS location reporting ............................................................................................................... 529
Functional Description ................................................................................................................. 529
Factory Defaults ........................................................................................................................... 529
Configuring GNSS ......................................................................................................................... 530
Viewing GNSS Status .................................................................................................................... 530
Examples ...................................................................................................................................... 531
8.2 Date and Time .............................................................................................................................. 533
Applicability and Scaling .............................................................................................................. 533
Standards Compliance ................................................................................................................. 533
Benefits ........................................................................................................................................ 533
Functional Description ................................................................................................................. 533
Factory Defaults ........................................................................................................................... 534
Configuring Date and Time .......................................................................................................... 534
Examples ...................................................................................................................................... 536
Viewing Status.............................................................................................................................. 537
8.3 Daylight Saving Time .................................................................................................................... 538
Applicability and Scaling .............................................................................................................. 538
Functional Description ................................................................................................................. 538
Factory Defaults ........................................................................................................................... 539
Configuring Daylight Saving Time Scheduling .............................................................................. 539
Examples ...................................................................................................................................... 540
Configuration Errors..................................................................................................................... 540
Viewing Scheduled Daylight Saving Time .................................................................................... 541
9 Administration......................................................................................................................... 542
9.1 Product Information ..................................................................................................................... 542
Applicability and Scaling .............................................................................................................. 542
Standards Compliance ................................................................................................................. 542
Setting Parameters ...................................................................................................................... 542
Example........................................................................................................................................ 543
9.2 File Operations ............................................................................................................................. 546
Applicability and Scaling .............................................................................................................. 546
Functional Description ................................................................................................................. 546
Copying Files ................................................................................................................................ 548
Viewing Copy Status..................................................................................................................... 550
Viewing Information on Files ....................................................................................................... 550
Deleting Files ................................................................................................................................ 553
Examples ...................................................................................................................................... 553
9.3 Resetting to Default...................................................................................................................... 557
Resetting to Factory Defaults ...................................................................................................... 557
Resetting to User Defaults ........................................................................................................... 559
Restarting SecFlow-1p ................................................................................................................. 559
9.4 Inventory ...................................................................................................................................... 559
Applicability and Scaling .............................................................................................................. 560
Standards Compliance ................................................................................................................. 560
Benefits ........................................................................................................................................ 560
Viewing Inventory Information .................................................................................................... 560
Examples ...................................................................................................................................... 562
9.5 Login Banner ................................................................................................................................. 563
Applicability and Scaling .............................................................................................................. 564
Functional Description ................................................................................................................. 564
Configuring Login Banners ........................................................................................................... 564
Example........................................................................................................................................ 565
10 Monitoring and Diagnostics...................................................................................................... 566
10.1 Dry Contacts ............................................................................................................................... 566
Applicability and Scaling .............................................................................................................. 566
Functional Description ................................................................................................................. 566
Factory Defaults ........................................................................................................................... 566
Configuring Alarms....................................................................................................................... 566
10.2 Syslog .......................................................................................................................................... 569
Applicability and Scaling .............................................................................................................. 570
Standards Compliance ................................................................................................................. 570
Functional Description ................................................................................................................. 570
Factory Defaults ........................................................................................................................... 571
Configuring Syslog Parameters .................................................................................................... 572
Example........................................................................................................................................ 573
Configuration Errors..................................................................................................................... 574
Viewing Syslog Statistics .............................................................................................................. 574
10.3 Performance Management ........................................................................................................ 575
Functional Description ................................................................................................................. 575
Factory Defaults ........................................................................................................................... 576
Configuring Performance Management ...................................................................................... 577
Viewing Performance Management Configuration ..................................................................... 578
Examples ...................................................................................................................................... 579
Configuration Errors..................................................................................................................... 580
10.4 Detecting Problems .................................................................................................................... 580
Controlling Popup Behavior ......................................................................................................... 581
Alarms and Events........................................................................................................................ 581
10.5 Running a Ping Test .................................................................................................................... 582
Applicability and Scaling .............................................................................................................. 582
Functional Description ................................................................................................................. 582
Configuring a Ping Test ................................................................................................................ 583
Examples ...................................................................................................................................... 584
10.6 Tracing the Route ....................................................................................................................... 584
Applicability and Scaling .............................................................................................................. 584
Running Trace Route.................................................................................................................... 584
10.7 Technical Support ....................................................................................................................... 585
11 Software Upgrade .................................................................................................................... 586
11.1 Compatibility Requirements....................................................................................................... 587
11.2 Impact ......................................................................................................................................... 587
11.3 Prerequisites ............................................................................................................................... 587
SFTP/FTP/TFTP Prerequisites ....................................................................................................... 587
Software Packs ............................................................................................................................. 588
11.4 Upgrading Software via CLI ........................................................................................................ 588
Verifying the Host Parameters..................................................................................................... 588
Pinging the PC .............................................................................................................................. 589
Activating the SFTP Server ........................................................................................................... 589
Activating the TFTP Server ........................................................................................................... 589
Downloading the New Device Software Release File .................................................................. 590
Activating the Device Software .................................................................................................... 590
Activating the Software ............................................................................................................... 592
11.5 Verifying Upgrade Results .......................................................................................................... 592
11.6 Restoring the Previous Version .................................................................................................. 593
A Connection Data ...................................................................................................................... 594
A.1 Ethernet Connector ...................................................................................................................... 594
A.3 Serial Port ..................................................................................................................................... 594
B ......................................................................................................................................................... 598
SecFlow-1p
1. Introduction
42
1 Introduction
1.1 Overview
SecFlow-1p is an industrial IoT gateway, a member of RAD's SecFlow suite of ruggedized Ethernet
products.
Besides its communication capabilities, it is an open platform that hosts third-party software in
LXC/LXD containers (see Configuring LXD Containers).
In its maximum configuration, SecFlow-1p can support four GbE Copper ports and two GbE SFP ports,
two serial ports (single RS-232 port or one RS-232 plus one RS-485/2W), built-in WiFi modem, GPS
receiver for location indication and a cellular modem with two SIM cards or two modems for maximum
link resiliency.
SecFlow-1p is equipped with serial interfaces for connectivity of legacy equipment. As a gateway it
converts legacy serial protocols to modern IP-based protocols, enabling seamless communication from
the IP SCADA to both the old and new RTUs. This provides a single box solution for multi-service
applications and smooth migration to all-IP networks.
SecFlow-1p features DIN-rail mounting, IP30 protection level, wide operating temperature range (-40°C
to 65°C) without fans, or regular temperature range (-20°C to 60°C) for desktop application.
Product Options
SecFlow-1p can be ordered in the following configurations:
• Without LTE and WiFi modules
• With LTE, without WiFi
• With WiFi, without LTE
• With both LTE and WiFi
• With 2 x 10/100/1000BASE-T ports, or with 2 x 1000FX + 4 x 10/100/1000BASE-T ports ("Superset")
It can also be ordered for use with AC or DC power supply. DIN rail power supply is also available.
Features
Connectivity
SecFlow-1p provides rich WAN connectivity over diverse access technologies, including Ethernet,
IP/MPLS, WLAN and 4G/LTE.
Hybrid WAN connectivity with ACTIVE/ACTIVE support enables high availability service using multiple
links.
SecFlow-1p provides Ethernet, LTE and WiFi LAN connectivity.
Management and Security
The digital transformation accelerates the pace of adoption of new services. SecFlow-1p is designed to
simplify operations, while providing the service provider with visibility to its branch office demarcation.
SecFlow-1p incorporates secure Zero-Touch-Provisioning mechanisms for agile and seamless vCPE
deployment, reducing truck rolls and minimizing mass deployment operating costs.
To automate setting up of overlay connectivity to the data center, SecFlow-1p can be integrated with
the service provider’s SDN controllers or orchestration systems, using NETCONF/YANG modeling.
SecFlow-1p can also be managed via WEB, CLI or by RADview.
Management Capabilities
• Secure remote management via any port using SSH, SNMP, NETCONF/YANG, or RADview, RAD's
  SNMP-based management system
• Zero Touch, allowing SecFlow-1p to receive software and configuration files automatically
  without having to manually log into SecFlow-1p. Supported over VPN and public networks.
• Performance Management – SecFlow-1p maintains performance management (PM) statistics.
  The PM statistics are collected into a file that can be read using RAD's RV PM-portal for further
  analysis and presentation.
• Access control lists (ACLs) flexibly filter management traffic. Data ACLs with a single
  Permit rule are also supported, for IPsec only, to define the traffic that is permitted through the
  IPsec tunnel and thus protected by IPsec.
Console Port
The console port is the highest-numbered Ethernet port (port 4 or 6, according to the device
ordered), with an RJ-45 connector; see Management and Diagnostics under Technical Specifications.
The console cable is not included and must be ordered separately (see Optional Accessories). A
terminal connected to this port gives local CLI access for management.
File Transfer Protocols
SecFlow-1p supports SFTP, FTP and TFTP for file transfer, for example when downloading software
packs or configuration files (see Software Upgrade). Only SFTP authenticates the server and encrypts
the transfer; FTP carries credentials and file contents in cleartext, and TFTP has no authentication
at all, so use SFTP wherever the management network is not fully trusted.
Security Protocols
SecFlow-1p supports the security protocols listed below, ensuring client-server communication privacy
and correct user authentication:
• SNMPv3, which provides secure access to the device by authenticating and encrypting packets
  transmitted over the network
• RADIUS (client authentication)
• TACACS+ (client authentication)
• SSHv2 for Secure Shell communication sessions
The software specifications also list Telnet, HTTP and SNMP v2, which carry passwords and community
strings in cleartext; where SSHv2, HTTPS and SNMPv3 are available on the management path, keep the
cleartext alternatives disabled.
DHCP and DHCPv6 Client and Server
SecFlow-1p supports Dynamic Host Configuration Protocol (DHCP) server functionality for IPv4 clients.
Based on the Bootstrap Protocol (BOOTP), the DHCP server assigns IPv4 addresses from configured pools
to DHCP clients, together with various configuration parameters (DHCP options), in response to the
clients' broadcast requests. This eliminates the need to assign an IP address manually to each
potential client.
SecFlow-1p also supports DHCP and DHCPv6 client functionality against IPv4 and IPv6 servers, to
obtain network IP addressing as well as other configuration parameters (DHCP options) that drive the
device's Zero Touch (ZT) functionality, such as option 66 (tftp-server-name).
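As an added example (not RAD's code, and not the SecFlow-1p ZT implementation) of how a zero-touch client consumes what a DHCP server hands it, the following Python parses the options field of a DHCP OFFER and pulls out the addressing and provisioning options a ZT device depends on: subnet mask (1), router (3), DNS (6), lease time (51), message type (53), server identifier (54), TFTP server name (66) and boot file name (67). The packet bytes, addresses and names are constructed for the example; option codes and the TLV layout follow RFC 2132, and a truncated or unterminated option list is rejected rather than half-applied.

```python
"""Parse the options field of a DHCPv4 message (RFC 2132 TLV format).
Added example, not SecFlow-1p code; the OFFER below is constructed by hand."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
# Option codes (RFC 2132) a zero-touch client acts on; the names are ours.
OPTION_NAMES = {1: "subnet_mask", 3: "router", 6: "dns_server", 51: "lease_time",
                53: "message_type", 54: "server_id", 66: "tftp_server_name",
                67: "bootfile_name"}


def decode_option(code: int, value: bytes):
    """Decode the option types a ZT client needs; anything else stays raw."""
    if code in (1, 54):                                  # one IPv4 address
        return str(ipaddress.IPv4Address(value))
    if code in (3, 6):                                   # list of IPv4 addresses
        return [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, len(value), 4)]
    if code == 51:                                       # 32-bit seconds
        return struct.unpack("!I", value)[0]
    if code == 53:
        return MESSAGE_TYPES.get(value[0], value[0])
    if code in (66, 67):                                 # text; tolerate a stray NUL
        return value.rstrip(b"\x00").decode("ascii")
    return value


def parse_options(options: bytes) -> dict:
    """Walk the TLV list after the magic cookie.

    A truncated or unterminated option list raises ValueError, so a malformed
    server reply is rejected instead of being half-applied.
    """
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    parsed, i = {}, len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == 0:                                    # PAD: one byte, no length
            i += 1
            continue
        if code == 255:                                  # END
            return parsed
        if i + 1 >= len(options):
            raise ValueError(f"option {code} truncated: no length byte")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated: {len(value)} of {length} bytes")
        parsed[code] = decode_option(code, value)
        i += 2 + length
    raise ValueError("option list not terminated by END (255)")


def build_option(code: int, value: bytes) -> bytes:
    if len(value) > 255:
        raise ValueError("option value longer than 255 bytes")
    return bytes([code, len(value)]) + value


# Constructed OFFER options blob; addresses and names are made up.
SAMPLE_OFFER = (
    MAGIC_COOKIE
    + build_option(53, b"\x02")                                    # OFFER
    + build_option(1, bytes([255, 255, 255, 0]))
    + build_option(3, bytes([192, 168, 10, 1]))
    + build_option(6, bytes([192, 168, 10, 1, 192, 168, 10, 2]))
    + build_option(51, struct.pack("!I", 86400))
    + build_option(54, bytes([192, 168, 10, 1]))
    + build_option(66, b"ztp.example.net")
    + build_option(67, b"secflow-1p/config.txt")
    + b"\x00\xff"                                                  # PAD, END
)


def provisioning_target(options: bytes) -> dict:
    """Reduce a parsed reply to what a zero-touch client acts on."""
    opts = parse_options(options)
    if opts.get(53) not in ("OFFER", "ACK"):
        raise ValueError(f"unexpected DHCP message type {opts.get(53)!r}")
    return {"server": opts.get(66), "file": opts.get(67), "router": opts.get(3)}


if __name__ == "__main__":
    for code, val in parse_options(SAMPLE_OFFER).items():
        print(f"{code:3d} {OPTION_NAMES.get(code, '?'):18s} {val!r}")
```

Option 66 only names a server; it says nothing about how the file is fetched or whether it is genuine. TFTP has no authentication, so a client that trusts option 66 from an untrusted segment can be pointed at an attacker's server, which is why the off-net ZT path described later in the specifications relies on an X.509 call-home rather than on DHCP alone.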
Traffic Processing
Layer-3 Forwarding
SecFlow-1p provides Layer-3 forwarding, with multiple Virtual Routing and Forwarding instances (VRFs).
Up to 10 routers and 32 router interfaces are supported.
SecFlow-1p supports static routing definitions, Border Gateway Protocol (BGP) and OSPF.
Network Address Translation (NAT)
SecFlow-1p supports Network Address Translation (NAT), which rewrites IPv4 addresses (IPv4 only)
when forwarding between two IP domains, so that hosts in one domain can reach the other transparently.
IPsec Tunneling
SecFlow-1p supports IPsec on router interfaces to secure private communication across public IP
networks.
GRE Tunneling
SecFlow-1p supports Generic Routing Encapsulation (GRE) protocol, which sets up Layer-3 point-to-point
connectivity between two remote sites (over an underlay Layer-3 network).
Layer-2 Forwarding
SecFlow-1p supports up to two bridges and up to 32 bridge ports. The bridge ports can be bound to
Ethernet ports. The bridge entity enables users to perform local switching.
Layer-3 Quality of Service (QoS)
SecFlow-1p supports Quality of Service (QoS), i.e. traffic management, on Ethernet and Cellular ports to
ensure that traffic with specific characteristics, such as management traffic, is guaranteed a specific
bandwidth with minimum delay.
QoS support also includes classification: traffic entering a port is classified into traffic classes. A
traffic class defines actions such as a fixed Class of Service (CoS) mapping on the ingress direction of
an Ethernet port, and DSCP marking.
Monitoring and Diagnostics
SecFlow-1p offers several types of diagnostic procedures:
• Fault Propagation
• Syslog – the Syslog protocol generates and transports event notification messages from SecFlow-1p
  to servers across IP networks.
• Ping Test – SecFlow-1p can ping a remote IP host to check SecFlow-1p IP connectivity with that
  host.
• Trace Route – SecFlow-1p can quickly trace a route through the network from SecFlow-1p.
Timing
You can configure the SecFlow-1p internal real-time clock as free running or with Network Time Protocol
(NTPv4).
1.2 New in this Version
Feature                         Comments
Cards and Ports
  • Blank APN name is now supported, to allow the cellular network to determine the correct APN
  • PPPoE (Point-to-Point Protocol over Ethernet) is now supported
  • PPP (Point-to-Point Protocol) is now supported for Cellular ports
  • Displaying the devices connected to the access point is enabled
  • Viewing Cellular Port Status using Swagger is enabled
  • REST API GET support is added for cellular ports
  • Dual SIM protection is added to the Cellular Interface
  • Two new 450 MHz modems are supported by the LTE interface
  • Dual LTE modems are supported
  • Serial ports are now supported
  • Terminal Server is supported
  • Serial Tunneling is supported
  • Serial to DNP3 tunneling over TCP/IP is supported
  • Cellular interface display is reorganized to display more parameters
  • The device can now be managed via serial port
  • The device can now be managed via SMS
  • MAC access control can now be enabled over the Ethernet ports
New Hardware Support
  • SFP-30H is now supported
Monitoring and Diagnostics
  • GNSS functionality has been added to the device
  • GPON SFP is now supported
  • A new ordering option includes 3 digital input and 1 digital output "I/O ALARM" pins (dry
    contacts); the default ordering option includes 2 digital input and 2 digital output pins
  • Dry contacts can be set based on pre-defined events
  • RADview can collect device statistics (CPU, memory and Ethernet ports) for generation of
    CSV files for 3rd-party PM applications
Management and Security
  • Enhanced ACL management (logging and access-group parameters added)
  • GRE over IPsec is supported in Tunnel Mode
  • DHCP option 66 (tftp-server-name) was added
  • IPsec authentication using X.509 certificates, with a SCEP server, is enabled
Traffic Processing
  • Address with prefix length 32 is allowed for an interface bound to a virtual port
  • PBR enhanced features have been added to the device
  • Ethernet local switching has been added
  • VRRP is now supported
Administration
  • Unsigned software update files are now rejected, for security
  • OS patch mechanism has been added
  • Configuration file can now be uploaded and stored on the SD card
  • Factory Default button is now supported from the device panel
1.3 Technical Specifications
Note
An asterisk (*) next to a feature means that the feature will be released in a
future version. Some of these features are described in the manual and
marked with the asterisk.
Hardware Specifications
Interfaces
  Ethernet: 2 x 10/100/1000BASE-T ports; or 2 x 1000FX + 4 x 10/100/1000BASE-T ports
  LTE: LTE modem with dual SIM
  Wi-Fi: 802.11b/g/n/ac dual band
  Serial ports: 1 RS-232 interface; 2 RS-232 interfaces; or 1 RS-232 + 1 RS-485 interface. Connector: RJ-45
  GNSS: GPS – American (default); Galileo – European
  SD Card: 1 port, max size 32 GB
Modems
  Cellular Modem: Dual SIM; LTE bands – see table below; EVDO networks (technology backward compatible)
  Firmware Upgrade: FOTA (Firmware upgrade Over the Air)
  Cellular Authentication: Configurable PAP, CHAP
  SIM Card: Mini SIM, 25 mm x 15 mm (0.98 in x 0.59 in), form factor 2FF
  WiFi Module: IEEE 802.11ac/a/b/g/n; dual band 2.4 GHz or 5 GHz (software selectable); up to 8 users
Integrated LTE Modems
LTE Ordering Code    Modem Category and Frequency Bands
L1                   CAT 4 EMEA/Korea/Thailand
                     LTE FDD: B1/B3/B5/B7/B8/B20; LTE TDD: B38/B40/B41; WCDMA: B1/B5/B8; GSM: B3/B8
L3                   CAT 4 Australia/New Zealand/Taiwan/Brazil
                     LTE FDD: B1/B2/B3/B4/B5/B7/B8/B28; LTE TDD: B40; WCDMA: B1/B2/B5/B8; GSM: B2/B3/B5/B8
L4                   CAT 4 North America, Verizon Wireless + AT&T LTE
                     LTE FDD: B2/B4/B5/B12/B13/B14/B66/B71; WCDMA: B2/B4/B5
L450A                CAT 4 450 MHz for private LTE networks
                     LTE FDD: B3/7/20/31/72
L450B                CAT 4 450 MHz for private LTE networks
                     LTE FDD: B3/20/87
Antennas
Depending on the ordering option, your package may include a number of antennas supplied along with
the modems. For instructions on the antenna installation, refer to Installing Antennas.
Cellular Antennas – Embedded
  Embedded LTE (L1, L3): embedded antenna for devices with L1 and L3 cellular modem
  Embedded LTE (L4): embedded antenna for devices with L4 cellular modem
  Embedded LTE (L450A, L450B): embedded antenna for devices with L450 cellular modem
  Frequencies (MHz)
    L1, L3 and L4: 690-960, 699-960, 1400-2170, 1710-2690, 2300-2700
    L450A, L450B: 452.5-467.5, 620-960, 1170-1180, 1560-1660, 1710-2170, 2300-2700
  Impedance: 50 Ohms (all)
  Polarization: Linear (all)
  Gain: L1, L3: 4 dBi avg.; L4: 3 dBi typ.; L450A, L450B: 4.94 dBi max.
  VSWR: L1, L3: <2; L4: <3:1 (<5:1 at 2500-2690 MHz); L450A, L450B: <2.65
  IP/IK ratings: L1, L3: IP67; L4: IP67, IK09; L450A, L450B: IP67
  Connector type: SMA male (all)
  Cable: none (all)
Cellular Antennas – External
  SF-ANT3G-2M(5M): outdoor antenna for 3G cellular modem, 2 m (5 m) connecting cable,
    824-894 MHz/900 MHz/1800 MHz/1900 MHz
  SF-ANT4G-2M(5M): outdoor antenna for 4G cellular modem, 2 m (5 m) connecting cable,
    699-960 MHz/1710-2170 MHz/2500-2690 MHz
  SF-ANT-LTE700-7DBI-MGNT: outdoor magnetic-base antenna for LTE options
  Electrical Specifications
    Frequencies
      SF-ANT3G-2M(5M): AMPS (824-894 MHz), ISM (868 MHz), GSM (900 MHz), DCS (1800 MHz), PCS (1900 MHz),
        3G (UMTS 2.1 GHz), WiFi/Bluetooth (2.4 GHz)
      SF-ANT4G-2M(5M): 699-960 MHz / 1710-2170 MHz / 2500-2690 MHz
      SF-ANT-LTE700-7DBI-MGNT: 4G/LTE 700-960 MHz, 1710-2170 MHz, 2500-2700 MHz
    Impedance: 50 Ohms (all)
    Polarization: SF-ANT3G: Linear; SF-ANT4G: Vertical; SF-ANT-LTE700: -
    Gain: SF-ANT3G: 2.2 dBi avg.*; SF-ANT4G: 3 dBi typ.; SF-ANT-LTE700: 7.0 dBi
    VSWR: SF-ANT3G: <2.6:1**; SF-ANT4G: 699-960 MHz <5:1, 1710-2690 MHz <3:1***; SF-ANT-LTE700: <2.5
    IP/IK ratings: SF-ANT3G: IP67; SF-ANT4G: IP67, IK09; SF-ANT-LTE700: -
  Connection Specifications
    Connector type: SF-ANT3G: FME female; SF-ANT4G: SMA male; SF-ANT-LTE700: SMA male
    Cable: SF-ANT3G: RG174U; SF-ANT4G: RG174; SF-ANT-LTE700: RG195
    Cable length: SF-ANT3G: 2 m/5 m; SF-ANT4G: 2 m/5 m; SF-ANT-LTE700: 3 m
*Antenna gain depends on the size of the ground plane
**VSWR stated when measured with 2.5 m RG174 on a 50x50 cm ground plane
***Values stated when measured on a 50x30 cm ground plane
GPS Antenna
  SF-ANT-GPS-PAS-3DBI-MAG/3M: GPS passive antenna, 3 m
  Electrical Specifications
    Center Frequency: 1575.42 ± 3 MHz
    Bandwidth: CF ± 5 MHz
    Impedance: 50 Ohms
    Polarization: RHCP
    Gain (Zenith): 3 dBic
    VSWR: 1.5
  Connection Specifications
    Connector type: SMA male
    Cable: RG174
    Cable length: 3 m
WiFi Antenna
  SF-ANT-WIFI-DUALBAND-3DBI-SMA: WiFi dual band antenna, 3 dBi, for options with WiFi modem
  Electrical Specifications
    Frequencies: 2.4–2.5 GHz; 5.15–5.85 GHz
    Impedance: 50 Ohms
    Polarization: Linear Vertical
    Gain: 2.37 dBi; 2.93 dBi
    IP/IK ratings: IP-65
  Connection Specifications
    Connector type: RP-SMA male straight connector
    Cable: RG-178 coaxial cable
Management and Diagnostics
  Console Port: Ethernet port with the highest number (4 or 6, according to the device ordered), RJ-45
    connector
    Note: Console cable is not included and must be ordered separately (see Optional Accessories).
  LEDs: Including alarm indication and cellular RSSI level
  Dry Contacts: 2 In, 2 Out; 3 In, 1 Out (special ordering option)
    Maximum rating: 60 VDC, 1 A
    Maximum switching power: 30 W, 37.5 VA
General
  Compliance: Enhanced EMI and immunity according to EN 50121-4*; EU CE; FCC and TUV for North
    America; EMC Class A
  Environment
    Storage Temperature: -40 to 85°C (-40 to 185°F)
    Operating Temperature: DIN rail: -40 to 65°C (-40 to 149°F)
    Humidity: Up to 90%
  Physical
    Height: 138 mm (5.43 in)
    Width: 53.3 mm (2.1 in)
    Depth: 123.3 mm (4.85 in)
    Weight: 0.88 kg (1.94 lb)
  Power
    Wide Range Input Voltage: 10.8–26.4 VDC @ 1–0.5 A
    EXT AC Power Supply: 90–240 VAC
    Power Consumption: < 12 W
Software Specifications
Management
  Configuration: Web-based interface using HTTPS or HTTP; CLI with password-protected access
  Protocols: NETCONF server (v1.0/v1.1)/YANG; SNMP v2/v3; Telnet, SSH v2, HTTPS server, TFTP/SFTP
  Users: User roles and privileges
  Monitoring and Diagnostics: Syslog; traceroute, ping; alarm and event logs
  DHCP Server: IPv4, IP subnet pools support 256 addresses
IP Addressing and Routing
  Addressing: IPv4 and IPv6
  Routing Protocols: OSPF v2, BGP v4; VRRP*; IP-BFD for fast route propagation*
  Routing Technologies: Static; policy-based; VRF (10), RIF (32)
  NAT: Static/dynamic; NAPT/NAT
  DHCP: Client, server, relay; IP helper addresses
  DNS: Server
Timing
  Date and Time: Local time setting
  Protocol: SNTPv4
IP Quality of Service
  Classification and Priority: IP-based (DiffServ)
  Queuing: Class-based, SPQ, WFQ
Traffic Processing
  Shaping
  Egress Queues: 4 queues per port
  Classification: Port-based, 802.1p, DSCP
  Scheduling: Strict Priority / WRR
  Marking, remarking
Security
  Access Lists: Standard and extended
  Firewall: Zone-based, stateful
  Session: Monitoring and limiting
  Authentication: Local, RADIUS, TACACS+ (also for authorization and accounting); port-based:
    802.1X* on Ethernet and Wi-Fi
  Public Keys: Public Key Infrastructure with X.509 certification for Zero Touch; certificates with
    SCEP CA server
  Features: Login lockout
IP VPNs
  Protocols: Policy- and route-based IPsec, GRE; GRE over IPsec (GREoIPsec); IKEv1 (main and
    aggressive mode), IKEv2, SHA2; L3 mGRE DMVPN*; L3 IPsec VPN; PPPoE supporting broadband or LTE
    access
  IKE Algorithms: AES CBC 128 and 256, SHA-1, SHA-2 256 and 512
  IKE Hashing Algorithms: SHA1-96-HMAC, SHA2-256-128-HMAC, SHA2-512-256-HMAC
  ESP Algorithms: AES CBC 128 and 256, AES GCM 128 and 256, AES GMAC 128 and 256, null encryption,
    SHA-1, SHA-2 256 and 512
  DH Groups: 1 (768-bit modulus); 2 (1024-bit modulus); 5 (1536-bit modulus); 14 (2048-bit modulus);
    19 (256-bit elliptic curve); 20 (384-bit elliptic curve)
  Technologies: NAT traversal; interoperability with SCEP server 2012 and higher
  Note: DH groups 1, 2 and 5, SHA-1 and IKEv1 aggressive mode are offered for interoperability with
    older peers; they are considered weak, so new tunnels should use IKEv2 with DH group 14, 19 or 20,
    SHA-2 and AES (GCM where the peer supports it). Null encryption and GMAC provide integrity only,
    with no confidentiality.
Advanced Technologies
Containers
LXC/LXD
Zone-based Firewall
Type
Stateless (ACL-like)
Stateful (monitors connection state; e.g. only allows a connection to be started from inside the organization)
IPv4 and IPv6 NAT
SNAT, DNAT
REDIRECT
Masquerading (PAT)
Security Measures
DDOS protection: SYN and RST flood prevention
Configuration
via Web GUI
Rules
Interfaces are assigned to zones, for which a set of rules is configured
IPv4 and IPv6
Can be limited to specific days, dates and times
Number of connections per rule can be limited
Rule hits reported to local LINUX Syslog
Geo IP: Block or allow traffic based on source or destination country (requires Internet connection)
DPI: Layer 7 rules (e.g. block Skype)
Web content filtering (requires Internet connection, for periodic list updates)
Blacklisting of URL or IP, based on categories (e.g. ads, gambling)
Blacklisting of phrases, based on categories
Limiting downloadable files by extension
DNS Proxy: black list filtering, downloadable periodically from the Internet
Integrated Routing and Bridging (IRB)
Operation Mode
VLAN aware, VLAN un-aware
Static or Dynamic MAC addresses
QoS
VLAN tagging and un-tagging
802.1p priority tagging
ToS/CoS and CoS/ToS mapping
Max number of bridges
2
Max number of bridge ports
32
Max MAC addresses per bridge
512
Wi-Fi
Radio mode 802.11a/b/g/n/ac
Security
WPA2-AES
Users
8 concurrent
SSID
6
Bands
2.5 GHz and 5 GHz
Cellular and GPS
LTE
Single SIM
Dual SIM
Dual LTE modems
Operation Modes
PPP, Eth/DHCP
GPS
Location reporting
OAM
SLA
Monitoring
ICMP echo, UDP echo
ZTP
On-net
Off-net (over unsecured network) performs secure “call home” using Public Key Infrastructure (X.509)
2 Installation and Setup
This chapter provides installation instructions for the SecFlow-1p systems including:
• General description of the equipment enclosure and its panels
• Mechanical and electrical installation instructions
After the system is installed, it must be configured in accordance with the specific user's requirements.
The preliminary system configuration is always performed by means of a supervision terminal
(procedures for using the terminal are detailed in the Operation and Maintenance chapter). After the
preliminary configuration, the system can also be managed by means of SNMP-based network
management stations, e.g., RADview with an integrated SecFlow-1p Network Management tool.
2.1 Safety
Danger of electric shock! Avoid any contact with the marked surface while
the product is energized or connected to outdoor telecommunication lines.
Protective earth: the marked lug or terminal should be connected to the
building protective earth bus.
LINE VOLTAGE
Before connecting the product to the power line, make sure the voltage of
the power source matches the requirements of the product, as marked on
the label located near the power connectors.
Caution
This equipment contains Electrostatic Discharge (ESD) sensitive components.
Use ESD protection before servicing or installing components of this system.
Caution
Changes or modifications made to this device that are not expressly
approved by the party responsible for compliance could void the user’s
authority to operate the equipment.
Caution
Remove the power cord from a power-supply unit before installing it or
remove it from the device. Otherwise, as a result, the power supply or the
device could be damaged. (The device can be running while a power supply
is being installed or removed, but the power supply itself should not be
connected to a power source.)
Caution
The unit is designated to operate in environments of up to 75 degrees
ambient temperature.
Caution
Use Safety approved AC/DC adapter, according to IEC/EN 60950-1 or IEC/EN
62368-1 with rated voltage of 12/24 VDC, certified as LPS.
Caution
Installing or removing a SIM card during modem operation can damage the
modem. Make sure either the modem is disabled (cellular disable) or
SecFlow-1p is turned off, before manipulating the SIM card.
Laser Safety
SecFlow-1p includes Class 1 lasers. For your safety:
• Do not look directly into the optical connectors while the unit is operating. The laser beams are invisible.
• Do not attempt to adjust the laser drive current.
• The use of optical instruments with this product will increase eye hazard. Laser power up to 1 mW at 1300 nm and 1550 nm could be collected by an optical instrument.
• Use of controls or adjustment or performing procedures other than those specified herein may result in hazardous radiation exposure.
Grounding
For your protection and to prevent possible damage to equipment when a
fault condition, e.g., a lightning stroke or contact with high voltage power
lines, occurs on the lines connected to the equipment, the chassis must be
properly grounded (earthed) at any time. Any interruption of the protective
(grounding) connection inside or outside the equipment, or the
disconnection of the protective ground terminal can make this equipment
dangerous. Intentional interruption is prohibited.
2.2 Site Requirements and Prerequisites
Warning
SecFlow-1p must be installed by qualified personnel according to the National Electrical Code or Local Electrical Regulation.
Always observe standard safety precautions during installation, operation, and maintenance of this product.
Warning
This is a radio device. To avoid radiation-related health problems per EN 62311:2008, the minimum distance from the human body to an operating product should be at least 25 cm.
Note
Before connecting this product to a power source, make sure to read the Handling Energized Products section at the beginning of this manual.
Caution
SecFlow-1p is intended for installation in a Restricted Access Location.
Caution
SecFlow-1p does not have a power switch, and therefore will start
operating as soon as power is applied to one of the power supply inlets.
The external circuit breaker used to protect the input power line can be used
as an ON/OFF power switch, or an external ON/OFF switch may be installed.
Power
Available power input versions and their respective maximum current are shown in the table below.
Power Inputs and Max Current
DC Power Input | Max Input Current [A]
12V | 1A
24V | 0.5
Ambient Requirements
The ambient storage temperature range of SecFlow-1p is -40 to 85°C (-40 to 185°F). Operating
temperature is -20 to 65°C (-4 to 149°F); humidity up to 90%.
SecFlow-1p has no fans and is cooled mainly by free air convection. Keep 10 cm distance from top and
bottom between SecFlow-1p and any other nearby device for proper cooling using natural air flow.
2.3 Package Contents
The SecFlow-1p package includes the following items:
• SecFlow-1p unit
• CBL-ETH/STP/STR/1M – Console port cable (if ordered)
• External desktop AC power supply kit (if /ACEX option is ordered)
• Terminal block power plug (if /DC option is ordered)
Note
If /DC option is ordered, the power supply must be provided by the customer. However, you can also order this option and SF-AC-12VDC-20W power supply, allowing both DIN rail installation and connecting to AC power.
• SF-AC-12VDC-20W, external DIN Rail AC to 12VDC 20W power supply for SF-1P/DC devices (if ordered)
• Optional: One or two cellular antennas as per ordering option
• Optional: Two WiFi antennas as per the ordering option
• Optional: A GPS antenna as per the ordering option
• Optional: CBL-RJ45/D9/F/6FT – Serial port cable with male RJ-45 and female DB-9 connector
• Optional: CBL-SF-RJ45-RS485 – Serial port open cable with male RJ-45 connector
2.4 Physical Installation
SecFlow-1p is designed as a fixed unit connected in its rear side to an industry-standard DIN rail. The
DIN-rail mount is the default SecFlow-1p setup.
Warning
RAD products must be transported to installation sites in their original packaging. Failing to do so may damage the equipment and voids the warranty.
Required Equipment
SecFlow-1p needs no special tools for installation. You need a screwdriver to remove the unit from a 35
mm DIN rail.
The cables needed to connect to SecFlow-1p depend on your specific application. You can prepare the
appropriate cables yourself in accordance with the information given in the Connection Data appendix,
or you can order cables from RAD.
Wall Mounting
The following mounting instructions assume that a standard DIN rail has been previously installed. If one
has not, use the installation instructions that come with the DIN rail to mount the DIN rail on the wall.
Locate the DIN mounting brackets on the back of the device.
To mount SecFlow-1p:
1. Place the device with the DIN rail guide on the upper edge of the DIN rail.
2. Snap it in with a downward motion.
DIN Rail Mounting
To remove SecFlow-1p from the DIN rail:
1. Pull the latch downwards with the aid of a screwdriver to loosen the lower clamp.
2. Slide the device out and up at the lower edge of the DIN rail.
Caution
Product installation must be vertical so that the device bottom panel faces
downwards.
SecFlow-1p Dismantling
Installing Antennas
The number and type of antennas supplied with SecFlow-1p depends on the ordering option. For the
technical specifications of the supplied antennas, refer to Antennas.
For optimal signal performance, it is recommended to connect both antennas of the same type that
come with the device.
Note
If you connect only one antenna, verify that it is connected to the upper
(MAIN) connector on the front panel.
To install the antenna:
• Screw the antenna on the appropriate connector.
Connectors
The LTE connectors are located on the front panel and designated LTE/LTE1/LTE2 MAIN and LTE/LTE1/LTE2 AUX.
The WiFi connectors are located on the top panel and designated WIFI MAIN and WIFI AUX.
For LTE and GPS antennas, SMA female connectors are used.
For WiFi antennas, RP-SMA connectors are used.
Note
In the dual-LTE modem platform, the GPS antenna is connected to the modem in slot 1 (specified as Lx1 in the ordering string SF-1P/@/#/$/Lx1/Lx2/&/H1) and coordinates are sent from modem slot 1 only.
Caution
Make sure you use the correct connector for each antenna type.
LTE Antennas
If a single LTE antenna is used, the main antenna supports both Rx and Tx. Adding a second antenna
splits Tx and Rx to one antenna each.
Installing a SIM Card
SecFlow-1p provides a cellular interface that requires an active SIM card. The SIM card compartment on the bottom panel can house up to two SIM cards, providing redundancy and backup of network connectivity.
Note
SIM changing on-the-fly is not allowed. To change the SIM cards, you have to
power the device off and turn it on again once the changing is completed.
To install a SIM card into SecFlow-1p:
1. Make sure the device power is turned off.
2. Unscrew the screw fastening the cover of the SIM compartment.
3. Open the cover and insert the SIM card into one of the slots. Make sure the card direction matches the corresponding icon on the front panel.
4. Close the cover and fasten the screw with the screwdriver.
To remove a SIM card from SecFlow-1p:
1. Make sure the device power is turned off.
2. Unscrew the screw fastening the cover of the SIM compartment.
3. Open the cover and press on the SIM card against the horizontal slot as on the figure below. You
can use any fitting tool, for example a small screwdriver or a pen.
The card comes out.
4. Carefully remove the SIM card from the slot.
5. Close the cover and fasten the screw with the screwdriver.
Installing an SFP
You can install a recognized SFP module with an RJ-45 copper or LC fiber optic connector into a SecFlow-1p Ethernet SFP port.
Third-party SFP optical transceivers must be agency-approved, complying
with the local laser safety regulations for Class I laser equipment. The laser
product must be safety approved to IEC 60825 and CDRH registered.
Caution
When calculating optical link budget, always take into account adverse
effects of temperature changes, optical power degradation, and so on. To
compensate for signal loss, leave a 3 dB margin. For example, instead of
maximum receiver sensitivity of -28 dBm, consider the sensitivity measured
at the Rx side to be -25 dBm. Information about Rx sensitivity of fiber optic
interfaces is available in the Pluggable Transceivers data sheet.
To install the SFP:
1. Lock the wire latch of the SFP module by lifting it up until it clicks into place, as illustrated on the
picture below.
Note
Some SFP models have a plastic door instead of a wire latch.
Locking the SFP Wire Latch
2. Carefully remove the dust covers from the SFP slot.
3. Insert the rear end of the SFP into the socket, and push slowly backwards to mate the
connectors until the SFP clicks into place. If you feel resistance before the connectors are fully
mated, retract the SFP using the wire latch as a pulling handle, and then repeat the procedure.
Caution
Insert the SFP gently. Using force can damage the connecting pins.
4. Remove the protective rubber caps from the SFP modules.
To remove the SFP module:
1. Disconnect the fiber optic cables from the SFP module.
2. Unlock the wire latch by lowering it downwards (as opposed to locking).
3. Hold the wire latch and pull the SFP module out of the Ethernet port.
Caution
Do not remove the SFP while the fiber optic cables are still connected. This
may result in physical damage (such as a chipped SFP module clip or socket),
or cause malfunction (e.g., the network port redundancy switching may be
interrupted).
Installing a Memory Card
Memory card slot is located on the bottom panel of SecFlow-1p and is designated SD.
To install a memory card to SecFlow-1p:
• Insert the card to the slot marked SD.
To remove a memory card from SecFlow-1p:
• Press on the memory card against the horizontal slot. You can use any fitting tool, for example a small screwdriver or a pen.
Connecting to a Management Console
You can connect one of the SecFlow-1p Ethernet ports to a laptop equipped with a management
application, such as PuTTY, via an 8-pin RJ-45 connector. This port is the Ethernet port with the highest
number, according to the device ordered:
• 6 for 4U2S configurations
• 4 for 2U configurations.
Refer to the Connection Data appendix for the connector pinout.
Caution
Console cables must have a frame ground connection. Use ungrounded
cables when connecting a supervisory terminal to a DC-powered unit with
floating ground. Using improper console cable may result in damage to the
supervisory terminal port.
To connect to a management console:
1. Connect the RJ-45 connector of CBL-ETH/STP/STR/1M cable, available from RAD, to the unit’s
Ethernet port 4.
2. Connect the other end of the CBL-ETH/STP/STR/1M cable to a computer equipped with an ASCII
terminal emulation application.
Note
After completing the configuration of the management console, disconnect
the cable and leave the Ethernet port open.
Connecting to Power
SecFlow-1p has the power input designated according to the device ordering option:
• ACEX – external AC power adaptor
• DC – Wide Range 12/24V input voltage (10.8-26.4 VDC)
Before connecting any cables and before switching on this instrument, the
protective ground terminal of this instrument must be connected to the
protective ground conductor. Any interruption of the protective (grounding)
conductor (inside or outside the instrument) or disconnecting the protective
ground terminal can make this instrument dangerous. Intentional
interruption is prohibited.
Grounding
The SecFlow-1p grounding connector is located on its bottom panel, as shown in the figure below.
To install the grounding wire:
1. Prepare a grounding wire terminated by a crimped lug with hole diameter 11-14 AWG as shown
in the below figure.
2. Use a suitable crimping tool to fasten the lug securely to the wire.
3. Adhere to your company’s policy as to the wire gauge and the number of crimps on the lug.
SecFlow-1p Grounding Lug
4. Apply some anti-oxidant onto the metal surface.
5. Mount the lug on the grounding posts, replace the spring-washers and fasten the bolts. Avoid
using excessive torque.
Caution
Do not remove the earth connection unless all power supply connections are
disconnected.
Caution
Protective earth: the marked lug or terminal should be connected to the
building protective earth bus.
Connecting to DC Power
If /DC option is ordered, the power supply must be provided by the customer. RAD provides a 3-prong
terminal block power plug for DC power connection.
Note
You can also order this option and SF-AC-12VDC-20W power supply, allowing
both DIN rail installation and connecting to AC power.
Caution
SecFlow-1p should be powered from external, separately approved and
suitably rated power supply, providing SELV output.
To wire the voltage, use the supplied plug connector (see figures below), according to the pinout shown
on the DC power terminal located on the device bottom panel.
Plug Connector Wiring
DC Power Terminal
To connect the device to a DC power source:
1. Strip 7 mm (1/4 inch) of insulation from the leads (copper wire within the range of 10 to 18
AWG).
2. Release two terminal screws on the plug.
3. Push the lead into the plug terminal block up to its insulating sleeve.
4. When the lead is in position, fasten the screw to secure the lead.
5. Verify that the lead is securely held.
6. Insert the plug into the socket on the device.
7. Secure the plug by tightening the two screws.
8. Connect the leads to an external DC power source (color code the wiring according to local
standards to ensure that the input power and ground lines are easily distinguished).
9. Turn on the power to the feed lines at the supply circuit-breaker.
10. Verify that the power supply PWR LED is green.
Connecting to AC Power
If /ACEX option is ordered, an external desktop AC power supply kit is supplied (see the figure below).
If you want a DIN Rail power supply, RAD offers the SF-AC-12VDC-20W power supply, allowing both DIN rail installation and connecting to AC power (see below). The SF-AC-12VDC-20W power supply is the ACEX power supply with DIN rail mounting brackets.
To connect the device to an AC power source:
1. Release two terminal screws on the terminal block plug.
2. Insert the orange lead of the ACEX/SF-AC-12VDC-20W power supply to the right socket of the
plug and the white lead – into the middle socket.
3. Fasten the screws on the plug.
4. Verify that the lead is securely held.
5. Insert the plug into the socket on the device.
DC Power Terminal
6. Secure the plug by tightening the two screws.
7. Connect the power supply to the power cord.
8. Connect the power cord to the AC mains.
9. Turn on the power to the feed lines at the supply circuit-breaker.
10. Verify that the power supply PWR LED is green.
Connecting to Ethernet Equipment
SecFlow-1p is connected to Ethernet equipment via the fiber optic SFP transceiver with LC connector or
the electrical port with the standard RJ-45 connectors.
To connect to Ethernet equipment with the fiber optic interface:
• Connect SecFlow-1p to the Ethernet equipment at customer premises using the standard fiber optic cable terminated with LC connector.
To connect to Ethernet equipment with copper interface:
• Connect SecFlow-1p to the Ethernet equipment at customer premises using the standard CAT5 cable or better terminated with RJ-45 connector.
Connecting to Serial Equipment
SecFlow-1p serial ports are terminated in RJ-45 connectors. The user serial equipment standard ports
have DB-9 connectors. Refer to the Connection Data appendix for the RJ-45 connector pinout.
To connect to serial equipment:
• Connect the RJ-45 serial port to serial equipment at customer premises using CBL-RJ45/D9/F/6FT cable terminated with the RJ-45 connector.
Connecting to a Dry Contacts Terminal
Note
A circuit intended for connection to the Dry Contact interface should be
limited to 60 VDC maximum, 1A maximum, 37.5 VA maximum, under normal
and single fault condition.
SecFlow-1p performs discrete IO tunneling via a terminal block located on the bottom.
Dry Contacts Terminal Block
The supported input alarm is:
• typical – 48 VDC
• minimal – 9 VDC
• maximal – 60 VDC
When the administrative status of the dry contacts is enabled, on the state change (SET/CLEAR) of any
defined input or output alarm, the following reports are sent:
• Syslog event
• Device log event
• SNMP trap
The default ordering option of the device features 2 inputs and 2 outputs.
In addition to the default 2inx2out configuration of the Dry Contact block, another ordering option (designated /3DI) is available, which expands the number of analog inputs to three.
2inx2out Option
Pins 1-3 implement the Dry Contacts Output Module. Pin #3 is the output common. Pins #1 and #2 are normally-open relays that can be defined as two independent alarm outputs. Once the configured alarm occurs, the relay changes its state to “close”.
Pins 4-6 implement the Dry Contacts Input Module. Pin #5 is the input common. Pins #4 and #6 are
inputs that can be defined as two independent alarm inputs. A syslog event occurs on each change in
the input state.
Dry Contacts Interface Diagram – Default (2inx2out) option
Refer to the table below for the terminal block pinout.
Dry Contacts Pinout – Default (2inx2out) option
DC CON Pin | Signal Name
6 | DIN2
5 | COM-DIN
4 | DIN1
3 | COM-DOUT
2 | DOUT2
1 | DOUT1
3inx1out Option
In this option, pin 1 implements the Dry Contacts Output Module. Pin #3 is the output common. Pin #1 is
normally-open relay that can be defined as alarm output. Once the configured alarm occurs, the relay
changes its state to “close”.
Pins 2, 4, 6 implement the Dry Contacts Input Module. Pin #5 is the input common. Pins #2, #4 and #6
are inputs that can be defined as three independent alarm inputs. A syslog event occurs on each change
in the input state.
This option is shown in the diagram below.
Dry Contacts Interface Diagram – (3inx1out) option
Refer to the table below for the terminal block pinout.
Dry Contacts Pinout
DC CON Pin | Signal Name
6 | DIN2
5 | COM-DIN
4 | DIN1
3 | COM-DOUT
2 | DIN3
1 | DOUT1
To connect the discrete channel to digital input/output:
1. Strip the insulation of your power supply wires according to the dimensions shown below.
Terminal Block Wire Stripping
2. Place each wire lead into the appropriate TB plug terminal according to the terminal block
scheme.
3. Tighten the terminal screws to close them.
4. Isolate the exposed terminal screws/wire leads using a plastic sleeve or insulating tape to avoid
a short circuit.
Installing the GNSS Antenna
Use of SecFlow-1p with the GNSS ordering option requires installation of a GNSS antenna on the roof of
the building.
Positioning the GNSS Antenna
Damage to an antenna or GNSS receiver is more often due to lightning strikes on nearby objects, rather
than direct strikes on the antenna. These direct or indirect lightning strikes are likely to induce damaging
voltages in the antenna system. Therefore, it is advisable to place the GNSS antenna below and at least
15 meters away from towers, lightning rods, or structures that attract lightning.
Mounting the Lightning Arrestor
It is recommended to install a Lightning Arrestor to further protect your GNSS circuit from lightning
strikes. A Lightning Arrestor is able to handle lightning currents by reducing the pulse energy of the input
surge.
GNSS In-Line Lightning Arrestor
To mount the Lightning Arrestor:
1. Mount the Lightning Arrestor on good earth ground (low impedance), between the GNSS
antenna and the point where the cable enters the building.
2. Connect the GNSS antenna on the roof to the surge side connector at the top of the Lightning
Arrestor using the shortest possible interconnection cable.
3. Connect the protected side connector at the bottom of the Lightning Arrestor to the GPS
receiver (the device) using a coax cable.
4. If the coax cable length connecting the Lightning Arrestor to the GPS receiver is no longer than
20 m, no further safety measures are required.
For longer cable distances, a further fine protector may be needed to protect the receiver
against induced voltages caused by magnetic coupling. If this is the case, contact RAD Technical
Support for more information.
Mounting GNSS In-Line Lightning Arrestor
2.11 Basic Connectivity Tests
Caution
Before leaving the installation site, it is highly recommended that you test
network connectivity between the device and the remote network
management station (for example, by sending a ping).
3 Operation and Maintenance
3.1 Turning On the Unit
When turning on SecFlow-1p, it is useful to monitor the power-up sequence.
Caution
SecFlow-1p does not have a power on/off switch, and will start operating as
soon as power is applied.
To turn on SecFlow-1p:
1. Connect SecFlow-1p to power (see detailed instructions in Connecting to Power). The PWR and
RUN indicators light up and remain lit as long as SecFlow-1p is powered. The PWR indicator
lights up immediately upon turning on, while the RUN indicator lights up in about two minutes.
2. After startup ends, you may log in, using the supervision terminal.
3.2 Indicators
The SecFlow-1p unit’s LED indicators are located on the device’s front panel. These LEDs enable the user
to quickly observe the state of the device. Each LED has a default “normal” functionality.
Note
Depending on the ordering option, some LEDs may not exist.
The following tables summarize the normal functions of the SecFlow-1p LED indicators per device.
SecFlow-1p Front Panel
LED Indicators
Name | LED Color | Function
ALM | Green/Red | Red on: The device has at least one active alarm
    Green blinking: The device is under test
    Note: Only tests that stop port traffic (such as Ethernet port loopback) affect the ALM LED.
RUN | Green | On: Normal operation, system is up
    Off: No power or at early boot stage
    Fast blinking: Linux loading
    Blinking: During Zero Touch procedure, see also the Zero Touch table below.
AUX | Green/Red | Red blinking: ZTP is in process
    Green on: Device has a running container
    Green blinking: Reboot without ZTP is in process
PWR | Green | On – Power is on
LINK/ACT 1 to 6 | Green | On – Link is synchronized
    Off – Power is off
    Blinking – Data is being transmitted or received on the link
SIM1, SIM2 | Green | Single LTE modem platform:
    • On – SIM card is enabled and inserted
    • Off – no SIM card in the slot or SIM card is disabled
    • Blinking – SIM card is connected to mobile network
    Dual LTE modem platform (SIM1 and SIM2 are acting as LTE modem 1 and modem 2 LEDs):
    • On – SIM card is enabled and inserted
    • Off – no SIM card in the slot or SIM card is disabled
    • Blinking – SIM card is connected to mobile network
LTE | Green | Presents RSSI indication, as follows:
    • Four LEDs ON – Excellent signal; RSSI [dBm]: S > -60
    • Three lower LEDs ON – Good signal; RSSI [dBm]: -60 > S > -75
    • Two lower LEDs ON – Fair signal; RSSI [dBm]: -75 > S > -85
    • One lower LED ON – Poor signal; RSSI [dBm]: -85 > S > -105
    • All LEDs OFF – No signal; RSSI [dBm]: S < -105
    Notes:
    • RSSI value and LEDs are updated every five seconds.
    • LEDs indicate status according to the maximal value between the two antennas. For example, if one antenna RSSI is -90 dBm and the second is -70 dBm, the signal strength is good and the three lower LEDs should be on.
    • In the dual-LTE modem platform, the RSSI indication is presented for the modem in slot 1 only.
    • In the dual-LTE modem platform, SIM1 and SIM2 are acting as LTE modem 1 and modem 2 LEDs.
WiFi | Green | On: WiFi physical link is up
    Blinking: WiFi passes data
    Note: Wi-Fi LED indicator is working only on devices with WiFi functionality (“WF” ordering options)
Serial S1-S2 TX/RX LED | Green | TX blinking – Port is transmitting data
    RX blinking – Port is receiving data
The stages of Zero Touch procedure are displayed by the RUN and ALM LEDs as in the table below. In
addition to the LEDs, the particular ZTP operation is displayed by corresponding messages in the CLI.
Zero Touch Status – RUN LED
RUN LED - Green | Status
Blinking: one long, then three short and fast | Bootstrapping phase of Zero Touch is performed
Blinking: one long, then one short and fast | Bootstrapping is in progress: connecting to bootstrap server, downloading configuration, downloading software, rebooting
Blinking: long | Call-home phase of Zero Touch is performed
On | Zero Touch procedure is completed successfully
ALM LED is blinking at the same rate as RUN to indicate the current Zero Touch stage | Zero Touch procedure error
3.3 FD Button
You can restore the device to Default configuration using the Factory Default Button present on the
bottom panel.
To restore the device to Factory Default configuration:
1. Insert a pin into the opening marked FD and hold it pressed for 5 seconds (or more)
2. Wait for the ping reply to default IP 169.254.1.1 via Port 6.
3. Then you can open an SSH session to the device.
3.5 Startup
Applicability and Scaling
All configuration and software files, as well as the loading sequence, are applicable to all SecFlow-1p
versions.
Configuration and Software Files
SecFlow-1p supports the following files:
• Software (two software packs: sw-pack-1, 2). The software files are named according to the current version, for example Syncope-v5.0.0.5002.iso, where 5.0.0.5 is the version number. The file Syncope-v5.0.0.5002.iso is the SecFlow-1p image used for installation onto a disk on key.
• Configuration – running-config, rollback-config, startup-config, user-default-config, factory-default-config, restore-point-config
• Zero touch configuration – zero-touch-config-xml
• DB schema – db-schema
• DB configuration – db-config
• Scheduler log – schedule-log
• Alarm and event logs – log, brief-log
• Performance management data – pm-0
• User files – You can store files under any name, for any purpose (e.g. configuration or log backup) in the user directory.
• Syslog accounting local log – accounting-log
Refer to File Operations in the Administration chapter for details on file operations.
Software Files
At any time, SecFlow-1p has at least one and possibly two software packs, named sw-pack-1 and
sw-pack-2. Only one of these software packs is installed and active.
Configuration Files
SecFlow-1p supports the following configuration files, containing configuration settings:
• factory-default-config – contains the manufacturer default settings. At startup, factory-default-config is loaded if startup-config, rollback-config, and user-default-config are missing or invalid.
• rollback-config – serves as a backup for startup-config. At startup, rollback-config is loaded if it exists and is valid, and if startup-config is missing or invalid.
• restore-point-config – created by SecFlow-1p when software is installed with the restore point option.
• running-config – contains the current configuration that the device is running. This file is deleted and rebuilt at device reboot.
• startup-config – contains saved non-default user configuration. This file is not automatically created. You can use the save or copy command to create it. At startup, startup-config is loaded if it exists and is valid.
• user-default-config – contains default user configuration. This file is not automatically created. You can use the copy command to create it. At startup, user-default-config is loaded if startup-config and rollback-config are missing or invalid.
Note
Configuration files should contain only printable ASCII characters (0x20–0x7E),
<Enter> (0x0D), <Line Feed> (0x0A), and <Tab> (0x09).
Loading Sequence
At startup, the device attempts to load configuration files in the following sequence until a valid one is
found:
• startup-config
• rollback-config
• user-default-config
• factory-default-config
If an error is encountered while loading a file, the default is to ignore the error and continue loading.
You can use the on-configuration-error command to change this behavior, to either stop loading the file
when the first error is encountered, or reject the file and reboot (after rebooting, the next file in the
loading sequence is loaded).
To display the parameter values after startup, use the info [detail] command.
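The following Python model is an added example, not code from the manual or from RAD's software: it walks the loading order above, treats a file as invalid when it is missing, empty, or violates the character-set rule from the note, and shows how the three on-configuration-error behaviors (ignore, stop, reject) change which file ends up loaded. The sample files, the set of "known" commands and all function names are constructed for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Character set the manual permits in configuration files:
# printable ASCII 0x20-0x7E, CR, LF and Tab.
ALLOWED_BYTES = set(range(0x20, 0x7F)) | {0x0D, 0x0A, 0x09}

# Order in which the device tries configuration files at startup.
LOAD_ORDER = ("startup-config", "rollback-config",
              "user-default-config", "factory-default-config")


def config_is_valid(data: Optional[bytes]) -> bool:
    """A missing or empty file, or one containing a disallowed byte, is not loadable."""
    return bool(data) and all(b in ALLOWED_BYTES for b in data)


def apply_config(lines: List[str], execute: Callable[[str], bool],
                 on_error: str) -> Tuple[Optional[List[str]], List[str]]:
    """Run a file's command lines; on_error is 'ignore' (the default), 'stop' or 'reject'.

    Returns (applied, errors). applied is None when the file is rejected, which
    tells the caller to fall through to the next file in LOAD_ORDER (the real
    device reboots before doing so).
    """
    applied, errors = [], []
    for line in lines:
        if execute(line):
            applied.append(line)
            continue
        errors.append(line)
        if on_error == "stop":
            break
        if on_error == "reject":
            return None, errors
    return applied, errors


def load_configuration(files: Dict[str, bytes], execute: Callable[[str], bool],
                       on_error: str = "ignore"):
    """Walk LOAD_ORDER and return (file loaded, applied lines, erroring lines)."""
    for name in LOAD_ORDER:
        data = files.get(name)
        if not config_is_valid(data):
            continue  # missing or invalid: try the next file
        lines = [ln for ln in data.decode("ascii").splitlines() if ln.strip()]
        applied, errors = apply_config(lines, execute, on_error)
        if applied is not None:
            return name, applied, errors
    return None, [], []


# Constructed command executor: a line is accepted if its first word is "known".
KNOWN = {"configure", "name", "exit", "interface", "address", "no"}


def execute_cli_line(line: str) -> bool:
    return line.split()[0] in KNOWN


# Constructed sample files. startup-config carries a non-ASCII byte (0xE9), so it
# fails the character-set rule; rollback-config contains one unknown command.
SAMPLE_FILES = {
    "startup-config": b"configure system\nname \xe9quipe\nexit all\n",
    "rollback-config": b"configure system\nname site-a\nbogus-command 1\nexit all\n",
    "user-default-config": b"configure system\nname default\nexit all\n",
    "factory-default-config": b"configure system\nexit all\n",
}

if __name__ == "__main__":
    for mode in ("ignore", "stop", "reject"):
        loaded, applied, errors = load_configuration(SAMPLE_FILES, execute_cli_line, mode)
        print(f"{mode:7s} -> loaded {loaded}, {len(applied)} lines applied, errors: {errors}")
```

With the sample files, ignore and stop both end up on rollback-config (the invalid startup-config is skipped), while reject discards rollback-config on its bad line and falls through to user-default-config.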
3.6 Working with Custom Configuration Files
In large deployments, often a central network administrator sends configuration files to the remote
locations and all that remains for the local technician to do is replace the IP address in the file or other
similar minor changes, and then download the file to the device. Alternatively, the technician can
download the file as is to the device, log in to the device and make the required changes, and then save
the configuration.
To download the configuration file, use the global copy command (refer to the Administration chapter).
After downloading the configuration file, the unit must be reset in order to execute the file. After the
unit completes its startup, the custom configuration is complete.
To ease deployment of large numbers of devices, you can automatically distribute software and
configuration files in the following ways:
• Use On-Net Zero Touch provisioning (ZTP) to enable units to automatically receive an IP address,
and software and configuration files (see On-Net Zero Touch for details).
• Use PPPoE (Point-to-Point Protocol over Ethernet) to establish a management channel through
which an IP address can be acquired (refer to Point-to-Point Protocol over Ethernet (PPPoE) in
the Management and Security chapter, for details). For instance, the IP address can be acquired
from a broadband remote access server (BRAS). The BRAS then notifies a Radius server, which in
turn reports to a management system, such as RADview, that a new device is up. The
management system then sends software and configuration files to the device.
Applicability and Scaling
Zero Touch is applicable to all the SecFlow-1p versions.
Factory Defaults
Off-Net Zero Touch via bootstrap server is disabled by default (no ztc-bootstrap).
Saving Configuration Changes
You must save your configuration if you wish to have it available, as it is not saved automatically.
You can save your configuration as follows:
• Use the save command to save running-config as startup-config.
• Use the copy command to copy running-config to startup-config or user-default-config.
Additionally, some commands erase the configuration saved in startup-config by copying another file to
it and then resetting the device. The figure below indicates the commands that copy to startup-config,
and whether the device resets after copying.
To save the user configuration in startup-config:
1. Enter: save
2. At any level, enter: copy running-config startup-config
To save the user default configuration in user-default-config:
• At any level, enter: copy running-config user-default-config.
Confirming the Startup Configuration File
SecFlow-1p supports the enabling of active confirmation of the startup-config file following reboot.
Confirmation of startup-config prevents loss of the management link to a remote device due to
erroneous configuration.
If you enable the startup-confirm-required request, the next time the device reboots, you must enter
the global command startup-config-confirm in order to confirm startup-config within the configured
timeout period. (This command is only relevant if you run startup-confirm-required and then reboot the
device; otherwise, it is masked.)
If you confirm the new startup-config within the configured timeout period, SecFlow-1p loads
startup-config and copies running-config or any other user-specified configuration file to rollback-config.
If you do not confirm the new startup-config before the timeout, the device rejects
startup-config, reboots, and attempts to load the next available configuration file (rollback-config,
user-default-config, factory-default-config).
To enable startup-config confirmation following reboot:
• At the admin# prompt enter:
startup-confirm-required [time-to-confirm <minutes>] [rollback {startup-config |
user-default-config | factory-default-config | running-config}]
The <minutes> parameter defines the confirmation timeout, range 1–65535 (default 5). If
rollback <config-file> is specified, the specified configuration file is copied to rollback-config.
For example, entering rollback user-default-config copies user-default-config to rollback-config.
Note
If rollback is not specified and rollback-config is invalid or does not exist, the
device copies running-config to rollback-config upon execution of
startup-confirm-required.
On-Net Zero Touch
The on-net Zero Touch feature allows SecFlow-1p to receive software and configuration files
automatically, when SecFlow-1p is located in the same network, eliminating the need to manually log
into SecFlow-1p in order to transfer the required files to it.
The following zero touch mechanisms enable automatic provisioning of SecFlow-1p:
• Zero Touch via DHCP – SecFlow-1p retrieves configuration information from the DHCPv4 server
(see Zero Touch via DHCP/DHCPv6).
• Zero Touch via DHCPv6 – SecFlow-1p retrieves configuration information from the DHCPv6
server (see Zero Touch via DHCP/DHCPv6).
• Zero Touch via trap – SecFlow-1p sends a notification trap to the management system (see Zero
Touch via Trap), so that the management system can perform the appropriate provisioning.
Zero Touch via DHCP/DHCPv6
This section describes Zero Touch provisioning via DHCP (for IPv4) or DHCPv6 (for IPv6).
Prerequisites
• A Zero Touch Configuration (ZTC) XML file, containing directives regarding downloading and
installation of software and configuration files. See ZTC File Structure for details on how to
prepare this file.
• A DHCPv4/DHCPv6 server for providing the TFTP server address, in addition to the usual IP
address, default gateway, etc.
• A TFTP server from which to download the following:
  – ZTC file
  – Software image file, if required by the directives
  – Configuration file, if required by the directives
Sequence
1. At reboot, SecFlow-1p obtains a DHCPv4 lease from the DHCPv4 server and/or a DHCPv6 lease
from the DHCPv6 server. If SecFlow-1p receives more than one lease that contains ZTC
directives (from multiple interfaces), it processes them one by one. After the first one is
finished, either successfully or not (e.g. reaching a timeout during file download), the device
proceeds with the directives received in the second lease.
2. For DHCP: The lease provides the device IP address (for device management), TFTP server IP
address, either via option 150, or as a string via option 66 (the string is interpreted as an IP
address rather than a device name). Option 66 is valid only if the string is formatted as
(‘xxx.xxx.xxx.xxx’). Optionally, the DHCP lease provides the path and/or the file name of the ZTP
file via DHCP option 67.
3. For DHCPv6: The lease provides the device IP address (for device management), TFTP server
address via CableLabs vendor-specific (17) sub-option 32, provided that SecFlow-1p supports it.
If multiple TFTP server addresses are received, only the first one is used. Optionally, the DHCPv6
lease provides the path and/or the file name of the ZTP file via DHCPv6 sub-option 33.
4. If a valid file name is not obtained, SecFlow-1p tries to download the file considering the option
67 as a path, and the default file name rad.xml is added to it. If this attempt fails as well, the
third time SecFlow-1p uses the path rad/ with the file name rad.xml.
5. If the last attempt fails, the ZTC process finishes unsuccessfully and SecFlow-1p sends the event
download_end with error indication.
6. If the ZTC file is loaded successfully, SecFlow-1p sends the event download_end (with success
indication) to any configured network managers, and saves the ZTC file as
zero-touch-config-xml.
7. If zero-touch-config-xml contains directives for a software file, SecFlow-1p does one of the
following, according to the action specified in the directives:
  – upgrade-only – Load software file if it is newer than the active software image.
  – downgrade-only – Load software file if it is older than the active software image.
  – replace – Load software file if different from the active software image.
8. If zero-touch-config-xml contains directives for a configuration file, then if the action specified
in the directives is replace-cfg, SecFlow-1p loads the specified configuration file if it is different
than the last configuration file loaded via the ZTC mechanism, and saves it as specified by
startup-config.
9. If a software file was downloaded, SecFlow-1p installs it as the active software pack.
10. If a software file and/or configuration file was downloaded, SecFlow-1p reboots. After startup,
the normal startup loading sequence is performed, so that if startup-config is loaded in the
sequence, SecFlow-1p executes the CLI commands in the file.
If the ZTC process ends successfully, SecFlow-1p sends the event download_end (with success
indication) to any configured network managers.
If an error occurs in the ZTC process, SecFlow-1p does the following:
• Sends the event download_end (with failed indication) to any configured network managers
• Starts a timer lasting about 2-4 minutes
• When the timer expires, SecFlow-1p again attempts the ZTC process.
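As an added example (not part of the manual or of RAD's software), the following Python reproduces the address and file-name selection from steps 2 and 4 above for the DHCPv4 case: option 150 or a dotted-quad option 66 string yields the TFTP server, option 67 yields the first path to try, then option 67 taken as a directory plus rad.xml, then rad/rad.xml, and the outcome maps to the download_end event and the 2-4 minute retry timer. The in-memory TFTP store, the treatment of a trailing slash as "not a file name", and taking only the first option 150 address are assumptions made for the example.

```python
import ipaddress
import random
from typing import Callable, List, Optional, Tuple

DEFAULT_ZTC_FILE = "rad.xml"
DEFAULT_ZTC_DIR = "rad/"


def tftp_server_from_dhcp(option150: Optional[List[str]] = None,
                          option66: Optional[str] = None) -> Optional[str]:
    """Return the TFTP server address, or None if the lease does not provide one.

    Option 150 carries addresses directly (the first one is used here; an
    assumption for the example). Option 66 is a string and is accepted only
    when it is a dotted-quad IPv4 address, because the manual says the string is
    interpreted as an address rather than a device name.
    """
    if option150:
        return str(ipaddress.IPv4Address(option150[0]))
    if option66:
        try:
            return str(ipaddress.IPv4Address(option66.strip()))
        except ValueError:
            return None  # a host name is not usable
    return None


def ztc_download_attempts(option67: Optional[str] = None) -> List[str]:
    """Ordered paths the device tries on the TFTP server for the ZTC file.

    1. option 67 as the full file name, if it names a file
    2. option 67 taken as a directory, with rad.xml appended
    3. rad/rad.xml
    """
    attempts = []
    value = (option67 or "").strip()
    if value and not value.endswith("/"):
        attempts.append(value)
    directory = value if (not value or value.endswith("/")) else value + "/"
    attempts.append(directory + DEFAULT_ZTC_FILE)
    attempts.append(DEFAULT_ZTC_DIR + DEFAULT_ZTC_FILE)
    return list(dict.fromkeys(attempts))  # drop duplicates, keep order


def fetch_ztc_file(server: str, attempts: List[str],
                   tftp_get: Callable[[str, str], Optional[bytes]]
                   ) -> Tuple[Optional[str], Optional[bytes], str]:
    """Try each path in turn; return (path, data, download_end event text)."""
    for path in attempts:
        data = tftp_get(server, path)
        if data is not None:
            return path, data, "download_end (success)"
    return None, None, "download_end (error)"


def retry_delay_seconds() -> int:
    """Delay before the next ZTC attempt after a failure: about 2-4 minutes."""
    return random.randint(120, 240)


# Constructed stand-in for a TFTP server: (server, path) -> file bytes.
FAKE_TFTP = {
    ("192.0.2.10", "rad/rad.xml"): b"<rpc/>",
    ("192.0.2.10", "site-a/sf1p.xml"): b"<rpc message-id='1'/>",
}


def fake_tftp_get(server: str, path: str) -> Optional[bytes]:
    return FAKE_TFTP.get((server, path))


if __name__ == "__main__":
    server = tftp_server_from_dhcp(option66="192.0.2.10")
    path, data, event = fetch_ztc_file(server, ztc_download_attempts("site-b/"), fake_tftp_get)
    print(server, path, event)
```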
ZTC File Structure
This section describes the ZTC directives in the ZTC file, which is written in standard XML, based on the
NETCONF schema. The file can contain directives for one or more devices. This flexibility enables the use
of one ZTC file per device, or one ZTC file for all devices. ZTC File Example shows a ZTC file containing
directives for SecFlow-1p.
The directives are enclosed in the element pair <zero-touch-configuration>
</zero-touch-configuration>. The ZTC directives for a particular device are enclosed by an element pair
named according to the chassis name in the inventory display (refer to Resetting to
Default). The file can contain software-related directives and/or configuration-related directives for
each device.
The following software directives supply information about the software file to download:
• sw-version – version of the software to download; must be formatted in the same way as the
chassis software revision displayed in the inventory display (refer to Inventory).
• sw-action – software installation to perform:
  – upgrade-only – Load software file if sw-version specifies a newer version than the chassis
software revision.
  – downgrade-only – Load software file if sw-version specifies an older version than the
chassis software revision.
  – replace – Load software file if sw-version specifies a version that is different from the
chassis software revision.
• sw-src-file – path and name of the software to download
• sw-dst-file – file name for saving the downloaded software:
  – sw-pack-<n> – File is saved as the specified name, if it is not the active software.
  – auto – File is saved as follows:
    · If there is an unused software pack number, and there is enough space in the file
system, then the file is saved as sw-pack-<n>, where <n> is the smallest unused software
pack number.
    · If all software pack numbers are in use, or if there is not enough space to save the
software, then the file is saved as sw-pack-<n>, where <n> is the software pack number
of the oldest version.
The following configuration directives supply information about the configuration file to download:
• cfg-version – version of configuration to download
• cfg-action – action to take regarding configuration:
  – replace-cfg – Load configuration file if cfg-version is different than the last ZTC configuration
version.
• cfg-src-file – path and name of the configuration file to download
• cfg-dst-file – specifies the name under which to save the downloaded configuration file; must
contain startup-config
ZTC File Examples
In this example, the software pack is to be chosen automatically (auto).
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <zero-touch-configuration xmlns="http://www.rad.com/schema/zero-touch-configuration/1.0">
        <SF-1p>
          <sw-version>5.0.0(0.05)</sw-version>
          <sw-action>replace</sw-action>
          <sw-src-file>sw-pack_test.bin</sw-src-file>
          <sw-dst-file>auto</sw-dst-file>
          <cfg-version>pcpe_2.2</cfg-version>
          <cfg-action>replace-cfg</cfg-action>
          <cfg-src-file>cfg_file.txt</cfg-src-file>
          <cfg-dst-file>startup-config</cfg-dst-file>
        </SF-1p>
      </zero-touch-configuration>
    </config>
  </edit-config>
</rpc>
In this example, the software pack is entered manually (sw-pack-2).
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <zero-touch-configuration xmlns="http://www.rad.com/schema/zero-touch-configuration/1.0">
        <SF-1p>
          <sw-version>5.0.0(0.05)</sw-version>
          <sw-action>replace</sw-action>
          <sw-src-file>sw-pack_test.bin</sw-src-file>
          <sw-dst-file>sw-pack-2</sw-dst-file>
          <cfg-version>rados_2</cfg-version>
          <cfg-action>replace-cfg</cfg-action>
          <cfg-src-file>cfg_file.txt</cfg-src-file>
          <cfg-dst-file>startup-config</cfg-dst-file>
        </SF-1p>
      </zero-touch-configuration>
    </config>
  </edit-config>
</rpc>
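To show how a ZTC file like the two above is read and how the sw-action, cfg-action and sw-dst-file rules resolve, here is an added Python example (not RAD's code and not part of the manual). It parses the NETCONF-wrapped XML with the namespaces shown, pulls the directives for one chassis element, and decides whether software or configuration is loaded and which software pack receives the file. The numeric version comparison, the refusal to overwrite the active pack in the auto case, and the sample values are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Namespaces used by the ZTC file examples.
NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
ZTC_NS = "http://www.rad.com/schema/zero-touch-configuration/1.0"

DIRECTIVES = ("sw-version", "sw-action", "sw-src-file", "sw-dst-file",
              "cfg-version", "cfg-action", "cfg-src-file", "cfg-dst-file")

# Constructed sample, following the first example above.
SAMPLE_ZTC = f"""<rpc message-id="1" xmlns="{NETCONF_NS}">
 <edit-config>
  <target><running/></target>
  <config>
   <zero-touch-configuration xmlns="{ZTC_NS}">
    <SF-1p>
     <sw-version>5.0.0(0.05)</sw-version>
     <sw-action>replace</sw-action>
     <sw-src-file>sw-pack_test.bin</sw-src-file>
     <sw-dst-file>auto</sw-dst-file>
     <cfg-version>pcpe_2.2</cfg-version>
     <cfg-action>replace-cfg</cfg-action>
     <cfg-src-file>cfg_file.txt</cfg-src-file>
     <cfg-dst-file>startup-config</cfg-dst-file>
    </SF-1p>
   </zero-touch-configuration>
  </config>
 </edit-config>
</rpc>"""


def version_key(version: str):
    """Order versions by their numeric fields: '5.0.0(0.05)' -> (5, 0, 0, 0, 5).
    This comparison rule is an assumption for the example, not RAD's."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_ztc(xml_text: str, chassis_name: str) -> Optional[Dict[str, str]]:
    """Return the directives for one device, or None if the file has none for it."""
    root = ET.fromstring(xml_text)
    ztc = root.find(f".//{{{ZTC_NS}}}zero-touch-configuration")
    if ztc is None:
        raise ValueError("file has no zero-touch-configuration element")
    device = ztc.find(f"{{{ZTC_NS}}}{chassis_name}")
    if device is None:
        return None
    out = {}
    for tag in DIRECTIVES:
        el = device.find(f"{{{ZTC_NS}}}{tag}")
        if el is not None and el.text:
            out[tag] = el.text.strip()
    return out


def software_needed(d: Dict[str, str], active_version: str) -> bool:
    """Apply sw-action against the chassis software revision."""
    if "sw-version" not in d or "sw-action" not in d:
        return False
    new, cur = version_key(d["sw-version"]), version_key(active_version)
    action = d["sw-action"]
    if action == "upgrade-only":
        return new > cur
    if action == "downgrade-only":
        return new < cur
    if action == "replace":
        return new != cur
    raise ValueError(f"unknown sw-action {action!r}")


def config_needed(d: Dict[str, str], last_ztc_cfg_version: Optional[str]) -> bool:
    """replace-cfg loads the file only if cfg-version changed since the last ZTC run."""
    if d.get("cfg-action") != "replace-cfg":
        return False
    if d.get("cfg-dst-file") != "startup-config":
        raise ValueError("cfg-dst-file must be startup-config")
    return d.get("cfg-version") != last_ztc_cfg_version


def choose_sw_pack(dst: str, active_pack: int, installed: Dict[int, str],
                   space_available: bool = True) -> int:
    """Resolve sw-dst-file to a pack number; installed maps pack number -> version."""
    if dst != "auto":
        m = re.fullmatch(r"sw-pack-(\d+)", dst)
        if m is None:
            raise ValueError(f"bad sw-dst-file {dst!r}")
        n = int(m.group(1))
        if n == active_pack:
            raise ValueError("refusing to overwrite the active software pack")
        return n
    unused = sorted({1, 2} - set(installed))  # the device has two packs
    if unused and space_available:
        return unused[0]
    # All packs in use (or no space): take the oldest version. Excluding the
    # active pack here is an assumption for the example.
    candidates = [n for n in installed if n != active_pack]
    if not candidates:
        raise ValueError("no software pack available for the download")
    return min(candidates, key=lambda n: version_key(installed[n]))
```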
Zero Touch via Trap
SecFlow-1p supports a bootstrap trap.
If a management station address is configured (typically in user-config), you can specify that SecFlow-1p
send a trap periodically to the management station (usually RADview) to notify it of its existence in the
network (by default, this trap is not sent).
To enable sending the trap:
1. Navigate to configure management snmp.
The config>mngmnt>snmp# prompt is displayed.
2. Configure target and target-params (refer to Configuring SNMPv3 Parameters for more
information).
3. Enter:
bootstrap-notification
SecFlow-1p sends the systemBootstrap trap every 120–240 seconds, until the command
no bootstrap-notification is entered, or the management station acknowledges the trap. If
SecFlow-1p reboots before the trap is acknowledged, it resumes sending the trap after it
completes its startup.
Off-Net Zero Touch
This section describes Zero Touch provisioning with a bootstrap server over a public network.
During the off-net Zero Touch process, SecFlow-1p retrieves an Artifact file containing bootstrapping data
from the bootstrap server, in order to establish a secured connection with the NOC.
Prerequisites
• Information elements essential for the Zero Touch procedure (see Public Key Infrastructure for
details on Certificates and X.509):
  – UUID – Device MAC address
  – a private key securely stored in the device
  – X.509 v3 CA Certificate signed by RAD CA
  – X.509 v3 Device Certificate signed by RAD CA (optionally)
An additional element is the path to the bootstrap server.
• A bootstrap server that holds the entire bootstrapping data.
• An Artifact file created for the particular device, recognized by its UUID and stored on the
bootstrap server. The Artifact is a zipped ZT file that can contain all or some of the following
files:
  – bootstrap.cfg – configuration file
  – config_manager.cer – configuration manager X.509 certificate file
  – bootstrap.xml – SW pointer XML file
• Configured NTP server (optionally)
• Configured DHCP or DHCPv6 client (optionally)
Sequence
1. When the SecFlow-1p device is powered on, it either obtains its networking configuration from a
service-provider controlled DHCP server, or starts the ZT process with a static IP if so configured.
It then connects to the bootstrap server via a secured connection, according to its
preconfigured bootstrap server path and based on its preinstalled X.509 certificates. After
mutual or one-way authentication, the device obtains the pre-prepared Artifact from the
bootstrap server. In case of one-way authentication, a password should be configured. Upon
extracting the bootstrapping data, SecFlow-1p acts according to the obtained bootstrapping
data.
2. After successful SecFlow-1p bootstrapping (which may include SW upgrade, applying
configuration and device reboot), SecFlow-1p can open a secure connection to the IPsec/VPN
Gateway in the NOC.
3. When a secure connection between SecFlow-1p and the NOC is established, SecFlow-1p may
call home, i.e. send an enrollment trap to the deployment-specific network manager. When the
network manager receives the device call, it acts according to the corresponding ZT entry,
registers the device and performs complementary provisioning actions.
The ZT process with TFTP bootstrapping always takes precedence over ZT with the bootstrap server; in
other words, if both ZT processes are enabled, only TFTP bootstrapping is performed. However, if during
the ZT process the DHCP options for the TFTP server are not received, TFTP bootstrapping is not
performed and the ZT connection to the bootstrap server is initiated instead.
Exceptional Cases
If the device fails to connect to the bootstrap server, it stops the ZT procedure and attempts to access
the bootstrap server in intervals between two to four minutes.
If the device successfully completed the Artifact download but the Artifact is corrupted according to
the following criteria, it stops the ZT procedure:
• The archived .gz file cannot be extracted by the device
• After successful extraction, one of the following files is missing or has an unexpected name:
  – configuration file (.cfg)
  – SW image pointer XML file
  – RV Configuration manager X.509 certificate
• After successful extraction, the format of one of the following files is corrupt:
  – configuration file (.cfg)
  – SW image pointer XML file
  – RV Configuration manager X.509 certificate
If the device successfully completed the Artifact downloading, but software download failed, it stops the
ZT procedure, terminates all configuration actions (for example, copying received configuration file to
startup-config) and attempts to access the bootstrap server in intervals between two to four minutes.
If the device successfully completed the bootstrapping phase but failed during the call-home phase, it
stops the ZT procedure, applies user-default-config to startup-config, saves and reboots. The ZT
procedure is repeated after the reboot. Failure of the call-home phase is defined according to the
following criteria:
• The entry in bootstrapServerTable is configured with bootstrapServerRevertiveMode = yes (3)
• ZT with the bootstrap server is not confirmed by the manager (bootstrapServerConfirmCmd is not
set to off (2)) within a timeout of 600 sec.
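The corruption criteria above translate directly into a check that a receiving device, or an operator validating an Artifact before publishing it on the bootstrap server, can run. The Python below is an added example, not RAD's implementation: it assumes the Artifact is a gzip-compressed tar archive, requires the three file names listed under Prerequisites, and checks each file's format (configuration file limited to printable ASCII, CR, LF and Tab as the Startup note requires; XML that parses; a PEM-framed certificate whose DER body is an ASN.1 SEQUENCE). The sample files and the placeholder certificate are constructed; a real device would go on to verify the certificate against its installed RAD CA certificate.

```python
import base64
import io
import ssl
import tarfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# File names the manual lists for the Artifact. The exceptional-cases rules treat
# each one as required, so this checker does too.
EXPECTED = ("bootstrap.cfg", "bootstrap.xml", "config_manager.cer")

# Configuration files may hold only printable ASCII, CR, LF and Tab.
ALLOWED_CFG_BYTES = set(range(0x20, 0x7F)) | {0x0D, 0x0A, 0x09}


def cfg_ok(data: bytes) -> bool:
    return bool(data) and all(b in ALLOWED_CFG_BYTES for b in data)


def xml_ok(data: bytes) -> bool:
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False


def cert_ok(data: bytes) -> bool:
    """Structural check only: PEM-framed certificate whose DER is an ASN.1 SEQUENCE.
    Chain validation against the RAD CA certificate is out of scope here."""
    try:
        der = ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return False
    return len(der) > 2 and der[0] == 0x30


def validate_artifact(blob: bytes) -> List[str]:
    """Return the problems found; an empty list means the Artifact is usable."""
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
            members = {m.name: tf.extractfile(m).read()
                       for m in tf.getmembers() if m.isfile()}
    except (tarfile.TarError, OSError, EOFError):
        return ["archive cannot be extracted"]
    problems = [f"missing or unexpected name: {name}"
                for name in EXPECTED if name not in members]
    checks = {"bootstrap.cfg": cfg_ok, "bootstrap.xml": xml_ok,
              "config_manager.cer": cert_ok}
    for name, check in checks.items():
        if name in members and not check(members[name]):
            problems.append(f"corrupt format: {name}")
    return problems


def build_artifact(files: Dict[str, bytes]) -> bytes:
    """Constructed helper: pack files into an in-memory .tar.gz Artifact."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample contents. The "certificate" is a placeholder DER SEQUENCE in
# PEM framing, sufficient for the structural check above and nothing more.
FAKE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(b"\x30\x03\x02\x01\x01").decode() + "\n"
                 + "-----END CERTIFICATE-----\n").encode()

GOOD_FILES = {
    "bootstrap.cfg": b"configure system\nname sf1p-site-a\nexit all\n",
    "bootstrap.xml": b"<sw-pointer><sw-src-file>sw-pack_test.bin</sw-src-file></sw-pointer>",
    "config_manager.cer": FAKE_CERT_PEM,
}

if __name__ == "__main__":
    print(validate_artifact(build_artifact(GOOD_FILES)))
    print(validate_artifact(b"not an archive"))
```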
Configuring Off-Net Zero Touch
To configure ZTC parameters:
1. Navigate to the config>mngmnt>access# prompt.
2. Perform the required tasks according to the following table.

Task                                  Command                              Comments
Start Zero Touch Configuration        ztc-after-reboot                     Type no ztc-after-reboot to start ZTC
process after the next reboot                                              immediately.
Enabling off-net Zero Touch           ztc-bootstrap [url <url-string>]     Type no ztc-bootstrap to disable off-net
Configuration with bootstrap server   [non-revertive] [password            ZTC with bootstrap server.
                                      <password-string> [hash]]            url-string – URL of the bootstrap server
                                                                           non-revertive – SecFlow-1p does not wait
                                                                           for confirmation of the ZTC process by
                                                                           ztc-bootstrap-confirm
                                                                           password-string – Bootstrap server
                                                                           password
Confirming successful completion      ztc-bootstrap-confirm
of off-net Zero Touch
Disabling off-net Zero Touch TFTP     [no] ztc-tftp disable
provisioning

Note
If ZTC revertive mode is set (by omitting non-revertive in ztc-bootstrap), you need to confirm
successful completion; otherwise, the ZTC process will be initiated again after rollback.
You have to enable the bootstrapping revertive mode to allow the RADview configuration manager to
confirm the entire ZT process as a part of the call-home phase, before the device re-initiates the entire
ZT process. Nevertheless, this is an optional procedure that you may choose not to use.
Example
The following is an example of the configuration required for ZTP.
#===============Define config for ZTP ==========#
configure management
access
ztc-bootstrap non-revertive
ztc-tftp-disable
exit all
#===============Define VLAN for Management/Service ==========#
configure port
ethernet 1
vlan <WAN_VLAN_ID>
no shutdown
exit all
configure router 1
name "Router#1"
dhcp-client
duid-type en
dhcpv6-option-request vendor-specific-information-17
exit
interface 1
bind ethernet 1 vlan <WAN_VLAN_ID>
dhcp
dhcp-client
client-id mac
exit
dhcpv6-client
ipv6-autoconfig
no shutdown
Note
The dhcpv6-option-request vendor-specific-information-17 command in the
above configuration, requests the DHCP server to provide the address of the
bootstrap server to SecFlow-1p.
3.7 Configuration and Management
Usually, initial configuration of the management parameters is performed via an ASCII terminal. Once
the management flows and corresponding router interface have been configured, it is possible to access
SecFlow-1p via NETCONF or SNMP for operation configuration. See Configuring SecFlow-1p for SNMP
Management Access for an example of management configuration. For details on configuring the
router, refer to the Router section in the Traffic Processing chapter.
The following table summarizes management options for SecFlow-1p.

Port                   Manager Location  Transport Method  Management Protocol  Application
Ethernet FE/GbE/10GbE  Local, remote     Inband            SSH                  RADview (see Working with RADview below)
                                                                                Terminal emulation application (see
                                                                                Working with SSH below)
                                                           NETCONF              Third-party NETCONF client (see
                                                                                NETCONF-Based Network Management below)
                                                           SNMP                 Third-party NMS (see SNMP-Based Network
                                                                                Management below)

Note
By default, the terminal, SSH, NETCONF, and SNMP management access
methods are enabled. See Configuring Management Access for details on
how to enable/disable a particular method.
3.8 CLI-Based Configuration
SecFlow-1p supports the RAD-OS CLI engine. CLI sessions should be opened remotely, via SSH.
SecFlow-1p supports up to ten concurrent CLI sessions – one local and nine remote.
Working with SSH
You can connect to SecFlow-1p via SSH using a program, such as PuTTY.
Typically, the SSH host is a PC or Unix station with the appropriate suite of TCP/IP protocols.
The management port is the Ethernet port with the highest number, according to the device ordered:
• 6 for 4U2S configurations
• 4 for 2U configurations.
The management interface is set in factory defaults as follows.
For 4U2S (superset) configurations:
interface 32
 address 169.254.1.1/16
 bind ethernet 6
 dhcp-client
  client-id mac
 exit
 no shutdown
For 2U configurations:
interface 32
 address 169.254.1.1/16
 bind ethernet 4
 dhcp-client
  client-id mac
 exit
 no shutdown
You can use an SSH host connected directly or via a local area network.
Login
SecFlow-1p supports various access levels to prevent unauthorized modification of the operating
parameters. Refer to User Access in the Management and Security chapter for more information on the
access levels, as well as a list of the default users defined in the device and information on configuring
additional users.
Note
The superuser (su) can perform all the activities supported by the SecFlow-1p
management facility.
You can log into your device with your username and password.
If you fail to log in to the terminal five times (due to wrong username or password) in less than five
minutes, from the same IP address, the device does the following:
• Blocks further login attempts from the same IP for five minutes. Attempts from remote are
answered with an immediate TCP reset, without trying to authenticate the user. Blocks any
management protocol from the same IP, such as SNMP and NETCONF, for five minutes.
• Logs the failed_login event, with the maximum number of attempts exceeded string.
When the locking period is over, the device lifts the block, even if there were further attempts during
this time. Afterwards, you can fail five more attempts before being locked again.
Note
• An SNMP access attempt with wrong credentials does not count as a
failed login attempt, and the user is not blocked due to it.
• You can display information on recent failed login attempts (of sources
that failed since last being unblocked) by invoking the show failed-login-attempts command
(under the management level). Refer to Viewing Failed Login Attempts in the Management and
Security chapter.
• <CR> for either username or password is ignored, and is not considered a
failed login attempt.
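The lockout rules above, as an added Python model (not code from the manual or from RAD-OS): five failed terminal logins from one source address within five minutes block every management protocol from that address for five minutes, the block is lifted when the period ends regardless of attempts made meanwhile, wrong SNMP credentials are not counted, and a bare <Enter> is ignored. The attempt log, the event tuples and the class and function names are constructed for the example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

MAX_FAILURES = 5      # this many failures ...
WINDOW_SEC = 5 * 60   # ... within this window, from one source IP ...
BLOCK_SEC = 5 * 60    # ... block that IP for this long


class LoginGuard:
    """Source-IP lockout modelled on the manual's rules (constructed example)."""

    def __init__(self) -> None:
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}
        self.events: List[Tuple] = []  # what the device would log

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Locking period over: lift the block even if attempts arrived
            # meanwhile, and count failures from zero again.
            del self.blocked_until[ip]
            self.failures[ip].clear()
            return False
        return True

    def attempt(self, ip: str, protocol: str, username: str, password: str,
                credentials_ok: bool, now: float) -> str:
        if self.is_blocked(ip, now):
            # Every management protocol from a blocked IP is refused without
            # authentication (TCP sessions get an immediate reset).
            self.events.append(("refused", ip, protocol, now))
            return "blocked"
        if protocol == "snmp":
            # Wrong SNMP credentials are not counted as failed logins.
            return "ok" if credentials_ok else "snmp_auth_failed"
        if username == "" or password == "":
            return "ignored"  # a bare <CR> is not a failed attempt
        if credentials_ok:
            return "ok"
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] >= WINDOW_SEC:
            window.popleft()  # only failures inside the five-minute window count
        if len(window) >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SEC
            self.events.append(("failed_login", ip,
                                "maximum number of attempts exceeded", now))
            window.clear()
            return "locked"
        return "failed"


def replay(guard: LoginGuard, attempts) -> List[str]:
    """Feed a list of attempt tuples to the guard and collect the verdicts."""
    return [guard.attempt(*a) for a in attempts]


# Constructed attempt log: (ip, protocol, username, password, credentials_ok, time_s)
SAMPLE_ATTEMPTS = [
    ("10.0.0.5", "ssh", "su", "wrong1", False, 0),
    ("10.0.0.5", "ssh", "su", "wrong2", False, 10),
    ("10.0.0.5", "ssh", "", "", False, 15),            # bare <CR>: ignored
    ("10.0.0.5", "ssh", "su", "wrong3", False, 20),
    ("10.0.0.5", "ssh", "su", "wrong4", False, 30),
    ("10.0.0.5", "ssh", "su", "wrong5", False, 40),    # fifth failure: locked
    ("10.0.0.5", "ssh", "su", "correct", True, 60),    # right password, still refused
    ("10.0.0.5", "snmp", "", "", True, 61),            # SNMP also refused while blocked
    ("10.0.0.9", "ssh", "su", "correct", True, 62),    # another source is unaffected
    ("10.0.0.5", "ssh", "su", "correct", True, 340),   # block lifted at 40 + 300
]

if __name__ == "__main__":
    guard = LoginGuard()
    for attempt, verdict in zip(SAMPLE_ATTEMPTS, replay(guard, SAMPLE_ATTEMPTS)):
        print(f"t={attempt[5]:>4} {attempt[0]} {attempt[1]:4} -> {verdict}")
    for event in guard.events:
        print("event:", event)
```

Note that the block is keyed on the source address, not the user name, which is what makes the SNMP and NETCONF refusals follow from a run of failed terminal logins.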
Logging In
To log in to SecFlow-1p:
1. At the user prompt (user>), enter the user name and press <Enter>.
The password prompt (password>) appears.
2. Enter the password (default is 1234) and press <Enter>.
The base prompt SF-1p# appears.
Note
You can display a banner at login. Refer to the Administration chapter for
details.
Changing Password
It is recommended that you change the users' default passwords, using the special chngpass option, to
prevent unauthorized access to the unit. This option is also useful if a user has forgotten their
password.
To change/restore a password:
1. At the User prompt (config>mngmnt# user>), enter chngpass and press <Enter>.
2. Enter user as user name and press <Enter> to receive a temporary password. With this
password you can enter as user and change the password to your own.
A key code is displayed.
3. Send the key code to RAD Technical Support department.
RAD technical support department will generate a temporary password which is valid for a
single login.
4. Use this temporary password to log in and set a new permanent user name and password.
Lost Superuser Password
If you have lost your superuser password, contact Technical Support via the RADcare Online portal or by
email.
Using the CLI
The CLI consists of commands organized in a tree structure of levels, starting at the base level. Each level
(also referred to as context) can contain levels and commands (see Navigating for more information on
the levels and commands available in SecFlow-1p). The level is indicated by the CLI prompt.
Note
Most commands are available only in their specific context. Global commands
are available in any context. You can enter ? at any level to display the
available commands.
CLI Prompt
The base level prompt contains the device name, which is SecFlow-1p by default (the device name can
be configured in the system level; refer to Device Information in the Administration chapter). The
prompt ends with $, #, or >, depending on the type of entity being configured and the user level.
If a new dynamic entity is being configured, the last character of the prompt is $. Examples of dynamic
entities include flows, QoS profiles, and OAM CFM entities.
If a new dynamic entity is not being configured, the last character of the prompt is > (for tech or user
access levels) or # (for other access levels).
Note
The examples in this manual use # as the last character of the prompt, unless
the creation of a new dynamic entity is being illustrated.
After you type a command at the CLI prompt and press <Enter>, SecFlow-1p responds according to the
command entered.
CLI Inactivity Timeout
If a CLI session is inactive (i.e. no input received) for ten minutes (the default) or the number of minutes
configured in the inactivity timer (refer to timeout and console-timeout configuration in the Control
Ports section of the Management and Security chapter), the device terminates the session and logs the
logout event, with the due to inactivity timeout string.
Navigating
To navigate down the tree, enter the name of the next level. The prompt then reflects the new location.
To navigate up, use the global command exit. To navigate all the way up to the root, enter exit all.
At the prompt, one or more level names separated by a space can be typed, followed (or not) by a
command. If only level names are typed, navigation is performed and the prompt changes to reflect the
current location in the tree. If the level names are followed by a command, the command is executed,
but no navigation is performed and the prompt remains unchanged.
Note
To use show commands without navigating, type show followed by the level
name(s) followed by the rest of the show command.
In the following example, the levels and command were typed together and therefore no navigation was
performed, so the prompt did not change.
configure system date-and-time date-format yyyy-mm-dd
show configure system system-date
2013-06-10
15:08:20 UTC +00:00
In the following example, the levels were typed separately and the navigation is reflected by the
changing prompt.
configure
config# system
config>system# date-and-time
config>system>date-time# date-format yyyy-mm-dd
config>system>date-time# exit
config>system# show system-date
2013-06-10
15:13:23 UTC +00:00
config>system#
Full-Path Command
Full-path command allows you to enter a CLI command anywhere in the tree as if the current level was
the CLI root, by preceding the command or level change with a backslash character. The device executes
the command as if it were invoked from the CLI root.
If you enter a level change (preceded by \) without a command, the CLI does not return to the prompt of
the level that the command was invoked from, but remains at the changed level. For example, the
\configure system command, when invoked from any level in the CLI tree, returns the
SF-1p>config>system# prompt. However, if you enter a level change followed by a command, the system
performs the command and then returns the prompt of the level that the command was invoked from.
For example, if at the SF-1p>admin>scheduler# prompt you enter \configure system name
my-device, the latter command sets the device name to my-device and then returns the prompt
my-device>admin>scheduler#.
Note
Before executing a full path command, the CLI engine exits to the CLI root.
Some commands (e.g. ping) behave differently, depending on the location
they were executed from. The following command, for example, would use a
router 1 source address, although executed from router 2:
SF-1p>config>router(2)# \configure router 1 ping 192.168.1.1
Command Tree
The tree command displays a hierarchical list of all the commands in the CLI tree, starting from the
current context.
To view the entire CLI tree (commands only):
1. At the root level, type tree.
SF-1p# tree
|
+---admin
|   |
|   +---factory-default-all
|   |
|   +---factory-default
|   |
|   +---license
|   |   |
|   |   +---license-enable
|   |   |
|   |   +---show summary
|   |   |
|   |   +---show SF-1p-id
|   |
|   +---reboot
|   |
|   +---scheduler
|       |
|       +---clear-finished-schedules
more..
2. Press <Enter> to see more or <CTRL-C> to return to the prompt.
When adding the detail parameter, the output also includes the parameters and values for each
command.
 To view the CLI tree including all parameters and values:
1. Navigate to the required context by typing level names separated by a space and press <Enter>.
2. Type tree detail and press <Enter>.
config# tree detail
configure
|
+---access-control
|   |
|   +---access-list [{ipv4|ipv6}] <acl-name>
|   |   no access-list <acl-name>
|   |   |
|   |   +---delete <sequence-number>
|   |   |
|   |   +---deny udp <src-address> [<src-port-range>] <dst-address>
|   |   |        [<dst-port-range>] [dscp <dscp-value>] [log] [sequence <sequence>]
|   |   |   deny tcp <src-address> [<src-port-range>] <dst-address>
|   |   |        [<dst-port-range>] [dscp <dscp-value>] [log] [sequence <sequence>]
|   |   |   deny icmp <src-address> <dst-address> [icmp-type <icmp-type-number>]
|   |   |        [icmp-code <icmp-code-number>] [dscp <dscp-value>] [log] [sequence <sequence>]
|   |   |   deny ip [protocol <ip-protocol-number>] <src-address> <dst-address>
3. Press <Enter> to see more or <CTRL-C> to return to the prompt.
Command Structure
CLI commands have the following basic format:
command [parameter]{ value1 | value2 | … | valuen } [ optional-parameter <value> ]
where:
{}    Indicates that one of the values must be selected
[]    Indicates an optional parameter
<>    Indicates a value to be typed by the user according to parameter requirements
You can type only as many letters of the level, command, or parameter as required by the system to
identify it. For example, you can enter config manag to navigate to the management level.
Special Keys
The following keys are available at any time:
?                                  List all commands and levels available at the current level.
<Tab>                              Command-line completion; complete the unambiguous characters of the command, and display a list of available commands beginning with those characters (as when pressing ?).
↑                                  Display the previous command (history forward).
↓                                  Display the next command (history backward).
<Backspace>                        Delete character before cursor.
<Delete>                           Delete character before cursor.
<-                                 Move cursor one character left.
->                                 Move cursor one character right.
<Alt>+B, <Esc>+B                   Move cursor left one word (or go to start of word).
<Alt>+D, <Esc>+D                   Delete until end of word starting from the cursor.
<Alt>+F, <Esc>+F                   Move cursor right one word (or go to end of word).
<Ctrl>+<_> or <Ctrl>+<Shift>+<->   Exit CLI.
<Ctrl>+A                           Move cursor to start of line.
<Ctrl>+B                           Move cursor one character left.
<Ctrl>+C                           Interrupt current command.
<Ctrl>+D                           Delete character to right of cursor.
<Ctrl>+E                           Move cursor to end of line.
<Ctrl>+G                           Return to upper level.
<Ctrl>+H                           Delete character to left of cursor.
<Ctrl>+K                           Delete text from cursor to end of line.
<Ctrl>+L                           Redisplay current line.
<Ctrl>+P                           Display the previous command (history forward).
<Ctrl>+Q                           Resume transmission (XON).
<Ctrl>+S                           Pause transmission (XOFF).
<Ctrl>+U                           Delete text up to cursor.
<Ctrl>+W                           Delete word to the left of cursor.
<Ctrl>+Y                           Paste text last deleted by a shortcut.
<Ctrl>+Z                           Navigate to base level.
Getting Help
You can get help in the following ways:
• Type help to display general help (see General Help).
• Type help <command> to display information on a command and its parameters (see Command Help).
• Type ? to display the commands available in the level (see Level Help).
• Use <Tab> while typing commands and parameters, for string completion (see Command-Line Completion).
• Use ? after typing a command or parameter, for interactive help (see Interactive Help).
General Help
Enter help at any level to display general CLI help, including:
• Short description of CLI interactive help
• Commands and levels available at the current level
• Globally available commands
• CLI special keys (hotkeys)
• Output modifiers for filtering output
• URLs for device manual and shelf view manual
Example of help command output from the root level:
1. Full help - 'help <cmd>'.
2. To complete level name, command, keyword, argument - <tab> ('conf<tab>' =>
'configuration').
3. To display all currently valid levels, commands, keywords or arguments '?' ('name ?' => '<name-of-device>').
Commands and levels:
admin                      + Administrative commands
configure                  + Configure device
file                       + File commands
logon                      - Logon as Debug user
on-configuration-error     - Behavior for configuration error
Global commands:
copy                       - Copy file
echo                       - Displays a line of text (command) on the screen
exec                       - Execute script of CLI commands
exit                       - Returns to the next higher command level (context)
help                       - Displays information regarding commands in the current level
history                    - Displays the history of commands issued since the last restart
info                       - Displays the current device configuration
level-info                 - Displays the current device configuration - commands from the current level only
logout                     - Logs the device off
ping                       - Ping
[no] popup-suspend         - Suspends popup messages
save                       - Save current settings
[no] schedule              - Schedule a command to run in a future time
trace-route                - Traceroute
tree                       - Displays the command levels from the current context downwards
Hotkeys:
Ctrl-H, Del, Backspace     -Delete character left of cursor
Ctrl-D                     -Delete character right of cursor
Ctrl-U                     -Delete text up to cursor
Ctrl-K                     -Delete text from cursor to end of line
Ctrl-W                     -Delete word left of cursor
Alt-D, Esc-D               -Delete word right of cursor
Ctrl-Y                     -Paste last deleted text
Tab                        -Completion token
?                          -Interactive help token
Ctrl-P, Up arrow           -History forward
Down arrow                 -History backward
Ctrl-B, Left arrow         -Move cursor left one character
Right arrow                -Move cursor right one character
Ctrl-A                     -Move cursor to beginning of line
Ctrl-E                     -Move cursor to end of line
Alt-B, Esc-B               -Move cursor left one word
Alt-F, Esc-F               -Move cursor right one word
Ctrl-L                     -Redisplay current line
Ctrl-S                     -Pause transmission (XOFF)
Ctrl-Q                     -Resume transmission (XON)
Ctrl-C                     -Interrupt current command
Ctrl-G                     -Return to upper level
Ctrl-Z                     -Return to CLI root
Ctrl-_                     -Exit CLI
Output Modifiers (usage: 'command | modifier'):
begin <regular-expression>     -Start printing once expression found
exclude <regular-expression>   -Print lines not containing expression
include <regular-expression>   -Print lines containing expression
Show commands can be printed repeatedly by appending 'refresh' to them
SF-1p Installation and Operation Manual : https://www.rad.com/docs/877
Command Help
Enter help <command> to display command and parameter information.
config>system# help name
- name <name-of-device>
- no name
<name-of-device> : Device name [0..255 chars]
Level Help
Enter ? at the command prompt to display the commands available in the current level.
file# ?
delete                        - Delete file
dir                           - Display file directory
show banner-text              - Display banner
show configuration-files      - Displays configuration files properties
show copy                     - Display Copy progress
show factory-default-config   - Display factory-default-config
show rollback-config          - Display rollback-config
show schedule-log             - Display schedule-log
show startup-config           - Display startup-config
show sw-pack                  - Display SW packs
show user-default-config      - Display user-default-config
Command-Line Completion
Command-line completion saves you command-line entry time and reminds you of the syntax of
command-line entities (levels, commands, parameters, and profiles).
In a command-line, SecFlow-1p completes command-line entities, when you press <Tab> immediately
following a string (one or more characters).
Some user-defined entity names can be completed as well. If you enter an entity name that does not
exist in the database, SecFlow-1p creates this entity with the selected name.
• If the command-line entity name can be completed in only one way, when you press <Tab>,
SecFlow-1p autocompletes the entire name and appends a space.
• If the command-line entity name can be completed in more than one way, SecFlow-1p appends
the characters that are common to all possibilities, and displays a list of the completion
possibilities beginning with those characters.
• If the string is already a complete entity name (level/command/parameter/profile) or cannot be
completed to a complete name, no completion is done.
• Pressing <Tab> following a complete command name (followed by a space), displays a list of
available command arguments, if they exist (same behavior as ?).
• Pressing <Tab> following a string and a space returns a CLI error: Ambiguous Command. This is
because the string entered could be completed to more than one command and is therefore
ambiguous.
• Pressing <Tab> at the beginning of a command line behaves like a regular tab, and unlike ?, does
not display a list of available commands.
The following tables show examples of string completion.
Level         String     Possibilities for Completion     Result After Pressing <Tab>
file          show c     show configuration-files         show co
                         show copy
file          show con   show configuration-files         show configuration-files<space>
config>sys    name       name                             name
config        mgm        No possibilities                 mgm
Interactive Help
To get interactive help, type ?.
In general, typing a ? directly after a string displays possibilities for string completion, while typing
<space> and then a ? displays possibilities of the next argument.
When a <CR> appears in a ? list, the string you entered is itself a valid command needing no further
additions. Pressing <Enter> executes the command or navigates to the indicated level.
Typing ? immediately after a command or partial command with no space before the ?, tells SecFlow-1p
to display all possibilities for completing the string. Help output is always followed by the string you
typed with the cursor at the end of the string waiting for input.
config>system# date?
date-and-time          - Configure date and time
config>system# date
admin# fact?
factory-default-all    - Return to factory default and reboot
factory-default        - Return to factory default configuration and reboot
admin# fact
admin# factory-default?
factory-default-all    - Return to factory default and reboot
<CR>
admin# factory-default
Current configuration will be erased and device will reboot with factory default
configuration. Are you sure? [yes/no] _
When a string cannot be completed, SecFlow-1p displays “cli error: Invalid Command”.
admin# stac?
# cli error: Invalid Command
admin# stac
file# da ?
# cli error: Invalid Command
file# da
Typing ? after a space following a command or level name tells SecFlow-1p to display the
possibilities for the next argument. If the string preceding the ? is ambiguous or invalid, an explanatory
message is displayed. The string does not have to be a complete command.
If there is only one possible command starting with that string, pressing <Enter> executes the
command. If more than one command starts with the string, the CLI displays a message that it
cannot determine which command you want.
admin# factory?
factory-default-all    - Return to factory default and reboot
factory-default        - Return to factory default configuration and reboot
A command followed by a ? without a space, shown above, returns a list of possible completions. The
same command followed by a space and then ? returns an ambiguous command message. This means
the string entered could be completed to more than one command and is therefore ambiguous, as
shown below.
admin# factory ?
# cli error: Ambiguous Command
admin# factory
A string that is a complete command name followed by a space ? displays all possible command
parameters.
The next example shows a complete command to which a parameter could be appended. It also shows
how a string that is a complete command is executed by pressing <CR>, or <Enter>.
config>reporting# pm-collection system interval ?
<seconds>    : Duration [1..900]
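The navigation rules described above in Full-Path Command, Command-Line Completion and Interactive Help, modelled in Python as an added example (this is not RAD's code). The CLI_TREE subset, the Session class and the assumption that a command typed without a leading backslash also returns to the invoking level are this example's own.

```python
"""Model of the SecFlow-1p CLI rules described in this chapter: unique-prefix
abbreviation, <Tab> and '?' completion, and the backslash full-path command.
Added example, not RAD code; the tree is a constructed subset of 'tree'."""
import os

# Constructed subset of the CLI tree (dict = level, None = action command).
CLI_TREE = {
    "admin": {
        "factory-default-all": None,
        "factory-default": None,
        "scheduler": {"clear-finished-schedules": None, "show": None},
    },
    "configure": {
        "system": {"date-and-time": {"date-format": None}, "name": None},
        "management": {"radius": None},
    },
    "file": {
        "delete": None,
        "dir": None,
        "show": {"banner-text": None, "configuration-files": None, "copy": None},
    },
}


def resolve(level, token):
    """Return the entry of `level` that `token` uniquely abbreviates.
    Raises ValueError with the CLI's own wording on ambiguity or no match."""
    if token in level:                       # an exact name is never ambiguous
        return token
    matches = [name for name in level if name.startswith(token)]
    if not matches:
        raise ValueError("cli error: Invalid Command")
    if len(matches) > 1:
        raise ValueError("cli error: Ambiguous Command")
    return matches[0]


def complete(level, token):
    """<Tab> after a string: returns (new_string, possibilities). A unique
    match is completed and a space appended; several matches extend the
    string by their common prefix; no match leaves the string unchanged."""
    matches = sorted(name for name in level if name.startswith(token))
    if not matches:
        return token, []
    if len(matches) == 1:
        return matches[0] + " ", matches
    return os.path.commonprefix(matches), matches


def help_query(level, token):
    """'string?' with no space: all longer completions, plus <CR> when the
    string is itself a complete name. Invalid strings raise like resolve()."""
    matches = sorted(n for n in level if n.startswith(token) and n != token)
    if not matches and token not in level:
        raise ValueError("cli error: Invalid Command")
    return matches + (["<CR>"] if token in level else [])


class Session:
    """Tracks the current level, the device name and renders the prompt."""

    def __init__(self, device_name="SF-1p"):
        self.device_name = device_name
        self.path = []              # level names from the root
        self.executed = []          # (path, command, args) for each executed command

    def prompt(self):
        shown = ["config" if p == "configure" else p for p in self.path]
        return ">".join([self.device_name] + shown) + "#"

    def run(self, line):
        """Run one input line and return the prompt shown afterwards."""
        full_path = line.startswith("\\")
        tokens = line.lstrip("\\").split()
        # A full-path line is evaluated from the root (the engine exits to
        # the root first); any other line from the current level.
        path = [] if full_path else list(self.path)
        node = CLI_TREE
        for name in path:
            node = node[name]
        for i, tok in enumerate(tokens):
            name = resolve(node, tok)
            if isinstance(node[name], dict):        # level change
                path.append(name)
                node = node[name]
                continue
            args = tokens[i + 1:]
            self.executed.append((tuple(path), name, args))
            if path == ["configure", "system"] and name == "name" and args:
                self.device_name = args[0]           # 'name' renames the device
            # A command returns the prompt of the level it was invoked from
            # (stated on the page for '\'; assumed here for plain lines too).
            return self.prompt()
        self.path = path                             # only level changes: stay there
        return self.prompt()
```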
Scheduling CLI Commands
You can schedule the execution of CLI commands at a future date and time. By default, no scheduling is
configured.
The global schedule command is used to configure the scheduling of a command. You can specify any
command to be scheduled except the logout command.
When you schedule a command, before saving it, SecFlow-1p prefixes the command with the path from
which the schedule command was executed. To specify a CLI command with a full CLI level path, you
should schedule it at the CLI root level.
SecFlow-1p tests the command that is configured as scheduled in the same way that it would be tested
when executed; if the tests fail, you are notified of this, but the command is still scheduled, since it may
be valid when the scheduled time arrives.
The following types of schedules can be configured:
In <minutes>          Executed once, after the specified number of minutes. This type of schedule is not saved in nonvolatile (permanent) SecFlow-1p memory; it is deleted at device reboot whether or not it was executed.
At <date-and-time>    Executed once at the specified date and time. This type of schedule can be optionally saved in permanent memory, in order to be available after device reboot.
Note
Schedules for date and time are saved in system local time. If the local time
changes, SecFlow-1p does not modify the schedules to compensate for the
change; therefore, changing the time can cause schedules to be executed
twice or not executed at all.
Schedules are marked as finished after they are executed.
When executing scheduled commands, SecFlow-1p assumes a Yes answer for any confirmation
questions. When a scheduled command is executed, it is sent to TACACS+ and Syslog accounting, as if it
were executed by a CLI user.
Configuring Command Scheduling
 To schedule a command:
• In any level, enter the schedule command according to the type of schedule:
 In <minutes> – Enter:
schedule <name> in <minutes> [repeat-forever] "<command>"
The schedule is saved with its name set to <name>, and the specified <command> is executed
after the specified amount of <minutes> has elapsed, regardless of changes to the local system
time.
Range for <minutes>: 1–14400 [10 days]
repeat-forever: Repeat schedule at specified intervals forever.
 At <date-and-time> – Enter:
schedule <name> at {january | february | march | april | may | june | july | august |
september | october | november | december} <dd> <yyyy> <hh>:<mm> <command>
[volatile | nonvolatile]
The schedule is saved with its name set to <name> (in permanent memory if nonvolatile was
specified), and the specified <command> is executed at the specified date and time. If the local
system time is changed after the schedule is configured, the scheduled command might not be
executed, or might be executed twice.
Note
An invalid date and time is not allowed; however, a date and time in the past
is allowed; a schedule with its date and time in the past will never be executed
unless the device date/time is changed such that the schedule date and time is
no longer in the past.
Note
Schedules can be added or deleted, but not changed. If you wish to
change the details of a schedule, you have to delete it and then
recreate it with the changes.
 To delete schedules:
• To delete a specific schedule, in any level enter:
no schedule <name>
• To delete all finished schedules, navigate to the admin scheduler level and enter:
clear-finished-schedules
Viewing Scheduling Information
You can view the following scheduled information:
• Commands, with or without details of the commands
• Daylight saving time (For an explanation on the configuration of daylight saving time, refer to
Daylight Saving Time)
Note
You can also enter the info command from the root of the device to view all
commands of the device, including scheduled commands (see Viewing the
Device Configuration below).
 To view scheduling without command details:
• Navigate to the admin scheduler level and enter:
show scheduler
admin scheduler
admin>scheduler# show scheduler
Current date: 13 June 2017 09:36:55 UTC +00:00

Schedule Name     Type        Prm   Fin   Activation
---------------------------------------------------------------
reportpm          Once (In)   No    Yes   --
schedulepm        Once (In)   No    Yes   --
Syslogfacility    Once (In)   No    No    0 day(s), 00:04:03

Summer Time
Start (Date) : 21 June 2017 01:00
End   (Date) : 27 October 2017 12:59
Offset       : 60
Reboot is not scheduled
 To view scheduling with command details:
• Navigate to the admin scheduler level and enter:
show scheduler-details
admin scheduler
admin>scheduler# show scheduler-details
Current date: 13 June 2017 09:40:00 UTC +00:00

Schedule Name          : reportpm
Type                   : Once (In)
Permanent              : No
Finished               : Yes
Activation In(Seconds) : --
Command : configure system date-and-time config reporting pm

Schedule Name          : schedulepm
Type                   : Once (In)
Permanent              : No
Finished               : Yes
Activation In(Seconds) : --
Command : config reporting pm

Schedule Name          : Syslogfacility
Type                   : Once (In)
Permanent              : No
Finished               : No
Activation In(Seconds) : 0 day(s), 00:00:38
Command : configure system syslog device facility local1

Summer Time
Start (Date) : 21 June 2017 01:00
End   (Date) : 27 October 2017 12:59
Offset       : 60
Reboot is not scheduled
Scheduling Display Parameters
Parameter                  Description
Current date               Current date and time, and current offset from UTC
Schedule Name              Name of schedule
Type                       Type of schedule:
                           • Once (In) – to be executed in specified number of minutes
                           • Once (At) – to be executed at a specified date and time
Prm/Permanent              Indicates if schedule is saved in permanent memory
Fin/Finished               Indicates if schedule is marked as finished
Activation                 In output of show scheduler, indicates the amount of time before the scheduled
                           command will be executed, according to the type of schedule:
                           • Once (In) – Amount of time before the scheduled command will be executed, in the
                             form <hh:mm:ss>, <1 day hh:mm:ss> or <ddd days, hh:mm:ss>
                           • Once (At) – Date and time at which the scheduled command will be executed
                           • For either type, -- is displayed if the schedule is marked as finished.
Activation (Local Time)    In output of show scheduler-details for schedule type Once (At), displays the date and
                           time at which the scheduled command will be executed.
Activation In (Seconds)    In output of show scheduler-details for schedule types Once (In) and Once (At), displays
                           the amount of time before the scheduled command will be executed.
Command                    In output of show scheduler-details, displays the scheduled command.
Start (Date)               For one-shot daylight saving time scheduling, displays daylight saving time start date and
                           time.
End (Date)                 For one-shot daylight saving time scheduling, displays daylight saving time end date and
                           time.
Start (Recurring)          For recurring daylight saving time scheduling, displays the configured week of the
                           month, weekday, month, and time for daylight saving time start.
End (Recurring)            For recurring daylight saving time scheduling, displays the configured week of the
                           month, weekday, month, and time for daylight saving time end.
Start                      For recurring daylight saving time scheduling:
                           • If the device is currently not in daylight saving time, displays the next scheduled date
                             and time for daylight saving time to start.
                           • If the device is currently in daylight saving time, displays the date and time at which
                             the daylight saving time started.
End                        For recurring daylight saving time scheduling, displays the next scheduled date and time
                           for daylight saving time end.
Offset                     Number of minutes to move the clock during daylight saving time
Configuration Errors
The following table lists the messages generated by SecFlow-1p when a command scheduling
configuration error is detected.
Message: Schedule with this name already configured
Cause: You tried to create a new schedule with a name that is used by an existing schedule.
Corrective Action: Specify a name that is not being used by an existing schedule.

Message: Warning: Scheduled command failed sanity
Cause: The command that you specified to schedule may fail when executed.
Corrective Action: Check the command; if changes are needed, delete the schedule and re-enter it with the changed command.

Message: The logout command may not be scheduled
Cause: You specified the logout command as the command to schedule.
Corrective Action: None. You are not allowed to schedule the logout command.
Viewing the Device Configuration
You can enter the info command at the device root, to view all commands that have been configured for
the device. This includes scheduled commands, as they are global commands. See an example in the
Examples below.
 To view commands of a device:
• At the device root, type info.
Refreshing Output
You can specify that SecFlow-1p should periodically refresh the output of a show command.
 To periodically refresh the output of a show command:
• Append refresh [<sec>] to the command. The allowed range for <sec> is 3–100 seconds (default
is 5 seconds).
SecFlow-1p enters refresh mode and displays the output of the command periodically, at the
interval specified by <sec>, along with an indication of how to exit refresh mode. You cannot
enter any commands while SecFlow-1p is in refresh mode.
To exit refresh mode, type <ESC> or <Ctrl>+C.
The example below shows the result of refreshing the RADIUS statistics every 15 seconds, and typing
<Ctrl>+C after the status is displayed twice.
config# show management radius statistics refresh 15
                        Server 1   Server 2   Server 3   Server 4
--------------------------------------------------------------
Access Requests         0          0          0          0
Access Retransmits      0          0          0          0
Access Accepts          0          0          0          0
Access Rejects          0          0          0          0
Access Challenges       0          0          0          0
Malformed Response      0          0          0          0
Bad Authenticators      0          0          0          0
Pending Requests        0          0          0          0
Timeouts                0          0          0          0
Unknown Types           0          0          0          0
Packets Dropped         0          0          0          0
Counter Discontinuity   0          0          0          0
To exit the refresh-mode press ESC or Ctrl+C
Filtering Output
Some commands, such as info and show display large amounts of information as their output. It is
possible to control the type and amount of information displayed, by filtering the output.
To filter a command’s output, append to the command:
| [include | exclude | begin] <filter-expression>
Keyword                Description
include                The output includes only lines that match the filter expression.
exclude                The output includes only lines that do not match the filter expression.
begin                  The output starts with the first line that matches the filter expression and continues with all further lines.
<filter-expression>    A filter expression is a regular expression that defines what to exclude, include or match at the beginning. Filter expressions can contain letters, numbers, and metacharacters (see below). Filter expressions are case sensitive.
One and only one keyword is allowed. If no keyword is specified, no filtering is performed.
The following example illustrates filtering output.
config>system# info detail | include date
date-and-time
date-format yyyy-mm-dd
Metacharacters
Metacharacters are characters with special meaning. They allow you to define filter criteria, while not
being part of the filter criteria themselves. Some are placeholders or wildcards. Some allow you to
define ranges of characters to either include or exclude. You can construct complex filter expressions to
see the exact output you want. The following table describes filter metacharacters.
Metacharacter   Description and Example
.               Matches any single character.
                Example: r.t matches the strings rat, rut, and r t, but not root.
$               Matches the end of a line.
                Example: device$ matches the end of the string header device but not the string header device-name.
^               Matches the beginning of a line.
                Example: ^device matches the beginning of the string device loaded from but not the string header device-name.
*               Matches zero or more occurrences of the preceding character.
                Example: .* means match any number of any characters.
\               This character is used to treat the following metacharacter as an ordinary character.
                Examples: \$ is used to match the $ character rather than match the end of a line; \. is used to match a period rather than match any single character.
[]              Matches any one of the characters between the brackets.
                Example: r[aou]t matches rat, rot, and rut, but not ret.
[c1-c2]         Ranges of characters are specified by a beginning character (c1), a hyphen, and an ending character (c2); multiple ranges can be specified as well.
                Examples: [A-Za-z] matches any upper or lower case letter; [0-9] matches any digit.
[^c1-c2]        To match any character except those in the range, use ^ as the first character after the opening bracket.
                Example: [^269A-Z] matches any character except 2, 6, 9, and uppercase letters.
|               Logical OR two conditions together.
                Example: (band|comp) matches the lines bandwidth cir 999936 cbs 65535 and compensation 0.
+               Matches one or more occurrences of the character or filter expression immediately preceding it.
                Example: 9+ matches 9, 99, and 999
""              Matches the string enclosed in the quotation marks. The string may include spaces. See Regular Expression Syntax.
                Example: "e s" matches "double star"
{i}             Matches a specific number (i) of instances of the preceding character.
                Example: A[0-9]{3} matches A followed by exactly three digits, i.e. it matches A123 but not A1234.
{i,j}           Matches a range (i through j) of instances of the preceding character.
                Example: [0-9]{4,6} matches any sequence of 4, 5, or 6 digits.
Regular Expression Syntax
A filter expression is a regular expression. A regular expression can be composed of characters and
metacharacters. Any combination of metacharacters can be used. If you want spaces as part of the filter
expression, enclose the expression with quote metacharacters. All characters found after a space not
enclosed by quotes are ignored by the CLI.
The following table provides some example of regular expressions and the resulting string that will be
used to filter the CLI output.
Regular Expression       Resulting Filter String
"str"                    str
"s t r"                  str
"str                     "str
"str\"str"               str"str
"str\"str                "str\"str
"str"str                 str
\"str"                   \"str"
"str1" | include str2    First expression – str1, second expression – str2
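The output modifiers of the Filtering Output section and the quoting rules of the table above, implemented in Python as an added example (not RAD's code) and run over constructed sample output. Assumptions of this example: the modifier separator is a | surrounded by spaces, spaces inside a quoted expression are kept (as in the "e s" example of the metacharacter table), and SAMPLE_OUTPUT is modelled on the info example in this chapter rather than captured from a device.

```python
"""Output modifiers include / exclude / begin with the quoting rules from the
Regular Expression Syntax table. Added example, not RAD code."""
import re

MODIFIERS = ("include", "exclude", "begin")

# Constructed sample of 'info detail' output at config>system (not captured
# from a device; modelled on the info example in this chapter).
SAMPLE_OUTPUT = [
    "system",
    "date-and-time",
    "date-format yyyy-mm-dd",
    "exit",
    "syslog device",
    "severity-level critical",
    "no shutdown",
    "exit",
    "exit",
]


def filter_string(raw):
    """Reduce the text after the keyword to the filter string: a quoted
    string keeps its spaces and \\" inside it becomes ", text after the
    closing quote is dropped, an unterminated quote is taken literally, and
    an unquoted expression ends at the first space."""
    if not raw.startswith('"'):
        return raw.split(" ", 1)[0]
    out, i = [], 1
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] == '"':
            out.append('"')
            i += 2
            continue
        if ch == '"':
            return "".join(out)            # closing quote: the rest is ignored
        out.append(ch)
        i += 1
    return raw                             # no closing quote: taken literally


def parse_command_line(line):
    """Split 'command | keyword <expr>' into (command, keyword, filter).
    Assumption: the separator is a '|' with spaces on both sides, so a '|'
    inside an expression such as (band|comp) is left alone."""
    parts = re.split(r"\s\|\s", line, maxsplit=1)
    if len(parts) == 1:
        return line.strip(), None, None    # no modifier: no filtering
    command, rest = parts
    keyword, _, expr = rest.strip().partition(" ")
    if keyword not in MODIFIERS or not expr:
        raise ValueError("cli error: Invalid Command")
    return command.strip(), keyword, filter_string(expr)


def apply_modifier(lines, keyword, expr):
    """Apply one modifier; matching is a case-sensitive regular-expression
    search anywhere in the line, so ^ and $ anchor to the line."""
    if keyword is None:
        return list(lines)
    pattern = re.compile(expr)
    if keyword == "include":
        return [ln for ln in lines if pattern.search(ln)]
    if keyword == "exclude":
        return [ln for ln in lines if not pattern.search(ln)]
    for i, ln in enumerate(lines):         # begin: from the first match onwards
        if pattern.search(ln):
            return list(lines[i:])
    return []


def run_filtered(line, output=SAMPLE_OUTPUT):
    """Parse a CLI line with an optional modifier; return the filtered output."""
    _, keyword, expr = parse_command_line(line)
    return apply_modifier(output, keyword, expr)
```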
Enabling Entities
Some dynamic entities are created as inactive by default. After the configuration is completed, the
no shutdown command activates the entity, as shown below.
configure system syslog device
config>system>syslog(device)# severity-level critical
config>system>syslog(device)# no shutdown
config>system>syslog(device)# exit
config>system#
The shutdown command is also used to deactivate/disable a hardware element (such as a port), while
no shutdown enables/activates it.
Using Scripts
CLI commands can be gathered into text files. They may be created using a text editor, by recording the
user commands or by saving the current configuration.
These files can be configuration files or scripts. Configuration files have specific names and contain CLI
commands that SecFlow-1p can use to replace the current configuration, while scripts contain CLI
commands that add to the current configuration. Configuration files can be imported from and exported
to RAD devices via file transfer protocols.
For more information on configuration files, refer to the description in the Administration chapter.
In order to execute a CLI script, you have to copy/paste it to the CLI terminal, or send it to SecFlow-1p
via the RADview Jobs mechanism, CLI script option.
To execute a script, run the commit command.
Examples
 To schedule shutdown of the syslog device in five minutes:
config>system>syslog(device)# schedule sched1 in 5 "shutdown"
 To schedule copying a log file in two hours:
schedule sched-copy-2hrs in 120 "copy log tftp://1.1.1.1"
 To schedule copying a log file on April 2 at 6:00, with the schedule saved in permanent memory:
schedule sched-copy-Apr2 at april 2 2015 06:00 "copy log tftp://1.1.1.1" permanent
save
 To display commands configured for the device (including scheduled shutdown command):
SF-1p# info
configure
echo "System Configuration"
# System Configuration
system
date-and-time
date-format mm-dd-yyyy
echo "NTP (Network Time Protocol)"
# NTP (Network Time Protocol)
ntp
server 1
exit
exit
summer-time date june 21 2017 01:00 october 27 2017 12:59
exit
schedule "sched1" in 5 "configure system syslog device shutdown"
3.9 Web-based Configuration
Logging In
You can configure and manage SecFlow-1p locally or remotely using its web interface. Supported
browsers are the following:
• Google Chrome
• Microsoft Internet Explorer
• Microsoft Edge
• Apple Safari
• Mozilla Firefox
Note
To prevent configuration errors, flush the browser’s cache whenever you
return to the same screen.
 If you have trouble with the web interface:
• Enable scripts.
• Make sure that local and organizational firewalls allow access to the destination IP address.
• Disable pop-up blocking software, such as Google Popup Blocker. You may also have to
configure spyware and adware protecting software to accept traffic from/to the destination IP
address.
 To log into SecFlow-1p via the web interface:
1. In the web browser, navigate to the SecFlow-1p IP address, using HTTPS protocol (https://).
The SecFlow-1p login prompt appears.
2. Enter the relevant credentials (see Login), and click <Login>.
The main menu is displayed.
You can log out by clicking the logout icon on the top right. After 5 minutes of user inactivity, the logout is
performed automatically, and you are returned to the login page.
If you have lost your superuser password, contact Technical Support via the RADcare Online portal or by
email.
Navigating the Web Interface
You can navigate between the dialogs using the following methods:
• Navigation tree (on the left of the screen)
• Top path
• Web browser ‘Back’ and ‘Forward’ controls
• Clicking on an entry in a table
• Creating a new entry in a dynamic table
A navigation tree is displayed on the left, as shown below. The tree featuring expandable/collapsible
branches is organized according to the CLI hierarchy.
To see the configuration parameters on the right more clearly, you can hide (and restore) the navigation tree
using the button in the upper part of the screen.
The navigation tree contains two types of icons:
• The first type of icon denotes a simple menu item that should be pressed to open the
corresponding configuration screen.
• The second type of icon denotes a menu that can be expanded to submenus using the arrow on
the right. In addition to these submenus, there are also general parameters that can be configured
by selecting this option.
Graphical Controls
The WEB GUI commands are similar to the CLI commands with the following main differences:
• A CLI action command is presented by a button.
• A Boolean CLI command (command with a no-form but without arguments) is presented by a
check-box (“shutdown” is an exception and is presented as a pull-down menu).
• A CLI command with a no-form and one or more arguments is presented as a check-box (for the
no-form) and the appropriate fields for the arguments.
You can toggle between light and dark screen modes by clicking the corresponding buttons.
The ‘Save’ button in the top right corner copies the running-config to the startup-config.
The ‘Reboot’ button in the top right corner is used to reboot the device. When clicked, the
following display appears:
Click “Reboot Now” to confirm.
Dynamic Tables
Dynamic tables are used in screens serving to add and remove entries. For example, in the screen below
you can add SNMP users.
Clicking on an ‘Add (…)’ button opens a new dialog (navigation) with the parameters and information of
the selected entity. Fill in the fields of the new entry.
Two buttons, ‘Submit’ and ‘Cancel’, act as follows:
• ‘Submit’ – commits the data entered so far in the dialog to the device and opens a new dialog
(navigation) with the parameters and information of the selected entity. In the case of failure, an
error message is displayed.
• ‘Cancel’ – clears the data entered so far in the dialog (reads the current configuration from the
device again).
Containers (LXD)
This menu option opens the Containers web page that allows you to configure virtualization in
SecFlow-1p. Using Containers, you can create and edit instances, images and profiles. For more
information, refer to Containerization chapter.
Firewall
This menu option activates RAD firewall and data filtering application. For more information, refer to
Zone-based Stateful Firewall.
3.10 SNMP-Based Network Management
Configuring SecFlow-1p for SNMP Management Access
SecFlow-1p can be managed via SSH or by any SNMP-based network management station (NMS),
provided you preconfigure the basic IP parameters using a terminal connected to the SecFlow-1p control
port.
In the case that SecFlow-1p is to be managed by the RADview family of network management stations,
IP communication must be established with the management station, as well as with the standalone
RADview stations.
To configure SecFlow-1p for management access:
1. Add a router interface, bind it to the Ethernet port, and add a static route to the next hop.
#*********************Configuring_Router_Interface*************
configure router 1
interface 1
bind Ethernet 1
address 172.18.141.39/24
no shutdown
exit
static-route 172.17.0.0/16 address 172.18.141.1
exit all
save
Working with RADview
RADview is a Windows- or Linux-based modular, client server, scalable management system that can be
used in a distributed network topology or single-station configuration. RADview features Element
Manager System (EMS) functionality (referred to as ‘system’) and the following optional modules:
• Domain Orchestrator – creates, configures, and manages virtual machines and containers within
RAD’s customer edge devices.
• Service Manager (SM) – end-to-end intuitive, error-free Carrier Ethernet service provisioning for
Ethernet and TDM products; calculates the shortest path.
• Performance Monitor (PM) – portal for service SLA monitoring for both carriers and their customers.
RADview supports the following optional modules and functionalities for SecFlow-1p products, as
described in the following table (✓ = supported, - = not supported):
Modules/Functionalities                            SecFlow-1p
Element Management System (EMS)                    -
Service Manager (SM)                               -
Performance Monitor (PM)                           ✓
D-NFV Orchestrator: Container Management Tasks     ✓
Faults                                             ✓
Shelf View                                         -
3.11 NETCONF-Based Network Management
This feature is applicable to all SecFlow-1p versions.
For a full explanation and instructions on how to configure and monitor the device using NETCONF, see
the NETCONF-Based Network Management chapter below.
3.12 Turning Off the Unit
To power off the unit:
• Remove the power cord from the power source.
4 Ports
SecFlow-1p supports the following port types:
• Physical: Ethernet (including SFP), Cellular
• Virtual and internal Ethernet
• VLAN
To display the operational summary for all ports:
1. At the prompt config>port#, enter:
show summary
The operational status of the ports is displayed.
config>port# show summary
Panel                 Name                  Admin   Oper    Speed
------------------------------------------------------------------
Ethernet 1            Ethernet 1            Down    Down    0
Ethernet 2            Ethernet 2            Down    Down    0
Ethernet 3            Ethernet 3            Up      LLD     0
Ethernet 4            Ethernet 4            Up      Up      1G
Ethernet 5            Ethernet 5            Up      LLD     0
Ethernet 6            Ethernet 6            Up      LLD     0
Ethernet wan-switch   Ethernet wan-switch   Up      Up      0
Ethernet lan-switch   Ethernet lan-switch   Up      Up      0
Cellular lte          Cellular lte          Down    Down    0
WLAN 1                WLAN 1                Up      Up      0
WLAN 2                WLAN 2                Up      Up      0
Virtual 1             Virtual 1             Down    Down    0
Virtual 2             Virtual 2             Down    Down    0
Virtual 3             Virtual 3             Down    Down    0
Virtual 4             Virtual 4             Down    Down    0
Virtual 5             Virtual 5             Down    Down    0
Virtual 6             Virtual 6             Down    Down    0
Virtual 7             Virtual 7             Down    Down    0
Virtual 8             Virtual 8             Down    Down    0
Virtual 9             Virtual 9             Down    Down    0
Virtual 10            Virtual 10            Down    Down    0
SecFlow-1p
4. Ports
4.1 Cellular Ports
SecFlow-1p supports the cellular modem interface (LTE module) in both PPP and Eth/DHCP modes of
operation.
Applicability and Scaling
This feature is applicable to SecFlow-1p with LTE ordering options.
Standards Compliance
ETSI TS 127 060 (3GPP TS 27.060)
3GPP TS 29.061
RFC 1661
The Point-to-Point Protocol (PPP)
3GPP TS 23.060
Functional Description
Packet Domain Access Interfaces and Reference Points
The following figure shows the packet domain access interfaces and reference points.
In the above diagram, the Cellular dongle is the Modem Termination (MT), and the Terminal Equipment
(TE) is the SecFlow-1p cellular interface.
The cellular interface also includes configuration for the cellular modem (MT), such as the pin code.
IP-Based Services
In a mobile network using Long Term Evolution (LTE) architecture, bearers are the tunnels used to
connect the user equipment to Packet Data Networks (PDNs) such as the Internet. In practice, bearers
are concatenated tunnels that connect the user equipment to the PDN through the Packet Data
Network Gateway (P-GW).
3G PPP supports bearers (tunnels) with IP-based services.
The SecFlow-1p cellular interface supports two IP-based service modes:
• PPP relay mode – the underlying Layer 2 is PPP.
• Ethernet/DHCP mode – the underlying Layer 2 is Ethernet.
PPP Relay Mode
The following figure illustrates IP bearer in PPP relay mode.
IP-Based Services: PPP Mode
In this mode, PPP is negotiated between the Terminal Equipment (TE) and the modem, using the Link
Control Protocol (LCP) and the Internet Protocol Control Protocol (IPCP) to obtain the interface IP address.
When the TE transmits an IPCP request for an IP address, the modem relays this request to the network
and, as soon as it receives an answer, responds to the TE.
After the connection is established, data is transmitted in PPP frames.
Note
SecFlow-1p supports PPP negotiation of IPv4 addresses only.
PPP negotiation is illustrated in the following figure.
Ethernet/DHCP Mode
The following figure illustrates IP bearer in Ethernet/DHCP mode.
In this mode, the TE opens a transparent channel to the GGSN and obtains its IP address from the GGSN
by DHCP. After the IP address is obtained, the channel is used for data transfer over Ethernet packets.
Note
SecFlow-1p supports DHCPv4 for IPv4.
The following diagram illustrates DHCPv4 negotiation.
Cellular Interface IP Address
As part of the network synchronization process, the modem cellular interface obtains dynamically an IP
address from the network.
Receive Signal Strength Indicator (RSSI)
RSSI expresses the received signal and noise together as a single figure (in dBm): -50 is a perfect signal
and -120 is the point at which you fall off the network.
• High signal: -50 to -75 dBm
• Medium signal: -76 to -90 dBm
• Low signal: -91 to -100 dBm
• Poor signal: -101 to -120 dBm
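The signal bands above, together with the low/high rssi-threshold pair configured per SIM (default -100 and -90 dBm), behave like a hysteresis comparator. The following Python is an added example, not code from the RAD manual or the SecFlow-1p software: it classifies readings with the bands listed above and raises and clears a threshold-crossing alarm (TCA) using a threshold pair like the default. The class and function names and the sample readings are constructed for illustration.

```python
# Added example, not RAD code: classify RSSI readings into the bands listed
# above, and raise/clear a threshold-crossing alarm (TCA) with the hysteresis
# that a low/high threshold pair such as the device default (-100 / -90 dBm)
# gives. Class and function names and the sample readings are constructed.
from dataclasses import dataclass, field
from typing import List, Optional


def rssi_level(rssi_dbm: int) -> str:
    """Map an RSSI value in dBm to the signal band used in the manual."""
    if rssi_dbm > -50 or rssi_dbm < -120:
        return "out-of-range"      # outside the -50..-120 dBm scale
    if rssi_dbm >= -75:
        return "high"              # -50 to -75
    if rssi_dbm >= -90:
        return "medium"            # -76 to -90
    if rssi_dbm >= -100:
        return "low"               # -91 to -100
    return "poor"                  # -101 to -120


@dataclass
class RssiTcaMonitor:
    """Emits one 'raised' event when RSSI drops below low_threshold and one
    'cleared' event when it later climbs above high_threshold; readings that
    stay between the two thresholds change nothing (hysteresis)."""
    low_threshold: int = -100
    high_threshold: int = -90
    alarm_active: bool = False
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Same bounds as the CLI: both thresholds within -120..-50 dBm, low below high.
        if not (-120 <= self.low_threshold < self.high_threshold <= -50):
            raise ValueError("thresholds must satisfy -120 <= low < high <= -50 dBm")

    def observe(self, rssi_dbm: int) -> Optional[str]:
        """Feed one reading; return the TCA event text if one was generated."""
        if not self.alarm_active and rssi_dbm < self.low_threshold:
            self.alarm_active = True
            event = f"TCA raised: RSSI {rssi_dbm} dBm below low threshold {self.low_threshold} dBm"
        elif self.alarm_active and rssi_dbm > self.high_threshold:
            self.alarm_active = False
            event = f"TCA cleared: RSSI {rssi_dbm} dBm above high threshold {self.high_threshold} dBm"
        else:
            return None
        self.events.append(event)
        return event


# Constructed sequence of readings: the signal degrades, chatters around the
# thresholds, then recovers.
SAMPLE_RSSI = [-67, -88, -95, -101, -103, -99, -92, -89, -70]


def run_sample(readings=SAMPLE_RSSI, low: int = -100, high: int = -90) -> List[str]:
    """Run the monitor over a sequence of readings and return the events it produced."""
    monitor = RssiTcaMonitor(low, high)
    for reading in readings:
        monitor.observe(reading)
    return monitor.events


if __name__ == "__main__":
    for r in SAMPLE_RSSI:
        print(f"{r:5d} dBm  {rssi_level(r)}")
    for e in run_sample():
        print(e)
```

Readings that chatter between the two thresholds (-99, -92 in the sample) produce no events; that is the reason for configuring a separate low and high threshold rather than a single value.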
Cellular Group (Dual SIM) Protection
The cellular interface supports dual SIM protection. Each of the SIM cards may operate in a different
operation mode (PPP relay or IP).
Once enabled (cellular group set to ‘no shutdown’), the redundancy mechanism selects which SIM is
the active one.
The redundancy mechanism operates according to the following scheme:
1. The Primary and Secondary interfaces are assigned by the user.
2. The device tries to connect to the Primary interface.
3. The device disconnects from the Primary interface upon the following events:
   – SIM failure (see the ‘SIM failure’ definition below), declared after reconnect attempts during the
   ‘connect-timeout’ time
   – Interface (SIM) shutdown
4. The modem is reset and tries to connect to the Secondary interface. Once connected:
   – If revertive mode is configured, the device is reset and tries to move back to the Primary
   interface when time-to-revert expires.
   – If non-revertive mode is configured, the device is reset and tries to move back to the Primary
   interface only upon Secondary interface failure.
Once the active cellular interface is changed, the Router Interface IP address is deleted, and a new IP
address is learned from the new active cellular interface.
SIM failure is declared upon one of the following:
• Oper status is ‘Down’
• No registration, or registration denied, for the ‘connect-timeout’ period (the device could not
reconnect)
• RSSI is below the minimum threshold for the ‘connect-timeout’ period
• No IP address is retrieved from the cellular network for the ‘connect-timeout’ period (the device
could not reconnect)
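To make the interaction of connect-timeout, revertive mode and time-to-revert concrete, the following Python is an added example (not RAD code, and not how the device implements it) that models the scheme above in one-second steps: the active SIM is sampled, a failure condition that persists for connect-timeout triggers a switch to the other SIM, and the group reverts, or not, as configured. The SimSample format, the class names and the scenario (SIM 1 losing signal for 50 seconds) are constructed; the documented ranges 30..600 s and 2..14,400 min are used only as input checks.

```python
# Added example, not RAD code: a discrete-time model of the dual-SIM
# protection scheme described above, so that the interaction of the SIM
# failure conditions, connect-timeout, revertive mode and time-to-revert can
# be traced before the real device is configured. Class names, the per-second
# sample format and the scenario data are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SimSample:
    """What the modem reports for one SIM during one second."""
    oper_up: bool
    registered: bool        # False covers both 'no registration' and 'denied'
    rssi_dbm: int
    ip: Optional[str]       # None until IPCP/DHCP has delivered an address


def failure_reason(s: SimSample, rssi_min_dbm: int) -> Optional[str]:
    """The SIM-failure conditions from the list above, or None if healthy."""
    if not s.oper_up:
        return "oper-down"
    if not s.registered:
        return "not-registered"
    if s.rssi_dbm < rssi_min_dbm:
        return "rssi-below-threshold"
    if s.ip is None:
        return "no-ip"
    return None


class CellularProtectionGroup:
    def __init__(self, primary_sim: int = 1, revertive: bool = True,
                 time_to_revert_min: int = 240, connect_timeout_s: int = 30,
                 rssi_min_dbm: int = -100) -> None:
        # Same ranges as the CLI: primary-sim 1|2, connect-timeout 30..600 s,
        # time-to-revert 2..14,400 min.
        if primary_sim not in (1, 2):
            raise ValueError("primary-sim must be 1 or 2")
        if not 30 <= connect_timeout_s <= 600:
            raise ValueError("connect-timeout must be 30..600 seconds")
        if not 2 <= time_to_revert_min <= 14400:
            raise ValueError("time-to-revert must be 2..14400 minutes")
        self.primary, self.secondary = primary_sim, 3 - primary_sim
        self.revertive = revertive
        self.time_to_revert_s = time_to_revert_min * 60
        self.connect_timeout_s = connect_timeout_s
        self.rssi_min_dbm = rssi_min_dbm
        self.active = self.primary
        self.t = 0                       # seconds elapsed
        self.fault_seconds = 0           # how long the active SIM has been failing
        self.seconds_on_secondary = 0
        self.ip_address: Optional[str] = None   # router interface address
        self.log: List[str] = []

    def _switch_to(self, sim: int, why: str) -> None:
        self.log.append(f"t={self.t}s: {why}; modem reset, SIM {self.active} -> SIM {sim}")
        self.active = sim
        self.fault_seconds = 0
        self.seconds_on_secondary = 0
        self.ip_address = None           # address is deleted and re-learned on the new SIM

    def tick(self, samples: Dict[int, SimSample]) -> int:
        """Advance one second with the given per-SIM samples; return the active SIM."""
        self.t += 1
        sample = samples[self.active]
        reason = failure_reason(sample, self.rssi_min_dbm)
        if reason is None:
            self.fault_seconds = 0
            self.ip_address = sample.ip
        else:
            self.fault_seconds += 1
        if self.fault_seconds >= self.connect_timeout_s:
            # Failure persisted for connect-timeout: move to the other SIM. In
            # non-revertive mode this is also the only way back to the primary.
            target = self.secondary if self.active == self.primary else self.primary
            self._switch_to(target, f"SIM {self.active} failure ({reason}) for {self.connect_timeout_s}s")
            return self.active
        if self.active == self.secondary:
            self.seconds_on_secondary += 1
            if self.revertive and self.seconds_on_secondary >= self.time_to_revert_s:
                self._switch_to(self.primary, "time-to-revert expired")
        return self.active


def run_scenario(revertive: bool = True):
    """Constructed scenario: SIM 1 loses signal for 50 s, SIM 2 stays healthy."""
    ok1 = SimSample(True, True, -70, "10.0.0.5")
    weak1 = SimSample(True, True, -110, "10.0.0.5")   # RSSI below the -100 dBm minimum
    ok2 = SimSample(True, True, -80, "10.1.0.7")
    group = CellularProtectionGroup(primary_sim=1, revertive=revertive,
                                    time_to_revert_min=2, connect_timeout_s=30)
    history = []
    for t in range(1, 200):
        history.append(group.tick({1: weak1 if 10 <= t < 60 else ok1, 2: ok2}))
    return group, history


if __name__ == "__main__":
    for mode in (True, False):
        group, _ = run_scenario(mode)
        print("revertive" if mode else "non-revertive", group.log)
```

In the scenario the signal on SIM 1 is back after 50 seconds, but the switch to SIM 2 has already happened at second 39 because the failure lasted longer than connect-timeout; in revertive mode the group goes back to SIM 1 only after time-to-revert (2 minutes here) on SIM 2, and in non-revertive mode it stays on SIM 2 until that SIM itself fails. Each switch also clears the learned IP address, as the text above states.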
Dual Modems
Devices supporting two modems (according to the ordering options) feature dual modem
functionality. In this mode each of the two modems is represented by a dedicated SIM and can
connect to another cellular network or cellular provider. The two modems work simultaneously and
independently of one another. Each of the modems is bound to a different IP interface (Router
Interface).
The two modems are always ‘ON’; the traffic redirection and redundancy mechanisms are at the IP level.
In the case of dual modems, the configuration refers to the cellular interfaces as follows:
• Modem 1: ‘lte-1’
• Modem 2: ‘lte-2’
Factory Defaults
By default, cellular ports have the following configuration.
Parameter                 Description                                         Default Value
radio-access-technology   2G/3G/4G access permissions                         radio-2g
dialer-number             Cellular network dialer number                      *99#
name                      Cellular interface name                             cellular#1
pin                       SIM PIN code                                        0
queue-group               Attaching queue group profile to the port           no queue-group
rssi-threshold            RSSI thresholds for TCA event                       -100 (lower threshold),
                                                                              -90 (higher threshold)
shutdown                  Disconnect/connect modem from cellular network      shutdown
shutdown                  shutdown/no shutdown of the cellular protection     shutdown
                          group
revertive/non-revertive   Revertive mode for the protection group             revertive
time-to-revert (minutes)  Time to stay on the secondary cellular interface    240
                          before trying to reconnect to the primary
                          (revertive mode)
connect-timeout (sec)     Time the failure persists before switching to the   30
                          standby SIM
Configuring a Cellular Port
To configure the cellular interface:
1. Configure the cellular interface parameters (see below).
2. If one of the SIMs operates in Ethernet/DHCP mode, configure the router interface with DHCP
enabled (refer to Configuring Router Interfaces).
3. Bind the cellular interface to the router interface (refer to Configuring Router Interfaces).
To configure the cellular port parameters:
1. Navigate to the following:
   – configure port cellular lte to configure the single cellular port
   – configure port cellular lte-1 to configure the first cellular port of a dual modem device
   – configure port cellular lte-2 to configure the second cellular port of a dual modem device
2. Enter all necessary commands according to the tasks listed below.
Task: Configuring the cellular protection level
Command: cellular-protection
Comments: See Configuring Cellular Protection.

Task: Clearing cellular interface counters of the active SIM
Command: clear statistics

Task: Configuring cellular interface name
Command: name <interface-name>; no name <interface-name>
Comments: interface-name – cellular interface name; character string

Task: Configuring cellular modem operation mode, either single SIM (#1 or #2) or dual SIM protection mode
Command: mode {dual-sim | sim {1 | 2}}
Comments: Default: dual-sim

Task: Configuring the SIM level
Command: sim
Comments: See Configuring the SIM Level.

Task: Displaying the cellular connection status of the active SIM
Command: show status

Task: Saving/removing the Network Connectivity configuration
Command: no shutdown; shutdown
Comments:
• no shutdown – The Network Connectivity configuration is saved; it is used later to configure PPP or
WWAN when binding the interface to an upper layer interface (such as a Router Interface).
• shutdown – The Network Connectivity configuration is removed.
Note: When the Network Connectivity configuration is removed, the oper status alarm turns on; when it
is saved, the alarm turns off.
Configuring Cellular Protection
If you selected the dual-sim mode, you can configure the following cellular protection parameters.
To configure cellular protection:
1. At the prompt config>port>cellular(<port-index>)#, enter:
cellular-protection
The system switches to the cellular-protection context.
2. Perform the required tasks according to the following table.

Task: Selecting a revertive or non-revertive SIM redundancy scheme
Command: [no] revertive
Comments: revertive – Traffic is switched back to the primary port after it recovers.
no revertive – Sets the port recovery mode to non-revertive. Traffic continues being transmitted over
the secondary port after the primary port recovers.

Task: Configuring the primary SIM in the cellular protection scheme
Command: primary-sim {1 | 2}
Comments: Selects the primary SIM in the protection scheme. Default: 1

Task: Setting the time to stay on the secondary cellular interface before switching back to primary
(revertive mode in dual SIM redundancy)
Command: time-to-revert <minutes>
Comments: The primary port resumes transmitting traffic once the link has been restored and the
specified time has elapsed. Possible values: 2..14,400 minutes

Task: Setting the time before switching to the standby SIM
Command: connect-timeout <seconds>
Comments: Possible values: 30..600 seconds
Configuring the SIM Level
Two SIM cards can be relevant for dual sim protection, each having different network configuration.
Some of the parameters are configured on the specific SIM level.
To configure the SIM level:
1. At the prompt config>port>cellular(<lte, lte-1, lte-2>)#, enter:
sim <sim-number>
where sim-number is 1 or 2. The system switches to the sim context.
2. Perform the required tasks according to the following table.
Task: Configuring SIM cellular provider Access Point Name (APN)
Command: apn-name <name>
Comments: name – SIM cellular provider APN, for example: apn-name internet.golantelecom.net.il
The APN contains the settings to set up a connection to the gateway between your carrier's cellular
network and the public Internet (or private network).
Leaving the APN name blank allows the cellular network to determine the correct APN.

Task: Configuring cellular network dial sequence
Command: dialer-number <dial-string>
Comments: dial-string – cellular network dialer number. The modem uses this number in the ATD
command to dial into the cellular network to set up a data call.
Possible values: string (excluding the ATD string)

Task: Configuring SIM PIN code
Command: pin <pin-number>
Comments: pin-number – SIM PIN code number. Possible values: 0-9999
Notes:
• Required for a locked SIM. The PIN code is required to allow the modem (MT) to communicate with
the SIM.
• When you configure a PIN, you should configure the modem with this code (AT+CPIN).

Task: Configuring the type of cellular network that the modem can connect to
Command: radio-access-technology <access-technology>
Comments: access-technology – allowed radio access technology for this modem.
Possible values: 2g, 3g, 4g, 2g/3g, 3g/4g, 2g/3g/4g
Note: The configuration applies according to the modem capabilities. For example, for a 3G modem the
default 2G/3G/4G is not applicable (only 3G is possible). For a 2G/3G modem, the 2G/3G/4G
configuration is actually 2G/3G.

Task: Configuring RSSI thresholds for TCA event
Command: rssi-threshold <low-threshold> <high-threshold>
Comments: low-threshold – When RSSI goes below this value, a TCA event is issued to indicate too low
receive power. Possible values: -50 to -120 dBm
high-threshold – When RSSI goes above this value, a TCA event is issued to indicate that receive power
has recovered. Possible values: -50 to -120 dBm

Task: Selecting LTE bands enabled on the modem
Command: lte-bands <band1> [<band2>] [<band3>] [<band4>] [<band5>] [<band6>]
Comments: This parameter is relevant if 'radio-access-technology' includes 4G.
Possible values for the different ordering options:
• L1: b1, b3, b5, b7, b8, b20, b38, b40, b41, any
• L3: b1, b2, b3, b4, b5, b7, b28, b40, any
• L4: b2, b4, b5, b12, b13, b14, b66, b71, any
Default: any
• L450A: b3, b7, b20, b31, b72
• L450B: b3, b20, b87
Default: b3
If ‘any’ is configured, no additional band can be configured.

Task: Configuring PDP type to set the data call mode per 3GPP definitions
Command: pdp-type {ip | relayed-ppp}
Comments: Default: ip

Task: Configuring CHAP hostname
Command: chap-hostname <name>; [no] chap-hostname [name]
Comments: name – CHAP hostname. Possible values: 1-80 character string

Task: Configuring CHAP default password
Command: chap-password <pass> [hash]; [no] chap-password [name]
Comments: pass – CHAP password. Possible values: 1-40 character string
hash – the password is given in encrypted form. Possible values: hash, “”
Notes:
• If you enter a clear password (chap-password), the device encrypts it, saves the encrypted password
in pppSecuritySecret and sets pppSecuritySecretType to ‘off’.
• If you enter an encrypted password (chap-password hash), the device saves the encrypted password
in pppSecuritySecret and sets pppSecuritySecretType to ‘off’.

Task: Configuring the SIM name
Command: name <name>; no name [name]
Comments: name – SIM name. Possible values: 1-80 character string

Task: Configuring PAP credentials (not when pdp-type is ip)
Command: pap-username <name> password <pass> [hash]; [no] pap-username [name]
Comments: name – PAP username. Possible values: string up to 80 characters
pass – PAP password. Possible values: string up to 80 characters
Notes:
• If you enter a clear password (pap-password), the device encrypts it, saves the encrypted password
in pppSecuritySecret and sets pppSecuritySecretType to ‘off’.
• If you enter an encrypted password (pap-password hash), the device saves the encrypted password
in pppSecuritySecret and sets pppSecuritySecretType to ‘off’.

Task: Refusing CHAP authentication (not when pdp-type is ip)
Command: [no] refuse-chap

Task: Refusing PAP authentication (not when pdp-type is ip)
Command: [no] refuse-pap

Task: Refusing no authentication (not when pdp-type is ip)
Command: [no] refuse-no-auth
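For a relayed-ppp SIM, the CHAP hostname and password above are used in the PPP authentication phase (the "Authentication: Of Us: CHAP" lines of the PPP status shown later). The following Python is an added example, not code from RAD or this manual, of the CHAP exchange as RFC 1994 defines it with the MD5 algorithm: the authenticator sends a random challenge, the peer answers with MD5(identifier || secret || challenge), and the authenticator recomputes the digest from its own copy of the secret. The names, secrets and class layout are constructed. Two points it makes explicit: the password never crosses the link (unlike PAP, which refuse-pap keeps the device from falling back to), and the verifier needs the clear secret, so a secret stored "encrypted" on either side must still be recoverable by that side.

```python
# Added example, not RAD code: the PPP CHAP exchange (RFC 1994, MD5 algorithm)
# that a relayed-ppp SIM completes when the network authenticates the device
# with its chap-hostname / chap-password, with both ends modelled so the
# messages can be seen. The names, secrets and class layout are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class ChapChallenge:
    identifier: int     # one octet; ties the response to this challenge
    value: bytes        # random challenge value
    name: bytes         # authenticator's name


@dataclass(frozen=True)
class ChapResponse:
    identifier: int
    value: bytes        # 16-byte MD5 digest, never the secret itself
    name: bytes         # peer's name (the configured chap-hostname)


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over Identifier || secret || Challenge value."""
    if not 0 <= identifier <= 255:
        raise ValueError("identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Network side of the link: holds the clear secret for each peer name,
    which is why CHAP secrets must be recoverable by whoever verifies them."""

    def __init__(self, name: bytes, secrets: Dict[bytes, bytes]) -> None:
        self.name = name
        self.secrets = secrets
        self.pending: Dict[int, ChapChallenge] = {}
        self._next_id = 0

    def challenge(self) -> ChapChallenge:
        self._next_id = (self._next_id + 1) & 0xFF
        ch = ChapChallenge(self._next_id, os.urandom(16), self.name)
        self.pending[ch.identifier] = ch
        return ch

    def verify(self, resp: ChapResponse) -> bool:
        ch = self.pending.pop(resp.identifier, None)   # a challenge is usable once
        secret = self.secrets.get(resp.name)
        if ch is None or secret is None:
            return False
        expected = chap_digest(ch.identifier, secret, ch.value)
        return hmac.compare_digest(expected, resp.value)


class Peer:
    """Device side: the SIM configured with chap-hostname and chap-password."""

    def __init__(self, chap_hostname: bytes, chap_password: bytes) -> None:
        self.name = chap_hostname
        self.secret = chap_password

    def respond(self, ch: ChapChallenge) -> ChapResponse:
        return ChapResponse(ch.identifier, chap_digest(ch.identifier, self.secret, ch.value), self.name)


def run_chap(peer_password: bytes, network_password: bytes = b"s3cr3t-apn-pw") -> bool:
    """One full Challenge -> Response -> Success/Failure round."""
    auth = Authenticator(b"pgw.example", {b"secflow-1": network_password})
    peer = Peer(b"secflow-1", peer_password)
    return auth.verify(peer.respond(auth.challenge()))


def replay_is_rejected() -> bool:
    """A captured Response replayed against a consumed challenge must fail."""
    auth = Authenticator(b"pgw.example", {b"secflow-1": b"pw"})
    resp = Peer(b"secflow-1", b"pw").respond(auth.challenge())
    return auth.verify(resp) and not auth.verify(resp)


if __name__ == "__main__":
    print("correct secret:", run_chap(b"s3cr3t-apn-pw"))
    print("wrong secret:  ", run_chap(b"wrong"))
    print("replay rejected:", replay_is_rejected())
```

The one-octet identifier and the fresh random challenge value are what make a captured Response useless later; the authenticator discards each challenge after one use for the same reason.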
Viewing Cellular Port Status
You can display the status and configuration of an individual cellular port.
To display the status of a specific cellular port:
• At the prompt config>port>cellular(<port-index>)#, enter:
show status
The cellular port status parameters are displayed. The parameters are described in the table below.
To display cellular port lte status:
Interface Status:
  Administrative Status       : Up
  Operational Status          : Up
  IP Address                  : 20.20.20.5
  IP Gateway                  : 20.20.20.1
Cellular Modem Information
  Modem                       : MultiConnect Cell 100
  Firmware                    : Revision: EC25EFAR06A03M4G
  Mode                        : sim-2
  IMEI                        : 08976543987234
SIM Information
  SIM                         : SIM1
  SIM Status                  : Ready
  Provider name               : Cellcom
  MCC                         : 123
  MNC                         : 456
  IMSI                        : 313460000000001
  ICCID                       : 1123456789000
  MSISDN                      : 972551234567
Cellular Connectivity Information
  Cellular Network Connection : Connected
  Registration Status         : Registered, roaming
  RAT Selected                : TDD LTE
  LAC/TAC                     : 50
  Cell ID                     : 10
  Band                        : LTE Band 6
  Channel                     : 100
  Uplink BW                   : 1.4MHz
  Downlink BW                 : 1.4MHz
Signal Quality
  RSSI                        : -67 dbm
  RSRP                        : -90 dbm
  RSRQ                        : -8.5db
  SINR                        : 6 db
Traffic Statistics
  Counter            Rx       Tx
  Total Packets      22567    45897
  Total Octets       22567    45897
  Packets dropped    22567    45897
  Packets errors     22567    45897
  Overflows          22567    45897
The fields are explained in the table below.
Interface Status
Administrative Status – Cellular interface administrative status. Possible values: Up (the port is enabled),
Down (the port is disabled)
Operational Status – Operational status of the cellular port. Possible values: Up (the ‘dial in’ to the
network was successful and connected), Down (the data call is disconnected)
IP Address – IP address acquired from the cellular network (IPCP/DHCP phase). Possible values: None,
IPv4 address. Note: Each time the cellular interface fails, the interface IP address is cleared and set again
at the end of the next IPCP/DHCP stage.
IP Gateway – The gateway IP address acquired from the cellular network
Cellular Modem Information
Modem – Manufacturing information of the cellular modem
Firmware – Modem firmware
Mode – Modem operation mode. Possible values: dual-sim, sim 1, sim 2. This field is not displayed for a
dual modem device.
IMEI – International Mobile Station Equipment Identity (modem HW identifier)
SIM Information
SIM – Name of the active SIM. Possible values: sim1, sim2
SIM Status – SIM operational status. Possible values: not-inserted, general-failure, ready, unknown,
locked-pin-required, locked-puk-required
Provider Name – Cellular provider name
MCC – Mobile Country Code
MNC – Mobile Network Code
IMSI – International Mobile Subscriber Identity
ICCID – Integrated Circuit Card Identifier (SIM serial number)
MSISDN – A number uniquely identifying a subscription in a mobile network (SIM burnt number)
Cellular Connectivity Information
Cellular Network Connection – Status of the cellular connection. Possible values: Unknown (no modem,
no SIM, SIM locked, or modem failure), Connecting (dial mode is either dialing or ringing), Connected,
Failed
Registration Status – Cellular network registration status. Possible values: Registered, home network;
Registered, roaming; Not Registered, MT not searching; Not Registered, trying to attach; Denied;
Unknown
RAT Selected – Radio Access Technology selected
LAC/TAC – Location Area Code / Tracking Area Code
Cell ID – Cell ID
Band – Frequency band
Channel – Rx channel
Uplink BW – Uplink bandwidth. Possible values: Unknown, 1.4MHz, 3MHz, 5MHz, 10MHz, 15MHz,
20MHz
Downlink BW – Downlink bandwidth. Possible values: Unknown, 1.4MHz, 3MHz, 5MHz, 10MHz, 15MHz,
20MHz
Signal Quality
RSSI – Received Signal Strength Indication of the cellular radio signal (dBm)
RSRP – Reference Signal Received Power (dBm), applicable for LTE only. Possible values: -140 dBm to
-44 dBm with 1 dB resolution
RSRQ – Reference Signal Received Quality (dB), applicable for LTE only. Possible values: -3 to -19.5 dB
with 0.1 dB resolution
SINR – Signal to Interference plus Noise Ratio (dB), applicable for LTE only. Possible values: -20 to +50 dB
with 0.1 dB resolution
Traffic Statistics
Rx Total Packets – Number of packets received from the cellular interface
Tx Total Packets – Number of packets transmitted to the cellular interface
Rx Total Octets – Number of bytes received from the cellular interface
Tx Total Octets – Number of bytes transmitted to the cellular interface
Rx Packets Dropped – Number of valid packets received from the cellular interface that were dropped
Rx Packets Errors – Number of errored packets received from the cellular interface that were dropped
Tx Packets Dropped – Number of valid packets in the transmit direction to the cellular interface that were
dropped
Tx Packets Errors – Number of errored packets in the transmit direction to the cellular interface that
were dropped
Tx Overflows – Number of transmit queue overflows
Rx Overflows – Number of receive queue overflows
If pdp-type is ‘relayed-ppp’, the PPP status is also displayed.
PPP Status
LCP
---------------------------------------------------------------------
State          : Opened
MRU Local      : 1280
MRU Peer       : 1500
Authentication
---------------------------------------------------------------------
Of Us          : CHAP
State          : Completed
Identity       : Hostname
IPCP
---------------------------------------------------------------------
State          : Opened
Local Address  : 20.20.20.5
Peer Address   : 20.20.20.2
The PPP status fields are explained below.
LCP
State – LCP status. Possible values: Initial, Starting, Closed, Stopped, Closing, Stopping, Request-Sent,
Ack-Received, Ack-Sent, Opened
MRU Local – Local PPP MRU size advertised in LCP negotiations
MRU Peer – Peer PPP MRU size received in LCP negotiations
Authentication
Of Us – Authentication protocol of the device. Possible values: CHAP, PAP, None
State – Authentication phase state. Possible values: Initial, Completed, In Progress, Failed
Identity – Authentication identity
IPCP
State – IPCP status. Possible values: Initial, Starting, Closed, Stopped, Closing, Stopping, Request-Sent,
Ack-Received, Ack-Sent, Opened
Local Address – IPCP local IP address
Peer Address – IPCP remote IP address
Viewing Cellular Port Status using Swagger
SecFlow-1p supports Swagger, an interactive user-friendly API explorer that enables you to design, build,
document, and simulate sending REST API calls to the SecFlow-1p API directly from your browser.
The documentation that you build describes what each vCPE‑OS API function does, its request
parameters, and response objects, all without any indication of code implementation.
The Swagger UI makes an existing YAML document interactive. You can access the YAML files of each
device per port (according to the REST API) and perform operations on the YAML’s functions. It is
possible to build functions, specify the function parameters, and what the functions do. Swagger uses
these YAML files for documentation.
To retrieve the cellular port status:
1. Configure the management user:
configure
management
login-user su
level virt
password 1234
no shutdown
The password 1234 is only a placeholder for this example; use a strong password for the API user. Note
also that the portal URL below is plain HTTP, so the credentials cross the network unencrypted unless
the management path itself is protected.
2. Enter the Swagger portal:
http://<ip-address>:8008/swagger
The Swagger portal opens.
3. In the Swagger portal, above the functions, click the Authorize button. The Available authorizations
box opens.
4. Wait for some time to see the asterisks appear.
5. Click the Close button to finish authentication.
6. Click Try it out. If you would like to get results for a specific entity, under Parameters, enter the id of
that entity. Click Execute.
Each request in Swagger shows the equivalent curl command. You can copy/paste the curl command
to a computer that has curl installed, to run the same API call.
7. If you entered the correct credentials, Server response displays Code 200 (Successful operation)
and Response body shows the requested information.
4.2 Ethernet Ports
SecFlow-1p is connected to Ethernet equipment via the following interfaces:
• 2 x 10/100/1000BASE-T ports
• 2 x 1000FX, 4 x 10/100/1000BASE-T ports (“superset”)
In addition, two internal Ethernet ports (ethernet lan-switch and ethernet wan-switch), considered as
Ethernet ports without a physical level, are used for bridge switching.
Applicability and Scaling
This feature is applicable to all the SecFlow-1p versions.
Functional Description
The Ethernet ports are disabled by default, with one exception. The factory default configuration
enables and contains configuration of router 1 interface 32, attached to the last RJ-45 Ethernet port. The
router interface is configured to non-forwarding mode, to limit it to management traffic. No VLAN is
configured, assuming management traffic is likely to be untagged.
Internal Ethernet Ports
Two internal Ethernet ports (ethernet lan-switch and ethernet wan-switch), considered as Ethernet
ports without a physical level, are used for bridge switching.
When configuring some of the Ethernet port functionalities, take the following into account:
• If a bridge is configured on the lan-switch or wan-switch port, the ACL/802.1X/QoS/PBR/force-next-hop/
mac-access-control configuration is effective on this switch port; the same functionality configured on
the Ethernet port members (physical ports) of this switch port is ignored.
• If no bridge is configured, the ACL/802.1X/QoS/PBR/force-next-hop/mac-access-control configuration
is effective on the physical ports; the same functionality configured on the lan-switch/wan-switch ports
is ignored.
Quality of Service (QoS)
SecFlow-1p supports QoS (traffic management) on Ethernet ports.
Configuring QoS requires that you first configure the Ethernet port with the following features (see
the table below):
• Classifier
• Traffic-class (TC) action option:
   – Marking
   – Traffic-classes per port: 20
For full details on how to configure QoS, refer to Quality of Service (QoS) in the Traffic Processing
chapter.
MAC Access Control
Flooding a device with MAC addresses and filling its MAC address table is a well-known attack. Bridges,
for example, flood packets of unknown MAC destination to all ports, a process that impairs performance
and generates excessive traffic on all ports. MAC access control allows the user to limit the number of
source MAC addresses allowed to send traffic to a port. If you know which legitimate devices are going
to be connected to a port, you can whitelist them, and reject other addresses. This can be done by
entering the mac-access-control level.
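The following Python is an added example, not RAD code and not the device's implementation, of the attack and the control described above: a toy learning bridge with a small MAC table is flooded with forged source addresses from one port, first with no control and then with a mac-access-control style allow list on that port. The frame layout, port names and station addresses are constructed; the device MAC used for the "not owned by the device" check is the one shown in the Ethernet port status example later in this chapter.

```python
# Added example, not RAD code: a toy learning bridge that reproduces the
# MAC-table flooding attack described above, run once without and once with a
# per-port source-MAC allow list like mac-access-control. Frame layout, port
# names and addresses are constructed; the device MAC is the one shown in the
# Ethernet port status example later in this chapter.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    in_port: str


def parse_mac(mac: str) -> bytes:
    """Accept aa-bb-cc-dd-ee-ff or aa:bb:cc:dd:ee:ff; reject anything else."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"bad MAC address {mac!r}")
    try:
        return bytes(int(p, 16) for p in parts)
    except ValueError:
        raise ValueError(f"bad MAC address {mac!r}") from None


def is_unicast(mac: str) -> bool:
    """Unicast when the I/G b
it (LSB of the first octet) is clear."""
    return parse_mac(mac)[0] & 0x01 == 0


class Bridge:
    def __init__(self, ports: List[str], table_size: int = 8, own_macs=()) -> None:
        self.ports = list(ports)
        self.table_size = table_size
        self.fdb: Dict[bytes, str] = {}            # learned source MAC -> port
        self.allow: Dict[str, Set[bytes]] = {}     # port -> allowed source MACs
        self.own_macs = {parse_mac(m) for m in own_macs}
        self.dropped: List[Frame] = []

    def mac_access_control(self, port: str, macs: List[str]) -> None:
        """Allow only the listed source MACs on a port (static entries)."""
        for m in macs:
            if not is_unicast(m) or parse_mac(m) in self.own_macs:
                raise ValueError("Address must be unicast MAC not owned by the device")
        self.allow[port] = {parse_mac(m) for m in macs}

    def forward(self, frame: Frame) -> List[str]:
        """Return the egress ports for a frame (empty list when it is dropped)."""
        src, dst = parse_mac(frame.src), parse_mac(frame.dst)
        allowed = self.allow.get(frame.in_port)
        if allowed is not None and src not in allowed:
            self.dropped.append(frame)
            return []
        if src in self.fdb or len(self.fdb) < self.table_size:
            self.fdb[src] = frame.in_port
        # A full table cannot learn new stations, so their traffic keeps flooding.
        out = self.fdb.get(dst)
        if out is None or out == frame.in_port:
            return [p for p in self.ports if p != frame.in_port]   # unknown dst: flood
        return [out]


def simulate(protect: bool) -> dict:
    """Attacker on port 3 forges 50 source MACs, then station A (port 1) and
    station B (port 2) exchange a frame each. Returns what an observer would measure."""
    bridge = Bridge(["1", "2", "3"], table_size=8, own_macs=["00-08-A2-0B-95-58"])
    if protect:
        bridge.mac_access_control("3", ["00-00-00-00-00-cc"])   # the only legitimate host on port 3
    for i in range(50):
        bridge.forward(Frame(f"02-00-00-00-{i // 256:02x}-{i % 256:02x}", "ff-ff-ff-ff-ff-ff", "3"))
    a, b = "00-00-00-00-00-0a", "00-00-00-00-00-0b"
    bridge.forward(Frame(a, b, "1"))                  # A -> B (B unknown yet, so flooding is expected)
    reply_egress = bridge.forward(Frame(b, a, "2"))   # B -> A: should reach port 1 only
    return {"fdb_entries": len(bridge.fdb), "dropped": len(bridge.dropped),
            "reply_egress": reply_egress}


def acl_rejects(macs: List[str]) -> bool:
    """True if mac-access-control refuses the list (multicast or device-owned address)."""
    try:
        Bridge(["1"], own_macs=["00-08-A2-0B-95-58"]).mac_access_control("1", macs)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("unprotected:", simulate(False))
    print("protected:  ", simulate(True))
```

Without the control, the forged addresses fill the table before the legitimate stations are learned, so B's reply to A is flooded to every port including the attacker's; with the allow list, the forged frames are dropped, the table stays small, and the reply goes only to port 1. The unicast and not-owned-by-the-device checks applied when the list is configured are the same conditions the device reports as configuration errors in the MAC access control section below.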
Factory Defaults
By default, Ethernet ports have the following configuration.
Parameter     Description             Default Value
egress-mtu    Packet size             1790
name          Port name               Ethernet <port-name>
shutdown      Administrative status   Shutdown
                                      Note: The exception is the no shutdown default status of the
                                      last RJ-45 Ethernet port (lan4).
Configuring Ethernet Port Parameters
1. Navigate to configure port ethernet <port-name> to select the Ethernet port to configure.
Physical port names correspond to the front panel designation. Internal Ethernet port names are
lan-switch and wan-switch.
2. Enter all necessary commands according to the tasks listed below.
Task: Administratively enabling port
Command: no shutdown
Comments: Enter shutdown to disable the port. This command is inactive for internal ports.

Task: Binding ACL to the port
Command: access-group <acl-name> in [{ipv4 | ipv6}]; no access-group in {ipv4 | ipv6}
Comments: acl-name: 1-80 characters

Task: Clearing ACL statistics
Command: clear-access-list-statistics [in] [{ipv4 | ipv6}]

Task: Setting maximum frame size (in bytes) to transmit
Command: egress-mtu <68–12288>
Comments: Frames above the specified size are fragmented or discarded.

Task: Mapping the traffic originated by a router interface to its egress port
Command: force-next-hop [next-hop <ip-address>]; no force-next-hop

Task: Configuring MAC access control
Command: mac-access-control
Comments: See Configuring MAC Access Control below.

Task: Assigning description to port
Command: [no] name <port-name>
Comments: port-name – 0-64 characters. Note: The configured name is included in events and traps.

Task: Configuring collection of performance management statistics for the port, presented via the
RADview Performance Management portal
Command: [no] pm-collection interval <seconds>
Comments: Note: In addition to enabling PM statistics collection for the port, it must be enabled for the
device. Refer to Performance Management in the Monitoring and Diagnostics chapter for details.

Task: Binding PBR rule to the port
Command: policy-based-route priority <priority> match-acl <name> {next-hop <ip-address>}
interface <type, index>; no policy-based-route priority <priority>
Comments: See Configuring PBR.

Task: Associating a queue group profile with the port
Command: [no] queue-group profile <queue-group-profile-name>

Task: Displaying ACL statistics
Command: show access-list statistics [in] [{ipv4|ipv6}]
Comments: See Viewing Ethernet Port Statistics below.

Task: Displaying the summary of ACLs bound to the VLAN
Command: show access-list summary
Comments: Displays the ACL summary at the current level. See Ethernet Port Status below.

Task: Displaying the port statistics
Command: show statistics
Comments: See Viewing Ethernet Port Statistics.

Task: Displaying the port status
Command: show status
Comments: See Viewing Ethernet Port Status.

Task: Configuring VLAN port
Command: vlan <vlan-id>
Comments: See VLAN Ports for details on VLAN port configuration. Type no vlan <vlan-id> to delete the
Ethernet port VLAN. Note: You can delete a VLAN port only when its administrative status is down.

Configuration required for QoS

Task: Enabling classifier at the port level
Command: [no] classifier {ingress}
Comments: ingress – the classification direction is ingress, i.e. from the port to the application (for
example, a router interface). Enter no classifier {ingress} to remove a classifier. For details on how to
configure classifier parameters, refer to Port Classification in the Traffic Processing chapter.

Task: Defining a traffic-class entity
Command: traffic-class <tc-name>
Comments: tc-name – traffic class name. Possible values: variable length string, up to 32 characters.
Enter no traffic-class <tc-name> to remove the traffic-class entity. For details on how to configure
traffic-class parameters, refer to Traffic-Class.
Configuring MAC Access Control
To configure MAC Access Control:
1. Navigate to configure port ethernet <port-name> mac-access-control.
2. Enter all necessary commands according to the tasks listed below.

Task: Configuring static MAC address
Command: mac <mac-address>
         no mac <mac-address>
Comments: mac: Valid unicast MAC address. no mac: Any hex string formatted as MAC address

Task: Disabling MAC access control
Command: [no] shutdown
Comments: By default, MAC access control is disabled.
Configuration Errors
The following table lists the messages generated by SecFlow-1p when a configuration error is detected.

Message: Address not found
Cause: You tried to delete a non-existing static MAC address
Corrective Action:

Message: Address must be unicast MAC not owned by the device
Cause: mac-address must be a valid unicast MAC address not owned by the device.
Corrective Action:
Viewing Ethernet Port Status
You can display the status and configuration of an individual Ethernet port.
To display the status of a specific Ethernet port:
• At the prompt config>port>eth(<port-name>)#, enter:
show status
The Ethernet port status parameters are displayed. The parameters are described in the following table.
To display Ethernet port 1 status:
# configure port ethernet 1
config>port>eth(1)# show status
Name                  : Ethernet 1
Administrative Status : Up
Operational Status    : Up
Connector Type        : RJ45 Ethernet
Speed And Duplex      : 100 Half Duplex
MAC Address           : 00-08-A2-0B-95-58
To display Ethernet lan-switch port status:
# configure port ethernet lan-switch
config>port>eth(lan-switch)# show status
Name                  : Ethernet lan-switch
Administrative Status : Up
Operational Status    : Up
Connector Type        : RJ45 Ethernet
Speed And Duplex      : 1000 Full Duplex
MAC Address           : 00-55-66-77-02-42
Parameter: Name
Description: Port name

Parameter: Administrative Status
Description: Possible values: Up, Down

Parameter: Operational Status
Description: Possible values: Up, Down

Parameter: Connector Type
Description: Possible value: RJ45 Ethernet

Parameter: Speed and Duplex
Description: Possible values: 10 Half Duplex, 10 Full Duplex, 100 Half Duplex, 100 Full Duplex

Parameter: MAC Address
Description: MAC address, formatted 00-00-00-00-00-00. Note: Ethernet 1 address is considered the system MAC address. It is used when the SecFlow-1p host has to uniquely identify itself, such as when providing a MAC address on which to base the license file.

To display an SFP port status:
# configure port ethernet 1
config>port>eth(1)# show status
Name                  : Ethernet 1
Administrative Status : Up
Operational Status    : Up
Connector Type        : SFP in
Speed And Duplex      : 1000 Full Duplex
MAC Address           : 02-09-C0-95-BB-E3
SFP
----------------------------------------------------------
Connector Type                : LC
Manufacturer Name             : RAD Data Comm.
Manufacturer Part Number      : SFP-6D
Typical Maximum Range (Meter) : 10000
Wave Length (nm)              : 1310.00
Fiber Type                    : SM
To display the ACL status of the Ethernet port:
1. Navigate to the corresponding Ethernet port and enter the show access-list summary command.
The following information is displayed:
show access-list-summary
ACL Name         Type   Bound to     Direction
----------------------------------------------------------------------------
ip_port6_v4      IPv4   Ethernet 6   In
icmp_port6_v6    IPv6   Ethernet 6   In
Viewing Ethernet Port Statistics
The following port statistics can be displayed for an Ethernet port. The counters are described in the following table.
Running
----------------------------------------------------------------------------
Counter             Rx        Tx
Total Frames        3539      10
Total Octets        236594    1060
Multicast Frames    213       --
Error Frames        99999     99999
Undersize Errors    99999     --
Discard Frames      --        99999

Parameter: Total Frames
Description: Total number of frames received/transmitted

Parameter: Total Octets
Description: Total number of bytes received/transmitted

Parameter: Error Frames
Description: Total number of error frames received/transmitted

Parameter: Undersize Frames
Description: Total number of undersize (less than 64 octets) received frames that were discarded

Parameter: Multicast Frames
Description: Total number of multicast frames received

Parameter: Discard Frames
Description: Total number of discarded Tx frames

To display the ACL statistics for the Ethernet port:
1. Navigate to the corresponding Ethernet port and enter show access-list statistics in [{ipv4 | ipv6}].
The following statistical information is displayed:
show access-list-statistics
IPv4 access list: ip_port6_v4 (Inbound)
Bound to: Ethernet 6
Matches counted for: 0 days 0 hours 51 minutes 43 seconds
Sequence  Action  Protocol  Source         Port  Destination   Port  ICMP Type  Code  DSCP  Log      Matches
-----------------------------------------------------------------------------------------------------------
10        permit  ip        172.18.92.111        172.18.92.78                               disable  (200 matches)

show access-list-statistics in ipv6
IPv6 access list: ip_port6_v6 (Inbound)
Bound to: Ethernet 6
Matches counted for: 0 days 0 hours 26 minutes 41 seconds
Sequence  Action  Protocol  Source                  Port  Destination                Port  ICMP Type  Code  DSCP  Log      Matches
----------------------------------------------------------------------------
10        permit  icmp      fd00:0::72e6:73f8:4b79        fd00::fd75:3fea:ecc6:a999                              disable  (3 matches)
4.3 Flash (SD Card) Ports
Flash is supported by devices that have SD-card ports. Files on flash memory can be listed by the media-dir command. They are considered local and can be the source or destination of copy (see Copying Files).
Factory Default
By default, Flash media (SD card) functionality is disabled.
Configuring Flash Ports
To enable the flash port:
1. Navigate to file# and type flash-enable, to enable the port permanently.
2. The flash status is available upon typing show flash-status.
To list the files in the flash media plugged into the device:
1. Navigate to file# and type media-dir media flash <number> [folder <folder-name>].
The flash contents are displayed as follows. If you specified a folder name, the command prints a list of files and folders in it. Otherwise, the root contents are displayed. Either slash or backslash can serve as folder delimiter.
SF-1p>file# media-dir media flash 1
Name                        Size         Status
                            (kilobytes)
----------------------------------------------------------------------------
System Volume Information   --           Folder
sw_pack_21                  542453
userscriptTFTP              4
234                         4
Test_Reports                --           Folder
accountTFTP                 3
facTFTP                     1
rollTFTP                    4
scLogTFTP                   5
startupTFTP                 4
Viewing Flash Status
You can display the status and configuration of an individual flash port.
To display the status of the flash port:
file# show flash-status
Admin Status         : Enabled
Operational Status   : Media Is Plugged In And Operational
Port                 : 1
Name                 : SDCIT
Manufacturer         : TI : 0x5449
SD Version           : 3.0
Capacity (megabytes) : 29856
4.4 PPP Ports
SecFlow-1p supports a single Point-to-Point Protocol (PPP) session over Ethernet (PPPoE) interfaces.
PPP provides a standard method for transporting multiprotocol datagrams over point-to-point links.
Standards Compliance
RFC 1332 - The PPP Internet Protocol Control Protocol (IPCP)
RFC 1334 - PPP Authentication Protocols
RFC 1661 - The Point-to-Point Protocol (PPP)
RFC 1994 - PPP Challenge Handshake Authentication Protocol (CHAP)
RFC 2516 - A Method for Transmitting PPP Over Ethernet (PPPoE)
RFC 5072 - IP Version 6 over PPP
Functional Description
PPPoE Session Establishment
PPPoE is used to build PPP sessions and encapsulate PPP packets over Ethernet. PPPoE is useful for device auto-configuration, typically for authentication.
You can have a single PPPoE session on one router interface.
On Ethernet interfaces, you are required to establish a PPPoE session before starting PPP negotiation (see PPP Negotiation below). You can establish the PPPoE session only on a router interface that is bound to a PPP port that is bound to an operational Ethernet port.
Note
There is no command to explicitly enable PPPoE. It is enabled on PPP ports that are bound to an Ethernet port.
A PPPoE session is established as follows:
1. SecFlow-1p sends a session initiation (PADI).
   • If after sending a session initiation (PADI), SecFlow-1p does not receive an offer (PADO) within four seconds, SecFlow-1p resends the request (PADI) and doubles the waiting period.
   • If SecFlow-1p does not receive an offer after four retries (five including the first), it restarts the session initiation process (i.e. resends a PADI and waits up to four seconds).
2. When SecFlow-1p receives an offer (PADO), one of the following takes place:
   • If a service name is configured, SecFlow-1p accepts the first offer it receives.
   • If a service name is not configured, SecFlow-1p accepts the first offer it receives containing the same service name tag.
3. After sending a session request (PADR), SecFlow-1p waits for session confirmation.
   • If SecFlow-1p does not receive a session confirmation (PADS) within four seconds, SecFlow-1p resends the request (PADR) and doubles the waiting period.
   • If SecFlow-1p does not receive a session confirmation after four retries (five including the first), it restarts the session initiation process (i.e. resends a PADI and waits up to four seconds).
4. If a PPPoE session is terminated (a PADT packet is received) or rejected, SecFlow-1p retries to establish a PPPoE session (by sending a PADI).
5. If a PPPoE session is terminated because a lower layer state changed to down, SecFlow-1p retries to establish a PPPoE session (by sending a PADI) as soon as the physical layer is up and there is Layer-2 connectivity.
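The discovery exchange above, as an added example in Python that is not RAD's code: a client-side PPPoE state machine applying the four-second timer, the doubling backoff, the four-retry limit and the restart-on-PADT / lower-layer rules. The packet fields, the treatment of a PADS with session 0 as a rejection, and the service-name matching rule (an offer must carry the configured service name, per RFC 2516) are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import List, Optional

INITIAL_WAIT_S = 4.0   # seconds to wait for a reply before the first retransmission
MAX_RETRIES = 4        # four retries, i.e. five attempts including the first


@dataclass
class PppoePacket:
    """Discovery-stage PDU reduced to the fields this model needs (constructed, not RAD's format)."""
    code: str                           # PADI, PADO, PADR, PADS or PADT
    service_name: Optional[str] = None  # Service-Name tag, if carried
    session_id: int = 0                 # nonzero only on a PADS that confirms a session


@dataclass
class PppoeClient:
    """Client-side discovery state machine with the retry rules listed above."""
    configured_service: Optional[str] = None
    state: str = "IDLE"                 # IDLE, WAIT_PADO, WAIT_PADS, SESSION, LOWER_DOWN
    wait_s: float = INITIAL_WAIT_S      # current waiting period
    retries: int = 0                    # retransmissions of the outstanding request
    session_id: int = 0
    sent: List[PppoePacket] = field(default_factory=list)

    def _send(self, code: str) -> None:
        self.sent.append(PppoePacket(code, self.configured_service))

    def _restart_discovery(self) -> None:
        """Back to PADI with the timer reset to four seconds (steps 1, 3, 4 and 5)."""
        self.wait_s, self.retries, self.session_id = INITIAL_WAIT_S, 0, 0
        self._send("PADI")
        self.state = "WAIT_PADO"

    def _offer_acceptable(self, offer: PppoePacket) -> bool:
        # Assumed RFC 2516 rule: with a configured service name the offer must carry
        # a matching Service-Name tag; without one, the first offer is taken.
        return self.configured_service is None or offer.service_name == self.configured_service

    def start(self) -> None:
        self._restart_discovery()

    def timeout(self) -> None:
        """The current waiting period expired without the reply this state needs."""
        if self.state not in ("WAIT_PADO", "WAIT_PADS"):
            return
        if self.retries >= MAX_RETRIES:
            self._restart_discovery()       # retries exhausted: start over from PADI
            return
        self.retries += 1
        self.wait_s *= 2                    # exponential backoff: 4, 8, 16, 32, 64 s
        self._send("PADI" if self.state == "WAIT_PADO" else "PADR")

    def receive(self, pkt: PppoePacket) -> None:
        if self.state == "WAIT_PADO" and pkt.code == "PADO":
            if self._offer_acceptable(pkt):
                self.wait_s, self.retries = INITIAL_WAIT_S, 0
                self._send("PADR")
                self.state = "WAIT_PADS"
        elif self.state == "WAIT_PADS" and pkt.code == "PADS":
            if pkt.session_id == 0:         # assumed: PADS with session 0 = rejection
                self._restart_discovery()
            else:
                self.session_id = pkt.session_id
                self.state = "SESSION"
        elif self.state == "SESSION" and pkt.code == "PADT":
            self._restart_discovery()       # step 4: terminated by the peer, retry from PADI

    def lower_layer_down(self) -> None:
        self.state, self.session_id = "LOWER_DOWN", 0

    def lower_layer_up(self) -> None:
        """Step 5: as soon as the Ethernet layer is back, discovery restarts."""
        if self.state == "LOWER_DOWN":
            self._restart_discovery()


def wait_periods() -> List[float]:
    """Waiting period used for each of the five attempts before discovery restarts."""
    return [INITIAL_WAIT_S * 2 ** i for i in range(MAX_RETRIES + 1)]
```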
PPP Negotiation
SecFlow-1p negotiates a PPP session on any router interface that is bound to a PPP port (refer to Configuring Router Interface in the Traffic Processing chapter).
Note
If the PPP port is bound to an Ethernet port, PPP starts only after a PPPoE session has been established (see PPPoE Session Establishment above). If the PPP port is bound to a cellular port, PPP starts as soon as the cellular port it is bound to is operationally up.
There are three phases in PPP negotiation:
• Link establishment
• Authentication (optional)
• Network Control Protocols
PPP Link Establishment Phase
The first phase in PPP negotiation requires establishing a link.
PPP establishes a link as follows:
1. SecFlow-1p sends a Link Control Protocol (LCP) request, with the understanding that SecFlow-1p accepts the first legal LCP that it receives.
   • If SecFlow-1p does not receive a response within four seconds, it resends the request and doubles the waiting period.
   • If SecFlow-1p does not receive a response after four retries (five including the first), it restarts the LCP negotiation process (i.e. resends a configuration request and waits up to four seconds).
2. If the peer rejects the LCP request, SecFlow-1p resends the request and doubles the waiting period.
   • If SecFlow-1p does not receive a response after four retries (five including the first), it restarts the LCP negotiation process (i.e. resends a configuration request and waits up to four seconds).
3. If a PPP session is terminated due to reception of an LCP Terminate-Request packet, SecFlow-1p retries to establish a PPP session.
4. If LCP fails, SecFlow-1p raises the lcp-failure alarm.
PPP Authentication Phase
Note
Authentication is optional.
PPP supports two authentication methods: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
CHAP is the recommended method. PAP is not secure, as it passes the username and password in the clear.
Authentication is unidirectional. The methods used to authenticate a peer are not necessarily the methods that a peer uses for authentication.
SecFlow-1p performs PAP authentication only after a username and password are configured.
CHAP authentication uses the challenge-response method.
When a CHAP challenge is received, SecFlow-1p does the following:
• If the username in the challenge matches a login-user, the login-user and its password are used.
• If the username in the challenge does not match any of the login-users, the device uses the default CHAP password, if one is configured.
• If the username does not match any of the login-users and a default CHAP password is not configured, the CHAP authentication fails.
SecFlow-1p also supports configuration of a CHAP hostname.
• By default (i.e. a CHAP hostname is not configured), SecFlow-1p identifies itself by its system name. If a CHAP hostname is configured, the device uses it to identify itself, instead of the system name.
• SecFlow-1p supports configuration of the authentication methods that it may accept if requested by a peer.
• If during the authentication phase, SecFlow-1p does not receive a response from the server within four seconds, it does the following:
   • Resends the request and doubles the waiting period.
   • If a PPPoE session was established and SecFlow-1p does not receive a response after four retries (five including the first), it terminates the PPPoE session (by sending a PADT) and tries negotiating it anew (by sending a PADI).
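As an added illustration that is not part of the manual: the credential lookup and hostname rules above, modelled in Python with the CHAP response computed per RFC 1994 (MD5 over Identifier, secret and Challenge), and a PAP Authenticate-Request encoder (RFC 1334) beside it to show why the text recommends CHAP. The class and function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The secret itself never leaves the host; only this digest is sent."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret.encode("utf-8") + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes, secret: str) -> bool:
    """Authenticator side: recompute the digest and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def new_challenge(length: int = 16) -> bytes:
    """Fresh unpredictable challenge; reusing one would let a captured response be replayed."""
    return os.urandom(length)


class ChapResponder:
    """Device-side handling of an incoming CHAP Challenge, following the lookup
    order described above (hypothetical model, not RAD's implementation)."""

    def __init__(self, system_name: str, login_users: Dict[str, str],
                 chap_password: Optional[str] = None, chap_hostname: Optional[str] = None):
        self.system_name = system_name
        self.login_users = dict(login_users)      # login-user name -> password
        self.chap_password = chap_password        # default CHAP password, if configured
        self.chap_hostname = chap_hostname        # optional chap-hostname

    def identity(self) -> str:
        """Name field of the Response: chap-hostname if set, otherwise the system name."""
        return self.chap_hostname or self.system_name

    def secret_for(self, challenge_name: str) -> Optional[str]:
        """1) password of the matching login-user; 2) default CHAP password; 3) None = fail."""
        if challenge_name in self.login_users:
            return self.login_users[challenge_name]
        return self.chap_password

    def answer(self, identifier: int, challenge: bytes, challenge_name: str) -> Optional[dict]:
        secret = self.secret_for(challenge_name)
        if secret is None:
            return None                            # CHAP authentication fails
        return {"identifier": identifier, "name": self.identity(),
                "value": chap_response(identifier, secret, challenge)}


def pap_authenticate_request(identifier: int, peer_id: str, password: str) -> bytes:
    """RFC 1334 PAP Authenticate-Request (Code 1), shown only to make the contrast
    visible: the password is carried verbatim inside the packet."""
    pid, pw = peer_id.encode("utf-8"), password.encode("utf-8")
    body = bytes([len(pid)]) + pid + bytes([len(pw)]) + pw
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body
```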
PPP Network Control Protocols (NCP) Phase
Once the authentication phase has completed successfully (or if you skipped authentication, once link establishment has completed successfully), SecFlow-1p begins the NCP phase, i.e. negotiating the set of supported network control protocols – IPCP and IPv6CP.
SecFlow-1p performs the NCP phase, as follows:
1. SecFlow-1p begins Internet Protocol Control Protocol (IPCP) negotiation.
2. If SecFlow-1p does not receive a response within four seconds, it resends the request and doubles the waiting period.
3. If the peer rejects IPCP, SecFlow-1p waits four seconds, resends the request, and doubles the waiting period for four retries (five including the first).
4. If IPCP is terminated due to receiving a Terminate Request packet, SecFlow-1p retries to establish IPCP.
5. SecFlow-1p begins IPv6 Control Protocol (IPv6CP) negotiation (same as steps 2 to 4 for IPCP negotiation).
Factory Defaults
By default, PPP ports have the following configuration.

Parameter: name
Description: Port name
Default Value: name “PPP <port-name>”

Parameter: refuse-chap
Description: Refuse CHAP authentication
Default Value: no refuse-chap

Parameter: refuse-no-auth
Description: Refuse no authentication
Default Value: refuse-no-auth

Parameter: refuse-pap
Description: Refuse PAP authentication
Default Value: refuse-pap

Parameter: pppoe
Description: PPPoE configuration
Default Value: pppoe

Parameter: service-name
Description: PPPoE service name
Default Value: no service-name
Configuring Ports
PPP Port
To configure the PPP port:
1. Navigate to configure port ppp <number> to select the PPP port to configure.
2. Enter all necessary commands according to the tasks listed below.

Task: Binding PPP to a lower layer (Ethernet)
Command: [no] bind ethernet <port>
         no bind
Comments: port – Ethernet port

Task: Configuring CHAP hostname
Command: chap-hostname <name>
         [no] chap-hostname [name]
Comments: name – CHAP hostname. Possible values: 1-80 character string

Task: Configuring CHAP default password
Command: chap-password <pass> [{hash}]
         [no] chap-password [name]
Comments: pass – CHAP password. Possible values: 1-80 character string. hash – password encrypted. Possible values: hash, “”.
Notes:
• If you enter a clear password (chap-password), the device encrypts it, saves the encrypted password in pppSecuritySecret and sets pppSecuritySecretType to ‘off’.
• If you enter an encrypted password (chap-password hash), the device saves the encrypted password in pppSecuritySecret and sets pppSecuritySecretType to ‘off’.

Task: Configuring port name
Command: name <name>
         no name [name]
Comments: name – port name. Possible values: 1-80 character string

Task: Configuring PAP credentials
Command: pap-username <name> password <pass> [{hash}]
         [no] pap-username [name]
Comments: name – PAP username. Possible values: string up to 80 characters. pass – PAP password. Possible values: string up to 80 characters.
Notes:
• If you enter a clear password (pap-password), the device encrypts it, saves the encrypted password in pppSecuritySecret and sets pppSecuritySecretType to ‘off’.
• If you enter an encrypted password (pap-password hash), the device saves the encrypted password in pppSecuritySecret and sets pppSecuritySecretType to ‘off’.

Task: Configuring PPPoE
Command: pppoe
Comments: For detailed information on PPPoE configuration, see PPPoE below.

Task: Refusing CHAP authentication
Command: [no] refuse-chap

Task: Refusing PAP authentication
Command: [no] refuse-pap

Task: Refusing no authentication
Command: [no] refuse-no-auth
PPPoE Port
To configure PPPoE:
1. Navigate to configure port ppp <number> pppoe.
2. Enter all necessary commands according to the tasks listed below.

Task: Configuring service name
Command: service-name <string>
         [no] service-name [string]
Comments: service-name – service name. Possible values: string up to 80 characters

Task: Displaying PPPoE status
Command: show status
Comments: See Viewing Port Status
Configuration Errors
The following table lists the messages generated by the device when a configuration error is detected.

Message: Cannot execute: too long password
Cause: You tried to configure an unencrypted password (PAP or CHAP) of more than 80 characters.
Corrective Action: Shorten the password.
Viewing Port Status
PPPoE
You can display the status and configuration of an individual PPP port, which is configured with PPPoE, provided it is bound to a router interface.
Note
If the PPP port, which is configured with PPPoE, is not bound to a router interface, the following output is displayed: PPP is not bound to an interface.
To display status of PPP port 1 configured with PPPoE (and bound to a router interface):
configure port ppp 1 pppoe
config>port>ppp(1)>pppoe# show status
Router Interface       : Router 1/If 2
Physical Port          : Ethernet 1
State                  : Up
Service Name Requested : Song
PPP Configured with PPPoE Port Status Parameters

Parameter: Router Interface
Description: Router/router interface

Parameter: Physical Port
Description: Physical interface under the router interface. Possible values: string

Parameter: State
Description: PPPoE state. Possible values: Up, Down, Lower Layer Down, Admin Disabled

Parameter: Service Name Requested
Description: Service name
4.5 Serial Ports
This section describes the SecFlow-1p serial ports, as well as applications running over them – terminal
server and serial tunneling.
Applicability and Scaling
1 or 2 serial ports are available on the device, depending on the ordering option. The serial port can be
of the RS-232 or RS-485 type, depending on the hardware.
Only one tunnel can be created per port.
Only one terminal server can be created per port.
Standards
The SecFlow-1p serial ports comply with RS-232 and RS-485 standards (depending on the hardware).
Functional Description
Serial Interfaces
The maximum latency allowed before transmitting an IP packet can be configured in the range of 2 to
255 milliseconds. The longer the latency is, the more serial characters can be grouped in one packet.
The serial port speed can be configured to the following values: 300, 600, 1200, 2400, 4800, 9600,
19200, 38400, 57600, and 115200 kbps.
You can also configure the bus idle time, which is the number of Rx bits considered as a single message.
By default, the bus idle time is set by the device to the minimum value allowed for the configured baud
rate, according to the following table:
Minimum Idle Time per Baud Rate
Baud Rate   Minimum Idle Time
300         30
600         60
1200        120
2400        240
4800        480
9600        1000
19200       2000
38400       4000
57600       6000
115200      12000
The number of data bits in a transmission unit can be configured in the range of 5 to 8.
The parity bit type can also be configured (parity is a simple error detection code). The user can configure even or odd parity. By default, parity is configured to none, which means that it is not used.
The number of stop bits (buffer between transmission units) can be set to 1 or 2.
The device allows you to configure a delay (in milliseconds) before starting to transmit. This can be useful to prevent many RTUs from answering at the same time. The default delay is 10 milliseconds and the configurable range is 1..10000.
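An added Python validator (not RAD code) that applies the ranges above and the Minimum Idle Time per Baud Rate table, and works out how many characters the allowed latency lets the device group into one packet. It assumes the baud-rate values are bits per second and a framing of one start bit, the data bits, an optional parity bit and the stop bits; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

# Minimum Idle Time per Baud Rate (bits), copied from the table above.
MIN_IDLE_BITS = {300: 30, 600: 60, 1200: 120, 2400: 240, 4800: 480, 9600: 1000,
                 19200: 2000, 38400: 4000, 57600: 6000, 115200: 12000}
MAX_IDLE_BITS = 100000
PARITIES = ("none", "even", "odd")


@dataclass
class SerialPortConfig:
    """Defaults follow the Factory Defaults table; bus_idle_bits=None means auto."""
    baud_rate: int = 9600
    bus_idle_bits: Optional[int] = None
    data_bits: int = 8
    parity: str = "none"
    stop_bits: int = 1
    allowed_latency_ms: int = 16
    tx_delay_ms: int = 10


def effective_bus_idle_bits(cfg: SerialPortConfig) -> int:
    """auto resolves to the minimum allowed for the configured baud rate."""
    return MIN_IDLE_BITS[cfg.baud_rate] if cfg.bus_idle_bits is None else cfg.bus_idle_bits


def validate(cfg: SerialPortConfig) -> List[str]:
    """Return the list of violations; an empty list means the device would accept it."""
    errors: List[str] = []
    if cfg.baud_rate not in MIN_IDLE_BITS:
        errors.append(f"baud-rate {cfg.baud_rate} not in {sorted(MIN_IDLE_BITS)}")
        return errors                      # the idle-time check depends on the rate
    idle = effective_bus_idle_bits(cfg)
    if idle < MIN_IDLE_BITS[cfg.baud_rate]:
        errors.append(f"bus-idle bits {idle} below minimum {MIN_IDLE_BITS[cfg.baud_rate]} "
                      f"for baud-rate {cfg.baud_rate}; the rate may be rejected")
    if idle > MAX_IDLE_BITS:
        errors.append(f"bus-idle bits {idle} above maximum {MAX_IDLE_BITS}")
    if not 5 <= cfg.data_bits <= 8:
        errors.append(f"data-bits {cfg.data_bits} outside 5..8")
    if cfg.parity not in PARITIES:
        errors.append(f"parity {cfg.parity!r} not one of {PARITIES}")
    if cfg.stop_bits not in (1, 2):
        errors.append(f"stop-bits {cfg.stop_bits} not 1 or 2")
    if not 2 <= cfg.allowed_latency_ms <= 255:
        errors.append(f"allowed-latency {cfg.allowed_latency_ms} ms outside 2..255")
    if not 1 <= cfg.tx_delay_ms <= 10000:
        errors.append(f"tx-delay {cfg.tx_delay_ms} ms outside 1..10000")
    return errors


def bits_per_character(cfg: SerialPortConfig) -> int:
    """Start bit + data bits + optional parity bit + stop bits on the wire (assumed framing)."""
    return 1 + cfg.data_bits + (0 if cfg.parity == "none" else 1) + cfg.stop_bits


def max_chars_per_packet(cfg: SerialPortConfig) -> int:
    """Whole characters that arrive within allowed_latency_ms at the baud rate,
    i.e. the most the device can group into one IP packet with these settings."""
    return (cfg.baud_rate * cfg.allowed_latency_ms) // (1000 * bits_per_character(cfg))


def bus_idle_ms(cfg: SerialPortConfig) -> float:
    """Idle gap on the wire (ms) that the effective bus-idle bit count represents."""
    return effective_bus_idle_bits(cfg) * 1000.0 / cfg.baud_rate
```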
Terminal Server
Terminal server is an application that can be configured over serial ports. It translates serial traffic incoming from a serial port to IP packets (TCP or UDP), which are sent over an IP network (and vice versa). This way a user with an IP device such as a laptop can manage a serial device such as an RTU.
Terminal server and serial tunneling are mutually exclusive.
The user can telnet to the terminal server (on a TCP or UDP port) and be connected to the serial port the terminal server is configured on. The terminal server converts the user’s IP traffic to serial traffic, and vice versa.
A complementary terminal server application is to configure a Telnet TCP server on one device and a client on another. The client opens a connection, a kind of tunnel, to the server, allowing serial devices connected to the two devices to pass serial traffic between them, over an IP network.
Terminal server parameters are configured on the system and the serial port levels, as follows:
• parameters that are relevant to both serial ports are configured on the system level; these parameters have the same values for both ports
• shutdown of the entire feature is also configured on the system level (per device)
• the actual terminal server with its proper protocol per port is configured on the port level
System Level Configuration
You can set a dead peer timeout (in the range of 1 to 1440 minutes, i.e. one day) for terminal server traffic over TCP. If no traffic is sent over a connection for the configured duration, the device closes the connection, making room for another. If no dead-peer-timeout is configured, the TCP connection expires only if closed by a FIN packet or if administratively aborted by the disconnect command.
The command is irrelevant for UDP traffic, since UDP is a connectionless protocol.
The terminal server functionality is disabled by default. However, it can be enabled even if the essential configuration (e.g. local IP address) is missing. Although it is useless in this case, it becomes operational once the missing configuration is added.
Port Level Configuration
The local IP address (i.e. owned by the device), on which the terminal server listens, is configured via the local-address command in the configure>port>serial>terminal-server level. A user telnetting to this address will be connected by the terminal server to the serial port on which it is configured. Traffic sent by the user will appear on any device connected to the serial port, and vice versa.
Note
Configuring the local address is mandatory.
If the address is not owned by the device, the terminal server is not operational, even if it is enabled. It will start being operational once the address is owned by the device.
Some terminal clients require the null-CR mode functionality. When enabled, the device drops a null character if it arrives immediately after a carriage return (^M or ASCII 0x0d).
Some terminal clients require this mode to be enabled, and some disabled. Null-CR mode is disabled by default.
Serial Tunneling
Serial tunneling is an application that can be configured over a serial port, to create an IP tunnel
between one or more opposite devices with serial ports. Serial traffic passes through the tunnel
encapsulated in IP packets, between the tunnel endpoints.
Terminal server and serial tunneling are mutually exclusive.
The tunnel can be point-to-point, point-to-multipoint or multipoint-to-multipoint. Each endpoint can be
designated master or slave. Master traffic is sent to all slaves, and slave traffic is sent to all masters.
The tunnel addresses and roles are configured by means of the address command. The user can designate the local device as master. Otherwise, the peer is the master (the default setting).
When configuring the tunnel, note the following:
• There are no default addresses. Without configuring them the tunnel is useless, even if it is enabled.
• If the local address is not owned by the device, this address will not be operational, even if this address is enabled. Both devices will start being operational once the address is owned by the device.
• If the remote address is owned by the device or if there is no IP connectivity to it, this address (and its local peer) will not be operational, even if it is enabled. It (and its local) will start being operational once the address is not owned by the device and there is IP connectivity to it.
• If the user repeats the command with the same local and remote addresses, the command is accepted, replacing the previous instance. The only thing that can change in this case is the master status.
• Traffic is not passed between masters or between slaves on the same tunnel.
• Traffic from a slave reaches all the masters on the tunnel.
• Traffic from a master reaches all the slaves on the tunnel.
• The tunnel can be enabled even if essential configuration (i.e. addresses) is missing. It would be useless in this case but will become operational the moment the missing configuration is added.
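A Python model, added here and not RAD's implementation, of the address-pair rules and master/slave forwarding described above; it raises the device's own configuration-error messages where the page lists them (Invalid unicast IP address, Maximum number of peers is configured, Local and remote addresses must be different, No such addresses). The class names and the deliveries() topology helper are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List

TUNNEL_BASE_PORT = 9850     # the tunnel is opened on 9850 + tunnel number
MAX_PEERS = 10              # up to 10 peers per tunnel


class ConfigError(ValueError):
    """Raised with the message text the device reports for the same condition."""


def unicast_ipv4(text: str) -> ipaddress.IPv4Address:
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        raise ConfigError("Invalid unicast IP address") from None
    if addr.is_multicast or addr.is_unspecified or addr == ipaddress.IPv4Address("255.255.255.255"):
        raise ConfigError("Invalid unicast IP address")
    return addr


@dataclass
class Peer:
    local: ipaddress.IPv4Address
    remote: ipaddress.IPv4Address
    master_local: bool = False      # default master-remote: the peer is the master

    @property
    def local_role(self) -> str:
        return "master" if self.master_local else "slave"


class SerialTunnel:
    """Tunnel configuration under one serial port (hypothetical model)."""

    def __init__(self, number: int, transport: str = "udp"):
        if not 1 <= number <= 10:
            raise ConfigError("tunnel number must be 1..10")
        if transport not in ("tcp", "udp"):
            raise ConfigError("transport-layer must be tcp or udp")
        self.number, self.transport = number, transport
        self.peers: List[Peer] = []
        self.enabled = False            # shutdown by default

    @property
    def port(self) -> int:
        return TUNNEL_BASE_PORT + self.number

    def address(self, local: str, remote: str, master_local: bool = False) -> Peer:
        """address local <l> remote <r> [master-local | master-remote]"""
        l, r = unicast_ipv4(local), unicast_ipv4(remote)   # both IPv4, so same IP version
        if l == r:
            raise ConfigError("Local and remote addresses must be different")
        for peer in self.peers:
            if peer.local == l and peer.remote == r:
                peer.master_local = master_local   # repeat replaces; only the role can change
                return peer
        if len(self.peers) >= MAX_PEERS:
            raise ConfigError("Maximum number of peers is configured")
        peer = Peer(l, r, master_local)
        self.peers.append(peer)
        return peer

    def no_address(self, local: str, remote: str) -> None:
        l, r = unicast_ipv4(local), unicast_ipv4(remote)
        for peer in self.peers:
            if peer.local == l and peer.remote == r:
                self.peers.remove(peer)
                return
        raise ConfigError("No such addresses")

    def operational_peers(self, owned: Iterable[str], reachable: Iterable[str]) -> List[Peer]:
        """A pair works only when the tunnel is enabled, the local address is owned by
        the device, and the remote one is not owned by it and has IP connectivity."""
        owned_set = {ipaddress.IPv4Address(a) for a in owned}
        reach_set = {ipaddress.IPv4Address(a) for a in reachable}
        if not self.enabled:
            return []
        return [p for p in self.peers
                if p.local in owned_set and p.remote not in owned_set and p.remote in reach_set]


def deliveries(roles: Dict[str, str], sender: str) -> List[str]:
    """Forwarding rule across a multipoint tunnel: master traffic goes to every slave,
    slave traffic to every master, never master-to-master or slave-to-slave."""
    wanted = "slave" if roles[sender] == "master" else "master"
    return sorted(name for name, role in roles.items() if name != sender and role == wanted)
```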
Factory Defaults
SecFlow-1p is supplied with all serial ports disabled. Other parameter defaults are listed in the table below.

Parameter: allowed-latency (msec)
Default Value: 16

Parameter: baud-rate (kbps)
Default Value: 9600

Parameter: bus-idle
Default Value: auto

Parameter: parity
Default Value: none

Parameter: data-bits
Default Value: 8

Parameter: stop-bits
Default Value: 1

Parameter: tunnel level
Default Value: disabled

Parameter: buffer-mode
Default Value: byte

Parameter: null-cr-mode
Default Value: disabled

Parameter: telnet-client-tcp server-address
Default Value: No Telnet client exists by default

Parameter: telnet-server-tcp port
Default Value: No Telnet server exists by default

Parameter: telnet-server-udp port
Default Value: No Telnet server exists by default

Parameter: address local
Default Value: By default no addresses are configured; master-remote

Parameter: buffer-mode
Default Value: byte

Parameter: transport-layer
Default Value: udp

Parameter: terminal-server
Default Value: disabled

Parameter: dead-peer-timeout <minutes>
Default Value: 10

Parameter: buffer-mode
Default Value: byte
Configuring Serial Port Parameters
To configure the serial port parameters:
1. Navigate to configure port serial <port number> to select the serial port to configure.
The config>port>serial>(<port>)# prompt is displayed.
2. Enter all necessary commands according to the tasks listed below.

Task: Administratively enabling port
Command: no shutdown
Comments: Using shutdown disables the port

Task: Configuring the allowed latency
Command: allowed-latency {milliseconds <number>}
Comments: Possible Values: 2-255

Task: Configuring the BAUD rate
Command: baud-rate {speed}
Comments: Possible Values: 300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200. If bus-idle is bits and number-of-bits is less than the allowed minimum (see the Minimum Idle Time per Baud Rate table above), the rate may be rejected by the device.

Task: Configuring the bus idle time in bits
Command: bus-idle {auto | bits <number-of-bits>}
Comments: <number-of-bits>: The maximum value is 100000. The minimum depends on the configured baud rate (see the Minimum Idle Time per Baud Rate table above).

Task: Clearing statistics
Command: clear-statistics

Task: Configuring the number of data bits
Command: data-bits <number-of-bits>
Comments: Possible Values: 5-8

Task: Configuring the parity type
Command: parity {none | even | odd}

Task: Displaying the port status
Command: show status

Task: Disabling port
Command: shutdown

Task: Configuring the number of stop bits
Command: stop-bits <number-of-bits>
Comments: Possible Values: 1,2

Task: Terminal server level
Command: [no] terminal-server 1
Comments: Only one terminal server can be configured per port. See Configuring the Terminal Server below.

Task: Tunnel level
Command: tunnel <1..10>
Comments: See Configuring the Tunnel Parameters below

Task: Setting Tx delay, in milliseconds
Command: tx-delay
Comments: Possible Values: 1..10000
Configuring the Terminal Server
To configure the terminal server on the port level:
1. Navigate to configure port serial <port> terminal-server 1.
The config>port>serial>(<port>) terminal-server (1)# prompt is displayed.
2. Enter all necessary commands according to the tasks listed below.

Task: Disconnecting the session (administratively aborting an active TCP connection)
Command: disconnect port <number>
Comments: Port number of the session to be disconnected: 2001..65534

Task: Enabling the null CR mode
Command: [no] null-cr-mode

Task: Displaying the status
Command: show status

Task: Configuring a TCP Telnet client application over the terminal server
Command: [no] telnet-client-tcp server-address <ip-address> port <port-number>
Comments: The client establishes a connection to a preconfigured TCP telnet server, and once the connection is alive the serial ports behind both the client and server can pass traffic to each other. No Telnet client exists by default. A serial port is limited to one Telnet application. ip-address: Telnet server address (valid unicast IPv4 address). <port-number>: 2001..65534. Note: A TCP Telnet client can be configured regardless of the terminal server administrative or operational status. However, if the terminal server is not operational, neither is the Telnet client.

Task: Configuring a TCP Telnet server application over the terminal server
Command: [no] telnet-server-tcp port <port-number>
Comments: No telnet server exists by default. A serial port is limited to one Telnet application. <port-number> – port the telnet server listens on. Possible Values: 2001..65534. Note: A TCP Telnet server can be configured regardless of the terminal server administrative or operational status. However, if the terminal server is not operational, neither is the Telnet server.

Task: Configuring a UDP Telnet server application over the terminal server
Command: telnet-server-udp port <port-number> client <client-ip-address>
Comments: No telnet server exists by default. A serial port is limited to one Telnet application. <port-number> – port the Telnet server listens on. Possible Values: 2001..65534. <client-ip-address>: IPv4 unicast address. Note: A UDP Telnet server can be configured regardless of the terminal server administrative or operational status. However, if the terminal server is not operational, neither is the Telnet server.
To configure the terminal server on the system level:
1. Navigate to configure system serial terminal-server 1.
The config>system>serial> terminal-server (1)# prompt is displayed.
2. Enter all necessary commands according to the tasks listed below.

Task: Configuring buffer mode
Command: buffer-mode {byte | frame}

Task: Configuring dead peer detection timeout
Command: dead-peer-timeout <minutes>
         no dead-peer-timeout
Comments: <minutes>: 1..1440

Task: Configuring device IP address to listen on
Command: [no] local-address <ip-address>

Task: Disabling terminal server functionality
Command: [no] shutdown
Configuring the Tunnel
 To configure the tunnel parameters:
1. Navigate to configure port serial <port number> tunnel <1..10> to select the tunnel to
configure.
   The config>port>serial>(<port>)# tunnel <tunnel> prompt is displayed.
2. Enter all necessary commands according to the tasks listed below.

Task: Configuring the tunnel local/remote addresses and roles
  Command:  address local <local-ip-address> remote <remote-ip-address> [master-local | master-remote]
            no address local <local-ip-address> remote <remote-ip-address>
  Comments: By default no addresses are configured.
            <local-ip-address>: Valid unicast IPv4 address
            <remote-ip-address> (Peer IP address): Valid unicast IPv4 address
            Up to 10 peers can be configured per tunnel.
            The local and remote addresses must be different but belong to the same IP version.
            master-local – the peer is slave
            master-remote – the peer is master
            Default: master-remote

Task: Configuring the buffer mode
  Command:  buffer-mode {byte | frame}

Task: Disabling serial tunnel
  Command:  shutdown
  Comments: Terminal server and serial tunneling are mutually exclusive.
            A tunnel becomes operational if it is enabled and has the required configuration, which is:
            • Local (i.e. source) unicast IPv4 address is owned by the device.
            • Remote (i.e. destination) unicast IPv4 address is not owned by the device and has the
              same IP version as the local address.

Task: Configuring the transport layer
  Command:  transport-layer {tcp | udp}
  Comments: The tunnel is opened on port 9850 + tunnel number.
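The checks the tunnel table spells out (unicast IPv4 addresses, local differing from remote, the 10-peer limit, the 9850 + tunnel-number port, terminal server and tunnel being mutually exclusive, and the conditions under which a tunnel becomes operational) can be modelled in a few lines. The following is an added example written for this manual page, not RAD's code or the device's implementation; the `Tunnel` and `SerialPort` classes, their method names and the device-owned address set are assumptions constructed for illustration, and the error strings are taken from the Configuration Errors tables further below.

```python
"""Serial-tunnel configuration checks in the style of the tunnel table above.

Added example, not RAD's code. It encodes only rules the table states: unicast
IPv4 local and remote addresses of the same IP version, local != remote, at most
10 peers per tunnel, transport port 9850 + tunnel number, terminal server and
tunnel mutually exclusive, and a tunnel is operational only when it is enabled,
its local address is owned by the device and its remote address is not. The
device's own address set passed to is_operational() is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

BASE_PORT = 9850   # the tunnel is opened on port 9850 + tunnel number
MAX_PEERS = 10     # up to 10 peers can be configured per tunnel


def is_unicast_ipv4(text: str) -> bool:
    """Accept only a valid unicast IPv4 address (no multicast, unspecified or limited broadcast)."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    if ip.version != 4:
        return False
    return not (ip.is_multicast or ip.is_unspecified
                or ip == ipaddress.IPv4Address("255.255.255.255"))


@dataclass
class Tunnel:
    number: int                       # tunnel <1..10>
    transport: str = "tcp"            # transport-layer {tcp | udp}
    buffer_mode: str = "byte"         # buffer-mode {byte | frame}
    enabled: bool = False             # 'no shutdown' sets this True
    peers: List[Tuple[str, str, str]] = field(default_factory=list)  # (local, remote, role)

    def add_address(self, local: str, remote: str, role: str = "master-remote") -> None:
        """Mirror 'address local X remote Y [master-local | master-remote]'.

        Raises ValueError with the manual's configuration-error text when a rule is
        violated. Requiring IPv4 on both sides also satisfies the same-IP-version rule."""
        if not (is_unicast_ipv4(local) and is_unicast_ipv4(remote)):
            raise ValueError("Local and remote must be valid unicast IP addresses")
        if local == remote:
            raise ValueError("Local and remote addresses must be different")
        if role not in ("master-local", "master-remote"):
            raise ValueError(f"unknown role {role!r}")
        if len(self.peers) >= MAX_PEERS:
            raise ValueError("Maximum number of peers is configured")
        self.peers.append((local, remote, role))

    def remove_address(self, local: str, remote: str) -> None:
        """Mirror 'no address local X remote Y'."""
        for peer in self.peers:
            if peer[0] == local and peer[1] == remote:
                self.peers.remove(peer)
                return
        raise ValueError("No such addresses")

    def port(self) -> int:
        """Transport port the tunnel is opened on."""
        return BASE_PORT + self.number

    def is_operational(self, device_addresses) -> bool:
        """Enabled, at least one peer configured, every local address owned by the
        device and no remote address owned by it."""
        if not self.enabled or not self.peers:
            return False
        owned = set(device_addresses)
        return all(local in owned and remote not in owned for local, remote, _ in self.peers)


@dataclass
class SerialPort:
    number: int
    terminal_server_active: bool = False
    tunnel: Optional[Tunnel] = None

    def enable_tunnel(self, tunnel: Tunnel) -> None:
        """'no shutdown' under the tunnel: refused while a terminal server runs on the port
        or another tunnel is already configured on it (one tunnel per port)."""
        if self.terminal_server_active:
            raise ValueError("Cannot enable serial tunnel on port with active terminal server")
        if self.tunnel is not None and self.tunnel is not tunnel:
            raise ValueError("Maximum number of tunnels is configured on this port")
        tunnel.enabled = True
        self.tunnel = tunnel
```

The `is_operational()` check is the one worth running before troubleshooting a tunnel that shows as configured but passes no data: a remote address that the device itself owns, or a local address it does not own, leaves the tunnel administratively up but never operational.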
Viewing Status Information
 To view the status of a serial port:
1. Navigate to config>port> serial (<port>)#
2. Type show status.
The port status and statistics are displayed, for example as follows:
# show configure port serial 1
Administrative Status          : Up
Interface Type                 : RS-232
BAUD Rate                      : 9600
Data Bits                      : 8
Stop Bits                      : 1
Parity                         :
Allowed Latency (milliseconds) : 16
Tx Delay (milliseconds)        : 10
Rx Bytes                       : 0
Tx Bytes                       : 0
Rx Errors                      : 0
Tx Errors                      : 0
#
 To view the status of a terminal server:
1. Navigate to config>port> serial (<port>) terminal-server (1)#
2. Type show status.
The status is displayed, for example as follows:
Admin Status                  : Enabled
Local IP address              : 192.168.1.1
Buffer Mode                   : Byte
Dead Peer Detection (Minutes) : 10
Null CR Mode                  : Off
TCP Telnet Server Ports       : 2001-2009   **displayed if TCP or UDP telnet server is configured**
Connections                                 **displayed if TCP Telnet server is configured and has active connections**
Port | Source IP address | Destination IP address
-----+-------------------+-----------------------
2001 | 10.10.10.10       | 192.168.1.1
Configuration Errors
The tables below list messages generated by SecFlow-1p when a configuration error on serial ports is
detected.

Message: Telnet application is already configured on this port
  Description: One Telnet application (TCP or UDP server, or TCP client) is already configured on
               this port.

Message: Invalid unicast IP address
  Description: The address is not a valid unicast IPv4 address.

Message: No such addresses
  Description: You are trying to delete a pair of addresses that is not configured.

Message: Maximum number of peers is configured
  Description: You are trying to configure more than 10 peers per tunnel.

Message: Local and remote must be valid unicast IP addresses
  Description: The local and remote addresses must be valid unicast IP addresses.

Message: Local and remote addresses must be different
  Description: The local and remote addresses must be different.

Message: Cannot enable serial tunnel on port with active terminal server
  Description: Terminal server and serial tunneling are mutually exclusive.

Message: Maximum number of terminal servers is configured on this port
  Description: Only one terminal server can be configured per port.

Message: Invalid unicast IP address
  Description: You are trying to configure an IP address which is not a valid unicast IPv4 address.

Message: Maximum number of IP addresses is configured
  Description: Only one local IP address is supported for configuring the terminal server.

Message: Cannot enable terminal server on port with active serial tunnel
  Description: Terminal server and serial tunneling are mutually exclusive.

Message: Bus idle configuration is below minimum for this baud rate
  Description: You are trying to configure the bus idle time to less than the minimum allowed for
               the baud rate.

Message: Value may not be higher than 100000
  Description: The bus idle time cannot be set above 100000.

Message: Value must be at least <allowed-minimum>
  Description: The bus idle time cannot be set below the allowed minimum (see the Minimum Idle
               Time per Baud Rate table above).

Message: Maximum number of tunnels is configured on this port
  Description: You are trying to configure more than one tunnel per port.

Message: UDP port is in use by terminal server on another serial port
  Description: The UDP port is in use by a terminal server on another serial port.

Message: TCP port is in use by terminal server on another serial port
  Description: The TCP port is in use by a terminal server on another serial port.

Message: Same tunnel ID, remote address need same buffer mode on all ports
  Description: If there is another tunnel (on a different port) with the same ID and remote
               address, they must have the same buffer-mode (both either byte or frame).
4.6 Virtual Ports
Virtual ports are predefined fixed logical ports used as reference points through which virtualization
functions can connect to SecFlow-1p logical networking elements.
Virtual ports also provide connection between components.
SecFlow-1p requires 10 predefined virtual ports.
Applicability and Scaling
This feature is applicable to all the SecFlow-1p versions.
Benefits
Virtual ports provide flexible binding of ports, networking functions, and virtualization layer.
Factory Defaults
By default, virtual ports have the following configuration.

Parameter  Description                               Default Value
---------  ----------------------------------------  -----------------------------
name       Assigns a port name                       no name (Virtual # of port)
shutdown   Sets virtual port administrative status   shutdown
Configuring Virtual Ports
 To configure a virtual port:
1. Navigate to configure port virtual <port-name>.
   The configure>port>virtual (<port-name>)# prompt is displayed.
2. Enter all necessary commands according to the tasks listed below.

Task: Administratively enabling port
  Command:  no shutdown
  Comments: Enter shutdown to disable the port.

Task: Setting maximum frame size (in bytes) to transmit
  Command:  egress-mtu <68–12288>
  Comments: Frames above the specified size are fragmented or discarded.

Task: Mapping the traffic originated by a router interface to its egress port
  Command:  force-next-hop [next-hop <ip-address>]
            no force-next-hop

Task: Assigning description to port
  Command:  [no] name <port-name>
  Comments: port-name – 0-64 characters
            Note: Configured name included in events and traps.
            Enter no name to revert the name to its default value (virtual <port-name>).

Task: Bind PBR rule to the port
  Command:  policy-based-route priority <priority> match-acl <name> {next-hop <ip-address> |
            interface <type, index>}
            no policy-based-route priority <priority>
  Comments: See Configuring PBR

Task: Displaying the port statistics
  Command:  show statistics
  Comments: See Viewing Virtual Port Statistics

Task: Displaying the port status
  Command:  show status
  Comments: See Viewing Virtual Port Status

Task: Configuring VLAN port
  Command:  vlan <vlan-id>
  Comments: See VLAN Ports for details on VLAN port configuration.
            Type no vlan <vlan-id> to delete the Ethernet port VLAN.
            Note: You can delete a VLAN port only when its administrative status is down.
Viewing Virtual Port Status
The following port status can be displayed for a virtual port.
Name                  : My Port
Administrative Status : Up
Operational Status    : Up
MAC Address           : 41-41-42-42-43-43

Parameter              Description
---------------------  -----------------------------------------
Name                   Port name
Administrative Status  Possible values: Up, Down
Operational Status     Possible values: Up, Down
MAC Address            MAC address, formatted 00-00-00-00-00-00
Viewing Virtual Port Statistics
The following port statistics can be displayed for a virtual port. The counters are described in the
following table.
                        Running
-----------------------------------------------------------------------------
Counter                 Rx              Tx
Total Frames            3539            10
Total Octets            236594          1060
Discard Frames          -               213

Parameter       Description
--------------  --------------------------------------------
Total Frames    Total number of frames received/transmitted
Total Octets    Total number of bytes received/transmitted
Discard Frames  Total number of discarded Tx frames
4.7 VLAN Ports
SecFlow-1p supports the creation of VLAN ports over Ethernet and Virtual ports, thus providing single
VLAN tag encapsulation.
Applicability and Scaling
This feature is applicable to all the SecFlow-1p versions.
Functional Description
VLAN port configuration is similar to Ethernet port configuration. You can configure traffic management,
and binding entities (such as router interface) to port. However, in VLAN ports, you cannot configure
physical properties, such as auto negotiation.
Note
VLAN tags have 0x8100 Ethertype. Other Ethertypes are not configurable or
recognized.
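The note above has a practical consequence for anything that inspects traffic on these ports: only a tag with TPID 0x8100 is a VLAN tag, and a frame whose EtherType field holds anything else (for example 0x88A8, the service tag of IEEE 802.1ad) is simply an untagged frame with that EtherType. The following parser is an added example written for this page, not RAD's code; the frame layout is standard 802.1Q, the sample MAC addresses are constructed (the destination reuses the 41-41-42-42-43-43 value shown in the status outputs of this chapter), and the 0-4094 VLAN ID range is the one this manual gives for VLAN ports.

```python
"""Parse the single 802.1Q tag SecFlow-1p recognises (TPID 0x8100).

Added example, not RAD's code. Frames are constructed in-line. Only TPID 0x8100
is treated as a VLAN tag, as the note above states; any other EtherType
(including 0x88A8 service tags) is returned as an untagged frame. VLAN IDs
outside 0-4094 (the manual's VLAN port range) are rejected.
"""
import struct
from typing import NamedTuple, Optional

VLAN_TPID = 0x8100
VLAN_ID_MAX = 4094        # VLAN ID range for VLAN ports in this manual: 0-4094


class Frame(NamedTuple):
    dst: str
    src: str
    vlan_id: Optional[int]    # None when the frame carries no 0x8100 tag
    pcp: Optional[int]        # 3-bit priority code point
    dei: Optional[int]        # drop eligible indicator
    ethertype: int            # EtherType of the payload (after the tag, if any)
    payload: bytes


def _mac(raw: bytes) -> str:
    """Format like the manual's status output: 00-00-00-00-00-00."""
    return "-".join(f"{b:02X}" for b in raw)


def parse_frame(raw: bytes) -> Frame:
    """Split an Ethernet frame into addresses, optional 802.1Q tag and payload."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    if etype == VLAN_TPID:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", raw[14:18])
        vid = tci & 0x0FFF
        if vid > VLAN_ID_MAX:          # 4095 is reserved; never a SecFlow-1p VLAN port
            raise ValueError(f"VLAN ID {vid} out of range 0-{VLAN_ID_MAX}")
        return Frame(_mac(dst), _mac(src), vid, tci >> 13, (tci >> 12) & 1, inner, raw[18:])
    # Any other TPID (e.g. 0x88A8 QinQ) is not recognised as a tag: untagged frame.
    return Frame(_mac(dst), _mac(src), None, None, None, etype, raw[14:])


def build_tagged(dst: bytes, src: bytes, vid: int, pcp: int, ethertype: int,
                 payload: bytes, tpid: int = VLAN_TPID) -> bytes:
    """Construct a tagged frame for testing; tpid may be varied to exercise the parser."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", tpid, tci, ethertype) + payload


# Constructed sample addresses (destination matches the 41-41-42-42-43-43 example MAC).
SAMPLE_DST = bytes.fromhex("414142424343")
SAMPLE_SRC = bytes.fromhex("001122334455")
```

Feeding `build_tagged(..., tpid=0x88A8)` through `parse_frame()` shows the behaviour the note describes: the frame comes back with `vlan_id` of `None` and an EtherType of 0x88A8, so a service-tagged frame would not be classified onto any VLAN port.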
Factory Defaults
By default, VLAN ports have the following configuration on creation.

Parameter  Description            Default Value
---------  ---------------------  -----------------
name       Assign a port name     no name (VLAN #)
shutdown   Administrative status  shutdown
Configuring VLAN Port Parameters
 To configure the VLAN port parameters:
1. For Ethernet port VLAN: Navigate to configure port ethernet <port-name> vlan <vlan-id> to
select the VLAN port to configure. VLAN ID can be 0-4094.
For Virtual port VLAN:
Navigate to configure port virtual <port-name> vlan <vlan-id>. VLAN ID can be 0-4094.
2. Enter all necessary commands according to the tasks listed below.

Task: Binding ACL to the port
  Command:  access-group <acl-name> in [{ipv4 | ipv6}]
            no access-group in {ipv4 | ipv6}
  Comments: Ethernet port VLAN only

Task: Clearing ACL statistics
  Command:  clear-access-list-statistics [in] [{ipv4|ipv6}]

Task: Clearing statistics
  Command:  clear-statistics

Task: Setting maximum frame size (in bytes) to transmit
  Command:  egress-mtu <68–12288>
  Comments: Frames above the specified size are fragmented or discarded.

Task: Mapping the traffic originated by a router interface to its egress port
  Command:  force-next-hop [next-hop <ip-address>]
            no force-next-hop
  Comments: Ethernet port VLAN only

Task: Configuring the VLAN port name
  Command:  name <name>
  Comments: name – 0-64 character string
            Enter no name to revert the name to its default value (VLAN #).

Task: Binding PBR rule to the port
  Command:  policy-based-route priority <priority> match-acl <name> {next-hop <ip-address> |
            interface <type, index>}
            no policy-based-route priority <priority>
  Comments: See Configuring PBR
            priority <number> – set PBR rule priority per interface; the lower the number, the
            higher the priority
            Possible values: 1–4294967295
            match-acl <name> – attach ACL to PBR rule
            Possible values: 1–80 character string
            next-hop <ip-address> – set next hop IP address to define the direction of the PBR rule
            interface <type, index> – set interface to define the direction of the PBR rule.
            Possible values:
            • ethernet <port-name>
            • ethernet <port-name> vlan <vlan-number>
            • virtual <port-number>

Task: Displaying the summary of ACLs bound to the VLAN
  Command:  show access-list summary
  Comments: Displays ACL summary at the current level
            See Viewing VLAN Port Status below.

Task: Displaying the port statistics
  Command:  show statistics
  Comments: See Viewing VLAN Port Statistics

Task: Displaying the port status
  Command:  show status
  Comments: See Viewing VLAN Port Status

Task: Administratively disabling the port
  Command:  shutdown
  Comments: Entering no shutdown enables the port.
            Note: shutdown is possible only when the port is not bound to any entity (router
            interface, bridge port, and more).
Configuration Errors
The following table lists the messages generated by the device when a configuration error is detected.

Message: Upper layer is bound to this VLAN port
  Cause: You tried performing shutdown while the port was bound to an entity.
  Corrective Action: Unbind the port from all entities and then perform shutdown.
Viewing VLAN Port Status
The following port status can be displayed for a VLAN port.
Name                  : My Port
Administrative Status : Up
Operational Status    : Up
MAC Address           : 41-41-42-42-43-43

Parameter              Description
---------------------  -----------------------------------------
Name                   Port name
Administrative Status  Possible values: Up, Down
Operational Status     Possible values: Up, Down
MAC Address            MAC address, formatted 00-00-00-00-00-00
 To display the ACL status for the VLAN:
1. Navigate to configure port ethernet <port-name> vlan <vlan-id> and enter the show access-list
summary command.
The following status information is displayed:
show access-list summary
ACL Name      Type   Bound to              Direction
-----------------------------------------------------------------------------
ip_port1_v4   IPv4   Ethernet 1 Vlan 100   In
ip_port1_v6   IPv6   Ethernet 1 Vlan 100   In
Viewing VLAN Port Statistics
The following port statistics can be displayed for a VLAN port. The counters are described in the
following table.
config>port>eth(4)>vlan(200)# show statistics
                        Running
-----------------------------------------------------------------------------
Counter                 Rx              Tx
Total Frames            3539            10
Total Octets            236594          1060
Discard Frames          -               99999

Parameter       Description
--------------  --------------------------------------------
Total Frames    Total number of frames received/transmitted
Total Octets    Total number of bytes received/transmitted
Discard Frames  Total number of discarded Tx frames
 To display the ACL statistics for the VLAN:
1. Navigate to configure port ethernet <port-name> vlan <vlan-id> and enter show access-list
statistics in [{ipv4 | ipv6}].
The following statistical information is displayed:
show access-list statistics
IPv4 access list: Listv4 (Inbound)
Bound to: Ethernet 1 Vlan 100
Matches counted for: 0 days 0 hours 5 minutes 43 seconds
Sequence Action Protocol Source        Port Destination   Port ICMP Type Code DSCP Log     Matches
-------------------------------------------------------------------------------------------------------
40       permit tcp      10.10.10.100       20.20.20.100  1024                    enable  (289317 matches)
50       permit tcp      10.10.10.100       20.20.20.100  600                     disable (288857 matches)
60       deny   tcp      10.10.10.100       20.20.20.100  400                     disable (288216 matches)

IPv6 access list: Listv6 (Inbound)
Bound to: Ethernet 1 Vlan 100
Matches counted for: 0 days 0 hours 6 minutes 6 seconds
Sequence Action Protocol Source              Port Destination         Port ICMP Type Code DSCP Log     Matches
--------------------------------------------------------------------------------------------------------------------
40       permit tcp      2005:db8:21:444::1       2006:db8:21:444::1  1024                    disable (307566 matches)
50       permit tcp      2005:db8:21:444::1       2006:db8:21:444::1  600                     disable (307162 matches)
60       deny   tcp      2005:db8:21:444::1       2006:db8:21:444::1  400                     disable (306710 matches)
4.8 WiFi
SecFlow-1p can be equipped with a WiFi modem for wireless local area networking, in addition to its
main modem.
The WiFi interface provides a single access point within the 2.4 GHz and 5 GHz frequency bands.
Applicability and Scaling
The WiFi modem is installed on SecFlow-1p devices with the WF ordering option. Devices with dual
modems cannot hold a WiFi modem.
SecFlow-1p supports up to two WiFi bands (2.4 GHz and 5 GHz) and up to six SSIDs.
Standards Compliance
Relevant sections of IEEE 802.11
Functional Description
WiFi Band Level
SecFlow-1p supports underlying dual-band WiFi interfaces:
• UHF - 2.4GHz
• SHF - 5GHz
For each WiFi band, SecFlow-1p supports the following configurations:
• Radio mode (802.11a/b/g/ng/na/ac or auto)
• Operating channel for the WiFi interface
Virtual AP Level
SecFlow-1p supports multiple virtual Access Points (vAPs), which are statically allocated to the WiFi
band. SecFlow-1p supports 2.4GHz and 5GHz bands, which cannot work simultaneously. 3 vAPs are
supported per WiFi band.
Once you configure the WiFi interface, you can bind a router interface to a vAP, in order to create a
separate subnet for each vAP (see Configuring Router Interfaces).
Note
As binding vAP to the router interface is not part of the end-user
configuration, binding commands must be included in the device configuration
file received from the NoC.
For each vAP, SecFlow-1p supports the following configurations:
• vAP SSID
• SSID broadcast (true | false)
• Security type
• Encryption type
• Authentication type
• Authentication password (stored as hash string)
• vAP max associated clients
• vAP partitioning
• vAP MAC filtering policy
SecFlow-1p supports configuration of a MAC filtering table per vAP. The table can contain at least 50 MAC
addresses. The policy of MAC filtering (allow/deny) is configured independently per vAP.
SecFlow-1p provides WiFi Protected Setup (WPS) functionality that can be applied only to a particular
vAP at any given time.
If you change the vAP during an active vAP session, the session is discarded.
Multicast to Unicast Conversion
When media is streamed, unicast is preferred to multicast, due to the following reasons:
• Multicast traffic is susceptible to packet loss, which reduces media quality.
• Unicast traffic operates at higher data rates.
SecFlow-1p supports multicast to unicast conversion of packets. It duplicates multicast streams to WiFi
clients that joined that stream, by changing the multicast MAC address of the stream frames received
over the upstream SecFlow-1p interface into the WiFi client’s unicast MAC address.
This conversion provides higher quality video transmission to a larger number of clients.
Factory Defaults
By default, WLAN ports have the following configuration on creation.

Parameter          Description                                  Default Value
-----------------  -------------------------------------------  --------------------
radio-mode         Wireless LAN interface operating radio mode  auto
channel            Wireless LAN interface operating channel     255 (auto)
Access-point parameters
shutdown           Enable vAP                                   no shutdown
ssid                                                            no ssid
broadcast-ssid     Enable SSID broadcast                        broadcast-ssid
security           vAP security method                          none
encryption         vAP encryption method                        none
authentication     vAP authentication method                    none
password           Preshared key for PSK authentication         no password
max-clients        Maximum clients allowed on vAP               8
wlan-partition     Enabling WLAN partitioning                   no wlan-partition
wps                Enabling WPS                                 no wps
mac-filter-enable  Enabling MAC filter on vAP                   no mac-filter-enable
Configuring WLAN Port Parameters
 To configure the WLAN port parameters with CLI:
1. Navigate to configure port wlan <port> to select the WLAN port to configure.
2. Perform the required tasks according to the following table.

Task: Configuring Virtual Access Point (vAP) number
  Command:  access-point <ap-number>
  Comments: ap-number – Access Point number
            Possible values:
            1-3 on 2.4GHz band (wlan1 1-3 shown as AP1, AP2, AP3)
            4-6 on 5GHz band (wlan2 1-3 shown as AP4, AP5, AP6)
            2.4 GHz and 5GHz bands cannot work simultaneously.

Commands under access-point (ap-number)

Task: Configuring Virtual Access Point authentication
  Command:  authentication <authentication>
  Comments: authentication – virtual access point authentication method
            Possible values: none, psk, radius
            Note: When security is set to none, authentication can be set to none only.

Task: Enabling/disabling SSID broadcast
  Command:  [no] broadcast-ssid

Task: Configuring Virtual Access Point encryption
  Command:  encryption <encryption>
  Comments: encryption – virtual access point encryption method
            Possible values: none, ccmp
            Note: When security is set to none, encryption can be set to none only.

Task: Mapping the traffic originated by a router interface to its egress port
  Command:  force-next-hop [next-hop <ip-address>]
            no force-next-hop

Task: Adding filtered MAC address
  Command:  [no] mac-filter [address <client-mac-address>]
  Comments: client-mac-address – EUI-48 MAC address
            Notes:
            • Command is accumulative.
            • Up to 50 MAC addresses are supported.
            • The no mac-filter address [<client-mac-address>] command deletes the specific entry.
            • The no mac-filter command clears the entire table.

Task: Enabling MAC filter on Access Point
  Command:  [no] mac-filter-enable [deny | allow]

Task: Configuring maximum clients allowed on Access Point
  Command:  max-clients <max-clients>
  Comments: max-clients – maximum clients allowed on Access Point
            Possible values: 1-8

Task: Configuring Virtual Access Point password
  Command:  password <pass-key> [hash]
            no password
  Comments: pass-key – preshared key for PSK authentication
            Possible values: character string

Task: Binding PBR rule to the port
  Command:  policy-based-route priority <priority> match-acl <name> {next-hop <ip-address> |
            interface <type, index>}
            no policy-based-route priority <priority>
  Comments: See Configuring PBR

Task: Configuring Virtual Access Point security
  Command:  security <security>
  Comments: security – virtual access point security method
            Possible values: none, wpa2

Task: Enabling/disabling access point operation
  Command:  [no] shutdown

Task: Configuring Access Point SSID
  Command:  ssid <ssid>
  Comments: SSID – Service Set Identifier; WiFi network name
            Possible values: 1-32 character string

Task: Configuring Access Point partitioning
  Command:  [no] wlan-partition

Task: Configuring WPS
  Command:  [no] wps
  Comments: WPS can only be enabled on one vAP.

Commands under wlan (<port>)

Task: Configuring WLAN interface operating channel
  Command:  channel <channel>
  Comments: channel – channel number
            Possible values: 1-196, 255 (auto)
            Note: Values 1-13 are selectable on WLAN 1 (2.4GHz) only.

Task: Configuring WLAN interface operating radio mode
  Command:  radio-mode <radio-mode>
  Comments: Possible values: 802.11b, 802.11g, 802.11a, 802.11ng, 802.11na, 802.11ac, auto
            Notes:
            • 802.11b, 802.11g, 802.11ng and auto are only selectable on 2.4GHz band (WLAN 1)
            • 802.11a, 802.11na, 802.11ac and auto are only selectable on 5GHz band (WLAN 2)
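The table above scatters the constraints a WLAN configuration must satisfy over a dozen rows (which access-point numbers belong to which band, that security none forces authentication and encryption to none, the SSID and max-clients ranges, channels 1-13 and the 2.4GHz radio modes being WLAN 1 only, the 50-entry MAC filter, WPS on a single vAP). Gathering them into one checker makes a configuration file auditable before it is pushed to a device. The code below is an added example written for this page, not RAD's code and not how the device validates input; it checks only what the table states, treats the access-point number as the global 1-6 index (an assumption, since the table also shows per-band 1-3 numbering), and its sample configuration is constructed from the two vAPs of the Examples section that follows.

```python
"""Consistency checks for a SecFlow-1p style WLAN/vAP configuration.

Added example, not RAD's code. It checks only what the WLAN table states:
access-point numbers 1-3 belong to the 2.4GHz band (wlan 1) and 4-6 to the 5GHz
band (wlan 2), security none forces authentication and encryption none, SSID
1-32 characters, max-clients 1-8, channels 1-13 only on wlan 1, radio modes per
band, at most 50 MAC-filter entries and WPS on a single vAP. Treating ap-number
as a global 1-6 index is an assumption; SAMPLE_WLAN is constructed data.
"""
from dataclasses import dataclass, field
from typing import List, Optional

BAND = {1: "2.4GHz", 2: "5GHz"}                        # wlan number -> band
AP_NUMBERS = {"2.4GHz": {1, 2, 3}, "5GHz": {4, 5, 6}}  # access-point numbers per band
RADIO_MODES = {
    "2.4GHz": {"802.11b", "802.11g", "802.11ng", "auto"},
    "5GHz": {"802.11a", "802.11na", "802.11ac", "auto"},
}
SECURITY = {"none", "wpa2"}
ENCRYPTION = {"none", "ccmp"}
AUTHENTICATION = {"none", "psk", "radius"}
MAX_MAC_FILTER = 50
AUTO_CHANNEL = 255


@dataclass
class AccessPoint:
    number: int
    ssid: str = ""
    security: str = "none"
    encryption: str = "none"
    authentication: str = "none"
    password: Optional[str] = None
    max_clients: int = 8
    wps: bool = False
    mac_filter: List[str] = field(default_factory=list)
    mac_filter_enable: Optional[str] = None   # None (off), "allow" or "deny"


@dataclass
class Wlan:
    number: int                 # 1 or 2
    radio_mode: str = "auto"
    channel: int = AUTO_CHANNEL
    access_points: List[AccessPoint] = field(default_factory=list)


def check_access_point(ap: AccessPoint) -> List[str]:
    """Return the table rules this vAP violates (empty list means consistent)."""
    who = f"AP{ap.number}: "
    errors = []
    if not 1 <= len(ap.ssid) <= 32:
        errors.append(who + "ssid must be a 1-32 character string")
    if ap.security not in SECURITY:
        errors.append(who + "security must be none or wpa2")
    if ap.encryption not in ENCRYPTION:
        errors.append(who + "encryption must be none or ccmp")
    if ap.authentication not in AUTHENTICATION:
        errors.append(who + "authentication must be none, psk or radius")
    if ap.security == "none" and (ap.authentication != "none" or ap.encryption != "none"):
        errors.append(who + "when security is none, authentication and encryption can be none only")
    if not 1 <= ap.max_clients <= 8:
        errors.append(who + "max-clients must be 1-8")
    if len(ap.mac_filter) > MAX_MAC_FILTER:
        errors.append(who + f"up to {MAX_MAC_FILTER} MAC addresses are supported")
    if ap.mac_filter_enable not in (None, "allow", "deny"):
        errors.append(who + "mac-filter-enable takes allow or deny")
    return errors


def check_wlan(wlan: Wlan) -> List[str]:
    """Check band-level settings, then every vAP, then the one-WPS-per-band rule."""
    band = BAND.get(wlan.number)
    if band is None:
        return [f"wlan {wlan.number}: only wlan 1 (2.4GHz) and wlan 2 (5GHz) exist"]
    errors = []
    if wlan.radio_mode not in RADIO_MODES[band]:
        errors.append(f"wlan {wlan.number}: radio-mode {wlan.radio_mode} is not selectable on the {band} band")
    if not (1 <= wlan.channel <= 196 or wlan.channel == AUTO_CHANNEL):
        errors.append(f"wlan {wlan.number}: channel must be 1-196 or 255 (auto)")
    elif band == "5GHz" and 1 <= wlan.channel <= 13:
        errors.append(f"wlan {wlan.number}: channels 1-13 are selectable on WLAN 1 (2.4GHz) only")
    for ap in wlan.access_points:
        if ap.number not in AP_NUMBERS[band]:
            errors.append(f"AP{ap.number}: not an access-point number of the {band} band")
        errors.extend(check_access_point(ap))
    if sum(1 for ap in wlan.access_points if ap.wps) > 1:
        errors.append(f"wlan {wlan.number}: WPS can only be enabled on one vAP")
    return errors


# Constructed sample mirroring the two vAPs of the configuration example below
# (the password hash is a placeholder, not the value from the example).
SAMPLE_WLAN = Wlan(1, "auto", 255, [
    AccessPoint(1, "QA-PCPE-260-Pass", "wpa2", "ccmp", "psk", password="<hash-placeholder>"),
    AccessPoint(2, "QA-PCPE-260-No-Pass", "none", "none", "none"),
])
```

A reviewer's eye should go to the second sample vAP: `security none` is a legal configuration per the table, and the checker accepts it, but it is an open network, so the checker's output should be read alongside a policy decision about whether any vAP may run without WPA2.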
Examples
echo "Wlan - Port Configuration"
#
Wlan - Port Configuration
wlan 1
  radio-mode auto
  channel 255
  access-point 1
    ssid "QA-PCPE-260-Pass"
    broadcast-ssid
    password "2419756A246CC8BB07943FA7C3A163EC" hash
    security wpa2
    encryption ccmp
    authentication psk
    max-clients 8
    no wlan-partition
    no wps
    no mac-filter-enable
    no shutdown
  exit
  access-point 2
    ssid "QA-PCPE-260-No-Pass"
    broadcast-ssid
    no password
    security none
    encryption none
    authentication none
    max-clients 8
    no wlan-partition
    no wps
    no mac-filter-enable
    no shutdown
  exit
Testing WiFi
When the WiFi access point is configured, client cellular devices can discover the network name (ssid) in
the list of available networks, if the name is allowed for advertising (broadcast ssid value is set to yes).
5 Management and Security
This chapter describes the following:
• Access Control List (ACL)
• Management access methods
• Management and configuration options
• Management-related features
Usually, initial configuration of the management parameters is performed via an ASCII terminal. Once a
router interface has been configured, it is possible to access SecFlow-1p via NETCONF or SNMP for
operation configuration. For details on configuring the router, refer to Router.
The following table summarizes management options for SecFlow-1p.

Port      Manager Location  Transport Method  Management Protocol  Application
--------  ----------------  ----------------  -------------------  --------------------------------------
Ethernet  Local, remote     Inband            SSH                  Terminal emulation application (refer
FE/GbE                                                             to Working with SSH)
                                              SNMP                 Third-party NMS

Note
By default, the terminal and SNMP management access methods are enabled.
See the following section for details on enabling/disabling a particular
method.
5.1 Access Control List (ACL)
SecFlow-1p supports Access Control Lists (ACLs) to flexibly filter incoming and outgoing IPv4 and IPv6
traffic.
Applicability and Scaling
This feature is applicable to all versions of SecFlow-1p.
The number of rules an ACL can contain is limited by the hardware device.
Standards Compliance
RFC 1812 - Requirements for IP Version 4 Routers
Benefits
Service providers use ACLs to maintain network security by preventing malicious traffic from entering
the device. ACLs can be used to save network resources by dropping unwanted packets.
Functional Description
Devices featuring ACLs can flexibly filter management and user traffic, by denying or permitting IP
packets to enter the host, according to the packet’s source/destination address, protocol type, or other
criteria.
ACL entries are sequentially numbered rules containing statements (Deny, Permit, or Remark) and
conditions. Statements in the access list are sorted and checked in ascending order of the statements’
sequence numbers. Remarks are free-text ACL entries used for commenting and visually organizing
ACLs.
Packets are permitted or denied access, based on the following mandatory conditions:
• protocol (IP, TCP, UDP, and ICMP)
• source IP address
• destination IP address
The following parameters are optional:
• source port, if the protocol is TCP or UDP
• destination port, if the protocol is TCP or UDP
• DSCP value
• sequence number
• ICMP type and code, if the protocol is ICMP
• IP protocol number, if the protocol is IP
The ACL structure is illustrated in the Management-Level Tasks section.
If there is a need to add a rule between already existing rules with consecutive numbers, the rules can
be interspaced to accommodate additional rules between them. For example, if you apply resequencing
to an ACL including rules 1, 2, and 3, with an interspacing value of 30, the rule numbers change to 30, 60
and 90. Sequence numbers can also be set at the rule level.
ACLs are referred to by name; names must be unique, even across ACLs of different IP versions. To be
active, an ACL has to be bound to an entity, which can be a physical or logical port. The ACL can filter
incoming or outgoing traffic. One IPv4 and one IPv6 ACL may be bound to an entity in each direction.
Binding Access Control Lists
Once created, ACLs are applied (bound) to an entity, which could be physical or logical port. The ACL can
filter incoming or outgoing traffic. One IPv4 and one IPv6 may be bound to an entity in each direction.
If an entity bound to an ACL is deleted, all associated ACLs are automatically detached.
Multiple access lists can be configured; however, only one IPv4 ACL can be attached per management
entity (and it must be in the incoming direction) or port. An additional IPv6 ACL may coexist with one
IPv4 access list on the same interface / management entity.
Filtering
Packets attempting to enter an entity to which the ACL is bound are checked against the access list rules,
one by one. Access of matching packets is denied (packets are dropped) or permitted (packets are
forwarded), as directed by the ACL statement. ACL has three types of rules:
Remark
Free-text comment used as a bookmark in an ACL for better arrangement
Deny
ACL rule specifying fields to match. Matching packet is dropped if it was not permitted by a
previous rule.
Permit
ACL rule specifying fields to match. Matching packet is permitted if it was not denied by a
previous rule.
Fields to match are IP addresses, upper-layer protocols, ports, and other IP packet fields. After a match,
the rest of the rules are ignored. Packets not matching any rule are dropped. Empty ACLs deny access of
all packets matched to them.
If a packet is denied, SecFlow-1p sends an ICMP Destination Unreachable message. To protect the
network from a bandwidth exhaustion attack, the rate of unreachable messages is limited for all denied
packets.
When a rule match occurs, an entry is added to the event log if logging is enabled. To prevent log
overflow, it is possible to disable logging (per rule or device) or define the minimal logging interval of
packets matching ACL entries (per device).
Note
By default, logging is disabled. If you choose to enable it, the default logging
interval is five minutes.
Two packets matching the same rule on the same entity in the same direction are logged only if the time
between them exceeds the logging interval.
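The Filtering, logging and Statistics paragraphs above together define the whole evaluation model: ordered first-match semantics with an implied final deny, remarks that never match, replacement of a statement that reuses a sequence number, resequencing by an interspacing value, per-rule match counters, and a logging interval that suppresses repeat log entries for the same rule. The following is an added example written for this page, not RAD's code; the `AccessList`, `Rule` and `Packet` names are constructed for illustration, the packets are constructed sample traffic, and `build_management_acl()` reproduces the three-rule management ACL of the Examples section of this chapter.

```python
"""ACL evaluation as described in the Filtering, logging and Statistics text above.

Added example, not RAD's code. Rules are checked in ascending sequence order,
the first matching permit/deny decides, remarks are skipped, a packet matching
no rule is dropped (the implied final deny), an empty ACL denies everything,
adding a rule with an existing sequence number replaces the old statement,
resequencing respaces rules by an interspacing value, per-rule match counters
are kept, and a match is logged only when the previous logged match of the same
rule is older than the logging interval (default five minutes). Packets and
addresses are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_LOG_INTERVAL = 5 * 60   # seconds; "the default logging interval is five minutes"


@dataclass
class Rule:
    sequence: int
    action: str                     # "permit", "deny" or "remark"
    protocol: str = "ip"            # ip (any IP protocol), tcp, udp or icmp
    src: str = "any"                # "any" or address[/prefix-length]
    dst: str = "any"
    src_port: Optional[int] = None  # None = any
    dst_port: Optional[int] = None
    log: bool = False
    text: str = ""                  # remark text
    matches: int = 0                # statistics counter, cleared on reboot/clear
    last_logged: Optional[float] = None


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def address_matches(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise the packet address must fall in the rule's
    network (a bare address is a /32 or /128). Mixed IP versions never match."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


class AccessList:
    def __init__(self, name: str, log_interval: float = DEFAULT_LOG_INTERVAL):
        self.name = name
        self.rules: Dict[int, Rule] = {}
        self.log_interval = log_interval
        self.event_log: List[Tuple[float, int]] = []   # (time, rule sequence)

    def next_sequence(self) -> int:
        """Factory default: highest sequence number in use plus 10."""
        return max(self.rules, default=0) + 10

    def add(self, rule: Rule) -> None:
        """A statement with an existing sequence number replaces the old one."""
        self.rules[rule.sequence] = rule

    def resequence(self, step: int) -> None:
        """'resequence access-list <name> <step>': rules 1, 2, 3 with step 30 become 30, 60, 90."""
        ordered = sorted(self.rules.values(), key=lambda r: r.sequence)
        self.rules = {}
        for i, rule in enumerate(ordered, start=1):
            rule.sequence = i * step
            self.rules[rule.sequence] = rule

    @staticmethod
    def rule_matches(rule: Rule, pkt: Packet) -> bool:
        if rule.action == "remark":
            return False
        if rule.protocol != "ip" and rule.protocol != pkt.protocol:
            return False
        if not (address_matches(rule.src, pkt.src) and address_matches(rule.dst, pkt.dst)):
            return False
        if rule.src_port is not None and rule.src_port != pkt.src_port:
            return False
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            return False
        return True

    def evaluate(self, pkt: Packet, now: float = 0.0) -> str:
        """Return 'permit' or 'deny'; count the match and log it subject to the interval."""
        for rule in sorted(self.rules.values(), key=lambda r: r.sequence):
            if self.rule_matches(rule, pkt):
                rule.matches += 1
                if rule.log and (rule.last_logged is None
                                 or now - rule.last_logged >= self.log_interval):
                    self.event_log.append((now, rule.sequence))
                    rule.last_logged = now
                return rule.action
        return "deny"   # implied last rule: packets matching nothing are dropped


def build_management_acl() -> AccessList:
    """The management ACL from the Examples section of this chapter, with the final
    deny rule logging its matches (Log = Yes in the summary table there)."""
    acl = AccessList("mng")
    acl.add(Rule(acl.next_sequence(), "remark", text="Allow incoming SSH traffic"))
    acl.add(Rule(acl.next_sequence(), "permit", "tcp", "any", "any", dst_port=22))
    acl.add(Rule(acl.next_sequence(), "remark", text="Allow SNMP traffic coming from 192.168.1.0 subnet"))
    acl.add(Rule(acl.next_sequence(), "permit", "udp", "192.168.1.0/24", "any", dst_port=161))
    acl.add(Rule(acl.next_sequence(), "remark", text="Deny incoming SNMP traffic"))
    acl.add(Rule(acl.next_sequence(), "deny", "udp", "any", "any", dst_port=161, log=True))
    return acl
```

Two behaviours are worth observing with this model. First, the implied final deny is invisible to statistics: an ICMP packet that matches nothing in `build_management_acl()` is dropped, but no rule's `matches` counter moves, which is exactly why the Viewing ACL Statistics note below recommends an explicit `deny ip any any` at the end when those drops need counting. Second, the logging interval means that a burst of denied SNMP probes produces one log entry per five minutes per rule, so the event log is a presence indicator, not a count; the counters are the count.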
Statistics
The device collects ACL statistics per router, SecFlow-1p and management entity. The statistic counters
include the number of rule matches that occurred since the counters were last cleared. The statistic
counters are cleared upon device reboot. The user may also clear ACL statistics of any entity.
Factory Defaults
Parameter defaults are alphabetically listed in the tables below.

Topic             Parameter               Default Value
----------------  ----------------------  --------------------------------------------------
Access List       access-list type        ipv4
All ACL Rules     ACL statement sequence  Highest number in use in the ACL plus 10
Deny/Permit Rule  dst-port-range          All values are filtered.
                  sequence-number         The last sequence number in use increased by ten.
                  src-port-range          All values are filtered.
Configuring ACL
The ACL configuration tasks are performed at the access control and management levels.
 To configure ACL:
1. Create an access control list.
2. Add deny and permit rules to the ACL.
3. Bind the ACL to a management entity (See Configuring Ethernet Port Parameters for binding an
Ethernet port or Configuring VLAN Port Parameters for binding a VLAN port).
Access-Control-Level Tasks
The following commands are available in the CLI access-control context: config>access-control#. The
exception to this are the deny, permit, and remark commands, which are performed in the access-list
(acl_name) context: configure>access-control>access-list (acl_name)#.

Task: Creating and deleting an ACL
  Command:  access-list [{ipv4 | ipv6}] <acl_name>
            no access-list <acl_name>
  Comments: You create an ACL by assigning a name and specifying the ACL IP type. The ACL names
            must be unique.
            The ACL name contains up to 80 alphanumeric characters.

access-list level commands (delete, deny, permit, remark)

Task: Removing rules from an ACL
  Command:  delete <sequence-number>
  Comments: Possible values for sequence-number: 1–2147483648.

Task: Adding deny rules to an ACL
  Command:  deny {tcp|udp} {any|<src-address>[/<src-prefix-length>]} [<src-port-range>]
            {any|<dst-address>[/<dst-prefix-length>]} [<dst-port-range>] [dscp <dscp-value>] [log]
            [sequence <sequence-number>]
            deny icmp {any|<src-address>[/<src-prefix-length>]} {any|<dst-address>[/<dst-prefix-length>]}
            [icmp-type <icmp-type-number> [icmp-code <icmp-code-number>]] [dscp <dscp-value>] [log]
            [sequence <sequence-number>]
            deny ip [protocol <ip-protocol-number>] {any|<src-address>[/<src-prefix-length>]}
            {any|<dst-address>[/<dst-prefix-length>]} [log] [sequence <sequence-number>]
  Comments: Possible values for sequence: 1–2147483648
            log enables logging match events of the rule into the event log and sending SNMP traps.
            Note: If the ACL already has a statement with the same sequence number, the old
            statement is replaced with the new one.

Task: Adding permit rules to an ACL
  Command:  permit {tcp | udp} <src-address> [<src-port-range>] <dst-address> [<dst-port-range>]
            [log] [sequence <sequence-number>]
            permit icmp {any | <src-address> [/<src-prefix-length>]} {any | <dst-address>
            [/<dst-prefix-length>]} [icmp-type <icmp-type-number> [icmp-code <icmp-code-number>]]
            [dscp <dscp-value>] [log] [sequence <sequence-number>]
            permit ip [protocol <ip-protocol-number>] {any | <src-address> [/<src-prefix-length>]}
            {any | <dst-address> [/<dst-prefix-length>]} [log] [sequence <sequence-number>]
  Comments: Possible values for sequence: 1–2147483648.
            Note: If the ACL already has a statement with the same sequence number, the old
            statement is replaced with the new one.

Task: Adding remarks to an ACL
  Command:  remark <description> [sequence <sequence-number>]
  Comments: The description contains up to 255 characters.

Task: Resequencing the rules in an ACL
  Command:  resequence access-list <acl-name> [<number>]
  Comments: number – difference between consecutive ACL rule numbers
            Possible values for number: 1–100000

Task: Setting the logging interval of all ACLs
  Command:  logging access-list <interval>
            no logging access-list
  Comments: Enable logging at the maximum rate of the value set at Access Control level. <0> is
            equivalent to the no logging access-list command.
            no logging access-list disables event logging for all rules in the ACL.
Management-Level Tasks
The following commands are available in the CLI management context:
configure>management>access#.

Task: Binding the ACL to a management entity and defining the ACL direction
  Command:  access-group <acl-name>
            no access-group {in} {ipv4 | ipv6}
  Comments: When binding the ACL to the management entity, or when adding/editing rules in an ACL
            that is bound to the management entity, the rules must conform to the following
            limitations:
            • The protocol rules must be of TCP/UDP type.
            • The destination address must be set to any.
            • The source port must be set to any.
            • The destination port must be tcp/830 (NETCONF), tcp/22 (SSH), udp/161 (SNMP), or any.
            • DSCP, IP precedence, and P-bit cannot be used.

Task: Clearing ACL statistics
  Command:  clear-statistics {ipv4|ipv6}

Task: Displaying ACL statistics
  Command:  show statistics {ipv4|ipv6}
  Comments: See Management Statistics below.

Task: Displaying the summary of ACLs bound to a management entity
  Command:  show access-list summary
  Comments: Displays ACL status at the current level
Examples
 To create a management ACL:
The example below illustrates a typical ACL applied to the incoming management traffic:
• Allows SSH (TCP port 22) traffic from any source
• Denies incoming SNMP (UDP port 161) connections from any source, except for the 192.168.1.0
  subnet
access-control>access-list(mng)#
remark Allow incoming SSH traffic
permit tcp any any 22
remark Allow SNMP traffic coming from 192.168.1.0 subnet
permit udp 192.168.1.0/24 any 161
remark Deny incoming SNMP traffic
deny udp any any 161
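Because the device refuses a management binding whose rules violate the limitations listed under Management-Level Tasks, it is useful to check candidate statements before typing them in. The following checker is an added example written for this page, not RAD's code and not the device's parser; it parses statements in the CLI form used in the example above and reports which of the five listed limitations each rule would break if the ACL were bound to the management entity. Treating a token made of digits (or a digits-digits range) as a port and anything else as an address is a parsing heuristic assumed here; the sample lines are the three rules and three remarks of the example above.

```python
"""Check ACL statements against the management-binding limitations listed above.

Added example, not RAD's code. It parses statements of the form
  {permit|deny} <protocol> <src> [<src-port>] <dst> [<dst-port>] [dscp <v>] [log] [sequence <n>]
plus remark lines, and reports which limitations a rule breaks when the ACL is
bound to the management entity: TCP/UDP only, destination address any, source
port any, destination port tcp/830, tcp/22, udp/161 or any, and no DSCP.
Recognising port tokens as digits or digit ranges is an assumption.
"""
import re
from typing import Dict, List, Optional

ALLOWED_MANAGEMENT_PORTS = {("tcp", 830), ("tcp", 22), ("udp", 161)}   # NETCONF, SSH, SNMP
_PORT_TOKEN = re.compile(r"^\d+(-\d+)?$")


def parse_statement(line: str) -> Optional[dict]:
    """Turn one ACL statement into a dict; remarks and blank lines return None."""
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return None
    if len(tokens) < 3 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an ACL rule: {line!r}")
    rule = {"action": tokens[0], "protocol": tokens[1], "src": None, "src_port": None,
            "dst": None, "dst_port": None, "dscp": None, "log": False, "sequence": None}
    positional: List[str] = []
    rest = tokens[2:]
    i = 0
    while i < len(rest):          # pull out keyword options, keep addresses/ports in order
        tok = rest[i]
        if tok == "log":
            rule["log"] = True
            i += 1
        elif tok in ("dscp", "sequence"):
            if i + 1 >= len(rest):
                raise ValueError(f"{tok} needs a value in {line!r}")
            rule[tok] = int(rest[i + 1])
            i += 2
        else:
            positional.append(tok)
            i += 1
    # positional layout: <src> [<src-port>] <dst> [<dst-port>]
    if not positional:
        raise ValueError(f"missing source address in {line!r}")
    rule["src"] = positional.pop(0)
    if positional and _PORT_TOKEN.match(positional[0]):
        rule["src_port"] = positional.pop(0)
    if positional:
        rule["dst"] = positional.pop(0)
    if positional and _PORT_TOKEN.match(positional[0]):
        rule["dst_port"] = positional.pop(0)
    if positional:
        raise ValueError(f"unexpected tokens {positional} in {line!r}")
    return rule


def management_violations(line: str) -> List[str]:
    """Limitations (in the manual's wording) that this statement would break on a
    management binding; an empty list means the rule is acceptable there."""
    rule = parse_statement(line)
    if rule is None:
        return []
    problems = []
    if rule["protocol"] not in ("tcp", "udp"):
        problems.append("Only TCP or UDP rules can be in management ACL")
    if rule["dst"] != "any":
        problems.append("The destination address must be set to any")
    if rule["src_port"] is not None:
        problems.append("The source port must be set to any")
    port = rule["dst_port"]
    if port is not None:
        if not port.isdigit() or (rule["protocol"], int(port)) not in ALLOWED_MANAGEMENT_PORTS:
            problems.append("The destination port must be tcp/830 (NETCONF), tcp/22 (SSH), "
                            "udp/161 (SNMP), or any")
    if rule["dscp"] is not None:
        problems.append("DSCP cannot be used")
    return problems


def check_acl(lines: List[str]) -> Dict[str, List[str]]:
    """Map every permit/deny statement to its list of violations."""
    return {line: management_violations(line) for line in lines
            if line.split() and line.split()[0] != "remark"}


# The management ACL from the example above (constructed copy of its six lines).
EXAMPLE_ACL = [
    "remark Allow incoming SSH traffic",
    "permit tcp any any 22",
    "remark Allow SNMP traffic coming from 192.168.1.0 subnet",
    "permit udp 192.168.1.0/24 any 161",
    "remark Deny incoming SNMP traffic",
    "deny udp any any 161",
]
```

Running `check_acl(EXAMPLE_ACL)` returns an empty violation list for all three rules, which is consistent with the example being bindable to management: the source address restriction `192.168.1.0/24` is allowed, since the limitations constrain only the destination address and the ports.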
The table below summarizes the rules configured for the ACL. Items in red are either implied or
unavailable for the current parameter or serve as system settings that cannot be changed. The deny rule
appearing in the bottom row is a system rule that is used to deny all non-compliant data.

Sequence Number  Action  Protocol  Source IP       TCP/UDP Source Port  Dest. IP  TCP/UDP Dest. Port  Log
---------------  ------  --------  --------------  -------------------  --------  ------------------  ---
10               Permit  TCP       Any             Any                  Any       22                  No
20               Permit  UDP       192.168.1.0/24  Any                  Any       161                 No
30               Deny    UDP       Any             Any                  Any       161                 Yes
Configuration Errors
The following table lists the messages generated by SecFlow-1p when a configuration error is detected.

Message: Maximum number of rules exceeded
  Cause: You tried to add more rules than the device can support.
  Corrective Action: Delete unnecessary rules and add a new rule once again.

Message: Only TCP, UDP or IP rules can be in traffic
  Cause: The ACL is bound to an entity and the ICMP protocol is used.
  Corrective Action: Choose TCP, UDP or IP protocols.

Message: Only TCP or UDP rules can be in management ACL
  Cause: The ACL is bound to management and a protocol other than TCP or UDP is used.
  Corrective Action: Choose TCP or UDP protocol.

Message: Sequence number is out of range
  Cause: The specified or calculated sequence number is out of the allowed range.
  Corrective Action: Change the number.

Message: No such access-list
  Cause: A non-existing ACL cannot be bound to the entity.
  Corrective Action: Check if the ACL name is correct.
Viewing ACL Status
The ACL status displays information on the ACL name, type (IPv4 or IPv6), direction, and the entity that
the ACL is bound to at the respective level.
To display the ACL status (management):
• At the config>mngmnt>access# prompt, enter show access-list summary.
The following status information is displayed:
ACL Name    Type    Bound to    Direction
---------------------------------------------------------------
4v          IPv4    mng         In
Viewing ACL Statistics
The ACL statistic counters gather information, per router, router interface or for management, on the
number of rule matches registered on the ACL since the last reboot or counter clearing.
Note
All ACLs have an implied last rule that denies all packets. The device does not
provide statistic counters for this rule. If you intend to collect statistics on the
number of packets discarded by the default ACL mechanism, you must add the
deny ip any any rule at the end of the ACL.
Management Statistics
To display the ACL statistics (management):
1. At the config>mngmnt>access# prompt, enter show statistics ipv4 access-list (for IPv4) or show statistics ipv6 access-list (for IPv6).
The following statistic information is displayed:
IPv4 access list: 4v (in)
Bound to: Management
Matches counted for: 0 days 0 hours 2 minutes 33 seconds
--------------------------------------------------------------
10 permit tcp 172.17.154.154/24 any 22 (0 matches)
20 permit tcp 172.17.154.154/24 any 830 (0 matches)
30 permit udp 172.17.154.154/24 any 161 (0 matches)
To delete ACL statistics (management):
• At the config>mngmnt>access# prompt, enter clear-statistics.
The statistics counters are cleared.
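The following is an added example, written for this page and not code from RAD or the SecFlow-1p firmware. It models how the management ACL from the example above is evaluated: rules are tried in sequence-number order, the first match decides and is counted, and the implied last rule drops everything else without a counter, which is why the note above tells you to add deny ip any any if you want to see the drop count. It also checks a rule against the management-ACL limitations listed earlier. The rule syntax is the manual's CLI form (<action> <protocol> <source> <destination> [<dest-port>]); the Rule class, the parse_rule/validate_management_rule helpers and the Acl class are this example's own names, and the packets fed to it are constructed.

```python
"""Model of SecFlow-1p-style management ACL evaluation (added example, not RAD code)."""
import ipaddress
from dataclasses import dataclass

# Destination ports a management ACL may name (from the limitations list above).
MGMT_ALLOWED_PORTS = {"tcp": {"830", "22"}, "udp": {"161"}}


@dataclass
class Rule:
    seq: int
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp" or "ip"
    src: str           # "any" or an IPv4 prefix such as 192.168.1.0/24
    dst: str           # "any" or an IPv4 prefix
    dst_port: str      # "any" or a port number (kept as a string)
    matches: int = 0   # per-rule statistics counter, as in 'show statistics'


def parse_rule(seq: int, line: str) -> Rule:
    """Parse e.g. 'permit udp 192.168.1.0/24 any 161'; a missing port means 'any'."""
    parts = line.split()
    if len(parts) < 4 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"unparsable rule: {line!r}")
    action, proto, src, dst = parts[:4]
    dst_port = parts[4] if len(parts) > 4 else "any"
    return Rule(seq, action, proto, src, dst, dst_port)


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def validate_management_rule(rule: Rule) -> list:
    """Return the limitation violations for a rule bound to the management entity."""
    problems = []
    if rule.proto not in MGMT_ALLOWED_PORTS:
        problems.append("Only TCP or UDP rules can be in management ACL")
    if rule.dst != "any":
        problems.append("destination address must be any")
    if (rule.proto in MGMT_ALLOWED_PORTS and rule.dst_port != "any"
            and rule.dst_port not in MGMT_ALLOWED_PORTS[rule.proto]):
        problems.append("destination port must be tcp/830, tcp/22, udp/161 or any")
    return problems


class Acl:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.seq)
        self.implied_denies = 0   # dropped by the implied last rule; the CLI has no counter for it

    def evaluate(self, proto: str, src: str, dst: str, dst_port: int) -> str:
        """Return 'permit' or 'deny' for one packet; the first matching rule wins."""
        for r in self.rules:
            if r.proto != "ip" and r.proto != proto:
                continue
            if not (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)):
                continue
            if r.dst_port != "any" and r.dst_port != str(dst_port):
                continue
            r.matches += 1
            return r.action
        self.implied_denies += 1          # counted here only so the demo can show the gap
        return "deny"

    def statistics(self) -> dict:
        """Counters keyed by sequence number, as 'show statistics' would report them."""
        return {r.seq: r.matches for r in self.rules}


# The management ACL from the example above, built from its CLI lines.
MNG_ACL = Acl([
    parse_rule(10, "permit tcp any any 22"),
    parse_rule(20, "permit udp 192.168.1.0/24 any 161"),
    parse_rule(30, "deny udp any any 161"),
])

if __name__ == "__main__":
    # Constructed packets (protocol, source, destination, destination port).
    print(MNG_ACL.evaluate("tcp", "10.1.1.1", "10.0.0.1", 22))       # permit (rule 10)
    print(MNG_ACL.evaluate("udp", "192.168.1.7", "10.0.0.1", 161))   # permit (rule 20)
    print(MNG_ACL.evaluate("udp", "10.1.1.1", "10.0.0.1", 161))      # deny (rule 30)
    print(MNG_ACL.evaluate("tcp", "10.1.1.1", "10.0.0.1", 830))      # deny (implied rule)
    print(MNG_ACL.statistics(), MNG_ACL.implied_denies)              # {10: 1, 20: 1, 30: 1} 1
```

The last packet (NETCONF on tcp/830) is dropped by the implied rule, so it never shows up in the per-rule counters; appending deny ip any any as the highest sequence number turns that drop into a counted match, which is the behaviour the note above describes.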
5.2 Authentication via RADIUS Server
RADIUS (Remote Authentication Dial-In User Service) is an AAA (authentication, authorization, and accounting) client/server protocol that secures networks against unauthorized access. RADIUS is used to authenticate users and authorize their access to the requested system or service. The RADIUS client communicates with the RADIUS server using a defined authentication sequence.
Note
SecFlow-1p supports RADIUS client functionality; it cannot function as a RADIUS server.
Applicability and Scaling
This feature is applicable to all the device versions.
SecFlow-1p doesn’t support RADIUS accounting.
Standards Compliance
RFC 2865, Remote Authentication Dial In User Service (RADIUS)
RFC 2618, RADIUS Authentication Client MIB
Benefits
The RADIUS protocol allows centralized authentication and access control, avoiding the need to
maintain a local user database on each device in the network.
Due to its generic nature, service providers and enterprises use the RADIUS protocol to easily manage
access to the Internet, internal networks, wireless networks, and integrated email services. These
networks may incorporate DSL, access points, VPNs, network ports, and more.
Functional Description
RADIUS servers have built-in mapping of users to service-types. Note that each user has the rights of all
users above it. All users have default password 1234. It is highly recommended to change the default
password when setting up your device. (Refer to Working with SSH on how to change a password.)
RADIUS Service-Types
Name | Prompt | RADIUS Service-Type (User Access Level)
user | device-name% | 1 (login)
tech | device-name% | 7 (NAS prompt)
oper | device-name# | 8 (authenticate only)
su | device-name# | 6 (administrative)
When a user attempts to log in to SecFlow-1p, the following occurs:
1. The user is prompted to enter their username and password.
2. The RADIUS client submits an authentication request to the RADIUS server. The username and the encrypted password are transmitted over the network. (The password is protected by a hash code generated over the entered password and a previously defined shared secret, a free-text string known to both the RADIUS server and SecFlow-1p.)
3. The RADIUS server verifies the user information against a database stored at the RADIUS server, and sends one of the following responses:
   • Access Rejected – The user is not authenticated and access to all resources is denied. The user is prompted to reenter their username and password.
   • Access Accepted – The user is authenticated. Access to the requested network resources is granted. The RADIUS service-type is sent, indicating what services the user can access.
[Figure: RADIUS authentication flow. A management workstation sends a logon request to the vCPE operating system over the network; the RADIUS client verifies credentials and privileges via the RADIUS server database (using the shared secret); the RADIUS server returns Access Accepted or Denied, and the user is logged on to vCPE-OS or an authentication error is returned.]
Factory Defaults
By default, no RADIUS servers are defined. When the RADIUS server is first defined, it is configured as shown below.
Parameter | Description | Default Value
address | IP address of server | 0.0.0.0
key | Key | " " hash
retry | Max number of authentication attempts | 3
timeout | Time interval between two authentication attempts | 3 seconds
auth-port | UDP port used for authentication | 1812
Configuring RADIUS Server Parameters
SecFlow-1p provides connectivity to up to four RADIUS authentication servers. You have to specify
access parameters such as Radius server ID, associated server IP addresses, the number of allowed
authentication request attempts, etc.
To define RADIUS server parameters:
1. At the config>mngmnt>radius# prompt, type server <server-id> to specify which server to configure. server-id can be 1-4.
The config>mngmnt>radius>server(<server-id>)# prompt is displayed.
2. Enter the necessary commands according to the tasks listed below.
Task | Command | Comments
Assigning an IP address to the RADIUS server | address <ip-address> | A valid unicast IP address
Defining the UDP port to be used for authentication | auth-port <udp-port-number> | Possible values: 1–65535
Defining a non-disclosed string (shared secret) used to encrypt the user password | key <string> | The shared secret is a secret key consisting of free text (1-79 characters) known to the client and the server for encryption.
Defining the number of authentication request attempts | retry <number-of-retries> | Possible values: 0–10
Defining timeout (in seconds) for response from RADIUS server | timeout <seconds> | Possible values: 1–5
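The exchange described in the login sequence above, as an added example that is not RAD code: a minimal RFC 2865 Access-Request/Access-Accept round trip showing how the shared secret (the key parameter) hides the password on the wire and how the client validates the server's reply. The service-type values are the ones in the table above; the shared secret, the user database and the function names (hide_password, build_access_request, server_handle, client_verify) are constructed for this demonstration. Only the password-hiding and authenticator mechanics of RFC 2865 are shown; retries, timeouts and the four-server selection are left out.

```python
"""RFC 2865 Access-Request / Access-Accept in miniature (added example, not RAD code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6

# RADIUS Service-Type returned per user level (table above).
SERVICE_TYPE_OF_LEVEL = {"user": 1, "tech": 7, "oper": 8, "su": 6}


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block);
    the first 'previous block' is the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as performed by the server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    return bytes([kind, 2 + len(value)]) + value


def parse_attributes(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")   # what 'Malformed Response' counts
        attrs.append((data[i], data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, secret, request_auth=None):
    """Client side: Code=1, Identifier, Length, Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = attribute(USER_NAME, username.encode()) + \
        attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(request, secret, users):
    """Server side: check the password, answer Accept (with Service-Type) or Reject."""
    ident, request_auth = request[1], request[4:20]
    fields = dict(parse_attributes(request[20:]))
    name = fields.get(USER_NAME, b"").decode()
    given = unhide_password(fields.get(USER_PASSWORD, b""), secret, request_auth)
    entry = users.get(name)
    if entry and hmac.compare_digest(given, entry["password"]):
        code = ACCESS_ACCEPT
        attrs = attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_OF_LEVEL[entry["level"]]))
    else:
        code, attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def client_verify(response, request, secret):
    """Client side: drop replies with a wrong Identifier or Response Authenticator
    (the latter is what the 'Bad Authenticators' counter below records)."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def service_type(response):
    for kind, value in parse_attributes(response[20:]):
        if kind == SERVICE_TYPE:
            return struct.unpack("!I", value)[0]
    return None


# Constructed demo data: shared secret and user database (not real credentials).
DEMO_SECRET = b"demo-shared-secret"
DEMO_USERS = {"alice": {"password": b"alice-pw", "level": "oper"}}

if __name__ == "__main__":
    req = build_access_request(7, "alice", "alice-pw", DEMO_SECRET)
    resp = server_handle(req, DEMO_SECRET, DEMO_USERS)
    print(resp[0] == ACCESS_ACCEPT, client_verify(resp, req, DEMO_SECRET), service_type(resp))
```

Two points worth noticing from the code: a mismatched key on either side does not produce an error message, it simply makes the server decode a wrong password (Access Reject) or makes the client discard the reply (Bad Authenticators), which is why those two counters are the first place to look when a freshly configured server never accepts anyone; and the password hiding depends entirely on the secret and the per-request authenticator, so the key length guidance above (free text, up to 79 characters) is the only protection the transport offers.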
Viewing RADIUS Statistics
To display RADIUS statistics:
• At the config>mngmnt>radius# prompt, enter show statistics.
RADIUS statistics appear as shown below.
config>mngmnt>radius# show statistics
                       Server1  Server2  Server3  Server4
-------------------------------------------------------------------------
Access Requests      : 0        0        0        0
Access Retransmits   : 0        0        0        0
Access Accepts       : 0        0        0        0
Access Rejects       : 0        0        0        0
Access Challenges    : 0        0        0        0
Malformed Response   : 0        0        0        0
Bad Authenticators   : 0        0        0        0
Pending Requests     : 0        0        0        0
Timeouts             : 0        0        0        0
Unknown Types        : 0        0        0        0
Packets Dropped      : 0        0        0        0
Counter Discontinuity: 0        0        0        0
Counter | Description
Access Requests | Number of Access-Requests packets sent to RADIUS server
Access Retransmits | The number of RADIUS Access-Request packets retransmitted to RADIUS server
Access Accepts | Number of Access-Accept packets sent to RADIUS server
Access Rejects | Number of Access-Reject packets received from the RADIUS server
Access Challenges | Number of Access-Challenge packets sent to RADIUS server
Malformed Response | Number of malformed Access-Requests packets received
Bad Authenticators | Number of Access-Requests packets with invalid Signature attributes received
Pending Requests | The number of RADIUS Access-Request packets destined for this server that have not yet timed out or received a response. This counter is incremented when an Access-Request is sent and decremented due to receipt of an Access-Accept, Access-Reject or Access-Challenge, a timeout or retransmission.
Timeouts | Number of times a server did not respond, and the RADIUS server re-sent the packet
Unknown Types | Number of RADIUS packets of unknown type which were received
Packets Dropped | Number of incoming packets silently discarded for some reason other than malformed, bad authenticators or unknown types
Counter Discontinuity | Number of centiseconds since the last discontinuity in the RADIUS Client counters. A discontinuity may be the result of a reinitialization of the RADIUS Client module within the managed entity.
To clear RADIUS statistics:
• At the config>mngmnt>radius# prompt, enter clear statistics.
The RADIUS statistics are cleared.
5.3 Authentication via TACACS+ Server
TACACS+ (Terminal Access Controller Access Control System Plus) is a security application that provides
access control for routers, network access servers, and other networked computing devices via one or
more centralized servers. TACACS+ provides separate authentication, authorization, and accounting
services. It is used to communicate between the switch and an authentication database. As TACACS+ is
based on TCP, implementations are typically resilient against packet loss.
Applicability and Scaling
This feature is applicable to all the device versions.
Standards Compliance
TACACS+ Protocol Version 1.78 (IETF draft-grant-tacacs-02)
Benefits
The TACACS+ protocol allows centralized authentication and access control, avoiding the need to
maintain a local user data base on each device on the network. The TACACS+ server encrypts the entire
body of the packet, but leaves a standard TACACS+ header.
Customers do not have to adapt their TACACS+ server privilege levels to RAD CLI default values; CLI
levels can be remapped in accordance with the customer’s TACACS+ levels.
Functional Description
TACACS+ is a protocol that provides access control for routers, network access servers, and other
networked computing devices via one or more centralized servers. TACACS+ is based on the AAA model:
• Authentication – The action of determining the identity of a user
• Authorization – The action of determining what a user is allowed to do. It can be used to customize the service for the particular user.
• Accounting – The action of recording what a user is doing, and/or has done
Note
TACACS+ performs authorization according to the user level; it does not send
each command to the server for authorization.
The TACACS+ client can be configured to use authentication/authorization with or without accounting
functionality.
When configuring users on external TACACS+ servers, see User Access to define authorization levels for
SecFlow-1p users. Note that each user has the rights of all users below it, in addition to those explained
in its description.
Level | User | Allowed Actions | Description
3 | user | Monitoring | Commands that do not affect services, traffic, or configuration
6 | tech | Diagnostics | Commands that may affect services and traffic, but are not saved in the database
9 | oper | Configuration | Commands that change configuration parameters permanently
12 | su | User management | Commands that manage users in the database
Components
The TACACS+ remote access environment has three major components: access client, TACACS+ client,
and TACACS+ server.
• The access client is an entity which seeks the services offered by the network.
• The TACACS+ client, running on SecFlow-1p, processes the requests from the access client and passes this data to the TACACS+ server for authentication.
• The TACACS+ server authenticates the request, and authorizes services over the connection. The TACACS+ server does this by matching data from the TACACS+ client's request with entries in a trusted database.
TACACS+ server decides whether to accept or reject the user's authentication or authorization. Based on
this response from the TACACS+ server, the TACACS+ client decides whether to establish the user's
connection or terminate the user's connection attempt. The TACACS+ client also sends accounting data
to the TACACS+ server to record in a trusted database.
TACACS+ uses TCP for its transport and encrypts the body of each packet. TACACS+ client and server can
agree to use any port for authentication and accounting. TACACS+ supports authentication by using a
user name and a fixed password.
Accounting
SecFlow-1p supports up to five accounting groups, with up to five TACACS+ servers per group. However,
each TACACS+ server can be bound to a single accounting group only.
A group can be defined with its own accounting level:
• Shell accounting, which logs the following events:
   • Successful logon
   • Logon failure
   • Logout
   • Management session terminated by SecFlow-1p
• System accounting, which logs alarms and events
• Command accounting, which logs CLI commands and level changes executed by the user or the SecFlow-1p scheduler
Mapping Privilege Levels
SecFlow-1p supports software configuration of mapping CLI levels to TACACS+ privilege levels.
• There are 16 TACACS+ privilege levels.
• You can map a CLI level to multiple TACACS+ levels.
• You cannot map a TACACS+ level to multiple CLI levels. If the command is repeated for a TACACS+ level, the new mapping replaces the old one.
• You can unmap both TACACS+ and CLI levels, with the exception of su, which must be mapped to at least one TACACS+ level.
Factory Defaults
By default, no TACACS+ servers are defined. When the TACACS+ server is first defined, it is configured as
shown below.
Parameter | Default Value
key | Empty string
retry | 1
timeout | 5 seconds
authentication-port | 49
accounting-port | 49
Administrative status | shutdown
Accounting group membership | None
Configuring TACACS+ Entities
TACACS+ Server
SecFlow-1p provides connectivity to up to five TACACS+ authentication servers. You must specify the
associated server IP address, key, number of retries, etc.
Note
If you intend to use TACACS+ for authentication, verify that TACACS+ is
selected as a level-1 authentication method.
To configure a TACACS+ server:
1. At the config>mngmnt>tacacsplus# prompt, type server <ip-address> to specify the server IP address.
The config>mngmnt>tacacsplus>server (<ip-address>)# prompt is displayed.
2. Enter the necessary commands according to the tasks listed below.
Task | Command | Comments
Defining the TCP port to be used for accounting | accounting-port <port-number> | Possible values: 1–65535
Defining the TCP port to be used for authentication | authentication-port <port-number> | Possible values: 1–65535
Binding accounting group to TACACS+ server | group <string> | no group detaches the accounting group from the server.
Defining a non-disclosed string (shared secret) used to encrypt the user password | key <string> [hash] | The shared secret is a secret key consisting of free text known to the client and the server for encryption. The hash keyword denotes that the string is hashed, rather than clear text; usually it is added by the device after hashing the clear text that the user enters, before saving it in the database. If you enter the password as a text string, do not use the hash parameter. Use it only if you are specifying the password as a hashed value (obtained by using the info command to display TACACS+ data).
Defining the number of authentication request attempts | retry <number-of-retries> | Permanently set to 1
Defining timeout (in seconds) for response from TACACS+ server | timeout <seconds> | Possible values: 1–30
Administratively enabling server | no shutdown | shutdown administratively disables the server
Displaying statistics | show statistics |
Clearing statistics | clear-statistics |
Accounting Groups
To configure accounting groups:
1. At the config>mngmnt>tacacsplus# prompt, type group <group-name> to configure an accounting group with the specified name.
The config>mngmnt>tacacsplus>group (<group-name>)# prompt is displayed.
2. To define the accounting for the group, enter:
accounting [shell] [system] [commands]
Note
• You can enter any combination of the parameters shell, system, or commands, but you must enter at least one of them.
• Type no accounting to disable TACACS+ accounting for the group.
3. Type exit to return to the TACACS+ level.
The config>mngmnt>tacacsplus# prompt is displayed.
4. Type server <ip-address> to select the TACACS+ server to which to bind the group.
The config>mngmnt>tacacsplus>server (<ip-address>)# prompt is displayed.
5. At the config>mngmnt>tacacsplus>server (<ip-address>)# prompt, enter group <group-name> to bind the previously defined accounting group to the TACACS+ server.
Mapping CLI Levels to TACACS+ Privilege Levels
To map a CLI level to a TACACS+ privilege level:
1. At the config>mngmnt>tacacsplus# prompt, type
privilege-level <tacacs-privilege-level> { su | oper | tech | user}.
The tacacs-privilege-level value can be 0-15.
Note
Type no privilege-level <tacacs-privilege-level> to remove TACACS+ privilege
level mapping.
Examples
Defining Server
The example below illustrates the procedure for defining a TACACS+ server.
• Server IP address: 175.18.172.150
• Key: TAC_server1
exit all
configure management tacacsplus
server 175.18.172.150
key TAC_server1
no shutdown
exit all
save
To display the configuration from the above example:
# configure management tacacsplus server 175.18.172.150
config>mngmnt>tacacsplus>server(175.18.172.150)# information detail
key "244055BF667B8F89225048C6571135EF" hash
retry 1
timeout 5
authentication-port 49
accounting-port 49
no group
no shutdown
Defining Accounting Group
The example below illustrates the procedure for defining an accounting group.
• Group name: TAC1
• Accounting: Shell, system, and commands
• Bound to server defined in the example above.
exit all
configure management tacacsplus
group TAC1
accounting shell system commands
exit
server 175.18.172.150
group TAC1
exit all
configure management tacacsplus server 175.18.172.150
config>mngmnt>tacacsplus>server(175.18.172.150)# info detail
key "244055BF667B8F89829AB8AB0FE50885" hash
retry 1
timeout 5
authentication-port 49
accounting-port 49
group "TAC1"
no shutdown
Mapping CLI Level to Privilege Level
To map TACACS+ level 7 to the CLI user level:
configure management tacacsplus privilege-level 7 user
To delete the mapping of TACACS+ level 7 to the CLI user level:
configure management tacacsplus no privilege-level 7
Configuration Errors
The following table lists the messages generated by SecFlow-1p when a configuration error is detected.
Message | Cause | Corrective Action
su level must be mapped to a TACACS+ level | You tried removing the last mapping of su, but su must be mapped to at least one TACACS+ level. | Leave at least one mapping of su.
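The mapping rules from Mapping Privilege Levels and the configuration error above, as an added example that is not RAD code: a small model of the privilege-level / no privilege-level commands that enforces "one CLI level per TACACS+ level, several TACACS+ levels per CLI level, su never left unmapped". The PrivilegeMap class and its method names are this example's own; the starting mapping (TACACS+ level 15 to su) is an assumption made so the object begins in a valid state, not a documented device default.

```python
"""CLI-level to TACACS+ privilege-level mapping rules (added example, not RAD code)."""

CLI_LEVELS = ("user", "tech", "oper", "su")


class PrivilegeMap:
    def __init__(self, initial=None):
        # Assumed starting state: the mapping already present on the device.
        # Level 15 -> su is a placeholder chosen for the demo, not a documented default.
        self._map = dict(initial or {15: "su"})   # tacacs level (0-15) -> CLI level
        if "su" not in self._map.values():
            raise ValueError("su level must be mapped to a TACACS+ level")

    def _would_orphan_su(self, tacacs_level, new_cli_level):
        """True if changing/removing this entry would leave su with no TACACS+ level."""
        return (self._map.get(tacacs_level) == "su" and new_cli_level != "su"
                and self.count("su") == 1)

    def privilege_level(self, tacacs_level, cli_level):
        """privilege-level <tacacs-privilege-level> {su | oper | tech | user}"""
        if not 0 <= tacacs_level <= 15:
            raise ValueError("tacacs-privilege-level must be 0-15")
        if cli_level not in CLI_LEVELS:
            raise ValueError(f"unknown CLI level {cli_level!r}")
        if self._would_orphan_su(tacacs_level, cli_level):
            raise ValueError("su level must be mapped to a TACACS+ level")
        # A TACACS+ level belongs to one CLI level: repeating the command replaces it.
        self._map[tacacs_level] = cli_level

    def no_privilege_level(self, tacacs_level):
        """no privilege-level <tacacs-privilege-level>"""
        if self._would_orphan_su(tacacs_level, None):
            raise ValueError("su level must be mapped to a TACACS+ level")
        self._map.pop(tacacs_level, None)

    def count(self, cli_level):
        return sum(1 for c in self._map.values() if c == cli_level)

    def levels_of(self, cli_level):
        """All TACACS+ levels granted to one CLI level (a CLI level may own several)."""
        return sorted(t for t, c in self._map.items() if c == cli_level)

    def cli_level_for(self, tacacs_level):
        """CLI level for the privilege level a TACACS+ server returned, or None if unmapped."""
        return self._map.get(tacacs_level)


if __name__ == "__main__":
    pm = PrivilegeMap({15: "su"})
    pm.privilege_level(7, "user")       # the manual's example command
    print(pm.cli_level_for(7))          # user
    pm.no_privilege_level(7)            # and its removal
    print(pm.cli_level_for(7))          # None
```

Note what the model deliberately does not do: a user whose server returns an unmapped level gets no CLI level at all (cli_level_for returns None), so a TACACS+ deployment should map every level the server can hand out, and the su check fires both on no privilege-level and on re-mapping su's last level to another CLI level, since the page says a repeated command replaces the old mapping.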
Viewing TACACS+ Statistics
To display TACACS+ statistics:
• At the config>mngmnt>tacacsplus>server (<ip-address>)# prompt, type show statistics.
The TACACS+ statistic counters are displayed.
config>mngmnt>tacacsplus>server(175.18.172.150)$ show statistics
Requests               0
Request Timeouts       0
Unexpected Responses   0
Server Error Responses 0
Incorrect Responses    0
Transaction Successes  0
Transaction Failures   0
Pending Requests       0
Counter | Description
Requests | Number of authentications performed toward a specific TACACS+ server
Request Timeouts | Number of transaction timeouts that occurred between the client and server
Unexpected Responses | Number of times the TACACS+ client receives a TACACS+ packet that is not expected at that time. Usually, this occurs due to a delayed response to a request that has already timed out
Server Error Responses | Number of errors received from the TACACS+ server
Incorrect Responses | Number of times the TACACS+ client fails to decrypt the packet, detects an invalid field in the TACACS+ packet, or receives a response that is not valid according to the initial request
Transaction Successes | Number of successful transactions between the client and TACACS+ server
Transaction Failures | Number of times the TACACS+ client’s request is aborted by the TACACS+ server or the server fails to respond after maximum retry is exceeded
Pending Requests | Number of TACACS+ client’s requests minus number of TACACS+ server responses or timeouts
To clear TACACS+ statistics:
• At the config>mngmnt>tacacsplus>server (<ip-address>)# prompt, type clear-statistics.
TACACS+ statistic counters are set to 0.
5.4 DHCP Server
SecFlow-1p supports Dynamic Host Configuration Protocol (DHCP) server functionality for IPv4 clients.
Based on the Bootstrap Protocol (BOOTP), DHCP server assigns to DHCP clients IPv4 addresses from
configured pools, as well as various configuration parameters (DHCP options), in response to the
broadcast requests of DHCP clients. This functionality eliminates the need to manually assign an IP
address for each potential client.
It is possible to configure a single DHCP server instance. It can be bound to any VRF.
Note
• The DHCP server and client applications are independent. You can configure neither or any combination of them.
• DHCP server is not supported on tunnel interfaces.
Applicability and Scaling
This feature is applicable to all SecFlow-1p versions.
Standards Compliance
RFC 951 – Bootstrap Protocol
RFC 1542 – Clarifications and Extensions for the Bootstrap Protocol (relay agent requirements)
RFC 2131 – Dynamic Host Configuration Protocol
RFC 2132 – DHCP Options and BOOTP Vendor Extensions (basic DHCP options)
Benefits
The main benefits of DHCP servers are:
• Reduced costs of IP addresses – There is no need to buy and manage an IP address for each potential client. For example, there is no need to manually assign an address for each machine that is connected to the network, even briefly or rarely.
• Reduced access costs – Dynamic addresses are cheaper than static addresses.
• Reduced client configuration costs – DHCP ease of configuration leads to fast deployment and less operational overhead. There is no need to manually configure connectivity parameters on each client, except for very basic configuration (and sometimes not even this). The DHCP server can even start a zero touch configuration process, which completely configures the client without network manager intervention.
• Centralized management – Network managers only need to configure a single central server. If a global parameter, e.g. DNS server, is changed, there is no need to manually configure all the clients in the network.
Functional Description
The following describes the DHCP flow, from the time the client sends a broadcast DHCP request and
until the IP addresses are distributed.
1. The DHCP client sends to the DHCP server a broadcast DHCP request.
2. Any listening DHCP server can assign an IP address to the DHCP client (based on information
sent by the client), as well as other options. Before assigning an IP address, the server pings it. If
a reply is received, this means the address is a conflict, meaning it is an address that is already
occupied. The conflict enters the conflicts table.
3. DHCP server sends back to the client a lease offer, containing an IP address and possibly other
parameters. It sends its IP address in option 54 (server identifier) to the client.
Note
If the DHCP server offers a lease and the client then sends a DHCP request with an IP address of a different server (in option 54), the server assumes that the request is no longer relevant, and returns the offered address to the pool of available addresses.
4. The DHCP client accepts the offer. If the DHCP client received more than one lease offer, it
chooses a lease; usually the first one it received.
5. Before accepting a lease, a typical client sends a gratuitous ARP to the IP address it is about to
use. If two replies are received, the client should decline the lease, and the server places the IP
address into the conflicts table.
6. The server acknowledges the lease.
SecFlow-1p saves the lease in a database that includes all active and inactive leases. The lease database
with address binding (IP address to client hardware address) resides in permanent memory that
withstands reboot. If possible, SecFlow-1p assigns to clients the same IP addresses they previously had.
The lease is usually granted for a limited time; therefore, the DHCP client should renew it before it expires. A DHCP client may also release a lease once it is no longer needed.
The server does not delete a binding from the database when a lease expires. However, if a new client
asks for an address and the server does not have a free address, then one of the unused addresses from
the database may be used.
The server also saves a table of conflicts. A conflict is an IP address that the server tried to assign but
found out it is already occupied. The server does not assign an address from the conflicts table unless all
non-conflicting addresses belong to active leases.
If you change the configuration so that it renders active leases invalid (such as changing a pool’s range of
addresses or network, excluding an address), the server removes the leases from the binding database.
Addresses in the conflict database that are no longer valid are also removed.
The device may function as DHCP client or server at the same time.
DHCP Options
The following Tx options (i.e. sent from server to client) are supported by RAD DHCP server and RAD
clients:
• Default routers (3) – one or two
• Lease time (51) – offered lease time
• Server identifier (54) – IP address of the server offering the lease; not configurable
The following Tx options are supported by RAD DHCP server, but unsupported by RAD clients:
• Domain name system (DNS) servers (6) – one or two
• Domain name (15)
• NetBIOS name server (44)
• NetBIOS node type [b, p, m, or h] (46)
The following Rx options (i.e. sent from client to server) are supported by RAD DHCP server and RAD clients:
• Lease time (51) – requested lease time
• Server identifier (54) – IP address of the server whose offer is accepted (also used by clients to send unicast messages to the server)
• Client identifier (61) – client unique identifier (typically MAC address, but can be any other string)
The following Rx options are supported by RAD clients, but ignored by RAD DHCP server:
• Host name (12) – client host name
• Vendor class identifier (60) – client vendor identifier
Note
• Options 66 (TFTP server name), 67 (boot file name), and 150 (TFTP server address) are not supported by RAD DHCP server although RAD clients use them for the zero touch configuration process.
• Unsupported received DHCP options are ignored. They do not invalidate a request.
Manual Bindings
In cases when it is important that a client, usually a router or server, not change its address, it is possible
to configure manual bindings, i.e. IP addresses that are manually mapped to clients. This directs the
server to grant fixed addresses to specific clients (usually recognized by their MAC address).
DHCP Lease Offer Message
When offering a lease, the server builds a DHCPOFFER message, locates the assigned IP address, and
adds the following options:
• DHCP message type (53) – 2, in case of a DHCP offer
• Subnet mask (1) – The subnet mask of the client, taken from the host or network command of the pool configuration.
• Lease time (51) – Time the lease is valid
• Renewal (T1) time value (58) – Time (in seconds) at which the client should transition to the renewing state. If the offered lease time is infinite, this option is not sent. Otherwise it is set to the default, which is 0.5 of the lease time.
• Rebinding (T2) time value (59) – Time (in seconds) at which the client should transition to the rebinding state. If the offered lease time is infinite, this option is not sent. Otherwise, it is set to the default, which is 0.875 of the lease time.
• Server identifier (54) – IP address of the server
• Any of the following options, if configured:
   • Default router (3) – one or two IP addresses
   • DNS server (6) – one or two IP addresses
   • Domain name (15) – a string
   • TFTP server name (66) – a string
   • NetBIOS name server (44) – one or two IP addresses
   • NetBIOS node type (46) – b, p, m, or h
• The end option (255) – Marks the end of valid information in the vendor field.
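The lease flow in the Functional Description above and the DHCPOFFER contents just listed, as one added example that is not RAD code: a simulation of the server's allocation decisions, that is, excluded addresses, manual bindings, the pre-assignment ping that feeds the conflicts table, preference for a client's previous address, expired bindings kept in the database until needed, conflicting addresses used only when every non-conflicting one is actively leased, the option 54 check on DHCPREQUEST, and the T1/T2 values (0.5 and 0.875 of the lease, omitted for an infinite lease). The DhcpServerSim class, its method names and the reachable set standing in for the ping are this example's own constructs; the addresses used in the demo are made up.

```python
"""Simulation of the DHCP server lease logic described above (added example, not RAD code)."""
import ipaddress

DHCPOFFER, DHCPACK = 2, 5
INFINITE = 0xFFFFFFFF          # "infinite" lease time value of option 51


class DhcpServerSim:
    def __init__(self, server_id, network, start, end, lease_time=86400,
                 routers=(), dns=(), reachable=None):
        self.server_id, self.prefix = server_id, ipaddress.ip_network(network)
        first, last = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        self.pool = [str(ipaddress.ip_address(a)) for a in range(first, last + 1)]
        self.lease_time, self.routers, self.dns = lease_time, tuple(routers), tuple(dns)
        self.reachable = reachable if reachable is not None else set()  # stand-in for ping
        self.excluded, self.manual = set(), {}   # manual: client-id -> fixed address
        self.bindings = {}    # ip -> {"client", "expires"}; kept in the database after expiry
        self.conflicts = set()
        self.offered = {}     # ip -> client, between DHCPOFFER and DHCPREQUEST

    def exclude_address(self, ip):
        self.excluded.add(ip)

    def manual_binding(self, client, ip):
        self.manual[client] = ip

    def _active(self, ip, now):
        b = self.bindings.get(ip)
        return b is not None and b["expires"] > now

    def _select(self, client, now, tried):
        def usable(ip, conflict):
            return (ip not in tried and ip not in self.excluded and ip not in self.offered
                    and not self._active(ip, now) and (ip in self.conflicts) == conflict)
        if client in self.manual:                      # fixed address for this client
            ip = self.manual[client]
            return None if ip in tried else ip
        for ip, b in self.bindings.items():            # the address the client had before
            if b["client"] == client and usable(ip, False):
                return ip
        for ip in self.pool:                           # never assigned, not conflicting
            if ip not in self.bindings and usable(ip, False):
                return ip
        for ip in self.pool:                           # expired binding of another client
            if usable(ip, False):
                return ip
        for ip in self.pool:                           # conflicts only when nothing else is left
            if usable(ip, True):
                return ip
        return None

    def discover(self, client, now):
        """DHCPDISCOVER: pick an address, ping it, record conflicts, build the DHCPOFFER."""
        tried = set()
        while True:
            ip = self._select(client, now, tried)
            if ip is None:
                return None
            if ip in self.reachable:                   # ping answered: address already in use
                self.conflicts.add(ip)
                tried.add(ip)
                continue
            self.offered[ip] = client
            return {"yiaddr": ip, "options": self._offer_options()}

    def _offer_options(self):
        opts = {53: DHCPOFFER, 1: str(self.prefix.netmask), 51: self.lease_time, 54: self.server_id}
        if self.lease_time != INFINITE:                # T1/T2 are not sent for an infinite lease
            opts[58] = self.lease_time // 2
            opts[59] = int(self.lease_time * 0.875)
        if self.routers:
            opts[3] = self.routers
        if self.dns:
            opts[6] = self.dns
        return opts

    def request(self, client, ip, server_id, now):
        """DHCPREQUEST: option 54 naming another server returns the offer to the pool."""
        if self.offered.get(ip) != client:
            return None
        del self.offered[ip]
        if server_id != self.server_id:
            return None
        expires = INFINITE if self.lease_time == INFINITE else now + self.lease_time
        self.bindings[ip] = {"client": client, "expires": expires}
        return {"yiaddr": ip, "options": {53: DHCPACK, 51: self.lease_time, 54: self.server_id}}

    def decline(self, client, ip):
        """The client's ARP probe found the address in use: move it to the conflicts table."""
        if self.bindings.get(ip, {}).get("client") == client:
            del self.bindings[ip]
        self.conflicts.add(ip)

    def release(self, client, ip, now):
        """The binding stays in the database; the address merely becomes reusable."""
        b = self.bindings.get(ip)
        if b and b["client"] == client:
            b["expires"] = now
```

Running the simulation with a three-address pool where one address is excluded and another answers ping reproduces the behaviour described in the text: the first client receives the only clean address, a second client gets nothing while the conflicting address still responds, and gets that address as soon as it stops responding, because all non-conflicting addresses are then actively leased; a client that returns after releasing is handed its previous address from the binding database.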
Factory Defaults
By default, no DHCP server or DHCP server pool is defined. When a DHCP server or DHCP server pool is first defined, it is configured as shown below.
Parameter | Default Value
DHCP server
number | 1
clear | --
bind | router 1
exclude-address | --
shutdown | no shutdown
pool | no pool
tftp-server-name | no tftp-server-name
DHCP server pool
address-range | no address-range
client-identifier | no client-identifier
default-router | no default-router
dns-server | no dns-server
domain-name | no domain-name
hardware-address | no hardware-address
host | no host
lease-default | no lease-default
netbios-name-server | no netbios-name-server
netbios-node type | no netbios-node type
network | no network
relay-information | no relay-information
Configuring DHCP Server
You can configure a single DHCP server as follows:
1. Globally enable DHCP server functionality (the default).
2. By default, no DHCP server exists. Create a single instance of DHCP server.
3. Exclude addresses that should never be assigned to clients; typically addresses that are statically
configured on servers or routers.
4. Configure DHCP pools containing:
   • Range of addresses (or a single address) to assign to clients
   • Various DHCP options to send to clients
   • Definitions of clients eligible to get a lease from the pool
5. Host and subnetwork inherit options from larger networks (simplifying the configuration):
   • For example, a global pool (e.g. 192.168.0.0) can contain global options, such as domain name.
   • Additional pools are set for subnets (e.g. 192.168.1.0 and 192.168.2.0), each with its own default gateway.
To configure the DHCP server:
1. Navigate to configure system [no] dhcp-server [<number>].
The config>system>dhcp-server# prompt is displayed.
Note
• <number> is the number of the dhcp-server, which can only be 1.
• Type no dhcp-server to remove the DHCP server from the router.
2. At the config>system>dhcp-server# prompt, enter the necessary commands according to the tasks listed below.
Task | Command | Comments
Binding DHCP server to router | bind router <number> | number – router number. Note: The DHCP server works only on the router to which it is bound. If the bound router does not exist, the DHCP server is idle.
Clearing DHCP server bindings, conflicts, or statistics | clear {binding {address <ipv4-address> | all} | conflict {address <ipv4-address> | all}} |
   • You can clear the entire DHCP server binding database, or the binding of a specific address.
   • When clearing a specific address, if ipv4-address does not exist in the database, an error message is generated: No such address.
   • You can clear the entire conflicts database, or a specific conflicting address.
   • Clearing all conflicts clears both abandoned (declined by clients) and blocked (already in use) addresses.
Configuring the IP address that is not to be offered to a client | [no] exclude-address <ipv4-address> | A single address to be excluded can be configured per command. Repeating this command adds new excluded addresses; it does not replace previous excluded addresses. Note: Excluded addresses are typically addresses that are statically configured on servers or routers.
Configuring DHCP server pool | [no] pool | See Configuring DHCP Server Pool. Typing no pool removes the DHCP server pool and the configuration related to it (IP address ranges and DHCP options).
Displaying DHCP server bindings | show binding | See Viewing DHCP Server Binding
Displaying DHCP server conflicts | show conflict | See Viewing DHCP Server Conflict
Displaying DHCP server statistics | show statistics | See Viewing DHCP Server Statistics
Disabling/enabling DHCP server functionality | [no] shutdown | DHCP server functionality is enabled by default. Notes:
   • The DHCP client functions are not affected by this command.
   • When disabled, the rest of the server configuration is ignored.
Configuring DHCP Server Pool
By default, no DHCP server pool exists. The following procedure describes how to create a DHCP server
pool. Each pool must be assigned a unique name.
The DHCP server offers leases based on the pools’ configurations.
 To configure the DHCP server pool:
1. Navigate to configure system dhcp-server pool <name>.
The config>system>dhcp-server>pool# prompt is displayed.
2. At the config>system>dhcp-server>pool# prompt, enter the necessary commands according
to the tasks listed below.
Note
• Typing no pool <name> removes the DHCP server pool, as well as the configuration related to it.
• You must assign a unique pool name of 1 to 80 characters.
Task: Configuring range of IP addresses that the server can assign to clients
Command: [no] address-range <start-ip> <end-ip>
Comments: start-ip – lowest IPv4 address of the range; end-ip – highest IPv4 address of the range (relevant only for a pool bound to a network).
Notes:
• An address range can be configured only if the pool is bound to a network. It is irrelevant if the pool is bound to a host.
• The address range must be inside the pool’s subnet (configured with the network command).
• If no range is configured, the default value is the entire subnet of the pool.
• A single range can be configured per pool.
• Typing no address-range <start-ip> <end-ip> deletes an existing range. If the specified range is not exactly the one configured, the range is not deleted.

Task: Configuring client identifier (DHCP option 61)
Command: client-identifier <unique-identifier>
no client-identifier
Comments: Client identifier (option 61) is used for manual binding, i.e. assigning a preconfigured IP address to a specific client.
unique-identifier – client identifier; 1-255 character string
Notes:
• Client identifier can be configured only if the pool is bound to a host (using the host command).
• If the command is repeated, it replaces the previous one.
• Either client identifier or hardware address can be configured; not both.
• You cannot configure a client identifier already configured on another pool.
• Typing no client-identifier removes the client identifier from the pool.
• Client identifier can be a hexadecimal number or a string. String format is <string>; hexadecimal number format is 1:<hex>.

Task: Configuring default router (DHCP option 3)
Command: default-router <address> [<address-2>]
no default-router
Comments: address – default router IPv4 address; address-2 – second default router IPv4 address
Notes:
• Repeating this command replaces the previous one.
• address-2 must be different from address.

Task: Configuring DNS server (DHCP option 6)
Command: dns-server <address> [<address-2>]
no dns-server
Comments: address – DNS server IPv4 address (mandatory); address-2 – second DNS server IPv4 address (optional)
Notes:
• Repeating this command replaces the previous one.
• address-2 must be different from address.

Task: Configuring domain name (DHCP option 15)
Command: domain-name <domain>
no domain-name
Comments: domain – domain name; 1-255 character string
Note: Repeating this command replaces the previous one.

Task: Configuring client hardware address (MAC address)
Command: hardware-address <mac-address>
no hardware-address
Comments: The MAC address is used for manual binding, i.e. assigning a preconfigured IP address to a specific client.
mac-address – client MAC address
Notes:
• The hardware address can be configured only if the pool is bound to a host (configured with the host command).
• Repeating this command replaces the previous one.
• Either client identifier or hardware address can be configured; not both.
• You cannot configure a hardware address already configured on another pool.

Task: Configuring client IP address and prefix length
Command: host <ipv4-address>/<prefix-length>
no host
Comments: ipv4-address – client IPv4 address; prefix-length – client IP prefix length. Possible values: 1-32
Notes:
• If no host is invoked while a client identifier or hardware address is configured, the device deletes the configured client identifier or hardware address.
• Repeating this command replaces the previous one.
• Either the host or the network command can be configured; not both.
• The address (taking into account the prefix length) must be a unicast address.
• The same pair of address and prefix length may not be configured on more than one pool.
• The mask (reflecting the prefix length) is passed to the client in option 1.

Task: Learning pool configuration from DHCP client
Command: [no] learn-from-dhcp-client router <router> interface <interface>
Comments: router, interface – router interface from which to learn DHCP information

Task: Configuring lease default validity time (DHCP option 51)
Command: lease-default {time <days> [<hours> [<minutes>]] | infinite}
no lease-default
Comments: Possible values: 60-8640000 seconds (100 days); infinite (the lease never expires, unless the client releases it).
Notes:
• If you configure a lease validity time between 60 and 8640000 seconds (100 days), the server grants it.
• If you configure less than 60 seconds, the server offers 60 seconds.
• If you configure more than 8640000 seconds, the server offers 8640000 seconds.
• If the client does not send option 51, i.e. it does not state for how long it requires the lease, the server offers the default lease time (one day, unless otherwise configured).
• Repeating this command replaces the previous one.

Task: Configuring NetBIOS name server (DHCP option 44)
Command: netbios-name-server <address> [<address-2>]
no netbios-name-server
Comments: address – NetBIOS name server IPv4 address; address-2 – second NetBIOS name server IPv4 address
Note: Repeating this command replaces the previous one.

Task: Configuring NetBIOS node type (DHCP option 46)
Command: netbios-node-type <type>
no netbios-node-type
Comments: type – NetBIOS node type. Possible values: b, p, m, h
Note: Repeating this command replaces the previous one.

Task: Configuring client network IPv4 address and mask
Command: network <ipv4-address>/<prefix-length>
no network
Comments: ipv4-address – network IPv4 address; prefix-length – prefix length. Possible values: 1-32
Notes:
• If the network is deleted or changed in such a way that the configured ranges are not in it, the device deletes the ranges that are outside the newly configured network.
• Repeating this command replaces the previous one.
• Either the host or the network command can be configured; not both.
• The IP address (taking into account the prefix length) must be a subnet address.
• The same pair of address and prefix length cannot be configured on more than one pool.

Task: Configuring relay agent information (DHCP option 82)
Command: relay-information circuit-id <circuit-id>
relay-information remote-id <remote-id>
no relay-information
Comments: Matching the received option 82 against the configuration determines which clients can receive offers from the pool.
Notes:
• Repeating this command replaces the previous one.
• Either circuit-id or remote-id can be specified, as only one of them can be matched with the received option 82.
• Option 82 cannot be matched with a hex pattern.
• The relay agent information option can be configured only if the pool is bound to a network.

Task: Configuring TFTP server name (DHCP option 66)
Command: tftp-server-name <name>
no tftp-server-name
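The pool rules above (host versus network binding, range inside the subnet, client identifier versus hardware address on host-bound pools only, lease clamping to 60-8640000 seconds, uniqueness across pools) are easy to violate when pools are generated from an inventory rather than typed by hand. The following Python lints a set of pool definitions against those rules before they are pasted into the CLI and emits the pool commands in the syntax of the table. It is an added example, not RAD's code or a RAD tool: the Pool class, the function names and the three sample pools are constructed for it; where the page has an error message for a rule, the same wording is reused.

```python
"""Lint DHCPv4 pool definitions against the pool rules in the tables above
and emit the matching config>system>dhcp-server>pool# commands.
Added example, not RAD code: Pool, the functions and the sample pools are
this example's own; device error wording is reused where the page has it."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface
from typing import Dict, List, Optional, Tuple

LEASE_MIN, LEASE_MAX = 60, 8640000     # lease-default bounds in seconds (100 days)

@dataclass
class Pool:
    name: str
    network: Optional[str] = None             # "192.168.1.0/24": bound to a network
    host: Optional[str] = None                # "192.168.1.10/24": bound to one host
    address_range: Optional[Tuple[str, str]] = None
    client_identifier: Optional[str] = None   # option 61, host-bound pools only
    hardware_address: Optional[str] = None    # MAC, host-bound pools only
    default_router: List[str] = field(default_factory=list)   # option 3
    dns_server: List[str] = field(default_factory=list)       # option 6
    domain_name: Optional[str] = None         # option 15
    lease_seconds: Optional[int] = None       # None: device default of one day

def clamp_lease(seconds: int) -> int:
    """What the server actually offers for a configured lease-default value."""
    return max(LEASE_MIN, min(LEASE_MAX, seconds))

def validate_pool(p: Pool) -> List[str]:
    errs: List[str] = []
    if not 1 <= len(p.name) <= 80:
        errs.append("pool name must be 1-80 characters")
    if p.host and p.network:
        errs.append("The pool is bound to host")               # host XOR network
    if p.network:
        iface = ip_interface(p.network)
        if iface.ip != iface.network.network_address:           # must be a subnet address
            errs.append("Invalid address or prefix length")
        if p.address_range:
            lo, hi = (ip_address(a) for a in p.address_range)
            if lo > hi or lo not in iface.network or hi not in iface.network:
                errs.append("Range is not inside the pool's network")
    elif p.address_range:
        errs.append("The pool is not bound to network")
    if p.host:
        iface = ip_interface(p.host)
        net = iface.network
        reserved = net.prefixlen <= 30 and iface.ip in (net.network_address, net.broadcast_address)
        if iface.ip.is_multicast or reserved:                   # must be a unicast host address
            errs.append("Invalid address or prefix length")
    if p.client_identifier and p.hardware_address:
        errs.append("Cannot have both client-identifier and hardware-address")
    if (p.client_identifier or p.hardware_address) and not p.host:
        errs.append("The pool is not bound to host")
    return errs

def validate_pools(pools: List[Pool]) -> List[str]:
    """Per-pool rules plus cross-pool uniqueness of host/network, client id and MAC."""
    errs: List[str] = []
    seen: Dict[str, set] = {}
    for p in pools:
        errs += [f"{p.name}: {e}" for e in validate_pool(p)]
        for kind, key in (("Address and prefix", p.host or p.network),
                          ("Client identifier", p.client_identifier),
                          ("Hardware address", p.hardware_address)):
            if key and key in seen.setdefault(kind, set()):
                errs.append(f"{p.name}: {kind} configured on another pool")
            elif key:
                seen[kind].add(key)
    return errs

def emit_cli(p: Pool) -> List[str]:
    """Commands for the pool, in the table's syntax; the lease is clamped as the server would."""
    out = [f"pool {p.name}"]
    for cmd, val in (("network", p.network), ("host", p.host),
                     ("client-identifier", p.client_identifier),
                     ("hardware-address", p.hardware_address), ("domain-name", p.domain_name)):
        if val:
            out.append(f" {cmd} {val}")
    if p.address_range:
        out.append(" address-range %s %s" % p.address_range)
    for cmd, vals in (("default-router", p.default_router), ("dns-server", p.dns_server)):
        if vals:
            out.append(f" {cmd} " + " ".join(vals))
    if p.lease_seconds is not None:             # lease-default time <days> [<hours> [<minutes>]]
        days, rem = divmod(clamp_lease(p.lease_seconds), 86400)
        hours, minutes = divmod(rem // 60, 60)
        out.append(f" lease-default time {days} {hours} {minutes}")
    out.append(" exit")
    return out

SAMPLE_POOLS = [                                # constructed for this example
    Pool("lan", network="192.168.1.0/24", address_range=("192.168.1.100", "192.168.1.199"),
         default_router=["192.168.1.1"], dns_server=["192.168.1.1"], domain_name="example.com",
         lease_seconds=864000),
    Pool("plc-1", host="192.168.1.10/24", hardware_address="11:22:33:44:55:66"),
    Pool("broken", host="192.168.1.11/24", network="192.168.1.0/24",
         client_identifier="rad111", hardware_address="11:22:33:44:55:66", lease_seconds=30),
]

if __name__ == "__main__":
    for msg in validate_pools(SAMPLE_POOLS):
        print("error:", msg)
    print("\n".join(emit_cli(SAMPLE_POOLS[0])))
```

Running it reports three problems for the "broken" pool (host and network together, client identifier and hardware address together, and a MAC already used by "plc-1") and prints the commands for "lan", with the 30-second lease of "broken" rendered as the 60 seconds the server would actually offer.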
Viewing DHCP Server Binding
You can display the DHCP server binding database, which includes all IP addresses that have already
been assigned, lease expiration time and date, and the hardware addresses of the clients.
 To display the DHCP server binding information:
• At the config>system>dhcp-server# prompt, enter show binding.
The DHCP server binding information is displayed.
IP Address    : 192.168.1.1
Binding State : active
Bound to MAC  : 11:22:33:44:55:66
Bound to ID   : 0x01 rad111
Lease Time    : 864000 seconds
Expires At    : 1949/10/01 01:11:12
DHCP Server Binding Parameters
IP Address – Lease IPv4 address
Binding State – Binding state. Possible values: free, offered, active, expired, released, abandoned, permanent, bootp, blocked
Bound to MAC – Client MAC address, formatted xx:xx:xx:xx:xx:xx
Bound to ID – Client ID. Readable characters are printed as is; for non-readable ones, the hex value is printed preceded by 0x; for example: 0x01 rad111.
Lease Time – Lease time in seconds
Expires At – Lease expiration date and time, formatted as other date and time parameters in the device
Viewing DHCP Server Conflict
You can display the DHCP server conflict information, which includes all address conflicts that have been
recorded by the DHCP server, including:
• Abandoned addresses – addresses that clients have declined (they expire after a timeout)
• Blocked addresses – addresses that were in use without the server assigning them (they do not expire; clear them with clear conflict)
 To display the DHCP server conflict information:
• At the config>system>dhcp-server# prompt, enter show conflict.
The DHCP server conflict information is displayed.
IP Address        Expires in
---------------------------
1.1.1.1           -- seconds
100.100.100.100   390 seconds
DHCP Server Conflict Parameters
IP Address – Conflict IPv4 address
Expires in – Time (in seconds) remaining before the conflict expires. Possible values: -- if there is no expiration time, such as for blocked addresses; a number if there is an expiration time, such as for abandoned addresses
Viewing DHCP Server Statistics
You can display the DHCP server statistics.
 To display the DHCP server statistics:
• At the config>system>dhcp-server# prompt, enter show statistics.
The DHCP server statistics are displayed.
Address Type   Total
--------------------
Free           10
Offered        1
Active         100
Expired        2
Released       -
Abandoned      -
Permanent      -
Bootp          -
Blocked        1
DHCP Server Statistics Counters
Free – Total number of free addresses
Offered – Total number of offered addresses
Active – Total number of active addresses
Expired – Total number of expired addresses
Released – Total number of released addresses
Abandoned – Total number of abandoned addresses
Permanent – Total number of permanent addresses
Bootp – Total number of bootp addresses
Blocked – Total number of blocked addresses
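A monitoring script that reads show binding and show conflict has to parse the layouts shown above and know which conflicts clear themselves. The Python below does that on samples constructed from the output values on this page: it decodes the Bound to ID field into the raw option 61 bytes, lists active leases that expire within a window of a given device time, and generates clear conflict address commands only for blocked entries, since abandoned ones expire on their own. Added example, not RAD code; the token-based reading of Bound to ID (0x.. tokens as raw bytes, other tokens as ASCII) is this example's assumption.

```python
"""Parse show binding / show conflict text from the DHCPv4 server prompt.
Added example, not RAD code. The samples are constructed from the page's own
output values, one "Label : value" field per line; treating Bound to ID as
whitespace-separated tokens (0x.. = raw bytes, else ASCII) is an assumption."""
import re
from datetime import datetime
from typing import Dict, List

DATE_FMT = "%Y/%m/%d %H:%M:%S"

SAMPLE_BINDING = """\
IP Address    : 192.168.1.1
Binding State : active
Bound to MAC  : 11:22:33:44:55:66
Bound to ID   : 0x01 rad111
Lease Time    : 864000 seconds
Expires At    : 1949/10/01 01:11:12
"""

SAMPLE_CONFLICT = """\
IP Address        Expires in
---------------------------
1.1.1.1           -- seconds
100.100.100.100   390 seconds
"""

CONFLICT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(--|\d+)\s+seconds$")

def decode_client_id(text: str) -> bytes:
    """'0x01 rad111' -> b'\\x01rad111' (option 61: type byte followed by the identifier)."""
    out = bytearray()
    for tok in text.split():
        out += bytes.fromhex(tok[2:]) if tok.startswith("0x") else tok.encode("ascii")
    return bytes(out)

def parse_binding(text: str) -> List[Dict[str, object]]:
    """One dict per lease; an 'IP Address' line starts a new record."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        label, sep, value = line.partition(":")   # first colon only: MACs and times keep theirs
        if not sep:
            continue
        label, value = label.strip(), value.strip()
        if label == "IP Address":
            records.append({})
        if not records:
            continue
        rec = records[-1]
        if label == "Lease Time":
            rec["lease_seconds"] = int(value.split()[0])
        elif label == "Expires At":
            rec["expires_at"] = datetime.strptime(value, DATE_FMT)
        elif label == "Bound to ID":
            rec["client_id"] = decode_client_id(value)
        else:
            rec[label] = value
    return records

def parse_conflicts(text: str) -> List[Dict[str, object]]:
    """Blocked addresses show '--' (no expiry); abandoned ones show a countdown."""
    out: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = CONFLICT_RE.match(line.strip())
        if m:
            ip, exp = m.groups()
            out.append({"ip": ip, "expires_in": None if exp == "--" else int(exp),
                        "kind": "blocked" if exp == "--" else "abandoned"})
    return out

def expiring_within(records: List[Dict[str, object]], now: str, seconds: int) -> List[str]:
    """Active leases whose Expires At is within `seconds` of `now` (device date format)."""
    now_dt = datetime.strptime(now, DATE_FMT)
    return [str(r["IP Address"]) for r in records
            if r.get("Binding State") == "active"
            and (r["expires_at"] - now_dt).total_seconds() <= seconds]

def clear_commands(conflicts: List[Dict[str, object]]) -> List[str]:
    """Blocked entries need an operator to clear them; abandoned ones expire by themselves."""
    return [f"clear conflict address {c['ip']}" for c in conflicts if c["kind"] == "blocked"]

if __name__ == "__main__":
    leases = parse_binding(SAMPLE_BINDING)
    print(leases)
    print(expiring_within(leases, "1949/10/01 00:00:00", 2 * 3600))
    print(clear_commands(parse_conflicts(SAMPLE_CONFLICT)))
```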
Configuration Errors
The following table lists the messages generated by SecFlow-1p when a configuration error is detected.
Message: No such address
Cause: You tried clearing an IPv4 address that does not exist in the database.
Corrective action: Make sure the address is in the database.

Message: The pool is not bound to network
Cause: You tried to configure a range of addresses for a pool that has not been bound to a network.
Corrective action: Bind the pool to a network using the network command.

Message: Range is not inside the pool’s network
Cause: You tried to configure a range that is not in the pool’s subnet.
Corrective action: Configure a range inside the pool’s subnet (the one set with the network command).

Message: Range is already configured
Cause: You can only configure a single range per pool. You already configured a range for the pool.
Corrective action: Delete the existing address range, and then configure a new range.

Message: Range does not exist
Cause: You tried to delete an address range that is not exactly the same as the one configured.
Corrective action: Delete the exact address range that you configured.

Message: The pool is not bound to host
Cause: You tried to configure a client identifier (option 61) or hardware address (MAC) for a pool that is not bound to a host.
Corrective action: Bind the pool to a host using the host command.

Message: Cannot have both client-identifier and hardware-address
Cause: You configured a client identifier when a hardware address is already configured, or vice versa.
Corrective action: Remove the client identifier or the hardware address configuration.

Message: Client identifier configured on different pool
Cause: You tried to configure a client identifier that has already been configured on another pool.
Corrective action: Configure a unique client identifier.

Message: Hardware address configured on different pools
Cause: You tried to configure a hardware address that has already been configured on another pool.
Corrective action: Configure a unique hardware address.

Message: The pool is bound to network
Cause: You tried configuring a host while the pool was bound to a network.
Corrective action: Unbind the pool from the network (no network), and then configure the host.

Message: The pool is bound to host
Cause: You tried configuring a network while the pool was bound to a host.
Corrective action: Unbind the pool from the host (no host), and then configure the network.

Message: Invalid address or prefix length
Cause: For a host, you entered a non-unicast address; for a network, you entered a non-subnet address.
Corrective action: Enter a valid unicast address (host) or subnet address (network), taking into account the prefix length.

Message: Address and prefix configured on another pool
Cause: You configured the same pair of address and prefix length on another pool.
Corrective action: Configure a unique address and prefix length pair.
5.5 DHCPv6 Server
SecFlow-1p supports Dynamic Host Configuration Protocol Version 6 (DHCPv6) server functionality for
IPv6 clients. The DHCPv6 server assigns IPv6 addresses from configured pools to DHCPv6 clients, in
response to client requests (IPv6 has no broadcast; clients send them to the
All_DHCP_Relay_Agents_and_Servers multicast address ff02::1:2). This functionality eliminates the need
to manually assign an IP address to each potential client. In addition, layer-2 or layer-3 DHCP relays
can negotiate DHCP information on behalf of a client, if the client and server are not directly
connected.
You can configure a single DHCPv6 server on any VRF (router instance).
Note
• DHCPv6 server, relay, and client applications are independent. You can configure none or any combination of them.
• DHCPv6 server is not supported on tunnel interfaces.
Applicability and Scaling
This feature is applicable to ODM HW devices with an embedded router.
Standards Compliance
[RFC 3315] – Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
[RFC 3633] – IPv6 Prefix Options for DHCPv6
[RFC 3646] – DNS Configuration Options for DHCPv6
[RFC 4862] – IPv6 Stateless Address Autoconfiguration
Benefits
The main benefits of DHCP servers are:
• Reduced costs of IP addresses – There is no need to buy and manage an IP address for each potential client. For example, there is no need to manually assign an address for each machine that is connected to the network, even briefly or rarely.
• Reduced access costs – Dynamic addresses are cheaper than static addresses.
• Reduced client configuration costs – DHCP ease of configuration leads to fast deployment and less operational overhead. There is no need to manually configure connectivity parameters on each client, except for very basic configuration (and sometimes not even this). The DHCP server can even start a zero touch configuration process, which completely configures the client without network manager intervention.
• Centralized management – Network managers only need to configure a single central server. If a global parameter, e.g. DNS server, is changed, there is no need to manually configure all the clients in the network.
Functional Description
DHCPv6 server can operate in two modes:
• Stateless mode – The client derives its IP address from Router Advertisements (RA) and the server only provides options that cannot be obtained from RA, such as the DNS server address.
• Stateful mode – The server provides IP addresses as well, and saves the bindings (IP address to client identifier) in permanent memory. This enables it to grant clients the same addresses they previously had, to minimize the possibility of their addresses being replaced.
If it is important to preconfigure an address, typically of a router or a server, it is possible to configure a
manual binding, which directs the server to grant a fixed address to a specific client (recognized by MAC
address or other data).
The following describes the DHCPv6 flow, from the time the client sends its request until the IP
addresses are distributed.
1. The DHCP client sends a request for a lease (a Solicit message) to the All_DHCP_Relay_Agents_and_Servers
multicast address. If the client and server are not directly connected to each other, the DHCP messages
can be forwarded by a DHCP Layer 2 or Layer 3 relay agent.
2. The DHCP relay agent (if one exists) intercepts the request and forwards it toward the DHCP server.
3. Any listening DHCP server can assign an IP address to the DHCP client (based on information sent by
the client or relay agent), as well as other options.
4. The client identifies itself with the Client Identifier option (1) in DHCPv6 messages, and the server
echoes it in its replies. The identifier it carries is called a DUID (DUID types: LLT, EN, and LL).
Note
If the DHCP server offers a lease and the client then sends a DHCP request carrying the Server Identifier
(option 2) of a different server, the server assumes that the request is no longer relevant, and returns
the offered address to the pool of available addresses.
5. The relay agent (if one exists) forwards the lease offer (Advertise message) to the client.
6. The DHCP client accepts the offer. If the DHCP client received more than one lease offer, it chooses a
lease; usually the first one it received.
7. Before using a lease, a typical client runs Duplicate Address Detection on the address it is about to
use. If the address turns out to be in use, the client should decline the lease, and the server places the
IP address into the conflicts table.
8. The server acknowledges the lease (Reply message).
SecFlow-1p saves the lease in a database that includes all active and inactive leases. The lease database
with address binding (IP address to client hardware address) resides in permanent memory that
withstands reboot. If possible, SecFlow-1p assigns to clients the same IP addresses they previously had.
The lease is usually granted for a limited time; therefore, the DHCP client should renew it before it
expires. A DHCP client may also release a lease once is no longer needed.
The server does not delete a binding from the database when a lease expires. However, if a new client
asks for an address and the server does not have a free address, then one of the unused addresses from
the database may be used.
SecFlow-1p may function as DHCP client or server at the same time.
In cases when it is important that a client, usually a router or server, not change its address, it is possible
to configure manual bindings, i.e. IP addresses that are manually mapped to clients. This directs the
server to grant fixed addresses to specific clients (usually recognized by their MAC address).
Factory Defaults
By default, no DHCPv6 server or DHCPv6 server pool is defined. When a DHCPv6 server or DHCPv6
server pool is first defined, it is configured as shown below.
DHCP server:
number – 1
pool – no pool
DHCP server pool:
address-prefix – no address-prefix
length – 64
valid-lifetime – 86400 (one day)
preferred-lifetime – 86400 (one day)
dns-server – no dns-server
domain-search-list – no domain-search-list
learn-from-dhcpv6-client – no learn-from-dhcpv6-client
Configuring DHCPv6 Server
You can configure the DHCPv6 server as follows:
1. By default, no DHCPv6 server exists. Create a single instance of DHCPv6 server over any VRF
supported in the router.
2. Configure DHCPv6 pools containing:
 Address prefixes (with their lifetimes) from which to assign addresses to clients
 Various DHCPv6 options to send to clients
 Definitions of clients eligible to get a lease from the pool
3. Hosts and subnetworks inherit options from larger networks (simplifying the configuration):
 For example, a global pool can contain global options, such as the domain search list.
 Additional pools are set for individual subnets (e.g. 2001:db8:1::/64 and 2001:db8:2::/64). Note that
DHCPv6 carries no default router option; clients learn their default router from Router Advertisements.
 To configure the DHCPv6 server:
1. Navigate to configure system dhcpv6-server [<number>].
Note
• <number> is the number of the dhcpv6-server, which can only be 1.
• Type no dhcpv6-server to remove the DHCPv6 server from the router.
2. At the config>system>dhcpv6-server(1)# prompt, perform the required tasks according to
the following table.
Task: Configuring DHCPv6 server pool
Command: [no] pool
Comments: See Configuring DHCP Server Pool. Typing no pool removes the DHCPv6 server pool and the configuration related to it (address prefixes and DHCPv6 options).

Task: Displaying DHCPv6 server bindings
Command: show binding
Comments: See Viewing DHCP Server Binding.

Note
Unlike the DHCPv4 server, the DHCPv6 server (once created) is always enabled and there is no
command to disable it. However, you have to bind it to an interface to make it work.
Configuring DHCP Server Pool
By default, no DHCPv6 server pool exists. The following procedure describes how to create a DHCPv6
server pool. Each pool must be assigned a unique name.
The DHCPv6 server offers leases based on the pools’ configurations.
 To configure the DHCPv6 server pool:
1. Navigate to configure system dhcpv6-server pool <name>.
2. At the DHCPv6 server pool prompt, perform the required tasks according to the following table.
Note
• Typing no pool <name> removes the DHCPv6 server pool, as well as the configuration related to it.
• You must assign a unique pool name of 1 to 80 characters.
Task: Configuring IPv6 prefix for address assignment
Command: address-prefix <prefix>/<length> [lifetime {<valid-lifetime> <preferred-lifetime> | infinite}]
no address-prefix <prefix>/<length>
Comments: prefix – IPv6 prefix; length – IPv6 prefix length, 0-128; valid-lifetime – 60-8640000 seconds (one minute to one hundred days); preferred-lifetime – 60-8640000 seconds (one minute to one hundred days)
Notes:
• A pool may be associated with multiple address prefixes. If the command is repeated with a different prefix and length, it is added to the configuration. If it is repeated with the same prefix and length, it replaces the previous command for that prefix and length; the reason to do this is to change the lifetime.
• There may not be more than one pool with the same address prefix. If you try to configure this, the command is rejected with the error: Address prefix in use in another pool.
• If infinite is specified, the preferred-lifetime and valid-lifetime fields of the IA Address option sent to the client are 0xffffffff.
• preferred-lifetime may not be greater than valid-lifetime. If you configure this, the command is rejected with the error: Preferred lifetime may not be greater than valid lifetime.

Task: Configuring DNS server (DHCPv6 option 23)
Command: dns-server <ipv6-address> [<ipv6-address-2>]
no dns-server
Comments: ipv6-address – DNS server IPv6 address; ipv6-address-2 – second DNS server IPv6 address
Notes:
• Repeating this command replaces the previous one.
• ipv6-address-2 must be different from ipv6-address.

Task: Configuring domain search list (DHCPv6 option 24)
Command: domain-search-list <domain-name>
no domain-search-list [<domain-name>]
Comments: domain-name – 1-255 character string
Notes:
• Repeating this command adds the name to the list.
• If domain-name is omitted (in the no form), the entire list is deleted.
• If the name is not an FQDN, SecFlow-1p rejects the command and prints: cli_error: Name must be FQDN

Task: Learning pool configuration from DHCPv6 client
Command: [no] learn-from-dhcpv6-client router <router> interface <interface> [stateless]
Comments: router, interface – router interface from which to learn DHCPv6 information
• no learn-from-dhcpv6-client – the DHCPv6 server does not pass to clients information learned from a DHCPv6 client.
• learn-from-dhcpv6-client – the DHCPv6 server passes to clients information learned from a DHCPv6 client, including IP addresses learned from prefix delegation (PD).
• learn-from-dhcpv6-client ... stateless – the DHCPv6 server passes to clients information learned from a DHCPv6 client, except IP addresses learned from PD.
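The flow description above (the client's DUID carried in option 1 and echoed by the server) and the address-prefix lifetime rules in this table (60-8640000 seconds, infinite encoded as 0xffffffff, preferred not greater than valid) can be checked at the byte level. The Python below builds the options a stateful Reply would carry for the lease shown in the show binding output further down: an echoed Client Identifier holding a DUID-LL, and an IA_NA wrapping an IA Address with the lifetimes; it then parses them back. Added example, not RAD code: field layouts follow RFC 3315 (DUIDs in section 9, options in section 22), while the IAID and the T1/T2 choice (0.5 and 0.8 of the preferred lifetime, the RFC's recommendation) are this example's own.

```python
"""Encode/decode the DHCPv6 options of a stateful Reply for one lease.
Added example, not RAD code. Layouts follow RFC 3315; the IAID and the T1/T2
rule (0.5 and 0.8 of the preferred lifetime) are this example's choices."""
import struct
from ipaddress import IPv6Address
from typing import Dict, Tuple, Union

OPTION_CLIENTID, OPTION_IA_NA, OPTION_IAADDR = 1, 3, 5
DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3
INFINITE = 0xFFFFFFFF                        # what "infinite" becomes on the wire
LIFETIME_MIN, LIFETIME_MAX = 60, 8640000     # address-prefix lifetime range (seconds)
Lifetime = Union[int, str]                   # seconds, or the string "infinite"

def option(code: int, body: bytes) -> bytes:
    """option-code (2 octets), option-len (2 octets), option-data."""
    return struct.pack("!HH", code, len(body)) + body

def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def duid_ll(mac: str, hw_type: int = 1) -> bytes:
    """DUID-LL: type 3, hardware type (1 = Ethernet), link-layer address."""
    return struct.pack("!HH", DUID_LL, hw_type) + _mac(mac)

def duid_llt(mac: str, time: int, hw_type: int = 1) -> bytes:
    """DUID-LLT: type 1, hardware type, time (seconds since 2000-01-01 UTC), link-layer address."""
    return struct.pack("!HHI", DUID_LLT, hw_type, time) + _mac(mac)

def duid_en(enterprise: int, identifier: bytes) -> bytes:
    """DUID-EN: type 2, IANA enterprise number, vendor-assigned identifier."""
    return struct.pack("!HI", DUID_EN, enterprise) + identifier

def lifetimes(valid: Lifetime, preferred: Lifetime) -> Tuple[int, int]:
    """Apply the address-prefix rules and return (preferred, valid) in wire order."""
    if valid == "infinite":
        return INFINITE, INFINITE
    for v in (valid, preferred):
        if not LIFETIME_MIN <= int(v) <= LIFETIME_MAX:
            raise ValueError(f"lifetime {v} outside {LIFETIME_MIN}-{LIFETIME_MAX}")
    if int(preferred) > int(valid):
        raise ValueError("Preferred lifetime may not be greater than valid lifetime")
    return int(preferred), int(valid)

def ia_addr(address: str, valid: Lifetime, preferred: Lifetime) -> bytes:
    """IA Address option: 16-octet address, preferred-lifetime, valid-lifetime."""
    p, v = lifetimes(valid, preferred)
    return option(OPTION_IAADDR, IPv6Address(address).packed + struct.pack("!II", p, v))

def ia_na(iaid: int, preferred: int, *addrs: bytes) -> bytes:
    """IA_NA option: IAID, T1, T2, then the IA Address sub-options."""
    t1, t2 = (INFINITE, INFINITE) if preferred == INFINITE else (preferred // 2, preferred * 4 // 5)
    return option(OPTION_IA_NA, struct.pack("!III", iaid, t1, t2) + b"".join(addrs))

def reply_options(duid: bytes, address: str, valid: Lifetime, preferred: Lifetime,
                  iaid: int = 1) -> bytes:
    """Options of a Reply granting one address: echoed Client Identifier plus IA_NA."""
    p, _ = lifetimes(valid, preferred)
    return option(OPTION_CLIENTID, duid) + ia_na(iaid, p, ia_addr(address, valid, preferred))

def parse_options(data: bytes) -> Dict[int, bytes]:
    """Walk a sequence of DHCPv6 options; returns {option-code: option-data}."""
    opts: Dict[int, bytes] = {}
    off = 0
    while off + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, off)
        opts[code] = data[off + 4: off + 4 + length]
        off += 4 + length
    return opts

def iaaddr_lifetimes(ia_na_body: bytes) -> Tuple[int, int]:
    """(preferred, valid) of the IA Address inside an IA_NA body; IAID/T1/T2 are skipped."""
    body = parse_options(ia_na_body[12:])[OPTION_IAADDR]
    return struct.unpack_from("!II", body, 16)    # lifetimes follow the 16-octet address

if __name__ == "__main__":
    msg = reply_options(duid_ll("00:01:02:03:04:05"), "dead:beef:ffff:1::1", 86400, 86400)
    print(msg.hex())
    print(iaaddr_lifetimes(parse_options(msg)[OPTION_IA_NA]))
```

With lifetime 86400 86400 the encoded IA Address carries 0x00015180 twice; with infinite both fields are 0xffffffff, and asking for a preferred lifetime larger than the valid one is rejected with the same wording the device uses.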
Viewing DHCP Server Binding
You can display the DHCPv6 server binding database, which includes all IPv6 addresses that have already
been assigned, the remaining lease time, and the DUIDs of the clients.
 To display the DHCPv6 server binding information:
• At the config>system>dhcpv6-server(1)# prompt, enter show binding.
The DHCPv6 server binding information is displayed.
config>system>dhcp6-server(1)# show binding
Interface           : Ethernet 1
Client DUID         : LL 1 00:01:02:03:04:05
Client IPv6 Address : dead:beef:ffff:1::1/128
State               : Bound
Lease Time (seconds): 86400
Expires (seconds)   : 125
DHCPv6 Server Binding Parameters
Interface – Interface from which the lease request was received
Client DUID – Possible sets of values (depends on DUID type):
• LLT, hardware type (a number), time, link-layer address
• EN, enterprise number, identifier (string)
• LL, hardware type (a number), link-layer address
Client IPv6 Address – Lease IPv6 address / prefix length
State – Binding state. Possible values: Abandoned, Bound, Init, Reconfigure, Release, Renewing, Requesting, Selecting
Lease Time – Lease time in seconds. Possible values: Infinite, <number of seconds>
Expires – Time in seconds until the lease expires. Possible values: Infinite, <number of seconds>
Configuration Errors
The following table lists the messages generated by SecFlow-1p when a configuration error is detected.
Message: No such address
Cause: You tried clearing an IPv6 address that does not exist in the database.
Corrective action: Make sure the address is in the database.

Message: An address cannot be configured more than once
Cause: You configured the same value for address-2 and address.
Corrective action: address-2 must be different from address.

Message: A different prefix name is associated with this interface
Cause: You tried to repeat the command with a different prefix name than previously configured.
Corrective action: Repeat the command with the same prefix name as previously configured.

Message: Address prefix in use in another pool
Cause: You configured another pool with the same prefix.
Corrective action: Configure the pool with a unique address prefix.

Message: DHCP client is configured on this interface
Cause: The DHCPv6 client, server and relay functions are mutually exclusive on an interface. You tried to configure the DHCPv6 server or relay on the same interface on which a DHCPv6 client is enabled.
Corrective action: Use a different interface, or remove the DHCPv6 client from this interface first.

Message: DHCP relay is configured on this interface
Cause: The DHCPv6 client, server and relay functions are mutually exclusive on an interface. You tried to configure the DHCPv6 server or client on the same interface on which a DHCPv6 relay is enabled.
Corrective action: Use a different interface, or remove the DHCPv6 relay from this interface first.

Message: Preferred lifetime may not be greater than valid lifetime
Cause: You configured a preferred lifetime greater than the valid lifetime.
Corrective action: Configure a preferred lifetime not greater than the valid lifetime.

Message: Name must be FQDN
Cause: The domain name configured with the domain-search-list command is not a fully qualified domain name (FQDN).
Corrective action: Configure a fully qualified domain name.
5.6 Management Access Methods
SecFlow-1p can be managed either locally from a terminal directly attached to the serial port, or
remotely, through any port, via SSH, SNMP, Web or NETCONF. Management can be limited by ACLs or
by configuring router ports as non-forwarding (effectively limiting them to management traffic).
Note
The device can be managed with IP only on router 1.
Applicability and Scaling
This feature is applicable to all SecFlow-1p options.
Functional Description
You can enable or disable access to the SecFlow-1p management system via SSH, SNMP, or NETCONF
applications. By disabling SSH, SNMP, or NETCONF, you prevent unauthorized access to the system
when security of the SecFlow-1p IP address has been compromised. When SSH, SNMP, and NETCONF
are disabled, SecFlow-1p can be managed via an ASCII terminal only. A CLI session can be opened locally
from the terminal connected to the dedicated serial port. Additionally, you can enable or disable file
transfer via SFTP/SCP.
Factory Defaults
By default, access is enabled for all the applications.
In the default factory configuration, SecFlow-1p allows management from the OOB management port.
The default factory configuration includes the following:
• Allows untagged management access from the OOB port
• Default IP address of the Router Interface is 169.254.1.1/16
• No default gateway configuration
• Allows local management access using a PC connected to SecFlow-1p:
 When the PC uses DHCP, access to SecFlow-1p is established automatically: with no DHCP server answering, the PC falls back to a 169.254.x.y link-local address (Automatic Private IP Addressing), which is in the same /16 as the device's default address.
• Not backward compatible with user configuration CLI scripts that configure the OOB port
The factory default configuration is only loaded if there is no startup-config or user-default-config (for
example, after executing the factory-default command).
If you copy a script and paste it to the terminal after factory-default-config is loaded, it is important to
verify that the configuration in the script does not conflict with the factory default configuration.
You can delete the factory default configuration. You can also replace the factory-default with a
download of a fresh startup-config, by performing Reset.
You can add an additional IP address over the RI to allow remote access.
When accessing remotely, it is possible to delete the local IP 169.254.1.1/16.
Configuring Management Access
This section describes how to configure general management parameters for SFTP, SNMP, SCP and SSH.
See NETCONF-Based Network Management section for management by NETCONF.
 To configure management access:
1. Navigate to configure management access.
2. At the config>mngmnt>access# prompt, enter the necessary commands according to the tasks
listed below.
Task: Allowing SFTP access
Command: sftp
Comments: Typing no sftp blocks access by SFTP

Task: Allowing SNMP access
Command: snmp
Comments: Typing no sn mp blocks access by SNMP

Task: Allowing SSH (Secure Shell) access
Command: ssh
Comments: Typing no ssh blocks access by SSH

Task: Allowing SCP access
Command: scp
Comments: Typing no scp blocks access by SCP
5.7 Management Ports
SecFlow-1p can be managed either from a serial port set as a console or from remote, through any port.
You can configure the console parameters, including the security timeout and screen size from which
you are accessing the device.
Applicability and Scaling
This feature is applicable to all the device versions.
Factory Defaults
Parameter – Default Value
console-timeout limited – 10 (minutes)
length – 20
serial-port-console – serial-port-console
timeout limited – 10 (minutes)
Task: Defining whether, in case of serial console inactivity, the device remains connected or disconnects after a specified time period
Command: console-timeout forever
console-timeout limited <minutes>
Comments: console-timeout forever – no timeout. If you define a timeout, the value can be 1–60 minutes. The default is 10 minutes.

Task: Defining the terminal screen size (number of rows to display)
Command: length <number-of-rows>
Comments: The number of rows to print before pausing, or 0 for no pausing (no limit on the number of lines displayed). Possible values: 0-255

Task: Using serial port as console
Command: serial-port-console
no serial-port-console
Comments: The serial port configured as console is the last one (the one with the highest number).
After no serial-port-console, management connectivity via the serial port can be resumed in one of the following ways:
• Entering the serial-port-console command via remote access (inband or OOB, via SNMP).
• Resetting to the default configuration with the FD button on the bottom panel (as described in the FD Button section).
Before entering no serial-port-console, verify that remote management access works, since the serial console is otherwise the only way into the device.
Note: If the serial-port-console setting in the running config and in the startup-config (or other configuration file that will be loaded) differ, the device reboots twice.

Task: Defining whether, in case of SSH session inactivity, the device remains connected or disconnects after a specified time period
Command: timeout forever
timeout limited <minutes>
Comments: timeout forever – no timeout. If you define a timeout, the value can be 1–60 minutes. The default is 10 minutes.
5.8 Management Source IP Address
The management source IP address provides a single point of contact for management applications that
interface with SecFlow-1p.
Applicability and Scaling
This feature is applicable to all the device versions.
Functional Description
When a router interface responds to management packets, the responding packet source IP address is
set to the router interface IP address. If the router interface sends a management packet that is not a
response, the packet source IP address is set to the SecFlow-1p management source IP address. If the
management source IP address is not configured or the corresponding router interface is down, the
packet source IP address is set to the router interface IP address. You can configure a single
management source address for IPv4 and IPv6 to be used in all client management applications,
including: SNMPv3 (for trap), RADIUS, TACACS+, Syslog, SNTP, SFTP, and SCP.
Configuring the Management Protocols Source IP Address
 To configure the management protocols source IP address:
1. Navigate to configure management.
The config>mngmnt# prompt is displayed.
2. Type management-address <ip-address>
The management protocols source IP address is set to the specified IP address.
Note: According to the format of the IP address (IPv4 or IPv6), it is saved as the IPv4 or IPv6 management source IP address.
3. To delete the IPv4 or IPv6 management address, type:
no management-address {ipv4 | ipv6}
5.9 NETCONF-Based Network Management
NETCONF/YANG, a management interface equivalent to SNMP/MIB, enables the remote manager to
configure and monitor the device.
• Network Configuration Protocol (NETCONF) 1.1 – a protocol that provides mechanisms to install, manipulate, and delete the configuration of network devices. NETCONF carries configuration data and operations as requests and replies using RPCs encoded in XML over a connection-oriented transport (SSH).
• YANG – a data modeling language used to model configuration and state data manipulated by the NETCONF, NETCONF RPCs, and NETCONF notifications.
Applicability and Scaling
This feature is applicable to all the device versions.
Standards Compliance
The supported NETCONF versions are based on the following standards:
• RFC 6241 (06/2011), Network Configuration Protocol (NETCONF) 1.1
• RFC 6020 (10/2010), YANG 1.0 - A Data Modeling Language for the Network Configuration Protocol (NETCONF)
• RFC 6022, YANG Module for NETCONF Monitoring
• RFC 6243, With-defaults Capability for NETCONF
• RFC 5277, NETCONF Event Notifications
• RFC 6470, NETCONF Base Notifications
Benefits
• Based on transactions, NETCONF reduces the burden on the network management station.
• Error recovery and sequencing tasks are removed from the management side.
• YANG enables writing automatic scripts on the management side. YANG models are richer than MIB, in that you can formally specify capability options, i.e. what is allowed and not allowed on the device. In MIB, you can only write a description.
• Enhanced capabilities, in comparison to SNMP.
Functional Description
NETCONF is a session-based network management protocol that uses XML-encoded remote procedure
calls (RPCs) and configuration data to manage network devices.
The mandatory transport protocol for NETCONF is SSH. The default TCP port assigned for this mapping is
830. A NETCONF server implementation listens for connections to the NETCONF subsystem on this port.
Use of a dedicated port makes it easier for the NETCONF server to identify and filter NETCONF traffic.
The following are characteristics of transactions:
• Transactions are indivisible; all-or-nothing.
• There is no internal order inside a transaction. It is a set of all-at-once changes; not a sequence.
• Parallel transactions do not interfere with each other; no-crosstalk.
• Committed data always-sticks, i.e. it remains in the system even if fail-over, power failure, restart, or more occurs; done-is-done.
The following deployment model shows the communication between the device (NETCONF server;
equivalent to SNMP agent) and management station (NETCONF client; equivalent to SNMP manager).
NETCONF/YANG Deployment Model
Note: NETCONF sessions, similar to CLI sessions, generate session start and session end events. These generated events are added by default to the event log.

NETCONF Support

Configuration Data Stores: <running>, <startup>
• Running and Startup data stores locking
• Copy of Running → Startup
• Copy of Startup → Running (requires reboot)

Base Capabilities
:base:1.1
:writable-running – Direct writes to the <running> configuration data store.
:startup – Separate running and startup configuration data stores.
:rollback-on-error – Upon error in <edit-config> operation, the processing is stopped and the configuration is restored to its previous state.

Other Capabilities
:with-defaults – Default-handling modes supported by the server. The only supported mode is “trim”.
:notifications – The ability to process and send event notifications.
:interleave – The same NETCONF session is used for normal operations and for notifications.

Base Operations
<get> – <get> (filter) → data
<get-config> – <get-config> (source, filter) → data. The only supported Filter type is “subtree”. Subtree filtering: Supports namespace selection, containment nodes, selection nodes, and content match nodes; when a content match node is used, it must be a list key.
<edit-config> – Parameters: Target; Default-operation; Test-option (default behavior is test-then-set); Error-option (stop-on-error, continue-on-error, rollback-on-error); Config.
<copy-config>
<delete-config>
<lock>
<unlock>
<close-session>
<kill-session>

Additional Operations
<get-schema> – per RFC 6022, schema retrieval from the server

Miscellaneous Features
NETCONF sessions – Up to 10 concurrent
AAA – Common NETCONF and CLI users; SSH does the authentication and authorization.
Default credentials – Username = su, Password = 1234
NETCONF port indexes – Ethernet ports on the chassis "main/1", "main/2", etc. (instead of "ethernet 1", "ethernet 2" in CLI).
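The subtree filter rules listed under <get-config> (namespace selection, containment nodes, selection nodes, content match nodes, and the restriction that a content match node must be a list key) decide exactly what a <get> or <get-config> returns, and a filter that violates them fails silently or with an rpc-error. The following Go program is an added example, not RAD's code and not the device's NETCONF server: it implements those rules over a small constructed data store. The namespace urn:example:configure, the configure/port/ethernet node names and the ethernet list keyed by name are invented for the example; the real model names come from the device via <get-schema>.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// node is a generic XML element; the ",any" tag keeps every child element.
type node struct {
	XMLName xml.Name
	Text    string `xml:",chardata"`
	Nodes   []node `xml:",any"`
}

// listKeys names the key leaf of each list in the constructed sample model;
// it is not SecFlow-1p's real YANG (fetch that with <get-schema>).
var listKeys = map[string]string{"ethernet": "name"}

// A content match node is a filter leaf carrying text, e.g. <name>main/1</name>.
func isContentMatch(n node) bool { return len(n.Nodes) == 0 && strings.TrimSpace(n.Text) != "" }

type subtree struct{ err error } // err records a content match node that is not a list key

// match prunes data element d by filter element f (RFC 6241 section 6 rules).
func (s *subtree) match(f, d node) (node, bool) {
	if f.XMLName.Local != d.XMLName.Local || (f.XMLName.Space != "" && f.XMLName.Space != d.XMLName.Space) {
		return node{}, false // namespace selection: a filter without xmlns matches any namespace
	}
	if len(f.Nodes) == 0 {
		if !isContentMatch(f) {
			return d, true // selection node: the whole subtree is returned
		}
		return node{XMLName: d.XMLName, Text: d.Text}, strings.TrimSpace(f.Text) == strings.TrimSpace(d.Text)
	}
	out, want, got := node{XMLName: d.XMLName}, 0, 0 // containment node
	for _, fc := range f.Nodes {
		if isContentMatch(fc) {
			if listKeys[d.XMLName.Local] != fc.XMLName.Local {
				s.err = fmt.Errorf("content match on %s/%s is not a list key", d.XMLName.Local, fc.XMLName.Local)
				return node{}, false
			}
			want++
		}
	}
	for _, dc := range d.Nodes {
		for _, fc := range f.Nodes {
			if m, ok := s.match(fc, dc); ok {
				out.Nodes = append(out.Nodes, m)
				if isContentMatch(fc) {
					got++
				}
				break
			}
		}
	}
	if got < want {
		return node{}, false // some content match node was not satisfied
	}
	if want == len(f.Nodes) {
		return d, true // only content match nodes: the entire list entry is selected
	}
	return out, len(out.Nodes) > 0
}

// ApplyFilter runs a <filter type="subtree"> over a <data> document and returns the pruned <data>.
func ApplyFilter(filterXML, dataXML string) (node, error) {
	var f, d node
	err := xml.Unmarshal([]byte(filterXML), &f)
	if err == nil {
		err = xml.Unmarshal([]byte(dataXML), &d)
	}
	out := node{XMLName: d.XMLName}
	if err != nil || len(f.Nodes) == 0 {
		return out, err // parse error, or an empty filter, which selects nothing
	}
	s := &subtree{}
	f.XMLName = d.XMLName // the <filter> element acts as a containment node over <data>
	if pruned, ok := s.match(f, d); ok {
		out = pruned
	}
	return out, s.err
}

// Constructed data store contents and filters; node names and namespace are invented.
const sampleData = `<data><configure xmlns="urn:example:configure"><port>
<ethernet><name>main/1</name><admin-status>up</admin-status><mtu>1500</mtu></ethernet>
<ethernet><name>main/2</name><admin-status>down</admin-status><mtu>9000</mtu></ethernet>
</port></configure></data>`

const filterEntry = `<filter type="subtree"><configure xmlns="urn:example:configure"><port><ethernet><name>main/2</name></ethernet></port></configure></filter>`
const filterLeaf = `<filter type="subtree"><configure><port><ethernet><name>main/1</name><mtu/></ethernet></port></configure></filter>`

func main() {
	out, err := ApplyFilter(filterLeaf, sampleData)
	b, _ := xml.MarshalIndent(out, "", "  ")
	fmt.Println(string(b), err)
}
```

Run with go run: filterLeaf returns only the name and mtu leaves of main/1, filterEntry returns the whole main/2 entry because a filter made of content match nodes alone selects the entire list entry, a filter whose configure element carries a different xmlns selects nothing, and a content match on mtu (not the list key) is reported as an error rather than matched.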
YANG Support
All SecFlow-1p features are supported with private YANG models, which are based on the CLI tree and
commands.
The models are organized in hierarchical order. Each private model has its defined prefix, which is used
in the model itself and when imported by other models.
The corresponding file names are the same as the model name with the extension “.yang”.
Prefixes
No.  Module                                        Prefix
1    rad-root                                      root
2    rad-admin                                     admin
3    rad-admin-scheduler                           rad-scheduler
4    rad-admin-software                            software
5    rad-configure                                 configure
6    rad-configure-access-control                  access-control
7    rad-configure-bridge                          bridge
8    rad-configure-crypto                          crypto
9    rad-configure-management                      mgmt
10   rad-configure-management-access               mgmt-access
12   rad-configure-management-netconf              mgmt-netconf
13   rad-configure-management-radius               radius
14   rad-configure-management-snmp                 rad-snmp
15   rad-configure-management-tacacsplus           tacacs
16   rad-configure-oam                             oam
17   rad-configure-oam-twamp                       twamp
18   rad-configure-oam-twamp-controller            twamp-controller
19   rad-configure-oam-twamp-controller-peer       twamp-peer
20   rad-configure-oam-twamp-controller-peer-show  twamp-show
21   rad-configure-oam-twamp-responder             twamp-responder
22   rad-configure-port                            port
23   rad-configure-port-cellular                   cellular
24   rad-configure-port-ethernet                   eth
25   rad-configure-port-ethernet-show              eth-show
28   rad-configure-port-ppp                        ppp
30   rad-configure-port-virtual                    virtual
31   rad-configure-port-virtual-show               virtual-show
32   rad-configure-reporting                       reporting
33   rad-configure-router                          router
34   rad-configure-router-bgp                      bgp
35   rad-configure-router-bgp-show                 bgp-show
36   rad-configure-router-bgp-policy               bgp-policy
37   rad-configure-router-interface                rif
38   rad-configure-router-interface-ospf           rif-ospf
39   rad-configure-router-interface-show           rif-show
40   rad-configure-router-nat                      nat
41   rad-configure-router-ospf                     ospf
42   rad-configure-router-show                     router-show
43   rad-configure-router-tunnel-interface         tunnel-interface
44   rad-configure-system                          system
45   rad-configure-system-date-and-time            tod
46   rad-configure-system-dhcp-server              dhcp-server
47   rad-configure-system-syslog                   syslog
48   rad-configure-virtualization                  virt
49   rad-file                                      file
Note: RAD recommends getting the YANG models of the actual units from the product’s schema, using the <get-schema> NETCONF operation.
CLI commands, not used for configuration tasks, are mapped to YANG RPCs.
Read-only nodes (config false in YANG) are always under “show” containers. The “show” containers are
interleaved with config true nodes, i.e. not in separate state branches. Show commands have an implicit
“all” parameter, i.e. the entire data is provided without a filtering possibility.
NETCONF Notifications
Event notifications can be received over a NETCONF session by means of subscription, which serves as
an agreement and method to receive the notifications. Subscription is bound to the session lifetime.
Using this functionality, SecFlow-1p can:
• Create notification subscription
• Allow event filtering upon subscription creation
• Send event notifications to the NETCONF client as the events occur within the system
• Support replay of locally logged notifications
The same NETCONF session is used for both normal operations and for notifications.
SecFlow-1p supports NETCONF base notifications.
For each RAD generic alarm or event, there is a corresponding private NETCONF notification.
SecFlow-1p supports masking of NETCONF notifications using common alarm module capabilities.
To create a subscription and initiate a flow of notifications, the following message sequence is
established between NETCONF client(C) and server(S). The subscription specifies a <startTime>, so the
server starts by replaying logged notifications.
In the following example, the subscription specifies a <startTime> and <stopTime>, so it starts by
replaying logged notifications. Then it returns to the state of a normal command-response NETCONF
session, after the <replayComplete> and <notificationComplete> notifications are sent, and it is
available to process <rpc> requests.
Subscription Creation
Only the default NETCONF event stream is supported, i.e. the stream that includes all the notifications.
It is not possible to create other event streams.
It is possible to create a single notification subscription per NETCONF session.
Multiple simultaneous notification subscriptions are supported, one subscription per NETCONF session.
Logging and Replay
When NETCONF is enabled, usually, upon the device startup, a designated notification log is created.
This cyclic volatile notification log is large enough to store the last 1000 notifications. The log creation
does not depend on the subscription requests.
Alarm acknowledgement and manual clearing of the alarm log affect neither the notification log, nor
the replayLogCreationTime parameter.
Notification transmission rate in a replay is limited to 10pps in total, for all notification subscriptions.
Replay notifications are sent before any notifications that occurred during the replay. In other words, notifications are sent in ascending order of eventTime.
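The subscription exchange described above (the sequence diagram is not reproduced on this page) together with the rules in Subscription Creation and Logging and Replay, as an added Go example that is not RAD's code and not the device's NETCONF implementation. The client side builds the <create-subscription> request with optional <startTime> and <stopTime>; the server side enforces one subscription per session, the single NETCONF stream, the 1000-entry cyclic log, replay in ascending eventTime, and the <replayComplete> and <notificationComplete> close after which the session handles ordinary <rpc> requests again. The log contents, the rad-alarm element and its namespace are constructed for the example; the 10 pps replay pacing is not modelled.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

const (
	defaultStream = "NETCONF" // the only event stream the device offers
	logCapacity   = 1000      // size of the cyclic volatile notification log
	ntfNS         = "urn:ietf:params:xml:ns:netconf:notification:1.0"
	netmodNS      = "urn:ietf:params:xml:ns:netmod:notification"
)

type Notification struct {
	EventTime time.Time
	Body      string // inner XML of the notification
}

// NotificationLog is created when NETCONF starts, whether or not anyone subscribes.
type NotificationLog struct {
	CreationTime time.Time // reported as replayLogCreationTime
	entries      []Notification
}

func (l *NotificationLog) Add(n Notification) {
	l.entries = append(l.entries, n)
	if len(l.entries) > logCapacity {
		l.entries = l.entries[len(l.entries)-logCapacity:] // drop the oldest
	}
}

// Session carries at most one subscription at a time.
type Session struct{ Subscribed bool }

// CreateSubscriptionRPC is the client's request; start and stop are optional.
func CreateSubscriptionRPC(msgID int, stream string, start, stop *time.Time) string {
	body := "<stream>" + stream + "</stream>"
	if start != nil {
		body += "<startTime>" + start.Format(time.RFC3339) + "</startTime>"
	}
	if stop != nil {
		body += "<stopTime>" + stop.Format(time.RFC3339) + "</stopTime>"
	}
	return fmt.Sprintf(`<rpc message-id="%d" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><create-subscription xmlns=%q>%s</create-subscription></rpc>`, msgID, ntfNS, body)
}

func wrap(n Notification) string {
	return fmt.Sprintf("<notification xmlns=%q><eventTime>%s</eventTime>%s</notification>", ntfNS, n.EventTime.Format(time.RFC3339), n.Body)
}

// Subscribe is the server side: it applies the page's rules and returns what is sent at once,
// the replay in ascending eventTime, then <replayComplete>, then <notificationComplete> if stopTime has passed.
func Subscribe(s *Session, l *NotificationLog, stream string, start, stop *time.Time, now time.Time) ([]string, error) {
	switch {
	case s.Subscribed:
		return nil, errors.New("rpc-error: this session already has a subscription")
	case stream != defaultStream:
		return nil, errors.New("rpc-error: only the default NETCONF stream exists")
	case stop != nil && (start == nil || stop.Before(*start)):
		return nil, errors.New("rpc-error: stopTime requires an earlier startTime")
	}
	s.Subscribed = true
	if start == nil {
		return nil, nil // no replay requested: only future events are delivered
	}
	entries := append([]Notification(nil), l.entries...)
	sort.Slice(entries, func(i, j int) bool { return entries[i].EventTime.Before(entries[j].EventTime) })
	var out []string
	for _, n := range entries {
		if !n.EventTime.Before(*start) && (stop == nil || !n.EventTime.After(*stop)) {
			out = append(out, wrap(n))
		}
	}
	out = append(out, wrap(Notification{now, fmt.Sprintf("<replayComplete xmlns=%q/>", netmodNS)}))
	if stop != nil && !stop.After(now) {
		out = append(out, wrap(Notification{now, fmt.Sprintf("<notificationComplete xmlns=%q/>", netmodNS)}))
		s.Subscribed = false // the session is back to ordinary <rpc> handling
	}
	return out, nil
}

// sampleLog is a constructed log: two base notifications and one private alarm (rad-alarm and its namespace are invented).
func sampleLog(base time.Time) *NotificationLog {
	l := &NotificationLog{CreationTime: base}
	l.Add(Notification{base.Add(1 * time.Minute), `<netconf-session-start xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications"><username>su</username><session-id>1</session-id></netconf-session-start>`})
	l.Add(Notification{base.Add(2 * time.Minute), `<rad-alarm xmlns="urn:example:rad-alarm"><source-id>main/2</source-id><severity>major</severity></rad-alarm>`})
	l.Add(Notification{base.Add(5 * time.Minute), `<netconf-session-end xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications"><session-id>1</session-id></netconf-session-end>`})
	return l
}

func main() {
	base := time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC)
	stop := base.Add(3 * time.Minute)
	out, err := Subscribe(&Session{}, sampleLog(base), defaultStream, &base, &stop, base.Add(10*time.Minute))
	fmt.Println(CreateSubscriptionRPC(101, defaultStream, &base, &stop), len(out), err)
}
```

With a window of base to base+3 minutes, the server replays the session-start and alarm notifications (not the session-end at +5 minutes), follows them with <replayComplete>, and because the stopTime already lies in the past, ends the subscription with <notificationComplete>; a second <create-subscription> on the same still-subscribed session, or one naming a stream other than NETCONF, is answered with an rpc-error.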
Standard Notifications
The following standard notifications are supported:
• netconf-capability-change - Generated when the NETCONF server detects that the server capabilities have changed
• netconf-session-start - Generated when a NETCONF server detects that a NETCONF session has started
• netconf-session-end - Generated when a NETCONF server detects that a NETCONF session has terminated
Standard YANG model as per RFC 6470 is supported.
Private Notifications
Private notifications are associated with RAD common (generic) alarms and events. When an alarm or
event is generated, the corresponding NETCONF notification is generated as well.
A private notification includes the following attributes:
• Source ID - the name of the entity that caused the notification
• Description - the compound description of the notification
• Severity - severity values according to ITU-T X.733
• Clear Reason - the reason for clearing the alarm (relevant only for cleared alarms)
Notification transmission rate is limited to 10pps in total, for all notification subscriptions.
Private notifications can be masked using the relevant reporting CLI commands, e.g. alarm-source-attribute, mask-minimum-severity.
Factory Defaults
The following is the default configuration of NETCONF.
Parameter            Description or value
inactivity-timeout   time 10 (ten minutes)
no shutdown          NETCONF is enabled.
Configuring NETCONF Parameters
 To configure NETCONF parameters:
1. Navigate to configure management netconf.
The config>mngmnt>netconf# prompt is displayed.
2. Enter all necessary commands according to the tasks listed below.
Task: Defining NETCONF session inactivity timeout
Command: inactivity-timeout {time <minutes> | infinite}
Comments: minutes: 1-60

Task: Disabling NETCONF
Command: shutdown
Comments: Type no shutdown to enable NETCONF.
Examples
 To configure NETCONF session inactivity timeout to 15 minutes:
config>mngmnt>netconf# inactivity-timeout time 15
config>mngmnt>netconf#
 To configure NETCONF session inactivity timeout to be infinite:
config>mngmnt>netconf# inactivity-timeout infinite
 To disable NETCONF:
config>mngmnt>netconf# shutdown
5.10 Public Key Infrastructure
SecFlow-1p supports X.509 standard that provides infrastructure for public key certificates. It is used in
various applications, such as Zero Touch configuration.
Applicability and Scaling
This feature is applicable to all the device versions.
The certificates supported by SecFlow-1p have CER format and PEM encoding. Other formats and encodings of certificate files should be converted to CER and PEM before you can use them in SecFlow-1p. Authentication with a Certificate Authority allows secure communication over a public network with off-net Zero Touch provisioning.
Standards Compliance
RFC 5280 Internet X.509 Public Key Infrastructure Certificate
Functional Description
The certificate is used for initial authentication when SecFlow-1p applies to a third-party entity to
establish a secured tunnel or secured association (SA). When the SA (SSL, TLS) is established, it starts
with a mutual handshake process, when each side of SA has to provide authentication (mutual
authentication). It is secure and handy to use X.509 certificates (using RSA keys) during the process.
When both sides proved their authentication, they can proceed, exchange the keys and start to encrypt
the transmitted packets.
A certificate signed by RAD’s CA can be provided to each device.
There are two types of certificates to check the identity of the opposite side:
• device certificate
• CA server certificate
Signing the device’s certificate is done by a private key of the CA. CA has a public key and a private key.
The public key is located in its certificate. When the device certificate is created, it is sent to the CA
server, which signs the certificate with its private key and returns it to the sender. At the end of the
process, the device certificate is created that relates, for example, the serial number of the device with
the public key of the device and all is signed in a secured way by the private key of the CA server.
For authentication, it is enough to send the device certificate. The other side can see the public key of
the device is related to the same device with a specific serial number. Now, it should be proved that the
certificate is authentic. The other side should have the certificate of CA. It takes the CA certificate
(containing the CA public key), runs it over the signature made by the private key of the CA and sees if it
is authentic. It means that binding (serial number and the device public key) is authentic and secure. It
can then identify the device by its public key.
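The signing and verification steps just described, as an added Go example that is not RAD's CA, not the device firmware and not the SCEP enrollment flow of the next section. It uses Go's standard crypto/x509 to play the three parties: the device generates an RSA key pair and a CSR that binds its serial number (the subject serialNumber attribute) to its public key; the CA checks the CSR's own signature and issues the device certificate signed with the CA private key; the peer, holding only the CA certificate, verifies that signature and the validity period and then reads the serial number it vouches for. The CA name, the host name secflow-1p.example and the serial number SN-CONSTRUCTED-0001 are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA makes a CA key pair and its self-signed certificate, the one thing a
// peer must already hold before it can check a device certificate.
func newCA(name string, now time.Time) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// deviceCSR is the device's part: generate its RSA key pair and a CSR that
// binds its hardware serial number (subject serialNumber) to its public key.
func deviceCSR(hwSerial string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	subject := pkix.Name{CommonName: "secflow-1p.example", SerialNumber: hwSerial} // constructed names
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key)
	return key, der, err
}

// caSign is the CA server's part: check the CSR's own signature (proof that the
// requester holds the private key), then issue a certificate over the CSR's
// subject and public key, signed with the CA private key.
func caSign(caKey *rsa.PrivateKey, caCert *x509.Certificate, csrDER []byte, now time.Time) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), Subject: csr.Subject,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyDevice is the peer's part, with only the CA certificate in hand: check
// the CA signature and validity period of the device certificate, then read
// the serial number that signature vouches for.
func verifyDevice(devCert, caCert *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := devCert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return "", err
	}
	if devCert.Subject.SerialNumber == "" {
		return "", errors.New("certificate carries no device serial number")
	}
	return devCert.Subject.SerialNumber, nil
}

func main() {
	now := time.Now()
	caKey, caCert, err := newCA("Example CA (constructed)", now)
	_, csr, err2 := deviceCSR("SN-CONSTRUCTED-0001") // the device key stays on the device; only the CSR travels
	if err != nil || err2 != nil {
		panic("key generation failed")
	}
	devCert, err := caSign(caKey, caCert, csr, now)
	if err != nil {
		panic(err)
	}
	fmt.Println(verifyDevice(devCert, caCert, now))                   // serial, <nil>
	_, otherCA, _ := newCA("Unrelated CA (constructed)", now)
	fmt.Println(verifyDevice(devCert, otherCA, now))                  // "", unknown authority
	fmt.Println(verifyDevice(devCert, caCert, now.Add(48*time.Hour))) // "", expired
}
```

The last two calls show why the peer needs the right CA certificate and a correct clock: the same device certificate fails against an unrelated CA (the signature was not made by that CA's private key) and fails once its validity period has ended, even though the serial-number-to-key binding inside it is unchanged.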
Factory Defaults
By default, no RSA keys are defined.
Configuring X.509 Entities
This section describes how to manage SecFlow-1p certificates and keys.
 To configure RSA keys:
1. Navigate to configure crypto key.
2. Enter all necessary commands according to the tasks listed below.

Task: Deleting RSA key pair
Command: delete-rsa label <key-name>

Task: Generating RSA key pair
Command: generate-rsa [label <key-name>]
Comments: <key-name> – If a label is not specified, the device uses a string combining the configured host name and IP domain name, with a dot between them, if both are non-empty strings. The key-name should be up to 64 characters.

Task: Importing RSA key pair
Command: import-rsa key-label <key-name> key-url <key-url>

Task: Displaying own RSA public key
Command: show public-key-rsa
Comments: The command prints all the public RSA keys stored in the device
 To configure public key infrastructure (PKI):
1. Navigate to configure crypto pki.
2. Enter all necessary commands according to the tasks listed below.

Task: Authenticating CA by importing CA certificate
Command: authenticate certificate-name <certificate-name> [certificate-url <url> [fingerprint <fingerprint>]]
Comments: The certificate size is limited to 64kB. certificate-url – CA certificate URL

Task: Deleting the certificate
Command: delete-certificate certificate-name <certificate-name>

Task: Deleting the CRL
Command: delete-crl crl-name <crl-name>

Task: Creating CSR for enrollment by a CA
Command: enroll [certificate-folder-url <certificate-folder-url>] [certificate-name <certificate-name>] [fingerprint <fingerprint>] [common-name <cn>] [locality <locality>] [state <state>] [email <email>] [organization <org>] [organizational-unit <ou>] [country <country>] [challenge-password <password>] [serial-number {dmi | value <serial-number>}]
Comments:
<certificate-folder-url>: string 1-200 characters. The following formats are valid:
• TFTP: tftp://<server-ip-address>/<path> or tftp://<server-hostname>/<path>
• SCEP: http://<ca-ip-address>/<path> or http://<ca-hostname>/<path>
Before enrolling with SCEP, you must import the certificate of the signing CA (with the authenticate command).
Make sure not to set every parameter-string value with its maximum length, keeping in mind that the total maximum CLI command length is up to 650 characters.
<fingerprint>: string 1-128 characters. Certificate name and fingerprint are only used by SCEP (other methods require them in the import command).
<common-name> (string up to 64 characters): CSR common name that you can specify. If it is not specified, the device uses the configured <hostname>.<IP domain name> (or <hostname> if the domain name is not configured).
<locality>: string 1-128 characters
<state>: string 1-128 characters
<email>: string 1-128 characters
<org>: string 1-64 characters describing the organization
<ou>: string 1-32 characters describing the organizational unit
<country>: ISO 3166 two-letter country code
<password>: string 1-80 characters; this password is not part of the certificate; you should save it in a secured place, as it may be asked by the CA manager in the case when changes (e.g. revoking the certificate) are desired
serial-number: device hardware serial number:
• dmi (the serial number is taken from the linux command dmidecode -s system-serial-number)
• value <0-64 characters>

Task: Exporting CRL
Command: export-crl crl-name <crl-local-name> url <destination-url>

Task: Importing certificate
Command: import-certificate certificate-name <certificate-name> [certificate-url <url> [fingerprint <fingerprint-string>]]

Task: Importing CRL
Command: import-crl crl-name <crl-local-name> crl-url <crl-url>

Task: Creating permanent self-signed certificate
Command: self-sign-certificate certificate-name <certificate-name> [common-name <cn>]

Task: Displaying certificates stored in the device
Command: show certificate-summary [owner {self|ca}] [{valid-only|invalid-only}]

Task: Displaying a certificate by name
Command: show certificate certificate-name <certificate-name>

Task: Displaying all the CRLs in the device
Command: show crl-summary
Configuration Errors
The following table lists the messages generated by SecFlow-1p when a configuration error is detected.

Message: Maximum number of RSA keys was exceeded
Cause: You tried configuring more than one pair of RSA keys.
Corrective Action: Currently, only a single pair of keys is supported. Delete the keys and generate a new pair.

Message: Common name (hostname.ip-domain-name) too long
Cause: The common name comprised of “hostname” and “ip-domain-name” exceeds 64 characters.
Corrective Action: Specify a common name that is less than 64 characters.

Message: Common name too long
Cause: You specified a CSR common name that exceeds 64 characters.
Corrective Action: Specify a common name that is less than 64 characters.

Message: No RSA keys found
Cause: You tried displaying the missing keys.
Corrective Action: Set a new pair of RSA keys or wait till the end of the key generation process.

Message: Illegal character; command aborted
Cause: You entered a non-printable character.
Corrective Action: Repeat your input with printable characters only.

Message: File is too big; command aborted
Cause: You tried using a certificate file that is too large.
Corrective Action: Use certificates whose size does not exceed 64kB.

Message: Invalid certificate; command aborted
Cause: You entered an invalid certificate.
Corrective Action: Enter a valid certificate.

Message: CA name cannot be resolved; command aborted
Cause: CA name does not match one configured or received by DNS.
Corrective Action: Provide another CA name, check the path and connection to the server.

Message: TFTP to the CA failed; command aborted
Cause: TFTP connection to CA fails.
Corrective Action: Check the path and connection to TFTP.

Message: Wrong fingerprint; command aborted
Cause: The fingerprint does not match the one in the certificate.
Corrective Action: Verify the fingerprint.

Message: RSA label (name) already exists
Cause: The specified key-name already exists.
Corrective Action: Specify another key-name.

Message: RSA key does not exist
Cause: You tried to delete a nonexistent RSA key.

Message: Certificate name already exists
Cause: A certificate of this name exists.
Corrective Action: Specify another certificate name.

Message: No such certificate
Cause: A certificate of this name does not exist.

Message: Certificate name must be specified
Cause: In case of SCEP, certificate name must be specified.

Message: Certificate name is only used by SCEP
Cause: You specified a certificate name with a method other than SCEP.

Message: Fingerprint is only used by SCEP
Cause: You specified a fingerprint with a method other than SCEP.

Message: Cannot find valid CA certificate that was imported with SCEP
Cause: You are trying to enroll without a valid CA certificate that was imported with SCEP.

Message: Cannot find CA certificate for authentication
Cause: You are trying to enroll without a valid CA certificate for authentication.

Message: Cannot find CA certificate for encryption
Cause: You are trying to enroll without a valid CA certificate for encryption.

Message: No such CRL
Cause: The CRL to delete or export does not exist.

Message: CRL name already exists
Cause: A CRL of this name already exists.
Corrective Action: Specify another CRL-name.

Message: CA address must be a valid unicast IP address
Cause: You entered an invalid IP address.
Corrective Action: Enter a unicast IPv4 or IPv6 address.

Message: This CA is not configured
Cause: No CA with ca-ip-address or ca-hostname is configured.
Viewing Certificates Status
 To display the SecFlow-1p CA-signed or self-signed certificates:
config>crypto# pki show certificate self
# Certificate data:
-----BEGIN CERTIFICATE-----
MIIDTjCCAjYCAXgwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMCSUwxEzARBgNV
...
-----END CERTIFICATE-----
config>crypto# pki show certificate ca
# Certificate data:
-----BEGIN CERTIFICATE-----
MIIDlzCCAn+gAwIBAgIJAIgL2Jgnyb72MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV
...
-----END CERTIFICATE-----
5.11 SNMPv3 Management
Simple Network Management Protocol (SNMP) is an application layer protocol that provides a message
format for communication between managers and agents.
SecFlow-1p supports SNMPv3, the latest SNMP version to date, including SNMPv2 coexistence mode.
SNMPv3 provides secure access to devices in the network by using authentication and data encryption.
SNMP allows you to remotely manage multiple units from a central workstation using a network
management system.
SNMPv3 allows data to be collected securely from SNMP devices. Confidential information such as
SNMP commands can thus be encrypted to prevent unauthorized parties from being able to access
them.
Note
SNMPv1 is not supported.
Applicability and Scaling
This feature is applicable to all the device versions.
Standards Compliance
The supported SNMP versions are based on the following standards:
• RFC 1901, Introduction to Community-Based SNMPv2. SNMPv2 Working Group
• RFC 1902, Structure of Management Information for Version 2 of the Simple Network Management Protocol (SNMPv2). SNMPv2 Working Group
• RFC 1903, Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2). SNMPv2 Working Group
• RFC 1904, Conformance Statements for Version 2 of the Simple Network Management Protocol (SNMPv2). SNMPv2 Working Group
• RFC 1905, Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2). SNMPv2 Working Group
• RFC 1906, Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)
• RFC 1907, Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2). SNMPv2 Working Group
• RFC 1908, Coexistence between Version 1 and Version 2 of the Internet-standard Network Management Framework. SNMPv2 Working Group
• RFC 2104, Keyed Hashing for Message Authentication
• RFC 2271, Architecture for Describing SNMP Management Frameworks
• RFC 2272, Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
• RFC 2273, SNMPv3 Applications
• RFC 2274, User-Based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
• RFC 2275, View-Based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
• RFC 3412, Version 3 Message Processing and Dispatching
• RFC 3414, User-based Security Model for SNMPv3
• RFC 3416, Update for RFC 1904
Functional Description
In an SNMP configuration, one or more administrative computers manage a group of hosts or devices.
Each managed system continuously executes a software component called agent, which reports
information via SNMP back to the managing workstations.
Factory Defaults
The following is the default configuration of the SNMP parameters:
• SNMP engine ID set to device MAC address
• View named “internet” providing access to IETF MIBs and IEEE MIBs
• User named "initial", with security level no authentication and no privacy
• Group for SNMPv3 named "initial":
  – Security levels – no authentication and no privacy, authentication and no privacy, authentication and privacy
  – User – “initial”
  – Views for read/write/notify – "internet"
• Notifications with tag “unmasked” for the device traps
Configuring SNMPv3 Parameters
SNMPv3 provides secure SNMP access to the device by authenticating and encrypting packets
transmitted over the network.
The SNMPv3 manager application in RADview-EMS provides a user-friendly GUI interface to configure
SNMPv3 parameters. If you intend to use it, you must first use the device CLI to create users with the
required encryption method and security level, as the application can create users based only on
existing users; the new user has the same encryption method, and the same security level or lower. The
SecFlow-1p default configuration provides one standard user named “initial” with no encryption and the
lowest security level (see Factory Defaults for details).
A Network Management Station (NMS) relies on traps in order to display device alarms. As traps are not
reliable, the NMS needs to be aware which traps got lost and be able to ask a device to resend them.
This mechanism is called trap synchronization.
NMSs (targets; such as RADview or third party) may be organized into trap sync groups in order to
provide redundancy between these NMSs. You can define the tags and target parameters in each trap
sync group – for example, you can define one trap sync group for critical alarms such as linkDown and
coldStart, and another group for all other traps.
Each trap is sent to all targets attached to the group, and therefore it is recommended to set identical
traps masking for all group members.
Note:
• SecFlow-1p supports up to ten trap synchronization groups.
• A single trap synchronization group can support multiple NMS.
• If you would like all NMS to receive all traps, there is no need to configure trap synchronization groups.
Follow this procedure to configure SNMPv3:
1. Set SNMP engine ID if necessary.
2. Add users, specifying authentication protocol and privacy protocol.
3. Add groups, specifying security level, protocol, and views.
4. Connect users to groups.
5. Add notification entries with assigned traps and tags.
6. Configure target parameter sets to be used for targets.
7. Configure targets (SNMPv3 network management stations to which SecFlow-1p should send
trap notifications), specifying target parameter sets, notification tags, and trap synchronization
groups if applicable.
 To configure SNMPv3 parameters:
1. Navigate to configure management snmp.
The config>mngmnt>snmp# prompt is displayed.
2. Enter all necessary commands according to the tasks listed below.
Note
When you enter password parameters, they should contain at least eight
characters
Task
Command
Level
Comments
Configuring group
access-group <group-name>
{ snmpv1c | snmpv2c | usm }
{ no-auth-no-priv | auth-no-priv
| auth-priv }
snmp
Entering no access-group <groupname> {snmpv1|snmpv2c|usm}
{no-auth-no-priv| auth-nopriv|auth-priv} deletes the group.
Task: Defining how to match the context sent in frames by the NMS
  Command: context-match {exact | prefix}
  Level: snmp>access-group
  Comments: exact – Match the entire context. prefix – Match the first part of the context. Note: SecFlow-1p automatically identifies the NMS context, therefore you can configure exact match. Normally prefix is used for devices with multiple instances.

Task: Setting view for traps
  Command: notify-view <name>
  Level: snmp>access-group
  Comments: See the description of the view command for information on how to limit the parts of the MIB hierarchy that the view can access.

Task: Setting view with read-only access
  Command: read-view <name>
  Level: snmp>access-group

Task: Setting view with write access
  Command: write-view <name>
  Level: snmp>access-group

Task: Administratively enabling group
  Command: no shutdown
  Level: snmp>access-group
  Comments: Using shutdown disables the group.

Task: Enabling bootstrap notification
  Command: bootstrap-notification
  Level: snmp
  Comments: Entering no bootstrap-notification disables bootstrap notification.

Task: Configuring community
  Command: community <community-index>
  Level: snmp

Task: Configuring name
  Command: name <community-string>
  Level: snmp>community

Task: Configuring security name
  Command: sec-name <security-name>
  Level: snmp>community

Task: Configuring transport tag
  Command: tag <transport-tag>
  Level: snmp>community
  Comments: This should normally be left set to the default value.

Task: Administratively enabling community
  Command: no shutdown
  Level: snmp>community
  Comments: Entering shutdown disables the community.

Task: Notifying of configuration change
  Command: config-change-notification
  Level: snmp
  Comments: Entering no config-change-notification disables notification of configuration changes.

Task: Configuring notification
  Command: notify <notify-name>
  Level: snmp
Task: Assigning trap to notification
  Command: bind <trap-name>
  Level: snmp>notify
  Comments: You can assign more than one trap to a notification, in separate commands.

Task: Assigning tag to notification, to be used to identify the notification entry when configuring target
  Command: tag <tag-value>
  Level: snmp>notify

Task: Administratively enabling notification
  Command: no shutdown
  Level: snmp>notify

Task: Configuring notification filter to define access to a particular part of the MIB hierarchy for trap variables
  Command: notify-filter <name> <sub-tree-oid>
  Level: snmp
  Comments:
  • name – Name of filter
  • sub-tree-oid – OID that defines the MIB subtree

Task: Specifying the part of the subtree OID to use in order to define the MIB subtree
  Command: mask [<mask>]
  Level: snmp>notify-filter
  Comments: The mask is comprised of binary digits (for example, the mask 1.1.1 converts OID 1.3.6.7.8 to 1.3.6). It is not necessary to specify a mask if sub-tree-oid is the OID that should be used to define the MIB subtree.

Task: Defining whether traps with trap variables belonging to the MIB subtree are sent
  Command: type {included | excluded}
  Level: snmp>notify-filter
  Comments:
  • included – Traps with trap variables belonging to the MIB subtree are sent.
  • excluded – Traps with trap variables belonging to the MIB subtree are not sent.

Task: Administratively enabling notification filter
  Command: no shutdown
  Level: snmp>notify-filter

Task: Configuring notification filter profile
  Command: notify-filter-profile <params-name>
  Level: snmp
  Comments: params-name – specifies the target parameter set to associate with the profile
Task: Configuring notification filter profile name
  Command: profile-name <argument>
  Level: snmp>filter-profile
  Comments: argument – specifies the notification filter to associate with the profile

Task: Administratively enabling notification filter profile
  Command: no shutdown
  Level: snmp>filter-profile

Task: Connecting security name to group (e.g. connecting user or community to group)
  Command: security-to-group {snmpv2c | usm} sec-name <security-name>
  Level: snmp
  Comments: Using no security-to-group removes the security-to-group entity.

Task: Specifying group to which to connect security name
  Command: group-name <group-name>
  Level: snmp>security-to-group

Task: Administratively enabling security-to-group entity
  Command: no shutdown
  Level: snmp>security-to-group
  Comments: Using shutdown disables the security-to-group entity.

Task: Setting SNMP engine ID, as MAC address, IPv4 address, IPv6 address, or string
  Command: snmp-engine-id mac [<mac-address>]
           snmp-engine-id ipv4 [<ip-address>]
           snmp-engine-id ipv6 [<ip-address>]
           snmp-engine-id text <string>
  Level: snmp
  Comments: If you use the mac option and don’t specify the MAC address, the SNMP engine ID is set to the device MAC address. If you use the ipv4 or ipv6 option and don’t specify the IP address, the SNMP engine ID is set to the device IP address.

Task: Configuring target (SNMPv3 network manager)
  Command: target <target-name>
  Level: snmp
  Comments: Using no target removes the target.

Task: Specifying target address as IP address or OAM port
  Command: address udp-domain <ip-address>
           address oam-domain <oam-port>
  Level: snmp>target
Task: Assigning tag(s) to target (the tag(s) must be defined in notification entries)
  Command: tag-list [<tag>]
           tag-list [<tag1> <tag2> … <tagn>]
  Level: snmp>target
  Comments: If you specify more than one tag, you must enclose the list in quotes; however, if you are specifying just one tag, the quotes are optional.

Task: Specifying set of target parameters for target
  Command: target-params <params-name>
  Level: snmp>target

Task: Specifying the trap synchronization group to be associated with the SNMP target (NMS)
  Command: trap-sync-group <group-id>
  Level: snmp>target
  Comments:
  • If the group does not exist, it is created.
  • Enter no trap-sync-group <group-id> to remove the manager (NMS) from the group. If the removed manager was the last to be associated with the trap-sync-group, the group is automatically deleted.
  • SecFlow-1p supports up to ten trap synchronization groups.

Task: Administratively enabling target
  Command: no shutdown
  Level: snmp>target
  Comments: Using shutdown disables the target.

Task: Configuring set of target parameters, to be assigned to target
  Command: target-params <target-param-name>
  Level: snmp
  Comments: Using no target-params removes the target parameters.

Task: Specifying message processing model (SNMP version) to be used when generating SNMP messages for the set of target parameters
  Command: message-processing-model {snmpv1 | snmpv2c | snmpv3}
  Level: snmp>target
Task: Specifying user on whose behalf SNMP messages are to be generated for the set of target parameters
  Command: security [name <security-name>] [level {no-auth-no-priv | auth-no-priv | auth-priv}]
  Level: snmp>target

Task: Specifying SNMP version to be used when generating SNMP messages for the set of target parameters
  Command: version {snmpv1 | snmpv2c | usm}
  Level: snmp>target
  Comments: Use usm for SNMPv3 version.

Task: Administratively enabling target parameters
  Command: no shutdown
  Level: snmp>target-params
  Comments: Using shutdown disables the target parameters.

Task: Configuring target parameters and tags for trap synchronization group
  Command: trap-sync-group <group-id>
  Level: snmp
  Comments: The trap synchronization group must be previously defined at the target level.

Task: Specifying tags in trap-sync-group
  Command: tag-list <list>
  Level: snmp>trap-sync-group
  Comments: To remove the tag list, enter: no tag-list.

Task: Specifying set of target parameters in trap-sync-group
  Command: target-params <params-name>
  Level: snmp>trap-sync-group
  Comments: To remove the set of target parameters, enter: no target-params <params-name>.

Task: Configuring user
  Command: user <security-name> [md5-auth [{des | aes128 | none}]]
           user <security-name> [sha-auth [{des | aes128 | none}]]
           user <security-name> [none-auth]
  Level: snmp
  Comments: If you don’t specify the authentication method when creating a user, the default is MD5 with DES privacy protocol. To create a user with no authentication, specify none-auth. Typing no user <security-name> deletes the user.
Task: Setting user authentication password and optional key for changes
  Command: authentication [password <password>] [key <key-change>]
  Level: snmp>user
  Comments: Using no authentication disables the authentication protocol.

Task: Setting user privacy password and optional key for changes
  Command: privacy [password <password>] [key <key-change>]
  Level: snmp>user
  Comments: Using no privacy disables the privacy protocol. Note: Password minimum length is 10 for AES128 and 8 for DES.

Task: Administratively enabling user
  Command: no shutdown
  Level: snmp>user
  Comments:
  • You must define the authentication and privacy method before you can enable the user, unless the user was defined with no authentication (none-auth).
  • Using shutdown disables the user.

Task: Defining access to a particular part of the MIB hierarchy
  Command: view <view-name> <sub-tree-oid>
  Level: snmp
  Comments: view-name – name of view, which can be associated to a group as a notify, read, or write view. sub-tree-oid – OID that defines the MIB subtree (for example 1.3.6.1 represents the Internet hierarchy).

Task: Specifying the part of the subtree OID to use in order to define the MIB subtree
  Command: mask <mask>
  Level: snmp>view
  Comments: The mask is comprised of binary digits (for example, the mask 1.1.1 converts OID 1.3.6.7.8 to 1.3.6). It is not necessary to specify a mask if sub-tree-oid is the OID that should be used to define the MIB subtree.

Task: Defining whether access to the MIB subtree is allowed
  Command: type {included | excluded}
  Level: snmp>view
  Comments: included – Allow access to the subtree. excluded – Do not allow access to the subtree.

Task: Administratively enabling view
  Command: no shutdown
  Level: snmp>view
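The mask rule described for both the notify-filter and the view commands (a subtree OID plus binary digits, where mask 1.1.1 reduces 1.3.6.7.8 to 1.3.6) is easier to reason about with code. The following Python is an added example, my own and not part of the SecFlow-1p manual or software. It treats a mask digit 1 as "compare this position", 0 as "wildcard", and drops positions beyond the mask's length; that last rule is my reading of the manual's example and differs from the RFC 3415 VACM convention, where positions past the mask are still compared. The precedence rule for overlapping view entries (longest subtree wins, so an excluded entry carves a hole out of an included one) is likewise an assumption borrowed from RFC 3415, and the view entries and OIDs are constructed for the demonstration.

```python
"""OID subtree matching for SNMP views and notify-filters.

Added example, not from the SecFlow-1p manual or software.  Mask semantics
follow the manual's worked case (mask 1.1.1 turns 1.3.6.7.8 into 1.3.6):
digit 1 = compare this position, digit 0 = wildcard, positions beyond the
mask length are dropped.  Entry precedence (longest subtree wins) is an
assumption taken from RFC 3415.
"""
from typing import List, Optional, Tuple

# A pattern is a list of (component, must_match) pairs.
Pattern = List[Tuple[int, bool]]
# A view entry: (sub-tree-oid, mask or None, "included" | "excluded")
ViewEntry = Tuple[str, Optional[str], str]


def parse_oid(oid: str) -> List[int]:
    """'1.3.6.1' -> [1, 3, 6, 1]; a leading dot is tolerated."""
    return [int(part) for part in oid.strip(".").split(".")]


def subtree_pattern(sub_tree_oid: str, mask: Optional[str] = None) -> Pattern:
    """Combine sub-tree-oid with an optional mask of binary digits."""
    comps = parse_oid(sub_tree_oid)
    if mask is None:
        return [(c, True) for c in comps]
    bits = [digit == "1" for digit in mask.split(".")]
    # zip truncates to the shorter list, which implements "positions beyond
    # the mask are dropped" (the manual's 1.1.1 example).
    return [(c, bit) for c, bit in zip(comps, bits)]


def pattern_to_str(pattern: Pattern) -> str:
    """Render a pattern, showing wildcard positions as '*'."""
    return ".".join(str(c) if must else "*" for c, must in pattern)


def oid_in_subtree(oid: str, pattern: Pattern) -> bool:
    """True if oid lies under the subtree described by pattern."""
    comps = parse_oid(oid)
    if len(comps) < len(pattern):
        return False
    return all((not must) or c == p for c, (p, must) in zip(comps, pattern))


def view_allows(oid: str, entries: List[ViewEntry]) -> bool:
    """Evaluate a view made of several entries against one OID.

    The most specific (longest) matching entry decides; an 'excluded'
    entry under an 'included' one carves a hole.  No match means denied.
    """
    best: Optional[Tuple[Pattern, str]] = None
    for sub_tree_oid, mask, entry_type in entries:
        pattern = subtree_pattern(sub_tree_oid, mask)
        if oid_in_subtree(oid, pattern) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, entry_type)
    return best is not None and best[1] == "included"


# Constructed read view: the whole internet tree is readable, except the
# USM user table and every vendor-private subtree (wildcard in position 7).
READ_VIEW: List[ViewEntry] = [
    ("1.3.6.1", None, "included"),
    ("1.3.6.1.6.3.15", None, "excluded"),               # snmpUsmMIB
    ("1.3.6.1.4.1.0", "1.1.1.1.1.1.0", "excluded"),      # 1.3.6.1.4.1.<any>
]

if __name__ == "__main__":
    print(pattern_to_str(subtree_pattern("1.3.6.7.8", "1.1.1")))   # 1.3.6
    print(view_allows("1.3.6.1.2.1.1.5.0", READ_VIEW))              # sysName.0: allowed
    print(view_allows("1.3.6.1.6.3.15.1.2.2.1.3.0", READ_VIEW))     # USM user table: denied
    print(view_allows("1.3.6.1.4.1.42.1.0", READ_VIEW))             # enterprise subtree: denied
```

The wildcard entry shows why a mask is worth checking during review: a single 0 digit widens an entry to every sibling subtree at that position, so a view that was meant to expose one vendor MIB may expose them all.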
Task: Displaying trap synchronization groups and members for SNMPv3 manager groups
  Command: show trap-sync
  Level: snmp

Task: Displaying SNMPv3 information, such as the number of times the SNMPv3 engine has booted, and how long since the last boot
  Command: show snmpv3 information
  Level: snmp

Examples
► To create an SNMPv3 user and connect it to a group:
• User named “MD5_priv”:
  - Security level – MD5 authentication, DES privacy
• Group named "MD5Group":
  - All security levels
  - Contains set of views named "internet" (from default configuration)
exit all
configure management snmp
#********* Configure user MD5_priv with authentication method MD5 with DES privacy protocol
user MD5_priv md5-auth des
privacy password MD654321
authentication password MD654321
no shutdown
exit
#******** Configure access group MD5Group with various authentication and privacy options
access-group MD5Group usm no-auth-no-priv
context-match exact
read-view internet
write-view internet
notify-view internet
no shutdown
exit
access-group MD5Group usm auth-no-priv
context-match exact
read-view internet
write-view internet
notify-view internet
no shutdown
exit
access-group MD5Group usm auth-priv
context-match exact
read-view internet
write-view internet
notify-view internet
no shutdown
exit
#******** Connect user MD5_priv to group MD5Group
security-to-group usm sec-name MD5_priv
group-name MD5Group
no shutdown
exit all
save
► To create notifications:
• Notification named “TrapPort”:
  - Tag=“Port”
  - Bound to ethLos, sfpRemoved
• Notification named “TrapPower”:
  - Tag=“Power”
  - Bound to powerDeliveryFailure, systemDeviceStartup
exit all
configure management snmp
#******** Configure notification TrapPort
notify TrapPort
tag Port
bind ethLos
bind sfpRemoved
no shutdown
exit
#******** Configure notification TrapPower
notify TrapPower
tag Power
bind powerDeliveryFailure
bind systemDeviceStartup
no shutdown
exit all
save
► To create target parameters and target:
• Target parameters named “TargParam1”:
  - Message processing model SNMPv3
  - Version USM
  - User “MD5_priv”
  - Security level authentication and privacy
• Target named “TargNMS1”:
  - Target parameters “TargParam1”
  - Tag list=“Port”, “Power”
  - IP address 192.5.4.3
exit all
configure management snmp
#******** Configure target parameters TargParam1
target-params TargParam1
message-processing-model snmpv3
version usm
security name MD5_priv level auth-priv
no shutdown
exit
#******** Configure target TargNMS1
target TargNMS1
target-params TargParam1
tag-list “port power”
address udp-domain 192.5.4.3
no shutdown
exit
► To create communities, target parameters, and target for network devices that are working with SNMPv1:
• Community “read”:
  - Name: “public”
  - Security name: “v1_read” (defined in default configuration)
• Community “write”:
  - Name: “private”
  - Security name: “v1_write” (defined in default configuration)
• Community “trap”:
  - Name: “public”
  - Security name: “v1_trap” (defined in default configuration)
• Target parameters named “snv1”:
  - Message processing model SNMPv1
  - Version SNMPv1
  - Security name: “v1_trap”
  - Security level: no authentication and no privacy
• Target named “NMSsnmpv1”:
  - Target parameters “snv1”
  - Tag list=“unmasked”
  - IP address 192.5.6.7
exit all
#******** Configure communities
configure management snmp
snmpv3
community read
name public
sec-name v1_read
no shutdown
exit
community write
name private
sec-name v1_write
no shutdown
exit
community trap
name public
sec-name v1_trap
no shutdown
exit
#******** Configure target parameters
target-params snv1
message-processing-model snmpv1
version snmpv1
security name v1_trap level no-auth-no-priv
no shutdown
exit
#******** Configure target
target NMSsnmpv1
target-params snv1
tag-list unmasked
address udp-domain 192.5.6.7
no shutdown
exit all
save
► To display SNMPv3 information:
configure management snmp
config>mngmnt>snmp# show snmpv3 information
SNMPv3           : enable
Boots            : 2
Boots Time (sec) : 102
EngineID         : 800000a4030020d2202416
► To configure trap synchronization:
• Trap synchronization group 1:
  - Members NMS1 and NMS2
  - Target parameters “TargParam1” (from previous example)
  - Tag list=“Port”, “Power” (from previous example)
• Trap synchronization group 2:
  - Members NMS3 and NMS4
exit all
configure management snmp
#******** Configure targets and trap synchronization group
target NMS1
trap-sync-group 1
exit
target NMS2
trap-sync-group 1
exit
target NMS3
trap-sync-group 2
exit
target NMS4
trap-sync-group 2
exit
trap-sync-group 1
tag-list “port power”
target-params TargParam1
exit all
save
► To display trap synchronization configured in the above example:
config>mngmnt>snmp# show trap-sync
Group ID   Member
--------------------------------------------------------------
1          NMS1
1          NMS2
2          NMS3
2          NMS4
5.12 User Access
SecFlow-1p management software allows you to define new users, and their management and access
rights.
Applicability and Scaling
This feature is applicable to all the versions of SecFlow-1p.
Factory Defaults
By default, the following users exist, with default password 1234:
• su
• oper
• tech
• user
• netconf-su
The default users cannot be deleted, but can be disabled (shut down).
Functional Description
SecFlow-1p supports the following user access levels:
• Superuser (su) can perform all the activities supported by the system, including creating new users, changing its own and other users' access levels and passwords, and deleting and disabling other users.
• Operator (oper) can perform all the activities, including those that change configuration permanently. Cannot define, delete, or disable other users.
• Technician (tech) can monitor the device (info, show status, show statistics). Can use commands that may temporarily impair services or traffic but are not saved in the database.
• User (user) can monitor the device (info, show status, show statistics). Can use commands that do not impair services, affect traffic, or change configuration.
• Linux User (linux-user) can access and monitor the device Linux shell. This level can be accessed by a logged-in su. The user invoking this command undergoes re-authentication, after which SecFlow-1p opens a Linux bash shell with read-only rights. The initial SecFlow-1p session is suspended as long as the Linux shell is active. Once the Linux shell is logged off, the initial session resumes with the SecFlow-1p CLI. The inactivity timeout for linux-user is inherited from the underlying su.
• Netconf Superuser (netconf-su) can be used in Netconf sessions only. Can perform all the activities supported by the system, including creating new users, changing its own and other users' access levels and passwords, and deleting and disabling other users.
• Linux Network Administrator (linux-net-admin) has rights to manage networking.
• Linux Technician (linux-tech) has rights to manage virtualization, networking and processes.
The regular, non-Linux users (oper, tech, user) cannot define, delete or disable other users, or change
their own access levels. They are allowed to change their current passwords. All users can view all CLI
levels. Each user can execute its allowed functionality, as well as those of lower levels.
The Linux users do not have SecFlow-1p CLI, and they cannot execute any of its commands.
Caution: Configuration changes made from the Linux shell are not saved in SecFlow-1p configuration files; they may conflict or interfere with SecFlow-1p and may not survive software installation.
In addition to passwords, SecFlow-1p can be configured to use a more robust and secure public key user
authentication method for SSH sessions.
Password Hashing
You can specify a user’s password as a text string or as a hashed value, that you obtain by using info
detail to display user data.
Note:
• User passwords are stored in a database so that the system can perform password verification when a user attempts to log in. To preserve confidentiality of system passwords, the password verification data is typically stored after a one-way hash function is applied to the password, in combination with other data. When a user attempts to log in by entering a password, the same function is applied to the entered value and the result is compared with the stored value.
• A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that any change to the data changes the hash value.
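The note describes the verify-by-rehashing flow in general terms. The following Python is an added example of that flow, my own code and not the device's implementation (this page does not document the device's storage format or what "other data" it combines with the password). It stores a salted SHA-512 digest and verifies a login attempt with a constant-time comparison, and keeps an unsalted SHA-1 digest beside it to show why the salt matters: without it, two users who chose the same password would store identical hashes. The layout used, 16 hex characters of salt followed by the 128-hex-character digest, is my own construction; it happens to be 144 characters long, the length the user table later quotes for a SHA512+SALT hash, but whether the device lays its hash out this way is not stated.

```python
"""Salted one-way password hashing and verification.

Added example, not SecFlow-1p code.  The storage layout (16 hex characters
of salt + 128 hex characters of SHA-512 digest = 144 characters) is my own
construction, not a documented device format.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SALT_HEX_LEN = 16  # 8 random bytes rendered as hex


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Return salt || hex(SHA-512(salt || password)).

    A fresh random salt is drawn when none is given, so two users with the
    same password get different stored values.
    """
    if salt is None:
        salt = secrets.token_hex(SALT_HEX_LEN // 2)
    digest = hashlib.sha512((salt + password).encode("utf-8")).hexdigest()
    return salt + digest


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = stored[:SALT_HEX_LEN]
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def unsalted_sha1(password: str) -> str:
    """Legacy unsalted digest (40 hex characters), for comparison only."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def same_password_same_hash(password: str) -> Tuple[bool, bool]:
    """For two accounts sharing one password, report whether their stored
    values collide: (unsalted SHA-1 equal?, salted SHA-512 equal?)."""
    unsalted_equal = unsalted_sha1(password) == unsalted_sha1(password)
    salted_equal = hash_password(password) == hash_password(password)
    return unsalted_equal, salted_equal


if __name__ == "__main__":
    # "4222" is the constructed sample password used in this section's examples.
    stored = hash_password("4222")
    print(len(stored), verify_password(stored, "4222"), verify_password(stored, "4223"))
    print(same_password_same_hash("4222"))   # (True, False)
```

The constant-time comparison is what keeps the verification step from leaking how many leading characters of the candidate digest were right; a plain `==` on the strings would short-circuit at the first mismatch.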
SSH Authentication
SecFlow-1p supports management by SSHv2, enabling user authentication using one of two methods:
• Password (default) – SecFlow-1p has default usernames and passwords.
• Public key (1024-bit RSA) – more robust and secure
SMS Management
Devices with cellular L1/L3/L4 modems can be managed by SMS. The user can configure one or more
numbers from which commands are accepted, along with the CLI level allowed for each number. The
calling number can be (optionally) verified by a one-time code sent to it.
Note: The device phone number (MSISDN) is displayed in the show status command in the configure>port>cellular level.
Up to 10 authorized numbers allowed to manage the device with SMS can be configured using the
caller-id command in the configure>management>access>sms level. You can also specify the authorized
CLI level (su, oper, tech or user), su being the default.
Callers are independent and can send commands simultaneously. The device executes them in the order
they were received.
You can allow SMS management with and without authentication. If authentication is disabled, any SMS
from a configured caller ID is respected.
When OTP (one time password) authentication is enabled and the device receives an SMS from an
authorized caller, it returns the following SMS, with a random 6-character password:
Verification code: <password>
Send code back via SMS
Do not reply unless you initiated the connection
The caller must return the password by SMS.
If a wrong password is returned, or the password is not returned within 5 minutes, the command is not executed and the device returns the following SMS:
Authentication failed; the command is aborted.
OTP authentication is enabled by default.
The commands sent via SMS are the usual CLI commands, with the following characteristics:
• The command must be a full path command; otherwise it will fail.
• A command may span multiple SMS messages.
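The OTP exchange above is a small protocol: a command from an authorized number is held, a random 6-character code is sent back, and the command runs only if the same number echoes the code within 5 minutes. The following Python models that exchange; it is an added example, my own code and not the device's software. The class and method names, the caller numbers and the code alphabet (upper-case letters and digits) are my assumptions, since the manual only says "6-character"; the challenge and failure texts are the ones quoted above. Each code is single use, a wrong reply aborts the held command, and the clock is injectable so the 5-minute expiry can be exercised without waiting.

```python
"""SMS command authorization with a one-time verification code.

Added example, not SecFlow-1p code.  Models the exchange described in the
manual: a command from an authorized caller-id is held until the caller
echoes back a random 6-character code; a wrong or late (over 5 minutes)
reply aborts the command.  Names, numbers and the code alphabet are my own.
"""
import secrets
import string
import time
from typing import Callable, Dict, Optional, Tuple

OTP_ALPHABET = string.ascii_uppercase + string.digits   # assumption: manual says only "6-character"
OTP_LENGTH = 6
OTP_TTL_SECONDS = 5 * 60

CHALLENGE_TEXT = (
    "Verification code: {code}\n"
    "Send code back via SMS\n"
    "Do not reply unless you initiated the connection"
)
FAILURE_TEXT = "Authentication failed; the command is aborted."


class SmsOtpGate:
    def __init__(self, callers: Dict[str, str], now: Callable[[], float] = time.time) -> None:
        self.callers = dict(callers)   # caller-id (digits, with country prefix) -> allowed CLI level
        self.pending: Dict[str, Tuple[str, float, str]] = {}  # caller -> (code, issued_at, command)
        self.now = now

    def receive_command(self, caller: str, command: str) -> Optional[str]:
        """Return the challenge SMS to send back, or None if the caller is not configured."""
        if caller not in self.callers:
            return None                     # an SMS from an unknown number is simply ignored
        code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
        self.pending[caller] = (code, self.now(), command)   # a newer command replaces a pending one
        return CHALLENGE_TEXT.format(code=code)

    def receive_code(self, caller: str, reply: str) -> Tuple[bool, str]:
        """Return (authenticated, command to execute or failure text). Codes are single use."""
        entry = self.pending.pop(caller, None)
        if entry is None:
            return False, FAILURE_TEXT
        code, issued_at, command = entry
        expired = self.now() - issued_at > OTP_TTL_SECONDS
        # bytes comparison: constant time, and safe for any reply content
        matches = secrets.compare_digest(code.encode(), reply.strip().upper().encode())
        if expired or not matches:
            return False, FAILURE_TEXT
        return True, command

    def level_for(self, caller: str) -> Optional[str]:
        """CLI level the configured caller-id is allowed to use."""
        return self.callers.get(caller)


if __name__ == "__main__":
    # Constructed caller-id and command; the real number is whatever caller-id configured.
    gate = SmsOtpGate({"4915112345678": "oper"})
    print(gate.receive_command("4915112345678", "configure port cellular 1 show status"))
    code = gate.pending["4915112345678"][0]       # in reality this arrives by SMS
    print(gate.receive_code("4915112345678", code))
```

Popping the pending entry before checking the reply is deliberate: one wrong guess discards the held command, so the code cannot be brute-forced by repeated replies to the same challenge, which matches the manual's "command is aborted" behaviour.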
Access Policy
The access policy allows specifying up to three user authentication methods (local, RADIUS, TACACS+). If
an authentication method is not available, the next method is used, if applicable.
It also defines if the Off-Net ZTP (see Off-Net Zero Touch) is used.
Functional Description
Non-Linux users are authenticated by the internal SecFlow-1p system with the methods configured in the auth-policy command in the management>access level (local, TACACS+, or RADIUS).
Note: While non-Linux users can be authenticated with TACACS+ or RADIUS, the Linux and Netconf-su users cannot, as they are limited to local authentication.
Factory Defaults
By default, authentication is via the locally stored database (1st-level local).
Configuring Access Policy
► To define the access policy:
• At the config>mngmnt>access# prompt, enter the necessary commands according to the tasks listed below.
Task: Binding the ACL to a management entity and defining the ACL direction
  Command: access-group <acl-name> in [{ipv4 | ipv6}]
           no access-group in {ipv4 | ipv6}

Task: Specifying authentication method via local database or RADIUS/TACACS+ servers, and the preferable order of methods
  Command: auth-policy 1st-level {local | radius | tacacs+} [2nd-level {local | radius | tacacs+ | none}] [3rd-level {local | none}]
  Comments: SecFlow-1p first attempts authentication via the server specified by 1st-level. If the server does not answer the authentication request, then SecFlow-1p attempts to authenticate via the server specified by 2nd-level. If the server does not answer the authentication request, then SecFlow-1p attempts to authenticate according to 3rd-level:
  • local – SecFlow-1p authenticates via the local database and doesn’t proceed to any further level
  • none – No further authentication is done, and the authentication request is rejected.
  Note: If at any time in this process an authentication server rejects an authentication request, SecFlow-1p ends the authentication process and does not attempt authentication at the next level.

Task: Rejecting default login password
  Command: [no] ban-default-login-password
  Comments: Logging in with the default user password is forbidden.

Task: Selecting a certificate to use for FTPS
  Command: ftps [certificate <certificate-name>]
  Comments: <certificate-name>: 1-64 characters

Task: Defining character combinations that may not be used in a login password
  Command: login-password-black-list <banned-string>
           no login-password-black-list [banned-string]
  Comments: banned-string – String not allowed in login password. Possible values: 4-20 characters string. Typing no login-password-black-list without the [banned-string] results in deleting all the black lists.

Task: Configuring requirements to provide a strong login password
  Command: login-password-properties min-characters <min-characters> min-digits <min-digits> min-symbols <min-symbols> max-consecutive <max-consecutive> lifetime {infinite | days <number>}
           [no] login-password-properties
  Comments:
  min-characters – Minimum number of characters a login password must contain
  min-digits – Minimum number of digits a login password must contain
  min-symbols – Minimum number of non-alphanumeric symbols a login password must contain
  max-consecutive – Maximum number of consecutive (incremental or decremental) alphanumeric characters a login password may contain
  infinite | days <number> – Password lifetime

Task: Enabling/disabling REST get interface and selecting certificate to use for it
  Command: rest-get [certificate <certificate-name>]
           no rest-get
  Comments: <certificate-name>: 1-64 characters

Task: Configuring SMS management
  Command: sms
  Comments: See Configuring SMS Management.

Task: Configuring the acceptable SSH encryption algorithms
  Command: ssh-encryption {all | algorithm <algorithm-1> [algorithm-2] [algorithm-3] [algorithm-4] [algorithm-5] [algorithm-6]}
  Comments: All or any six of the following algorithms can be set:
  • aes-cbc-128
  • aes-cbc-192
  • aes-cbc-256
  • aes-ctr-128
  • aes-ctr-192
  • aes-ctr-256
  • 3des-cbc-168
  • arc4-128
  • arc4-256

Task: Enabling/disabling virtualization REST management and selecting certificate to use for it
  Command: virtualization-rest [certificate <certificate-name>]
           no virtualization-rest
  Comments: <certificate-name>: 1-64 characters

Task: Enabling/disabling web management and selecting certificate to use for it
  Command: web [certificate <certificate-name>]
           no web
  Comments: <certificate-name>: 1-64 characters
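The auth-policy comments above give three rules that are easy to mis-remember: a server that does not answer hands over to the next level, a server that rejects ends the process immediately, and a 3rd-level of none rejects outright. The following Python encodes them so the fallback order can be checked against scenarios; it is an added example, my own and not the device's code. Each level's server is modelled as a callable returning "accept", "reject" or "no-answer"; the parser validates the same level/method combinations the command syntax allows. One case the manual does not state, running out of levels with no server having answered, is treated here as a rejection, which is my assumption.

```python
"""auth-policy fallback order, as the access-policy table describes it.

Added example, not SecFlow-1p code.  Servers are modelled as callables
returning 'accept', 'reject' or 'no-answer'.  Rules encoded: no answer ->
next level; any reject -> stop and reject; 'none' -> reject.  Exhausting
the chain without an answer is treated as a rejection (my assumption).
"""
from typing import Callable, Dict, List

Verdict = str                                   # "accept" | "reject" | "no-answer"
AuthServer = Callable[[str, str], Verdict]      # (user, password) -> verdict

FIRST_LEVEL = {"local", "radius", "tacacs+"}
SECOND_LEVEL = FIRST_LEVEL | {"none"}
THIRD_LEVEL = {"local", "none"}
ALLOWED = {"1st-level": FIRST_LEVEL, "2nd-level": SECOND_LEVEL, "3rd-level": THIRD_LEVEL}


def parse_auth_policy(command: str) -> List[str]:
    """'auth-policy 1st-level radius 2nd-level tacacs+ 3rd-level local'
    -> ['radius', 'tacacs+', 'local'], validating each level's choices."""
    tokens = command.split()
    if tokens[:1] != ["auth-policy"]:
        raise ValueError("not an auth-policy command")
    levels: Dict[str, str] = dict(zip(tokens[1::2], tokens[2::2]))
    for key in levels:
        if key not in ALLOWED:
            raise ValueError(f"unknown keyword {key}")
    if "1st-level" not in levels:
        raise ValueError("1st-level is mandatory")
    chain: List[str] = []
    for name in ("1st-level", "2nd-level", "3rd-level"):
        if name not in levels:
            break
        method = levels[name]
        if method not in ALLOWED[name]:
            raise ValueError(f"{method} is not valid for {name}")
        chain.append(method)
    return chain


def authenticate(chain: List[str], servers: Dict[str, AuthServer], user: str, password: str) -> str:
    """Walk the chain; return 'accepted' or 'rejected'."""
    for method in chain:
        if method == "none":
            return "rejected"                   # no further authentication is done
        verdict = servers[method](user, password)
        if verdict == "accept":
            return "accepted"
        if verdict == "reject":
            return "rejected"                   # a server that answered 'no' ends the process
        # 'no-answer': fall through to the next level
    return "rejected"                           # assumption: no level answered


# Constructed stand-ins for the three authentication sources.
def make_local(db: Dict[str, str]) -> AuthServer:
    """Local database: accepts on exact match, rejects otherwise."""
    return lambda user, pw: "accept" if db.get(user) == pw else "reject"


def unreachable(_user: str, _pw: str) -> Verdict:
    """A RADIUS/TACACS+ server that never answers (timeout)."""
    return "no-answer"


def always_reject(_user: str, _pw: str) -> Verdict:
    """A server that answers and rejects the credentials."""
    return "reject"


if __name__ == "__main__":
    chain = parse_auth_policy("auth-policy 1st-level radius 2nd-level tacacs+ 3rd-level local")
    local = make_local({"staff": "4222"})       # constructed user from this section's examples
    print(authenticate(chain, {"radius": unreachable, "tacacs+": unreachable, "local": local}, "staff", "4222"))
    print(authenticate(chain, {"radius": always_reject, "tacacs+": unreachable, "local": local}, "staff", "4222"))
```

The second scenario is the one to keep in mind when choosing an order: with RADIUS first and local last, a reachable RADIUS server that does not know the account rejects it, and the local database is never consulted. The local fallback only helps when the servers are down, not when they say no.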
Configuring SMS Management
The following commands are available in the sms level, at the configure>management>access>sms#
prompt.
Task: Configuring SMS management authentication mode
  Command: [no] authentication {otp}
  Comments: Possible values: authentication otp, no authentication. Default: authentication otp

Task: Configuring SMS management authorized caller
  Command: caller-id <phone-number> [level {oper | su | tech | user}]
           no caller-id <phone-number>
  Comments: phone-number – authorized caller number (string of up to 15 numeric characters). Phone-number can contain digits only; it must also contain the country prefix (without +). No caller is configured by default.
Configuration Errors
The following table lists the messages generated by SecFlow-1p when a configuration error is detected.
Message: Too many characters / Too little characters
  Cause: You tried to configure a string for a forbidden password containing more than 20 or less than 4 characters.
  Corrective Action: Configure a string 4–20 characters long.

Message: Black list is full
  Cause: You tried to configure more than 100 combinations of forbidden passwords.
  Corrective Action: Delete unnecessary combinations and configure a new one.

Message: min-symbols + min-digits may not exceed 20
  Cause: You tried to set the login-password-properties command with the sum of min-symbols and min-digits greater than 20 (the maximum password size).
  Corrective Action: Set other values for the min-symbols and min-digits parameters.

Message: Caller ID may be up to 15 digits
  Cause: phone-number can contain digits only; it must also contain the country prefix (without +).

Message: Maximum number of callers is configured
  Cause: You tried to configure more than 10 numbers.
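The login-password-properties, login-password-black-list and ban-default-login-password commands, together with the error messages listed above, describe a password acceptance policy. The following Python is an added example that implements that policy as a checker, my own code and not the device's. The limits it enforces (20-character maximum, 4 to 20 character black-list strings, 100 black-list entries, the min-symbols + min-digits ≤ 20 rule, the 1234 default password) and the error texts are the ones this section states; how the device counts "consecutive (incremental or decremental) alphanumeric characters" and whether black-list matching is by substring are my interpretations, and the sample passwords are constructed.

```python
"""Login-password policy checks modelled on login-password-properties,
login-password-black-list and ban-default-login-password.

Added example, not SecFlow-1p code.  Limits and error texts are the ones
the manual states; the 'consecutive characters' rule and substring
black-list matching are my interpretations.
"""
from typing import List

MAX_PASSWORD_LEN = 20
BLACK_LIST_MIN, BLACK_LIST_MAX = 4, 20
MAX_BLACK_LIST_ENTRIES = 100
DEFAULT_PASSWORD = "1234"


def longest_sequence(s: str) -> int:
    """Length of the longest run of alphanumeric characters whose codes step
    by +1 (abcd, 1234) or -1 (dcba, 4321).  A lone character counts as 1."""
    best = 1 if s else 0
    inc = dec = 1
    for a, b in zip(s, s[1:]):
        both_alnum = a.isalnum() and b.isalnum()
        inc = inc + 1 if both_alnum and ord(b) - ord(a) == 1 else 1
        dec = dec + 1 if both_alnum and ord(a) - ord(b) == 1 else 1
        best = max(best, inc, dec)
    return best


class LoginPasswordPolicy:
    def __init__(self, min_characters: int, min_digits: int, min_symbols: int,
                 max_consecutive: int, ban_default: bool = True) -> None:
        if min_symbols + min_digits > MAX_PASSWORD_LEN:
            raise ValueError("min-symbols + min-digits may not exceed 20")
        self.min_characters = min_characters
        self.min_digits = min_digits
        self.min_symbols = min_symbols
        self.max_consecutive = max_consecutive
        self.ban_default = ban_default          # ban-default-login-password
        self.black_list: List[str] = []

    def add_black_list(self, banned: str) -> None:
        """login-password-black-list <banned-string>, with the table's error texts."""
        if len(banned) > BLACK_LIST_MAX:
            raise ValueError("Too many characters")
        if len(banned) < BLACK_LIST_MIN:
            raise ValueError("Too little characters")
        if len(self.black_list) >= MAX_BLACK_LIST_ENTRIES:
            raise ValueError("Black list is full")
        self.black_list.append(banned)

    def problems(self, password: str) -> List[str]:
        """Return every rule the password breaks (empty list = acceptable)."""
        found: List[str] = []
        if len(password) > MAX_PASSWORD_LEN:
            found.append(f"longer than {MAX_PASSWORD_LEN} characters")
        if len(password) < self.min_characters:
            found.append(f"fewer than {self.min_characters} characters")
        if sum(c.isdigit() for c in password) < self.min_digits:
            found.append(f"fewer than {self.min_digits} digits")
        if sum(not c.isalnum() for c in password) < self.min_symbols:
            found.append(f"fewer than {self.min_symbols} symbols")
        if longest_sequence(password) > self.max_consecutive:
            found.append(f"more than {self.max_consecutive} consecutive characters")
        if self.ban_default and password == DEFAULT_PASSWORD:
            found.append("default login password is banned")
        if any(banned in password for banned in self.black_list):
            found.append("Invalid password")    # the manual's message for a black-listed combination
        return found


if __name__ == "__main__":
    policy = LoginPasswordPolicy(min_characters=8, min_digits=2, min_symbols=1, max_consecutive=3)
    policy.add_black_list("pass")
    for candidate in ("Tr0ub4dor&3", "abcd1234", "1234", "Mypass!19x7"):   # constructed samples
        print(candidate, policy.problems(candidate))
```

Returning the full list of broken rules, rather than stopping at the first, is a deliberate design choice for an operator-facing check: it tells the user everything to fix in one round trip without revealing anything beyond the configured policy.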
Configuring Users
► To add a new user:
1. Verify that you are logged on as superuser (su).
2. Navigate to the management context (config>mngmnt).
3. Enter login-user, followed by a new user name if you intend to create a new user, or an existing name if you intend to change a previously defined user.
Notes:
• Maximum user name length is 20 characters.
• User names are not case-sensitive, that is, “user123” and “UsEr123” are the same name.
4. The prompt changes to config>mngmnt>login-user<user-name>#.
5. Enter the necessary commands according to the tasks listed in the table below.
Task: Specifying user authentication method
  Command: authentication-method {password | public-key}
  Comments: Default user authentication method is password. SecFlow-1p has default usernames and passwords. If you change the authentication method of a user with access level su to public key, and no public key has been defined, you are warned that the super user is going to be disabled, and prompted to confirm the operation. Note: You can create a public key by configuring config>mngmnt>login-user<user-name> public-key <public-key>. Alternately, you can create a public key using any application that supports SSHv2 RSA 1024-bit key generation.

Task: Defining a user access level
  Command: level {su | oper | tech | user | linux-user | netconf-su | linux-net-admin | linux-tech}
  Comments:
  su – superuser
  oper – operator
  tech – technician
  user – read only
  linux-user – Linux read-only
  netconf-su – Netconf superuser
  linux-net-admin – Linux network and virtualization administrator
  linux-tech – Linux network, virtualization and processes technician

Task: Specifying user password
  Command: password <password> [hash]
  Comments: Maximum password length is as follows:
  • Non-hashed – 20 characters
  • Hashed:
    - 40 characters for SHA1
    - 144 characters for SHA512+SALT
    - 103 characters for linux-user
  The use of the hash function is illustrated in the example below.
  Note: If you try to set a password that has been defined as a forbidden combination of characters, the password will be rejected with the following error message: Invalid password.

Task: Setting user public key for authentication
  Command: public-key <public-key>
  Comments: Public key configuration is relevant only for the public key authentication method. Public key format: “ssh-rsa <space> public key string <space> comment” [1..512 chars]. Use the Base64 encoding (ASCII ‘A’ to ‘Z’, ‘a’ to ‘z’, ‘0’ to ‘9’, ’+’, ‘/’ and ‘space’) for the public key configuration. Entering no public-key deletes the public key. Note: SecFlow-1p does not have default public keys.

Task: Enabling/disabling a user
  Command: shutdown
           no shutdown
  Comments: Default users (su, oper, tech, user) can be disabled, but cannot be deleted.
You can delete dynamic users, including those at su level. You cannot delete default users.
► To delete an existing user:
• At the config>mngmnt# prompt, enter no login-user <user_name>.
  The specified user is deleted.
► To view all connected users:
• At the config>mngmnt# prompt, enter show users.
  A list of all connected users is displayed, showing their access level, the type of connection, and the IP address from which they are connected.
Examples
Defining Users
► To define a new user:
• User name – staff
• Access level – su
• Password – 1234
exit all
configure management
login-user staff
level su
password 1234
# Password is encrypted successfully
no shutdown
exit
► To add a new user with a hashed password:
1. Define a new user with a text password.
2. Use info detail to display the password hash value.
3. Define another user with the hashed password from the info detail output.
The second user can log in with the text password defined in Step 1.
For example, to add the following users:
• User name – staff1
• User password – 4222
• User name – staff2
• User password – hash of 4222 (user staff2 can log in with password 4222)
exit all
configure management
login-user staff1
level su
password 4222
# Password is encrypted successfully
no shutdown
exit
exit all
configure management login-user staff1 info detail
level su
password "3fda26f8cff4123ddcad0c1bc89ed1e79977acef" hash
no shutdown
exit all
configure management
login-user staff2
level su
password "3fda26f8cff4123ddcad0c1bc89ed1e79977acef" hash
no shutdown
exit
exit all
configure management login-user staff2 info detail
level su
password "3fda26f8cff4123ddcad0c1bc89ed1e79977acef" hash
no shutdown
Deleting Users
 To delete an existing user:
1. Verify that you are logged on as superuser (su).
2. Navigate to the management context (config>mngmnt).
3. Enter no login-user, followed by the name of the user that you intend to delete.
Viewing User Access Status
Viewing Failed Login Attempts
All unsuccessful user login attempts are registered and can be displayed using a show command.
► To display the unsuccessful login attempts:
• At the config>mngmnt# prompt, enter show failed-login-attempts.
  The details of each attempt are displayed.

Recent Failed Login Attempts
Source           Attempts  First Attempt    Blocked for
-------------------------------------------------------
1.1.1.1          5         302 seconds ago  277 seconds
100.100.100.100  2         100 seconds ago  --

Source         Source address of the unsuccessful login
Attempts       Number of failed login attempts since the source was unblocked for the last time
First Attempt  The first failed login attempt recorded from the source
Blocked for    Time remaining till the source will be unblocked for login
Viewing SSH Server Information
You can display the fingerprint of the SSH server public key.
► To display the SSH server information:
• At the config>mngmnt# prompt, enter show ssh-server fingerprint.
The SSH fingerprint information stored on the SSH server is displayed.
configure management
config>mngmnt# show ssh-server fingerprint
RSA key fingerprint is ef:ab:28:81:53:c2:a3:8d:77:0d:06:e7:89:2b:81:9c
Viewing Users
► To view all connected users:
• At the config>mngmnt# prompt, enter show users.
  A list of all connected users is displayed, showing their access level, the type of connection, and the IP address from which they are connected.

configure management
config>mngmnt# show users
Num  User  Access Level  Source    IP Address
----------------------------------------------------------------------------
1.   su    Su            Terminal  0.0.0.0
2.   su    Su            Netconf   172.17.160.69
3.   su    Su            SSH       172.17.180.87
Viewing User Information
The details of the currently logged-in users are available in the show users-details screen.
The screen for show users-details provides the following information:
User       User name
Level      User access level
Popup      Alarm/event popup status (enabled or disabled)
From       Source IP address of the management session, followed by protocol type (serial, SSH, NETCONF)
For (sec)  Duration of the current management session in seconds
► To display the user information:
• At the configure>management# prompt, enter show users-details.
configure management
config>mngmnt# show users-details
User:su Level:su Popup:Enabled
From:Serial For(sec):94
User:su Level:su Popup:Enabled
From:172.17.180.87/SSH For(sec):13
User:su Level:su Popup:Enabled
From:172.17.160.69/Netconf For(sec):77
5.13 Zone-based Stateful Firewall
SecFlow-1p features a zone-based stateful firewall that is configured via the Web GUI. Interfaces are
assigned to zones, for which sets of rules are configured. The firewall supports both IPv4 and IPv6 rules.
Rules can match IP source and destination networks, IP host addresses, TCP/IP ports and IP protocols.
Rules can be limited to specific days, dates and times, and the number of connections per rule can be
limited.
The firewall also supports IPv4 and IPv6 NAT: SNAT, DNAT, REDIRECT and Masquerading (also known as
NAPT).
It supports Geo IP, which means that it can block or allow traffic based on the source or destination
country. This feature requires an Internet connection so that the firewall can download the IP address
ranges of the different regions.
DDoS protection can be enabled by limiting SYN and RST flood packets.
The firewall supports Web URL, application and DNS filtering. This feature also requires an Internet
connection, for periodic list updates.
It is also possible to create black lists of URLs or IP addresses based on categories (e.g. ads, gambling),
black lists of phrases based on categories, and to limit downloadable files by extension.
The firewall supports a DNS proxy including black list filtering. The list is downloaded periodically from
the Internet.
Functional Description
Zones
A Zone is a logical area where ports and related devices having the same trust levels reside. Zones
establish the security borders of a network. A zone defines a boundary where traffic is subject to policy
restrictions as it crosses to another region of a network. An inspection policy is applied to traffic moving
between the zones. Inter-zone policies offer considerable flexibility, so different inspection policies can
be applied to multiple host groups connected to the same router interface.
After creating a Zone, one or more interfaces are assigned to it.
Stateless and Stateful Packet Filtering
SecFlow-1p Firewall supports stateful packet filtering.
Stateless Packet Filtering
A stateless firewall filter, also known as an access control list (ACL), does not statefully inspect traffic.
Instead, it evaluates packet contents statically and does not keep track of the state of network
connections.
The basic purpose of a stateless firewall filter is to enhance security through the use of packet filtering.
Packet filtering enables you to inspect the components of incoming or outgoing packets and then
perform the actions you specify on packets that match the criteria you specify. A typical use of a
stateless firewall filter is to protect the Routing Engine processes and resources from malicious or
untrusted packets.
Stateful Packet Filtering
A stateful firewall monitors the full state of active network connections. This means that stateful
firewalls constantly analyze the complete context of the traffic and data packets seeking entry to a
network, rather than discrete traffic and data packets in isolation.
Once a certain kind of traffic has been approved by a stateful firewall, it is added to a state table and can
travel more freely into the protected network. Traffic and data packets that do not complete the
required handshake successfully are blocked. By taking multiple factors into consideration before adding
a type of connection to an approved list, such as TCP stages, stateful firewalls are able to observe traffic
streams in their entirety.
Rules
Firewall rules are used to filter network traffic between Zones. To filter traffic means to accept, drop or
reject traffic based on the filtering conditions specified in the rule.
A rule must be configured for each traffic direction.
When a packet enters the Firewall, it is compared against the first rule in the rule set and progresses one
rule at a time, moving from top to bottom in sequence. When the packet matches the selection
parameters of a rule, the rule's action is executed and the search of the rule set terminates for that
packet. This is referred to as “first match wins”. If the packet does not match any of the rules, it gets
caught by the default rule number 65535, which denies all packets and silently discards them.
Each rule is associated with a number from 1 to 65534. The number is used to indicate the order of rule
processing. Multiple rules can have the same number, in which case they are applied according to the
order in which they have been added.
Based on the match of the rules, an action can be applied. Action means that packets or sessions can be
accepted, dropped or rejected:
• Accept – Session is forwarded between the zones
• Drop – Session gets dropped silently with no indication being sent to the client or server
• Reject – Session is rejected by sending a TCP RST packet in both directions. RST packet is also
seen on the attached appliance.
The following Advanced Configuration Options can be applied to rules.
Logging
It is possible to activate logging of all rule actions. Several log levels are available: Debug, Notice, Info,
Warning, Error, Critical, Alert, and Emergency. Choose a level dependent on the log info you want to be
available.
Time-based Rules
Under Advanced rule setting it is possible to activate a rule based on week days, between certain dates
and between certain times of the day.
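To make the rule-set semantics concrete, here is an added example (not RAD's code) that models them as described above: rules sorted by number with equal numbers applied in the order they were added, first match wins, the implicit rule 65535 dropping anything unmatched, uni-directional zone pairs, and the time-based limits (week days, date window, time window) of the advanced settings. Zone names, addresses, ports and the rules themselves are constructed for the demo.

```python
# Added example, not RAD's code: model of the rule-set semantics described
# above (ordering by rule number, first match wins, implicit rule 65535 drop,
# uni-directional zone pairs, time-based activation). All values are constructed.
from dataclasses import dataclass
from datetime import date, datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

DEFAULT_RULE = 65535            # implicit last rule: silently drops everything else

@dataclass
class Rule:
    number: int                 # 1..65534, lower numbers are evaluated first
    name: str
    in_zone: str
    out_zone: str
    action: str                 # accept | drop | reject
    protocol: Optional[str] = None          # "tcp", "udp" or None for any protocol
    src_net: Optional[str] = None           # CIDR, None matches any source
    dst_net: Optional[str] = None
    dst_port: Optional[int] = None
    weekdays: Optional[Set[int]] = None     # 0=Monday .. 6=Sunday; None = every day
    dates: Optional[Tuple[date, date]] = None   # (Date start, Date stop), inclusive
    times: Optional[Tuple[time, time]] = None   # (Time start, Time stop), inclusive
    enabled: bool = True                    # "Disable Selected" keeps the rule but inactive

    def __post_init__(self) -> None:
        if not 1 <= self.number < DEFAULT_RULE:
            raise ValueError("rule number must be in 1..65534")
        if self.action not in ("accept", "drop", "reject"):
            raise ValueError("action must be accept, drop or reject")

    def active_at(self, now: datetime) -> bool:
        """Time-based rule check: week day, date window and time-of-day window."""
        if self.weekdays is not None and now.weekday() not in self.weekdays:
            return False
        if self.dates and not (self.dates[0] <= now.date() <= self.dates[1]):
            return False
        if self.times and not (self.times[0] <= now.time() <= self.times[1]):
            return False
        return True

    def matches(self, pkt: dict, now: datetime) -> bool:
        if not self.enabled or not self.active_at(now):
            return False
        if (self.in_zone, self.out_zone) != (pkt["in_zone"], pkt["out_zone"]):
            return False            # rules are uni-directional: the zone pair must match
        if self.protocol and self.protocol != pkt["proto"]:
            return False
        if self.src_net and ip_address(pkt["src"]) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(pkt["dst"]) not in ip_network(self.dst_net):
            return False
        return self.dst_port is None or self.dst_port == pkt.get("dport")

class RuleSet:
    def __init__(self) -> None:
        self._rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        self._rules.append(rule)    # insertion order decides between equal numbers

    def evaluate(self, pkt: dict, now: datetime) -> Tuple[str, int, str]:
        """Return (action, rule number, rule name); sorted() is stable, so ties keep add order."""
        for rule in sorted(self._rules, key=lambda r: r.number):
            if rule.matches(pkt, now):
                return rule.action, rule.number, rule.name
        return "drop", DEFAULT_RULE, "default-deny"

def build_demo_ruleset() -> RuleSet:
    """Constructed LAN -> WAN policy used by demo_decisions()."""
    rs = RuleSet()
    rs.add(Rule(10, "allow-dns", "LAN", "WAN", "accept", "udp", "10.0.0.0/24", None, 53))
    rs.add(Rule(20, "reject-telnet", "LAN", "WAN", "reject", "tcp", None, None, 23))
    # Two rules with number 30: the one added first is checked first.
    rs.add(Rule(30, "web-office-hours", "LAN", "WAN", "accept", "tcp", None, None, 443,
                weekdays={0, 1, 2, 3, 4}, times=(time(8, 0), time(18, 0))))
    rs.add(Rule(30, "web-blocked", "LAN", "WAN", "drop", "tcp", None, None, 443))
    return rs

def demo_decisions() -> dict:
    """Run constructed packets through the rule set on a weekday and on a Saturday."""
    rs = build_demo_ruleset()
    wed = datetime(2022, 3, 16, 12, 0)      # Wednesday, inside the 08:00-18:00 window
    sat = datetime(2022, 3, 19, 12, 0)      # Saturday: "web-office-hours" is inactive
    https = {"in_zone": "LAN", "out_zone": "WAN", "proto": "tcp",
             "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443}
    return {
        "https_weekday": rs.evaluate(https, wed),
        "https_saturday": rs.evaluate(https, sat),
        "telnet": rs.evaluate(dict(https, dport=23), wed),
        "dns_from_lan": rs.evaluate(dict(https, proto="udp", dport=53), wed),
        "dns_from_other_net": rs.evaluate(dict(https, proto="udp", dport=53, src="192.168.1.9"), wed),
        "reverse_direction": rs.evaluate(dict(https, in_zone="WAN", out_zone="LAN"), wed),
    }

if __name__ == "__main__":
    for label, decision in demo_decisions().items():
        print(f"{label:20s} -> {decision}")
```

The "https_saturday" case shows why equal numbers matter: outside office hours the first rule 30 is inactive, so the packet falls through to the second rule 30 and is dropped, while the reverse-direction case shows that a LAN-to-WAN rule never matches WAN-to-LAN traffic.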
NAT
NAT is a tool that lets you share a single public IP address with a whole private subnet, and to run public
servers with private non-routable addresses. Suppose you have a typical low-cost DSL Internet account.
You have only a single public IP address, and a LAN of 25 workstations, laptops, and servers, protected
by a NAT firewall. Your entire network will appear to the outside world as a single computer. Source NAT
(SNAT) rewrites the source addresses of all outgoing packets to the firewall address.
It works the other way as well. While having public routable IP addresses is desirable for public services,
like web and mail servers, you can get by on the cheap without them and run public servers on private
addresses. Destination NAT (DNAT) rewrites the destination address, which is the firewall address, to
the real server addresses, then SecFlow-1p forwards incoming traffic to these servers.
SecFlow-1p uses the following techniques (actions): Masquerade, Destination NAT, Source NAT or
Redirect.
• Masquerade. IP masquerading is a technique that hides an entire IP address space, consisting of
private IP addresses, behind a single IP address in another, usually public, address space. The
hidden addresses are changed into a single (public) IP address as the source address of the
outgoing IP packets so they appear as originating not from the hidden host but from the routing
device itself. Because of the popularity of this technique to conserve IPv4 address space, the
term NAT has become virtually synonymous with IP masquerading.
• Destination NAT. Destination network address translation (DNAT) is a technique for
transparently changing the destination IP address of a packet en route and performing the
inverse function for any replies. Any router situated between two endpoints can perform this
transformation of the packet. DNAT is commonly used to publish a service located in a private
network on a publicly accessible IP address. This use of DNAT is also called port forwarding,
or DMZ when used on an entire server, which becomes exposed to the WAN, becoming
analogous to an undefended military demilitarised zone (DMZ).
• Redirect. A special case of DNAT is REDIRECT. Packets are redirected to a local port of the
router, enabling for example transparent proxying.
• Source NAT (SNAT). Source NAT rewrites the source addresses of all outgoing packets to
the firewall address. For SNAT the user has to specify the new source IP explicitly. For routers
with a static IP address SNAT is the best choice because it is faster than MASQUERADE (better
for dynamic IP), which has to check the current IP address of the outgoing network interface at
every packet.
Under Advanced Configuration Options, you can activate logging of all NAT actions. Several log levels
are available: Debug, Notice, Info, Warning, Error, Critical, Alert, and Emergency. Choose a level
dependent on the log info you want to be available.
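As an added example (not RAD's code), the following models the four NAT actions above together with the session mapping that lets replies be translated back: Masquerade reads the current address of the Out interface at translation time, SNAT uses the explicitly configured source address, DNAT rewrites the destination on the In interface, and Redirect sends the packet to a local port of the router itself. Interface names, addresses, ports and the port-allocation scheme are constructed for the demo.

```python
# Added example, not RAD's code: a model of the Masquerade, Source NAT,
# Destination NAT and Redirect actions with a session table for translating
# replies back. Interfaces, addresses, ports and the port allocation are
# constructed demo values.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class NatRule:
    number: int                         # lower numbers are evaluated first
    name: str
    action: str                         # masquerade | snat | dnat | redirect
    interface: str                      # Out interface (masquerade, snat) / In interface (dnat, redirect)
    protocol: Optional[str] = None
    orig_src: Optional[str] = None      # Original Source IP Address
    orig_dst: Optional[str] = None      # Original Destination IP Address
    orig_dport: Optional[int] = None    # Original Destination Port
    new_src: Optional[str] = None       # Modified Source IP Address (snat)
    new_dst: Optional[str] = None       # Modified Destination IP Address (dnat)
    new_dport: Optional[int] = None     # Modified Destination Port (dnat, redirect)

    def matches(self, p: Packet, iface: str, hook: str) -> bool:
        # Source rewrites apply as the packet leaves ("out"), destination rewrites as it enters ("in").
        my_hook = "out" if self.action in ("masquerade", "snat") else "in"
        return (self.interface == iface and my_hook == hook
                and (self.protocol is None or self.protocol == p.proto)
                and (self.orig_src is None or self.orig_src == p.src)
                and (self.orig_dst is None or self.orig_dst == p.dst)
                and (self.orig_dport is None or self.orig_dport == p.dport))

class Nat:
    def __init__(self, rules: List[NatRule], iface_addr: Dict[str, str]) -> None:
        self.rules = sorted(rules, key=lambda r: r.number)
        self.iface_addr = iface_addr                  # interface -> its current address
        self.sessions: Dict[Tuple, Packet] = {}       # expected reply tuple -> original packet
        self.next_port = 40000                        # assumed allocation for translated source ports

    def translate(self, p: Packet, iface: str, hook: str) -> Tuple[Packet, Optional[str]]:
        """Apply the first matching rule for this interface and hook ("in" or "out")."""
        for r in self.rules:
            if not r.matches(p, iface, hook):
                continue
            if r.action in ("masquerade", "snat"):
                # Masquerade re-reads the interface address on every packet; SNAT uses the static one.
                self.next_port += 1
                q = replace(p, sport=self.next_port,
                            src=self.iface_addr[iface] if r.action == "masquerade" else r.new_src)
            elif r.action == "dnat":
                q = replace(p, dst=r.new_dst, dport=r.new_dport or p.dport)
            else:   # redirect: to the router's own address on the In interface
                q = replace(p, dst=self.iface_addr[iface], dport=r.new_dport or p.dport)
            # A reply to q arrives with src/dst swapped; remember how to undo the rewrite.
            self.sessions[(q.proto, q.dst, q.dport, q.src, q.sport)] = p
            return q, r.name
        return p, None

    def untranslate(self, reply: Packet) -> Packet:
        """Reverse the translation for a reply so it reaches the original endpoint."""
        orig = self.sessions.get((reply.proto, reply.src, reply.sport, reply.dst, reply.dport))
        return reply if orig is None else Packet(orig.proto, orig.dst, orig.dport, orig.src, orig.sport)

def demo() -> Dict[str, Tuple]:
    nat = Nat([
        NatRule(10, "publish-web", "dnat", "wan", "tcp", orig_dst="198.51.100.1",
                orig_dport=8080, new_dst="192.168.1.20", new_dport=80),
        NatRule(20, "proxy-http", "redirect", "lan", "tcp", orig_dport=80, new_dport=3128),
        NatRule(30, "static-snat", "snat", "wan", orig_src="192.168.1.10", new_src="198.51.100.1"),
        NatRule(40, "masq-rest", "masquerade", "wan"),
    ], {"wan": "198.51.100.1", "lan": "192.168.1.1"})
    out = {}
    q, rule = nat.translate(Packet("tcp", "192.168.1.10", 5555, "203.0.113.50", 80), "wan", "out")
    out["snat"] = (q.src, q.sport, q.dst, q.dport, rule)
    back = nat.untranslate(Packet("tcp", "203.0.113.50", 80, q.src, q.sport))
    out["snat_reply"] = (back.src, back.sport, back.dst, back.dport)
    q, rule = nat.translate(Packet("udp", "192.168.1.11", 5353, "203.0.113.53", 53), "wan", "out")
    out["masq"] = (q.src, q.sport, rule)
    nat.iface_addr["wan"] = "198.51.100.2"         # dynamic address changed: masquerade follows it
    q, rule = nat.translate(Packet("udp", "192.168.1.11", 5353, "203.0.113.53", 53), "wan", "out")
    out["masq_after_change"] = (q.src, q.sport, rule)
    q, rule = nat.translate(Packet("tcp", "203.0.113.7", 1234, "198.51.100.1", 8080), "wan", "in")
    out["dnat"] = (q.dst, q.dport, rule)
    q, rule = nat.translate(Packet("tcp", "192.168.1.12", 6000, "203.0.113.80", 80), "lan", "in")
    out["redirect"] = (q.dst, q.dport, rule)
    return out

if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:18s} {value}")
```

The "masq_after_change" case is the practical difference the text points at: after the Out interface address changes, the masquerade rule picks up the new address without any reconfiguration, whereas the SNAT rule keeps rewriting to the address it was configured with.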
Configuring the Firewall
Firewall Configuration Sequence
Below are the configuration tasks that you need to follow:
1. Create Interfaces with Interface name and function (see Configuring Objects)
2. Create Zones and assign Interfaces to zones (see Configuring Objects)
3. Configure Networks (see Configuring Objects)
4. Create Firewall rules between Zones.
Note
Hosts, TCP/UDP ports and URLs are other objects that can be configured
Configuring Objects
Before you configure the Firewall and NAT rules you need to define Interfaces, Zones, Hosts, Networks,
URLs and Ports found under OBJECTS on the main menu.
Click on OBJECTS and select the fields:
- Interfaces: Give each interface a name that will be used when you define Zones.
- Zones: A Zone consists of one interface or a group of interfaces that follow the same rules.
- Hosts: Set a specific host device (IP address).
- Networks: Set an IP network address and a network mask.
- URLs: Type URL addresses that will appear when building Firewall rules.
- Ports: A list of TCP ports that will be available when building the Firewall rules.
Creating Interfaces
► To create the interfaces:
1. From the top menu, select Objects>Interfaces and follow the instructions on the screen.
In the example below four interfaces are created.
Creating Zones
► To create a zone:
1. From the top menu, select Objects>Zones and follow the instructions on the screen.
In the example below three zones are created with the above four interfaces assigned to them.
Configuring Rules
RAD Firewall allows you to select Create New rules, Delete Selected, Disable Selected and Enable
Selected.
Disable Selected allows you to keep the rule in inactive state. A disabled rule can be enabled again any
time.
In the upper right side of the screen you can select Save and Apply or Commit.
Save and Apply saves and activates all rules in the running config. Next time you reboot the CPE, the
rules will not be enabled. This makes it possible to reverse all Firewall rules by rebooting the CPE.
Commit saves the rules in the startup configuration. The rules will be activated once the CPE is
rebooted.
Important!
When “Save and Apply” is selected, ACL and NAT rules
configured in the device on the regular CLI/Web platforms are
removed.
Note
Firewall rules are uni-directional.
► To configure a rule:
1. Click on the Filter tab -> Create New. The Filter (Rule) configuration window opens.
2. Select the rule number.
Note
When assigning the number, note that Firewall is parsing the rules starting
from the lowest number.
3. Enter a meaningful rule name.
4. Select the address family: IPv4+IPv6, IPv4 or IPv6.
5. Select the In Zone.
6. Select the Out Zone.
Note
Prior to selecting the In and Out zones, fill in the Zone table under
OBJECTS>Zones.
7. Select the Source by entering TCP or UDP ports from the drop-down list.
Note
Source Port for a connection is typically random and in most cases should not be
configured.
8. Select the Destination Port from the drop-down list.
Note
TCP/UDP IP ports can be modified and expanded under
OBJECTS>Ports.
9. Select the relevant Protocol from the drop-down list.
10. Select the Action: Drop, Accept or Reject.
11. Configure the advanced options if needed (see below).
12. Click Submit.
► To configure the rule advanced options:
1. Click Advanced.
2. Select the log level (Debug, Notice, Info, Warning, Error, Critical, Alert, Emergency).
3. Type the log prefix.
4. Select the connection states to be filtered from the following: NEW, RELATED, ESTABLISHED,
INVALID, UNTRACKED. This selection helps you inspect and restrict connections to services
based on their connection state. You can allow or deny access based on the following
connection states:
- NEW — A packet requesting a new connection (for example, an HTTP request).
- ESTABLISHED — A packet that is part of an existing connection.
- RELATED — A packet that is requesting a new connection but is part of an existing
connection. For example, FTP uses port 21 to establish a connection, but data is transferred
on a different port (typically port 20).
- INVALID — A packet that is not part of any connection in the connection tracking table.
- UNTRACKED – A packet that was marked as NOTRACK in the raw table.
5. If you want to limit the number of connections, select the maximum number of allowed
connections.
6. If needed, add filters that block connection to source or destination countries. The list of these
countries can be configured under App Layer> Geo-IP rule set.
Note
To enable GEO-IP updates, go to OPERATIONS>Advanced Settings>GEO IP
Settings. The actual Geo-IP addresses per country need to be updated via
online Internet connectivity.
7. Select the Week days (from Sunday to Saturday), Date start, Date stop, Time start, Time stop.
8. Click Submit.
Note
Advanced options and Description fields will be implemented in the future
Firewall versions.
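The five states offered in step 4 come from the firewall's connection tracking table. As an added example (not RAD's code), the following models a simplified tracker that classifies each packet as NEW, ESTABLISHED, RELATED, INVALID or UNTRACKED, and a policy that uses those states the way the Stateful Packet Filtering description above puts it: replies are let through only for flows that completed the TCP handshake, a stray ACK with no tracked flow is INVALID, and an FTP data connection is RELATED to its control connection. The timeouts, the NOTRACK port, the simplified FTP expectation (a real tracker parses the PORT/PASV exchange) and all addresses are assumptions for the demo.

```python
# Added example, not RAD's code: a simplified connection-tracking table that
# assigns the NEW / ESTABLISHED / RELATED / INVALID / UNTRACKED states of step 4,
# and a policy built on them. Timeouts, the NOTRACK port, the FTP expectation
# and the addresses are assumed demo values, not the device's.
from typing import Dict, List, Tuple

Tuple5 = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)
SYN_TIMEOUT = 60        # assumed: an unreplied SYN entry is dropped after 60 s
OPEN_TIMEOUT = 432000   # assumed: lifetime once the handshake completed
UDP_TIMEOUT = 30        # assumed
NOTRACK_PORTS = {123}   # assumed: NTP is marked NOTRACK in the raw table

def reverse(t: Tuple5) -> Tuple5:
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)

class ConnTrack:
    def __init__(self) -> None:
        self.table: Dict[Tuple5, dict] = {}   # keyed by the original-direction tuple
        self.expected = set()                # (server, client) pairs expecting FTP data

    def _lookup(self, t: Tuple5, now: float):
        """Return (key, entry) for either direction of t, expiring a stale entry."""
        for key in (t, reverse(t)):
            entry = self.table.get(key)
            if entry is None:
                continue
            if now - entry["last"] > entry["timeout"]:
                del self.table[key]           # handshake never finished: forget the flow
                return None, None
            return key, entry
        return None, None

    def classify(self, pkt: dict, now: float) -> str:
        t: Tuple5 = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flags = pkt.get("flags", set())
        if t[2] in NOTRACK_PORTS or t[4] in NOTRACK_PORTS:
            return "UNTRACKED"
        key, entry = self._lookup(t, now)
        if entry is not None:                 # packet belongs to a tracked flow
            entry["last"] = now
            if t[0] == "tcp":
                if key != t and flags == {"SYN", "ACK"}:
                    entry["state"] = "SYN_RECV"
                elif key == t and entry["state"] == "SYN_RECV" and flags == {"ACK"}:
                    entry["state"], entry["timeout"] = "ESTABLISHED", OPEN_TIMEOUT
                    if key[4] == 21:          # FTP control channel is up: expect a data channel
                        self.expected.add((key[3], key[1]))
            return "ESTABLISHED"
        if t[0] == "tcp" and t[2] == 20 and (t[1], t[3]) in self.expected:
            self.table[t] = {"state": "ESTABLISHED", "last": now, "timeout": OPEN_TIMEOUT}
            return "RELATED"
        if t[0] == "tcp" and flags != {"SYN"}:
            return "INVALID"                  # mid-stream TCP packet with no tracked flow
        timeout = SYN_TIMEOUT if t[0] == "tcp" else UDP_TIMEOUT
        self.table[t] = {"state": "SYN_SENT", "last": now, "timeout": timeout}
        return "NEW"

def policy(ct: ConnTrack, pkt: dict, now: float, allowed_new=frozenset({21, 443})) -> Tuple[str, str]:
    """Accept ESTABLISHED/RELATED, accept NEW only to allowed ports, drop everything else."""
    state = ct.classify(pkt, now)
    if state in ("ESTABLISHED", "RELATED") or (state == "NEW" and pkt["dport"] in allowed_new):
        return "accept", state
    return "drop", state

def run_demo() -> List[Tuple[str, str, str]]:
    """Constructed packet sequence; returns (label, action, state) per packet."""
    ct = ConnTrack()
    c, s = "10.0.0.5", "203.0.113.10"        # client behind the firewall, server outside

    def tcp(src, sport, dst, dport, *flags):
        return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}

    steps = [
        ("syn-443", tcp(c, 40000, s, 443, "SYN"), 0.0),
        ("synack-443", tcp(s, 443, c, 40000, "SYN", "ACK"), 0.1),
        ("ack-443", tcp(c, 40000, s, 443, "ACK"), 0.2),
        ("data-443", tcp(s, 443, c, 40000, "ACK"), 5.0),
        ("stray-ack", tcp("198.51.100.7", 4444, c, 8080, "ACK"), 6.0),
        ("syn-ftp", tcp(c, 40001, s, 21, "SYN"), 7.0),
        ("synack-ftp", tcp(s, 21, c, 40001, "SYN", "ACK"), 7.1),
        ("ack-ftp", tcp(c, 40001, s, 21, "ACK"), 7.2),
        ("ftp-data", tcp(s, 20, c, 40002, "SYN"), 8.0),
        ("syn-ssh", tcp(c, 40003, s, 22, "SYN"), 9.0),
        ("syn-late", tcp(c, 40004, s, 443, "SYN"), 10.0),
        ("synack-late", tcp(s, 443, c, 40004, "SYN", "ACK"), 100.0),   # 90 s later: SYN entry expired
        ("ntp", {"proto": "udp", "src": c, "sport": 123, "dst": s, "dport": 123}, 101.0),
    ]
    return [(label, *policy(ct, pkt, now)) for label, pkt, now in steps]

if __name__ == "__main__":
    for label, action, state in run_demo():
        print(f"{label:12s} {state:12s} {action}")
```

The "synack-late" case is the handshake rule from the stateful description: the SYN entry has expired, so the late SYN-ACK belongs to no tracked flow and is classified INVALID rather than ESTABLISHED, which is also why dropping INVALID in a rule costs nothing for legitimate traffic.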
Configuring the NAT
Note
Before configuring the NAT, first create the interfaces as described above.
► To configure the NAT:
1. Click on the NAT tab -> Create New. The NAT configuration window opens.
2. Select the NAT number.
Note
When assigning the number, note that Firewall is parsing the rules starting
from the lowest number.
3. Select the NAT name.
4. Select the address family: IPv4+IPv6, IPv4 or IPv6.
5. Select the Action: Masquerade, Destination NAT, Source NAT or Redirect.
► To configure the Masquerade NAT:
1. Select Masquerade under Action.
2. Select the Out interface.
3. Select the relevant Protocol from the drop-down list.
4. Type the Original Source IP Address.
5. Select Original Source Port (1..65535).
6. Configure the advanced options if needed (see below).
7. Click Submit.
► To configure the Source NAT:
1. Select Source NAT under Action.
2. Select the Out interface.
3. Select the relevant Protocol from the drop-down list.
4. Type the Original Source IP Address.
5. Select Original Source Port (1..65535).
6. Type the Modified Source IP Address.
7. Select Modified Source Port (1..65535).
8. Configure the advanced options if needed (see below).
9. Click Submit.
Note
Source NAT needs at least the "Out interface", "Protocol" and "Modified
Destination IP Address" options to be configured.
► To configure the Destination NAT:
1. Select Destination NAT under Action.
2. Select the In interface.
3. Select the relevant Protocol from the drop-down list.
4. Type the Original Destination IP Address.
5. Select Original Destination Port (1..65535).
6. Type the Modified Destination IP Address.
7. Select Modified Destination Port (1..65535).
8. Configure the advanced options if needed (see below).
9. Click Submit.
Note
Destination NAT needs at least "Modified Destination IP Address" and
"Protocol" options to be configured.
► To configure the Redirect NAT:
1. Select Redirect under Action.
2. Select the In interface.
3. Select the relevant Protocol from the drop-down list.
4. Type the Original Destination IP Address.
5. Select Original Destination Port (1..65535).
6. Type the Modified Destination IP Address.
7. Configure the advanced options if needed (see below).
8. Click Submit.
► To configure the NAT advanced options:
1. Click Advanced.
2. Select the log level.
3. Click Submit.
Configuring the App Layer
Creating GEO-IP Sets
The GEO-IP set is used to block requests and messages to/from hosts with IP address from specified
countries.
The GEO-IP sets are used by the rules. To configure the rule advanced options, see Configuring Rules.
► To create a GEO-IP Set:
1. Navigate to App Layer> GEO-IP rule Sets > click Create New
2. Enter a meaningful name.
3. Select the countries to add to the blacklist
4. Click Submit.
Configuring DPI Filters
DPI filter is a process running independently of the rule filter. This means that both Rule Filter and DPI
filter are processed independently.
The DPI filter can identify layer 7 applications, such as Youtube, Zoom, Netflix, Gmail, Microsoft365 and
Facebook etc.
► To create a DPI filter:
1. Navigate to App Layer>App Layer Filter>DPI filter>Create New.
2. Under Mode, select Layer7_proto, URL or NETWORK.
- If Layer7_proto is selected, applications/Layer 7 protocols can be selected from a predefined filter list.
- If URL is selected, the device will try to translate the URL address to a valid IP address using
a DNS server on the device or check a DNS server on the Internet. If no response from a DNS
server is received, the URL will not be accepted.
- If NETWORK is selected, a network with network mask can be entered.
3. Under Actions, select Accept or Drop.
Advanced options allow the user to perform other actions, for example to mark the packets with a DSCP
value.
The DSCP value can later be used for QoS or policy-based routing decisions.
Configuring the DNS Filter
The DNS filter enables blocking DNS requests for specified suspicious websites, web pages and IP
addresses, using defined adware/malware blacklists.
DNS Filter Configuration
► To configure the DNS Daemon:
1. Navigate to App Layer> DNS Filter > click Edit
2. Select the interface on which the daemon listens for suspicious requests.
If you don’t select an interface, the DNS filter is disabled.
3. Select the Enable DNS Filter check box.
4. In the ACL list field, enter an AC list, or AC list IP addresses, if required. The firewall will not filter
the IP addresses entered in this list.
The AC lists are typically internal domains.
5. In the Forwarders list field, enter the address of the DNS server that is used to forward DNS
queries for external DNS names to DNS servers outside the network.
6. Select the Enable Adware/Malware Hosts updates check box to enable updates.
7. In the Adware/Malware Hosts Online source field, enter the web site address that contains the
adware/malware blacklist used by the DNS filter.
8. Select the Adware/Malware Hosts Update frequency.
9. Click Submit.
► To configure the DNS Filter:
1. Navigate to App Layer> DNS Filter >Configuration
2. Under DNS Filter Settings view the following:
- Listen on (Enable DNS) - displays the interface the daemon listens on, as selected in the DNS
Daemon.
- DNS Filter (Domains Blacklisting) - displays the DNS filter status, as selected in the DNS
Daemon.
- ACL List - displays the AC list, or lists, entered in the DNS Daemon.
- Forwarders list – displays the address of the DNS server that is used to forward DNS queries,
as entered in the DNS Daemon.
3. Under Blacklisted Hosts Database set and view the following:
- Update from local file – enables you to upload the adware/malware blacklist database that
resides on the device to be used by the DNS filter. Click Upload DB, then select the required
blacklist database.
- Online Database Source (Known Malware/Adware) – displays the web site address
entered in the DNS Daemon.
- Blacklists Update Frequency – displays the frequency at which the adware/malware blacklist is
updated, as entered in the DNS Daemon.
To update the adware/malware blacklist at a specific time, click Update now.
4. On the Configuration tab, on the top left side click Apply+Commit.
Apply+Commit - the system saves the filters in the startup configuration. The filters will be
activated once the CPE is rebooted.
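As an added example (not RAD's code), the following models the decision the DNS filter configured above makes for each query: clients or names covered by the ACL list are never filtered, names on the adware/malware hosts list (and their subdomains) are answered with a sinkhole address instead of being resolved, and everything else is sent to the configured forwarder. The hosts-file list format, the sinkhole answer, treating ACL entries as either IP networks or internal domain suffixes, and all addresses are assumptions made for the demo.

```python
# Added example, not RAD's code: the decision logic of a blacklist-based DNS
# filter as described above. The hosts-file blacklist format, the sinkhole
# answer and the treatment of ACL entries as either IP networks or internal
# domain suffixes are assumptions made for the demo.
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# Constructed sample of a hosts-style adware/malware list (not a real feed).
SAMPLE_BLACKLIST = """\
# constructed sample entries
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org    # inline comment
127.0.0.1 malware-c2.example.com
"""

def parse_hosts_blacklist(text: str) -> Set[str]:
    """Collect host names from '0.0.0.0 name [name...]' lines; comments and blanks are skipped."""
    names: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        names.update(f.lower().rstrip(".") for f in fields[1:])
    return names

def _parents(name: str) -> List[str]:
    """'a.b.example.net' -> ['a.b.example.net', 'b.example.net', 'example.net', 'net']"""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

class DnsFilter:
    def __init__(self, blacklist: Set[str], acl: List[str], forwarders: List[str],
                 sinkhole: str = "0.0.0.0") -> None:
        self.blacklist = blacklist
        self.forwarders = forwarders
        self.sinkhole = sinkhole
        self.acl_nets, self.acl_domains = [], []
        for entry in acl:                      # IP network -> exempt client; otherwise domain suffix
            try:
                self.acl_nets.append(ip_network(entry, strict=False))
            except ValueError:
                self.acl_domains.append(entry.lower().rstrip("."))

    def is_blocked(self, qname: str) -> bool:
        """A name is blocked if it, or any parent domain, is on the blacklist."""
        return any(p in self.blacklist for p in _parents(qname))

    def decide(self, client: str, qname: str) -> Tuple[str, str]:
        """Return (action, detail): the forwarder or ACL reason for "forward", the answer for "sinkhole"."""
        if any(ip_address(client) in net for net in self.acl_nets):
            return "forward", "acl-client"
        if any(p in self.acl_domains for p in _parents(qname)):
            return "forward", "acl-domain"
        if self.is_blocked(qname):
            return "sinkhole", self.sinkhole
        return "forward", self.forwarders[0]

def build_demo_filter() -> DnsFilter:
    """Constructed configuration: one exempt management network, one internal domain, one forwarder."""
    return DnsFilter(parse_hosts_blacklist(SAMPLE_BLACKLIST),
                     acl=["192.168.50.0/24", "corp.example"],
                     forwarders=["192.0.2.53"])

if __name__ == "__main__":
    f = build_demo_filter()
    for client, name in [("10.0.0.5", "ads.example.net"), ("10.0.0.5", "cdn.ads.example.net"),
                         ("10.0.0.5", "www.example.com"), ("192.168.50.3", "ads.example.net"),
                         ("10.0.0.5", "intranet.corp.example")]:
        print(f"{client:14s} {name:24s} -> {f.decide(client, name)}")
```

Blocking parent domains as well as exact names is the choice that matters operationally: a list entry for ads.example.net should also stop cdn.ads.example.net, otherwise the filter is trivially bypassed by a subdomain, while the ACL keeps internal names and management hosts out of the filter entirely.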
Setting and Downloading DNS Filter Logs
You can display and download logs that contain either DNS requests, or blocked IP addresses.
► To set and download DNS filter logs:
1. Navigate to App Layer> DNS Filter >Logs
2. Under Filtering set the following:
- Log Type - select the required log type
- Max lines - select the maximum number of lines to display in a log
- Update Interval - select the logs update frequency
- String filter - enter a grep regular expression to filter the log entries
- String filter limit - enter the number of log entries that should be checked to match the
string filter
3. DNS filter Access Table - displays the logs
Configuring the Web Content Filter
The Web Content Filter blocks access to specified inappropriate or unsafe web content, and to
specified file types. If using a secure connection, an HTTPs proxy resides between the computer
running the firewall and the websites, for handling secure connection requests.
WEB content Filter Configuration
► To configure the E2Guardian Daemon:
1. Navigate to App Layer> WEB content Filter > click Edit
2. Select the Enable E2Guardian check box to enable the Web Content Filter daemon.
3. Select the Enable Transparent HTTPs proxy check box, if using a secure connection.
4. In the HTTP port field, leave the default port number, or enter the required number.
5. In the HTTPs port field, leave the default port number, or enter the required number.
6. Select the Enable Blacklists check box to block phrases, custom lists and file extensions as
specified in the Phrases Lists and Files Lists tabs.
7. Select the Enable Blacklists updates check box to enable updates.
8. In the Blacklists Online source, enter the web site address that contains the blacklists used by
the Web content filter.
9. Select the Blacklists source Update frequency.
10. Click Edit to edit the Block-page template.
The Block-page template is the template of the message that users receive when entering a
blocked page.
11. Click Submit.
► To configure the Web Content Filter:
1. Navigate to App Layer>Web Content Filter >Configuration
2. Under Proxy Settings view the following:
- Enable Daemon - displays the Web Content filter status, as selected in the E2Guardian
Daemon.
- Enable HTTPs Transparent proxy - displays the proxy’s status as selected in the E2Guardian
Daemon.
- HTTP port - displays the HTTP port number as entered in the E2Guardian Daemon.
- HTTPs port - displays the HTTPs port number as entered in the E2Guardian Daemon.
3. Under Blacklists Online Database view the Blacklists status, as selected in the E2Guardian
Daemon.
4. Under Certificate Authority, if using SSL for a secure connection (HTTPs) click Create New CA,
then do the following:
- From the Key length list, select the certificate’s Key length in bits.
- From the Digest Algorithm list, select the certificate’s digest algorithm.
- In the Lifetime(days) field enter the number of days the certificate will be valid for.
- In the Common Name field, enter a meaningful name for the certificate.
- It is optional to enter a Country Code, State or Province name, City name, Organization
name and Organization Unit name.
- Click Submit, then return to the Configuration tab.
5. Click Phrases Lists>Edit to configure the phrases lists to block.
Do the following:
- In the Name field enter a meaningful name.
- From the Category list, select the phrases to be filtered.
- In the Custom phrases field, if required, enter custom phrases as explained when clicking
the icon.
- Click Submit.
The Phrases Lists tab is displayed; the blocked phrases are indicated by an icon, and the
custom lists are displayed.
6. Click Files Lists>Edit to select the file types to block.
Do the following:
- In the Name field enter a meaningful name.
- From the Available File Types Blacklists, select the file types to block.
- In the Mime field, enter the media, or content type to block.
- In the Exception url list field, enter the URLs from which blocked files can be downloaded.
- In the Exception site list field, enter the sites from which blocked files can be downloaded.
- Click Submit.
The Files Lists tab is displayed; the blocked file extensions are indicated by an icon, and the
blocked MIME extensions and the domains and sites from which blocked files can be
downloaded are displayed.
7. On the Configuration tab, on the top left side click Apply+Commit.
Apply+Commit - the system saves the filters in the startup configuration. The filters will be
activated once the CPE is rebooted.
Setting and Downloading Web Content Filter Logs
You can display and download logs that contain blocked phrases and files.
► To set and download Web content filter logs:
1. Navigate to App Layer> Web Content Filter >Logs
2. Under Filtering set the following:
- Max lines - select the maximum number of lines to appear in the log
- Update Interval - select the log’s update frequency
- String filter - enter a grep regular expression to filter the log entries
- String filter limit - enter the number of log entries that should be checked, to match the
string filter
- E2Guardian Access Table – TBD
3. Click the relevant button to display or download the log.
Displaying the System Log and System Information
The system log, Firewall statistics, Processes information, Interfaces information, Routes information
and Connections information are found under SYSTEM.
Configuring Advanced Settings
Advanced settings are found under OPERATIONS> Advanced settings and cover the following
operations.
Database Operations
Download database: This function allows the user to download the Firewall database to the local
storage on the computer.
Upload database: This function allows the user to upload the Firewall database stored on the local
storage on the computer to the CPE.
Note
The Firewall database cannot be uploaded/downloaded using the CLI
command.
Local Backup: This function allows the user to back up the Firewall database to the local CPE storage.
Local Restore: This function allows the user to restore the Firewall database from the local CPE storage.
Reset to Factory Defaults: This operation resets the Firewall database.
Note
The Firewall database cannot be reset using the CLI command.
Firewall Settings
The advanced Firewall settings are as follows:
• Enable Generate IPv6 Rules: enables the Firewall to generate IPv6 rules
• Enable SYN-flood Protection: enables the Firewall to monitor SYN-Flood packets and limit the
number of half-open sessions
• Drop Excessive TCP RST Packet: enables the Firewall to drop excessive TCP RST packets
• Drop Invalid Packet: enables the Firewall to drop excessive invalid packets
• Block Bogon Networks: Bogons include IP packets on the public Internet containing addresses
that are not in any range allocated or delegated by the Internet Assigned Numbers
Authority (IANA)
• Block Bogus Packets: Block bogus (fake) IP addresses
DPI (Deep Packet Inspection) Engine Settings
• Enable LOW CPU utilization: enables the Firewall to perform deep packet inspection, using the
application layer firewall, which uses up a large amount of CPU.
To enable or disable the above settings, click the icon and in the displayed window select or clear the
required option/s.
GEO-IP Settings
The advanced GEO-IP settings are as follows:
• Enable GEO-IP Updates: This menu item enables the Firewall to update the GEO-IP list used
under APP LAYER>GEO-IP rule-sets
• GEO-IP Update Frequency: This function allows the user to set the frequency of updates.
These settings require the device to have Internet access.
6 Traffic Processing
6.1 Bridge
The SecFlow-1p bridge is a Layer-2 networking device that creates a single, aggregate network from
multiple communication networks or network segments. SecFlow-1p supports VLAN-unaware bridge
and VLAN-aware bridge.
Applicability and Scaling
SecFlow-1p supports up to two independent bridges (bridge #1 for LAN ports, bridge #2 for WAN ports),
up to 32 bridge ports, and at least 512 MAC entries per bridge. Bridge ports can be bound uniquely to
Ethernet and virtual ports. Only one bridge port can be assigned to a specific port.
The SecFlow-1p bridge is a Layer-2 forwarding entity that can work in VLAN-aware or VLAN-unaware
mode.
Standards Compliance
IEEE 802.1D
IEEE 802.1Q
Benefits
The bridge enables performing local switching.
Functional Description
Architecture
The bridge is one of the networking components that can perform layer-2 connectivity between
ethernet ports and the router.
The device hardware design is based on the CPU connected to the LAN and WAN switches which provide
the LAN ports and WAN ports, respectively (see the diagram below).
Figure #1: pCPE HW structure (LAN Switch – CPU – WAN Switch)
When operating the pCPE device as a router without local switching on LAN or WAN ports, the LAN and
WAN switches are transparent and provide the following ports connectivity to the router.
When operating the pCPE device as a router with local switching on LAN ports, the LAN switch provides
the bridge functionality between Ethernet physical ports and the router.
Packet Walkthrough in VLAN-Unaware Mode
The SecFlow-1p bridge in VLAN-unaware mode supports the following packet walkthrough:
• The bridge receives all packets (no restrictions).
• In Filter mode, the bridge learns the packet source MAC address and adds it to the MAC table
with the corresponding source port.
• The bridge forwards multicast and unicast packets, as follows:
- Flood broadcast – The bridge forwards multicast packets to all ports (except the packet
source port).
- The bridge forwards unicast packets to the destination port:
  - According to the packet’s destination in the MAC table (entries are dynamic provided by
learning source MAC addresses or static by configuration)
  - Flooded to all ports (except the packet source port) in case of a destination MAC that
does not exist in the MAC table
  - Flooded to all ports (except packet source port) in case of transparent mode
• The bridge transmits packets as is (no modifications)
Note
In VLAN-unaware mode, legal packets are always forwarded (to a specific port
or flooded to all ports).
Packet Walkthrough in VLAN-Aware Mode
The SecFlow-1p bridge in VLAN-aware mode forwards packets according to MAC address and VLAN, that is, by creating VLAN domains on the bridge.
It supports a VLAN membership table that defines VLAN membership per bridge port as follows:
• By default, a port does not have VLAN membership.
• A VLAN domain is defined by configuration and includes all ports with a specific VLAN membership.
• The VLAN membership table defines whether an egress bridge port transmits packets with or without a VLAN tag.
The SecFlow-1p bridge in VLAN-aware mode supports the following packet walkthrough:
• The bridge receives packets according to the port definition:
o If ingress filtering is enabled, SecFlow-1p discards incoming frames for VLANs that do not include the port in their member set. If ingress filtering is disabled, the port accepts all incoming frames.
o If the accept frame type is set to tag-only, the bridge discards untagged frames received at the port. If it is set to all, untagged frames received at the port are accepted and assigned to a VID based on the VID set for this port (the port VLAN ID, PVID).
• In filter mode, the bridge learns the packet source MAC address and VLAN per VLAN domain and adds them to the MAC table with the corresponding source port.
• The bridge forwards as follows:
o Flood broadcast – the bridge forwards multicast packets per VLAN domain to all ports (except the packet source port).
o The bridge forwards unicast packets to the destination port per VLAN domain:
- According to the packet's destination in the MAC table (entries are dynamic, provided by learning source MAC addresses, or static, set by configuration)
- Flooded per VLAN domain to all ports (except the packet source port) when the destination MAC does not exist in the MAC table
- Flooded per VLAN domain to all ports (except the packet source port) in transparent mode
• The bridge transmits packets according to the port definitions in the VLAN membership table:
o Tagged – the bridge transmits with a VLAN tag
o Untagged – the bridge transmits without a VLAN tag
In VLAN-aware mode, the SecFlow-1p bridge can stack or strip VLAN tags on an ingress bridge port to achieve double-VLAN support.
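Both walkthroughs (VLAN-unaware and VLAN-aware), modelled as an added Python example that is not RAD's code: a bridge with per-port settings, a VLAN membership table and a MAC table applies the receive, learn, forward and transmit steps described above. Port numbers, VLAN IDs and MAC addresses are constructed sample values, and tag stacking/stripping is not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass, field, replace


@dataclass
class Frame:
    src: str                # MAC in the manual's xx-xx-xx-xx-xx-xx notation
    dst: str
    vid: int | None = None  # VLAN tag; None means the frame is untagged


@dataclass
class PortCfg:
    pvid: int = 1                     # VID given to untagged frames (default 1)
    accept_tagged_only: bool = False  # accept-frame-type vlan-only
    ingress_filtering: bool = False   # ingress-filtering


@dataclass
class Bridge:
    vlan_aware: bool = False
    filtering: bool = True            # "no filtering" = transparent mode
    ports: dict[int, PortCfg] = field(default_factory=dict)
    # VLAN membership table: vid -> (egress tagged ports, egress untagged ports)
    vlans: dict[int, tuple[set[int], set[int]]] = field(default_factory=dict)
    # MAC table: (vid, mac) -> (bridge port, is_static); vid is None when unaware
    mac_table: dict[tuple[int | None, str], tuple[int, bool]] = field(default_factory=dict)

    def members(self, vid: int) -> set[int]:
        tagged, untagged = self.vlans.get(vid, (set(), set()))
        return tagged | untagged

    def static_mac(self, vid: int, mac: str, port: int) -> None:
        """static-mac <vlan-id> <mac-address> <bridge-port> (VLAN-aware mode only)."""
        assert self.vlan_aware, "static entries exist in VLAN-aware mode only"
        self.mac_table[(vid, mac)] = (port, True)

    def age_out(self) -> None:
        """Every aging-time period (and on clear-mac-table) learned entries go."""
        self.mac_table = {k: v for k, v in self.mac_table.items() if v[1]}

    def receive(self, in_port: int, frame: Frame) -> dict[int, Frame]:
        """Run one frame through the walkthrough; returns {egress port: frame sent}."""
        cfg = self.ports[in_port]
        if self.vlan_aware:
            if frame.vid is None:
                if cfg.accept_tagged_only:
                    return {}                # untagged frame discarded
                vid = cfg.pvid               # untagged frame takes the PVID
            else:
                vid = frame.vid
            if cfg.ingress_filtering and in_port not in self.members(vid):
                return {}                    # port not in the VLAN's member set
            domain = self.members(vid) - {in_port}   # flood scope: the VLAN domain
        else:
            vid = None
            domain = set(self.ports) - {in_port}     # flood scope: all other ports
        # Learning happens in filter mode only; a static entry is never overwritten
        if self.filtering and not self.mac_table.get((vid, frame.src), (0, False))[1]:
            self.mac_table[(vid, frame.src)] = (in_port, False)
        # Group bit of the first octet marks broadcast/multicast: always flooded
        multicast = int(frame.dst.split("-")[0], 16) & 1 == 1
        if multicast or not self.filtering:
            out_ports = domain
        else:   # known unicast: its port only (nothing if that is the source port)
            hit = self.mac_table.get((vid, frame.dst))
            out_ports = {hit[0]} & domain if hit else domain   # unknown: flooded
        if not self.vlan_aware:
            return {p: frame for p in out_ports}     # transmitted as is
        tagged = self.vlans.get(vid, (set(), set()))[0]
        return {p: replace(frame, vid=vid if p in tagged else None) for p in out_ports}


def demo() -> dict:
    """Constructed scenario: bridge 1 in VLAN-aware filter mode, VLAN 200 with
    tagged ports 1 and 3 and untagged port 4; then a VLAN-unaware bridge."""
    rtu, scada = "00-10-94-00-00-06", "00-55-66-77-01-42"
    b = Bridge(vlan_aware=True, vlans={200: ({1, 3}, {4})},
               ports={1: PortCfg(), 3: PortCfg(pvid=200, ingress_filtering=True),
                      4: PortCfg(accept_tagged_only=True)})
    r = {}
    # Untagged broadcast on port 3 gets PVID 200 and floods the VLAN domain
    r["flood"] = b.receive(3, Frame(rtu, "ff-ff-ff-ff-ff-ff"))
    # Reply on VLAN 200 from port 1: the learned entry sends it to port 3 only
    r["unicast"] = b.receive(1, Frame(scada, rtu, vid=200))
    # Port 4 accepts tagged frames only; port 3 is not a member of VLAN 300
    r["untagged_drop"] = b.receive(4, Frame(scada, rtu))
    r["filtered"] = b.receive(3, Frame(rtu, scada, vid=300))
    b.static_mac(200, "12-12-12-11-15-14", 1)
    b.age_out()
    r["after_aging"] = sorted(b.mac_table)      # only the static entry survives
    u = Bridge(ports={1: PortCfg(), 2: PortCfg(), 3: PortCfg()})
    r["unaware_unknown"] = sorted(u.receive(2, Frame(rtu, scada)))  # flooded
    r["unaware_known"] = sorted(u.receive(3, Frame(scada, rtu)))    # port 2 only
    return r
```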
VLAN Membership
The SecFlow-1p bridge supports VLAN domain definition per bridge entity, in VLAN-aware mode only.
For each VLAN domain, the SecFlow-1p bridge supports the following VLAN membership table configuration parameters:
• VLAN-ID
• Egress tagged ports (the ports belong to the VLAN domain and transmit tagged packets)
• Egress untagged ports (the ports belong to the VLAN domain and transmit untagged packets)
MAC Table
The SecFlow-1p bridge erases the MAC table every aging-time period; this implements the MAC table aging mechanism.
Learned MAC table entries can also be cleared on demand with the MAC table clear command.
The SecFlow-1p bridge supports the following static MAC configuration parameters:
• Available in VLAN-aware mode only
• Add/remove static entry
• Static entries include:
o VLAN
o MAC address
o Bridge port
The SecFlow-1p bridge supports a MAC table display per bridge entity with the following information:
• For VLAN-unaware mode:
o MAC address
o Received bridge port
o Status: static/dynamic
• For VLAN-aware mode:
o VLAN-ID
o MAC address
o Received bridge port
o Status: static/dynamic
Bridge Operation
There are 2 bridges to operate:
• Bridge #1 is the LAN bridge; it bridges the Ethernet 3..6 ports and the Ethernet lan-switch port that connects to the router.
• Bridge #2 is the WAN bridge; it bridges the Ethernet 1 and Ethernet 2 ports and the Ethernet wan-switch port that connects to the router.
Setting a bridge is allowed only when all its related ports are not bound to the upper layer (router) and do not have ACL, QoS, PBR or force-next-hop configuration.
A VLAN-unaware bridge operates as follows: once the user activates the bridge ports and binds them to the physical ports, the activated bridge ports forward traffic.
A VLAN-aware bridge operates as follows: once the user activates the bridge ports, binds them to the physical ports and defines VLAN membership for the bridge ports, only the activated bridge ports with VLAN membership forward traffic.
Factory Defaults
By default, no bridge is configured in SecFlow-1p. When you create a bridge, by default it does not contain any bridge ports.
The following table shows the default configuration of a bridge and a bridge port once they are created.
Parameter | Description | Default Value
Bridge
name | Bridge name | BRIDGE <bridge-number>
filtering | Bridge forwarding mode | enable
vlan-aware | Layer 2 bridging according to the VLAN tag | disable
aging-time | Aging time for MAC table entries | 300
vlan | Configure VLAN membership of a VLAN-aware bridge | no VLANs
Bridge Port
name | Bridge port name | BP <port-number>
shutdown | Administrative status of bridge port | shutdown
accept-frame-type | Accepting all received packets | all
bind | Bind bridge port to lower layer | no bind
ingress-filtering | Enable ingress filtering | disable
ingress-tag-handling | Defines the ingress VLAN stacking/stripping mode and affects the egress direction with the opposite operation | none
pvid | Configure PVID | 1
Configuring the Bridge
 To configure the bridge:
1. At the config# prompt, enter bridge <number>; number can be 1 (for the Ethernet 3..6 ports) or 2 (for the Ethernet 1 and Ethernet 2 ports).
2. At the prompt, enter all necessary commands according to the tasks listed below.
Note
Creating a bridge is allowed only when its ports are not bound to any entity and have no configuration of ACL, QoS, PBR and force-next-hop.
Note
Deleting a bridge (no bridge <number>) is allowed only when all bridge ports are not active.

Task: Defining aging time for MAC table entries (seconds)
Command: aging-time <seconds>
Comments: seconds – aging time. Possible values: 60 – 15300 sec

Task: Clearing MAC table learned MAC addresses
Command: clear-mac-table

Task: Enabling/disabling filtering forwarding mode
Commands: filtering, no filtering
Comments:
filtering:
• For VLAN-unaware mode, enables filtering frames received according to the learned MAC address
• For VLAN-aware mode, enables filtering frames received according to the learned MAC address and VLAN
The MAC table is erased every aging time period.
no filtering:
• For VLAN-unaware mode, enables transparent bridge forwarding mode. In this mode, the bridge forwards all frames received to all ports (flooding)
• For VLAN-aware mode, VLAN-aware transparent forwarding

Task: Assigning a name to the bridge
Command: [no] name <bridge-name>
Comments: bridge-name – name assigned to the bridge. Possible values: 1-32 character string. To delete the bridge name, type no name.

Task: Defining the behavior and attributes of bridge ports
Command: port <port-number>
Comments: Possible values: 1-32. To delete a bridge port, enter no port <port-number>. Note: You can delete a bridge port only if it is not active. For detailed configuration of bridge ports, see Configuring Bridge Ports.

Task: Configuring a static MAC address entry in the MAC table
Command: [no] static-mac <vlan-id> <mac-address> <bridge-port>
Comments: Appears in vlan-aware mode only. vlan-id – Possible values: 1–4094. mac-address – xx-xx-xx-xx-xx-xx (hex format, x=0..F). bridge-port – bridge port number. To delete a static MAC address entry from the MAC table, type no static-mac <vlan-id> <mac-address> <bridge-port>.

Task: Displaying the MAC address table
Command: show mac-address-table {static | dynamic | all}
Comments: all – static and dynamic MAC addresses. See Viewing MAC Table.

Task: Displaying VLAN members
Command: show vlans
Comments: Appears in vlan-aware mode only. See Viewing VLANs.

Task: Displaying the bridge port numbers, status, and Ethernet ports bound to them
Command: show summary
Comments: See Viewing Bridge Status.

Task: Defining VLAN membership specifications
Commands: vlan <vlan-id>, no vlan <vlan-id>
Comments: Appears in vlan-aware mode only. Possible values: 1–4094. Type no vlan <vlan-id> to delete the VLAN from the VLAN membership table. See Configuring VLAN.

Task: Enabling or disabling Layer 2 bridging according to the VLAN tag
Commands: vlan-aware, no vlan-aware
Comments: You can change the mode only when there are no active bridge ports.
Configuring Bridge Ports
The following commands are available at the port level, at the config>bridge(<bridge-number>)>port(<port-number>)# prompt.
Note that port 1 (reserved for WAN switching) and port 2 (reserved for WAN switching) have special destinations and cannot be connected to any Ethernet port.

Task: Defining whether to accept all packets or VLAN-tagged packets only
Command: accept-frame-type {all | vlan-only}
Comments: Appears in vlan-aware mode only

Task: Binding a bridge port to a physical or virtual port
Commands: bind ethernet <port name>, no bind
Comments:
Notes:
• You can bind only one bridge port to a specific port.
• You can bind the bridge port only to an existing port that is not bound to any entity, such as a router interface or another bridge port.
• You can enter no bind to remove a bound port.
bridge 1 bind options are as follows: ethernet lan1, ethernet lan2, ethernet lan3, ethernet lan4, ethernet lan-switch.
bridge 2 bind options are as follows: ethernet wan1, ethernet wan2, ethernet wan-switch.
Binding bridges 1 and 2 to other ports is not allowed.

Task: Enabling/disabling ingress filtering according to defined VLANs
Commands: ingress-filtering, no ingress-filtering
Comments: Appears in vlan-aware mode only. When ingress filtering is enabled, SecFlow-1p discards incoming frames for VLANs that do not include the port in their member set. When it is disabled, the port accepts all incoming frames.

Task: Configuring the ingress VLAN stacking/stripping mode, which affects the egress direction with the opposite operation
Command: ingress-tag-handling {none | stacking | stripping} [vlan-id <vlan-id>]
Comments: Appears in vlan-aware mode only. stacking – tag stacking. stripping – tag stripping. vlan-id – VLAN ID assigned whenever the chosen mode is stacking. Possible values: 1 – 4094

Task: Assigning a name to the bridge port
Command: [no] name <port-name>
Comments: port-name – bridge port name. Possible values: 1-32 character string. To delete the bridge port name, enter no name.

Task: Assigning the default port VLAN ID to untagged traffic
Command: pvid <vlan-id>
Comments: Appears in vlan-aware mode only. Possible values: 1 – 4094

Task: Administratively enabling/disabling the bridge port
Command: [no] shutdown
Comments: To administratively disable the bridge port, enter shutdown. Setting the port to 'no shutdown' is allowed only when the port is not bound to another bridge port. Note: Shutting down the bridge port does not stop the traffic.
Configuring VLAN
The following commands are available at the vlan level, at the config>bridge(<bridge-number>)>vlan(<vlan-id>)# prompt.

Task: Defining a list of egress tagged ports
Commands: tagged-port <port-list>, no tagged-port <port-list>

Task: Defining a list of egress untagged ports
Commands: untagged-port <port-list>, no untagged-port <port-list>
Examples
Note
To configure the bridge, you first have to delete the default router interface.
 To configure a VLAN-unaware bridge:
con
#
echo "Port Configuration"
port
  ethernet 3
    no shutdown
    //**Connecting the port to traffic generator**//
  exit
  ethernet 4
    //**Connecting the port to traffic generator**//
    no shutdown
  exit
  ethernet lan-switch
    //**Configuring the lan-switch port**//
    no shutdown
  exit
exit
#
echo "Bridge Configuration"
bridge 1
  //**Configuring bridge 1, by default it is vlan unaware**//
  #
  echo "Bridge Port Configuration"
  port 1
    bind ethernet lan-switch //**Binding lan-switch port**//
    no shutdown
  exit
  port 3
    bind ethernet 3 //**Binding the port connected to traffic generator**//
    no shutdown
  exit
  port 4
    bind ethernet 4 //**Binding the port connected to traffic generator**//
    no shutdown
  exit
exit
router 1
  name "Router#1"
  interface 1
    //**Creating router interface to connect to the lan-switch port that is connected to the bridge**//
    address 10.0.0.1/24
    bind ethernet lan-switch //**Binding to lan-switch port**//
    dhcp-client
      client-id mac
    exit
    no shutdown
  exit
exit
 To configure a VLAN-aware bridge:
exit all
con
#
echo "Terminal Configuration"
terminal
  timeout forever
  console-timeout forever
exit
#
echo "Port Configuration"
port
  ethernet 3
    //**Connecting the port to traffic generator**//
    no shutdown
  exit
  ethernet 4
    //**Connecting the port to traffic generator**//
    no shutdown
  exit
  ethernet lan-switch
    //**Configuring lan-switch port**//
    vlan 200
      //**Configuring VLAN at lan-switch port**//
      no shutdown
      //**Activating VLAN**//
    exit
    no shutdown
    //**Activating the port**//
  exit
exit
#
echo "Bridge Configuration"
bridge 1
  //**Configuring bridge 1**//
  vlan-aware
  //**Enabling vlan aware mode**//
  filtering
  #
  echo "VLAN Configuration"
  vlan 200
    //**Configuring vlan at bridge**//
    tagged-port 1,3..4 //**Configure vlan tagged ports**//
  exit
  #
  echo "Bridge Port Configuration"
  port 1
    bind ethernet lan-switch //**Binding lan-switch port**//
    no shutdown
  exit
  port 3
    bind ethernet 3
    //**Binding the port connected to traffic generator**//
    no shutdown
  exit
  port 4
    bind ethernet 4
    //**Binding the port connected to traffic generator**//
    no shutdown
  exit
exit
router 1
  name "Router#1"
  //**Creating router interface to be connected to the lan-switch port which is connected to the bridge**//
  interface 1
    address 10.0.0.1/24
    bind ethernet lan-switch vlan 200 //**Binding to lan-switch port with the same vlan**//
    dhcp-client
      client-id mac
    exit
    no shutdown
  exit
exit
Viewing Bridge Status
Viewing Bridge Summary
 To display the bridge summary:
• At the config>bridge(bridge_number)# prompt, enter show summary.
The summary is displayed.
config>bridge(1)# show summary
Num   Admin Status   Bind
----------------------------------------
1     Up             Eth lan-switch
2     Up             Eth 3
3     Up             Eth 4
The above fields are:
Num – Bridge port number
Admin Status – Entry status. Possible values: Up, Down
Bind – Port the bridge port is bound to
Viewing MAC Table
You can display the MAC table, which provides information on static and dynamic addresses and the bridge ports associated with them.
 To display the MAC address table:
• At the config>bridge(bridge_number)# prompt, enter show mac-address-table all.
The MAC address table is displayed.
Note
VLAN-unaware mode: SecFlow-1p displays only the first 1000 entries. To view the entire MAC table, download it to your PC using SFTP. For this, refer to File Operations.
VLAN-aware mode:
config>bridge(1)# show mac-address-table all
Total MAC Addresses   : 3
Static MAC Addresses  : 1
Dynamic MAC Addresses : 2

VLAN   Static MAC Address   Port   Status
------------------------------------------
100    12-12-12-11-15-14    1      Static

VLAN   Learned MAC Address  Port   Status
------------------------------------------
100    00-10-94-00-00-06    3      Dynamic
100    00-55-66-77-01-42    1      Dynamic
VLAN-unaware mode:
config>bridge(1)# show mac-address-table all
Total MAC Addresses   : 3
Static MAC Addresses  : 1
Dynamic MAC Addresses : 2

Static MAC Address   Port   Status
-----------------------------------
12-12-12-11-15-14    1      Static

Learned MAC Address  Port   Status
-----------------------------------
00-10-94-00-00-06    3      Dynamic
00-55-66-77-01-42    1      Dynamic
The above fields are:
Total MAC Addresses – Total number of entries in the MAC address table
Static MAC Addresses – Number of static entries in the MAC address table
Dynamic MAC Addresses – Number of dynamic entries in the MAC address table
VLAN – VLAN ID domain
MAC Address – Learned MAC address in the MAC address table
Port – Received bridge port
Status – Entry status. Possible values: Static, Dynamic
Viewing VLANs
 To display VLAN domain members:
• At the config>bridge(bridge_number)# prompt, enter show vlans.
The VLAN members are displayed per VLAN.
config>bridge(1)# show vlans
VLAN ID        : 100
-------------- :
Tagged Ports   : 1..4
Untagged Ports : 0
Configuration Errors
SecFlow-1p generates the following messages when it detects a configuration error.

Message: Cannot create – LAN ports are bound to another entity or have configuration of ACL, QoS, PBR or force-next-hop
Cause: You tried to create bridge 1 while the Ethernet 3..6 ports were bound to other ports or had configuration of ACL, QoS, PBR or force-next-hop.

Message: Cannot create – WAN ports are bound to another entity or have configuration of ACL, QoS, PBR or force-next-hop
Cause: You tried to create bridge 2 while the Ethernet 1..2 ports were bound to other ports or had configuration of ACL, QoS, PBR or force-next-hop.

Message: Port does not exist
Cause: You tried binding the bridge port to a port that does not exist.
Corrective Action: Select another port that does exist, or create a port and then bind the bridge port to it.

Message: Port is already bound
Cause: You tried binding the bridge port to a port that is already bound to another entity.
Corrective Action: Unbind the port from the other entity.

Message: Upper layer is bound to bridge port
Cause: You tried to delete a bridge while there are ports bound by an upper layer entity.
Corrective Action: Unbind the port from the upper layer entity.

Message: Cannot modify – there are active bridge ports
Cause: You tried to change the VLAN aware/unaware mode on a bridge with active bridge ports.
Corrective Action: Set the admin status of the active bridge ports to "down"; then you can change the bridge mode.

Message: Cannot modify – bridge port is active
Cause: You tried to unbind or modify an active bridge port.
Corrective Action: Set the admin status of the active bridge port to "down"; then you can unbind or modify it.

Message: Cannot bind – port does not exist
Cause: You tried to bind a non-existing port.

Message: Cannot bind – port is already bound
Cause: You tried to bind a port that is already bound to a bridge port or router interface.
Corrective Action: LAN ports can be bound once in bridge 1. WAN ports can be bound once in bridge 2. The lan-switch port can be bound once in bridge 1 and once by a router interface. The wan-switch port can be bound once in bridge 2 and once by a router interface. lan-switch and wan-switch ports with defined VLAN ports can be bound to a bridge port and a router interface.

Message: Cannot modify – bridge port is not bound
Cause: You tried to enable a bridge port that is not bound to a lower layer port.
Corrective Action: Bind the bridge port to a lower layer port.

Message: Bridge port is already assigned to membership list
Cause: You tried to add a bridge port that is already assigned to another membership set.
Corrective Action: Exclude the bridge port from the other membership set; then you can add it to the new list.

Message: Cannot bind – port does not belong to bridge 1
Cause: bridge 1 bind options are as follows: ethernet 3, ethernet 4, ethernet 5, ethernet 6, ethernet lan-switch. Binding to another port is not allowed.

Message: Cannot bind – port does not belong to bridge 2
Cause: bridge 2 bind options are as follows: ethernet 1, ethernet 2, ethernet wan-switch. Binding to another port is not allowed.
6.2 DNP3 Gateway
DNP3 (Distributed Network Protocol) is a set of communications protocols used in SCADA applications. SecFlow-1p features gateway functionality between a DNP3 TCP client (master) and a DNP3 serial RTU.
A DNP3 gateway is configured with a terminal server using a TCP port with a number equal to or higher than 20000.
Configuring DNP3 Gateway
The figure below demonstrates the DNP3 gateway configuration.
Figure: DNP3 Gateway Example (SecFlow-1p as the gateway, with Serial 1 and Serial 2 connected to DNP3 RTUs and ETH1 at 192.168.40.10 connected to the DNP3 client at 192.168.40.11)
 To configure the DNP3 gateway:
*** Activate terminal server ***
configure
  system
    serial
      terminal-server
        no shutdown
      exit
    exit
  exit
*** Assign serial ports for the DNP3 RTU connections and the gateway using the terminal server ***
  port
    serial 1
      no shutdown
      terminal-server 1
        local-address 192.168.40.10
        telnet-server-tcp port 20000
      exit
    exit
    serial 2
      no shutdown
      terminal-server 1
        local-address 192.168.40.10
        telnet-server-tcp port 20001
      exit
    exit
  exit
*** Assign the gateway IP interface ***
  router 1
    name "Router#1"
    interface 32
      address 192.168.40.10/24
      bind ethernet 6
      dhcp-client
        client-id mac
      exit
      no shutdown
    exit
  exit
exit
6.3 GRE Tunneling
SecFlow-1p supports the Generic Routing Encapsulation (GRE) protocol, which sets up point-to-point tunnels between two sites and encapsulates other protocols. SecFlow-1p supports point-to-point GRE spoke functionality.
Applicability and Scaling
This feature is applicable to all versions of SecFlow-1p.
Standards Compliance
RFC 2784 – Generic Routing Encapsulation (GRE)
RFC 4087 – IP Tunnel MIB
Functional Description
The terminology used in this section is described in the following table (term – stands for – description):
GRE – Generic Routing Encapsulation – Protocol that sets up point-to-point tunnels between two sites and encapsulates other protocols
Hub – Central router
Spoke – All devices that contact the hub (central router)
GRE Tunneling
GRE tunneling is accomplished through routable tunnel endpoints that operate on top of existing endpoints.
Routers use GRE to send traffic through an intervening network that does not support the protocols or addresses of the incoming packets. GRE encapsulates packets into another IP packet with its own IP header. For example, you can create an IPv4 tunnel to send IPv6 traffic through a network that handles IPv4 traffic.
The device complies with the Generic Routing Encapsulation standard (RFC 2784).
A GRE encapsulated packet has the form:
---------------------------------
|        Delivery Header        |
---------------------------------
|          GRE Header           |
---------------------------------
|        Payload packet         |
---------------------------------
SecFlow-1p supports configuration of tunnel interfaces under the router level.
You can configure the tunnel MTU, or calculate it based on the MTU of the media the tunnel passes through.
SecFlow-1p supports IP fragmentation and defragmentation in tunnels, for packets that are larger than the tunnel IP MTU.
Both the delivery (encapsulating) and payload (encapsulated) protocols can be either IPv4 or IPv6, independently of each other.
A GRE tunnel remains operationally up once you configure it with the following:
• A valid tunnel source address or interface
• A valid, routable tunnel destination IP address
• A valid IP address for the tunnel
A GRE tunnel becomes operationally down under any of the following conditions:
• There is no route to the tunnel destination address.
• The interface that anchors the tunnel source is down.
• The route to the tunnel destination address is through the tunnel itself.
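The up/down conditions above, together with the calculated ip-mtu values (1476 for IPv4, 1456 for IPv6), as an added Python example that is not RAD's code: a longest-prefix route lookup decides whether the destination is reachable, unreachable, or reachable only through the tunnel itself. The interface names, routes and the 1500-byte media MTU are assumptions, and RECURSIVE is a label added here because the manual names no status for the recursive-route case.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

GRE_HEADER_LEN = 4       # RFC 2784 base header: flags/version plus protocol type
MEDIA_IP_MTU = 1500      # assumed IP MTU of the media the tunnel passes through
IP_HEADER_LEN = {"ipv4": 20, "ipv6": 40}


def tunnel_ip_mtu(configured: int, delivery: str) -> int | None:
    """ip-mtu semantics: a non-zero value is used as configured; 0 means the MTU is
    calculated from the delivery protocol, i.e. the media MTU minus the delivery IP
    header minus the GRE header (1476 for IPv4, 1456 for IPv6). An unknown address
    type yields None, which the status display shows as '--'."""
    if configured:
        return configured
    if delivery in IP_HEADER_LEN:
        return MEDIA_IP_MTU - IP_HEADER_LEN[delivery] - GRE_HEADER_LEN
    return None


@dataclass(frozen=True)
class Route:
    prefix: str       # destination prefix, e.g. "2.2.2.0/24"
    via: str          # egress interface name (constructed naming, e.g. "rif-1/2")


@dataclass(frozen=True)
class Tunnel:
    name: str                  # the tunnel's own interface name
    address: str | None        # ip-address <ip-address/prefix-length>
    source_iface: str | None   # tunnel-source router-interface <number>
    destination: str | None    # tunnel-destination <ip-address>


def best_route(routes: list[Route], dst: str) -> Route | None:
    """Longest-prefix match of dst against the routing table."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def oper_status(t: Tunnel, routes: list[Route], iface_up: dict[str, bool]) -> str:
    """Apply the up/down conditions listed above. Status strings follow the
    'show status' values in this section; RECURSIVE is a label added here for the
    'route to the destination is through the tunnel itself' case."""
    if not (t.address and t.source_iface and t.destination):
        return "NotConfigured"
    if not iface_up.get(t.source_iface, False):
        return "LLD"                       # Lower Layer Down: anchoring interface down
    route = best_route(routes, t.destination)
    if route is None:
        return "No Route To Destination"
    if route.via == t.name:
        return "RECURSIVE"                 # tunnel would carry its own delivery packets
    return "Up"


def demo() -> dict:
    """Constructed scenario based on the Router A example: tunnel1 anchored on
    router interface rif-1/2, destination 2.2.2.1, tunnel address 10.10.10.1/30."""
    t = Tunnel("tunnel1", "10.10.10.1/30", "rif-1/2", "2.2.2.1")
    up = {"rif-1/2": True}
    routes = [Route("2.2.2.0/24", "rif-1/2"), Route("10.10.10.0/30", "tunnel1")]
    r = {"ok": oper_status(t, routes, up)}
    r["iface_down"] = oper_status(t, routes, {"rif-1/2": False})
    r["no_route"] = oper_status(t, [routes[1]], up)
    # A default route pointing into the tunnel makes the destination recursive
    r["recursive"] = oper_status(t, [routes[1], Route("0.0.0.0/0", "tunnel1")], up)
    r["unconfigured"] = oper_status(Tunnel("tunnel2", None, "rif-1/2", "2.2.2.1"), routes, up)
    r["mtu"] = (tunnel_ip_mtu(0, "ipv4"), tunnel_ip_mtu(0, "ipv6"), tunnel_ip_mtu(1400, "ipv4"))
    return r
```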
Factory Defaults
Parameter | Description | Default Value
ip-mtu | IP MTU of tunnel | For IPv4 – 1476; for IPv6 – 1456
Configuring Tunneling
Use the commands in the following procedure to create a point-to-point GRE tunnel:
• Configure the tunnel address – the IP address defined on the tunnel interface.
• Configure the tunnel source.
• Configure the tunnel destination.
 To configure tunneling:
1. Navigate to configure router <number> to select the router interface on which to configure GRE tunneling.
2. At the config>router(<number>)# prompt that is displayed, enter tunnel-interface <number> gre-ip
The config>router(<number>)>tunnel-interface(<number>)# prompt is displayed. The tunnel is identified by this number.
3. Enter all necessary commands according to the tasks listed below.

Task: Defining tunnel IP address and prefix length
Command: ip-address <ip-address/prefix-length>
Comments: Entering no ip-address removes the tunnel IP address. ip-address – valid unicast IPv4 or non-link-local IPv6 address with compatible prefix length.
Notes:
• A tunnel can have only one address. If you repeat the command, the last instance applies.
• The tunnel address cannot be the address of another tunnel or of a router interface.
• Both ends of the tunnel should be on the same network.

Task: Defining tunnel IP MTU
Command: ip-mtu <number>
Comments: Entering no ip-mtu removes the IP MTU from the tunnel interface. Possible values: 0 (no IP MTU), 128-65535. Note: 0 means that the MTU is calculated according to the delivery protocol: 1476 for IPv4 and 1456 for IPv6.

Task: Binding a PBR rule to the port
Commands: policy-based-route priority <priority> match-acl <name> {next-hop <ip-address>} interface <type, index>, no policy-based-route priority <priority>
Comments: See Configuring PBR.

Task: Displaying tunnel status
Command: show status
Comments: See Viewing GRE Status.

Task: Defining tunnel destination IP address
Command: tunnel-destination <ip-address>
Comments: Entering no tunnel-destination removes the address. Possible values: valid unicast IPv4 or non-link-local IPv6 address. Note: The source and destination addresses must both be IPv4 or both be IPv6.

Task: Configuring GREoIPsec underlay destination
Command: tunnel-underlay-destination <ip-address>
Comments: Entering no tunnel-underlay-destination removes the address. Possible values: valid unicast IPv4 or non-link-local IPv6 address. Note: The source and destination addresses must both be IPv4 or both be IPv6.

Task: Configuring GREoIPsec underlay source
Command: tunnel-underlay-source [<ip-address>] [router-interface <number>]
Comments: Entering no tunnel-underlay-source removes the address. Possible values: ip-address – valid unicast IPv4 or non-link-local IPv6 address; number – number of a non-loopback router interface.
Notes:
• Either the IP address or the router interface number must be defined, not both.
• The tunnel and the router interface anchoring it must be on the same router.
• The source and destination addresses must both be IPv4 or both be IPv6.

Task: Defining the source IP address or router interface number used to bind the tunnel to a router interface
Command: tunnel-source [<ip-address>] [router-interface <number>]
Comments: Entering no tunnel-source removes the address. Possible values: ip-address – valid unicast IPv4 or non-link-local IPv6 address; number – number of a non-loopback router interface.
Notes:
• Either the IP address or the router interface number must be defined, not both.
• The tunnel and the router interface anchoring it must be on the same router.
• The source and destination addresses must both be IPv4 or both be IPv6.

 To remove a GRE tunnel:
1. Navigate to configure router <number> to select the router interface from which to remove the GRE tunnel.
2. At the config>router(<number>)# prompt that is displayed, enter no tunnel-interface <number>.
Configuration Errors
The following table lists the messages generated by SecFlow-1p when a configuration error is detected.

Message: Tunnel exists with a different type
Cause: You tried changing the type of an existing tunnel.
Corrective Action: Create a new tunnel of the new type.

Message: Maximum number of tunnels exceeded
Cause: You tried to create more tunnels than your device allows.

Message: Invalid address; enter a unicast address
Cause: You tried to enter a broadcast or multicast address as the tunnel address.
Corrective Action: Enter a valid unicast IPv4 or IPv6 address with a compatible prefix length.

Message: The address is assigned to another interface
Cause: You tried to configure the tunnel with an address of an already existing tunnel or router interface.
Corrective Action: Assign a unique address to the tunnel.

Message: Configure either source address or interface, not both
Cause: You tried to configure the router interface anchoring the tunnel with both an address and an interface.
Corrective Action: Remove one of the configurations: either the address or the interface.

Message: Source and destination must be both IPv4 or both IPv6
Cause: You tried to configure the tunnel destination with an IPv4 address while the tunnel source is an IPv6 address, or the tunnel source with an IPv4 address while the tunnel destination is an IPv6 address.
Corrective Action: Define the destination and source with the same type of IP address – both IPv4 or both IPv6.
Examples
 To configure a tunnel from Router A to Router B:
# Router A
tunnel-interface 1 gre-ip
  tunnel-source 2.2.2.2
  tunnel-destination 2.2.2.1
  ip-address 10.10.10.1/30
exit
 To configure a tunnel from Router B to Router A:
# Router B
tunnel-interface 1 gre-ip
  tunnel-source 2.2.2.1
  tunnel-destination 2.2.2.2
  ip-address 10.10.10.2/30
exit
Viewing GRE Status
You can display the current GRE tunnel status.
 To display GRE tunnel status:
• At the config>router(<number>)>tunnel-interface(<number>)# prompt, enter show status.
The GRE tunnel status is displayed.
config>router(1)>tunnel-interface(1)$ show status
Tunnel                   : 1
Tunnel Name              : tunnel1
Type                     : GRE-IP
Status
  Admin                  : Enabled
  Oper                   : Up
Tunnel Attachment Circuit: Bridge 1 Port 1
Tunnel Address           : 10.10.10.1/30
Tunnel Source
  Interface              : Router Interface 1/2 (Ethernet lan2/1)
  Address                : 1.1.1.1
Tunnel Destination       : 2.2.2.2
IP MTU                   : 1476 (Calculated)
Up For (seconds)         : 0 Day(s), 0:52:13
Input
  Bytes                  : 10000
  Packets                : 150
Output
  Bytes                  : 5000
  Packets                : 100
The above fields are:
Tunnel – Tunnel number
Type – Tunnel type. Possible value: GRE or IPsec
Status – Tunnel administrative and operational status. Possible values:
• Up
• NotConfigured
• LLD - Lower Layer Down
• No Route To Destination
Tunnel Address – Tunnel IP address. Possible values:
• -- (Tunnel address is not configured.)
• <IPv4 or IPv6 unicast address>/<prefix length>
Tunnel Source Interface – Router interface anchoring the tunnel. Possible values:
• -- (No interface is configured.)
• Router Interface <router number>/<interface number>
Tunnel Source Address – Tunnel source IP address. Possible values:
• -- (Tunnel source IP address is not configured.)
• IPv4 or IPv6 unicast address
Tunnel Destination – Tunnel destination IP address. Possible values:
• -- (Tunnel destination IP address is not configured.)
• IPv4 or IPv6 unicast address
IP MTU – Tunnel IP MTU. Possible values: --, number
• If the tunnel IP MTU configuration is non-zero, it is printed.
• If the tunnel IP MTU configuration is zero:
o If the tunnel source address type is IPv4, 1476 is printed.
o If the tunnel source address type is IPv6, 1456 is printed.
o If the tunnel source address type is unknown, -- is printed.
Up For (seconds) – Tunnel uptime. Possible values: time in seconds; display hint: ddd Days, hh:mm:ss
Input Bytes – Number of Rx bytes since the tunnel came up
Input Packets – Number of Rx packets since the tunnel came up
Output Bytes – Number of Tx bytes since the tunnel came up
Output Packets – Number of Tx packets since the tunnel came up
Last Registration – Last registration request status. Possible values:
• -- (registration was not sent; no entry in this table for the tunnel)
• Registering
• ACK (ACK received)
• NAK (NAK received)
6.4 IPsec
IPsec is a protocol suite for securing private communication across IP networks.
SecFlow-1p supports IPsec on router interfaces having an IPv4 address, with the following main features:
• Tunnel mode
• ESP with the following algorithms: AES CBC 128 and 256, AES GCM 128 and 256, AES GMAC 128 and 256, null encryption, SHA-1, SHA-2 256 and 512
• DH groups:
o 1 (768-bit modulus)
o 2 (1024-bit modulus)
o 5 (1536-bit modulus)
o 14 (2048-bit modulus)
o 19 (256-bit elliptic curve)
o 20 (384-bit elliptic curve)
• IKEv1 (main and aggressive mode) and IKEv2
• IKE authentication with pre-shared keys
• IKE algorithms AES CBC 128 and 256, SHA-1, SHA-2 256 and 512
• Configurable IKE identities, enabling IPsec between peers whose IP address is unknown at the time of configuration
• IPsec over GRE
• Policy-based and route-based IPsec
• Simple redundancy mechanism for route-based IPsec tunnels
• IPv4 and IPv6
• NAT traversal
• The transport (underlay) router can differ from the router on which the tunnel is configured.
In tunnel mode, SecFlow-1p adds an IPsec header before the original packet, then encapsulates it with a new IP header whose source and destination addresses are those of the tunnel peers. This mode is usually used between two gateways protecting the machines behind them.
IPsec tunnels always ensure the integrity of the traffic they protect. Encryption is optional. SecFlow-1p supports Encapsulating Security Payload (ESP), which provides both integrity and confidentiality (i.e. encryption). ESP operates on top of IP, using IP protocol 50.
Applicability and Scaling
This feature is applicable to all the device versions.
AH is not supported, since similar functionality can be achieved with ESP with null encryption.
SecFlow-1p supports up to four proposals (policies). Up to 20 crypto maps can be configured. Up to 20 transform sets can be configured.
Only tunnel mode of operation is supported; transport mode is not supported.
Standards Compliance
RFC 5996 – Internet Key Exchange Protocol Version 2 (IKEv2)
RFC 7383 – Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation
Benefits
IPsec automatically secures applications at the IP layer.
Functional Description
The terminology used in this section is described in the following table (term – stands for – description):
ESP – Encapsulating Security Payload – Protocol that provides origin authenticity, integrity, and confidentiality protection of IP packets
IKE – Internet Key Exchange
ISAKMP – Internet Security Association and Key Management Protocol – Provides a framework for agreeing to the format of SA attributes, and for negotiating, modifying, and deleting SAs.
IPsec – IP Security – A protocol suite for securing private communication across IP networks
PSK – Pre-shared key – Authentication method for IPsec phase-one (IKE) policies
PFS – Perfect Forward Secrecy
DH group – Diffie-Hellman group
SA – Security Association – Relationship between two or more entities (VPN hubs and spokes) that describes how the entities will utilize security services to communicate securely.
Crypto Map
SecFlow-1p supports the configuration of crypto maps - IPsec profiles that determine how IPsec tunnels
are established and maintained.
Crypto maps define tunnel policies. These policies determine how IPsec processes data packets.
A valid crypto map should be configured with the following:
• At least one IPsec phase one (IKE) policy
• At least one source and one destination protected network
• Peer address
• At least one transform set
After a crypto map is configured, and is associated with an operational router interface, SecFlow-1p
establishes and maintains an IPsec tunnel.
You can associate multiple crypto maps with one router interface. For each map, SecFlow-1p maintains
a separate tunnel. When a packet enters or has to be forwarded, SecFlow-1p tries to match it against
the maps’ protected networks in the order of the map sequence numbers (lowest first). If multiple maps
have the same number, they are checked in the order of their names (lowest first). A packet is handled
by the first crypto map that matches it. Whatever the map does with it is final, even if the packet
matches another map (with lower priority).
Outgoing packets whose source and destination IP addresses match the crypto map protected network
configuration, are processed by the crypto map before being forwarded. Incoming packets matching the
configuration (after reversing its source and destination) are expected to be IPsec protected as well. If
not, they are discarded.
Packets whose source and destination IP addresses do not match the crypto map protected network
configuration, are not processed by the crypto map (in both directions). They may be handled by a
different crypto map, should they match its rules; otherwise, they are forwarded in the clear.
SecFlow-1p supports crypto map binding to a router or tunnel interface. A map can be associated with
multiple interfaces, and multiple maps may be associated with one interface.
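The map-selection rules above (lowest sequence number first, then name; first match is final; incoming clear-text packets that should have been protected are dropped) as an added Python model. This is example code, not RAD's implementation, and the map names, networks and addresses are constructed sample values.

```python
"""Added example (not RAD's code): how SecFlow-1p, as described in the manual,
picks a crypto map for a packet and what it then does with the packet.
Map names, protected networks and addresses are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class CryptoMap:
    name: str
    sequence: int                 # sequence-number (device default is 10)
    sources: List[str]            # match-source networks
    destinations: List[str]       # match-destination networks
    established: bool = True      # is the IPsec tunnel for this map up?

    def matches(self, src: str, dst: str) -> bool:
        """Packet is covered when src is in a protected source network
        and dst is in a protected destination network."""
        s, d = ip_address(src), ip_address(dst)
        return (any(s in ip_network(n) for n in self.sources)
                and any(d in ip_network(n) for n in self.destinations))


def ordered(maps: List[CryptoMap]) -> List[CryptoMap]:
    """Maps are tried lowest sequence number first; equal numbers are
    ordered by name (lowest first)."""
    return sorted(maps, key=lambda m: (m.sequence, m.name))


def select_map(maps: List[CryptoMap], src: str, dst: str,
               incoming: bool = False) -> Optional[CryptoMap]:
    """First matching map wins; for incoming packets the protected
    networks are compared with source and destination reversed."""
    if incoming:
        src, dst = dst, src
    for m in ordered(maps):
        if m.matches(src, dst):
            return m
    return None


def forward_decision(maps: List[CryptoMap], src: str, dst: str,
                     incoming: bool = False, ipsec_protected: bool = False) -> str:
    """'ipsec:<map>' - handled by that map's tunnel
    'drop'          - tunnel not established, or an incoming clear-text
                      packet that was expected to be IPsec protected
    'clear'         - no map matched; forwarded in the clear"""
    m = select_map(maps, src, dst, incoming)
    if m is None:
        return "clear"
    if not m.established:
        return "drop"
    if incoming and not ipsec_protected:
        return "drop"
    return f"ipsec:{m.name}"


# Constructed configuration: two maps share sequence 10 (tie broken by name),
# a third with a lower number is checked first but its tunnel is down.
SAMPLE_MAPS = [
    CryptoMap("plant-b", 10, ["10.1.0.0/16"], ["10.3.0.0/16"]),
    CryptoMap("plant-a", 10, ["10.1.0.0/16"], ["10.2.0.0/16", "10.3.0.0/16"]),
    CryptoMap("scada", 5, ["10.1.5.0/24"], ["10.3.0.0/16"], established=False),
]

if __name__ == "__main__":
    print([m.name for m in ordered(SAMPLE_MAPS)])
    print(forward_decision(SAMPLE_MAPS, "10.1.1.1", "10.3.1.1"))
    print(forward_decision(SAMPLE_MAPS, "10.1.5.9", "10.3.1.1"))
    print(forward_decision(SAMPLE_MAPS, "10.3.1.1", "10.1.1.1", incoming=True))
    print(forward_decision(SAMPLE_MAPS, "192.0.2.1", "10.1.1.1"))
```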
Security Associations (SAs)
A Security Association (SA) is a relationship between two peers that describes how the entities will
utilize security services to communicate securely.
This relationship is represented by a set of information that can be considered a contract between the
entities. The information must be agreed upon and shared between all the entities.
ISAKMP (IKE) provides the protocol exchanges that establish a security association between the negotiating
entities; these entities then establish a further security association on behalf of ESP.
Each SA (IKE) has its own lifetime. When it expires, the SA is deleted.
Transform Sets
SecFlow-1p supports the configuration of up to 20 transform sets, which define the algorithms to be
used in IPsec phase 2.
Internet Security Association and Key Management Protocol (ISAKMP)
ISAKMP provides a framework for agreeing to the format of SA attributes, and for negotiating,
modifying, and deleting SAs.
An initial protocol exchange allows a basic set of security attributes to be agreed upon. This basic set
provides protection for subsequent ISAKMP exchanges. It also indicates the authentication method and
key exchange that will be performed as part of the ISAKMP protocol. After the basic set of security
attributes is agreed upon, initial identity authenticated, and required keys generated, the established SA
can be used for the protection of the VPN tunnels.
The ISAKMP implementation guards against denial of service, replay/reflection, and man-in-the-middle
attacks against the protocol.
A security association (SA) is a set of policy and key(s) used to protect information. ISAKMP SA is the
shared policy and key(s) used by the negotiating peers to protect their communication.
ISAKMP uses the Internet Key Exchange (IKEv1) for the authentication and encryption establishment.
Internet Key Exchange (IKE)
IKE negotiates the IPsec security associations (SAs). This process requires that the IPsec systems first
authenticate themselves to each other and establish ISAKMP (IKE) shared keys.
If IKEv2 is configured, the device must support fragmentation, which it advertises by sending the
IKEV2_FRAGMENTATION_SUPPORTED notification in the IKE_SA_INIT exchange. If the peer does not
support fragmentation, the tunnel is established without fragmentation support. If the peer supports
fragmentation, it is up to the initiator to decide whether to use it. If the device is the initiator, fragmentation is
available, with an MTU of 576 for IPv4 and 1280 for IPv6.
Phase 1
In Phase 1, two IPsec peers establish a secure, authenticated channel to communicate. The result of this process is
called the ISAKMP Security Association (SA) or IKE Security Association.
The authentication is supported with Pre-Shared Keys.
Policies
SecFlow-1p supports the configuration of up to twenty IPsec phase-one (IKE) policies.
The following elements are configurable:
• Authentication method (currently only the PSK (pre-shared keys) method is supported)
• Encryption algorithm
• Key exchange algorithm – Diffie-Hellman group
• Hashing algorithm
• SA lifetime
• Exchange mode
Phase-one policies (i.e. proposals) are globally configured. Each has a sequence number that determines
its priority (lowest number has the highest priority). They are proposed to the peers in the same order
by all the IPsec tunnels.
If IKEv2 is configured, SecFlow-1p acts as both initiator and responder, that is, it accepts tunnel initiation
from a peer, and if the peer does not initiate the tunnel, it initiates the tunnel itself.
SecFlow-1p accepts the first policy proposed by a peer that it supports. If the mandatory elements
are configured, SecFlow-1p starts negotiating the IPsec tunnel with the configured peer.
If the process fails, SecFlow-1p retries, using a backoff algorithm, after 1 second, 2, 4, 8, 16, 32 and 64
seconds; then restarts the sequence.
If the peer does not answer, or the peer responds but the parties cannot agree, SecFlow-1p raises an
alarm.
SecFlow-1p drops packets, incoming or outgoing, which are supposed to pass through an IPsec tunnel, if
that tunnel is not established.
Diffie Hellman
DH (Diffie-Hellman) describes a means for two parties to agree upon a shared secret. This secret may
then be converted into cryptographic keying material for other (symmetric) algorithms. The Diffie-Hellman key agreement requires that both the sender and recipient of a message have key pairs. The
private key of each member is never sent over the insecure channel. The public key is generated from
the private key by each member and is the one sent over the insecure channel. By combining one's
private key and the other party's public key, both parties can compute the same shared secret number.
This number can then be converted into cryptographic keying material. That keying material is typically
used as a key-encryption key (KEK) to encrypt the IPsec tunnel traffic. This key is kept secret and never
exchanged over the insecure channel.
D-H groups are identified by a group number. The higher the group number, the higher the security
level.
Pre-shared Keys (PSKs)
SecFlow-1p supports the configuration of up to twenty pre-shared keys (PSKs) for IKE phase-1
authentication.
You configure PSKs at the Crypto level for pairs of addresses and prefix lengths. SecFlow-1p uses the one
with the longest prefix match.
You can configure PSKs for hosts or subnets. If a key is shared across a subnet, all the IPsec tunnels
to peers on that subnet use the same key. This is not recommended, as a breached key affects the
security of multiple tunnels. When SecFlow-1p looks for a pre-shared key to use, if there is a key for the
peer address, it uses it. If there is no key for the peer, it uses the key configured for the subnet with the
longest prefix that contains the peer address.
The encryption, hash, and authentication algorithms for use with a pre-shared key are part of the state
information distributed with the key itself. Each peer must have a unique ID and a common shared key
known to the remote peer.
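The PSK lookup described above as an added Python model (not RAD's code): the host key is used when present, otherwise the subnet key with the longest prefix that contains the peer, and the address/prefix agreement check of the isakmp-key command is applied on entry. Key strings and addresses are constructed sample values, and affected_peers illustrates how many tunnels a single breached subnet key would expose.

```python
"""Added example (not RAD's code): pre-shared key table modelled on
isakmp-key <key> address <ip>[/<prefix>], with the longest-prefix lookup
described in the manual. All keys and addresses are constructed samples."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


def add_psk(table: Dict[IPv4Network, str], key: str, address: str,
            prefix: int = 32) -> None:
    """Store a PSK: key must be 1-255 characters, the prefix length must
    agree with the address (a host address only with /32), and re-entering
    an existing address/prefix pair replaces the previous key."""
    if not 1 <= len(key) <= 255:
        raise ValueError("pre-shared key must be 1-255 characters")
    net = ip_network(f"{address}/{prefix}", strict=False)
    if str(net.network_address) != address:
        raise ValueError(f"{address}/{prefix}: prefix length must agree with the address")
    table[net] = key


def lookup_psk(table: Dict[IPv4Network, str], peer: str) -> Optional[Tuple[str, str]]:
    """Host key first; otherwise the longest-prefix subnet containing the
    peer. Returns (key, reason) or None when no key covers the peer."""
    peer_ip = ip_address(peer)
    host = ip_network(f"{peer}/32")
    if host in table:
        return table[host], "host key"
    best: Optional[Tuple[IPv4Network, str]] = None
    for net, key in table.items():
        if peer_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, key)
    return (best[1], f"subnet key {best[0]}") if best else None


def affected_peers(table: Dict[IPv4Network, str], leaked_net: str,
                   peers: List[str]) -> List[str]:
    """Peers whose tunnels resolve to the key of leaked_net, i.e. the blast
    radius of one breached subnet key (the manual's reason to prefer host keys)."""
    return [p for p in peers
            if (r := lookup_psk(table, p)) is not None and r[1].endswith(leaked_net)]


def build_sample() -> Dict[IPv4Network, str]:
    """Constructed table: a site-wide /16 key, a /24 cell key, one host key."""
    t: Dict[IPv4Network, str] = {}
    add_psk(t, "site-key-example", "10.10.0.0", 16)
    add_psk(t, "cell-key-example", "10.10.4.0", 24)
    add_psk(t, "rtu7-key-example", "10.10.4.7")
    return t


if __name__ == "__main__":
    t = build_sample()
    for peer in ("10.10.4.7", "10.10.4.8", "10.10.9.1", "192.0.2.1"):
        print(peer, lookup_psk(t, peer))
    print(affected_peers(t, "10.10.0.0/16", ["10.10.4.7", "10.10.9.1", "10.10.200.3"]))
```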
Exchange Modes
There are two Exchange modes: Main and Aggressive.
Main mode is the more secure option for Phase 1, as it provides identity protection.
A session flow is as follows:
• A session begins with the initiator sending a proposal to the responder describing which encryption and authentication protocols are supported, the lifetime of the keys, and whether phase 2 perfect forward secrecy should be implemented. The proposal may contain several offerings. The responder chooses from the offerings and replies to the initiator.
• The next exchange passes Diffie-Hellman public keys and other data. All further negotiation is encrypted within the IKE SA.
• The third exchange authenticates the ISAKMP session. Once the IKE SA is established, IPsec negotiation (Quick Mode) begins.
In Aggressive mode, the negotiation is quicker since the session is completed in only three messages.
The disadvantage is that the identity of the peers is not protected.
The first two messages negotiate policy, exchange Diffie-Hellman public values and ancillary data
necessary for the exchange, and identities. In addition, the second message authenticates the
responder. The third message authenticates the initiator and provides a proof of participation in the
exchange.
• The initiator sends a request with all required SA information.
• The responder replies with authentication and its ID.
• The initiator authenticates the session in the follow-up message.
Phase 2
In this phase, the negotiation of the SA that secures the IPsec tunnel is completed.
Perfect Forward Secrecy (PFS)
PFS forces a new D-H key exchange for each phase-2 tunnel, deriving phase-2 keys independent from
and unrelated to the preceding keys.
PFS is a part of the key agreement session and serves to ensure that a session key derived from a set of
long-term public and private keys is not compromised if one of the (long-term) private keys is
compromised in the future. The VPN (IPsec) sessions can negotiate new keys for every communication,
and if a key is compromised, only the specific session it protected is revealed.
PFS uses the D-H groups as well, but independently of phase 1.
NAT Traversal
SecFlow-1p supports NAT traversal. NAT traversal changes the packet headers so that they can pass NAT
without the protected data being changed by the NAT. You cannot configure NAT traversal; it is
activated automatically when SecFlow-1p learns that an IPsec connection is passing through NAT.
Route-Based IPsec Tunnels
SecFlow-1p supports IPsec tunnels, with IPv4 as delivery and payload protocols, each one independently
of the other.
Configuring IPsec
This section describes how to configure SecFlow-1p with IPsec at the Cryptography level.
To configure IPsec:
1. Navigate to configure crypto.
2. Enter all necessary commands according to the tasks listed below.
Task: Creating crypto map
Command: crypto-map <name>
         no crypto-map <name>
Comments: name – crypto map name
          Possible values: 1-80 character string
          See Configuring Crypto Map for available crypto map configuration tasks.

Task: Configuring IPsec phase 2 policy
Command: ipsec-transform-set <name>
         no ipsec-transform-set <name>
Comments: name – IPsec transform set name
          Possible values: 1-80 character string
          See Configuring IPsec Transform Set for available transform set configuration tasks.

Task: Configuring IKE pre-shared key (PSK)
Command: isakmp-key <pre-shared-key> {address <peer-ip-address>[/<peer-ip-prefix-length>] | hostname <hostname>}
         no isakmp-key address <peer-ip-address>[/<peer-ip-prefix-length>]
Comments: The pre-shared authentication method (the only available method) requires configuration of PSKs for pairs of address and prefix length.
          pre-shared-key – IKE pre-shared key
          Possible values: 1-255 character string
          peer-ip-address – IKE peer IP address
          Possible values: IPv4 address
          peer-ip-prefix-length – IKE peer IP prefix length
          Possible values: 0-32
          hostname – hostname of IKE peer
          Possible values: 1-255 character string
          Notes:
          • PSKs can be configured for hosts or subnets. peer-ip-address must be a host address if the prefix length is 32, and a subnet address otherwise (in accordance with the IKE peer address prefix length).
          • The prefix length must agree with the address (e.g. a host address can only be configured with a prefix length of 32).
          • If you configure a PSK for an existing pair of address and prefix length, the new command replaces the previous one.

Task: Configuring IPsec Phase 1 policy
Command: isakmp-policy <sequence-number>
         no isakmp-policy <sequence-number>
Comments: sequence-number – IKE policy priority
          Possible values: number
          Note: You can configure up to twenty policies. For full configuration of IKE policies, see Configuring IKE Policy.
Configuring Crypto Map
This section describes how to configure a Crypto Map. Once the Crypto Map is configured, you associate
it to a router (see Configuring Router Interfaces) or tunnel interface (See Configuring Tunnel
Interfaces).
To configure a crypto map:
1. Navigate to configure crypto crypto-map (<name>).
2. Enter all necessary commands according to the tasks listed below.
Task: Configuring local IKE identity
Command: ike-identity-local {default-address | address <ip-address> | default-hostname | hostname <hostname>}
Comments: The IKE peer can be identified either by IP address or, if the IP address is unknown, by hostname.
          For local identity, the default hostname (which is the device hostname, defined as the MAC address) can be used.

Task: Configuring remote IKE identity
Command: ike-identity-remote {default-address | address <ip-address> | hostname <hostname>}
Comments: The IKE peer can be identified either by IP address or, if the IP address is unknown, by hostname.
          For remote identity, you have to provide the hostname.

Task: Configuring IKE SA lifetime
Command: ike-sa-lifetime <seconds>
Comments: Possible values: 60-86400

Task: Configuring IKE SA negotiation mode
Command: ike-sa-negotiation {main | aggressive}
Comments: Relevant only for ike-version 1

Task: Configuring IKE version
Command: ike-version {1 | 2}

Task: Configuring destination address to protect
Command: match-destination address <ip-address>/<prefix-length>
         no match-destination address <ip-address>/<prefix-length>

Task: Configuring source address to protect
Command: match-source {address <ip-address>/<prefix-length> | interface <interface-name>}
         no match-source {address <ip-address>/<prefix-length> | interface <interface-name>}

Task: Configuring IPsec peer IP address
Command: peer-address <ip-address>
         no peer-address
Comments: ip-address – IP address of the peer with which the IPsec tunnel is to be established
          Possible values: IPv4 address
          Notes:
          • You can configure only one instance of this command in a crypto map. If you repeat the command, the last instance applies.
          • no peer-address (the default) sets the peer address to 0.

Task: Configuring SA lifetime
Command: sa-lifetime [seconds <seconds>] [kilobytes <kilobytes>]
         no sa-lifetime
Comments: seconds – SA lifetime in seconds
          Possible values: 60-86400
          kilobytes – SA lifetime in kilobytes
          Possible values: 76800-110592000
          Notes:
          • You can configure only one instance of this command in a crypto map. If you repeat the command, the last instance applies.
          • The command must have at least one argument.
          • The SA is invalidated if the seconds or kilobytes reach the configured maximum before the SA is renewed.
          • no sa-lifetime sets seconds to 3600 and kilobytes to 4608000 (the defaults).

Task: Configuring Crypto Map priority
Command: sequence-number <number>
         no sequence-number
Comments: number – crypto map priority
          Possible values: 1-1000
          Notes:
          • You can configure only one instance of this command in a crypto map. If you repeat the command, the last instance applies.
          • no sequence-number sets number to 10 (the default).

Task: Associating IPsec phase 2 transform set with crypto map
Command: transform-set <name-1> [name-2 [name-3 [name-4]]]
         no transform-set
Comments: name-x – IPsec phase 2 transform set created at Crypto level (see Configuring IPsec)
          Possible values: 1-80 character string
          Notes:
          • You can configure only one instance of this command in a crypto map. If you repeat the command, the last instance applies.
          • no transform-set (the default) sets name-x to an empty string.
Configuring IPsec Transform Set
This section describes how to create an IPsec transform set at the Crypto level. After the Transform Set
has been created and configured, you can bind it to a Crypto Map (see Configuring Crypto Map above).
To configure an IPsec transform set:
1. Navigate to configure crypto ipsec-transform-set <name>.
2. Enter all necessary commands according to the tasks listed below.
Task: Configuring IPsec phase 2 algorithms
Command: algorithms <first transform set algorithm> [second transform set algorithm]
Comments: First transform set algorithm – used for encryption
          Possible values: esp-aes-cbc-128, esp-aes-cbc-256, esp-aes-gcm-128, esp-aes-gcm-256, esp-null, esp-aes-gmac-128, esp-aes-gmac-256
          Second transform set algorithm – used for authentication
          Possible values: esp-sha1, esp-sha2-256, esp-sha2-512
          Notes:
          • You can configure one instance of the command in a transform set. If you repeat the command, the last instance applies.
          • If you configure the first transform set algorithm (encryption) with an algorithm used for both encryption and authentication (esp-aes-gcm-128, esp-aes-gcm-256, esp-aes-gmac-128, or esp-aes-gmac-256), you cannot configure a second algorithm (for authentication). In this case, the second algorithm default (esp-sha1) does not appear in the info command output.
          • If you select for the first transform set algorithm (encryption) one of the encryption-only algorithms (esp-aes-cbc-128, esp-aes-cbc-256, or esp-null), you must select one of the following second (authentication) algorithms: esp-sha1, esp-sha2-256, or esp-sha2-512. Otherwise, the second algorithm default (esp-sha1) is selected. The info command output specifies whether esp-sha1 was selected by default or explicitly specified.
Configuring IKE Policy
To configure an IKE policy:
1. Navigate to configure crypto isakmp-policy <sequence-number>, where sequence number
signifies the IKE policy priority.
2. Enter all necessary commands according to the tasks listed below.
Task: Configuring authentication method (pre-share)
Command: authentication {pre-share}

Task: Configuring encryption algorithm
Command: encryption {aes-cbc-128 | aes-cbc-256}
Comments: Possible values: aes-cbc-128, aes-cbc-256 (the default)
          Note: You can configure only one instance of the command in a policy. If you repeat the command, the last instance applies.

Task: Configuring key exchange algorithm (Diffie-Hellman group)
Command: group {1 | 2 | 5 | 14 | 19 | 20}
Comments: group – Diffie-Hellman group
          Possible values:
          1 – 768-bit modulus
          2 – 1024-bit modulus
          5 – 1536-bit modulus
          14 – 2048-bit modulus
          19 – 256-bit elliptic curve
          20 – 384-bit elliptic curve (default)
          Notes:
          • You can configure only one instance of the command in a policy. If you repeat the command, the last instance applies.
          • Groups 1, 2, and 5 are not considered secure; 14 is acceptable, but not recommended.
          • If you configure 1, 2, 5, or 14, SecFlow-1p accepts the command but generates the following message: WARNING: This algorithm does not provide an adequate security level against modern threats and should not be used to protect sensitive information.

Task: Configuring hashing algorithm
Command: hash {sha1 | sha2-256 | sha2-512}
Comments: hash – hashing algorithm
          Possible values:
          sha1 – 96-bit (default)
          sha2-256 – 128-bit
          sha2-512 – 256-bit
          Note: You can configure only one instance of the command in a policy. If you repeat the command, the last instance applies.
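An added configuration checker (not RAD's code) that encodes the transform-set rules and the IKE-policy group warning from the two tables above, so that a proposed crypto configuration can be reviewed before it is typed on the device. The function names and the review() report format are mine; the warning text is the one quoted in the manual.

```python
"""Added example (not RAD's code): offline checker for the transform-set and
isakmp-policy rules documented for SecFlow-1p. Value sets and the warning
string are taken from the manual's tables; everything else is constructed."""
from typing import Dict, List, Optional, Tuple

# Algorithms that already authenticate (no second algorithm allowed)
AEAD = {"esp-aes-gcm-128", "esp-aes-gcm-256", "esp-aes-gmac-128", "esp-aes-gmac-256"}
# Encryption-only algorithms (need a second, authentication algorithm)
ENC_ONLY = {"esp-aes-cbc-128", "esp-aes-cbc-256", "esp-null"}
AUTH = {"esp-sha1", "esp-sha2-256", "esp-sha2-512"}
GROUPS = {1, 2, 5, 14, 19, 20}
WARNED_GROUPS = {1, 2, 5, 14}        # accepted by the device, but warned about
DEVICE_WARNING = ("WARNING: This algorithm does not provide an adequate security "
                  "level against modern threats and should not be used to protect "
                  "sensitive information.")


def resolve_transform_set(first: str, second: Optional[str] = None) -> Dict[str, object]:
    """Effective algorithms of one 'algorithms' command, or ValueError for a
    combination the device would not accept."""
    if first in AEAD:
        if second is not None:
            raise ValueError(f"{first} already authenticates; no second algorithm allowed")
        return {"encryption": first, "authentication": None, "auth_default": False}
    if first not in ENC_ONLY:
        raise ValueError(f"unknown first transform set algorithm {first}")
    if second is None:                      # device silently defaults to esp-sha1
        return {"encryption": first, "authentication": "esp-sha1", "auth_default": True}
    if second not in AUTH:
        raise ValueError(f"unknown second transform set algorithm {second}")
    return {"encryption": first, "authentication": second, "auth_default": False}


def check_ike_policy(group: int = 20, hash_alg: str = "sha1",
                     encryption: str = "aes-cbc-256") -> List[str]:
    """Findings for one isakmp-policy; mirrors the device, which accepts weak
    groups with a warning and rejects values outside the documented sets."""
    if group not in GROUPS:
        raise ValueError(f"group {group} is not configurable")
    if hash_alg not in {"sha1", "sha2-256", "sha2-512"}:
        raise ValueError(f"hash {hash_alg} is not configurable")
    if encryption not in {"aes-cbc-128", "aes-cbc-256"}:
        raise ValueError(f"encryption {encryption} is not configurable")
    findings: List[str] = []
    if group in WARNED_GROUPS:
        findings.append(f"group {group}: {DEVICE_WARNING}")
    return findings


def review(transform_sets: Dict[str, Tuple[str, Optional[str]]],
           policies: Dict[str, Dict[str, object]]) -> List[str]:
    """Report over a whole proposal. Also flags esp-null, which the manual
    allows (ESP with null encryption stands in for AH) but which gives
    integrity only, and any implicit esp-sha1 default."""
    report: List[str] = []
    for name, (first, second) in transform_sets.items():
        eff = resolve_transform_set(first, second)
        if eff["auth_default"]:
            report.append(f"{name}: esp-sha1 selected by default, not explicitly")
        if first == "esp-null":
            report.append(f"{name}: esp-null gives integrity only, no confidentiality")
    for seq, p in policies.items():
        for finding in check_ike_policy(**p):
            report.append(f"isakmp-policy {seq}: {finding}")
    return report


if __name__ == "__main__":
    # Constructed proposal: one weak transform set, one weak and one good policy
    for line in review({"ts-weak": ("esp-null", None), "ts-ok": ("esp-aes-gcm-256", None)},
                       {"10": {"group": 5}, "20": {"group": 20, "hash_alg": "sha2-256"}}):
        print(line)
```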
Configuration Errors
The following table lists the messages generated by SecFlow-1p when a configuration error is detected.
Message: Too many crypto maps
Cause: You tried configuring more than twenty crypto maps.
Corrective Action: Remove crypto maps that you no longer need.

Message: IP address already configured
Cause: You tried configuring a crypto map with an IP address (source or destination) that was already used in another crypto map command.
Corrective Action: Configure the crypto map command with a unique IP address.

Message: Too many IP addresses
Cause: You tried configuring more than twenty addresses (source or destination) on the crypto map.
Corrective Action: Remove IP addresses that you do not need.

Message: The interface must be a tunnel interface
Cause: You tried configuring a non-tunnel interface.
Corrective Action: Configure a tunnel interface.

Message: A source interface is already configured
Cause: You tried configuring an address or another interface, while one interface has already been configured.

Message: A source IP address is already configured
Cause: You tried configuring an interface, while an address has already been configured.

Message: Too many transform sets
Cause: You tried configuring more than one transform set on the crypto map.
Corrective Action: Remove transform sets that you do not need.

Message: Too many keys
Cause: You tried configuring more than twenty IKE pre-shared keys.
Corrective Action: Remove keys that you do not need.

Message: Too many policies
Cause: You tried configuring more than twenty IKE policies.
Corrective Action: Remove policies that you do not need.

Message: Configure either source address or interface, not both
Cause: You tried to configure the router interface anchoring the tunnel with both an address and an interface.
Corrective Action: Remove one of the configurations: either the address or the interface.

Message: Source and destination must be both IPv4 or both IPv6
Cause: You tried to configure the tunnel destination with an IPv4 address while the tunnel source is an IPv6 address, or the tunnel source with an IPv4 address while the tunnel destination is an IPv6 address.
Corrective Action: Define destination and source with the same type of IP address – both IPv4 or both IPv6.

Message: Too many mappings
Cause: You tried configuring more than one mapping per tunnel.

Message: No such mapping
Cause: You tried to delete a nonexistent mapping.
6.5 Network Address Translator (NAT)
Network Address Translation (NAT) is a method that maps IP addresses (IPv4 only) from one IP domain
to another in an attempt to provide transparent routing to hosts.
Applicability and Scaling
• 20,000 entries in the mapping table
• Up to 32 NAT rules of static NAT, NAPT and Outside to Inside (Static IP:Port)
Functional Description
Traditionally, NAT devices connect networks and hosts having private unregistered addresses to a global
public network with globally unique registered addresses.
IP Address translation is required for the following reasons:
• The network's internal IP addresses cannot be used outside the network, either because they are invalid for use outside, or because the internal addressing must be kept private from the external network.
• Lack of public IP addresses and the need to represent as many hosts as possible (using private IP addresses) via a single public address. NAT uses the IP address resource in an efficient way.
The terminology used in this section is described in the following table:
Inside network – Private network side of the NAT function
Outside network – Public network side of the NAT function
Inside local address – IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer OS or received via dynamic address allocation protocols, such as DHCP. The address is not likely a legitimate IP address assigned by the Network Information Center (NIC) or service provider.
Inside global address – Legitimate IP address assigned by the NIC or service provider; represents one or more inside local IP addresses to the outside world.
Outside local address – IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.
Outside global address – IP address assigned to a host on the outside network by the host owner. The address is allocated from a globally routable address or network space.
NAT Functionality: Address Translation
NAT translates in the following ways:
• NAT translations:
  - Inside to Outside: Inside (private) IP SA (Inside local) → Outside (public) IP SA (Inside global)
  - Outside to Inside: Outside (public) IP DA (Inside global) → Inside (private) IP DA (Inside local)
• NAPT translations – TCP and UDP sessions are translated with port number, in addition to the IP address:
  - Inside to Outside: Inside (private) IP SA:Port (Inside local) → Outside (public) IP SA:Port (Inside global)
  - Outside to Inside: Outside (public) IP DA:Port (Inside global) → Inside (private) IP DA:Port (Inside local)
Traffic that does not match NAT entries is forwarded along the router's regular path.
[Figure: NAT address translation between an Inside Host (Inside Network) and an Outside Host (Outside Network). The NAT translates SA Inside Local ↔ Inside Global and DA Outside Local ↔ Outside Global on the inside side, and SA Outside Global ↔ Outside Local and DA Inside Global ↔ Inside Local on the outside side.]
Supported NAT Types
SecFlow-1p supports the following NAT types:
• Static (One to One) NAT with the following properties:
  - One to One – Translates a single private IP SA to a single public IP SA; does not translate the port
  - Bidirectional – Sessions can be initiated both from the Inside and from the Outside
• NAPT/PAT: In this mode, many hosts on the private (Inside) network are represented by a single public (Outside) IP, using the TCP or UDP port number to differentiate between the sessions. Many different IP:Port pairs are translated into a single IP with different ports; since all sessions share the same translated IP, the translated port is what distinguishes them.
  - Many to One – Translates IP and Port for TCP/UDP sessions
  - Unidirectional – Sessions can be initiated only from the Inside
  - TCP/UDP – Port mapping functionality is valid for TCP/UDP sessions only
• Outside destination to Inside hole punching (Static Port configuration):
  - One to One – Translates IP DA:Port from the Outside to the Inside
  - Unidirectional – Sessions can be initiated only from the Outside
NAT supports symmetric operation, meaning that NAT sessions are identified by both IP SA (:Port) and IP DA (:Port).
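An added Python model (not RAD's code) of the NAPT (overload) behaviour described above: translated ports are allocated from a start-port/size range, sessions are keyed symmetrically by inside host and outside peer, only inside-initiated sessions exist, and idle entries expire after the nat-timeout. Class and method names, addresses and ports are constructed; the defaults (start-port 1024, size 64511, timeout 60 s) are the manual's.

```python
"""Added example (not RAD's code): a small NAPT translation table modelled on
the nat-inside-overload and nat-timeout behaviour described for SecFlow-1p.
Addresses and ports are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, int, str, int]       # proto, src ip, src port, dst ip, dst port


@dataclass
class Entry:
    proto: str
    inside_local: Tuple[str, int]          # private host IP:Port
    inside_global: Tuple[str, int]         # translated IP:Port seen on the outside
    peer: Tuple[str, int]                  # outside host IP:Port
    expires: float


class Napt:
    """One overload rule: many inside hosts behind a single outside IP."""

    def __init__(self, outside_ip: str, start_port: int = 1024,
                 size: int = 64511, timeout: int = 60) -> None:
        self.outside_ip = outside_ip
        self.start_port, self.size = start_port, size
        self.timeout = timeout             # nat-timeout for this protocol, seconds
        self.by_inside: Dict[Key, Entry] = {}
        self.by_outside: Dict[Key, Entry] = {}

    def _expire(self, now: float) -> None:
        """Remove entries idle longer than the timeout from both indexes."""
        for table in (self.by_inside, self.by_outside):
            for k in [k for k, e in table.items() if e.expires <= now]:
                del table[k]

    def _alloc_port(self) -> Optional[int]:
        """Lowest free port in [start-port, start-port + size)."""
        used = {e.inside_global[1] for e in self.by_inside.values()}
        for p in range(self.start_port, self.start_port + self.size):
            if p not in used:
                return p
        return None

    def inside_to_outside(self, proto: str, src: str, sport: int,
                          dst: str, dport: int, now: float = 0.0):
        """Translate SA:Port of a packet leaving the inside network. The
        session key includes the outside peer, so the table is symmetric."""
        self._expire(now)
        key = (proto, src, sport, dst, dport)
        e = self.by_inside.get(key)
        if e is None:
            port = self._alloc_port()
            if port is None:
                return None                # port range exhausted, no translation
            e = Entry(proto, (src, sport), (self.outside_ip, port), (dst, dport),
                      now + self.timeout)
            self.by_inside[key] = e
            self.by_outside[(proto, dst, dport, self.outside_ip, port)] = e
        e.expires = now + self.timeout     # activity refreshes the entry
        return e.inside_global + (dst, dport)

    def outside_to_inside(self, proto: str, src: str, sport: int,
                          dst: str, dport: int, now: float = 0.0):
        """Reverse translation of DA:Port. Only an existing session with the
        same peer IP and port matches; NAPT never creates sessions from outside."""
        self._expire(now)
        e = self.by_outside.get((proto, src, sport, dst, dport))
        if e is None:
            return None
        e.expires = now + self.timeout
        return (src, sport) + e.inside_local

    def translations(self) -> List[Tuple[str, str, str]]:
        """Rows in the shape of the show nat-translations columns."""
        return [(e.proto.upper(), "%s:%d" % e.inside_local, "%s:%d" % e.inside_global)
                for e in self.by_inside.values()]


if __name__ == "__main__":
    n = Napt("198.51.100.1", start_port=1024, size=2, timeout=60)
    print(n.inside_to_outside("tcp", "10.0.0.5", 40000, "203.0.113.9", 80, now=0))
    print(n.inside_to_outside("tcp", "10.0.0.6", 40000, "203.0.113.9", 80, now=10))
    print(n.inside_to_outside("udp", "10.0.0.7", 5000, "203.0.113.9", 53, now=10))
    print(n.outside_to_inside("tcp", "203.0.113.9", 80, "198.51.100.1", 1024, now=20))
    print(n.translations())
```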
NAT Instances
SecFlow-1p supports a single instance of NAT, which may be configured over each one of the SecFlow-1p VRFs.
Configuring Network Address Translator (NAT)
You can configure a single instance of NAT over one of the device VRFs.
To configure NAT:
1. At the config>router(<number>)# prompt, enter:
nat
The config>router(<number>)>nat# prompt is displayed.
2. Enter all necessary commands according to the tasks listed below.
Task: Configuring or deleting a NAT exclude expression
Command: nat-exclude-source-ip <source-ip>
         no nat-exclude-source-ip <source-ip>
Comments: It is possible to add multiple NAT exclude expressions (up to 10).

Task: Configuring, modifying, or deleting a NAT rule from the inside to outside
Command: nat-inside-source-static <inside-ip> {ip <outside-ip> | interface <rif-id>}
         no nat-inside-source-static <inside-ip>
Comments: inside-ip – IPv4 address of Inside IP station
          ip – IPv4 address for translation
          interface – number of the outside-facing router interface whose IP address is used for IP translation
          Notes:
          • The static NAT configuration must be unique, i.e. no other static NAT entry can use the same inside local IP (source IP) or inside global IP (translated IP).
          • A NAT rule that is missing info (yet to be configured) is saved and applied once you configure the missing info. There is no sanity reject.

Task: Configuring, modifying, or deleting a NAPT rule from the inside to outside
Command: nat-inside-source-static-port {tcp | udp} <inside-ip> <port> {ip <outside-ip> <port> | interface <RI-id> <port>}
         no nat-inside-source-static-port tcp <inside-ip> <port>
         no nat-inside-source-static-port udp <inside-ip> <port>
Comments: source – source address translation
          ip – IPv4 address for translation
          interface – number of the outside-facing router interface whose IP address is used for IP translation

Task: Configuring, modifying, or deleting a NAPT (overload) rule from the inside to outside
Command: nat-inside-overload source <inside ip/prefix> {ip <outside-ip> | interface <RI number>} [tcp <start-port> <size>] [udp <start-port> <size>]
         no nat-inside-overload source <inside ip/prefix> <outside-ip>
         no nat-inside-overload source <inside ip/prefix> interface <RI number>
Comments: <inside ip/prefix> – IP subnet of the Inside network
          ip – IPv4 address for translation
          interface – number of the outside-facing router interface whose IP address is used for IP translation
          tcp – range of IP ports to be used for TCP port translations
          udp – range of IP ports to be used for UDP port translations
          Possible values:
          start-port: 1024 (default) – 65535
          size: 1 – 64511 (default)

Task: Configuring or modifying NAT translation table entry timeout
Command: nat-timeout [tcp <tcp-timeout>] [udp <udp-timeout>] [other <other-timeout>]
Comments: tcp – expiration timeout of TCP entries in the NAT translation table
          udp – expiration timeout of UDP entries in the NAT translation table
          other – expiration timeout of other protocol entries in the NAT translation table
          Possible values: 60-432000
          Default: 60

Task: Displaying NAT translation table
Command: show nat-translations
Comments: See Viewing NAT Translation Table

Task: Clearing NAT translation table
Command: clear nat-translations

Task: Displaying NAT statistics counters
Command: show nat-statistics

Task: Clearing NAT statistics counters
Command: clear nat-statistics
Viewing NAT Translation Table
You can display the NAT translation table.
To display the NAT translation table:
• At the config>router(<number>)>nat# prompt, enter:
show nat-translations
The NAT translation table is displayed.
config router 1 nat
config>router(1)>nat# show nat-translations
Number of entries : 1
Entry  Protocol  Inside Local     Inside Global
-----------------------------------------------------------------------------
1      ICMP      30.30.30.30:1    20.20.20.30:1
The above fields are:
Number of Entries – Total number of entries in the translation table
    Possible values: 0-1000
Entry – Entry number
    Possible values: 1-1000
Protocol – The associated router interface ID
    Possible values: TCP, UDP, ICMP, Other
Inside Local – Inside local address or address/port
    Possible values: IP address:port, where port=1-65535
    Note: For Other protocol, only the IP address is displayed.
Inside Global – Translated inside global address or address/port
    Possible values: IP address:port, where port=1-65535
    Note: For Other protocol, only the IP address is displayed.
Viewing NAT Statistics
You can display NAT statistics counters.
To display NAT statistics:
• At the config>router(<number>)>nat# prompt, enter:
show nat-statistics
The NAT statistics are displayed.
config>router(1)>nat# show nat-statistics
Translated packets Inside to Outside : 62
Translated packets Outside to Inside : 69
The above fields are:
Translated packets Inside to Outside – Number of packets translated by NAT in the Inside to Outside direction
Translated packets Outside to Inside – Number of packets translated by NAT in the Outside to Inside direction
Configuration Errors
The following table lists the messages generated by the device when a configuration error is detected.

Message: Cannot delete; interface associated with the router
Cause: You tried to delete a router entity that has router interfaces associated with it.
Corrective Action: Disassociate the router interfaces from the router.

Message: Cannot set address; DHCP enabled
Cause: You tried adding an IPv4 address when DHCP is enabled.
Corrective Action: Disable DHCP.

Message: Cannot set address; too many addresses already configured
Cause: You tried adding an IP address, but the number of IP addresses has already reached its limit.
Corrective Action: Delete one of the associated addresses before associating a new IP address.

Message: Cannot set address; invalid
Cause: You tried adding a multicast IP address, or an interface IPv4 address with prefix length 32 (which is only allowed for a loopback interface). When configuring a static route, you tried to do one of the following:
• Add a multicast IP network address.
• Add an IP network address when it was not allowed.

Message: Use /31 prefix-length on non point-to-point interface cautiously
Cause: You tried adding an IPv4 interface address with prefix length 31.

Message: Cannot modify; activated router interface
Cause: You tried modifying or removing a bound port while the router interface was activated (no shutdown), or you tried adding, modifying, or removing a VLAN while the router interface was activated (no shutdown).
Corrective Action: Shut down the router interface and try again.

Message: Cannot enable; IPv4 address exists
Cause: You tried enabling DHCP even though a manual IPv4 address exists.

Message: Cannot enable; DHCPv6 is enabled
Cause: You tried enabling DHCP even though DHCPv6 is enabled.
Corrective Action: Disable DHCPv6.

Message: Cannot set; DHCPv6 client is already defined
Cause: You tried enabling a DHCPv6 client when there is already one defined in the device.
Corrective Action: Remove the existing DHCPv6 client.

Message: Cannot enable; DHCP (v4) is enabled
Cause: You tried enabling DHCPv6 while DHCPv4 is enabled.
Corrective Action: Disable DHCPv4.

Message: Cannot set; Router Interface is loopback interface
Cause: You tried enabling a DHCPv6 client while the router interface is defined as a loopback interface.
Corrective Action: Associate the DHCPv6 client with a router interface that is not defined as a loopback interface.

Message: Cannot activate; must be bound to port
Cause: You tried activating a router interface that is neither a loopback interface nor bound to a port.
Corrective Action: Bind the router interface to a loopback interface or a port.

Message: Cannot activate; bound port in use by another router interface
Cause: You tried activating the router interface while the bound port is already in use by another router interface.

Message: Cannot activate; bound port+vlan in use by another router interface
Cause: You tried activating a router interface that is bound to port + VLAN, while the bound port+VLAN pair is already in use by another router interface.

Message: Cannot activate; ip address is set
Cause: You tried activating a router interface bound to a PPP port when an IP address was set.

Message: Cannot activate; dhcp is enable
Cause: You tried activating a router interface bound to a PPP port when DHCP is enabled.

Message: Address is not IPv4 address.
Cause: You configured the IP address of an Inside IP station with a non-IPv4 address.
Corrective Action: Configure the IP address of the Inside IP station with an IPv4 address.

Message: Timeout is out of range
Cause: The expiration timeout of TCP/UDP/other protocol entries in the NAT translation table is out of the allowed range (60-43200).
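Worked example (added here; not RAD's firmware code): a Python model of the address, DHCP and NAT-timeout checks listed in the table, returning the message text the device prints. Only the messages and the 60-43200 range come from the page; the order in which the checks are applied, the address limit MAX_ADDRESSES and the function names are assumptions.

```python
import ipaddress

# Messages quoted from the Configuration Errors table on this page.
ERR_DHCP_ENABLED = "Cannot set address; DHCP enabled"
ERR_TOO_MANY = "Cannot set address; too many addresses already configured"
ERR_INVALID = "Cannot set address; invalid"
WARN_SLASH31 = "Use /31 prefix-length on non point-to-point interface cautiously"
ERR_IPV4_EXISTS = "Cannot enable; IPv4 address exists"
ERR_DHCPV6_ENABLED = "Cannot enable; DHCPv6 is enabled"
ERR_DHCPV6_DEFINED = "Cannot set; DHCPv6 client is already defined"
ERR_DHCPV4_ENABLED = "Cannot enable; DHCP (v4) is enabled"
ERR_LOOPBACK = "Cannot set; Router Interface is loopback interface"
ERR_TIMEOUT = "Timeout is out of range"

MAX_ADDRESSES = 4                 # assumed: the manual only states that a limit exists
NAT_TIMEOUT_RANGE = (60, 43200)   # seconds, from the "Timeout is out of range" row


class RouterInterface:
    """Minimal model of one router interface (constructed for this example)."""

    def __init__(self, loopback=False, point_to_point=False):
        self.loopback = loopback
        self.point_to_point = point_to_point   # e.g. a PPP-bound interface
        self.addresses = []                    # configured IPv4 interface addresses
        self.dhcp = False                      # DHCPv4 client enabled
        self.dhcpv6 = False                    # DHCPv6 client enabled


def add_ipv4_address(rif, cidr):
    """Apply the checks behind 'Cannot set address; ...'. Returns (accepted, message)."""
    if rif.dhcp:
        return False, ERR_DHCP_ENABLED
    if len(rif.addresses) >= MAX_ADDRESSES:
        return False, ERR_TOO_MANY
    iface = ipaddress.IPv4Interface(cidr)
    if iface.ip.is_multicast:
        return False, ERR_INVALID
    # A /32 interface address is only allowed on a loopback interface.
    if iface.network.prefixlen == 32 and not rif.loopback:
        return False, ERR_INVALID
    rif.addresses.append(iface)
    # /31 is accepted on a non point-to-point interface, but the device warns.
    if iface.network.prefixlen == 31 and not rif.point_to_point:
        return True, WARN_SLASH31
    return True, ""


def enable_dhcp(rif):
    """DHCPv4 client: refused if a static IPv4 address or DHCPv6 is present."""
    if rif.addresses:
        return False, ERR_IPV4_EXISTS
    if rif.dhcpv6:
        return False, ERR_DHCPV6_ENABLED
    rif.dhcp = True
    return True, ""


def enable_dhcpv6(rif, clients_in_device=0):
    """DHCPv6 client: one per device, not together with DHCPv4, not on a loopback."""
    if clients_in_device >= 1:
        return False, ERR_DHCPV6_DEFINED
    if rif.dhcp:
        return False, ERR_DHCPV4_ENABLED
    if rif.loopback:
        return False, ERR_LOOPBACK
    rif.dhcpv6 = True
    return True, ""


def set_nat_timeout(seconds):
    """NAT translation-table entry expiration must be within 60-43200 seconds."""
    low, high = NAT_TIMEOUT_RANGE
    if not low <= seconds <= high:
        return False, ERR_TIMEOUT
    return True, ""
```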
6.6 Policy-Based Routing (PBR)
Policy-based routing allows you to use a policy to bypass the normal routing rules.
Applicability and Scaling
No forwarding is allowed between VRFs.
Only Ethernet, virtual and VLAN ports can be ingress ports.
Benefits
PBR rules can bypass any Layer 3 routing/forwarding thus enabling routing resiliency.
Functional Description
You can set the following PBR entities:
• ACL – to classify specific traffic
• Policy – to define where to direct the traffic captured by the ACL
• Attach the policy to an ingress interface
When PBR is defined on a specific ingress interface, the incoming traffic on this ingress interface captured by the ACL is directed according to the policy definition. The PBR rule direction is set by a next hop IP address or by an egress interface.
PBR provides classification based on ACL capabilities and supports:
• IPv4, IPv6
• Match options:
 Source IP/prefix-len
 Destination IP/prefix-len
 Source port range
 Destination port range
 Protocol (protocol number, e.g. icmp-1, tcp-6, udp-17)
SecFlow-1p PBR policy supports the following destination definitions:
• Next hop address
• Egress interface:
 Broadcast interface with static/dynamic IP address
 Point-to-point interface
SecFlow-1p PBR is supported for the following ingress interfaces:
• Ethernet ports
• VLAN ports
• Virtual ports
Factory Defaults
By default, no PBR exists.
Configuring PBR
 To configure PBR:
1. Create an ACL profile (see Configuring ACL).
2. Define policy on an ingress interface:
a. Match ACL
b. Set direction (next-hop or interface)
c. Set priority
 To define policy on the ingress port:
1. For Ethernet port: Navigate to configure port ethernet <port-name> to select the Ethernet port
on which PBR is configured.
For Ethernet VLAN: Navigate to configure port ethernet <port-name> vlan <vlan-id> to select the
VLAN port on which PBR is configured.
For Virtual port: Navigate to configure port virtual <port-name> to select the Virtual port on
which PBR is configured.
For Cellular port: Navigate to configure port cellular <port-name> to select the Cellular port on
which PBR is configured.
For Wireless port: Navigate to configure port wlan <port-name> access-point <ap-number> to
select the Wireless port on which PBR is configured.
For IP tunnel: Navigate to configure router*(<number>)> tunnel-interface(<number>) to select
the IP tunnel on which PBR is configured.
2. At the prompt, enter all necessary commands according to the tasks listed below.
Task: Binding a PBR rule to this entity
Command:
policy-based-route priority <priority> match-acl <name> {next-hop <ip-address> | interface <type, index>}
no policy-based-route priority <priority>
Comments:
priority <number> – set PBR rule priority per interface; the lower the number, the higher the priority. Possible values: 1–4294967295
match-acl <name> – attach an ACL to the PBR rule. Possible values: 1–80 character string
next-hop <ip-address> – set the next hop IP address to define the direction of the PBR rule
interface <type, index> – set the interface to define the direction of the PBR rule. Possible values:
• ethernet <port-name>
• ethernet <port-name> vlan <vlan-number>
• virtual <port-number>
• cellular <port-name>
• wlan <port-name> + ap
• router(<number>)>tunnel-interface(<number>)
Configuration Errors
Message: PBR rule address type mismatch
Cause: In the PBR rule you defined, the address families of the ACL profile and IP-next-hop are not identical.
Corrective Action: Set a matching address type for the ACL profile and IP-next-hop.
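Worked example (added here; not RAD's code): PBR rule selection on one ingress interface and the address-family check behind the error above, in Python. The match options, the lowest-number-wins priority and the error text come from this section; the packet field names, the Acl and PbrRule classes and the interface strings are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Error message quoted from the PBR Configuration Errors table on this page.
ERR_ADDR_TYPE_MISMATCH = "PBR rule address type mismatch"


@dataclass
class Acl:
    """The ACL match options listed above; None means 'any' for that field."""
    src: Optional[str] = None                    # source IP/prefix-len
    dst: Optional[str] = None                    # destination IP/prefix-len
    src_ports: Optional[Tuple[int, int]] = None  # inclusive source port range
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive destination port range
    protocol: Optional[int] = None               # icmp-1, tcp-6, udp-17

    def family(self):
        """4, 6 or None, taken from the first address match option present."""
        for cidr in (self.src, self.dst):
            if cidr:
                return ipaddress.ip_network(cidr, strict=False).version
        return None

    def matches(self, pkt):
        # ip_network.__contains__ returns False across address families, so an
        # IPv4 packet never matches an IPv6 prefix and vice versa.
        if self.src and ipaddress.ip_address(pkt["src"]) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in \
                ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        # Packets without ports (e.g. ICMP) cannot match a port range.
        if self.src_ports and not self.src_ports[0] <= pkt.get("sport", -1) <= self.src_ports[1]:
            return False
        if self.dst_ports and not self.dst_ports[0] <= pkt.get("dport", -1) <= self.dst_ports[1]:
            return False
        return True


@dataclass
class PbrRule:
    priority: int                      # lower number = higher priority
    acl: Acl
    next_hop: Optional[str] = None     # direction by next-hop address ...
    interface: Optional[str] = None    # ... or by egress interface (assumed string form)


def validate_rule(rule):
    """Address-family check the device performs when the rule is configured."""
    fam = rule.acl.family()
    if rule.next_hop and fam and ipaddress.ip_address(rule.next_hop).version != fam:
        return ERR_ADDR_TYPE_MISMATCH
    return None


def select_rule(rules, pkt):
    """Rule applied to pkt on one ingress interface: the matching rule with the
    lowest priority number wins; None means normal routing applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.acl.matches(pkt):
            return rule
    return None
```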
6.7 Quality of Service (QoS)
SecFlow-1p supports Quality of Service (QoS), i.e. traffic management, on Ethernet ports to ensure that
traffic with specific characteristics, such as management, is guaranteed specific bandwidth with
minimum delay.
QoS support also includes classification: classifying traffic into traffic-classes on the ingress direction of
a port. A traffic class defines actions such as fixed Class of Service (CoS) mapping on the ingress direction
of an Ethernet port, and DSCP marking.
Applicability and Scaling
This feature is applicable to all ETX‑1p versions.
The following quantities of QoS elements can be configured in the device:
• Classifier rules per ingress port: 10
• Traffic-classes per port: 20
• Shaper profiles: 20
• Queue-block profiles: 10
• Queue-group profiles: 10
Benefits
QoS allows you to optimize bandwidth for traffic at different requirements of speed and quality,
avoiding the allocation of excessive bandwidth.
SecFlow-1p Quality of Service (QoS) traffic prioritization improves the performance level of data flow.
Functional Description
QoS Components
QoS components include:
• Classifier (see Classifier)
• Traffic Class (see Traffic-Class)
• Queuing (see Queuing)
Factory Defaults
See the following sections for each QoS type’s specific defaults.
Classifier
SecFlow-1p supports classifying traffic into traffic classes on the ingress direction of a port.
It is possible to define up to ten classifier rules per ingress direction on the Ethernet ports.
Applicability and Scaling
This feature is applicable to all SecFlow-1p devices.
Functional Description
Classifying consists of a set of sequentially numbered rules (similar to ACLs), with the following rule
types:
• Match – defines a classifier action rule for forwarding packets
• Delete – deletes a classifier rule or comment
• Comment – text used for commenting and visually organizing the rules
• Resequence – updates the sequence numbers of existing classifier actions and comments
Each classifier rule can have an unlimited number of match options.
The following table specifies the criteria.
Classification Criteria
Rule Criterion            Rule Value/Range     Comments
Any                       -                    Allows match-any rules
Layer-3
  IP DSCP                 Range [0–63]
  IP protocol             Value
  Source IP address       IP address/length    IPv4 or IPv6
  Destination IP address  IP address/length    IPv4 or IPv6
Layer-4
  TCP Source Port         Range                IP Layer 4
  TCP Destination Port    Range                IP Layer 4
  UDP Source Port         Range                IP Layer 4
  UDP Destination Port    Range                IP Layer 4
The action rule that you define in the classifier is used to perform classification on the forwarding
frames entering the ingress direction of the port. Packets that match the defined rules go through
the port.
Traffic packets filtered by a classification rule enter the traffic-class (named in the classifier rule), where
the defined action (e.g. fixed CoS mapping) is performed on the packets.
Benefits
With classifying, you can maintain QoS by classifying traffic classes that set traffic CoS and define other
actions.
Factory Defaults
By default, no classifiers are configured.
Configuring Port Classification
This section describes how to create a classifier for an Ethernet port.
 To configure classifying for a port:
1. For Ethernet port: Navigate to configure port ethernet <port-num> classifier ingress to select
the Ethernet port classifier to configure.
Where ingress indicates that the classifier classification direction is from port to application.
2. At the prompt, perform all required tasks according to the following table.
Task: Entering free text among the classifier rules
Command: comment <description> [sequence <number>]
Comments:
description – free text describing the following rules. Possible values: variable length string, up to 252 characters
sequence – sequence number (priority) of the comment. Possible values: 1-4294967295

Task: Deleting a classifier rule or comment
Command: delete <sequence-number>
Comments:
sequence-number – sequence number of the match/drop/comment to be deleted. Possible values: 1-4294967295

Task: Defining a classifier action rule for forwarding frames
Command:
match [dscp <x..y>] [protocol <number>] [src-ip <ip-addr>[/<prefix-length>]] [dst-ip <ip-addr>[/<prefix-length>]] [tcp-src-port <x..y>] [tcp-dst-port <x..y>] [udp-src-port <x..y>] [udp-dst-port <x..y>] to-tc <tc-name> [sequence <number>]
match any to-tc <tc-name> [sequence <number>]
Comments:
dscp – range of IP DSCP values to compare with. Possible values: 0-63
protocol – value of the IPv4 header Protocol field or the IPv6 header Next Header field to compare with. Possible values: 0-255
src-ip – IP address or IP subnet to match against the packet's source IP address
dst-ip – IP address or IP subnet to match against the packet's destination IP address
tcp-src-port – range of TCP source port numbers to compare with. Possible values: 0-65535
tcp-dst-port – range of TCP destination port numbers to compare with. Possible values: 0-65535
udp-src-port – range of UDP source port numbers to compare with. Possible values: 0-65535
udp-dst-port – range of UDP destination port numbers to compare with. Possible values: 0-65535
any – any incoming frame is matched. Possible value: 0
sequence – sequence number (priority) of the rule. Possible values: 1-4294967295
to-tc – name of the associated tc (traffic-class). Define this traffic-class using the traffic-class command (see Configuring Traffic-Class). Possible values: variable length string, up to 252 characters
Notes:
• Up to five criteria can be specified; they must be in the same order in which they appear in the command syntax.
• The same string may be used in separate match commands of the same classifier.
Task: Resequencing the rules (of existing classifier actions and comments)
Command: resequence [<step>]
Comments:
If you need to add a rule between existing rules with consecutive sequence numbers, use this command to add space between the rule sequence numbers.
The <step> parameter specifies the interspacing value. For example, if you apply resequence 30 to a port classification that contains rules 1, 2, and 3, the rule sequence numbers change to 30, 60, and 90.
step – step between sequence numbers. Possible values: 1-10000. Default: 10

Task: Displaying a sorted list of port classifier actions
Command: show status
Comments: See Viewing Port Classifier Status.

Note
You can remove a classifier from a port by entering at the prompt:
no classifier ingress.
Viewing Port Classifier Status
You can display the status and configuration of an Ethernet port ingress Classifier.
The following example shows the Ethernet port classifier ingress status.
 To display Ethernet Classifier (ingress) status:
config>port>Ethernet 1> classifier(ingress)# show status
Ingress Classification Rules:
Number of Classification Rules (by this port) : 10
Sequence   Action   TC Name   Admin   Hits
10         Match    Kuku1     Up      1200
20         Match    Tutu1     Up      300
26         Match    Tutu1     Up      300
30         Match    Susu1     Down    0
40         Match    Fufu1     N/A     0
Port Status Parameters
Direction (Ingress) – Shows the classifier direction (always ingress)
Number of Classification Rules (by this port) – The number of classifier actions defined for this port. Possible values: 0-9999
Sequence – The sequence number (priority) of the classifier rule. Possible values: 1-4294967295
Action – The type of action. Possible value: Match
TC Name – The name of the associated TC. Possible values: variable length string, up to 252 characters
TC Admin – The administrative status of the associated TC. Possible values: Up, Down, N/A
Hits – The number of incoming frames that matched the rule
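Worked example (added here; not RAD's code): a Python parser for the show status listing above that flags rules whose TC Admin is Down or N/A (frames matching them reach no active traffic-class, so their CoS and marking actions are never applied), plus the renumbering that resequence <step> performs. The listing is reconstructed from the example above; the field names are assumptions.

```python
import re

# Constructed sample, laid out as the 'show status' output above.
SAMPLE_STATUS = """\
config>port>Ethernet 1> classifier(ingress)# show status
Ingress Classification Rules:
Number of Classification Rules (by this port) : 10
Sequence   Action   TC Name   Admin   Hits
10         Match    Kuku1     Up      1200
20         Match    Tutu1     Up      300
26         Match    Tutu1     Up      300
30         Match    Susu1     Down    0
40         Match    Fufu1     N/A     0
"""

# One rule row: sequence, action, TC name, TC admin status, hit counter.
ROW = re.compile(r"^\s*(\d+)\s+(Match)\s+(\S+)\s+(Up|Down|N/A)\s+(\d+)\s*$")


def parse_status(text):
    """Return the rule rows of a 'show status' listing as dictionaries."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rules.append({
                "sequence": int(m.group(1)),
                "action": m.group(2),
                "tc": m.group(3),
                "admin": m.group(4),
                "hits": int(m.group(5)),
            })
    return rules


def ineffective_rules(rules):
    """Sequence numbers of rules whose TC is shut down (Down) or not defined on
    the port (N/A): frames matching them are not classified into any TC."""
    return [r["sequence"] for r in rules if r["admin"] != "Up"]


def resequence(rules, step=10):
    """Map old sequence numbers to the numbers 'resequence <step>' assigns:
    the rules keep their order and become step, 2*step, 3*step, ..."""
    ordered = sorted(rules, key=lambda r: r["sequence"])
    return {r["sequence"]: (i + 1) * step for i, r in enumerate(ordered)}
```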
Traffic-Class
Traffic packets, filtered by the classifier rules, enter the traffic-class for performing the defined actions
(e.g mapping to transmit queues). SecFlow-1p supports fixed Class of Service (CoS) mapping on the
ingress direction of an Ethernet port and marking of DSCP on traffic class in ingress port (LAN).
Applicability and Scaling
This feature is applicable to all SecFlow-1p devices.
Functional Description
Traffic-Class
Traffic packets that match the rules defined in the classifier are forwarded to the traffic-class defined in
the rules, provided that you defined for the port a traffic-class by that name, and it is in no shutdown
state.
Several rules can point to the same traffic-class.
It is possible to configure up to 20 traffic-classes per port.
CoS Mapping
Packets that enter the TC (traffic-class) can be mapped to a fixed CoS value defined in the TC definition
on the port, or if not defined, to CoS 7 (the default; lowest priority). The packet’s meta-data is marked
with the fixed CoS value across the forwarding path toward the transmit queues.
A packet is transmitted to the queue corresponding to its CoS value. CoS 0 is mapped to Queue 0, …, CoS
7 is mapped to Queue 7.
Marking
Packets that enter the TC (traffic-class) can have their DSCP marked to a value defined in the TC
definition on the port, as follows:
• DSCP with a pushed IP header (fixed value); possible values: 0-63
If not defined, DSCP is marked with pushed IP header 0.
Configuring Traffic-Class
 To configure a Traffic-Class:
1. Navigate to configure port ethernet <port-index> traffic-class (<tc-name>) to select the
Ethernet port traffic-class to configure. tc-name can be an up to 32-character string.
2. At the prompt, perform all required tasks according to the following table.
Task: Defining traffic class CoS (CoS Mapping) by a fixed value
Command:
cos fixed <cos-value>
no cos
Comments:
cos-value – the CoS assigned to the traffic-class (fixed value). Possible values: 0-7. Default: 7 (lowest priority). 0 is the highest priority.
CoS 0 is mapped to Queue 0, CoS 1 to Queue 1, …, CoS 7 to Queue 7.
Enter no cos to delete the CoS definition.

Task: Defining the traffic class with fixed marking
Command:
mark {dscp-fixed <dscp-value>}
no mark
Comments:
dscp-value possible values: 0-63
Enter no mark to delete the marking definition.

Task: Enabling/disabling traffic-class activity
Command:
shutdown
no shutdown (default)

Note
You can remove a traffic-class by entering at the prompt:
no traffic-class <tc-name>.
Example
The following example shows how to configure an Ethernet port with a traffic-class and fixed CoS mapping,
and define port classification rules.
• Create traffic-class src_ip-Dst_ip on Ethernet port 1.
• Define CoS mapping of packets that enter traffic-class src_ip-Dst_ip to CoS 0 (highest priority), so that packets are transmitted to the corresponding Queue 0.
• Define a classifier on the ingress direction of port 1 with a match rule that determines which incoming packets are forwarded to traffic-class src_ip-Dst_ip.
• Create traffic-class src_ip-Dst_ip2 on Ethernet port 1.
• Define CoS mapping of packets that enter traffic-class src_ip-Dst_ip2 to CoS 1, so that packets are transmitted to the corresponding Queue 1.
exit all
con port ethernet 1
traffic-class src_ip-Dst_ip
cos fixed 0
exit
classifier ingress
match src-ip 10.10.10.10/32 dst-ip 20.20.20.20/32 to-tc src_ip-Dst_ip
exit
traffic-class src_ip-Dst_ip2
cos fixed 1
exit
Queuing
In order to facilitate congestion management, you can sort traffic by applying queue group profiles and
queue block profiles to queue block entities.
You can also apply shaper profiles to queue group blocks.
Queueing
ETX‑1p traffic management entities are called queue groups. They are configured over physical ports
and represent a hierarchical structure of queue-blocks. The queue blocks consist of internal queues. The
queue groups have the following basic structure:
• 1 level (level-0) with 1 queue-block
• Shaper towards physical port
Shapers operate at the per-scheduling-element level to shape traffic into a required traffic profile (CIR).
[Figure: Queue group structure. The Level-0 queue-block holds queues Q7 … Q0, which feed the scheduler, then the shaper, then the physical port.]
Scheduling
SecFlow-1p supports a combination of traffic scheduling techniques, whereby applications requiring low
latency and jitter are mapped to strict priority queues, while other services are mapped to the
remaining slots using weighted fair queuing (WFQ).
• The strict priority queues ensure minimal latency and jitter for the RT traffic, even when a large amount of bursty data traffic is sent over the same uplink. Strict priority traffic is always processed first, while flows mapped to the WFQ slots are buffered until the strict priority queues are empty.
• The WFQ technique avoids scheduling starvation of lower priority queues and ensures relatively fair allocation of bandwidth by sharing it among all flows. In this manner, packets belonging to lower classes of service are not penalized when higher priority queues are not empty and may still receive transmission time. QoS-conformant scheduling is handled by assigning different weights to the various queues instead of equally dividing overall bandwidth among all active flows.
You can map packets to queues according to the packet’s CoS, with CoS 7 mapped to the lowest priority
queue (Queue 7), and CoS 0 to the highest (Queue 0).
QoS Data Flow
The following is a description of a full featured packet QoS walkthrough from when the packet is
received in the ingress port.
• A packet is received in the ingress port.
• The classifier checks whether the incoming traffic matches the rules; the first rule is checked first. If the packet matches a rule, it is classified into the defined TC (traffic-class).
• The traffic-class ingress actions (fixed CoS mapping, marking) are applied to the packet.
• The packet is forwarded to a forwarder (router, virtualization, etc.).
• The packet is transmitted from the forwarder to the egress port.
• The packet is mapped to the level-0 queue-block, and within it to a queue according to its CoS.
• Shaping is applied to the transmitted packets towards the egress port.
• The packet is transmitted.
[Figure: SecFlow-1p QoS Data Flow]
Use Case: Prioritization of Management and User Traffic
[Figure: User traffic - VoIP, Management, and User traffic - data are mapped to queues Q7 … Q0 of an Ethernet port, which are served by the scheduler.]
In this case, QoS does the following:
• Classifies each type of traffic to a traffic-class and sets CoS
• Sets queues as follows:
 Queue 0 to strict with rate limit
 Queue 1 to strict with rate limit
 All other queues to WFQ
• Traffic is mapped to queues according to CoS.
Configuration Method
You configure QoS in two parts.
• On the physical port, you configure:
 Classifier: classifier match rules into TC
 TC actions: fixed CoS, marking
 Queue-group
• On the QoS level, you configure:
 shaper-profile
 queue-block-profile
 queue-group-profile
Shaper Profiles
ETX‑1p supports shaper profiles applied to queue group blocks.
Factory Defaults
By default, there is no shaper profile configured.
Configuring Shaper Profiles
You can configure Shaper profiles and apply them to queue group blocks as needed.
 To add a Shaper profile:
1. Navigate to configure qos.
The config>qos# prompt is displayed.
2. Type shaper-profile <shaper-profile-name>
A Shaper profile with the specified name is created and the config>qos>shaper-profile(<shaper-profile-name>)$ prompt is displayed. The new Shaper profile parameters (except for name) are
configured by default as described in Factory Defaults.
3. Configure the Shaper profile as described in Configuring Shaper Profile Parameters.
 To configure Shaper profiles:
1. Navigate to configure qos shaper-profile <shaper-profile-name> to select the Shaper profile to
configure.
The config>qos>shaper-profile(<shaper-profile-name>)# prompt is displayed.
2. Perform the required tasks according to the following table.
Note
To delete a profile, make sure it is not used in any queue-group (including the case
when the queue-group is not in use).
Task: Specifying the CIR (Kbps) and CBS (bytes) bandwidth limits
Command: bandwidth [cir <cir-kbit-sec>]
Comments:
CIR allowed values:
• Range: 0 – 4294967295 (in kbps)
• Default: 1000000
Example
 To create and configure a Shaper profile named Shap2:
• CIR = 99,840 Kbps
exit all
configure qos shaper-profile Shap2
bandwidth cir 99840
exit all
Queue Block Profiles
In order to facilitate congestion management, you can sort traffic by applying queue block profiles to
queue block entities. A queue block profile contains entries for queues 0–7 (queue 0 has the highest
priority), with the following parameters:
• Scheduling method:
 Strict – high-priority queues that are always serviced first. If a lower-priority queue is being serviced and a packet enters a higher queue, that queue is serviced immediately.
 WFQ (weighted fair queuing) – If one port does not transmit, its unused bandwidth is shared by the ‘transmitting’ queues. WFQ frames are transmitted only after transmission of any frames associated with Strict queues is completed.
• Bandwidth:
 CIR – Defines the Committed Information Rate (CIR) for the current profile. The CIR specifies a bandwidth with committed service guarantee (“green bucket” rate).
 EIR – Defines the Excess Information Rate (EIR). The EIR specifies an extra bandwidth with no service guarantee (“yellow bucket” rate).
Factory Defaults
ETX‑1p provides a default queue block profile named DefaultQueueBlock1, which defines queues 0–7 as
follows:
• Scheduling method – WFQ
• CIR = 0 kbps
• EIR = 1000000 kbps
The default profile is shown below.
config>qos# info d
echo "Queue Block Profile Configuration"
# Queue Block Profile Configuration
queue-block-profile "DefaultQueueBlock1"
  queue 0
    bandwidth cir 0 eir 1000000
    scheduling wfq
  exit
  queue 1
    bandwidth cir 0 eir 1000000
    scheduling wfq
  exit
  queue 2
    bandwidth cir 0 eir 1000000
    scheduling wfq
  exit
  queue 3
    bandwidth cir 0 eir 1000000
    scheduling wfq
  exit
  queue 4
    bandwidth cir 0 eir 1000000
    scheduling wfq
  exit
  queue 5
    bandwidth cir 0 eir 1000000
    scheduling wfq
  exit
  queue 6
    bandwidth cir 0 eir 1000000
    scheduling wfq
  exit
  queue 7
    bandwidth cir 0 eir 1000000
    scheduling wfq
  exit
exit
exit
exit
config>qos#
The default profile cannot be deleted.
Adding Queue Block Profiles
This section explains how to define queue block profiles.
 To add a queue block profile:
1. Navigate to configure qos.
The config>qos# prompt is displayed.
2. Type:
queue-block-profile <queue-block-profile-name> [number-of-queues <number>]
A queue block profile with the specified name, and number of queues, is created, and the
following prompt is displayed: config>qos>queue-block-profile(<queue-block-profile-name>)$
The queues for the new profile are configured by default as described in Factory Defaults.
3. Configure the queue block profile as described in Configuring Queue Block Profile Parameters.
Configuring Queue Block Profile Parameters
 To configure a queue block profile:
1. Navigate to config qos queue-block-profile <queue-block-profile-name> to select the queue
block profile to configure.
The config>qos>queue-block-profile(<queue-block-profile-name>)# prompt is displayed.
2. Perform the following for each queue that you wish to configure:
a. To configure a queue, enter:
queue <queue-ID>
The following prompt is displayed:
config>qos>queue-block-profile(<queue-block-profile-name>)>queue(<queue-ID>)#.
b. Perform the required tasks according to the following table.
c. Type exit to return to the queue block profile context.
Note
To delete a profile, make sure it is not used in any queue-group (including the case
when the queue-group is not in use).
Task: Defining queue bandwidth attributes
Command: bandwidth [cir <cir-kbit-sec>] [eir <eir-kbit-sec>]
Comments:
CIR allowed values:
• Range: 0 – 4294967295 (in kbps)
• Default: 0
EIR allowed values:
• Range: 0 – 4294967295 (in kbps)
• Default: 1000000 kbps (1Gbps)
CIR + EIR must not exceed the maximum available bandwidth.

Task: Setting scheduling method
Command: scheduling {strict | wfq}
Comments:
Default: wfq
Queues defined as strict must be the highest priority queues in a mixed structure.
Example
 To create and configure a queue block profile named QBlockProf1:
• Queue 0 set to strict scheduling and CIR 524,288 kbps
• Queue 1 set to strict scheduling and EIR 212,992 kbps
• Queues 2 and 3 set to WFQ scheduling
exit all
configure qos queue-block-profile QBlockProf1
queue 0
scheduling strict
bandwidth cir 524288
exit
queue 1
scheduling strict
bandwidth eir 212992
exit
queue 2
scheduling wfq
exit
queue 3
scheduling wfq
exit
exit all
Queue Group Profiles
In order to facilitate congestion management, you can sort traffic by applying queue group profiles.
Factory Defaults
ETX‑1p provides a default queue group profile named DefaultQueueGroup1, configured as shown:
# Queue Group Configuration
queue-group-profile "DefaultQueueGroup1"
  queue-block 0/1
    profile "DefaultQueueBlock1"
    no shaper
Adding Queue Group Profiles
 To add a queue group profile:
1. Navigate to configure qos.
The config>qos# prompt is displayed.
2. Type:
queue-group-profile <queue-group-profile-name>.
A queue group profile with the specified name is created and the following prompt is displayed:
config>qos>queue-group-profile(<queue-group-profile-name>)$
The queue group profile parameters are configured by default as described in Factory Defaults.
3. Configure the queue group profile as described in Configuring Queue Group Parameters.
Configuring Queue Group Parameters
 To configure a queue group profile:
1. Navigate to config qos queue-group-profile <queue-group-profile-name> to select the queue
group profile to configure.
The config>qos>queue-group-profile(<queue-group-profile-name>)# prompt is displayed.
2. Select a queue block in level 0 to configure:
queue-block 0/1
The following prompt is displayed:
config>qos>queue-group-profile(<q-grp-profile-name>)>queue-block(<level/ID>)#
3. Perform the required tasks according to the following table.
4. If you wish to configure another queue block, type exit to return to the queue group profile
context, and start again at step 2.
Task: Assigning a queue block profile
Command: profile <queue-block-profile-name>

Task: Assigning a shaper profile
Command: shaper profile <shaper-profile-name>

Examples
Note
This example uses the Shaper profile and queue block profile created in the
examples in the preceding sections.
 To create and configure a queue group profile named QGroupProf1:
• Queue block 0/1:
 Queue block profile: QBlockProf1
 Shaper profile: Shap2
exit all
configure qos queue-group-profile QGroupProf1
queue-block 0/1
profile QBlockProf1
shaper profile Shap2
exit all
6.8 Router
SecFlow-1p provides Layer-3 forwarding, with multiple (up to 10) Virtual Routing and Forwarding
instances (VRFs).
Applicability and Scaling
This feature is applicable to all SecFlow-1p versions.
ARP table is limited to 255 entries.
Fragmentation does not work on the router interface. Configure the MTU value manually under the
corresponding port.
Standards Compliance
RFC 1812 – Requirements for IP Version 4 Routers
RFC 2460 – Internet Protocol, Version 6 (IPv6) Specification
RFC 2464 – Transmission of IPv6 Packets over Ethernet Networks
RFC 4291 – IP Version 6 Addressing Architecture
RFC 4294 – IPv6 Node Requirements
RFC 4862 – IPv6 Stateless Address Autoconfiguration
RFC 2766 – Traditional IP Address Translator
RFC 3489 – Simple Traversal of User Datagram Protocol through Network Address Translator (STUN)
RFC 7857 – Traditional IP Address Translator
RFC 2131 – Dynamic Host Configuration Protocol
RFC 2132 – DHCP Options and BOOTP Vendor Extensions
RFC 1701 – Generic Routing Encapsulation (GRE)
RFC 2890 – Key and Sequence Number Extensions to GRE
ARP Parameters – Address Resolution Protocol (ARP) Parameters
RFC 5859 – TFTP Server Address Option for DHCPv4
Benefits
The router provides IP Routing and Forwarding for IPv4 and IPv6 packets.
Functional Description
SecFlow-1p Layer-3 forwarding has the following main features:
• Up to 10 routers are supported. Only router 1 can be used for management.
• The maximum number of router interfaces (including loopback interfaces) is 32.
Note
You may create router interfaces numbered 1-32 in any router (they need not
be contiguous or start at 1), as long as the total number of router interfaces in
the device does not exceed 32.
• IPv4 and IPv6 are both supported.
• Static routing definitions, BGP, OSPFv2 are supported.
• You can configure a management IP address, which is used as a source address in sessions that
are initiated by the device, such as ping.
The router maintains a table of IPv6 neighbors, via discovery of neighboring IPv6 nodes. It is
recommended to manage SecFlow-1p via a router interface defined as a loopback interface, as this
router interface remains active. To ensure that packets generated by the router are transmitted with the
loopback IP address, you need to define the management source IP address for IPv4 and IPv6 (refer to
Management Source IP Address in the Management and Security chapter).
A router interface that resides directly on a port uses that port’s MAC address.
The control packets transmitted by the router have a configurable IP DSCP value, so that each router
entity can control its traffic priority by setting its DSCP value for its protocols (see Configuring the
Router on how to configure the DSCP).
The embedded router supports the Border Gateway Protocol (BGP) – See Routing Protocol BGP.
DHCP Client
SecFlow-1p supports DHCP and DHCPv6 client functionality.
Each SecFlow-1p router interface can either have a static IP address assigned to it or can be configured
to acquire a dynamic address via DHCP.
DHCP client configuration is performed inside a router interface.
A router interface supports only one instance of DHCP client, and a DHCP client instance can be bound
to only one router interface.
The DHCPv6 client supports prefix delegation (PD). It can receive a prefix from the provider, out of which
shorter prefixes can be allocated to the user-side router interfaces and the machines behind them. The
prefixes are passed to those machines by IPv6 router advertisements (RA); they cannot be passed by a
DHCPv6 server.
RA also passes DNS server addresses and hostname information. Dynamically received data is passed if
none is configured. Otherwise, the configured data is passed. This enables the device to be a DNS proxy,
publishing its own address as DNS server to the user hosts behind it, while using dynamically received
DNS server addresses as the next resolver for its own use.
Note
If a DHCPv6 client is configured to receive prefix delegation information, it
cannot receive an address for its router interface, and vice versa. To work with
PD, you can configure SecFlow-1p to receive an address from a DHCPv6 client
(without PD), and initiate a ZTP process; the ZTP configuration file can
statically configure the address, and activate PD. Another option is to use RA
for receiving address and DHCPv6 client for PD.
Crypto Map
SecFlow-1p supports binding of a defined crypto map (see Configuring Crypto Map) to a router
interface. One map can be associated with multiple interfaces, and multiple maps (up to five) can be
associated with one interface.
If the router interface has multiple IP addresses, by default the lowest one is used as the IPsec tunnel
source.
You can bind a predefined crypto map to an address (even if the router interface has a single address).
In this case:
• The tunnel source is the one configured.
• If the interface does not own the configured address, SecFlow-1p ignores the configuration and behaves as if the map is not bound to the interface.
Factory Defaults
By default, no router interfaces exist. The other router parameters are configured as shown in the
following table.
By default, the source management IP address for IPv4/IPv6 is not configured.

Parameter: name
Default: "Router#1"

Parameter: dhcp-client duid-type
Default: ll

Parameter: dhcp-client host-name
Default: sys-name
Remarks: In the DHCP client, the device name is used as the host name.

Parameter: dhcp-client vendor-class-id
Default: ent-physical-name
Remarks: In the DHCP client, the entity physical name is used as the vendor class ID.

Parameter: tunnel-interface
Default: gre-ip
Remarks: Tunnel type, when tunneling is configured
Configuring the Router
The router functionality allows SecFlow-1p to establish links to Ethernet ports via SVIs, or to peers that
provide the 1588v2 master clock, or to establish PPPoE sessions via PPP ports.
To configure the router:
1. At the config# prompt, enter:
router <number>
The config>router(<number>)# prompt is displayed.
2. Enter all necessary commands according to the tasks listed below.
Task: Configuring BGP
Command: [no] bgp <as-number>
Comments: as-number – local AS. Possible values: 1-4294967295. Default: 0. See Routing Protocol BGP.

Task: Deleting dynamic ARP entries
Command: clear-arp-table [<address>]
Comments: Specify the IP address to clear only the entries corresponding to it.

Task: Clearing IPv6 neighbor table
Command: clear-neighbor-table

Task: Configuring DHCP client for the router interface
Command: dhcp-client

Commands in level dhcp-client:

Task: Providing host name to DHCP server
Command:
  host-name <string>
  host-name sys-name
  no host-name
Comments: You can specify a name, or specify sys-name to indicate that the system name should be used as the host name.

Task: Providing vendor ID to DHCP server
Command:
  vendor-class-id <string>
  vendor-class-id ent-physical-name
Comments: You can specify an ID, or specify ent-physical-name to indicate that the device name should be used as the vendor ID.
Task: Configuring DHCP client to request option 17 from the DHCPv6 server
Command:
  dhcpv6-option-request [vendor-specific-information-17]
  no dhcpv6-option-request
Comments: Relevant for IPv6. Vendor-specific information option 17 is used to pass data needed for the Zero Touch process.
Notes:
• The command behaves the same regardless of whether you specify the optional vendor-specific-information-17 keyword.
• If you repeat the command, the last instance replaces the previous one.
Entering no dhcpv6-option-request results in the DHCP client not explicitly requesting option 17.

Task: Configuring DHCPv6 Unique Identifier (DUID) type
Command: duid-type {en | ll}
Comments: Relevant for IPv6.
• en – enterprise number (type 2); comprises an enterprise number (RAD’s is 164) and an identifier (MAC address of the port out of which the request is sent)
• ll – link layer address (type 3); comprises a hardware type (1 for Ethernet) and a link-layer address (MAC address of the port out of which the request is sent)

Task: Configuring DNS server
Command: dns-name-server <ip-address> [priority <priority>]
Comments: Type no dns-name-server <ip-address> to delete the DNS server. ip-address can be IPv4 or IPv6. priority – Possible values: 1–255

Task: Configuring DSCP value for router entity traffic
Command: dscp <number>
Comments: Possible values: 0–63. Default: 0
Task: Creating a router interface
Command: interface <interface-num> [loopback]
Comments: interface-num – a unique number assigned to the router interface. Possible values: 1–32. loopback – sets the router interface as loopback. Type no interface <interface-num> to delete a router interface. See the Configuring Router Interfaces section for a list of tasks that can be configured on a router interface.

Task: Assigning name to router
Command: name <string>
Comments: Alphanumeric string. Enter no name to remove the router name.

Task: Enabling, or disabling and deleting, Network Address Translator (NAT)
Command: nat
Comments: Typing no nat disables and deletes the existing NAT configuration, including all mapping table entries. Note: You can configure a single instance of NAT over each one of the supported VRFs. For details on configuring NAT parameters, see Configuring Network Address Translator (NAT).

Task: Configuring OSPF
Command: ospf
Comments: See Configuring OSPF at the Router Level.

Task: Creating a prefix-list policy profile for the router
Command: prefix-list <name> {ipv4 | ipv6}
Comments: name – unique prefix-list policy profile name, 1-252 characters. Entering no prefix-list <name> deletes the router’s prefix-list policy profile.
Task: Resequencing policy profile
Command: resequence <name>
Comments: name – policy profile to resequence; 1..252 characters. number – steps between policy rule entry numbers. Possible values: 1-100000. Default: 10

Task: Creating the router’s route-map policy profile
Command: route-map <name>
Comments: name – route-map policy profile unique name, 1-252 characters. Entering no route-map <name> deletes the router’s route-map policy profile.

Task: Enabling the static route and the next gateway (next hop) using the next hop’s IP address
Command:
  static-route <IP-address/IP-mask-of-static-route> address <IP-address-of-next-hop> [metric <metric>] [install | no-install]
  no static-route <IP-address/prefix-length> address <address>
Comments: The next hop must be in a subnet of one of the router interfaces. To set the default gateway, configure a static route of address 0.0.0.0/0 to the next hop default gateway address. Entering no static-route deletes the static route entry.
metric – specifies the priority of the static route. Possible values: 1–255. Default: 1. Note: the value 255 is considered unreachable and the corresponding route is not added to the routing table.
install – forwards the specific route entry into the FIB.
no-install – does not forward the specific route entry into the FIB.
Task: Enabling the static route and the router interface number toward which the destination subnet is to be routed
Command:
  static-route <IP-address/IP-mask-of-static-route> interface <router-interface-num> [metric <metric>] [install | no-install]
  no static-route <IP-address/prefix-length> interface <router-interface>
Comments: no static-route deletes the static route entry. metric – specifies the priority of the static route; an integer in the range 1–255 (default: 1). Note: the value 255 is considered unreachable and the corresponding route is not added to the routing table. install – forwards the specific route entry into the FIB. no-install – does not forward the specific route entry into the FIB.

Task: Configuring tunnel interface
Command: tunnel-interface <number> [gre-ip | ipsec]
Comments: number – tunnel number 1-256. Entering no tunnel-interface <number> deletes the tunnel interface. See Port Classification for more details.

Task: Displaying the address resolution protocol (ARP) table, which lists the original MAC addresses and the associated (resolved) IP addresses
Command: show arp-table [address <ip-address>]
Comments: See Viewing ARP Table. Note: The ARP table is limited to 255 entries.

Task: Displaying DNS resolver
Command: show dns-resolver

Task: Displaying IPv6 neighbors table
Command: show neighbor-table [address <ip-address>]
Comments: See Viewing IPv6 Neighbors.

Task: Displaying the IPv4 or IPv6 RIB (Routing Information Base) table
Command: show rib {ipv4 | ipv6}
Comments: See Viewing RIB.

Task: Displaying VRRP summary
Command: show vrrp-summary

Task: Displaying the routing table
Command: show routing-table [address <IP-address/IP-mask>] [protocol {dynamic | static}]
Comments: IP-address/IP-mask – view routing information for a specific IP address of a specified prefix length. See Viewing Routing Information.

Task: Displaying the interface table
Command: show summary-interface
Comments: See Viewing Router Interface Status.
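The static-route rules in the table above (next hop inside a router interface subnet, metric 1–255 with 255 meaning unreachable, 0.0.0.0/0 as default gateway, install/no-install controlling the FIB) can be checked offline before a change window. The following is an added example, not code from the manual or from RAD; the RouterInterface/StaticRoute types, the interface addresses and the routes are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Models the static-route rules stated in the command table: the next hop must
# fall inside the subnet of one of the router interfaces, metric is 1-255 with
# 255 meaning "unreachable" (not added to the routing table), 0.0.0.0/0 is the
# default gateway, and install / no-install decides whether the entry reaches
# the FIB. Interfaces and routes below are constructed sample values.

METRIC_UNREACHABLE = 255


@dataclass
class RouterInterface:
    number: int
    addresses: list            # "<IP-address/prefix-length>" strings


@dataclass
class StaticRoute:
    destination: str           # "<IP-address/IP-mask-of-static-route>"
    next_hop: str              # "<IP-address-of-next-hop>"
    metric: int = 1            # default metric per the command table
    install: bool = True       # False models the no-install keyword


def interface_for_next_hop(next_hop, interfaces):
    """Return the router interface whose subnet contains next_hop, else None."""
    hop = ipaddress.ip_address(next_hop)
    for ri in interfaces:
        for addr in ri.addresses:
            net = ipaddress.ip_interface(addr).network
            if hop.version == net.version and hop in net:
                return ri
    return None


def validate_static_route(route, interfaces):
    """Return the reasons the device would reject the route (empty list = accepted)."""
    problems = []
    try:
        dest = ipaddress.ip_network(route.destination, strict=True)
        hop = ipaddress.ip_address(route.next_hop)
    except ValueError as exc:
        return [f"malformed route: {exc}"]
    if dest.version != hop.version:
        problems.append("destination and next hop use different IP versions")
    if dest.is_multicast:
        # "Cannot set address; invalid" in the Configuration Errors table
        problems.append("multicast network address is not allowed")
    if not 1 <= route.metric <= 255:
        problems.append(f"metric {route.metric} is outside 1-255")
    if interface_for_next_hop(route.next_hop, interfaces) is None:
        problems.append(f"next hop {route.next_hop} is not in any router interface subnet")
    return problems


def build_routing_table(routes, interfaces):
    """Model which accepted routes enter the routing table and which reach the FIB."""
    table = []
    for route in routes:
        if validate_static_route(route, interfaces):
            continue                      # rejected at configuration time
        if route.metric == METRIC_UNREACHABLE:
            continue                      # treated as unreachable, not added
        dest = ipaddress.ip_network(route.destination)
        table.append({
            "network": str(dest),
            "next_hop": route.next_hop,
            "ri": interface_for_next_hop(route.next_hop, interfaces).number,
            "metric": route.metric,
            "is_default": dest.prefixlen == 0,
            "in_fib": route.install,
        })
    return table


# Constructed sample: two router interfaces and five candidate static routes.
SAMPLE_INTERFACES = [
    RouterInterface(1, ["172.17.171.2/24"]),
    RouterInterface(2, ["10.10.10.1/24"]),
]
SAMPLE_ROUTES = [
    StaticRoute("0.0.0.0/0", "172.17.171.1"),                          # default gateway
    StaticRoute("2.2.2.0/24", "10.10.10.254", metric=255),              # unreachable, not added
    StaticRoute("3.3.3.0/24", "192.168.5.1"),                           # next hop off-subnet
    StaticRoute("4.4.4.0/24", "10.10.10.20", metric=10, install=False),  # kept out of the FIB
    StaticRoute("224.0.0.0/4", "10.10.10.20"),                          # multicast: rejected
]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        print(r.destination, "->", r.next_hop,
              validate_static_route(r, SAMPLE_INTERFACES) or "accepted")
    for entry in build_routing_table(SAMPLE_ROUTES, SAMPLE_INTERFACES):
        print(entry)
```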
Configuring Router Interfaces
You can configure up to 32 router interfaces.
To configure a router interface:
1. At the config>router(<number>)# prompt, enter:
interface <interface-num> [loopback]
2. Enter all necessary commands according to the tasks listed below.

Task: Assigning an IP address and prefix length to the router interface
Command:
  address <IP-address/prefix-length>
  no address <IP-address/prefix-length>
Comments: The IP address can be in IPv4 format (e.g. 10.10.10.1) or IPv6 format (e.g. 10:10:10:10:10:10:10:10).
Prefix length:
• For virtual ports: IPv4 1–32; IPv6 1–128
• For other ports: IPv4 1–31; IPv6 1–127
You cannot define an IP address if the router interface is bound to a PPP port.

Task: Binding router interface to a port (Cellular, Ethernet, Virtual, or PPP), or access point
Command:
  bind cellular <port-name>
  bind ethernet <port-name> [vlan <vlan-id>]
  bind virtual <port-index> [vlan <vlan-id>]
  bind ppp <port-number>
  bind wlan [slot/]port access-point <ap-number>
  no bind
Comments:
• port-number (port-name) – number (name) of the device interface port connected to the router interface.
• vlan-id – port number of the VLAN port connected to the router interface
Task: Associating router interface with a crypto map
Command:
  crypto-map <name> [address <ip-address>]
  no crypto-map <name>
Comments: name – crypto map name. Possible values: 1-80 character string. ip-address – local peer IP address.
Notes:
• You can associate up to five crypto maps with one interface.
• If no address is specified, ip-address is an empty string.
If the specified crypto map is not defined, SecFlow-1p ignores this configuration and behaves as if the interface is not bound to it.

Task: Enabling/disabling DHCP client
Command:
  dhcp
  no dhcp
Comments: You cannot enable DHCP (for IPv4) in the following cases:
• Router interface is bound to a PPP port.
• IPv4 address is configured.
• Router interface is not unnumbered.
• DHCPv6 is enabled.

Task: Configuring DHCP client for the router interface
Command: dhcp-client

Command in level dhcp-client:

Task: Providing client ID (DHCP option 61) to DHCP server
Command:
  client-id id <string>
  client-id mac
Comments: You can specify an ID, or specify mac to indicate that the device MAC address should be used as the client ID.
Task: Enabling or disabling DHCPv6 client for the router interface
Command:
  dhcpv6-client [pd name <prefix-name>] [rapid-commit]
  no dhcpv6-client
Comments: You can enable the DHCPv6 client provided that the following conditions exist:
• Router entity is Router #1.
• There is no other DHCPv6 client defined in the device.
• DHCPv4 is not enabled.
• The router interface is not defined as loopback.
It is optional to enable rapid commit or prefix delegation (pd). prefix-name – 1-255 character string.
Note: If the command is repeated, the last instance applies.
DHCPv6 client, server, and relay are mutually exclusive on the same interface. Therefore, it is possible to enable a client only if neither a relay nor a server is configured on the router interface.

Task: Enabling DHCPv6 server
Command:
  dhcpv6-server pool <pool-name> [rapid-commit] [preference <value>]
  no dhcpv6-server
Comments: pool – defines the pool name. rapid-commit – enables DHCPv6 rapid commit. preference (optional) – configures the preference in DHCPv6 advertisement messages; possible values: 0 to 255. The DHCPv6 client and server functions are mutually exclusive on an interface.

Task: Enabling/disabling IP forwarding
Command: ip-forwarding

Task: Configuring IPv6 address from prefix
Command:
  ipv6-address-prefix <prefix-name> <prefix-length> [no-autoconfig]
  no ipv6-address-prefix <prefix-name>
Comments: If you repeat the command with the same prefix name, the new command replaces the previous one. If you try to repeat the command with a different prefix name, SecFlow-1p rejects the command.
Task: Enabling or disabling IPv6 autoconfiguration on router interface
Command:
  ipv6-autoconfig
  no ipv6-autoconfig
Comments: Enter no ipv6-autoconfig to disable IPv6 autoconfiguration.

Task: Configuring interface management access
Command: management-access {allow-all | allow-ping}
Comments: You can set management access to allow-all for up to two router interfaces. Enter no management-access to remove management access from the router interface.

Task: Assigning a name to the router interface
Command:
  name <interface-name>
  no name

Task: Configuring OSPF
Command: ospf
Comments: See Configuring OSPF at the Interface Level.

Task: Enabling or disabling IPv6 router advertisement
Command:
  router-advertisement
  no router-advertisement

Task: Displaying ACL summary
Command: show access-list summary
Comments: See Viewing Access List Status.

Task: Displaying crypto map information
Command: show crypto-map-status [<name>]
Comments: name – crypto map name. Possible values: 1-80 character string. Note: If name is specified, the command displays the data of only that crypto map. Otherwise, the command displays data of all the crypto maps associated with the interface. For a detailed description of the crypto map parameters, see Viewing Crypto Map Information below.

Task: Displaying router interface status
Command: show status
Comments: See Viewing Router Interface Status.

Task: Administratively enabling or disabling the router interface
Command:
  no shutdown
  shutdown
Comments: Entering shutdown disables the interface.

Task: Enabling sending of ICMP Unreachable messages for the router interface
Command:
  unreachables
  no unreachables
Deleting a Router
You can delete a router if there are no router interfaces associated with it.
To delete a router:
• At the config# prompt, enter:
no router <number>
Deleting a Router Interface
To delete a router interface:
• At the config>router(<number>)# prompt, enter:
no interface <interface-num>
Viewing Router Information
You can view information on each router by using the show summary-interface command.
To display the router information:
1. Navigate to configure router <number>.
2. At the config>router(<number>)# prompt that is displayed, enter show summary-interface.
The router interface information is displayed.
config>router(1)# show summary-interface
Router Interface: 1
Name: RI 1
Admin: Up
Oper: LLD
Bound to: ethernet lan1
172.17.161.101/24 (manual) (preferred)
Router Interface: 2
Name: RI 2
Admin: Up
Oper: Up
Bound to: ethernet lan2
10.10.10.1/24 (manual) (preferred)
The above fields are:
Router Interface (number) – Unique number assigned to the router interface
Name – Name of the router interface (alphanumeric string)
Admin – Administrative status:
• Up – ready to pass packets
• Down
Oper – Operational status:
• Up – ready to pass packets
• Down
• LLD – Lower Layer Down; down due to the state of the lower-layer interface(s)
Bound to – The port that the router interface is bound to
IP Addresses
IP Address/prefix length – IPv4 or IPv6 address and prefix length. Note: Supported for DHCPv6
origin – Origin of the IP address. Possible origins are:
• other – for example, link local address
• manual – indicates that the address was manually configured to a specified address
• dhcp – indicates an address that was assigned to this system by a DHCP server
• link layer – indicates an address created by IPv6 stateless auto-configuration
• random – indicates an address chosen by the system at random
status – Status of the IP address. Available statuses (from the IPv6 Stateless Address Autoconfiguration protocol) are:
• preferred (default)
• deprecated
• invalid
• inaccessible
• unknown
• tentative
• duplicate
• optimistic
Viewing Access List Status
You can view the access list summary using the show access-list summary command.
To view the access-list summary:
1. Navigate to configure router <number> interface <number>.
2. At the config>router(<number>)interface(<number>)# prompt that is displayed, enter show access-list summary.
3. The access list summary is displayed.
ACL Name    Type    Bound To    Direction
-----------------------------------------
my-acl      IPv4    RI 1/1      Inbound
Viewing ARP Table
To display the ARP table:
1. Navigate to configure router <number>.
2. At the config>router(<number>)# prompt that is displayed, enter show arp-table.
The ARP table is displayed.
config>router(1)# show arp-table
IP Address         MAC Address          Status
----------------------------------------------------------------
172.17.161.1       E0-2F-6D-12-95-42    Dynamic
Viewing Crypto Map Information
You can view information on a specific crypto map or all configured crypto maps using the show crypto-map-status command.
To display the crypto map information:
1. Navigate to configure router <number> interface <number>.
2. At the config>router(<number>)interface(<number>)# prompt that is displayed, enter show crypto-map-status.
config>router(1)interface(1)# show crypto-map-status
Crypto Map               : my-map-1
Tunnel Peers             : 10.10.10.1 --- 20.20.20.1
Security Association     : Up 111 minutes ago
IKE                      :
  Version                : 2
  SA Negotiation Mode    : Main
  Authentication         : Pre-shared secret
  Encryption             : AES-CBC-256
  Hashing                : SHA1-96-HMAC
  Diffie Hellman Group   : 20
  In SPI                 : 7423470e4a9ab53b
  Out SPI                : 987279bf53131617
  Reauthentication in    : 10 minutes
Transform Set            :
  Algorithms             : ESP-AES-GCM-256
  In SPI                 : c8a473f3
  Out SPI                : ca7455fb
  Remaining Lifetime     :
    In Kilobytes         : 10000
    Out Kilobytes        : 2000
    Seconds              : 100
The above fields are:
Tunnel Peers – Local peer --- remote peer. Possible values: ip-address
Local Protected Networks – Local protected network. Possible values: <ip-address>/<prefix-length>
Remote Protected Networks – Remote protected network. Possible values: <ip-address>/<prefix-length>
Security Association – SA status and SA age. Possible values: SA status – Connecting, Down, Up; SA age – <number> minutes ago
IKE
Version – IKE version. Possible values: 1, 2
SA Negotiation Mode – IKE SA negotiation mode. Possible values: Aggressive, Main
Authentication – IKE authentication method. Possible value: Pre-shared secret
Encryption – IKE encryption algorithm. Possible values: AES-CBC-128, AES-CBC-256
Hashing – IKE hashing algorithm. Possible values: SHA1-96-HMAC, SHA2-256-128-HMAC, SHA2-512-256-HMAC
Diffie Hellman Group – IKE Diffie Hellman group. Possible values: 1, 2, 5, 14, 19, 20
In SPI – IKE in SPI. Possible values: string
Out SPI – IKE out SPI. Possible values: string
Re-authentication in – Time to IKE key re-authentication. Possible values: <number> minutes/hours/days
Transform Set
Algorithms – Transform set first algorithm. Possible values: ESP-AES-CBC-128, ESP-AES-CBC-256, ESP-AES-GCM-128, ESP-AES-GCM-256, ESP-NULL, ESP-AES-GMAC-128, ESP-AES-GMAC-256
Transform set second algorithm. Possible values: ESP-SHA1-96-HMAC, ESP-SHA2-256-128-HMAC, ESP-SHA2-512-256-HMAC
In SPI – Transform set in SPI
Out SPI – Transform set out SPI
Remaining Lifetime
In Kilobytes – Transform set remaining lifetime (in kilobytes)
Out Kilobytes – Transform set remaining lifetime (out kilobytes)
Seconds – Transform set remaining lifetime (seconds)
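The possible values listed above are enough to review a tunnel's negotiated parameters automatically, for example when auditing many gateways. The following is an added example, not code from the manual or from RAD: it parses the key/value layout of show crypto-map-status and reports IKE/ESP settings worth reviewing. It assumes that the two transform-set algorithms appear space-separated on the Algorithms line and that the IKE and Transform Set lines mark the section boundaries; the sample outputs are constructed.

```python
# Parses "show crypto-map-status" output and flags weaker IKE/ESP settings.
# Added example; assumptions: both transform-set algorithms are printed on
# one "Algorithms" line separated by a space, and the "IKE" / "Transform Set"
# lines mark section boundaries (the "In SPI" key appears in both).

WEAK_DH_GROUPS = {"1", "2", "5"}                  # 768/1024/1536-bit MODP groups
AEAD_ESP = {"ESP-AES-GCM-128", "ESP-AES-GCM-256"}  # confidentiality + integrity
INTEGRITY_ONLY_ESP = {"ESP-AES-GMAC-128", "ESP-AES-GMAC-256"}

# Constructed sample in the layout of the manual's output (values from the
# possible-values lists above).
HARDENED_SAMPLE = """\
Crypto Map             : my-map-1
Tunnel Peers           : 10.10.10.1 --- 20.20.20.1
Security Association   : Up 111 minutes ago
IKE                    :
  Version              : 2
  SA Negotiation Mode  : Main
  Authentication       : Pre-shared secret
  Encryption           : AES-CBC-256
  Hashing              : SHA1-96-HMAC
  Diffie Hellman Group : 20
  In SPI               : 7423470e4a9ab53b
  Out SPI              : 987279bf53131617
  Reauthentication in  : 10 minutes
Transform Set          :
  Algorithms           : ESP-AES-GCM-256
  In SPI               : c8a473f3
  Out SPI              : ca7455fb
  Remaining Lifetime   :
    In Kilobytes       : 10000
    Out Kilobytes      : 2000
    Seconds            : 100
"""

# Constructed sample of a legacy configuration built from the same value lists.
LEGACY_SAMPLE = """\
Crypto Map             : legacy-map
Tunnel Peers           : 10.10.10.1 --- 20.20.20.2
Security Association   : Up 5 minutes ago
IKE                    :
  Version              : 1
  SA Negotiation Mode  : Aggressive
  Authentication       : Pre-shared secret
  Encryption           : AES-CBC-128
  Hashing              : SHA1-96-HMAC
  Diffie Hellman Group : 2
Transform Set          :
  Algorithms           : ESP-AES-CBC-128 ESP-SHA1-96-HMAC
"""


def parse_crypto_map_status(text):
    """Split the output into top-level, IKE and Transform Set key/value maps."""
    parsed = {"top": {}, "ike": {}, "esp": {}}
    section = "top"
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "IKE":
            section = "ike"
        elif key == "Transform Set":
            section = "esp"
        elif value:                      # skip group headers such as "Remaining Lifetime"
            parsed[section][key] = value
    return parsed


def assess_crypto_map(parsed):
    """Return review findings for the negotiated IKE and ESP parameters."""
    ike, esp, top = parsed["ike"], parsed["esp"], parsed["top"]
    findings = []
    if ike.get("Version") == "1":
        findings.append("IKEv1 in use; prefer IKEv2")
    if ike.get("SA Negotiation Mode") == "Aggressive":
        findings.append("IKEv1 aggressive mode exposes the PSK identity hash; use Main mode")
    if ike.get("Diffie Hellman Group") in WEAK_DH_GROUPS:
        findings.append(f"DH group {ike['Diffie Hellman Group']} is below 2048-bit strength; use 14, 19 or 20")
    if ike.get("Hashing", "").startswith("SHA1"):
        findings.append("IKE integrity is SHA-1 based; prefer SHA2-256-128-HMAC or SHA2-512-256-HMAC")
    algs = esp.get("Algorithms", "").split()
    if "ESP-NULL" in algs:
        findings.append("ESP-NULL provides no confidentiality")
    if algs and algs[0] in INTEGRITY_ONLY_ESP:
        findings.append("AES-GMAC is integrity-only; the payload is not encrypted")
    if algs and algs[0].startswith("ESP-AES-CBC") and len(algs) < 2:
        findings.append("CBC transform without an ESP HMAC algorithm has no integrity protection")
    if any(a.startswith("ESP-SHA1") for a in algs):
        findings.append("ESP integrity is SHA-1 based; prefer an ESP-SHA2 HMAC or an AES-GCM transform")
    if top.get("Security Association", "").startswith(("Down", "Connecting")):
        findings.append("security association is not up")
    return findings


if __name__ == "__main__":
    for sample in (HARDENED_SAMPLE, LEGACY_SAMPLE):
        parsed = parse_crypto_map_status(sample)
        print(parsed["top"]["Crypto Map"], assess_crypto_map(parsed) or ["no findings"])
```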
Viewing IPv6 Neighbors
You can view information on each IPv6 neighbor by using the show neighbor-table command.
To display the neighbor table:
1. Navigate to configure router <number>.
2. At the config>router(<number>)# prompt that is displayed, enter show neighbor-table.
The IPv6 neighbors are displayed.
config>router(1)# show neighbor-table
IPv6 Address                              MAC address         State       Interface
=============================================================================
1234:1234:1234:1234:1234:1234:1234:1234   01-01-01-01-01-01   reachable   1
1234:1234:1234:1234:1234:1234:1234:1234   01-01-01-01-01-01   incomplete  28
FE80::200:E8FF:FE00:2A2B                  00-00-e8-00-2a-2b   stale       2
The above fields are:
IPv6 address – Neighbor IPv6 address
MAC address – Neighbor MAC address
State – The Neighbor Unreachability Detection state for the interface when the address mapping in this entry is used:
• reachable – confirmed reachability
• stale – unconfirmed reachability
• delay – waiting for reachability confirmation before entering probe state
• probe – actively probing
• invalid – invalidated mapping
• unknown – state cannot be determined for some reason
• incomplete – address resolution is being performed
Interface – Router interface number
Viewing RIB
You can view the RIB (Routing Information Base) by using the show rib command. This command is
available for IPv4 or IPv6 at the router level: config>router(<number>)#.
To display the IPv4 RIB:
1. Navigate to configure router <number>.
2. At the config>router(<number>)# prompt that is displayed, enter show rib ipv4.
The IPv4 RIB is displayed.
config>router(1)# show rib ipv4
* = Active Route
  Network
  > Next Hop                RI  Proto   Metric
=============================================================================
* 0.0.0.0/0
  > 172.17.171.1            2   Static  1
* 2.2.2.0/24
  > 172.17.171.205          2   BGP
* 3.3.3.0/24
  > 0.0.0.0                 1   Local   0
  3.3.3.0/24
  > 172.17.171.205          2   BGP
* 111.222.111.0/24
  > 0.0.0.0                 2   Local   0
  111.222.111.0/24
  > 172.17.171.205          2   BGP
To display the IPv6 RIB:
1. Navigate to configure router <number>.
2. At the config>router(<number>)# prompt that is displayed, enter show rib ipv6.
The IPv6 RIB is displayed.
config>router(1)# show rib ipv6
* = Active Route
  Network
  > Next Hop                                    RI  Proto   Metric
=============================================================================
* ::/0
  > 11:11:11:11::1                              1   Static  1
* 11:11:11:11::/64
  > ::                                          1   Local   0
* abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd/126
  > abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd     1   Static  1
* fe80::/64
  > ::                                          1   Local   0
The above fields are:
Status (Active Route) – Marks with a “*” an ‘Active Route’, i.e. a route entry that is forwarded to the FIB (Forwarding Information Base)
Network – IPv4 or IPv6 network address (prefix and prefix length). IPv4 prefix length can be 0–32; IPv6 prefix length can be 0–128.
Next hop – Route entry next hop IP address
RI – Local interface through which the next hop of this route should be reached
Protocol – Source protocol
Metric – Route entry metric
Viewing Routing Information
You can view all routing information, or only information on dynamic or static routes, for all IP addresses
or for a specific IP address and prefix length of a dynamic or static route, by using the show routing-table
command:
config>router(<number>)# show routing-table [ address <IP-address/IP-mask> ] [ protocol { dynamic | static } ]
To display the routing table:
config>router(1)# show routing-table
IP address/prefix    Next Hop           interface   Protocol   Metric
====================================================================
172.17.175.0/24      172.177.170.100    1           Static     250
172.17.176.0/24      0.0.0.0            3           Local      0
1.1.1.1/32           0.0.0.0            4           Local      0
The above fields are:
IP address/prefix – IPv4 or IPv6 address and prefix length
Next Hop – Route entry next hop IP address
Interface – Router interface number
Protocol – Source protocol:
• static
• local
• bgp
Metric – Route entry metric. When the protocol is BGP, this is blank.
Viewing Router Interface Status
You can view the router interface status by using the show status command:
config>router(<number>)>interface(<interface-num>)# show status
To display the router interface status:
1. Navigate to configure router <number> interface <number>.
2. At the config>router(<number>)interface(<number>)# prompt that is displayed, enter show status.
The router interface status is displayed.
config>router(1)>interface(1)# show status
Admin: Up
Oper: Up
Ip Addresses:
30.30.30.11/24 (dhcp) (preferred)
IPv4 Default Router : 30.30.30.1
DHCP Client Information
DHCP Status : Holding Lease
Server : 30.30.30.1
Router : 30.30.30.1
Lease Obtained : 2017-02-10 18:21:20
Expires : 2017-02-10 18:26:20
Lease Renewal: : 2017-02-10 18:23:50
Rebinding: : 2017-02-10 18:25:42
TFTP Server : --
Bootfile Name : --
Host Name : --
Static Routes : --
The above fields are:
Admin – Administrative status:
• up – ready to pass packets
• down
Oper – Operational status:
• up – ready to pass packets
• down
IP Addresses
IP Address/prefix length – IPv4 or IPv6 address and prefix length. Note: Supported for DHCPv6
origin – Origin of the IP address. Possible origins are:
• other
• manual
• DHCP
• link layer
• random
status – Status of the IP address. Available statuses (from the IPv6 Stateless Address Autoconfiguration protocol) are:
• preferred (default)
• deprecated
• invalid
• inaccessible
• unknown
• tentative
• duplicate
• optimistic
IPv4 Default Router – IP address of the IPv4 default router
DHCP Client Information (this section appears only when DHCP is enabled)
Status – DHCP client operational status. Available options are:
• Holding Lease
• Not Holding Lease
• Failed to Obtain Lease
• Waiting for Lease
• Initializing
• No Lease Address In Use
Server – Displays the DHCP server’s address
Router – List of default routers, in order of preference. If the first router is in use, (active) is displayed following its address. The first router is not in use if:
• There is a different static default router.
• The DHCP default router is invalid, i.e., not on the device’s networks.
Lease Obtained – Date and time when the DHCP lease was obtained
Expires – Date and time when the DHCP lease will expire, if not renewed
Lease Renewal – Date and time when the device will try to renew the DHCP lease.
renewal time = (expired - obtained) * 0.5
If the lease’s last chance for renewal passes, -- is displayed. Otherwise, the next renewal time is displayed, as follows:
• Date and time, formatted like other date and time values in the device (by default as dd-mm-yyyy hh:mm:ss)
• If a real-time clock is not available, time in seconds since startup.
Rebinding – Date and time when the device will try to rebind the DHCP lease
TFTP Server – IP address of TFTP server, received by DHCP
Boot file Name – File to obtain from TFTP server, received by DHCP
Host Name – Host name, received by DHCP
Static Routes – File to obtain from TFTP server, received by DHCP
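The renewal formula above can be checked against what the device prints, which is useful when a lease looks unexpectedly short (for instance when an unexpected DHCP server is answering on the segment). The following is an added example, not code from the manual or from RAD: it parses the DHCP Client Information block of show status and compares the displayed renewal and rebinding times with the formula. The sample block is constructed from the output above; the rebinding fraction 0.875 is the RFC 2131 default (T2) and is an assumption, since the manual gives no rebinding formula.

```python
from datetime import datetime

# Added example: reads the "DHCP Client Information" block of "show status"
# and checks the displayed Lease Renewal / Rebinding times against
#   renewal time = (expired - obtained) * 0.5        (formula from the manual)
#   rebinding    = (expired - obtained) * 0.875      (assumption: RFC 2131 default T2)

RENEWAL_FRACTION = 0.5
REBINDING_FRACTION = 0.875          # assumption, not stated in the manual
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # layout of the timestamps in the sample output

# Constructed sample in the layout of the output above (note the doubled colon
# on the Lease Renewal / Rebinding lines, reproduced as the device prints it).
SAMPLE_STATUS = """\
DHCP Client Information
DHCP Status : Holding Lease
Server : 30.30.30.1
Router : 30.30.30.1
Lease Obtained : 2017-02-10 18:21:20
Expires : 2017-02-10 18:26:20
Lease Renewal: : 2017-02-10 18:23:50
Rebinding: : 2017-02-10 18:25:42
TFTP Server : --
Bootfile Name : --
"""


def parse_dhcp_block(text):
    """Map field names to values, tolerating the doubled colon in 'Lease Renewal: :'."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue                      # section title such as "DHCP Client Information"
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip().lstrip(":").strip()
    return fields


def _parse_time(value):
    """Return a datetime, or None when the device shows '--' (window passed)."""
    return None if value in ("", "--") else datetime.strptime(value, TIME_FORMAT)


def check_lease_timing(text, now=None):
    """Compute expected T1/T2 from the lease bounds and compare with the shown values."""
    fields = parse_dhcp_block(text)
    obtained = _parse_time(fields["Lease Obtained"])
    expires = _parse_time(fields["Expires"])
    lease = expires - obtained
    expected_renewal = obtained + lease * RENEWAL_FRACTION
    expected_rebinding = obtained + lease * REBINDING_FRACTION
    shown_renewal = _parse_time(fields.get("Lease Renewal", "--"))
    shown_rebinding = _parse_time(fields.get("Rebinding", "--"))

    def agrees(shown, expected):
        # the device prints whole seconds, so allow one second of rounding
        return shown is not None and abs((shown - expected).total_seconds()) <= 1

    result = {
        "status": fields.get("DHCP Status"),
        "server": fields.get("Server"),
        "lease_seconds": lease.total_seconds(),
        "expected_renewal": expected_renewal,
        "expected_rebinding": expected_rebinding,
        "renewal_agrees": agrees(shown_renewal, expected_renewal),
        "rebinding_agrees": agrees(shown_rebinding, expected_rebinding),
        "renewal_window_passed": shown_renewal is None,   # device shows "--"
    }
    if now is not None:
        result["seconds_to_expiry"] = (expires - now).total_seconds()
    return result


if __name__ == "__main__":
    for key, value in check_lease_timing(SAMPLE_STATUS).items():
        print(f"{key}: {value}")
```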
Viewing Router Statistics
You can view the router statistics using the show statistics command.
To view router IPv4 traffic statistics:
1. Navigate to configure router <number>.
2. At the config>router(<number>)# prompt that is displayed, enter show statistics ipv4 traffic.
The router interface IPv4 traffic statistics are displayed.
IPv4 statistics:
In:
  Receives:               18446744073709551616    Octets:                 18446744073709551616
  Multicast Packets:      18446744073709551616    Multicast Octets:       18446744073709551616
  Broadcast Packets:      18446744073709551616    Header Errors:          4294967296
  No Routes:              4294967296              Address Errors:         4294967296
  Unknown Protocols:      4294967296              Truncated Packets:      4294967296
  Forward Packets:        18446744073709551616    Reassembled Required:   4294967296
  Reassembled Ok:         4294967296              Reassembled Fails:      4294967296
  Discards:               4294967296              Delivers:               18446744073709551616
Out:
  Requests:               18446744073709551616    No Routes:              4294967296
  Forward Packets:        18446744073709551616    Discards:               4294967296
  Fragmentation Required: 4294967296              Fragmentation Ok:       4294967296
  Fragmentation Fails:    4294967296              Fragmentation Creates:  4294967296
  Transmits:              18446744073709551616    Octets:                 18446744073709551616
  Multicast Packets:      18446744073709551616    Multicast Octets:       8446744073709551616
  Broadcast Packets:      18446744073709551616
To view router IPv6 traffic statistics:
1. Navigate to configure router <number>.
2. At the config>router(<number>)# prompt that is displayed, enter show statistics ipv6 traffic.
The router interface IPv6 traffic statistics are displayed.
IPv6 statistics:
In:
  Receives:               18446744073709551616    Octets:                 18446744073709551616
  Multicast Packets:      18446744073709551616    Multicast Octets:       18446744073709551616
  Broadcast Packets:      18446744073709551616    Header Errors:          4294967296
  No Routes:              4294967296              Address Errors:         4294967296
  Unknown Protocols:      4294967296              Truncated Packets:      4294967296
  Forward Packets:        18446744073709551616    Reassembled Required:   4294967296
  Reassembled Ok:         4294967296              Reassembled Fails:      4294967296
  Discards:               4294967296              Delivers:               18446744073709551616
Out:
  Requests:               18446744073709551616    No Routes:              4294967296
  Forward Packets:        18446744073709551616    Discards:               4294967296
  Fragmentation Required: 4294967296              Fragmentation Ok:       4294967296
  Fragmentation Fails:    4294967296              Fragmentation Creates:  4294967296
  Transmits:              18446744073709551616    Octets:                 18446744073709551616
  Multicast Packets:      18446744073709551616    Multicast Octets:       18446744073709551616
  Broadcast Packets:      18446744073709551616
Configuration Errors
The following table lists the messages generated by the device when a configuration error is detected.

Message: Cannot delete; interface associated with the router
Cause: You tried to delete a router entity that has router interfaces associated with it.
Corrective Action: Disassociate the router interfaces from the router.

Message: Cannot set address; DHCP enabled
Cause: You tried adding an IPv4 address when DHCP is enabled.
Corrective Action: Disable DHCP.

Message: Cannot set address; too many addresses already configured
Cause: You tried adding an IP address, but the number of IP addresses has already reached its limit.
Corrective Action: Delete one of the associated addresses before associating a new IP address.

Message: Cannot set address; invalid
Cause: You tried adding a multicast IP address, or an interface IPv4 address with prefix length 32 (which is only allowed for a loopback interface). When configuring static-route, you tried to do one of the following:
• Add a multicast IP network address.
• Add an IP network address when it was not allowed.

Message: Use /31 prefix-length on non point-to-point interface cautiously
Cause: You tried adding an IPv4 interface address with prefix length 31.

Message: Cannot modify; activated router interface
Cause: You tried modifying or removing a bound port while the router interface was activated (no shutdown), or you tried adding, modifying, or removing a VLAN while the router interface was activated (no shutdown).
Corrective Action: Shut down the router interface and try again.

Message: Cannot enable; IPv4 address exists
Cause: You tried enabling DHCP even though a manual IPv4 address exists.

Message: Cannot enable; DHCPv6 is enabled
Cause: You tried enabling DHCP even though DHCPv6 is enabled.
Corrective Action: Disable DHCPv6.

Message: Cannot set; DHCPv6 client is already defined
Cause: You tried enabling the DHCPv6 client when there is already one defined in the device.
Corrective Action: Remove the existing DHCPv6 client.

Message: Cannot enable; DHCP (v4) is enabled
Cause: You tried enabling DHCPv6 while DHCPv4 is enabled.
Corrective Action: Disable DHCPv4.

Message: Cannot set; Router Interface is loopback interface
Cause: You tried enabling the DHCPv6 client while the router interface is defined as a loopback interface.
Corrective Action: Associate the DHCPv6 client with a router interface that is not defined as a loopback interface.

Message: Cannot activate; must be bound to port
Cause: You tried activating a router interface which is neither a loopback interface nor bound to a port.
Corrective Action: Bind the router interface to a loopback interface or a port.

Message: Cannot activate; bound port in use by another router interface
Cause: You tried activating the router interface while the bound port is already in use by another router interface.

Message: Cannot activate; bound port+vlan in use by another router interface
Cause: You tried activating the router interface that is bound to port + vlan, while the bound pair port+vlan is already in use by another router interface.

Message: Cannot activate; ip address is set
Cause: You tried activating the router interface bound to a PPP port when an IP address was set.

Message: Cannot activate; dhcp is enable
Cause: You tried activating the router interface bound to a PPP port when DHCP is enabled.

Message: Address is not IPv4 address.
Cause: You configured the IP address of the Inside IP station with a non-IPv4 address.
Corrective Action: Configure the IP address of the Inside IP station with an IPv4 address.

Message: Too many crypto maps associated with the interface
Cause: You tried associating more than five crypto maps with the router interface.
Corrective Action: Disassociate at least one crypto map from the router interface.
6.9 Routing Protocol BGP
BGP (Border Gateway Protocol) is a path-vector protocol for dynamic routing, used for route distribution
between Autonomous Systems (AS) across the internet and other large networks.
Applicability and Scaling
This feature is applicable to all the device versions.
Standards Compliance
RFC 4271 - A Border Gateway Protocol 4 (BGP-4)
RFC 4893 - BGP Support for Four-octet AS Number Space
RFC 5396 - Textual Representation of Autonomous System (AS) Numbers
RFC 2385 - Protection of BGP Sessions via the TCP MD5 Signature Option
RFC 2545 - Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
The following BGP features are not supported:
• Graceful restart (RFC 4724)
• Interaction with ECMP
Benefits
Dynamic routing protocols enable routing tables to automatically adapt to changing networks. BGP is
the de-facto standard in the internet for communicating routing information between Autonomous
Systems (AS), making it the only option for AS boundary routers (ASBR) to enable route communication
with other ASes.
Functional Description
BGP is intended for use on customer-premises equipment (CPE) at the boundary of a large customer
network that is an independent ‘stub’ AS connected to only one other AS (the service provider network).
BGP functionality is explained in the following sections.
Dynamic Routing Protocols
Routers direct packets through their various interfaces according to their routing tables, which specify
an exit interface for each destination IP network. While routing tables can include static, manually
configured routes, an optimized routing table requires knowledge of remote network topology and
complex path calculations. Dynamic routing protocols define how routers communicate network
topology with each other and how they accordingly calculate optimized network paths and create their
routing tables.
The internet is divided into Autonomous Systems (AS). An AS is usually the network of an Internet
Service Provider (ISP) or another large organization that administers the AS-internal routing policy.
Routing information inside each AS is communicated and determined by an Interior Gateway Protocol
(IGP) such as OSPF; routing information between ASes is communicated by the Border Gateway Protocol
(BGP).
BGP: Path-Vector Routing
BGP is a path-vector routing protocol. As opposed to link-state protocols, in which network topology is
communicated throughout a network, and as opposed to distance-vector protocols, in which routers
communicate destination distances, routers using a path-vector protocol communicate actual paths, or
routes, to destinations.
In BGP, communicated paths for each destination contain the IP address of the first hop, and the list of
ASes, by AS numbers (ASN), which need to be traversed to reach the destination. BGP aggregates routes,
and, to prevent loops and to choose among the path alternatives, each BGP router decides which actual
routes to adopt among BGP updates received from its neighbors and which of its known routes to
advertise to its neighbors. BGP makes these decisions using optimization algorithms and (in other BGP
implementations) additional criteria from a locally configurable policy.
BGP Neighbors
BGP is configured only on AS Boundary Routers (ASBR). Each BGP router recognizes a limited list of BGP
neighbors from which it receives route updates and to which it advertises route updates. A BGP
neighbor relationship needs to be manually defined on both BGP routers. BGP routers identify neighbors
by their IP addresses and AS numbers.
BGP neighbors always belong to the IPv4 unicast address family, and can optionally belong to the IPv6
unicast address family.
AS-Internal Destination Injection
To be able to advertise its local AS-internal destinations to the rest of the internet, BGP needs to know
what destination networks are included in its local AS. BGP can become aware of these networks in
several configurable ways:
• BGP can be configured to redistribute static routes from the router’s routing table.
• BGP can be configured to redistribute connected networks.
• BGP can be configured to redistribute routes from the AS’ IGP (OSPF). Supported only for the IPv4 address family.
• Specified network addresses can be manually configured in BGP. These destinations are advertised only if they are found in the local routing table.
AS Numbers (ASN)
BGP communicates paths as a list of numbers of the ASes that need to be traversed to reach
destinations. Generally, ASNs uniquely define the AS, and are allocated for the individual AS by the
Internet Assigned Numbers Authority (IANA); however, ISPs can define private ASes for their customer
networks with ASNs in the range 64512–65534.
Limiting Received Routes
The number of routes received can be limited for each neighbor. When the number of received routes
reaches 90% of the configured value, the device generates an alarm and sends an SNMP trap. When the
configured value is exceeded, the session goes down for five minutes.
BGP Session Timers
BGP neighbors send each other keep-alive messages to confirm the connection’s health. Two
parameters are defined:
keepalive is the interval, in seconds, between messages confirming connection health to the neighbor. If
the value is 0, these messages are disabled.
holdtime is the interval, in seconds, after which the connection with the neighbor is considered down if
no keep-alive messages have been received from the neighbor. If the value is 0, the neighbor is never
considered down.
Upon session initiation, the neighbors negotiate for each of these two parameters and then both use the
lower of their values. Negotiated values can be viewed (see Viewing Neighbor Connection Status).
Either both parameters must be non-zero or both must be zero.
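The two per-neighbor safeguards just described, the max-prefixes limit (alarm and SNMP trap at 90% of the configured value, session down for five minutes once it is exceeded) and keepalive/holdtime negotiation (both sides use the lower value; both zero or both non-zero), modelled in Python so that an operator can see which event fires at which count. This is an added illustration of the documented behaviour, not RAD code; the function names, the event tuples and the use of a plain seconds counter as the clock are assumptions, and the route counts fed in are constructed.

```python
"""Model of max-prefixes handling and timer negotiation as the manual describes
them.  Added illustration, not the device's code."""
from dataclasses import dataclass, field

DOWN_PERIOD_SECONDS = 5 * 60   # manual: "the session goes down for five minutes"
ALARM_FRACTION = 0.9           # manual: alarm + SNMP trap when 90% of the limit is reached


def negotiate_timers(local, remote):
    """Return the (keepalive, holdtime) pair both neighbors end up using.

    local and remote are each (keepalive, holdtime) in seconds as configured on
    that side.  The manual requires both values on a side to be zero or both
    non-zero, and the session uses the lower of the two sides' values."""
    for keepalive, holdtime in (local, remote):
        if (keepalive == 0) != (holdtime == 0):
            raise ValueError("keepalive and holdtime must both be zero or both be non-zero")
    return (min(local[0], remote[0]), min(local[1], remote[1]))


@dataclass
class NeighborSession:
    """Receive-side accounting for one BGP neighbor (constructed model)."""
    max_prefixes: int = 0              # manual default: 0 = no limit
    received: int = 0                  # routes accepted since the session came up
    alarm_raised: bool = False
    down_until: float = 0.0            # clock value at which the session may come back up
    events: list = field(default_factory=list)   # what an operator would see

    def is_up(self, now: float) -> bool:
        return now >= self.down_until

    def on_route_received(self, now: float) -> bool:
        """Account for one received route.  Returns False when the route is not
        taken because the session is down (or has just been taken down)."""
        if not self.is_up(now):
            return False
        self.received += 1
        if self.max_prefixes == 0:
            return True                # no limit configured
        if not self.alarm_raised and self.received >= ALARM_FRACTION * self.max_prefixes:
            self.alarm_raised = True   # 90% reached: alarm + trap, session stays up
            self.events.append(("alarm", "snmp-trap", self.received))
        if self.received > self.max_prefixes:
            # limit exceeded: the session goes down for five minutes and the
            # counters start over when it comes back
            self.down_until = now + DOWN_PERIOD_SECONDS
            self.received = 0
            self.alarm_raised = False
            self.events.append(("session-down", now, self.down_until))
            return False
        return True


def simulate(max_prefixes: int, route_count: int):
    """Feed route_count routes at clock 0 to a neighbor limited to max_prefixes;
    return (accepted_count, events, clock value at which the session is up again)."""
    session = NeighborSession(max_prefixes=max_prefixes)
    accepted = sum(1 for _ in range(route_count) if session.on_route_received(0.0))
    return accepted, session.events, session.down_until


if __name__ == "__main__":
    print(negotiate_timers((30, 90), (60, 180)))   # (30, 90)
    print(simulate(10, 12))   # 10 accepted; alarm at the 9th route, down at the 11th
```

With the manual's defaults (keepalive 30, holdtime 90) a neighbor offering longer timers is pulled down to the local values, and a neighbor offering (0, 0) disables keepalives for both sides, which is worth checking in Viewing Neighbor Connection Status after peering. For monitoring, the model shows the two distinct signals to alert on: the 90% alarm, after which the session is still up, and the session-down event, after which routes from that neighbor are refused until the five minutes have elapsed.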
Routing Preferences
When there are conflicts between routes received from different sources, such as static routes,
connected networks, and BGP routes, the router’s Routing Table Manager (RTM) chooses among the
sources according to configurable source preference indices (lowest number indicates highest priority).
Separate preference indices are defined for BGP routes received from BGP neighbors in the same AS
(Internal BGP) and for BGP routes received from BGP neighbors in other ASes (External BGP).
BGP Path Attributes
Path attributes are contained in BGP update packets. The path attributes of advertised routes are used
to select the route from multiple routes, and to propagate policy.
BGP path attributes have the following types:
Well-known mandatory – Must be supported and propagated
Well-known discretionary – Must be supported; propagation optional
Optional transitive – Marked as partial if unsupported by neighbor
Optional nontransitive – Deleted if unsupported by neighbor
The following table lists the path attributes (type code, name, description, path type).
1 Origin – Origin type (IGP, EGP, or unknown). Path type: Well-known mandatory
2 AS Path – List of autonomous systems which the advertisement has traversed. Path type: Well-known mandatory
3 Next Hop – External peer in neighboring AS. Path type: Well-known mandatory
5 Local Preference – Metric for internal neighbors to reach external destinations (default 100). Path type: Well-known discretionary
8 Community – Route tag. Path type: Well-known discretionary
4 Multiple Exit Discriminator (MED) – Metric for external neighbors to reach the local AS (default 0). Path type: Optional nontransitive
BGP Policies
The BGP functionality provides a flexible filtering mechanism to ensure that the router processes only
relevant BGP update packets. The filtering is done by means of defining BGP policy profiles of the
following types:
Prefix lists – Filter by prefix and prefix length, where the prefix is specified by IP address and mask, with prefix length between 24 and 26
Route maps – Permit/deny if the packet matches a community in the form x:y. The community is a BGP path attribute (see BGP Path Attributes) that is usually set by each network.
BGP policy profiles are assigned per IPv4/IPv6 unicast address family per neighbor. One of each policy
profile type can be assigned in the inbound direction (to be applied to received packets) and outbound
direction (to be applied to advertised packets), per IPv4/IPv6 unicast address family per neighbor.
BGP policy profiles comprise sequentially numbered rules, each of which can be one of the following:
Permit action – Specifies criteria for permitting a packet, and optionally sets an action in the case of a route map profile
Deny action – Specifies criteria for dropping a packet
Remark – Used for commenting and visually organizing rules
If there is a need to add a rule between already existing rules with consecutive sequence numbers, the rules can be interspaced to accommodate additional rules between them.
The packet filtering is done as follows:
• Each BGP update packet is checked according to the associated prefix list policy (if one exists), and then the associated route map policy (if one exists), starting with the first rule.
• If the packet doesn’t match a rule, the next rule according to the sequence number is checked.
• If the packet matches a deny rule, it is dropped, and the filtering ends.
• If the packet matches a permit rule, the packet is permitted. Any set operation in the rule is performed, in the case of a route map profile.
• If the packet doesn’t match any rule, it is dropped.
Maintained Information
BGP maintains the following network information, all of which can be viewed (see Viewing BGP Status):
• Neighbor connectivity details
• Per-neighbor received routes
• Per-neighbor advertised routes
• Per-neighbor policy profiles
• Per-neighbor communities
• Per-neighbor RIB
• Per-neighbor summary
Factory Defaults
By default, BGP is not configured on RAD routers. The following tables show the default values when it is
configured.
Router
The following parameters determine BGP behavior for the whole router, for all interfaces:
bgp – Whether BGP is defined (but not necessarily enabled) on this router, and the local ASN. Default: no bgp
router-id – ID for the router in BGP communications, in IP address format. Default: – (mandatory configuration)
shutdown – Enable (no shutdown) / disable (shutdown) BGP on the router. Default: shutdown
IPv4 and IPv6 Unicast Address Family
The following parameters characterize behavior for the IPv4/IPv6 unicast address families, for all BGP
neighbors. The parameters for IPv4 and IPv6 have the same names but are defined in separate levels.
external-preference – Preference index for external BGP routes. See Routing Preferences. Default: 20
internal-preference – Preference index for internal BGP routes. See Routing Preferences. Default: 200
network – AS-internal networks that should be advertised to BGP neighbors. See AS-Internal Destination Injection. Default: no network
redistribute – Sources other than BGP of routes that should be advertised to BGP neighbors. See AS-Internal Destination Injection. Default: no redistribute
Neighbor
The following parameters determine BGP behavior per neighbor:
active – Whether IPv6 is enabled (active) or disabled (no active) for the neighbor. Default: no active
local-address – The local IP address from which to advertise BGP updates to the neighbor. Default: – (uses the closest interface to the neighbor)
max-prefixes – The maximum number of destination networks to receive from the neighbor. Default: 0 (= no limit)
password – Secret key for authentication of and to the neighbor. Default: no password
remote-as – The neighbor’s ASN. Default: – (mandatory configuration)
shutdown – Whether the neighbor is administratively enabled (no shutdown) or disabled (shutdown). Default: shutdown
keepalive – Interval, in seconds, between messages confirming connection health to the neighbor. Default: 30
holdtime – Interval, in seconds, after which the connection with the neighbor is considered down if no keepalive messages have been received from the neighbor. Default: 90
Configuring BGP
You can configure BGP on a RAD router that is at the boundary of an AS, after the router itself has been
properly configured. To configure BGP properly, you need to know your network BGP design, including
the router’s IP address and ASN, designated BGP neighbors’ IP addresses and ASNs, whether IPv6 is
required, and the desired method of passing AS-internal destinations to BGP.
When multiple VPN routers are configured on a device, each router should be configured with its own
instance of BGP. All of these BGP instances must share the same ASN.
BGP parameters are configured at the following levels:
• Configuring BGP at Router Level: Parameters that determine BGP behavior for the whole router, for all IP families and neighbors
• Configuring BGP Neighbors: Per-neighbor parameters
• Configuring IPv4/IPv6 Unicast Address Families: Parameters that characterize BGP behavior for the IPv4/IPv6 unicast address families.
Follow these steps to configure BGP:
1. Define the BGP router IP address and ASN (see Configuring BGP at Router Level).
2. Administratively enable BGP.
3. Define any necessary BGP neighbors, along with the remote AS to which the neighbor belongs
(see Configuring BGP Neighbors).
4. Administratively enable the BGP neighbors.
5. If it is necessary for BGP to be aware of AS-internal destinations that need to be advertised,
configure redistribution (of OSPF routes, static routes, and/or connected networks) or explicit
networks, for IPv4 and IPV6 unicast address families (see Configuring IPv4/IPv6 Unicast Address
Families).
6. For each BGP neighbor, if network design requires any non-default values for IPv4 and IPV6
unicast address families, configure the parameters (see Configuring Neighbor Parameters).
Configuring BGP at Router Level
To configure BGP:
1. At the config>router(<number>)# prompt, type:
bgp <ASN>
The config>router(<number>)>bgp(<ASN>)# prompt is displayed.
Note
• <ASN> is the number of the local AS where the router is located.
• Type no bgp <ASN> to remove BGP from the router (if no neighbors are defined).
2. Enter all necessary commands according to the tasks listed below.
Task: Enabling BGP on the router
Command: [no] bgp <ASN>
Comments: <ASN> is the number of the local AS where the router is located.

Task: Restarting a BGP session with a neighbor and reloading BGP policy profiles
Command: clear-neighbor <IP-address> [soft]
Comments: <IP-address> is the neighbor’s IP address (IPv4 or IPv6). If you specify soft, the link with the neighbor is not reset, but the BGP policy profiles are reloaded.

Task: Configuring BGP parameters for the IPv4 or IPv6 unicast address family
Command: ipv4-unicast-af or ipv6-unicast-af
Comments: See Configuring IPv4/IPv6 Unicast Address Families.

Task: Configuring a BGP neighbor
Command: neighbor <IP-address>
Comments: <IP-address> is the neighbor’s IP address (IPv4 or IPv6). See Configuring BGP Neighbors. no neighbor <IP-address> removes the neighbor from the BGP configuration.

Task: Defining the IP address for the router in BGP communications
Command: router-id <IP-address>
Comments: To simplify management, the IP address can be the actual IP address of one of the router’s interfaces, or there may be some other organizational convention. Defining or changing the router IP address requires BGP to be administratively disabled (shutdown).

Task: Displaying the IPv4 or IPv6 community table
Command: show community { ipv4 | ipv6 }
Comments: See Viewing BGP Communities.

Task: Displaying the IPv4 or IPv6 RIB (Routing Information Base) table
Command: show rib { ipv4 | ipv6 }
Comments: See Viewing BGP RIB.

Task: Displaying a summary of neighbor connection information
Command: show summary
Comments: See Viewing BGP Summary.

Task: Administratively enabling or disabling BGP on the router
Command: [no] shutdown
Comments: To disable: shutdown; to enable: no shutdown. When BGP is disabled, the operational status of the BGP neighbors goes down.

BGP command tree (fragment, from the neighbor level under ipv4-unicast-af onward):
| | +---neighbor <ip-address>
| | | |
| | | +---active
| | | | no active
| | | |
| | | +---route-map-bind <name> {in|out}
| | | | no route-map-bind <name> {in|out}
| | | |
| | | +---show advertised-route
| | | |
| | | +---show received-route
| | | |
| | | +---show route-map
| | |
| | +---network <prefix>
| | | no network <prefix>
| | |
| | +---redistribute {connected|static|ospf}
| | | no redistribute {connected|static|ospf}
| |
| +---ipv6-unicast-af
| | |
| | +---external-preference <priority>
| | |
| | +---internal-preference <priority>
| | |
| | +---neighbor <ip-address>
| | | |
| | | +---active
| | | | no active
| | | |
| | | +---route-map-bind <name> {in|out}
| | | | no route-map-bind <name> {in|out}
| | | |
| | | +---show advertised-route
| | | |
| | | +---show received-route
| | | |
| | | +---show route-map
| | |
| | +---network <prefix>
| | | no network <prefix>
| | |
| | +---redistribute {connected|static}
| | | no redistribute {connected|static}
| |
| +---neighbor <ip-address>
| | no neighbor <ip-address>
| | |
| | +---local-address <ip-address>
| | | no local-address
| | |
| | +---max-prefixes <number>
| | |
| | +---password <string> [hash]
| | | no password
| | |
| | +---remote-as <as-number>
| | |
| | +---shutdown
| | | no shutdown
| | |
| | +---timers [keepalive <keepalive>] [holdtime <holdtime>]
| | |
| | +---show neighbor-connection
| |
| +---router-id <ip-address>
| |
Configuring BGP Neighbors
You can define BGP neighbors to represent neighboring routers from which the BGP router entity
receives route updates and to which it advertises route updates.
To configure BGP neighbors:
1. At the config>router(<number>)>bgp(<ASN>)# prompt, type:
neighbor <IP-address>
The config>router(<number>)>bgp(<ASN>)> neighbor(<IP-address>)# prompt is displayed.
2. Enter all necessary commands according to the tasks listed below.
Task: Defining the local IP address from which to advertise BGP updates to the neighbor
Command: [no] local-address [<IP-address>]
Comments: local-address <IP-address> sets the parameter value; no local-address clears the parameter. When no local address is set (default), BGP uses the closest interface to the neighbor. The change takes effect only after clear-neighbor or shutdown.

Task: Setting the maximum number of routes to accept from the neighbor
Command: max-prefixes <prefixes>
Comments: <prefixes> is a number in the range 0–2147483647. 0 means no limit. See Limiting Received Routes. The change takes effect only after clear-neighbor or shutdown.

Task: Setting the password for the neighbor session
Command: [no] password <password> [hash]
Comments: The <password> can be up to 80 characters. hash specifies that the password should be encrypted. no password deletes the password. The change takes effect only after clear-neighbor or shutdown.

Task: Defining the neighbor’s ASN
Command: remote-as <ASN>
Comments: Available only when communication with the neighbor is disabled (shutdown).

Task: Setting the keepalive and holdtime timers
Command: timers <keepalive> <holdtime>
Comments: See BGP Session Timers.

Task: Viewing connectivity details
Command: show neighbor-connection
Comments: See Viewing Neighbor Connection Status.

Task: Enabling or disabling BGP communication with the neighbor
Command: [no] shutdown
Comments: To enable: no shutdown (requires remote-as to have been configured). To disable: shutdown. The change takes effect only after clear-neighbor or shutdown.
Configuring IPv4/IPv6 Unicast Address Families
The parameters for IPv4/IPv6 unicast address families are configured in the levels configure router
<number> bgp <ASN> ipv4-unicast-af and configure router <number> bgp <ASN> ipv6-unicast-af,
respectively. You can configure general parameters for the unicast address families, or neighbor
parameters.
Configuring Unicast Address Family Parameters
To configure IPv4/IPv6 unicast address families:
1. At the config>router(<number>)>bgp(<ASN>)# prompt, type one of the following, according to
whether you wish to configure BGP parameters for the IPv4 or IPv6 unicast address family:
ipv4-unicast-af
ipv6-unicast-af
The prompt config>router(<number>)>bgp(<ASN>)>ipv4-unicast-af# or
config>router(<number>)>bgp(<ASN>)>ipv6-unicast-af# is displayed.
2. Enter all necessary commands according to the tasks listed below.
Task: Defining the preference index for external BGP routes
Command: external-preference <priority>
Task: Defining the preference index for internal BGP routes
Command: internal-preference <priority>
Comments (both commands): <priority> should be an integer in the range 1–255. Note: the value 255 is considered unreachable and the corresponding route is not added to the routing table. See Routing Preferences. Note: Priority can be changed at any time; the change takes effect only after clear-neighbor or shutdown.

Task: Specifying a neighbor router
Command: neighbor <IP-address>
Comments: See Configuring Neighbor Parameters.

Task: Defining an explicit network that should be advertised to BGP neighbors as a destination in this AS
Command: network <IP-address>/<netmask>
Comments: <IP-address> is the network’s IP address, and <netmask> is the length of the network part (CIDR notation). Each added network requires a separate command. To delete the network entity: no network <IP-address>/<netmask>. See AS-Internal Destination Injection.

Task: Defining non-BGP sources of routes that should be advertised to BGP neighbors
Command: [no] redistribute {connected | static | ospf}
Comments: To disable redistribution: no redistribute {connected | static | ospf}. Each source protocol (connected, static, ospf) requires a separate command. For IPv6, only the connected and static options are supported. See AS-Internal Destination Injection.
Configuring Neighbor Parameters
To configure BGP neighbor parameters under the IPv4/IPv6 unicast address families:
1. At the prompt config>router(<number>)>bgp(<ASN>)>ipv4-unicast-af# or
config>router(<number>)>bgp(<ASN>)>ipv6-unicast-af#, type:
neighbor <IP-address>
The prompt config>router(<number>)>bgp(<ASN>)>ipv4-unicast-af>neighbor(<IP-address>)# or
config>router(<number>)>bgp(<ASN>)>ipv6-unicast-af>neighbor(<IP-address>)# is displayed.
2. Enter all necessary commands according to the tasks listed below.
Task: Enabling or disabling IPv4 or IPv6 BGP for the neighbor
Command: [no] active
Comments: Enable – active; Disable – no active. You cannot type no active for IPv4, as the IPv4 unicast address family is always enabled for all neighbors.

Task: Associating a prefix list BGP policy with the neighbor unicast address family for the incoming or outgoing direction
Command: prefix-list-bind <name> {in | out}
Comments: Type no before the command to remove the association with the prefix list.

Task: Associating a route map BGP policy with the neighbor unicast address family for the incoming or outgoing direction
Command: route-map-bind <name> {in | out}
Comments: Type no before the command to remove the association with the route map.

Task: Viewing routes advertised to the neighbor
Command: show advertised-route
Comments: See Viewing Advertised Routes.

Task: Displaying any associated prefix list policy profiles and rules related to a BGP neighbor per AF
Command: show prefix-list
Comments: See Viewing BGP Policy Profiles.

Task: Viewing routes received from the neighbor
Command: show received-route
Comments: See Viewing Received Routes.

Task: Displaying any associated route map policy profiles and rules related to a BGP neighbor per AF
Command: show route-map
Comments: See Viewing BGP Policy Profiles.
Configuring BGP Policy Profiles
BGP policy profiles are configured at the router level. They can be prefix list or route map policy profiles
(see BGP Policies for more information). After changing a policy profile, you should use the command
clear-neighbor with the soft parameter, to ensure that the change is applied to the neighbor BGP
policies.
To configure BGP policy profiles:
1. Navigate to configure router <number>.
2. Enter the necessary commands according to the table below.
3. See Configuring Prefix List Rules or Configuring Route Map Rules respectively, for commands to
configure the rules in a prefix list policy profile or route map policy profile.
Task: Configuring a prefix list policy profile, for IPv4/IPv6
Command: prefix-list <name> {ipv4 | ipv6}
Comments: Type no prefix-list <name> to delete the prefix list.

Task: Configuring a route map policy profile
Command: route-map <name>
Comments: Type no before the command to delete the route map.

Task: Resequencing the rules in a policy profile
Command: resequence <name> [<number>]
Comments: This command can be used when you need to insert rules in the middle of a policy profile. <name> – name of the policy profile. <number> – step between the rule sequence numbers. For instance, if you specify 10, the rule sequence numbers are changed to 10, 20, 30, etc. Range for <number>: 1–100000.
Configuring Prefix List Rules
To configure the rules in a prefix list policy profile:
1. Navigate to configure router prefix-list <name> {ipv4 | ipv6}.
2. Enter the necessary commands according to the tasks listed below.
Task: Removing a rule
Command: delete <sequence>
Comments: <sequence> – sequence number of the rule to delete

Task: Adding a deny rule
Command: deny <prefix>/<length> [ge <ge-value>] [le <le-value>] [sequence <sequence>]
Comments:
• <prefix>/<length> – prefix and length identifying the network that this rule matches, in the following form according to IPv4 or IPv6: (IPv4) <IPv4 address>/<1–32>; (IPv6) <IPv6 address>/<1–128>
• ge – Rule matches packets with prefix length greater than or equal to <ge-value>.
• le – Rule matches packets with prefix length less than or equal to <le-value>.
• sequence – assigns <sequence> as the sequence number of the rule. Sequence number range: 1–2147483648
The ge and le parameters are validated as follows:
• (IPv4) prefix length < ge < le <= 32
• (IPv6) prefix length < ge < le <= 128

Task: Adding a permit rule
Command: permit <prefix>/<length> [ge <ge-value>] [le <le-value>] [sequence <sequence>]
Comments: For an explanation of the parameters, see the comments above for the deny rule.

Task: Adding a remark
Command: remark [<description>] [sequence <sequence>]
Comments: The description can contain up to 252 characters.
Configuring Route Map Rules
To configure the rules in a route map policy profile:
1. Navigate to configure router route-map <name>.
2. Enter the necessary commands according to the tasks listed below.
Task: Removing a rule
Command: delete <sequence>
Comments: <sequence> – sequence number of the rule to delete

Task: Adding a deny rule
Command: deny [match [as-path <string>] [community <string>] [prefix-list <string>]] [sequence <sequence>]
Comments:
as-path – BGP AS Path that this rule matches against a route, in ASCII, in regular expression format (permitted length 0–127 characters). Note: AS numbers are matched as decimal numbers. For example, the AS number '0x0123' should be represented in the regular expression string as '291'. A NULL string indicates that the field is not in use.
community – BGP community that this rule matches, in the form aa:nn (permitted length 0–127 characters). If community is not specified, this rule matches all packets. Note: Community uses the new-format decimal notation. For example, the community '0x00120101' should be represented in the string as '18:257'.
prefix-list – BGP policy prefix-list profile name that this rule matches; permitted length 0–80 characters
sequence – Assigns <sequence> as the sequence number of the rule. Sequence number range: 1–2147483648

Task: Adding a permit rule, and optionally specifying set actions
Command: permit [match [as-path <string>] [community <string>] [prefix-list <string>]] [set [as2-path-prepend <string>] [as4-path-prepend <string>] [community <string>] [local-preference <number>] [med <number>]] [sequence <sequence>]
Comments:
as-path, community, prefix-list, sequence – as described above for the deny rule.
set – Specify set actions for BGP path attributes (see BGP Path Attributes):
as2-path-prepend/as4-path-prepend – Set AS prepend (for 2/4-octet AS size) to <string>; permitted length 0–127 characters. Note: You can define only one as-path-prepend statement, either as2-path-prepend or as4-path-prepend.
community – Set community to a string in the form aa:nn (permitted length 0–127 characters).
local-preference – Set local preference to <number>. Possible values: 0–4294967295
med – Set Multiple Exit Discriminator (MED) to <number>. Possible values: 0–4294967295

Task: Adding a remark
Command: remark [<description>] [sequence <sequence>]
Comments: The description can contain up to 255 characters.
Examples
This section illustrates configuring BGP policy profiles.
To configure a prefix list (IPv4):
• BGP AS = 65530
• Neighbor IP address = 120.120.120.120
• Permit routes with prefix 100.102.0.0/11, and prefix length 24–26
exit all
#****** Configure the prefix list
configure router 1
prefix-list subnetsIN ipv4
permit 100.102.0.0/11 ge 24 le 26 sequence 10
remark "permit 100.102.0.0/11 with prefix length 24 to 26" sequence 10000
exit
#****** Bind the prefix list
bgp 65530 ipv4-unicast-af neighbor 120.120.120.120
prefix-list-bind subnetsIN in
exit all
#****** Reload BGP policy profiles for the neighbor
configure router 1 bgp 65530
clear-neighbor 120.120.120.120 soft
save
To configure a prefix list (IPv6):
• BGP AS = 65530
• Neighbor IP address = 78:78:78::78
• Permit routes with prefix 123a:bbb1::/28 and prefix length 50–66
exit all
#****** Configure the prefix list
configure router 1
prefix-list subnetsIN ipv6
permit 123a:bbb1::/28 ge 50 le 66 sequence 10
remark "permit 123a:bbb1::/28 with prefix length 50 to 66" sequence 10000
exit
#****** Bind the prefix list
bgp 65530 ipv6-unicast-af neighbor 78:78:78::78
prefix-list-bind subnetsIN in
exit all
#****** Reload BGP policy profiles for the neighbor
configure router 1 bgp 65530
clear-neighbor 78:78:78::78 soft
save
To configure route map (IPv4):
• BGP AS = 65530
• Neighbor IP address = 120.120.120.120
• Deny subnets with community 1:10
exit all
#****** Configure the route map
configure router 1
route-map commIN
deny match community 1:10 sequence 10
remark "deny subnets with community 1:10" sequence 10000
exit
#****** Bind the route map
bgp 65530 ipv4-unicast-af neighbor 120.120.120.120
route-map-bind commIN in
exit all
#****** Reload BGP policy profiles for the neighbor
configure router 1 bgp 65530
clear-neighbor 120.120.120.120 soft
save
To configure route map (IPv6):
• BGP AS = 65530
• Neighbor IP address = 78:78:78::78
• Permit subnets with community 1:10
exit all
#****** Configure the route map
configure router 1
route-map commIN
permit match community 1:10 sequence 10
remark "permit subnets with community 1:10" sequence 10000
exit
#****** Bind the route map
bgp 65530 ipv6-unicast-af neighbor 78:78:78::78
route-map-bind commIN in
exit all
#****** Reload BGP policy profiles for the neighbor
configure router 1 bgp 65530
clear-neighbor 78:78:78::78 soft
save
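To see what the prefix-list statements in the examples above actually admit, here is a Python evaluator that models a prefix-list profile with permit/deny rules, ge/le bounds and sequence numbers. It is an added example, not code from the manual or from RAD: the PrefixRule and PrefixList names are its own, the ge/le length ranges follow standard prefix-list semantics (the manual does not spell them out), the validation reproduces the constraint length < ge-value <= le-value <= 32 or 128 that the Configuration Errors table states for the "wrong length parameters" message, and an implicit deny when no rule matches is assumed. The two sample lists are built from the subnetsIN examples above.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixRule:
    """One 'permit|deny <prefix> [ge N] [le M] sequence S' statement (hypothetical model)."""
    sequence: int
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "100.102.0.0/11"
    ge: Optional[int] = None
    le: Optional[int] = None


@dataclass
class PrefixList:
    """A 'prefix-list <name> ipv4|ipv6' profile and its rules (hypothetical model)."""
    name: str
    family: str                 # "ipv4" or "ipv6"
    rules: List[PrefixRule] = field(default_factory=list)


def _network(prefix: str):
    # strict=False masks host bits, so 100.102.0.0/11 becomes 100.96.0.0/11,
    # the network the rule actually covers.
    return ipaddress.ip_network(prefix, strict=False)


def length_range(rule: PrefixRule) -> Tuple[int, int]:
    """Prefix lengths a rule covers. Standard prefix-list semantics, assumed
    here because the manual does not spell them out:
      no ge/le -> exact length; ge only -> ge..32/128;
      le only  -> prefix length..le; ge and le -> ge..le."""
    net = _network(rule.prefix)
    low = rule.ge if rule.ge is not None else net.prefixlen
    if rule.le is not None:
        high = rule.le
    elif rule.ge is not None:
        high = net.max_prefixlen
    else:
        high = net.prefixlen
    return low, high


def validate_rule(family: str, rule: PrefixRule) -> None:
    """Raise ValueError for a rule the device rejects with
    'wrong prefix address type' or 'wrong length parameters'."""
    net = _network(rule.prefix)
    if (family == "ipv4") != (net.version == 4):
        raise ValueError(f"seq {rule.sequence}: {rule.prefix} is not an {family} prefix")
    if rule.action not in ("permit", "deny"):
        raise ValueError(f"seq {rule.sequence}: unknown action {rule.action!r}")
    # Manual: length < ge-value <= le-value <= address length of family (32 or 128)
    low, high = length_range(rule)
    if rule.ge is not None and not net.prefixlen < rule.ge:
        raise ValueError(f"seq {rule.sequence}: ge {rule.ge} must exceed length {net.prefixlen}")
    if not low <= high <= net.max_prefixlen:
        raise ValueError(f"seq {rule.sequence}: need {low} <= le <= {net.max_prefixlen}, got {high}")


def rule_matches(rule: PrefixRule, candidate: str) -> bool:
    """True if the candidate prefix lies inside the rule's prefix and its
    length falls within the rule's ge/le range."""
    net = _network(rule.prefix)
    cand = _network(candidate)
    if cand.version != net.version or not cand.subnet_of(net):
        return False
    low, high = length_range(rule)
    return low <= cand.prefixlen <= high


def evaluate(plist: PrefixList, candidate: str) -> str:
    """Return 'permit' or 'deny' for a route prefix. Rules are tried in
    sequence order and the first match decides; no match means 'deny'
    (implicit deny, an assumption of this example)."""
    for rule in plist.rules:
        validate_rule(plist.family, rule)
    for rule in sorted(plist.rules, key=lambda r: r.sequence):
        if rule_matches(rule, candidate):
            return rule.action
    return "deny"


# Constructed from the subnetsIN examples above.
SUBNETS_IN_V4 = PrefixList("subnetsIN", "ipv4",
                           [PrefixRule(10, "permit", "100.102.0.0/11", ge=24, le=26)])
SUBNETS_IN_V6 = PrefixList("subnetsIN", "ipv6",
                           [PrefixRule(10, "permit", "123a:bbb1::/28", ge=50, le=66)])
```

Running a candidate set of prefixes through evaluate before binding a profile with prefix-list-bind shows exactly which announcements will be accepted inbound, which is the check an operator wants before a soft clear-neighbor reloads the policy.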
Example
In this example, a customer-premises RAD device has been placed at the boundary of an organization’s
network, which is an independent AS. The RAD device needs to be configured for BGP.
The only BGP neighbor is the Provider Edge (PE) router. Since this is a stub AS, it has been decided that
AS-internal destinations should be aggregated and manually defined (with the network command)
rather than enabling automatic redistribution. IPv6 is required for this network.
Device                                          IP           ASN
CPE ASBR (the device being configured for BGP)  10.10.1.1    64515
PE (BGP neighbor)                               10.10.10.1   613
The configuration process for this example is:
#***** Configure BGP on router
configure router 1
bgp 64515
router-id 10.10.1.1
no shutdown
#***** define AS-internal networks for advertisement
ipv4-unicast-af
network 10.10.1.0/24
exit
ipv6-unicast-af
network fc00:1234:a1b1:0000:0000:0000:0000:0000/48
exit
#***** configure neighbor
neighbor 10.10.10.1
remote-as 613
no shutdown
exit all
save
Configuration Errors
The following table lists the messages generated by the device when a configuration error is detected.
Message: Cannot delete; BGP neighbor exist
Cause: You tried to run no bgp, but there are configured BGP neighbors.
Corrective Action: Delete all neighbors and try again.

Message: Cannot create; AS number must be equal for all BGP entities
Cause: You tried to define BGP with an ASN different from the BGP ASN configured for another router on this device.
Corrective Action: Use the same ASN for BGP on all the device's routers.

Message: Cannot clear; unknown neighbor
Cause: You tried to run clear-neighbor on an IP address that is not configured for any defined BGP neighbor.
Corrective Action: Use the correct IP address configured for the neighbor.

Message: Cannot set; AS number change requires deletion of all BGP entities
Cause: You tried changing the BGP ASN before deleting all BGP entities.
Corrective Action: Delete all BGP entities, and then change the ASN.

Message: Cannot set; change requires bgp shutdown
Cause: You tried to set the router-id with BGP running.
Corrective Action: Run shutdown and then try again.

Message: Cannot activate; router-id number must be set
Cause: You tried to enable BGP (no shutdown) without having set the router-id.
Corrective Action: Set the router-id and try again.
Message: Cannot set; No such neighbor
Cause: You tried to enter an IP / neighbor context, but you specified an IP address that is not configured for any neighbor.
Corrective Action: Use the correct IP address configured for the neighbor.

Message: Cannot set; ipv4 unicast address family always enable
Cause: You tried using the active command in the IPv4 neighbor CLI context.
Corrective Action: IPv4 cannot be disabled for any neighbor. If you meant to enable or disable IPv6, navigate to config>router(<number>)>bgp(<ASN>)>ipv6-unicast-af>neighbor(<IP-address>)# and try again.

Message: Cannot activate; remote IP address and AS number must be set
Cause: You tried to run no shutdown for a BGP neighbor, but this neighbor does not yet have an ASN.
Corrective Action: Set the neighbor's ASN (with the remote-as command) and then try again.

Message: Cannot set; Hold time should be greater than the keepalive time
Cause: You tried to run the timers command with a hold time less than or equal to the keepalive time.
Corrective Action: Run the command again with a hold time greater than the keepalive time.

Message: Cannot bind; policy profile type does not match
Cause: You tried to bind a policy profile that does not match the required policy type (prefix-list-ipv4 or prefix-list-ipv6).
Corrective Action: Change the policy type to prefix-list-ipv4 or prefix-list-ipv6.

Message: Cannot bind; prefix-list profile already in use in match statement
Cause: You tried to bind a prefix-list profile when a route-map profile with a 'match prefix-list' statement is already bound to the same BGP connection.
Corrective Action: Unbind the route-map profile with the 'match prefix-list' statement from the BGP connection.

Message: Cannot bind; no such policy profile
Cause: You tried to bind a policy profile that does not exist.
Corrective Action: Create the policy profile that you want to bind.

Message: Cannot bind; policy profile type does not match
Cause: You tried to bind a policy profile that does not match the required type (route-map).
Corrective Action: Bind a policy profile of type route-map.

Message: Cannot bind; address-family mismatch with match statement
Cause: You tried to bind a route-map profile with a 'match prefix-list' statement whose prefix-list address-family is not identical to the bound connection's address-family.
Corrective Action: Create a prefix-list whose address-family is identical to the bound connection's address-family.
Message: Cannot bind; prefix-list profile already bound
Cause: You tried to bind a route-map profile with a 'match prefix-list' statement when a prefix-list profile is already bound to the same BGP connection.
Corrective Action: Unbind the prefix-list profile from the BGP connection.

Message: Cannot delete; prefix list is matched in a route-map
Cause: You tried to delete a prefix-list that is matched in a route-map.
Corrective Action: Unbind the policy profile from all entities bound to it.

Message: Cannot create; name already in use
Cause: You tried creating a prefix-list policy profile with a name that already exists in the system.
Corrective Action: Choose a unique name for the newly created prefix-list policy profile.

Message: Cannot add statement; wrong prefix address type
Cause: You tried adding a rule with an address type (ipv4 or ipv6) that does not match the profile type.
Corrective Action: Use the appropriate address type.

Message: Cannot add statement; wrong length parameters
Cause: You tried adding a rule with incorrect length parameters.
Corrective Action: Correct the length parameters so that length < ge-value <= le-value <= address length of the family (32 or 128).

Message: Cannot add statement; regular expression is incorrect
Cause: The regular expression that you entered does not translate into a valid AS path.
Corrective Action: Enter a new regular expression for the AS path.

Message: Cannot add statement; no such policy profile
Cause: You tried adding a statement with a prefix-list profile that does not exist.
Corrective Action: Create the prefix-list profile or use an existing prefix-list profile.

Message: Cannot add statement; prefix-list address-family mismatch
Cause: You tried adding a statement with a prefix-list profile address-family that differs from that of similar previous statements.
Corrective Action: Use a prefix-list profile address-family that matches the previous statements.

Message: Cannot add statement; the route-map is bound to bgp connection with bound prefix-list
Cause: You tried adding a statement, but the route-map profile (with the new 'match prefix-list' statement) is bound to a connection with a bound prefix-list profile.
Corrective Action: Unbind the route map from the bgp connection.

Message: Warning: prefix list profile contains permit statement
Cause: You used a prefix-list profile that contains at least one "permit" statement.
Corrective Action: Use another prefix-list profile or remove all "permit" statements from the current prefix-list profile.
Message: Set timer to '0' requires holdtime = keepalive = 0
Cause: You tried to run the timers command with one 0 value. Either both or neither must be 0.
Corrective Action: Run the command again with either both or neither parameter being 0.
Viewing BGP Status
You can view the current configuration (see Viewing the Current Configuration), status of the
connection with each configured neighbor (see Viewing Neighbor Connection Status), and routes
received from and advertised to each neighbor (see Viewing Received Routes and Viewing Advertised
Routes). This information can be used for testing (see Testing BGP) and debugging.
Viewing the Current Configuration
To view the configuration, use the commands info (to include only non-default configuration) and info
detail (to include default configuration).
You can view this info at any of the following configuration levels:
Level                              Context Prompt
Router                             config>router(<number>)>bgp(<ASN>)#
IPv4/IPv6 unicast address family   config>router(<number>)>bgp(<ASN>)>ipv4-unicast-af#
                                   config>router(<number>)>bgp(<ASN>)>ipv6-unicast-af#
Neighbor                           config>router(<number>)>bgp(<ASN>)>neighbor(<IP-address>)#
IPv6 neighbor                      config>router(<number>)>bgp(<ASN>)>ipv6-unicast-af>neighbor(<IP-address>)#
For example:
config>router(1)>bgp(64515)# info detail
router-id 10.10.1.1
no shutdown
echo "BGP Neighbor Configuration"
# BGP Neighbor Configuration
neighbor 10.10.10.1
  local-address 0.0.0.0
  max-prefixes 0
  password "" hash
  remote-as 613
  no shutdown
  timers keepalive 30 holdtime 90
exit
echo "IPv4 Unicast Address Family Configuration"
# IPv4 Unicast Address Family Configuration
ipv4-unicast-af
  external-preference 20
  internal-preference 200
  redistribute ospf
  echo "IPv4 Unicast Address Family - Neighbor Configuration"
  # IPv4 Unicast Address Family - Neighbor Configuration
  neighbor 10.10.10.1
    active
  exit
exit
echo "IPv6 Unicast Address Family Configuration"
# IPv6 Unicast Address Family Configuration
ipv6-unicast-af
  external-preference 20
  internal-preference 200
  echo "IPv6 Unicast Address Family - Neighbor Configuration"
  # IPv6 Unicast Address Family - Neighbor Configuration
  neighbor 10.10.10.1
    no active
  exit
exit
Viewing Neighbor Connection Status
You can view connectivity details with any configured BGP neighbor by using the show
neighbor-connection command. This command is available in the BGP neighbor CLI context:
config>router(<number>)>bgp(<ASN>)>neighbor(<IP-address>)#. You can use this information for
troubleshooting and testing.
For example:
config>router(1)>bgp(64515)>neighbor(10.10.10.1)# show neighbor-connection
Remote Host: 10.10.10.1
Remote Port: 179
Local Host : 0.0.0.0
Local Port : 36586
Remote AS : 613
BGP State: Active
Hold Time (seconds) : 180
Up for 12d 06:23:53
Keepalive Interval (seconds): 60
Last Error : None
Neighbor Advertised Capabilities
---------------------------------------------------------------------------
Address Family IPv4 Unicast : Advertised and received
Address Family IPv6 Unicast : Advertised and received
Route refresh               : Advertised and received
Graceful Restart            : None
Four Octet AS               : Received
Viewing Received Routes
You can view the database of routes received from a particular neighbor by using the show received-route
command. This command is available in the CLI contexts for IPv4 or IPv6 unicast address families,
at the neighbor level: config>router(<number>)>bgp(<ASN>)>ipv4-unicast-af>neighbor(<IP-address>)#
or config>router(<number>)>bgp(<ASN>)>ipv6-unicast-af>neighbor(<IP-address>)#.
To display the received routes for IPv4 unicast address families:
config>router(1)>bgp(1)>ipv4-unicast-af>neighbor(2.2.2.2)# show received-route
Network               > Next Hop          MED     LocPrf  Path
================================================================================
0.0.0.0/0             > 172.17.171.1      1000    2000    3000 1000 100 2333
111.222.111.220/30    > 111.222.111.223   65200   65200   4000 800 65500
To display the received routes for IPv6 unicast address families:
config>router(1)>bgp(1)>ipv6-unicast-af>neighbor(1:1:1:1::2)# show received-route
Network                                      > Next Hop                                 MED     LocPrf  Path
================================================================================
::/0                                         > 11:11:11:11::1                           1000    2000    3000 1000 100 2333
11:11:11:11::/64                             > ::                                       1000    2000    3000 1000 100
abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd/126  > abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd  65200   65200   4000 80 65500
The above fields are:
Network
IPv4 or IPv6 network address (prefix and prefix length)
IPv4 prefix length can be 0–32; IPv6 prefix length can be 0–128.
Next Hop
Neighbor IPv4 or IPv6 address
MED
Number of Multi-exit Discriminators (in decimal value)
Possible values: 0–4294967295
LocPrf
Local preference
Possible values: 0–4294967295
Path
AS path details
Viewing Advertised Routes
You can view the database of routes that are advertised to a particular neighbor by using the show
advertised-route command. This command is available in the CLI contexts for IPv4 or IPv6 unicast
address families, at the neighbor level: config>router(<number>)>bgp(<ASN>)>ipv4-unicast-af>neighbor(<IP-address>)#
or config>router(<number>)>bgp(<ASN>)>ipv6-unicast-af>neighbor(<IP-address>)#.
To display the advertised routes for IPv4 unicast address families:
config>router(1)>bgp(1)>ipv4-unicast-af>neighbor(1.1.1.1)# show advertised-route
A = advertised, S = suppressed, E = endingWithdrawal W = withdrawn
  Network               > Next Hop          MED     LocPrf  Path
================================================================================
A 0.0.0.0/0             > 172.17.171.1      1000    2000    3000 1000 100 2333
A 111.222.111.220/30    > 111.222.111.223   65200   65200   4000 800 65500
To display the advertised routes for IPv6 unicast address families:
config>router(1)>bgp(1)>ipv6-unicast-af>neighbor(1:1:1:1::2)# show advertised-route
A = advertised, S = suppressed, E = endingWithdrawal W = withdrawn
  Network                                      > Next Hop                                 MED     LocPrf  Path
================================================================================
A ::/0                                         > 11:11:11:11::1                           1000    2000    3000 1000 100 2333
S 11:11:11:11::/64                             > ::                                       1000    2000    3000 1000 100
A abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd/126  > abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd  65200   65200   4000 80 65500
The above fields are:
Status
Status of route
Possible values are:
• A – advertised
• S – suppressed
• E – endingWithdrawal
• W – withdrawn
Neighbor
IPv4 or IPv6 network address (prefix and prefix length)
IPv4 prefix length can be 0–32; IPv6 prefix length can be 0–128.
Next hop
Neighbor IPv4 or IPv6 address
MED
Number of Multi-exit Discriminators (in decimal value)
Possible values: 0–4294967295
LocPrf
Local preference
Possible values: 0–4294967295
Path
Network prefix and prefix length
Value: string with interpretation of two octets or four octets
Viewing BGP Policy Profiles
You can view the BGP policy profiles assigned to a particular neighbor by using the command show
prefix-list or show route-map. These commands are available in the CLI contexts for IPv4 or IPv6 unicast
address families, at the neighbor level: config>router(<number>)>bgp(<ASN>)>ipv4-unicast-af>neighbor(<IP-address>)#
or config>router(<number>)>bgp(<ASN>)>ipv6-unicast-af>neighbor(<IP-address>)#.
To display the prefix list policy profiles assigned to the neighbor 1.1.1.1 IPv4 unicast family:
config>router(1)>bgp(64515)>ipv4-unicast-af>neighbor(1.1.1.1)# show prefix-list
Name: aaaaaAAAAAbbbbbBBBBBcccccCCCCCdddddDDDDD (In)
10 deny 10.10.10.0/24 (hit count: 2)
20 permit 3.3.3.0/24 ge 25 le 27 (hit count: 35)
Name: XXXX (Out)
100000 permit 2.2.2.0/24 10 (hit count: 35)
To display the prefix list policy profiles assigned to the neighbor 10:10:10::10 IPv6 unicast family:
config>router(1)>bgp(64515)>ipv6-unicast-af>neighbor(10:10:10::10)# show prefix-list
Name: aaaaaAAAAAbbbbbBBBBBcccccCCCCCdddddDDDDD (In)
100000 permit 1234:1234:1234:1234:1234:1234:1234:1234/100 ge 110 le 120
(hit count: 4294967295)
Name: XXXX (Out)
20 permit 2:2:2::0/64 (hit count: 15)
To display the route map policy profiles assigned to the neighbor 1.1.1.1 IPv4 unicast family:
config>router(1)>bgp(64515)>ipv4-unicast-af>neighbor(1.1.1.1)# show route-map
Name: aaaaaAAAAAbbbbbBBBBBcccccCCCCCdddddDDDDD (In)
10 permit (hit count: 0)
match community 1:2
set community 2:3 med 456799 local-pref 123456
20 deny (hit count: 2)
match community 1000:2000
Name: XXXX (Out)
10 permit (hit count: 10)
match community 3000:4000
set community 1000:2000 local-pref 110
20 permit (hit count: 1)
match community 100:200
40 permit (hit count: 2)
match as-path _150$ prefix-list AAAA community 10:20
set as2-path-prepend "100 100" community 30:40
To display the route map policy profiles assigned to the neighbor 10:10:10::10 IPv6 unicast family:
config>router(1)>bgp(64515)>ipv6-unicast-af>neighbor(10:10:10::10)# show route-map
Name: aaaaaAAAAAbbbbbBBBBBcccccCCCCCdddddDDDDD (In)
10 permit (hit count: 0)
match community 1:2
set community 2:3 med 456799 local-pref 123456
20 deny (hit count: 2)
match community 1000:2000
Name: XXXX (Out)
10 permit (hit count: 10)
match community 3000:4000
set community 1000:2000 local-pref 110
20 permit (hit count: 1)
match community 100:200
40 permit (hit count: 2)
match as-path _150$ prefix-list AAAA community 10:20
set as2-path-prepend "100 100" community 30:40
The above fields are:
Name
Profile name
(In)/(Out)
Policy direction: inbound or outbound
Sequence number
Policy rule sequence number
Type
Policy rule type
Possible options are:
• Deny
• Permit
Route map rule information
Route-map rule information
Viewing BGP Communities
You can view the received communities of all neighbors by using the command show community. This
command is available in the CLI contexts for IPv4 or IPv6, at the BGP level:
config>router(<number>)>bgp(<ASN>)#.
To display the IPv4 BGP communities received by all neighbors:
config>router(1)>bgp(1)# show community ipv4
Network                Community
===============================================================
Neighbor 2.2.2.2
0.0.0.0/0              65000:65000
111.222.111.220/30     20:20
Neighbor 33.33.33.33
0.0.0.0/0              1000:2000
111.222.111.220/30     100:100 200:200 300:300 400:400
To display the IPv6 BGP communities received by all neighbors:
config>router(1)>bgp(1)# show community ipv6
Network                                                                                 Community
=============================================================================
Neighbor 2:2:2:2::2
::/0                                         > 11:11:11:11::1                           65000:65000 1000:2000 3000:1000
11:11:11:11::/64                             > ::                                       1000:2000
abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd/126  > abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd  65200:65200
Neighbor 33:33:33:33::33
::/0                                         > 11:11:11:11::1                           20:30
11:11:11:11::/64                             > ::                                       400:400
abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd/126  > abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd  65200:65200 4000:65500
The above fields are:
Neighbor
Neighbor IPv4 or IPv6 address
Network
IPv4 or IPv6 network address (prefix and prefix length)
IPv4 prefix length can be 0–32; IPv6 prefix length can be 0–128.
Community
Decimal value, in format xxxx:yyyy
Possible values: 00000:00000–65535:65535
Viewing BGP RIB
You can view the BGP RIB (Routing Information Base) for each neighbor by using the command show rib.
This command is available in the CLI contexts for IPv4 or IPv6, at the BGP level:
config>router(<number>)>bgp(<ASN>)#.
To display the IPv4 BGP RIB:
config>router(1)>bgp(1)# show rib ipv4
* = Best Route
  Network               > Next Hop          MED     LocPrf  Path
=============================================================================
Neighbor 2.2.2.2
* 0.0.0.0/0             > 172.17.171.1      1000    2000    3000 1000 100 2333
* 111.222.111.220/30    > 111.222.111.223   65200   65200   4000 800 65500
Neighbor 33.33.33.33
  0.0.0.0/0             > 172.17.171.1      1000    2000    3000 1000 100 2333
  111.222.111.220/30    > 111.222.111.223   65200   65200   4000 800 65500
To display the IPv6 BGP RIB:
config>router(1)>bgp(1)# show rib ipv6
* = Best Route
  Network                                      > Next Hop                                 MED     LocPrf  Path
=============================================================================
Neighbor 2:2:2:2::2
* ::/0                                         > 11:11:11:11::1                           1000    2000    3000 1000 100 2333
  11:11:11:11::/64                             > ::                                       1000    2000    3000 1000 100
* abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd/126  > abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd  65200   65200   4000 80 65500
Neighbor 33:33:33:33::33
  ::/0                                         > 11:11:11:11::1                           1000    2000    3000 1000 100 2333
* 11:11:11:11::/64                             > ::                                       1000    2000    3000 1000 100
  abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd/126  > abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd  65200   65200   4000 80 65500
The above fields are:
Neighbor
Neighbor IPv4 or IPv6 address
Status (Best Route)
Marks with a "*" the 'Best Route', i.e. the route entry forwarded to the Router's RIB (Routing Information Base)
Network
IPv4 or IPv6 network address (prefix and prefix length)
IPv4 prefix length can be 0–32; IPv6 prefix length can be 0–128.
Next hop
Network prefix and prefix length
MED
Number of Multi-exit Discriminators (in decimal value)
Possible values: 0–4294967295
LocPrf
Local preference
Possible values: 0–4294967295
Path
Network prefix and prefix length
Value: string with interpretation of two octets or four octets
Viewing BGP Summary
You can view the summary of neighbor connections information by using the command show summary.
This command is available in the CLI contexts for IPv4 and IPv6, at the BGP level:
config>router(<number>)>bgp(<ASN>)#.
IPv4 AF connections appear on top, followed by IPv6 AF connections.
To display the BGP summary:
config>router(1)>bgp(1)# show summary
Neighbor                                 AS     Up/Down       State
=============================================================================
11:11:11:11::205                         209    never         Active
3.3.3.2                                  3000   never         Idle
172.17.171.205                           209    12d 06:23:53  Established
172.17.171.218                           209    12d 06:23:53  Active
abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd  65200  never         Active
The above fields are:
Neighbor
Neighbor IPv4 or IPv6 address
AS
Remote AS number
Possible values: 0..35655 or 0..4294967295
Up/Down
Amount of time that the underlying TCP connection has been in existence, i.e.
how long this peer has been in the Established state.
Note: Up/Down time is set to zero when a new peer is configured or the
router is booted.
Possible values: 0 - 4294967295 seconds
When up/down time = 0, displays “never”.
Otherwise displays in format number of days, hours, minutes, and seconds,
for example: “12d 06:23:53”
State
BGP session state
Possible values are:
• Idle
• Connect
• Active
• Opensent
• Openconfirm
• Established
Testing BGP
After configuring BGP on a router in an existing BGP environment, you should test that BGP is working
properly.
To test BGP:
1. Wait a few seconds after configuration for BGP communications to take place.
2. For each configured BGP neighbor:
a. Navigate to the BGP neighbor CLI context
(config>router(<number>)>bgp(<ASN>)>neighbor(<IP-address>)#).
b. Enter show neighbor-connection and check that communication has been successfully
established.
c. Navigate to the IPv4 unicast address family neighbor context
(config>router(<number>)>bgp(<ASN>)>ipv4-unicast-af>
neighbor(<IP-address>)#).
d. Enter show advertised-route and check that the correct destination routes are being
advertised.
e. Enter show received-route and check that BGP routes are being received.
3. If IPv6 has been configured for this neighbor:
a. Navigate to the IPv6 unicast address family neighbor context
(config>router(<number>)>bgp(<ASN>)>ipv6-unicast-af>
neighbor(<IP-address>)#).
b. Enter show advertised-route and check that the correct destination routes are being
advertised.
c. Enter show received-route and check that BGP routes are being received.
4. Navigate out of the BGP context, to the router CLI context.
5. Enter show routing-table and check that there are new routes marked as originating in BGP.
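The checks in the procedure above can be scripted from show summary output so they run on every change rather than once after configuration. The Python below is an added example, not code from the manual or from RAD: it parses the summary layout shown earlier, converts the Up/Down column to seconds, and reports sessions that are not Established, sessions that have never been up, peers whose remote AS differs from an operator-supplied expected map, and expected peers absent from the output. The expected_as mapping, the Peer and audit_summary names, and the sample rows (taken from the manual's show summary example) are constructed for this example.

```python
import re
from typing import Dict, List, NamedTuple


class Peer(NamedTuple):
    """One row of show summary (hypothetical model)."""
    neighbor: str
    remote_as: int
    up_down: str
    state: str


# Constructed sample in the layout the manual shows for show summary.
SAMPLE_SUMMARY = """\
Neighbor                                 AS     Up/Down       State
=============================================================================
11:11:11:11::205                         209    never         Active
3.3.3.2                                  3000   never         Idle
172.17.171.205                           209    12d 06:23:53  Established
172.17.171.218                           209    12d 06:23:53  Active
abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd  65200  never         Active
"""

# The State values listed by the manual.
BGP_STATES = {"Idle", "Connect", "Active", "Opensent", "Openconfirm", "Established"}

# Up/Down is "never" or "[<days>d ]HH:MM:SS", e.g. "12d 06:23:53".
_UPDOWN_RE = re.compile(r"^(?:(\d+)d )?(\d{2}):(\d{2}):(\d{2})$")


def parse_summary(text: str) -> List[Peer]:
    """Parse show summary rows. A data row ends with a BGP state and has a
    numeric AS column; the Up/Down column may contain a space ('12d 06:23:53'),
    so it is everything between the AS and the State."""
    peers = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[-1] not in BGP_STATES or not tokens[1].isdigit():
            continue
        peers.append(Peer(tokens[0], int(tokens[1]), " ".join(tokens[2:-1]), tokens[-1]))
    return peers


def up_down_seconds(value: str) -> int:
    """'never' -> 0 (the manual says Up/Down 0 displays as 'never');
    '12d 06:23:53' -> seconds."""
    if value == "never":
        return 0
    m = _UPDOWN_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised Up/Down value {value!r}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def audit_summary(text: str, expected_as: Dict[str, int]) -> List[str]:
    """Findings a monitoring job would raise from show summary:
    sessions not Established, sessions that never came up, remote AS
    mismatches against the operator's expected peer map, and expected
    peers missing from the output."""
    findings = []
    seen = set()
    for peer in parse_summary(text):
        seen.add(peer.neighbor)
        if peer.state != "Established":
            findings.append(f"{peer.neighbor}: state {peer.state}, not Established")
        if up_down_seconds(peer.up_down) == 0:
            findings.append(f"{peer.neighbor}: session has never been up")
        want = expected_as.get(peer.neighbor)
        if want is not None and want != peer.remote_as:
            findings.append(f"{peer.neighbor}: remote AS {peer.remote_as}, expected {want}")
    for neighbor in expected_as:
        if neighbor not in seen:
            findings.append(f"{neighbor}: expected peer not in show summary")
    return findings
```

Feeding the same output to this audit after each clear-neighbor or policy change turns step 2b of the procedure into a repeatable check, and an AS mismatch finding is the fastest way to notice a peer configured against the wrong remote-as.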
6.10 Routing Protocol OSPF
Open Shortest Path First (OSPF) is a link-state interior-gateway protocol for dynamic routing. The
current implementation is OSPFv2 (handles IPv4 only).
Applicability and Scaling
The following functionality is not supported in OSPF version 2:
Note: OSPF does not support the BFD protocol.
Standards Compliance
Standard   Name                                                     Unsupported functionality
RFC 2328   OSPF Version 2                                           • IPv6 (supported only in OSPF v.3)
                                                                    • Multiple OSPF instances on a router
                                                                    • Area-to-backbone virtual links
RFC 3101   The OSPF Not-So-Stubby Area (NSSA) Option
RFC 3509   Alternative Implementations of OSPF Area Border Routers
RFC 4750   OSPF Version 2 Management Information Base
RFC 4940   IANA Considerations for OSPF
Benefits
Dynamic routing protocols enable routing tables to automatically adapt to changing networks. Link-state
dynamic routing protocols such as OSPF quickly adapt to network changes, enable intelligent decisions
for best routing paths, and are highly scalable.
All the routers in an Autonomous System (AS) must use the same Interior Gateway Protocol (IGP).
Functional Description
OSPF functionality is explained in the following sections.
Dynamic Routing Protocols
Routers direct packets through their various interfaces according to their routing tables, which specify
an exit interface for each destination IP network. While routing tables can include static, manually
configured routes, an optimized routing table requires knowledge of remote network topology and
complex path calculations. Dynamic routing protocols define how routers communicate network
topology with each other and how they accordingly calculate optimized network paths and create their
routing tables.
The internet is divided into Autonomous Systems (AS). An AS is usually the network of an Internet
Service Provider (ISP) or another large organization that administers the AS-internal routing policy.
Routing information inside each AS is communicated and determined by an Interior Gateway Protocol
(IGP) such as OSPF; Routing information between ASes is communicated by the Border Gateway
Protocol (BGP).
Link-State Routing
Link-state routing is one of the two main types of IGPs, along with distance-vector routing. OSPF is a link-state routing protocol.
In link-state protocols, each router creates and maintains a relatively full map of network connectivity.
The connectivity map, called the Link-State Database (LSDB), includes information on which routers are
connected to which other routers, and each connection’s cost metric, which takes into account things
like round-trip time, throughput, and link availability. The map’s completeness enables the router to
intelligently calculate the optimal path from itself to any network destination, without having to rely on
partial path calculations made in other parts of the network. These optimal paths are used to
dynamically create a routing table.
To supply information for LSDBs, each router in the network notifies the network about its own
immediate neighboring routers and the costs of its connections with them. Routers collect this link-state
information and issue Link-State Advertisements (LSAs) to their neighbors. Upon receiving an LSA, each
router updates its LSDB.
To inform their neighbors of their existence, routers send periodical HELLO messages. When HELLO
messages stop coming from a router, the connection with that router is considered to have failed, and
an LSA is generated to inform the network of the lost connection.
OSPF Network Architecture
To reduce routing traffic and LSDB size, an AS that uses OSPF is divided into OSPF areas. Each area is a
group of contiguous networks which appears to OSPF externally as a single unit with an invisible internal
topology.
The AS must have a single designated backbone area so that each other area is directly connected to the
backbone. A router that connects an area to the backbone (that is, it has an interface in the backbone
and an interface in another area) is called an Area Border Router (ABR). An ABR summarizes its area’s
topology for external distribution, and maintains an LSDB for all areas to which it is connected.
AS-External Information
To enable routing to destinations outside the AS, designated Autonomous System Boundary Routers
(ASBRs) receive topology information about other ASs, and distribute it to internal routers. ASBRs can be
configured whether to distribute topology from specified external sources (static routes or from BGP).
However, to reduce traffic, LSDB size, and routing table size, areas can be configured so that only the
area ABR is aware of the AS-external topology, and the internal routers route traffic with destinations
outside the AS through the ABR. Two types of such areas can be configured:
Stub Area: Cannot originate nor import AS-external topology. Internal routers in this area route through the ABR.
Not So Stubby Area (NSSA): Cannot originate but can import AS-external topology.
An area which is neither stub nor NSSA is called a transit area. The backbone area must always be a
transit area.
Link-State Summarization
For AS-internal topology information, there is by default no difference between the different types of
non-backbone areas: ABRs of stub, NSSA and transit (except for backbone) areas summarize AS-internal,
area-external link-state information for distribution to area-internal routers. However, a stub or NSSA
ABR can be optionally configured to suppress summary-LSAs, instead becoming the area’s single default
gateway.
Designated Routers
To reduce network traffic, each network selects a Designated Router (DR) to send LSAs outside of the
network. A Backup Designated Router (BDR) is also selected in case of DR failure. Routers are selected
according to configurable router priority indexes (lowest number indicates highest priority).
Authentication
OSPF can be configured to perform authentication, in which case OSPF information is accepted only
from password-authenticated routers.
Routing Preferences
When there are conflicts between routes received from different sources, such as static routes, OSPF
AS-internal routes, and OSPF AS-external routes, the Routing Table Manager (RTM) chooses among the
sources according to configurable source preference indices (lowest number indicates highest priority).
Explicit Range Aggregation
To reduce route lists, explicit ranges can be configured to replace included subnets. Specifically, internal
IP address ranges can be configured to be summarized by a transit area ABR, or external IP address
ranges can be aggregated by an NSSA ABR. For a transit area ABR, an internal range can also be
configured to be hidden from other areas.
Maintained Information
OSPF maintains the following network information, all of which can be viewed (see Viewing OSPF
Status):
• Neighbor list
• Interface information
• LSDB
• LSA counters (see Viewing OSPF Statistics)
Factory Defaults
OSPF parameters are configured at these levels:
• Configuring OSPF at the Router Level: Parameters that determine OSPF behavior for the whole router, for all interfaces
• Configuring OSPF at the Area Level: Parameters that characterize an area, for all interfaces that are configured as belonging in this area
• Configuring OSPF at the Interface Level: Per-interface parameters
Router OSPF Parameters
The following parameters determine OSPF behavior for the whole router, for all interfaces:
Parameter: external-preference
Description: Preference index for OSPF AS-external routes. See Routing Preferences.
Default Value: 110

Parameter: internal-preference
Description: Preference index for OSPF AS-internal routes. See Routing Preferences.
Default Value: 10

Parameter: ospf
Description: Whether OSPF configuration is defined (but not necessarily enabled) on this router
Default Value: no ospf

Parameter: redistribute
Description: Whether to distribute routes from specified external sources (connected, static or BGP) to the rest of the AS. See AS-External Information.
Default Value: no redistribute
SecFlow-1p
6. Traffic Processing
467
Parameter
Description
Default Value
router-id
ID for router in OSPF communications, in format like IP
address. Must be unique in AS
-(mandatory configuration)
shutdown
Enable (no shutdown) / disable (shutdown) OSPF on the
router.
shutdown
Area OSPF Parameters
The following parameters characterize an area (see OSPF Network Architecture), for all interfaces that
are configured as belonging in this area:
area-id: ID for the area in OSPF communications. Must be unique in the AS. Format is like an IP address. Can be the same as the IP address of a network in the area. The backbone area must have ID 0.0.0.0. Default: none
default-cost: Cost metric of the default route, for a stub area ABR to advertise into the area. See Link-State Routing. Default: 1
nssa: Whether the area is an NSSA, and whether the area ABR will provide area routers with summary LSAs (or just rely on its default route). See AS-External Information and Link-State Summarization. Default: no nssa, no-summary
range: Internal IP address range(s) to be summarized or hidden by a transit area ABR, or external IP address range(s) to be aggregated by an NSSA ABR. See Explicit Range Aggregation. Default: none
shutdown: Enable (no shutdown) / disable (shutdown) the area. Default: shutdown
stub: Whether the area is a stub area, and whether the area ABR will provide area routers with summary LSAs (rather than just rely on its default route). See AS-External Information and Link-State Summarization. Default: no stub, no-summary
Interface OSPF Parameters
The following parameters determine OSPF behavior per-interface:
area: ID of the area to which the interface belongs. See OSPF Network Architecture. Default: no area
authentication-key: Password for OSPF authentication. See Authentication. Default: none
authentication-type: Whether OSPF information should be password-authenticated. See Authentication. Default: no authentication
dead-interval: Time, in seconds, after which the connection with a silent neighbor is considered failed. See Link-State Routing. Default: 40
hello-interval: Time, in seconds, between sending HELLO packets. See Link-State Routing. Default: 10
metric: Explicit network cost of the interface for OSPF path calculation. See Link-State Routing. Default: 1
ospf: Whether OSPF configuration is defined (but not necessarily enabled) on this interface. Default: no ospf
passive: Whether OSPF packets can (no passive) or cannot (passive) be sent through this interface. Default: no passive
priority: Priority index for becoming DR or BDR. See Designated Routers. Default: 1
retransmit-interval: Time, in seconds, between retransmissions of unacknowledged adjacency LSAs and of other network advertisements. See Link-State Routing. Default: 5
shutdown: Enable (no shutdown) / disable (shutdown) OSPF on the interface. Default: shutdown
transit-delay: Time, in seconds, to be added to the LSA's age before transmission. Should be the estimated time of LSA transmission over the interface, including propagation delays. Default: 1
Configuring OSPF
OSPF is not configured by default on RAD routers. On a router that does not have OSPF defined, once
the router itself and its interfaces have been properly configured, you can configure OSPF. To configure
OSPF properly, you will need to know your network OSPF design.
To configure OSPF on a fresh router:
1. Define OSPF on the router by entering the following commands in the device CLI:
configure
router <number>
ospf
OSPF is defined on the router, and the CLI ospf context is provided.
2. In the router ospf context, define the router ID:
router-id <id>
where <id> is an ID for the router in OSPF communications, in IP address format (<0-255>.<0-255>.<0-255>.<0-255>). The ID must be unique in the AS. To simplify management, the ID can be the actual IP address of one of the router's interfaces, or there may be some other organizational convention.
3. Where network design requires that this router have non-default values (see Parameters and Factory Defaults) for any router-level OSPF parameters, configure them (see Configuring OSPF at the Router Level).
4. Still in the router ospf context, enable OSPF on the router by entering:
no shutdown
5. Configure each OSPF area (see OSPF Network Architecture) that the router should be in according to network design:
a. In the router OSPF context (config>router(<router_number>)>ospf#), define the area ID:
area <area-id>
where <area-id> is an ID for the area in OSPF communications, in IP address format (<0-255>.<0-255>.<0-255>.<0-255>). The ID must be unique in the AS. To simplify management, the ID can be the actual IP address of a network in the area, or there may be some other organizational convention. The backbone area ID must be 0.0.0.0.
The area is defined, and the CLI area context is provided.
b. In the area context (config>router(<router_number>)>ospf>area(<area-id>)#):
• If according to network design the area should be a stub area, enter:
stub
• If according to network design the area should be an NSSA area, enter:
nssa
c. Where network design requires that this router have non-default values (see Parameters and Factory Defaults) for any area-level OSPF parameters, configure them (see Configuring OSPF at the Area Level).
d. Still in the area context, enable the area by entering:
no shutdown
An enabled area means that OSPF interfaces connected to it can be enabled, and that the area's type (stub / NSSA / transit) cannot be changed.
e. Exit the area context.
6. Exit the router OSPF context to return to the router CLI context.
7. Configure OSPF on each interface:
a. Go into the interface CLI context (config>router(<router_number>)>interface(<interface_number>)#), and define OSPF on the interface:
ospf
OSPF is defined on the interface, and the CLI interface ospf context is provided.
b. In the interface OSPF context, set the area with which to associate the interface:
area <area-id>
where <area-id> is the area's ID, according to network design.
c. Where network design requires that this interface have non-default values (see Parameters and Factory Defaults) for any interface-level OSPF parameters, configure them (see Configuring OSPF at the Interface Level).
d. Still in the interface OSPF context, activate OSPF on the interface by entering:
no shutdown
e. Exit the interface OSPF context, and exit the interface context.
Configuring OSPF at the Router Level
The following commands are available in the CLI router OSPF context:
config>router(<router_number>)>ospf# . The exception to this is the ospf command itself, which is
performed in the router context: config>router(<router_number>)# .
Task: Define OSPF on the router (if not yet defined), and provide the router CLI ospf context
Command: [no] ospf
Comments: After defining OSPF on the router, OSPF still needs to be enabled (after setting router-id) with no shutdown. no ospf removes OSPF from the router (if no areas are defined).

Task: Define ID for the router in OSPF communications
Command: router-id <id>
Comments: <id> is in IP address format: <0-255>.<0-255>.<0-255>.<0-255>. The ID must be unique in the AS. To simplify management, the ID can be the actual IP address of one of the router's interfaces, or there may be some other organizational convention.

Task: Enable / disable OSPF on the router
Command: [no] shutdown
Comments: To disable: shutdown. To enable: no shutdown.

Task: Define / remove OSPF area, with an ID for the area in OSPF communications
Command: [no] area <area-id>
Comments: <area-id> is in IP address format: <0-255>.<0-255>.<0-255>.<0-255>. The ID must be unique in the AS. To simplify management, the ID can be the actual IP address of a network in the area, or there may be some other organizational convention. The backbone area ID must be 0.0.0.0. no area <area-id> removes the area from the router OSPF configuration (if the area is not associated with any interfaces). To further configure the area, see Configuring OSPF at the Area Level.

Task: Set ASBR to distribute routes from specified external sources (connected, static or BGP) to the rest of the AS, or disable distribution
Command: [no] redistribute {connected | static | bgp}
Comments: To disable distribution: no redistribute. See AS-External Information. Note: The redistribute bgp command does not work for local BGPs. To redistribute routes into local (directly connected) OSPF and advertise the BGP, use redistribute connected.

Task: Set preference index for OSPF AS-external routes
Command: external-preference <priority>
Comments: <priority> should be an integer in the range 1–255. Note: the value 255 is considered unreachable, and the corresponding route is not added to the routing table. See Routing Preferences.

Task: Set preference index for OSPF AS-internal routes
Command: internal-preference <priority>
Comments: <priority> should be an integer in the range 1–255. Note: the value 255 is considered unreachable, and the corresponding route is not added to the routing table. See Routing Preferences.

Task: View Link-State Database (LSDB)
Command: show database
Comments: See Viewing OSPF Status.

Task: View OSPF interface information
Command: show interface-table
Comments: See Viewing OSPF Status.

Task: View OSPF neighbors
Command: show neighbor-table
Comments: See Viewing OSPF Status.
Configuring OSPF at the Area Level
The following commands are available in the CLI OSPF area context:
config>router(<router_number>)>ospf>area(<area-id>)# . Note that the area command, which is
performed in the router OSPF context: config>router(<router_number>)>ospf#, appears under
Configuring OSPF at the Router Level.
Task: Setting the cost metric of the default route, for a stub area ABR to advertise into the area
Command: default-cost <metric>
Comments: Use only on a stub area ABR. Possible values: 1–16777215 (24-bit). See Link-State Routing.

Task: Making the area an NSSA area, or changing an NSSA area back to a transit area
Command: [no] nssa [summary | no-summary]
Comments: All routers in an NSSA area must be configured as such. See AS-External Information. This command is effective regardless of the area's current type (transit or stub). For the area ABR to just rely on its default route rather than provide area routers with summary LSAs, use nssa no-summary. For it to go back to providing summary LSAs, use nssa summary. See Link-State Summarization. To change an NSSA area back to a transit area, use no nssa.

Task: Setting internal IP address range(s) to be summarized or hidden by a transit area ABR
Command: [no] range <ip-address>/<mask-length> [advertise | not-advertise]
Comments: To set internal transit area summarization, on the transit ABR use: range <ip-address>/<mask-length> advertise. To set internal transit area hiding, on the transit ABR use: range <ip-address>/<mask-length> not-advertise. <ip-address> should represent an IP range, in IP address format. <mask-length> should be an integer in the range 1–32, representing the number of leading bits in <ip-address> that are the network mask. To delete a configured range, use: no range <ip-address>/<mask-length>. See Explicit Range Aggregation.

Task: Making the area a stub area, or changing a stub area back to a transit area
Command: [no] stub [summary | no-summary]
Comments: All routers in a stub area must be configured as such. See AS-External Information. This command is effective regardless of the area's current type (transit or NSSA). For the area ABR to just rely on its default route rather than provide area routers with summary LSAs, use stub no-summary. For it to go back to providing summary LSAs, use stub summary. See Link-State Summarization. To change a stub area back to a transit area, use no stub.

Task: Enable / disable the area
Command: [no] shutdown
Comments: To disable: shutdown. To enable: no shutdown.
Configuring OSPF at the Interface Level
The following commands are available in the CLI interface OSPF context:
config>router(<router_number>)>interface(<interface_number>)>ospf# . The exception to this is the ospf command itself, which is performed in the interface context: config>router(<router_number>)>interface(<interface_number>)# .
Task: Define OSPF on the interface (if not yet defined), and provide the interface CLI ospf context
Command: ospf
Comments: After defining OSPF on the interface, OSPF still needs to be enabled (after associating the interface with an area) with no shutdown. no ospf removes OSPF from the interface (if no areas are defined).

Task: Associate the interface with an area
Command: [no] area <area-id>
Comments: Specify the area with its <area-id>. To disassociate the interface from any area, use no area <area-id>.

Task: Set password authentication for OSPF communications
Command: [no] authentication-type [simple-password]
Comments: To set authentication, use: authentication-type simple-password. To disable authentication, use: no authentication-type. See Authentication.

Task: Set the password for OSPF authentication, if enabled
Command: authentication-key <authentication-key> [hash]
Comments: <authentication-key> can be any combination of up to 8 ASCII characters. Use the hash option to specify that the provided key should be encrypted, in which case the key can be up to 22 characters. See Authentication.

Task: Enable / disable OSPF on the interface
Command: [no] shutdown
Comments: To disable: shutdown. To enable: no shutdown.

Task: Set the time after which the connection with a silent neighbor is considered failed
Command: dead-interval <seconds>
Comments: Possible values: 1–2147483647. See Link-State Routing.

Task: Set the time between sending HELLO packets
Command: hello-interval <seconds>
Comments: <seconds> should be in the range 1–65535. See Link-State Routing.

Task: Explicitly set the network cost of the interface for OSPF path calculation
Command: metric <number>
Comments: Possible values: 1–65535. See Link-State Routing.

Task: Set the priority index for becoming DR or BDR
Command: priority <priority>
Comments: Possible values: 0–255. See Designated Routers.

Task: Prevent OSPF packets from being sent through the interface
Command: [no] passive
Comments: A passive interface is still advertised as an OSPF interface, but doesn't itself run the OSPF protocol. To re-enable sending OSPF packets, use no passive.

Task: Set the time between retransmissions of unacknowledged adjacency LSAs and of other network advertisements
Command: retransmit-interval <seconds>
Comments: Possible values: 0–3600. See Link-State Routing.

Task: Set the time to be added to the LSA's age before transmission
Command: transit-delay <seconds>
Comments: The estimated time of LSA transmission over the interface, including propagation delays. Possible values: 0–3600.
Example
In this example, a router needs to be configured for OSPF. According to network design, this router is a
stub area ABR with two interfaces, one in the backbone and one in a stub area. Authentication is used in
both areas, but each area uses a different password.
The relevant part of the network design is:
Router ID: 10.10.1.1
Interface 1: area 0.0.0.0, password 12345672
Interface 2: area 10.10.0.0, password abcdefgh
The actual configuration process for this example is:
configure
router 1
remark Configure OSPF on router
ospf
router-id 10.10.1.1
no shutdown
remark Configure OSPF Areas
area 0.0.0.0
no shutdown
exit
area 10.10.0.0
stub no-summary
no shutdown
exit
exit
remark Configure OSPF with authentication on interfaces
interface 1
ospf
area 0.0.0.0
authentication-type simple-password
authentication-key 12345678
no shutdown
exit
exit
interface 2
ospf
area 10.10.0.0
authentication-type simple-password
authentication-key abcdefgh
no shutdown
exit
exit
Configuration Errors
The table below lists the messages generated by the device when a configuration error is detected.
Message: Cannot be modified; OSPF interface is administratively enabled
Cause: You tried to associate an interface with an area, but the interface is OSPF-enabled
Corrective action: Enter shutdown and try again.

Message: Cannot create OSPF interface; IP address wasn't configured
Cause: You tried to run ospf in the interface context, but the interface itself has no fixed IP address (it is possibly DHCP)
Corrective action: Set a fixed IP address for the interface.

Message: Cannot create OSPF interface; more than one IP address is configured
Cause: You tried to run ospf in the interface context, but the interface itself has multiple IPv4 addresses
Corrective action: Remove interface IP addresses to leave only one, and try again.

Message: Cannot delete area; There is an OSPF interface associated with the Area
Cause: You tried to run no area (router OSPF context) on an area associated with an interface
Corrective action: Go to the relevant interface OSPF context and enter no area <area-id>.

Message: Cannot delete ospf; ospf area or OSPF interface exist
Cause: You tried to run no ospf (router context) with existing areas or OSPF interfaces
Corrective action: Remove OSPF from all interfaces, delete all areas, and try again.

Message: cannot enable OSPF interface; area-id is not defined
Cause: You tried to enable OSPF on an interface without an associated area
Corrective action: Set an area for the interface and try again.

Message: Cannot enable OSPF; router-id is not configured
Cause: You tried to run no shutdown (router OSPF context) with no OSPF router ID
Corrective action: Set router-id and try again.

Message: Cannot execute, license required
Cause: You tried to run ospf (router context) without an OSPF license
Corrective action: Contact your RAD sales representative to obtain a license.

Message: Cannot modify area parameter; area is administratively enable
Cause: You tried to make an enabled area into a stub or NSSA
Corrective action: Enter shutdown and try again.

Message: Cannot modify; OSPF is enabled
Cause: You tried to change router-id with OSPF enabled
Corrective action: Enter shutdown and try again.

Message: Cannot set area as nssa; area-id 0.0.0.0 cannot be nssa
Cause: You tried to make the backbone a stub or NSSA
Corrective action: If this is not the backbone, change the area ID and try again.

Message: Cannot set metric; Area is a Transit
Cause: You tried to run the default-cost command on a transit area
Corrective action: If this area should be a stub area, enter stub and try again.

Message: OSPF entity shall be initiated before interface's configuration
Cause: You tried to run ospf in the interface context, but OSPF hasn't been defined on the router
Corrective action: Exit to the router context and enter ospf. Then try again.
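The configuration procedure, the worked Example and the Configuration Errors table above all describe the same ordering rules: router-id before the router-level no shutdown, the backbone never stub or NSSA, default-cost only on stub areas, an area before the interface-level no shutdown, and an 8-character plain authentication key. The following Python script is an added example, not RAD's code; it generates the CLI sequence for a design dictionary and pre-checks the design against those rules, reporting the device's own error messages where the page gives them. The design dictionary is constructed sample input (it reproduces the Example section's design); the message for an undefined area is this script's own wording.

```python
"""Generate and pre-check the SecFlow-1p OSPF CLI sequence for a network design.

Added example, not RAD code: the commands and their order follow the procedure
"To configure OSPF on a fresh router", the checks mirror messages from the
Configuration Errors table, and the design dictionary is constructed sample
input (the same design as the Example section)."""
import ipaddress

BACKBONE = "0.0.0.0"
AREA_TYPES = ("transit", "stub", "nssa")

# Constructed design: stub area ABR with one backbone and one stub interface.
EXAMPLE_DESIGN = {
    "router": 1,
    "router_id": "10.10.1.1",
    "areas": {"0.0.0.0": {"type": "transit"},
              "10.10.0.0": {"type": "stub", "no_summary": True}},
    "interfaces": [{"number": 1, "area": "0.0.0.0", "auth_key": "12345678"},
                   {"number": 2, "area": "10.10.0.0", "auth_key": "abcdefgh"}],
}


def _is_dotted_id(value):
    """router-id and area-id use IP address format: <0-255>.<0-255>.<0-255>.<0-255>."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ipaddress.AddressValueError:
        return False


def validate_design(design):
    """Return the error messages the design would trigger (empty list if clean)."""
    problems = []
    rid = design.get("router_id")
    if not rid:
        problems.append("Cannot enable OSPF; router-id is not configured")
    elif not _is_dotted_id(rid):
        problems.append(f"router-id {rid!r} is not in IP address format")
    areas = design.get("areas", {})
    for area_id, area in areas.items():
        kind = area.get("type", "transit")
        if not _is_dotted_id(area_id):
            problems.append(f"area-id {area_id!r} is not in IP address format")
        if kind not in AREA_TYPES:
            problems.append(f"unknown area type {kind!r} for area {area_id}")
        if area_id == BACKBONE and kind != "transit":
            # The device reports this one message for both stub and NSSA attempts.
            problems.append("Cannot set area as nssa; area-id 0.0.0.0 cannot be nssa")
        if "default_cost" in area and kind != "stub":
            problems.append("Cannot set metric; Area is a Transit")
    for ifc in design.get("interfaces", []):
        if "area" not in ifc:
            problems.append(f"cannot enable OSPF interface; area-id is not defined (interface {ifc['number']})")
        elif ifc["area"] not in areas:
            # Not a device message: the area must first be defined under router ospf.
            problems.append(f"interface {ifc['number']} refers to undefined area {ifc['area']}")
        key = ifc.get("auth_key")
        if key is not None:
            limit = 22 if ifc.get("auth_hash") else 8  # plain key: up to 8 ASCII chars; hash form: up to 22
            if len(key) > limit or not key.isascii():
                problems.append(f"authentication-key on interface {ifc['number']} exceeds {limit} ASCII characters")
    return problems


def build_commands(design):
    """Emit the CLI lines in the order the procedure requires: router-id before the
    router-level no shutdown, area before the per-interface no shutdown."""
    problems = validate_design(design)
    if problems:
        raise ValueError("; ".join(problems))
    out = ["configure", f"router {design['router']}", "ospf",
           f"router-id {design['router_id']}", "no shutdown"]
    for area_id, area in design.get("areas", {}).items():
        out.append(f"area {area_id}")
        kind = area.get("type", "transit")
        if kind != "transit":
            out.append(kind + (" no-summary" if area.get("no_summary") else ""))
        if "default_cost" in area:
            out.append(f"default-cost {area['default_cost']}")
        out += ["no shutdown", "exit"]
    out.append("exit")  # leave the router OSPF context
    for ifc in design.get("interfaces", []):
        out += [f"interface {ifc['number']}", "ospf", f"area {ifc['area']}"]
        if ifc.get("auth_key") is not None:
            out.append("authentication-type simple-password")
            out.append(f"authentication-key {ifc['auth_key']}" + (" hash" if ifc.get("auth_hash") else ""))
        if ifc.get("passive"):
            out.append("passive")
        out += ["no shutdown", "exit", "exit"]
    return out


if __name__ == "__main__":
    print("\n".join(build_commands(EXAMPLE_DESIGN)))
```

Running the script prints the same command sequence as the Example section (without the remark lines). Because validate_design returns the device's messages before anything is typed into the CLI, it can be run on a design file during review; note that the generated text carries the plain authentication keys, so it should be handled like any other credential-bearing configuration.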
Viewing OSPF Status
You can view the current configuration (see Viewing the Current Configuration), and you can also view
several types of dynamic and traffic-based OSPF information (see sections below). This information can
be used for testing (see Testing OSPF) and debugging.
Viewing the Current Configuration
To view the current configuration, use the standard RAD commands: info (to view only non-default
configuration) and info detail (to include default configuration).
You can view this info at any of the following configuration levels:
Router: config>router(<router_number>)>ospf#
Area: config>router(<router_number>)>ospf>area(<area-id>)#
Interface: config>router(<router_number>)>interface(<interface_number>)>ospf#
For example:
configure
config# router 1
config>router(1)# ospf
config>router(1)>ospf# info detail
router-id 1.2.3.4
external-preference 110
internal-preference 30
shutdown
echo "OSPF AREA Configuration"
#
OSPF AREA Configuration
area 0.0.0.0
no nssa
no stub
no shutdown
exit
config>router(1)>ospf#
Viewing the Link-State Database
You can view the current Link-State Database by using the show database command. This command is
available in the CLI router OSPF context: (config>router(<router_number>)>ospf#), and can be used for
testing (see Testing OSPF) and debugging.
For example:
Area ID          Type  LS ID            Router ID        Sequence    Age  Checksum
----------------------------------------------------------------------------------
100.100.100.100  1     000.000.010.010  000.000.010.010  0x80000096  938  0x609b
100.100.100.100  1     050.050.050.020  050.050.050.020  0x80000006  839  0x49d4
000.000.000.000  2     020.020.020.020  020.020.020.030  0x80000008  946  0x3c3a
000.000.000.000  3     050.050.050.000  000.000.010.010  0x8000000d  764  0xcbd9
000.000.000.000  4     000.000.010.010  050.050.050.020  0x80000002  840  0x83f7
The above fields are:
Area ID: <area-id> of an OSPF area
Type: One of the following LSA types:
1 – Router-LSA: Describes collected states of router's interfaces
2 – Network-LSA: Describes routers attached to network
3 – Network summary-LSA: Describes inter-area routes to networks, summarized by ABR
4 – ASBR summary-LSA: Describes inter-area routes to ASBRs, summarized by ABR
5 – AS-external-LSA: Originated by ASBR, describes routes to AS-external destinations or a default route for the AS
7 – NSSA-external-LSA: Describes external route information within an NSSA
LS ID: Router ID or IP address (depending on Type) of the domain described by the LSA
Router ID: ID of the originating router
Sequence: Signed 32-bit integer, incremented each time the router originates a new instance of the LSA. Used to detect old and duplicate LSAs
Age: LSA age in seconds
Checksum: Checksum of the complete LSA contents except for the Age field
Viewing OSPF Interface States
You can view current interface states by using the show interface-table command. This command is
available in the CLI router OSPF context: (config>router(<router_number>)>ospf#), and can be used for
testing (see Testing OSPF) and debugging.
For example:
IP Address       Area ID          Type   Priority DR               BDR              State
-----------------------------------------------------------------------------------------
000.000.000.000  000.000.000.001  P-T-P  0001     000.000.000.000  000.000.000.000  Down
192.168.001.001  000.000.000.003  BRDCST 0001     192.168.001.007  192.168.001.002  Up
The above fields are:
IP Address: Interface IP address
Area ID: ID of the area with which the interface is associated
Type: Broadcast or point-to-point
Priority: Priority index for becoming DR or BDR
DR: Designated Router in this network
BDR: Backup Designated Router in this network
State: UP if all of the following are true: OSPF is enabled (no shutdown), the IP interface's operational status is UP, and the OSPF interface is enabled (no shutdown)
Viewing OSPF Neighbors
You can view the current OSPF neighbors by using the show neighbor-table command. This command is
available in the CLI router OSPF context: (config>router(<router_number>)>ospf#), and can be used for
testing (see Testing OSPF) and debugging.
For example:
Neighbor         Neighbor ID      Priority State  Interface        Port
----------------------------------------------------------------------------
192.168.001.003  192.168.001.009  0001     Full   192.168.001.002  Ethernet 1
192.168.001.007  000.000.000.004  0004     Full   192.168.001.002  Ethernet 1
10.10.001.001    000.000.000.005  0005     Full   10.10.001.002    Ethernet 2
The above fields are:
Neighbor: IP address used by this neighbor as its source address
Neighbor ID: The neighbor's OSPF router-id
Priority: The neighbor's priority index for becoming DR or BDR
State: The state of the connection with this neighbor. One of:
• Down
• Attempt
• Init
• Twoway
• Exchangestart
• Exchange
• Loading
• Full*
*The OSPF adjacency does not reach Full if there is an MTU mismatch between the RAD device and another vendor's equipment. If this is the case, change the default egress-mtu value from 1790 to the other vendor's value (e.g. 1500), so that the egress-mtu values are equal at both ends of the OSPF adjacency.
Interface: IP address of the neighbor's interface with which a connection is established
Port: Name of the neighbor's interface with which a connection is established
Viewing OSPF Statistics
You can view LSA counters by using the show statistics command. This command is available in the CLI
router OSPF context: (config>router(<router_number>)>ospf#).
For example:
                     Count  Checksum
-------------------------------------
External LSA         50     0x3245
AS LSA               1059   0x7843
New LSAs Originated  45
New LSAs Received    1024   -
The above fields are:
Count: The number of LSAs of this type
Checksum: 32-bit sum of the checksums of the LSAs of this type. Can be used to check if an LSDB has changed or to compare LSDBs.
Testing OSPF
After configuring OSPF on a router in an existing OSPF environment, you should test that OSPF is
working properly.
To test OSPF:
1. Wait a few seconds after configuration for OSPF communications to take place.
2. Navigate to the CLI router OSPF context (config>router(<router_number>)>ospf#).
3. Enter show interface-table and check that a DR and a BDR have been successfully elected.
4. Enter show neighbor-table and check that connections have been established with all neighbors.
5. Enter show routing-table and check that the expected routes have been learned from OSPF neighbors.
6. Exit the OSPF context, to the router CLI context.
7. Enter show routing-table and check that there are new routes marked as originating in OSPF.
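Steps 3 and 4 above, and the LSDB checksum described under Viewing OSPF Statistics, can be checked mechanically from captured command output. The following Python script is an added example, not RAD's code: it parses captures of show interface-table, show neighbor-table and show database in the column layout shown on this page, flags broadcast interfaces with no DR/BDR elected and neighbors that have not reached Full, and computes the 32-bit sum of LSA checksums that can be compared between routers. The three captures embedded below are constructed samples, and the finding texts are the script's own wording.

```python
"""Evaluate SecFlow-1p 'show interface-table', 'show neighbor-table' and
'show database' output against the Testing OSPF steps.

Added example, not RAD code: the three captures below are constructed in the
column layout this page shows for those commands; the finding texts are this
script's own wording."""
import re

DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
UNSET = "0.0.0.0"  # a DR/BDR column of 000.000.000.000 means nothing has been elected

# Constructed sample captures (same layout as the page's examples).
INTERFACE_TABLE = """\
IP Address       Area ID          Type   Priority DR               BDR              State
-----------------------------------------------------------------------------------------
000.000.000.000  000.000.000.001  P-T-P  0001     000.000.000.000  000.000.000.000  Down
192.168.001.001  000.000.000.003  BRDCST 0001     192.168.001.007  192.168.001.002  Up
010.010.001.002  000.000.000.003  BRDCST 0001     000.000.000.000  000.000.000.000  Up
"""
NEIGHBOR_TABLE = """\
Neighbor         Neighbor ID      Priority State  Interface        Port
----------------------------------------------------------------------------
192.168.001.003  192.168.001.009  0001     Full   192.168.001.002  Ethernet 1
192.168.001.007  000.000.000.004  0004     Full   192.168.001.002  Ethernet 1
010.010.001.001  000.000.000.005  0005     Init   010.010.001.002  Ethernet 2
"""
DATABASE = """\
Area ID          Type  LS ID            Router ID        Sequence    Age  Checksum
----------------------------------------------------------------------------------
100.100.100.100  1     000.000.010.010  000.000.010.010  0x80000096  938  0x609b
000.000.000.000  2     020.020.020.020  020.020.020.030  0x80000008  946  0x3c3a
"""


def normalize_addr(dotted):
    """'192.168.001.003' -> '192.168.1.3': the tables zero-pad every octet."""
    return ".".join(str(int(octet)) for octet in dotted.split("."))


def _data_rows(text, width):
    """Yield the whitespace-split data rows of a table, skipping header and separator."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= width and DOTTED.match(parts[0]):
            yield parts


def parse_interface_table(text):
    return [{"ip": normalize_addr(p[0]), "area": normalize_addr(p[1]), "type": p[2],
             "priority": int(p[3]), "dr": normalize_addr(p[4]), "bdr": normalize_addr(p[5]),
             "state": p[6]} for p in _data_rows(text, 7)]


def parse_neighbor_table(text):
    # The Port column ("Ethernet 1") contains a space, so it is everything after column 5.
    return [{"neighbor": normalize_addr(p[0]), "id": normalize_addr(p[1]), "priority": int(p[2]),
             "state": p[3], "interface": normalize_addr(p[4]), "port": " ".join(p[5:])}
            for p in _data_rows(text, 6)]


def lsdb_checksum_sum(text):
    """32-bit sum of the LSA checksums, the figure show statistics reports per LSA type;
    two routers in one area whose sums differ do not hold the same LSDB."""
    return sum(int(p[6], 16) for p in _data_rows(text, 7)) & 0xFFFFFFFF


def check_ospf(interface_text, neighbor_text):
    """Return findings for steps 3 and 4 of Testing OSPF; an empty list means both pass."""
    findings = []
    for ifc in parse_interface_table(interface_text):
        if ifc["state"] != "Up":
            findings.append(f"interface {ifc['ip']} (area {ifc['area']}) is {ifc['state']}")
        elif ifc["type"] == "BRDCST" and UNSET in (ifc["dr"], ifc["bdr"]):
            # Point-to-point links elect no DR/BDR, so only broadcast interfaces are checked.
            findings.append(f"interface {ifc['ip']}: no DR/BDR elected (DR {ifc['dr']}, BDR {ifc['bdr']})")
    for nb in parse_neighbor_table(neighbor_text):
        if nb["state"] != "Full":
            findings.append(f"neighbor {nb['id']} on {nb['port']} is {nb['state']}, not Full"
                            " (an adjacency stuck short of Full can be an egress-mtu mismatch)")
    return findings


if __name__ == "__main__":
    for finding in check_ospf(INTERFACE_TABLE, NEIGHBOR_TABLE):
        print(finding)
    print(f"LSDB checksum sum: {lsdb_checksum_sum(DATABASE):#x}")
```

The zero-padded octets are normalized before comparison so that findings can be matched against the unpadded addresses used in configuration. The egress-mtu hint in the neighbor finding repeats the note under Viewing OSPF Neighbors; it is a pointer for the operator, not a diagnosis.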
6.11 Tunneling
SecFlow-1p supports route-based IPsec tunnels.
Applicability and Scaling
This feature is applicable to all the device versions.
Standards Compliance
RFC 4087: IP Tunnel MIB
Functional Description
SecFlow-1p supports configuration of tunnel interfaces under the router level.
Both delivery (encapsulating) and payload (encapsulated) protocols can be either IPv4 or IPv6,
independently of each other.
IPsec tunnels are employed in route-based IPsec mode. Crypto maps connected to router interfaces work in policy-based IPsec mode. You cannot have both types in the same device, so if there is an IPsec tunnel, you cannot bind a crypto map to a router interface.
IPsec tunnels cannot be configured within VRFs.
If the interface has multiple IP addresses, by default the lowest one is used as the tunnel source. You can bind a map to an address (even if the interface has a single address). In this case:
• The tunnel source will be the one configured.
• If the interface does not own the configured address, SecFlow-1p ignores the configuration and behaves as if the map is not bound to the interface.
Once an IPsec tunnel is enabled, it becomes and remains operationally up when you configure all of the following:
• Tunnel source address or interface
• Tunnel destination
• IP address
• Crypto map
An IPsec tunnel becomes operationally down under any of the following conditions:
• There is no route to the tunnel destination address.
• The route to the tunnel destination address is through the tunnel itself.
• You configure the tunnel address indirectly by anchoring the tunnel to a router interface, and that router interface does not have an address of the same type (IPv4 or non-link-local IPv6) as the tunnel, or has multiple such addresses.
• The interface that anchors the tunnel source is down.
Notes
The tunnel remains operationally down as long as the anchoring router
interface is not active and does not have a valid IP address.
Both ends of the tunnel should be on the same network.
You can configure a tunnel source IP address. This address binds the tunnel to a router interface.
• The tunnel and the router interface anchoring it are on the same router.
• You can configure the address directly, by providing an IPv4 or a non-link-local IPv6 address.
Alternatively, the address can be configured indirectly, by providing a router interface. For such a configuration, the tunnel is operationally up only if the anchoring router interface has a single address of the same type (IPv4 or non-link-local IPv6) as the tunnel.
Notes
The tunnel remains operationally down as long as there is no active router
interface configured with this address.
You can configure a tunnel destination IP address that can be either IPv4 or non-link-local IPv6.
Note
The tunnel destination address should be configured at the other end of the
tunnel as the tunnel source address.
Configure proper routing to use a tunnel. The next hop should be either the address of the other end of
the tunnel or the tunnel interface. The tunnel address can be propagated by routing protocols such as
OSPF or BGP.
SecFlow-1p supports IP fragmentation and defragmentation in tunnels, for packets that are larger than
the tunnel IP MTU.
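The operational-state rules above (the four mandatory settings, the two routing conditions, the anchoring-interface conditions for a source given as an address or as a router interface, and the address-family match between source and destination) can be expressed as one decision function. The Python below is an added example, not RAD's code: it applies those rules to constructed tunnel, interface and route records and returns the first reason a tunnel is down. The record layout, the "tunnel:<n>" notation for a route that points into tunnel-interface <n>, and the reason strings are this script's own.

```python
"""Decide whether a SecFlow-1p route-based IPsec tunnel can be operationally up,
applying the conditions listed in the Functional Description.

Added example, not RAD code: tunnel, interface and route records are constructed;
'tunnel:<n>' as a next hop is this script's notation for a route that points into
tunnel-interface <n>."""
import ipaddress


def _family(addr):
    """4 or 6 for a usable endpoint address; None for link-local IPv6, which is not allowed."""
    ip = ipaddress.ip_address(addr)
    return None if (ip.version == 6 and ip.is_link_local) else ip.version


def longest_match(routes, dest):
    """routes: list of (prefix, next_hop). Return (network, next_hop) or None."""
    ip = ipaddress.ip_address(dest)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version == ip.version and ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def tunnel_oper_state(tunnel, interfaces, routes):
    """Return ('up', reason) or ('down', reason) for one tunnel record."""
    if tunnel.get("shutdown"):
        return "down", "tunnel is administratively disabled (shutdown)"
    for field in ("tunnel_destination", "ip_address", "crypto_map"):   # mandatory settings
        if not tunnel.get(field):
            return "down", f"{field} is not configured"
    if not (tunnel.get("tunnel_source") or tunnel.get("router_interface")):
        return "down", "tunnel source (address or router interface) is not configured"
    if tunnel.get("tunnel_source") and tunnel.get("router_interface"):
        return "down", "tunnel-source takes an address or a router interface, not both"
    family = _family(tunnel["tunnel_destination"])
    if family is None:
        return "down", "link-local IPv6 cannot be a tunnel endpoint"
    if tunnel.get("tunnel_source"):
        if _family(tunnel["tunnel_source"]) != family:
            return "down", "source and destination addresses must both be IPv4 or both IPv6"
        owners = [n for n, ifc in interfaces.items()
                  if ifc["up"] and tunnel["tunnel_source"] in ifc["addresses"]]
        if not owners:
            return "down", "no active router interface is configured with the source address"
    else:
        ifc = interfaces.get(tunnel["router_interface"])
        if ifc is None or not ifc["up"]:
            return "down", "anchoring router interface is down"
        same = [a for a in ifc["addresses"] if _family(a) == family]
        if len(same) != 1:
            return "down", f"anchoring router interface has {len(same)} addresses of the tunnel's type, not exactly one"
    route = longest_match(routes, tunnel["tunnel_destination"])
    if route is None:
        return "down", "no route to the tunnel destination"
    if route[1] == f"tunnel:{tunnel['number']}":
        return "down", "route to the tunnel destination goes through the tunnel itself"
    return "up", f"destination reachable via {route[1]}"


# Constructed sample state: interface 2 is down, interface 3 carries two IPv4 addresses.
INTERFACES = {
    1: {"up": True, "addresses": ["20.20.20.1", "fe80::1"]},
    2: {"up": False, "addresses": ["30.30.30.1"]},
    3: {"up": True, "addresses": ["40.40.40.1", "40.40.40.2"]},
}
ROUTES = [("0.0.0.0/0", "20.20.20.254"), ("30.30.30.0/24", "tunnel:4")]
TUNNELS = [
    {"number": 1, "router_interface": 1, "tunnel_destination": "20.20.20.2",
     "ip_address": "10.0.0.1/30", "crypto_map": "tunnel1"},
    {"number": 2, "router_interface": 2, "tunnel_destination": "20.20.20.2",
     "ip_address": "10.0.0.5/30", "crypto_map": "tunnel1"},
    {"number": 3, "router_interface": 3, "tunnel_destination": "20.20.20.2",
     "ip_address": "10.0.0.9/30", "crypto_map": "tunnel1"},
    {"number": 4, "tunnel_source": "20.20.20.1", "tunnel_destination": "30.30.30.2",
     "ip_address": "10.0.0.13/30", "crypto_map": "tunnel2"},
    {"number": 5, "tunnel_source": "50.50.50.1", "tunnel_destination": "20.20.20.2",
     "ip_address": "10.0.0.17/30", "crypto_map": "tunnel1"},
]


def report(tunnels=TUNNELS, interfaces=INTERFACES, routes=ROUTES):
    """Map tunnel number -> (state, reason) for every tunnel record."""
    return {t["number"]: tunnel_oper_state(t, interfaces, routes) for t in tunnels}


if __name__ == "__main__":
    for number, (state, reason) in report().items():
        print(f"tunnel-interface {number}: {state} ({reason})")
```

Only tunnel 1 comes up in the sample: tunnel 4 is the "route through the tunnel itself" case, because the only route to its destination points into tunnel-interface 4. The link-local address on interface 1 is ignored when counting addresses of the tunnel's type, which is what the "non-link-local IPv6" wording in the conditions implies.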
Route-Based IPsec Redundancy
You can configure backup tunnels for route-based IPsec redundancy.
1. Assign each backup a unique priority. The configurable range is 1-254 (higher values indicate
higher priorities). Multiple backups of a tunnel must have unique priorities.
2. If an IPsec tunnel has backup tunnels, only one backup may be active at any time. First, SecFlow-1p tries to establish the primary tunnel.
3. If it fails, SecFlow-1p tries the backup with the highest priority. If that backup fails, it proceeds to
the one with the next highest priority, and so on, until a tunnel comes up.
4. If all the backups are exhausted, SecFlow-1p returns to the primary tunnel.
If the active tunnel fails, SecFlow-1p follows the same procedure, starting with the primary (or the
highest prioritized backup, if the primary was the one that failed).
While searching for an operating backup, SecFlow-1p skips non-existent and disabled tunnels.
Dead peer detection timers are as follows:
• Packet retransmission: 1 second.
• Time after which a tunnel is considered failed if not responding: 9 seconds.
• Time after which tunnel establishment is considered to fail: 30 seconds.
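The backup selection described above (primary first, then backups from highest to lowest priority, skipping non-existent and disabled tunnels, restarting from the highest-priority backup when the primary itself failed, and returning to the primary once the backups are exhausted) is small enough to write out as a function. The Python below is an added example, not RAD's code; the tunnel records, the BACKUPS mapping and the simulated establish() outcomes are constructed, and only the priority range, the skip rules and the order of attempts come from the page.

```python
"""Work out which route-based IPsec tunnel SecFlow-1p tries next, following the
backup procedure in Route-Based IPsec Redundancy.

Added example, not RAD code: tunnel records and establish() outcomes are
constructed; the priority range, skip rules and order of attempts are the page's."""


def validate_backups(backups):
    """backups: {tunnel_number: priority}. Priorities are 1-254 and unique per primary tunnel."""
    for number, priority in backups.items():
        if not 1 <= priority <= 254:
            raise ValueError(f"back-up tunnel-interface {number}: priority {priority} outside 1-254")
    if len(set(backups.values())) != len(backups):
        raise ValueError("backup priorities of one tunnel must be unique")


def attempt_order(primary, backups, tunnels, failed=None):
    """Tunnels to try, in order, for one full pass.

    The primary is tried first, then backups from highest to lowest priority;
    tunnels that do not exist or are disabled (shutdown) are skipped. If the
    primary is the tunnel that just failed, the pass starts at the highest-
    priority backup and comes back to the primary last."""
    validate_backups(backups)
    order = [primary] + sorted(backups, key=backups.get, reverse=True)
    usable = [n for n in order if n in tunnels and not tunnels[n].get("shutdown", False)]
    if failed == primary and usable and usable[0] == primary:
        usable = usable[1:] + usable[:1]
    return usable


def select_active(primary, backups, tunnels, establish, failed=None):
    """Return the first tunnel establish() brings up, or None when the whole pass fails."""
    for number in attempt_order(primary, backups, tunnels, failed):
        if establish(number):
            return number
    return None


# Constructed sample: tunnel 1 is the primary; 3 is disabled; 4 is referenced but not configured.
TUNNELS = {1: {}, 2: {}, 3: {"shutdown": True}}
BACKUPS = {2: 100, 3: 200, 4: 50}


def establish_from(up_set):
    """Simulate establishment outcomes: a tunnel comes up only if its number is in up_set."""
    return lambda number: number in up_set


if __name__ == "__main__":
    print(attempt_order(1, BACKUPS, TUNNELS))                                # [1, 2]
    print(select_active(1, BACKUPS, TUNNELS, establish_from({2}), failed=1))  # 2
```

In practice each establish() call is bounded by the 30-second establishment timeout quoted above, so a full pass over n usable tunnels can take up to 30n seconds before the device returns to the primary; that is worth knowing when sizing monitoring thresholds for tunnel flaps.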
Factory Defaults
ip-mtu: IP MTU of the tunnel. Default: 0
shutdown: Enable (no shutdown) / disable (shutdown) the IPsec tunnel. Default: no shutdown
transport-router: No transport-router is configured. Default: no transport-router
Configuring Tunnels
Configuring Tunnel Interfaces
To configure a tunnel interface:
1. Navigate to configure router <number> to select the router on which to configure IPsec tunnels.
2. At the config>router(<number>)# prompt that is displayed, enter tunnel-interface <number> ipsec.
The config>router(<number>)>tunnel-interface(<number>)# prompt is displayed. The tunnel is identified by this number.
3. Enter all necessary commands according to the tasks listed below.
4. To activate the tunnel after a configuration change, enter shutdown and then no shutdown.
Task: Configuring a backup tunnel
Command: backup tunnel-interface <interface-number> priority <number>
Comments: number – backup priority. Possible values: 1–254. Entering no backup tunnel-interface <interface-number> removes the backup.

Task: Clearing tunnel statistics
Command: clear-statistics

Task: Associating the interface with a crypto map
Command: crypto-map
Comments: See Configuring Crypto Map.

Task: Defining the tunnel IP address and prefix length
Command: ip-address {static <ip-address/prefix-length> | negotiated}
Comments: Entering no ip-address removes the tunnel IP address.
ip-address – valid static unicast IPv4 or non-link-local IPv6 address with a compatible prefix length
negotiated – the IPsec tunnel IP address is to be learned from a responder
Notes:
• A tunnel can have only one address. If you repeat the command, the last instance applies.
• The address cannot be an address of a tunnel or a router interface.
• Both ends of the tunnel should be on the same network.

Task: Defining the tunnel IP MTU
Command: ip-mtu <number>
Comments: Entering no ip-mtu removes the IP MTU from the tunnel interface. Possible values: 0 (no IP MTU), 128–65535. Note: 0 means that the MTU is to be calculated according to the delivery protocol: 1476 for IPv4 and 1456 for IPv6.

Task: Defining the tunnel name
Command: name <tunnel-name>
Comments: tunnel-name – 0–64 character string. Entering no name returns the tunnel name to its default value.

Task: Displaying crypto map status
Command: show crypto-map-status [<name>]
Comments: See Viewing Crypto Map Information.

Task: Showing tunnel status
Command: show status
Comments: See Viewing Tunnel Status.

Task: Disabling the tunnel interface
Command: shutdown
Comments: Entering no shutdown enables the tunnel interface.

Task: Configuring an underlay router
Command: transport-router <router-number>
Comments: router-number – is always 1. This means that the tunnel should be configured on a router other than 1. Entering no transport-router removes the underlay router.

Task: Defining the tunnel destination IP address
Command: tunnel-destination <ip-address>
Comments: Entering no tunnel-destination removes the address. Possible values: valid unicast IPv4 or non-link-local IPv6 address.
Notes:
• The source and destination addresses must be both IPv4 or both IPv6.
• The tunnel destination address should be configured at the other end of the tunnel as the tunnel source address.

Task: Defining the source IP address or router interface number used to bind the tunnel to a router interface
Command: tunnel-source [<ip-address>] [router-interface <number>]
Comments: Entering no tunnel-source removes the address.
Possible values:
ip-address – valid unicast IPv4 or non-link-local IPv6 address
number – number of a router interface
Notes:
• Either the IP address or the router interface number must be defined; not both.
• The tunnel and the router interface anchoring it must be on the same router.
• If you configure the tunnel source IP address, the tunnel goes up only if there is an active router interface configured with this IP address.
• If you configure the router interface number, the tunnel goes up only if the router interface has a single address of the same type (IPv4 or non-link-local IPv6) as the tunnel.
• The source and destination addresses must be both IPv4 or both IPv6.
• The tunnel source address should be configured at the other end of the tunnel as the tunnel destination address.
Removing a Tunnel
 To remove a tunnel:
1. Navigate to configure router <number> to select the router from which to remove a tunnel.
2. At the config>router(<number>)# prompt that is displayed, enter no tunnel-interface
<number>.
Examples
This example demonstrates how a tunnel interface is created and bound to a previously defined crypto
map.
• Creating an access-control list
configure
access-control
access-list "tunnel1"
permit ip any any sequence 10
exit
exit
• Defining IPsec parameters
crypto
ipsec-transform-set "tunnel1"
algorithms esp-aes-cbc-128 esp-sha1
exit
isakmp-key "abcd1234" address 20.20.20.2
isakmp-key "abcd1234" address 30.30.30.2
isakmp-policy 1
encryption aes-cbc-128
group 14
exit
• Creating a crypto map tunnel1 (IPsec profile)
crypto-map "tunnel1"
match-address "tunnel1"
peer-address 20.20.20.2
pfs-group 14
sa-lifetime seconds 8000
transform-set "tunnel1"
sequence-number 11
exit
• Creating a crypto map tunnel2 (IPsec profile)
crypto-map "tunnel2"
match-address "tunnel1"
peer-address 30.30.30.2
pfs-group 14
sa-lifetime seconds 8000
transform-set "tunnel1"
sequence-number 11
exit
exit
• Creating Ethernet interfaces
router 1
name "Router#1"
interface 1
address 40.40.40.1/24
bind ethernet 1
dhcp-client
client-id mac
exit
no shutdown
exit
interface 2
address 20.20.20.1/24
bind ethernet 2
dhcp-client
client-id mac
exit
no shutdown
exit
• Creating static route
static-route 0.0.0.0/0 address 172.17.233.1 metric 1
• Creating a tunnel interface 1 and binding it to the crypto map
tunnel-interface 1 ipsec
no shutdown
tunnel-source 20.20.20.1
tunnel-destination 20.20.20.2
ip-address 60.60.60.1/24
crypto-map "tunnel1"
exit
• Creating a tunnel interface 2 and binding it to the crypto map
tunnel-interface 2 ipsec
no shutdown
tunnel-source 30.30.30.1
tunnel-destination 30.30.30.2
ip-address 70.70.70.1/24
crypto-map "tunnel2"
exit
exit
exit
Configuration Errors
Message: Tunnel exists with a different type
Cause: You tried changing the type of an existing tunnel.
Corrective Action: Create a new tunnel of the new type.

Message: There is a crypto map connected to a router interface
Cause: You tried to configure an IPsec tunnel, while the crypto map was connected to a router interface.
Corrective Action: Cancel policy-based IPsec mode; then you can connect a crypto map to a tunnel interface and configure an IPsec tunnel.

Message: Maximum number of tunnels exceeded
Cause: You tried to create more tunnels than SecFlow-1p allows.
Corrective Action: Delete unnecessary tunnels and create a new one.

Message: Invalid address; enter a unicast address
Cause: You assigned a broadcast or multicast address to the tunnel.
Corrective Action: Assign a unicast address to the tunnel.

Message: The address is assigned to another interface
Cause: You tried to configure the tunnel with an address of an already existing tunnel or router interface.
Corrective Action: Assign a unique address to the tunnel.

Message: Configure either source address or interface, not both
Cause: You tried to configure the router interface anchoring the tunnel with both an address and an interface.
Corrective Action: Remove one of the configurations: either the address or the interface.

Message: Source and destination must be both IPv4 or both IPv6
Cause: You tried to configure the tunnel destination with an IPv4 address while the tunnel source is an IPv6 address, or the tunnel source with an IPv4 address while the tunnel destination is an IPv6 address.
Corrective Action: Define destination and source with the same type of IP address – both IPv4 or both IPv6.

Message: This priority is in use by another backup
Cause: You tried to configure multiple backups with the same priority.
Corrective Action: Use a unique priority for each backup.

Message: This tunnel is a backup of another tunnel
Cause: You tried to configure a tunnel as primary, while it is already a backup of another tunnel.
Corrective Action: Create a new tunnel to serve as a primary tunnel.

Message: The backup tunnel is a backup of another tunnel
Cause: You tried to configure a tunnel as backup, while it is already a backup of another tunnel.
Corrective Action: Create a new tunnel to serve as a backup tunnel.

Message: The backup tunnel has a backup tunnel
Cause: You tried to configure a tunnel as backup, while it is already a primary tunnel (i.e. it is configured with a backup).
Corrective Action: Create a new tunnel to serve as a backup tunnel.

Message: A tunnel cannot be a backup of itself
Cause: You tried to configure a tunnel as a backup of itself.
Corrective Action: Create a new tunnel to serve as a backup tunnel.
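The rules in the table above can be checked before a configuration is pushed to the device. The following is an added Python example, not RAD's code and not an API the device exposes: it models each check the way the table describes it and returns the matching messages. The `Tunnel` record, the `MAX_TUNNELS` value (the manual states only that a limit exists) and the convention that a backup relationship is recorded as `backup_of` on the backup tunnel are this example's own assumptions; the sample addresses reuse the manual's example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed value for this example; the manual says only that a maximum exists.
MAX_TUNNELS = 8


@dataclass
class Tunnel:
    number: int
    tunnel_type: str = "ipsec"
    address: Optional[str] = None            # ip-address (tunnel IP, without prefix)
    source_ip: Optional[str] = None          # tunnel-source <ip-address>
    source_interface: Optional[int] = None   # tunnel-source router-interface <number>
    destination_ip: Optional[str] = None     # tunnel-destination <ip-address>
    backup_of: Optional[int] = None          # primary tunnel this tunnel is a backup of
    backup_priority: Optional[int] = None    # must be unique among backups of one primary


def is_unicast(addr: str) -> bool:
    """Reject multicast addresses and the IPv4 limited-broadcast address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return False
    return not (ip.version == 4 and str(ip) == "255.255.255.255")


def validate(existing: Dict[int, Tunnel], cand: Tunnel,
             interface_addresses: Set[str]) -> List[str]:
    """Return the Configuration Errors messages the candidate would trigger.
    `existing` maps tunnel number -> Tunnel already configured on the router;
    `interface_addresses` holds addresses already used by router interfaces.
    An empty list means the configuration is accepted."""
    errors: List[str] = []
    current = existing.get(cand.number)
    others = {n: t for n, t in existing.items() if n != cand.number}

    if current is not None and current.tunnel_type != cand.tunnel_type:
        errors.append("Tunnel exists with a different type")
    if current is None and len(existing) >= MAX_TUNNELS:
        errors.append("Maximum number of tunnels exceeded")

    # Addresses must be unicast, and the tunnel address must be unique.
    for addr in (cand.address, cand.source_ip, cand.destination_ip):
        if addr is not None and not is_unicast(addr):
            errors.append("Invalid address; enter a unicast address")
            break
    taken = set(interface_addresses) | {t.address for t in others.values() if t.address}
    if cand.address in taken:
        errors.append("The address is assigned to another interface")

    # Source binding: either an IP address or a router interface, not both.
    if cand.source_ip is not None and cand.source_interface is not None:
        errors.append("Configure either source address or interface, not both")

    # Source and destination must belong to the same IP family.
    if cand.source_ip and cand.destination_ip:
        if (ipaddress.ip_address(cand.source_ip).version
                != ipaddress.ip_address(cand.destination_ip).version):
            errors.append("Source and destination must be both IPv4 or both IPv6")

    # Backup relationships; cand.backup_of names the primary tunnel.
    if cand.backup_of is not None:
        primary = cand.backup_of
        if primary == cand.number:
            errors.append("A tunnel cannot be a backup of itself")
        else:
            prim = existing.get(primary)
            if prim is not None and prim.backup_of is not None:
                errors.append("This tunnel is a backup of another tunnel")
            if current is not None and current.backup_of not in (None, primary):
                errors.append("The backup tunnel is a backup of another tunnel")
            if any(t.backup_of == cand.number for t in others.values()):
                errors.append("The backup tunnel has a backup tunnel")
            for t in others.values():
                if t.backup_of == primary and t.backup_priority == cand.backup_priority:
                    errors.append("This priority is in use by another backup")
                    break
    return errors


# Constructed state taken from the manual's example: tunnel 1 exists, and the
# router interfaces hold 40.40.40.1 and 20.20.20.1.
EXISTING = {1: Tunnel(1, address="60.60.60.1", source_ip="20.20.20.1",
                      destination_ip="20.20.20.2")}
INTERFACE_ADDRESSES = {"40.40.40.1", "20.20.20.1"}
```

Running `validate(EXISTING, Tunnel(2, address="70.70.70.1", source_ip="30.30.30.1", destination_ip="30.30.30.2"), INTERFACE_ADDRESSES)` returns an empty list, while a candidate that reuses 60.60.60.1, sets both a source address and a source interface, and mixes an IPv4 source with an IPv6 destination returns the three corresponding messages in table order.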
Viewing Tunnel Status
You can display the current tunnel status.
 To display tunnel status:
• At the config>router(<number>)>tunnel-interface(<number>)# prompt, enter:
show status
The tunnel status is displayed.
config>router(1)>tunnel-interface(1)# show status
Tunnel             : 1
Type               : IPSEC
Status             : Up
Tunnel Address     : 60.60.60.2/24 (IKEv2 acquired)
Tunnel Source
  Interface        : Router Interface 1/2 (Ethernet 3)
  Address          : 192.168.1.11
Tunnel destination : 192.168.1.10
Transport Router   : 1
IP MTU             : 1476 (Calculated)
Up For             : 1 Day(s), 10:25:01
                      Packets    Bytes
Tunnel Encapsulated   150        10000
Tunnel Decapsulated   150        5000
Status Parameters
Tunnel: Tunnel number
Type: Tunnel type
  Possible value: IPsec
Status: Tunnel administrative and operational status
  Possible values: Up, Down
Tunnel Address: Tunnel IP address
  Possible values:
  • -- (Tunnel source IP address is not configured.)
  • IPv4 or IPv6 unicast address
  • Acquired By IKEv2 (If IPsec tunnel address was acquired by IKEv2)
Tunnel Source Interface: Router interface anchoring the tunnel
  Possible values:
  • -- (No interface is configured.)
  • Router Interface <router number>/<interface number>
  or: Physical interface bound to the router interface anchoring the tunnel
  Possible values:
  • -- (empty string)
  • (<port-type> <port-number>)
Tunnel Source Address: Tunnel source IP address
  Possible values:
  • -- (Tunnel source IP address is not configured.)
  • IPv4 or IPv6 unicast address
Tunnel Destination: Tunnel destination IP address
  Possible values:
  • -- (Tunnel destination IP address is not configured.)
  • IPv4 or IPv6 unicast address
Transport Router: Number of the tunnel transport router
  Possible values: number
IP MTU: Tunnel IP MTU
  Possible values: -- or number.
  If the configured tunnel IP MTU is non-zero, it is printed.
  If the configured tunnel IP MTU is zero:
  • If the tunnel source address type is IPv4, 1476 is printed.
  • If the tunnel source address type is IPv6, 1456 is printed.
  • If the tunnel source address type is unknown, -- is printed.
Up For: Tunnel uptime in seconds
  Display hint: ddd Days, hh:mm:ss
Input Bytes: Number of Rx bytes since the tunnel came up
Input Packets: Number of Rx packets since the tunnel came up
Output Bytes: Number of Tx bytes since the tunnel came up
Output Packets: Number of Tx packets since the tunnel came up
Viewing Crypto Map Information
You can view information on a specific crypto map or all configured crypto maps using the show crypto-map-status command.
 To display the crypto map information:
1. Navigate to configure router <number> tunnel-interface <number>.
2. At the config>router(<number>)>tunnel-interface(<number>)# prompt that is displayed, enter
show crypto-map-status [<tunnel-name>].
config>router(1)tunnel-interface(1)# show crypto-map-status tunnel1
Crypto Map           : tunnel1
Tunnel Peers         : 20.20.20.1 --- 20.20.20.2
Security Association : Up 0 minutes ago
IKE
----------------------------------------------------------------------------
Version              : 2
SA Negotiation Mode  : NA
Authentication       : Pre-shared secret
Encryption           : AES-CBC-128
Hashing              : SHA1
Diffie Hellman Group : 14
In SPI               : e047c3660524fdd4
Out SPI              : 93d0e80fd8d1b0a6
Reauthentication in  : 999 days
Transform Set
----------------------------------------------------------------------------
Algorithms           : ESP-AES-CBC-128 ESP-SHA-1
In SPI               : 00000000ca0944c9
Out SPI              : 00000000c71e1971
Remaining Lifetime
----------------------------------------------------------------------------
In Kilobytes         : 4608000
Out Kilobytes        : 4608000
Seconds              : 6960
The above fields are:
Tunnel Peers: Local peer --- remote peer
  Possible values: ip-address
Security Association: SA status and SA age
  Possible values:
  SA status – Connecting, Down, Up
  SA age – <number> minutes ago
Version: IKE version
SA Negotiation Mode: IKE SA negotiation mode
  Possible values: Aggressive, Main
Authentication: IKE authentication method
  Possible value: Pre-shared secret
Encryption: IKE encryption algorithm
  Possible values: AES-CBC-128, AES-CBC-256
Hashing: IKE hashing algorithm
  Possible values: SHA1-96-HMAC, SHA2-256-128-HMAC, SHA2-512-256-HMAC
Diffie Hellman Group: IKE Diffie Hellman group
  Possible values: 1, 2, 5, 14, 19, 20
In SPI: IKE in SPI
  Possible values: string
Out SPI: IKE out SPI
  Possible values: string
Re-authentication in: Time to IKE key re-authentication
  Possible values: <number> minutes/hours/days
Transform Set
Algorithms: Transform set first algorithm
  Possible values: ESP-AES-CBC-128, ESP-AES-CBC-256, ESP-AES-GCM-128, ESP-AES-GCM-256, ESP-NULL, ESP-AES-GMAC-128, ESP-AES-GMAC-256
  Transform set second algorithm
  Possible values: ESP-SHA1-96-HMAC, ESP-SHA2-256-128-HMAC, ESP-SHA2-512-256-HMAC
In SPI: Transform set in SPI
Out SPI: Transform set out SPI
Remaining Lifetime
In Kilobytes: Transform set remaining lifetime (in kilobytes)
Out Kilobytes: Transform set remaining lifetime (out kilobytes)
Seconds: Transform set remaining lifetime (seconds)
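The output above is meant to be read by a person; a monitoring job wants it as structured data, plus a verdict on whether the negotiated parameters are ones a reviewer would still accept. The following is an added Python example (not RAD's code): it parses the show crypto-map-status output into sections and flags a non-IKEv2 version, aggressive mode, Diffie-Hellman groups 1, 2 and 5, SHA1-based integrity and ESP-NULL. The sample output is constructed from the manual's example, and the classification of what counts as weak or legacy is the editor's, not the manual's.

```python
from typing import Dict, List

# Constructed sample, laid out like the manual's show crypto-map-status output.
SAMPLE_OUTPUT = """\
config>router(1)>tunnel-interface(1)# show crypto-map-status tunnel1
Crypto Map           : tunnel1
Tunnel Peers         : 20.20.20.1 --- 20.20.20.2
Security Association : Up 0 minutes ago
IKE
----------------------------------------------------------------------------
Version              : 2
SA Negotiation Mode  : NA
Authentication       : Pre-shared secret
Encryption           : AES-CBC-128
Hashing              : SHA1
Diffie Hellman Group : 14
In SPI               : e047c3660524fdd4
Out SPI              : 93d0e80fd8d1b0a6
Reauthentication in  : 999 days
Transform Set
----------------------------------------------------------------------------
Algorithms           : ESP-AES-CBC-128 ESP-SHA-1
In SPI               : 00000000ca0944c9
Out SPI              : 00000000c71e1971
Remaining Lifetime
----------------------------------------------------------------------------
In Kilobytes         : 4608000
Out Kilobytes        : 4608000
Seconds              : 6960
"""

Section = Dict[str, str]

# 768-, 1024- and 1536-bit MODP groups: too small for new deployments.
WEAK_DH_GROUPS = {"1", "2", "5"}
# SHA1-based integrity as the manual names it in the IKE and ESP sections.
LEGACY_HASHES = {"SHA1", "SHA1-96-HMAC", "ESP-SHA-1", "ESP-SHA1-96-HMAC"}


def parse_crypto_map_status(text: str) -> Dict[str, Section]:
    """Group 'Field : value' lines under the heading that precedes them.
    Fields before the first heading (Crypto Map, Tunnel Peers, Security
    Association) are stored under the '' key."""
    sections: Dict[str, Section] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line.startswith("config>"):
            continue                                   # blank, separator or echoed prompt
        if ":" in line:
            key, _, value = line.partition(":")        # first colon separates key from value
            sections[current][key.strip()] = value.strip()
        else:
            current = line                             # a bare line is a section heading
            sections[current] = {}
    return sections


def review_crypto_map(sections: Dict[str, Section]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: List[str] = []
    top = sections.get("", {})
    ike = sections.get("IKE", {})
    ts = sections.get("Transform Set", {})
    if not top.get("Security Association", "").startswith("Up"):
        findings.append("security association is not up")
    if ike.get("Version") != "2":
        findings.append("IKE version %s; IKEv2 expected" % ike.get("Version"))
    if ike.get("SA Negotiation Mode") == "Aggressive":
        findings.append("IKEv1 aggressive mode in use")
    if ike.get("Diffie Hellman Group") in WEAK_DH_GROUPS:
        findings.append("weak Diffie-Hellman group %s" % ike["Diffie Hellman Group"])
    if ike.get("Hashing") in LEGACY_HASHES:
        findings.append("legacy IKE integrity algorithm %s" % ike["Hashing"])
    algs = ts.get("Algorithms", "").split()
    if "ESP-NULL" in algs:
        findings.append("ESP-NULL: traffic is not encrypted")
    for alg in algs:
        if alg in LEGACY_HASHES:
            findings.append("legacy ESP integrity algorithm %s" % alg)
    return findings


def remaining_lifetime_seconds(sections: Dict[str, Section]) -> int:
    """Seconds left on the current transform-set SA (0 if the field is absent)."""
    return int(sections.get("Remaining Lifetime", {}).get("Seconds", "0"))
```

On the manual's sample the parser yields group 14 and IKEv2, and the only findings are the two SHA1-based integrity algorithms; a job that polls this output can alert on any finding and on a remaining lifetime that never resets (a sign rekeying is failing).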
6.12 Virtual Router Redundancy Protocol (VRRP)
Virtual Router Redundancy Protocol (VRRP) enables a group of routers to act as a virtual router with a
virtual IP address that can be configured as the default gateway for access devices in a LAN.
A static default gateway router is a potential single point of failure, which is eliminated by VRRP.
Standards Compliance and MIBs
The VRRP feature complies with the following standards.
RFC 5798 – Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6
RFC 6527 – Definitions of Managed Objects for the Virtual Router Redundancy Protocol Version 3 (VRRPv3)
Functional Description
VRRP Group
A VRRP group is defined as a group of routers that share one or more virtual IP addresses. If a router’s
physical IP address matches a virtual IP address, it is referred to as the address owner. The routers in the
group are assigned priorities ranging from 1–255, with 255 being the highest priority; however, only
priorities 1–254 are configurable. Priority 255 is automatically assigned to the address owner regardless
of the configured priority. Up to 4 VRRP groups are supported per device.
Master Router
At any time, one of the routers is the master (active) and the others are backups. The router with the
highest priority is selected as the master; therefore the address owner is the master unless it has failed.
If more than one router has the highest priority, the one with the highest primary IP address is selected
as master. The primary IP address is one of the router interface’s real (IPv4) or link-local (IPv6) IP
addresses. It is used as the source address in VRRP advertisements.
The master router forwards upstream traffic packets destined for the virtual IP address(es), and sends
periodic advertisements to the backup routers at a user-configurable interval. If the backup routers do
not receive an advertisement for a set period, the backup router with the next highest priority takes
over as master.
Preemption
If preemption is enabled, then when a new router is added to a VRRP group and its priority is higher
than any of the routers in the group, it preempts the master role. When a router with priority 255
(address owner) is added to a VRRP group or becomes active, it preempts all lower-priority routers, even
if preemption is disabled. If no router has priority 255 and preemption is disabled, then no preemption
occurs.
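The election and preemption rules described above, as an added Python example (not RAD's code). It models a VRRP group as a list of router records; the field names `interface_ips` and `primary_ip` are this example's own, the addresses are constructed, and the master-down timer formula and the virtual MAC layout come from RFC 5798 (which the manual cites but does not spell out), so the timer part goes beyond what the manual states.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass
class VrrpRouter:
    name: str
    primary_ip: str                  # real (IPv4) or link-local (IPv6) advertisement source
    interface_ips: Tuple[str, ...]   # all real addresses on the router interface
    configured_priority: int         # 1-254, as set with "priority <number>"
    up: bool = True

    def effective_priority(self, virtual_ips: Sequence[str]) -> int:
        """Priority actually advertised: 255 for the address owner, else the configured value."""
        if not 1 <= self.configured_priority <= 254:
            raise ValueError("configurable priority is 1-254")
        if any(ip in virtual_ips for ip in self.interface_ips):
            return 255                # address owner: a real address equals a virtual IP
        return self.configured_priority


def elect_master(routers: Sequence[VrrpRouter],
                 virtual_ips: Sequence[str]) -> Optional[VrrpRouter]:
    """Highest priority wins; ties go to the highest primary IP address."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    return max(alive, key=lambda r: (r.effective_priority(virtual_ips),
                                      int(ipaddress.ip_address(r.primary_ip))))


def will_preempt(master: VrrpRouter, newcomer: VrrpRouter,
                 virtual_ips: Sequence[str], preempt_enabled: bool) -> bool:
    """Does a router joining the group take the master role from the current master?"""
    new_prio = newcomer.effective_priority(virtual_ips)
    if new_prio == 255:               # the address owner preempts even with preemption disabled
        return True
    if not preempt_enabled:
        return False
    return new_prio > master.effective_priority(virtual_ips)


def master_down_interval_cs(priority: int, adver_interval_cs: int) -> float:
    """Centiseconds a backup waits without advertisements before taking over.
    RFC 5798 section 6.1 (not stated in the manual): the lower the priority, the
    longer the skew, which is why the next-highest-priority backup wins the race."""
    skew = (256 - priority) * adver_interval_cs / 256
    return 3 * adver_interval_cs + skew


def virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """RFC 5798 virtual MAC: 00:00:5e:00:01:<vrid> for IPv4, 00:00:5e:00:02:<vrid> for IPv6."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID is 1-255")
    return "00:00:5e:00:0%d:%02x" % (2 if ipv6 else 1, vrid)


# Constructed group: router A owns one of the two virtual addresses, so it is
# advertised at 255 although it is configured with 100; B and C tie at 200.
VIRTUAL_IPS = ("10.20.0.1", "10.20.0.10")
ROUTER_A = VrrpRouter("A", "10.20.0.1", ("10.20.0.1",), 100)
ROUTER_B = VrrpRouter("B", "10.20.0.2", ("10.20.0.2",), 200)
ROUTER_C = VrrpRouter("C", "10.20.0.3", ("10.20.0.3",), 200)
```

With all three up, `elect_master` returns A; with A down, the B/C tie is broken by the higher primary address, so C becomes master, and a returning A takes the role back regardless of the preempt setting.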
Factory Defaults
By default, no VRRP groups exist. When a VRRP group is created, its default configuration is the
following:
description
  Default: virtual router <ip-ver> group <id>
  Remarks: <ip-ver> is either IPv4 or IPv6; <id> is the group VRID. The description does not affect the device behavior; it is solely provided for better readability.
preempt
  Default: preempt
  Remarks: Preemption is enabled by default.
priority
  Default: 100
shutdown
  Default: shutdown
  Remarks: VRRP is disabled by default; at least one virtual IP address must be associated with the group before the group can be enabled.
timer-advertise
  Default: 100 centiseconds
Configuring VRRP
You configure VRRP group parameters at the router interface level.
Note
A VRRP group cannot be associated with a router interface for which any of the following is true:
• The router interface is bound to a port other than Ethernet or wifi access point (e.g. PPP port).
• The router interface is a loopback interface.
 To configure VRRP group parameters:
1. At the config>router(<number>)>interface(<interface-num>)# prompt, enter the following,
specifying the VRRP group ID (1–255) and IP version:
vrrp <vrid> [{ipv4 | ipv6}]
One of the following prompts is displayed, depending on the IP version entered:
config>router(<number>)>interface(<interface-num>)>vrrp(<vrid>,ipv4)#
config>router(<number>)>interface(<interface-num>)>vrrp(<vrid>,ipv6)#
2. Perform the required tasks according to the following table.
Configuring VRRP group description
  Command: description <string>
  Type no description to use an empty (NULL) string.
Associating a virtual IP address with the VRRP group
  Command: ip <ip-address>
  • Type no ip <ip-address> to delete the association with the IP address.
  • The IP address must be in the correct form for the configured IP version.
Enabling preemption
  Command: preempt
  Type no preempt to disable preemption.
Configuring VRRP priority
  Command: priority <number>
  Possible values for number: 1–254
  If the device is an address owner, it overrides the configured priority with 255 (which is not a configurable value).
Configuring interval between sending advertisement messages
  Command: timer-advertise <centiseconds>
  Possible values: 1–4095
Viewing VRRP status
  Command: show status
Administratively enabling or disabling VRRP for router interface
  Command: no shutdown
  • Type shutdown to administratively disable VRRP.
  • VRRP can be enabled only if at least one virtual IP address has been associated.
Configuration Errors
The following table lists the messages generated by the device when a configuration error is detected.
Message: Too many VRRP groups on this interface
Cause: You tried to create more than four groups.
Corrective Action: Delete one of the VRRP groups from the interface.

Message: The address must be a valid unicast IP
Cause: You tried to configure an invalid IP address.
Corrective Action: Configure a valid unicast IP address.

Message: The port bound to the router interface does not support VRRP
Cause: You tried to configure VRRP on an active router interface bound to a port other than Ethernet or wifi access point (e.g. PPP), or to activate a router interface with VRRP.
Corrective Action: Configure VRRP on a router interface bound to a port on which VRRP can run.

Message: VRRP is not allowed on a loopback router interface
Cause: You tried to configure VRRP on a router interface that is a loopback router interface.
Corrective Action: Configure VRRP on a router interface bound to a port on which VRRP can run.

Message: Too many addresses are configured for the VRRP group
Cause: You tried to configure more than four addresses.
Corrective Action: Delete one of the associated addresses before associating a new IP address with the group.

Message: IP version of the address and the VRRP group are incompatible
Cause: You tried to associate an IPv4 address with an IPv6 group or an IPv6 address with an IPv4 group.
Corrective Action: Associate an IPv4 address with an IPv4 group, or an IPv6 address with an IPv6 group.
Viewing VRRP Status
You can view VRRP status by using the show status command. This command is available in one of the
following CLI contexts, depending on the IP version of the VRRP group:
config>router(<number>)>interface(<interface-num>)>vrrp(<vrid>,ipv4)#
config>router(<number>)>interface(<interface-num>)>vrrp(<vrid>,ipv6)#
For example:
# configure router(1)>interface(7)>vrrp(1,ipv4)# show status
Router/Interface                 : 1/7
Physical Port                    : Ethernet 2/2
VRRP Group                       : 1 (IPv4)
Administrative Status            : Enabled
Operational Status               : Master
Uptime (seconds)                 : 1111
Primary IP Address               : 10.20.0.01/24
Protected IP Address             : 10.20.0.01/24
                                 : 10.20.0.10/24
Virtual MAC Address              : 00:00:5e:00:01:01
Advertisement Interval (seconds) : 1
Preemption                       : Enabled
Priority                         : 255
Router/Interface: Router and interface where the VRRP group is configured
Physical Port: Physical interface that is bound to the router interface
VRRP Group: VRRP group ID
Administrative Status: VRRP group administrative status – Disabled or Enabled
Operational Status: VRRP role:
  • Backup – Router interface is acting as backup.
  • Master – Router interface is acting as master.
  • Init – Router interface VRRP group parameters are being initialized.
  • Lower Layer Down – The interface with which the group is associated is non-operational.
Uptime (seconds): Time since the VRRP role changed from Init to Backup or Master
Primary IP Address: Primary IP address and mask of the VRRP group
Protected IP Address: One or more virtual IP address(es) protected by the VRRP group; one output line is displayed for each protected IP address.
Virtual MAC Address: Virtual MAC address of the VRRP group
Advertisement Interval (seconds): Interval between VRRP advertisements (if the router is acting as master)
Preemption: Preemption state – Disabled or Enabled
Priority: Router VRRP priority (0–255)
Viewing VRRP Summary
You can view a VRRP group summary by using the show vrrp-summary command for a router, or the show
summary-vrrp command for a router interface. This command is available in the following CLI contexts:
• config>system>router – displays information for all VRRP groups in the device
• config>router(<number>) – displays information for all VRRP groups configured for any router interfaces belonging to the router
• config>router(<number>)>interface – displays information for all VRRP groups configured for the router interface
For example:
#configure router(1)>interface(1)# show summary-vrrp
Rtr If  Phys If       Group      Pri  Own  Pre  State   Primary Address
1/1     Ethernet 1/2  111(IPv4)  100  Yes  Ena  Master  10.10.10.10
1/1     Ethernet 1/2  222(IPv6)  200  --   Dis  Backup  FE80::1234
Rtr If: Router and interface where the VRRP group is configured
Phys If: Physical interface that is bound to the router interface
Group: VRRP group ID
Pri: Router VRRP priority (0–255)
Own: Indicates if the VRRP group is the address owner: Yes or --
Pre: Preemption state – Dis or Ena
State: VRRP role:
  • Backup – Router interface is acting as backup.
  • Master – Router interface is acting as master.
  • Init – Router interface VRRP group parameters are being initialized.
  • LLD – The router interface where the VRRP group is configured is not operational.
Primary Address: Primary IP address of the VRRP group
7. Containerization
SecFlow-1p supports Linux Containers (LXC) as a virtualization method by running multiple isolated Linux
systems (containers) on a single Linux kernel. This functionality is implemented via the container
management extension called LXD.
Containerization allows limitation and prioritization of resources (CPU, memory, block I/O, network,
etc.) without the need to start any virtual machines. Containers use very little storage space
because they share many components with the container host. A fresh Ubuntu image, for example,
consumes only a few megabytes of disk space. All containers also share memory and CPU resources.
In this way, a much higher density can be achieved compared to virtual machines, which require
considerably more resources.
This functionality supports dynamic resource restrictions, container migration and efficient live
migration.
7.1 Applicability and Scaling
LXD is configured only via the web interface, and the web interface can be enabled only using a CLI
command.
SecFlow-1p limits the size of LXD components (images, containers, snapshots) to up to 3 GB of its disk
space.
Note
It is recommended not to exceed 2.5 GB of total component size;
otherwise, creating an additional image/snapshot/container consumes too
much disk space, which can lead to unexpected behavior.
7.2 Functional Description
LXD main components are typically visible in the LXD directory structure, in its command line client and
in the API structure. They include:
• Containers
• Snapshots
• Images
• Profiles
• Network
SecFlow-1p has an LXD web graphic user interface that allows you to manage all LXD components.
Containers
Containers consist of:
• filesystem (rootfs)
• list of configuration options, including resource limits, environment, and security options
• a number of devices, such as disks, character / block Unix devices, and network interfaces
• set of profiles from which the container inherits a configuration
• container properties (name, architecture, ephemeral/persistent)
• container runtime state
SecFlow-1p supports up to two containers working in parallel.
Any network interface can be mapped to the container, up to four network interfaces per container. Any
serial interface can be mapped to the container, up to two serial interfaces.
SecFlow-1p allows resource configuration (memory, disk, CPU allocation) per container.
You can add a new container using one of the following methods:
1. Create from an LXD image located on a remote server, which is preconfigured in CLI as a
“remote-image-server“. An Internet connection is required for this action.
2. Create from local images installed in SecFlow-1p.
You can perform the actions of delete, start/stop, restart, and freeze/unfreeze on an existing container.
Using the web interface, you can also:
• Push files to and pull files from the container
• Display the container’s status
• Take a snapshot of the container
• Restore the container from a snapshot
• Change the container’s name by the “move” action
• Clone a container
• Access the container’s terminal shell (“bash”)
• Export an image from the container. This image can be used later by SecFlow-1p to create a new container. Likewise, it can be copied to a remote image server to be published to other devices.
Snapshots
Container snapshots are identical to containers in the sense that they can be renamed, destroyed, or
restored, but unlike containers, snapshots cannot be modified.
Snapshots are stateful, i.e. they depend on the container state, because the container runtime state
can be stored. This means that you can roll back the container state, including its CPU and memory
state, to the time of the snapshot. This functionality enables:
• Restoring the container from a specific snapshot
• Creating a new container based on a snapshot restored from another container
Images
LXD is image-based, so every LXD container comes from an image. Images are typically clean Linux
distribution images similar to what you would use for a virtual machine.
A container can be published by creating an image from it that can be used later by local or remote
LXD hosts.
In addition to the default local images, you can connect to a remote image server to download other
required images. Although the image may have come from a remote image server, eventually, every LXD
container is created from a local image.
Profiles
Profiles allow you to define container configuration and container devices in one place and then apply
them to any number of containers.
A container can have multiple profiles applied to it. When the final container configuration (known as
expanded configuration) is built, the profiles are applied in the same order as they were defined,
overriding each other when the same configuration key or device is found. Then the local container
configuration is applied on top of that, overriding anything that came from a profile.
Network
LXD supports creating and managing bridges. Once a network is created and running, one or more
containers can be attached to it.
Using LXD network, you can:
• Create a new bridge with a random IPv4 subnet or a user-configured IPv4 address and subnet
• Select whether to allocate addresses using DHCP and assign the start/stop DHCP addresses
• Update IPv4 with or without NAT, according to your choice
• Assign a physical device interface to the bridge
7.3 Factory Defaults
LXD comes preconfigured with two local images:
• Alpine 3.8 armhf - Alpine Version 3.8 for ARM
• Ubuntu xenial armhf - Ubuntu Base 16.04.5 LTS (Xenial Xerus) for ARM
SecFlow-1p has three preconfigured profiles:
• default profile is automatically applied to all containers unless an alternative list of profiles is
provided by the user. This profile currently defines only the “rootfs” location.
• serial1 is a profile that defines serial device number 1 for the container
• serial2 is a profile that defines serial device number 2 for the container
7.4 Configuring LXD Containers
CLI Configuration
Part of the LXD functionality is set from the CLI, while containers are configured via the web interface.
The CLI allows you to perform the following:
• Enable or disable LXD functionality
• Update LXD remote image server
• Delete LXD remote image server
• Display LXD configuration
 To set LXD via CLI:
1. Go to lxd.
2. Enter the necessary commands according to the tasks listed below.
Enabling/disabling LXD functionality
  Command: [no] shutdown
Updating/deleting remote server IP address
  Command: [no] remote-image-server <ip-address>
Web Configuration
Web configuration of LXD containers is possible only when the LXD administrative status is enabled via
CLI (refer to CLI Configuration).
Creating Containers
A new container instance is created from an image on Images or Containers page.
 To create a new container using the Images page:
1. In the web interface, navigate to Containers (LXD) > Images > Local and select the image the
container will be created from.
2. Click the <Launch Container(s)> button.
A new page opens.
3. Type in the container name in the corresponding field; otherwise, a random name will be
chosen for the container. The name is given according to the following rules:
 Contains 1 to 24 alphanumerical characters and hyphens
 Cannot start with a numerical character or hyphen
 Cannot end with a hyphen
4. In Quantity, set the number of containers that you want to create from the selected image.
5. By default, all containers are persistent, in other words, all changes made within the container
persist over time, until the container is deleted. By clearing the check-box next to Persistent, you
can make LXD behave more like Docker, where all container configuration (network info,
profiles, snapshots, advanced configuration) is lost as soon as the container is stopped.
6. Clear the Autostart check-box if you want to restore the last state of the container upon the LXD
start. Otherwise, the container starts at the same time as LXD does.
7. Set how much CPU can be used by the container by adjusting the slider next to CPU allocation
(%) for a soft limit, or by typing in a chunk of time for a hard limit. Note that the container
cannot exceed the hard limit, while it can exceed its CPU soft limit when extra host CPU is
available.
8. Set how much memory can be used by the container by adjusting the slider next to Memory
usage in MB for a soft limit, or by typing in a fixed value for a hard limit. Note that the
container cannot exceed the hard limit, while it can exceed its memory soft limit when extra
host memory is available.
9. Select the profiles applied to the container from the list of defined profiles.
10. Define the advanced settings according to the Command Line Interface table below and click
<Create>.
 To create a new container instance using the Containers page:
1. In the web interface, navigate to Containers (LXD) > Containers and click the <New Instance>
button.
A new page opens.
2. Since all LXD containers are created from images, select one of the images from the Select
image list.
3. Select the check box next to Non-ubuntu image (Alpine), if your image is not based on Ubuntu
OS.
4. Go through steps 3 to 9 of the description above for creating a container from an image.
5. Define the advanced settings according to the table below and click <Create>:
Command Line Interface
Key
Type
Default
Live
update
Description
boot.autostart
boolean
-
n/a
Always start the container when
LXD starts (if not set, restore last
state)
boot.autostart.delay
integer
0
n/a
Number of seconds to wait after
the container started before
starting the next one
boot.autostart.priority
integer
0
n/a
What order to start the containers
in (starting with highest)
SecFlow-1p
7. Containerization
Key | Type | Default | Live update | Description
boot.host_shutdown_timeout | integer | 30 | yes | Seconds to wait for the container to shut down before it is force stopped
boot.stop.priority | integer | 0 | n/a | What order to shut down the containers in (starting with highest)
environment.* | string | - | yes (exec) | Key/value environment variables to export to the container and set on exec
limits.cpu | string | - (all) | | Number or range of CPUs to expose to the container
limits.cpu.allowance | string | 100% | yes | How much of the CPU can be used. Can be a percentage (e.g. 50%) for a soft limit, or a chunk of time (25ms/100ms) for a hard limit
limits.cpu.priority | integer | 10 (maximum) | yes | CPU scheduling priority compared to other containers sharing the same CPUs (overcommit) (integer between 0 and 10)
limits.disk.priority | integer | 5 (medium) | yes | When under load, how much priority to give to the container's I/O requests (integer between 0 and 10)
limits.kernel.* | string | - | no | Limits kernel resources per container (e.g. number of open files)
limits.memory | string | - (all) | yes | Percentage of the host's memory or fixed value in bytes (supports kB, MB, GB, TB, PB and EB suffixes)
limits.memory.enforce | string | hard | yes | If hard, the container can't exceed its memory limit. If soft, the container can exceed its memory limit when extra host memory is available.
limits.memory.swap | boolean | true | yes | Whether to allow some of the container's memory to be swapped out to disk
limits.memory.swap.priority | integer | 10 (maximum) | yes | The higher this is set, the less likely the container is to be swapped to disk (integer between 0 and 10)
limits.network.priority | integer | 0 (minimum) | yes | When under load, how much priority to give to the container's network requests (integer between 0 and 10)
limits.processes | integer | - (max) | yes | Maximum number of processes that can run in the container
linux.kernel_modules | string | - | yes | Comma-separated list of kernel modules to load before starting the container
migration.incremental.memory | boolean | false | yes | Incremental memory transfer of the container's memory to reduce downtime
migration.incremental.memory.goal | integer | 70 | yes | Percentage of memory to have in sync before stopping the container
migration.incremental.memory.iterations | integer | 10 | yes | Maximum number of transfer operations to go through before stopping the container
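The value constraints in the table above (priorities 0-10, hard/soft enforcement, the byte suffixes accepted by limits.memory, the two forms of limits.cpu.allowance) are easy to get wrong in a profile. The following linter is an added example written for this manual; it is not code from RAD or from the LXD project. It checks a key/value mapping against those constraints before it is applied, and lists the keys that the table marks as not live-updatable, so the operator knows a restart is needed. The byte suffixes are assumed to be decimal (SI) multiples, the comma-separated CPU syntax is an assumption, and the sample profile is constructed.

```python
# Added example (not part of the SecFlow-1p manual or of LXD): lint LXD limit keys
# against the constraints listed in the configuration table above.
from __future__ import annotations

import re

# Keys whose value is an integer priority in the range 0-10 (from the table)
PRIORITY_KEYS = {
    "limits.cpu.priority",
    "limits.disk.priority",
    "limits.memory.swap.priority",
    "limits.network.priority",
}

# Suffixes accepted by limits.memory per the table; decimal (SI) multiples are an assumption
MEMORY_SUFFIXES = {"kB": 10**3, "MB": 10**6, "GB": 10**9,
                   "TB": 10**12, "PB": 10**15, "EB": 10**18}


def parse_memory_limit(value: str) -> tuple[str, int]:
    """'50%' -> ('percent', 50); '512MB' -> ('bytes', 512000000)."""
    value = value.strip()
    if value.endswith("%"):
        pct = int(value[:-1])
        if not 0 < pct <= 100:
            raise ValueError(f"memory percentage out of range: {value}")
        return ("percent", pct)
    m = re.fullmatch(r"(\d+)\s*([kMGTPE]B)?", value)
    if not m:
        raise ValueError(f"unrecognised memory limit: {value}")
    return ("bytes", int(m.group(1)) * MEMORY_SUFFIXES.get(m.group(2) or "", 1))


def parse_cpu_allowance(value: str) -> tuple[str, float]:
    """'50%' -> ('soft', 0.5); '25ms/100ms' -> ('hard', 0.25), i.e. quota/period."""
    value = value.strip()
    if value.endswith("%"):
        pct = int(value[:-1])
        if not 0 < pct <= 100:
            raise ValueError(f"CPU percentage out of range: {value}")
        return ("soft", pct / 100)
    m = re.fullmatch(r"(\d+)ms/(\d+)ms", value)
    if not m or int(m.group(2)) == 0:
        raise ValueError(f"unrecognised CPU allowance: {value}")
    return ("hard", int(m.group(1)) / int(m.group(2)))


def validate_limits(config: dict[str, str]) -> list[str]:
    """Return the problems found in config; an empty list means every checked key is acceptable."""
    errors: list[str] = []
    for key, value in config.items():
        try:
            if key in PRIORITY_KEYS:
                if not 0 <= int(value) <= 10:
                    errors.append(f"{key}: must be between 0 and 10, got {value}")
            elif key == "limits.memory":
                parse_memory_limit(value)
            elif key == "limits.memory.enforce":
                if value not in ("hard", "soft"):
                    errors.append(f"{key}: must be hard or soft, got {value}")
            elif key in ("limits.memory.swap", "migration.incremental.memory"):
                if value not in ("true", "false"):
                    errors.append(f"{key}: must be true or false, got {value}")
            elif key == "limits.cpu.allowance":
                parse_cpu_allowance(value)
            elif key == "limits.cpu":
                # a CPU number, a range, or a comma-separated mix of both (assumed syntax)
                if not re.fullmatch(r"\d+(-\d+)?(,\d+(-\d+)?)*", value):
                    errors.append(f"{key}: expected a CPU number or range, got {value}")
            elif key in ("limits.processes", "migration.incremental.memory.iterations"):
                if int(value) <= 0:
                    errors.append(f"{key}: must be a positive integer, got {value}")
            elif key == "migration.incremental.memory.goal":
                if not 0 <= int(value) <= 100:
                    errors.append(f"{key}: must be a percentage 0-100, got {value}")
        except ValueError as exc:          # int() or one of the parsers rejected the value
            errors.append(f"{key}: {exc}")
    return errors


def keys_needing_restart(config: dict[str, str]) -> list[str]:
    """Keys in config that the table marks as not live-updatable (limits.kernel.*)."""
    return sorted(k for k in config if k.startswith("limits.kernel."))


# Constructed sample profile (not taken from a device); the last key is out of range on purpose
SAMPLE_CONFIG = {
    "limits.cpu": "0-1", "limits.cpu.allowance": "25ms/100ms", "limits.cpu.priority": "10",
    "limits.memory": "512MB", "limits.memory.enforce": "hard", "limits.memory.swap": "false",
    "limits.processes": "200", "limits.kernel.nofile": "1024", "limits.network.priority": "11",
}

if __name__ == "__main__":
    for problem in validate_limits(SAMPLE_CONFIG):
        print("error:", problem)
    print("restart needed for:", keys_needing_restart(SAMPLE_CONFIG))
```

Running the block prints the one error in the sample profile and names limits.kernel.nofile as the key that only takes effect after the container is restarted.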
Performing Actions with Containers
The following actions can be performed using the container’s menu buttons:
• Start: Starting the container
• Stop: Stopping the container
• Restart: Restarting the container
• Delete: Deleting the container
• Freeze: Halting all the processes running inside the container. The processes are blocked until they are explicitly restored by the Unfreeze command. This command is useful for batch managers to schedule a group of processes.
• Unfreeze: Restoring all the container's processes.
The following actions can be performed using the Actions button in each container’s row:
• Terminal: Opening the container shell (bash/sh…)
• Snapshot: Making snapshots and restoring containers from them. Snapshots include the entire container state, together with the running state if the Stateful option is used, which means all the container configuration, container devices and container file system.
• Clone: Copying a container and cloning it into a new one. The destination container will be identical in every way to the source one, except that it won’t have any snapshots, and its volatile keys (MAC address) will be reset.
Note
Do not start both the parent and cloned containers at the same time, to avoid conflicts in the network setup or interface attachments.
• Move: Renaming a container.
• Export: Exporting an image from the container. The image can be used later on by your device to create a new container, or can be copied to an image remote server to be published to other devices.
Some of the actions can be performed from the Container Details page that opens by clicking the
container’s name.
Container File Operations
LXD has direct access to the container’s file system, so it can directly read and write to any file inside the
container. This can be very useful for pulling log files or exchanging files in the container.
The following file operations are available:
• New
• Upload
• Download
• View
• Edit
• Delete
Downloading Remote Images
Before downloading an image from a remote server, make sure that the server is configured in the CLI (see CLI Configuration) and that it is operational and reachable over the Internet connection.
 To download a remote image:
1. In the web interface, navigate to Containers (LXD) > Images > Remote and select the image from
the list.
2. Click the <Download> button.
The image is downloaded to the local device.
Creating and Deleting Profiles
 To create a new profile:
1. In the web interface, navigate to Containers (LXD) > Profiles and select the <New Profile>
button.
A new page opens.
2. Set the profile name and click the <Create Profile> button.
 To delete a profile:
1. In the Profiles page, select the profile and click the <Delete> button.
Creating Bridge Networks
 To create a bridge network:
1. Navigate to Containers (LXD) > Network and select the <New Bridge Network> button.
A new page opens.
2. Under the Internal bridge tab, set a new Bridge name in the corresponding field.
3. Select “Yes” next to NAT, if the address should work with NAT, or “No” otherwise.
4. Set the IPv4 address manually; otherwise, it is allocated automatically.
5. Set the network mask.
6. Select the starting IP for DHCP range.
7. Select the ending IP for DHCP range.
9. Optionally, you can define a direct interconnection from the container’s bridge to the physical
interface of SecFlow-1p. Under the Bridge to physical interface tab, select the host physical
interface for the bridge, choosing one of six (1-6) ports.
Displaying Storage Information
The LXD Info page contains 2 different storage information sections:
• Containers Storage Information. This section displays the space used by the currently installed containers. Containers that were created from the same image do not increase the storage space, which allows you to install multiple containers without affecting the disk space (unless a container was changed or updated). Containers from different images do increase the used disk space.
• Operational Storage Information. This section displays the space used for all other operations that require disk space, such as downloading images, exporting containers to images, creating snapshots from containers, etc.
7.5 Example: Suricata TAP Mode Container
This example shows how to install a new container used as a Suricata detection engine.
Suricata is an open-source Intrusion Detection and Prevention (IDP) engine developed by the OISF. It inspects the network traffic using a powerful and extensive rule and signature language, and has powerful scripting support for detection of complex threats.
SecFlow-1p has a container with SCADA firewall capability available via the Suricata engine. When working in TAP mode, it passively monitors the traffic without taking actions. If any malicious activity is found, it can send an indication to a syslog server and report which threats were discovered, all according to the rules defined by the user.
[Figure: Suricata container in TAP mode. SecFlow-1p, connected to the LAN and, over fiber or LTE mobile, to a packet network, reports to public/private cloud applications (SIEM/Analytics, Microsoft, Amazon, Google Cloud).]
Configuring the container includes the following stages:
• creating internal bridges
• creating a container based on an image
• checking communication
• establishing SSH access to the container (optional)
• updating Suricata rules
• configuring Syslog
• checking Syslog connectivity
Creating Internal Bridges
 To create internal bridges:
• In the Network page, create two new bridge networks:
 tapbr0 – This bridge is used to listen to traffic mirrored from the LAN ports of SecFlow-1p. Set 10.0.1.1/24 as the internal IP address of this network bridge, since the container image includes a corresponding address connected to this network.
 mgtbr0 – This bridge is used for the Suricata container management/monitoring. Set 10.0.2.1/24 as the internal IP address of this network bridge, since the container image includes a corresponding address connected to this network.
This interface can be run through NAT (ipvX.nat: true) if Syslog events should be sent via the Internet or a routed network over fiber or cellular.
If you want to send Syslog events via a VPN tunnel, configure the interface without NAT (ipvX.nat: false) and set it as a left subnet of the VPN.
Creating a Container Based on Image
 To create a container:
1. In the Images page, select the Suricata Alpine 3.8 TAP mode image located on your image server and click <Launch Container(s)>.
The Create Container from Image page opens.
2. Set the name and other container parameters and click <Create>.
The new container appears in the Containers page.
3. Click the container’s name and open the Networking tab.
4. Assign to the container two interfaces with static IP addresses:
 eth0, connected to tapbr0, IP address 10.0.1.10
 eth1, connected to mgtbr0, IP address 10.0.2.10
5. Configure the eth ports in the container OS.
6. The port configuration and its file differ between container operating systems; for example:
auto eth0
iface eth0 inet static
    address 10.0.1.10
    netmask 255.255.255.0
auto eth1
iface eth1 inet static
    address 10.0.2.10
    netmask 255.255.255.0
    gateway 10.0.2.1
    dns-nameservers 8.8.8.8 8.8.4.4
Checking Communication
Restart the container and connect to it through the terminal.
Check communication between the container and its bridges (10.0.1.1 and 10.0.2.1) and the bridge ports (10.0.1.10 and 10.0.2.10).
Establishing SSH Access
Optionally, you can provide SSH access to the container.
 To provide SSH access:
1. Using the CLI, create a static NAT rule to forward management traffic to the container management port:
router nat static create original-port 2222 modified-ip 10.0.2.10 modified-port 22 protocol tcp
2. Create or change the user in the container that should be used for the SSH connection. For example, in the current configuration supplied via the image, user: suricata; password: admin.
 To add a new user:
adduser -s /bin/ash -G users suricata
password: admin
3. Change the password:
chpasswd
suricata:suricata1
Updating Suricata Rules
To update Suricata rules, copy or update the suricata.yaml and suricata.rules files to /etc/suricata and
/etc/suricata/rules, respectively, inside the container.
Configuring Syslog
 To configure Syslog:
1. Change /etc/rsyslog.conf to send alerts to the IP address of your Syslog server:
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
local5.* @50.50.50.5:514
2. Configure SNAT to allow the container to communicate over the IPsec tunnel, for example:
a. Set the rule: sudo iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 4.4.4.5
b. Write the rules to disk: sudo /etc/init.d/iptables save
c. Set iptables to start on reboot: rc-update add iptables
Checking Syslog Connectivity
Check connectivity to syslog devices such as RAD SIEM or a syslog server. You can use any Syslog server monitoring application, for example Syslog Watcher, that listens on the UDP port configured in the container’s rsyslog.conf file (50.50.50.5:514), and verify that the Suricata engine is sending all reported hit actions to this server.
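Where no monitoring application is at hand, a small receiver on the Syslog server is enough to confirm that alerts arrive on the expected facility and to see what Suricata is reporting. The following is an added example written for this manual, not code from RAD, Suricata or rsyslog. It parses the Suricata "fast" alert format as rsyslog forwards it with the local5.* rule above (RFC 3164 <PRI> prefix, then the alert body), counts alerts per signature and per source address, and flags datagrams that did not arrive on facility local5. IPv4 endpoints are assumed in the alert regex, and the sample datagrams are constructed, not captured from a device.

```python
# Added example (not part of the SecFlow-1p manual or of Suricata/rsyslog): receive the
# alerts the container forwards with "local5.* @<server>:514", parse them and summarise.
from __future__ import annotations

import re
import socket
from collections import Counter

LOCAL5 = 21  # syslog facility number of local5, the facility used in the rsyslog.conf above

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
# Suricata "fast" alert line inside the syslog message body (IPv4 endpoints assumed)
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src_ip>[0-9.]+):(?P<src_port>\d+)\s+->\s+(?P<dst_ip>[0-9.]+):(?P<dst_port>\d+)"
)


def parse_alert(line: str) -> dict | None:
    """Return the fields of one Suricata alert line, or None if the line is not an alert."""
    facility = severity = None
    body = line
    m = PRI_RE.match(line)
    if m:                                   # RFC 3164 <PRI> = facility * 8 + severity
        facility, severity = divmod(int(m.group("pri")), 8)
        body = m.group("rest")
    a = ALERT_RE.search(body)
    if a is None:
        return None
    alert = a.groupdict()
    for k in ("gid", "sid", "rev", "priority", "src_port", "dst_port"):
        alert[k] = int(alert[k])
    alert["facility"] = facility
    alert["severity"] = severity
    return alert


def summarize(lines):
    """Count alerts per (sid, msg) and per source IP; also return the lines that were not alerts."""
    by_sig: Counter = Counter()
    by_src: Counter = Counter()
    unparsed: list[str] = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            unparsed.append(line)
            continue
        by_sig[(alert["sid"], alert["msg"])] += 1
        by_src[alert["src_ip"]] += 1
    return by_sig, by_src, unparsed


def serve(bind: str = "0.0.0.0", port: int = 514) -> None:
    """Listen for UDP syslog datagrams (port 514 needs root) and print each parsed alert."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (peer, _) = sock.recvfrom(65535)
        alert = parse_alert(data.decode("utf-8", "replace").rstrip("\r\n"))
        if alert and alert["facility"] != LOCAL5:
            print(f"warning: alert from {peer} did not arrive on facility local5")
        print(peer, alert or "(not an alert)")


# Constructed sample datagrams in the shape rsyslog forwards them; not captured from a device
SAMPLE_LINES = [
    "<173>Nov 12 10:15:22 suricata suricata[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.1.5:80 -> 10.0.1.10:45678",
    "<173>Nov 12 10:15:23 suricata suricata[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.1.5:80 -> 10.0.1.11:45680",
    "<173>Nov 12 10:16:01 suricata suricata[1234]: [1:1000001:1] LOCAL Modbus write from unexpected host "
    "[Classification: Local Policy Violation] [Priority: 1] {TCP} 10.0.1.7:51000 -> 10.0.1.5:502",
    "<13>Nov 12 10:16:05 suricata rsyslogd: action 'action 0' resumed",
]

if __name__ == "__main__":
    by_sig, by_src, unparsed = summarize(SAMPLE_LINES)
    for (sid, msg), n in by_sig.most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    print("sources:", dict(by_src), "unparsed:", len(unparsed))
```

Run the block as-is to see the summary of the constructed lines; call serve() on the Syslog host to watch live datagrams from the container. Keeping the parser separate from the socket code is what makes it testable against recorded lines.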
7.6 Viewing Container Status
 To view the container status:
1. From the list of available containers on the Containers page, select the container by clicking its name.
The Container Details: <container name> page opens.
2. Choose the Details tab to see all available information regarding the container parameters:
 CPU
 Memory:
 current – current memory allocated by the container
 peak – peak memory allocated by the container
 available – memory available to use by the host
 Disk:
 root – disk usage for the running container
 available – disk space available to use by the host
 Network, etc.
3. Choose the Networking tab to see all available information regarding the network interfaces:
 Interface (Ethernet port) name and operational status (up/down)
 Name of the bridge connected to the interface
 Physical Ethernet port hosting this interface (HOST IFC)
 IP address of the bridge/physical ETH port
 MAC address of the interface
 Network mask
 Number of sent and received packets and bytes
 Port mapping
You can use the <Add +> button to add a new interface or port mapping.
4. Choose the Snapshots tab to see all snapshots created from this container.
You can either create a new container or restore the current container based on the selected snapshot.
5. Choose the Advanced tab to see all advanced settings of the currently running container.
6. Choose the File Manager tab to display the container file system. For more information on file operations, refer to Container File Operations.
8 Timing and Synchronization
8.1 GNSS Location Reporting
GNSS (Global Navigation Satellite System) is the general term for satellite navigation systems that allow users to determine their current position from the signals received from groups of satellites called constellations. Each constellation consists of a set of satellites which continuously transmit signals towards the Earth.
GNSS satellites continuously broadcast satellite position and timing data. The antenna in the device receives the RF signals from at least 4 satellites, and these signals are passed to the GNSS receiver for computing the actual position. The receiver does not transmit any signal to the satellites.
Functional Description
The device supports the GPS, GLONASS, BeiDou and Galileo satellite constellations, depending upon the hardware used.
GPS is always on and is the only primary GNSS system. Glonass, Galileo or BeiDou can be set as secondary systems. If BeiDou is set, at least one of the other systems must be set too.
When GNSS is enabled, the device starts receiving signals from the satellites and begins the tracking process. It stays locked to the satellites as long as they are visible.
Note
Depending on the satellite constellation and other factors, the time to satellite locking (the time taken by the device to acquire satellite data and calculate its position) can be as much as approximately 1 minute, if a sufficient number of satellites is available.
Factory Defaults
The default configuration of GNSS is shown below.
Parameter | Default Value
name | gnss<port-number>
shutdown | no shutdown
secondary-system | no secondary-system
Configuring GNSS
 To configure the GNSS receiver in the CLI:
1. Navigate to configure system clock gnss.
The config>system>clock>gnss# prompt is displayed.
2. Enter all necessary commands according to the tasks listed below.
Task | Command | Comments
Assigning the name to the GNSS port | name <port-name> | 1-64 characters
 | no name | 
Administratively enabling the GNSS receiver | no shutdown | Using shutdown disables the GNSS receiver
Defining the secondary GNSS system | secondary-system [glonass] [galileo] [beidou] | At least one system must be specified. If Beidou is set, at least one of the other systems must be set as well
 | no secondary-system | 
Viewing GNSS status | show status | See Viewing GNSS Status
Viewing GNSS Status
You can view the GNSS status to see if the GNSS receiver is fully locked to the GNSS signals, and view the
satellite statuses, if applicable.
The information depends upon the track-status (Not tracking, Tracking satellites or Locked – see below).
If GNSS functionality is lost after a position was received, the current position information is retained
until a new position is acquired.
 To view the GNSS status:
• Navigate to configure system clock gnss.
The config>system>clock>gnss# prompt is displayed.
• Enter:
show status
The GNSS status is displayed, followed by the Satellite Status table. The GNSS status displays the following (depending on the tracking status):
• Administrative Status
• Operational Status. The operational status depends upon the administrative status and the actual operation status of GNSS. Operational status is down if the device is not tracking satellites and becomes up if the device starts tracking the satellites.
• Primary System (always GPS)
• Secondary Systems (Glonass, Galileo, Beidou)
• Tracking status:
 GNSS Disabled – GNSS is administratively disabled
 GNSS Locked – GNSS is fully operational (locked to satellites)
 Not Tracking Satellites – GNSS is not operational (not tracking satellites)
 Tracking Satellites – GNSS is tracking satellites, but not locked
The table of satellites displays the following:
• Satellite number
• GNSS system (GPS, Glonass, Galileo, Beidou)
• Signal to noise ratio (dB)
• Satellite health (Yes, No)
• Azimuth (degrees)
• Elevation (degrees)
Note
If track-status is Not Tracking, the table of satellites is not printed.
Examples
 To configure GLONASS as secondary system:
exit all
configure system clock gnss gnss1
secondary-system glonass
exit all
save
 To view the GNSS status:
config>system>clock>gnss(gnss1)# show status

***state is Not Tracking and there are active alarms***
Port Name            : gnss 1
Administrative Status: Up
Operational Status   : Down
Primary System       : GPS
Secondary Systems    : Glonass, Galileo
Position Mode        : Auto
Tracking Status      : Not Tracking Satellites

***state is Not Tracking and there is no active alarm***
Port Name            : gnss 1
Administrative Status: Up
Operational Status   : Down
Primary System       : GPS
Secondary Systems    : Glonass, Galileo
Position Mode        : Auto
Tracking Status      : Not Tracking Satellites

***state is other than Not Tracking***
Port Name            : gnss 1
Administrative Status: Up
Operational Status   : Up
Primary System       : GPS
Secondary Systems    : -
Position Mode        : Auto
Tracking Status      : Tracking Satellites
Latitude             : N22:11:00.001
Longitude            : E111:22:00.111
Height               : 12345

Satellite Status
Num | System | SNR | Healthy | Azimuth | Elevation
--------------------------------------------------
1   | GPS    | 42  | Yes     | 57      | 24
15  | GPS    | 40  | Yes     | 240     | 47
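A device that reports Tracking Satellites but not GNSS Locked is not yet a trustworthy position or time source, and the receiver needs at least 4 satellites for a fix. The following parser and check is an added example for this manual, not RAD code: it turns the text of show status shown above into a dictionary plus a satellite list and maps it to a monitoring state. The key names (lower_snake_case of the field labels) and the sample text, which is modelled on the Tracking Satellites output above rather than captured live, are this example's own.

```python
# Added example (not part of the SecFlow-1p manual): parse the text of "show status"
# shown above and decide whether the receiver is usable as a position/time source.
from __future__ import annotations

import re

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")
MIN_SATELLITES = 4  # the receiver needs signals from at least 4 satellites for a position


def parse_gnss_status(text: str) -> dict:
    """Return the status fields (lower_snake_case keys) plus a 'satellites' list of dicts."""
    status: dict = {"satellites": []}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("***") or line.startswith("---"):
            continue                           # banner, separator or blank line
        if line.startswith("Satellite Status"):
            in_table = True
            continue
        if in_table:
            cells = [c.strip() for c in line.split("|")]
            if len(cells) != 6 or cells[0] == "Num":
                continue                       # header row or unexpected line
            status["satellites"].append({
                "num": int(cells[0]), "system": cells[1], "snr": int(cells[2]),
                "healthy": cells[3] == "Yes", "azimuth": int(cells[4]),
                "elevation": int(cells[5]),
            })
            continue
        m = FIELD_RE.match(line)               # "Label : value"; the value may itself contain colons
        if m:
            key = m.group("key").strip().lower().replace(" ", "_")
            status[key] = m.group("value").strip()
    return status


def assess_gnss(status: dict) -> tuple[str, str]:
    """Map a parsed status to (state, reason) for a monitoring check."""
    healthy = [s for s in status["satellites"] if s["healthy"]]
    tracking = status.get("tracking_status", "")
    if status.get("administrative_status") != "Up" or tracking == "GNSS Disabled":
        return ("disabled", "GNSS is administratively disabled")
    if tracking == "GNSS Locked":
        return ("locked", f"locked with {len(healthy)} healthy satellites")
    if tracking == "Tracking Satellites":
        if len(healthy) < MIN_SATELLITES:
            return ("tracking", f"only {len(healthy)} healthy satellites, "
                                f"at least {MIN_SATELLITES} are needed for a fix")
        return ("tracking", "tracking satellites but not yet locked")
    return ("not-tracking", "no satellites tracked; last known position is retained")


# Constructed sample modelled on the Tracking Satellites output above (not a live capture)
SAMPLE_STATUS = """\
***state is other than Not Tracking***
Port Name            : gnss 1
Administrative Status: Up
Operational Status   : Up
Primary System       : GPS
Secondary Systems    : -
Position Mode        : Auto
Tracking Status      : Tracking Satellites
Latitude             : N22:11:00.001
Longitude            : E111:22:00.111
Height               : 12345

Satellite Status
Num | System | SNR | Healthy | Azimuth | Elevation
--------------------------------------------------
1   | GPS    | 42  | Yes     | 57      | 24
15  | GPS    | 40  | Yes     | 240     | 47
"""

if __name__ == "__main__":
    parsed = parse_gnss_status(SAMPLE_STATUS)
    print(parsed["tracking_status"], parsed["latitude"], parsed["longitude"])
    print(assess_gnss(parsed))
```

Feeding it the captured output of show status from a scheduled CLI session gives a state that can be alarmed on; the sample above comes back as tracking with only 2 healthy satellites.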
8.2 Date and Time
You can configure the SecFlow-1p internal real-time clock as free running or with Network Time Protocol
(NTPv4).
Applicability and Scaling
This feature is relevant for all the device versions.
Standards Compliance
RFC 3231 – Definitions of Managed Objects for Scheduling Management Operations
RFC 2863 – The Interfaces Group MIB
RFC 3418 – Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
RFC 4330 – Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI
Benefits
NTP synchronizes the internal clocks of network devices to a single time reference source. It provides
comprehensive mechanisms to access national time dissemination services, organize the NTP subnet of
servers and clients, and adjust the system clock in each participant. It improves the timekeeping quality
of the network by using redundant reference sources and diverse paths for time distribution.
Functional Description
Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. NTP, a large and very complex application for the synchronization of computers and computer networks, incorporates complex statistical algorithms that filter out small discrepancies in time and make time adjustments. It synchronizes all participating computers to within a few milliseconds of Coordinated Universal Time (UTC).
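The SNTP exchange behind this (RFC 4330, listed under Standards Compliance) is a single 48-byte request and reply from which the client computes its clock offset and the round-trip delay. The block below is an added example for this manual, not RAD's NTP implementation: it builds the client request, applies the sanity checks RFC 4330 asks of a client before a reply is trusted (server mode, leap indicator not 3, stratum not 0 which is a kiss-o'-death, originate timestamp equal to the request's transmit timestamp, non-negative delay) and computes offset and delay. build_reply exists only to construct a server reply for offline testing; sntp_query is the live version and needs network access.

```python
# Added example (not part of the SecFlow-1p manual): build an SNTPv4 client request,
# validate the server reply as RFC 4330 requires, and compute offset and delay.
from __future__ import annotations

import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800            # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
PACKET_FMT = "!BBbb11I"                  # LI/VN/Mode, stratum, poll, precision, 3 words, 4 timestamps
PACKET_LEN = struct.calcsize(PACKET_FMT)  # 48 bytes


def to_ntp(unix_time: float) -> tuple[int, int]:
    """Unix seconds -> (NTP seconds, 32-bit fraction)."""
    whole = int(unix_time)
    return whole + NTP_EPOCH_OFFSET, int((unix_time - whole) * 2**32)


def from_ntp(seconds: int, fraction: int) -> float:
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def build_request(t1: float) -> bytes:
    """Client request: LI=0, VN=4, Mode=3, our send time T1 in the Transmit Timestamp."""
    first = (0 << 6) | (4 << 3) | 3
    return struct.pack(PACKET_FMT, first, *([0] * 12), *to_ntp(t1))


def build_reply(t1: float, t2: float, t3: float, stratum: int = 1,
                refid: bytes = b"GPS\0", li: int = 0) -> bytes:
    """Server reply (Mode=4) echoing T1 as Originate and carrying T2/T3; a test fixture here."""
    first = (li << 6) | (4 << 3) | 4
    (refid_word,) = struct.unpack("!I", refid.ljust(4, b"\0")[:4])
    return struct.pack(PACKET_FMT, first, stratum, 0, 0, 0, 0, refid_word,
                       *to_ntp(t3), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))


def parse_reply(data: bytes, t1: float, t4: float) -> dict:
    """Validate a reply to the request sent at T1 and received at T4; raise ValueError if unusable."""
    if len(data) < PACKET_LEN:
        raise ValueError("short packet")
    f = struct.unpack(PACKET_FMT, data[:PACKET_LEN])
    li, vn, mode, stratum = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7, f[1]
    refid = struct.pack("!I", f[6])
    orig = (f[9], f[10])                       # Originate = our Transmit, echoed by the server
    t2 = from_ntp(f[11], f[12])                # Receive timestamp at the server
    t3 = from_ntp(f[13], f[14])                # Transmit timestamp at the server
    if mode != 4 or vn not in (3, 4):
        raise ValueError(f"not a server reply (mode {mode}, version {vn})")
    if li == 3:
        raise ValueError("server clock is unsynchronized (LI=3)")
    if stratum == 0:
        code = refid.rstrip(b"\0").decode("ascii", "replace")
        raise ValueError(f"kiss-o'-death: {code}")
    if orig != to_ntp(t1):
        raise ValueError("originate timestamp does not match our request (bogus or replayed reply)")
    if f[13] == 0:
        raise ValueError("transmit timestamp is zero")
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    if delay < 0:
        raise ValueError("negative round-trip delay")
    return {"stratum": stratum, "li": li, "refid": refid, "offset": offset, "delay": delay}


def validate_reply(data: bytes, t1: float, t4: float) -> str | None:
    """Error text if the reply should be rejected, else None."""
    try:
        parse_reply(data, t1, t4)
    except ValueError as exc:
        return str(exc)
    return None


def sntp_query(host: str, port: int = 123, timeout: float = 2.0) -> dict:
    """One SNTP exchange with a real server (network access required)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (host, port))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_reply(data, t1, t4)


if __name__ == "__main__":
    reply = build_reply(1000.0, 1000.3, 1000.4)          # constructed server reply
    print(parse_reply(reply, 1000.0, 1000.6))            # offset ~0.05 s, delay ~0.5 s
    print(validate_reply(build_reply(1000.0, 1000.3, 1000.4, li=3), 1000.0, 1000.6))
```

The originate-timestamp comparison is the check that matters most on an untrusted network: a reply that does not echo the client's own transmit timestamp is dropped before its timestamps can move the clock.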
Factory Defaults
The default system date and time parameters are as follows:
Parameter | Default Value
date-format | yyyy-mm-dd
zone utc | +00:00
By default, no NTP servers are defined.
When an NTP server is defined, its default configuration is:
Parameter | Default Value
address | 0.0.0.0
prefer | no prefer
shutdown | shutdown
Configuring Date and Time
 To set the system date and time:
1. Navigate to configure system date-and-time.
The config>system>date-time# prompt is displayed.
2. Enter all necessary commands according to the tasks listed below.
Task | Command | Comments
Specifying the desired date format | date-format {yyyy-mm-dd | dd-mm-yyyy | mm-dd-yyyy | yyyy-dd-mm} | 
Defining the date | date <date> | Date is according to the configured date format.
Configuring NTP | ntp | 
Scheduling adjustment of product time for daylight saving time start and stop | [no] summer-time | Typing no summer-time removes daylight saving time scheduling. See Configuring Daylight Saving Time Scheduling
Displaying daylight saving time scheduling information | show summer-time | See Viewing Scheduled Daylight Saving Time
Defining the time | time <hh:mm[:ss]> | 
Defining the time zone relative to Universal Time Coordinated (UTC) | zone utc [<[{+|-}]hh[:mm]>] | Possible values: -12:00 to +12:00, in 30-minute increments
You can synchronize the time on the SecFlow-1p internal clock with the time on an NTP server.
This section explains how to receive the clock signal from NTP servers in the network. One of the active NTP servers can be designated the preferred server, so that NTP requests are sent to the preferred server. If there is no preferred server or if the preferred server does not answer, NTP requests are sent to any enabled servers.
 To configure NTP:
1. Navigate to configure system date-and-time ntp.
The config>system>date-time>ntp# prompt is displayed.
2. Enter all necessary commands according to the tasks listed below.
Task | Command | Comments
Defining and configuring NTP servers | server <server-id> | Typing no server removes the NTP server.
Displaying NTP status | show status | See Viewing NTP Status
 To configure an NTP server:
1. Navigate to config system date-and-time ntp.
The config>system>date-time>ntp# prompt is displayed.
2. Type server <server-id> to define an NTP server with ID <server-id>.
The following prompt is displayed: config>system>date-time>ntp>server(<server-id>)$.
3. Enter all necessary commands according to the tasks listed below.
Task | Command | Comments
Setting the IP address of the NTP server | address <IP-address> | 
Setting the NTP server as the preferred server | prefer | Type no prefer to remove the preference. Note: Only one server can be preferred.
Administratively enabling the server | no shutdown | Entering shutdown disables the server.
Sending an NTP polling request to check server status | query-server | 
Examples
Setting Date and Time
 To set the date and time:
• Format = mm-dd-yyyy
• Date = May 17, 2017
• Time = 5:40 pm
• Zone = UTC -4 hours and 30 minutes
exit all
configure system date-and-time
date-format mm-dd-yyyy
date 05-17-2017
time 17:40
zone utc -04:30
Defining the NTP Server
 To define the NTP server:
• Server ID = 1
• IP address = 172.17.171.141
• Preferred
• Administratively enabled
exit all
configure system
date-and-time
zone utc +03:00
ntp
server 1
address 172.17.171.141
prefer
no shutdown
exit
Viewing Status
Viewing Date and Time Status
 To display the date and time:
• From the system context (config>system), enter:
show system-date
config>system# show system-date
2017-06-13
09:15:05 UTC +00:00
Viewing NTP Status
 To display the NTP status:
1. Navigate to config system date-and-time ntp.
The config>system>date-time>ntp# prompt is displayed.
2. Type show status.
The following screen is displayed.
config>system>date-time>ntp# show status
System Uptime       : 000 Days 18:45:45
System Time (Local) : 2017-10-31 09:28:22
Current Source      : NTP
Locking Status      : In Limits
NTP Server        Prefer    Admin     Stratum
---------------------------------------------
172.17.171.141    Prefer    Enabled   1
8.3 Daylight Saving Time
You can schedule SecFlow-1p to change its system time to daylight saving time (also known as summer
time), at a specific date and time.
Applicability and Scaling
This feature is relevant for all the device versions.
Functional Description
You can specify when the device local system time should reflect the start of daylight saving time by
adding an offset, and when it should reflect the end of daylight saving time by subtracting the offset.
You can schedule daylight saving time in one of the following ways:
One shot – Daylight saving time starts and ends once, at a specified date and time (e.g. November 6 2017).
Recurring – Daylight saving time starts and ends every year at a specified time, and a date specified according to the weekday and month (e.g. first Sunday in October).
The daylight saving time schedule is saved in nonvolatile (permanent) memory, in order to be available
after device reboot.
Note
SecFlow-1p logs the start and end of daylight saving time with the events
summer_time_started and summer_time_ended, respectively. Each event is
also sent as an SNMP notification to management stations.
Factory Defaults
By default, no scheduling is configured.
The default value for daylight saving time offset is 60 minutes.
Configuring Daylight Saving Time Scheduling
When you configure daylight saving time scheduling, the first set of parameters in the commands
specifies when daylight saving time starts, and the second set of parameters specifies when daylight
saving time ends.
 To configure daylight saving time:
•
Navigate to the config>system>date-time level and enter the summer-time command
according to the type of schedule:
 One shot – Enter:
summer-time date {january | february | march | april | may | june | july | august | september | october | november | december} <dd> <yyyy> <hh>:<mm> {january | february | march | april | may | june | july | august | september | october | november | december} <dd> <yyyy> <hh>:<mm> [<offset>]
 Recurring – Enter:
summer-time recurring {1 | 2 | 3 | 4 | last} {sunday | monday | tuesday | wednesday | thursday | friday | saturday} {january | february | march | april | may | june | july | august | september | october | november | december} <hh>:<mm> {1 | 2 | 3 | 4 | last} {sunday | monday | tuesday | wednesday | thursday | friday | saturday} {january | february | march | april | may | june | july | august | september | october | november | december} <hh>:<mm> [<offset>]
The parameter {1 | 2 | 3 | 4 | last} specifies the week of the month.
For both schedule types, <offset> specifies (in minutes) the time to add at daylight saving time start, or
subtract at daylight saving time end. Its range is 1–1440.
 To delete daylight saving time scheduling:
•
Navigate to the config>system>date-time level and enter:
no summer-time
Examples
 To schedule daylight saving time starting March 27 2017 at 1:00 and ending October 27 2017 at
2:00:
config>system>date-time#summer-time date march 27 2017 01:00 october 27 2017 12:59
 To schedule daylight saving time starting on the first Friday in March at 2:00 and ending on the
last Sunday in October at 3:00:
configure system date-and-time
summer-time recurring 1 friday march 02:00 last sunday october 03:00
Configuration Errors
The following table lists the messages generated by the device when a configuration error is detected.
Message | Cause | Corrective Action
Schedule with this name already configured | You tried to create a new schedule with a name that is used by an existing schedule. | Specify a name that is not being used by an existing schedule.
Summer-time already configured | You entered the summer-time command to configure daylight saving time, but the scheduling of summer-time has already been configured. | Delete the existing summer-time configuration, and then re-enter the summer-time command.
Recurring summer-time start and end must be on different months | You tried to configure summer-time start and end in the same month. | Enter the summer-time command with summer-time start and end in different months.
Summer-time cannot end before it starts | You entered the summer-time command (with one-shot schedule type) with summer-time end time earlier than summer-time start. | Enter the summer-time command with summer-time start time earlier than the end time.
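To see what a given summer-time command will actually do in a particular year, and which of the errors in the table above it would trigger, the following added example (written for this manual, not RAD code) evaluates both command forms from Configuring Daylight Saving Time Scheduling: it resolves a recurring rule such as "last friday march 02:00 last sunday october 02:00" to concrete dates, parses the one-shot date form, applies the different-months, end-before-start and 1–1440 offset checks, and reports how many minutes the device would add to the configured zone at a given moment. The southern-hemisphere case, where the window wraps around the year end, is handled. The function names and the default offset of 60 minutes (the factory default stated above) are this example's own conventions.

```python
# Added example (not part of the SecFlow-1p manual): evaluate the summer-time command
# forms above for a given year and apply the same checks as the Configuration Errors table.
from __future__ import annotations

import calendar
import datetime as dt

MONTHS = [m.lower() for m in calendar.month_name[1:]]        # january .. december
WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
WEEK_OF_MONTH = {"1": 0, "2": 1, "3": 2, "4": 3, "last": -1}
DEFAULT_OFFSET = 60                                         # minutes, the factory default


def nth_weekday(year: int, month: int, week: str, weekday: str) -> dt.date:
    """Date of the 1st..4th or last <weekday> of <month>, as the recurring form specifies it."""
    wanted = WEEKDAYS.index(weekday)
    days = [d for d in calendar.Calendar().itermonthdates(year, month)
            if d.month == month and d.weekday() == wanted]
    return days[WEEK_OF_MONTH[week]]


def _hhmm(text: str) -> dt.time:
    hours, minutes = text.split(":")
    return dt.time(int(hours), int(minutes))


def _offset(parts: list[str], index: int) -> int:
    """Optional trailing <offset> argument, range 1-1440 minutes, default 60."""
    offset = int(parts[index]) if len(parts) > index else DEFAULT_OFFSET
    if not 1 <= offset <= 1440:
        raise ValueError("offset must be between 1 and 1440 minutes")
    return offset


def parse_summer_time(rule: str, year: int) -> tuple[dt.datetime, dt.datetime, int]:
    """Parse 'summer-time date ...' or 'summer-time recurring ...' into (start, end, offset)."""
    parts = rule.split()
    if parts[:1] == ["summer-time"]:
        parts = parts[1:]
    if parts[0] == "date" and len(parts) in (9, 10):            # one-shot form
        sm, sd, sy, st, em, ed, ey, et = parts[1:9]
        start = dt.datetime.combine(dt.date(int(sy), MONTHS.index(sm) + 1, int(sd)), _hhmm(st))
        end = dt.datetime.combine(dt.date(int(ey), MONTHS.index(em) + 1, int(ed)), _hhmm(et))
        if end <= start:
            raise ValueError("Summer-time cannot end before it starts")
        return start, end, _offset(parts, 9)
    if parts[0] == "recurring" and len(parts) in (9, 10):       # recurring form
        sw, sd, sm, st, ew, ed, em, et = parts[1:9]
        if sm == em:
            raise ValueError("Recurring summer-time start and end must be on different months")
        start = dt.datetime.combine(nth_weekday(year, MONTHS.index(sm) + 1, sw, sd), _hhmm(st))
        end = dt.datetime.combine(nth_weekday(year, MONTHS.index(em) + 1, ew, ed), _hhmm(et))
        return start, end, _offset(parts, 9)
    raise ValueError("unrecognised summer-time form")


def schedule_error(rule: str, year: int) -> str | None:
    """The error message the device would give for rule, or None if it is acceptable."""
    try:
        parse_summer_time(rule, year)
    except ValueError as exc:
        return str(exc)
    return None


def dst_minutes_at(now: dt.datetime | str, rule: str) -> int:
    """Minutes to add to the configured zone at 'now': the offset inside the window, else 0."""
    if isinstance(now, str):
        now = dt.datetime.fromisoformat(now)
    start, end, offset = parse_summer_time(rule, now.year)
    if start <= end:                                # northern hemisphere: window inside the year
        return offset if start <= now < end else 0
    return offset if (now >= start or now < end) else 0   # window wraps over the year end


if __name__ == "__main__":
    rule = "summer-time recurring last friday march 02:00 last sunday october 02:00"
    print(parse_summer_time(rule, 2019))
    print(dst_minutes_at("2019-08-13T10:30", rule))
```

For 2019 the recurring rule in the block resolves to 29 March 02:00 and 27 October 02:00, which is the schedule the show summer-time example below displays.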
Viewing Scheduled Daylight Saving Time
 To view daylight saving time:
• Navigate to the config>system>date-time level and enter:
show summer-time
config>system>date-time# show summer-time
Current date : 13 August 2019 10:30:51 +00:00
Start (Date) : 29 March 2019 02:00
End   (Date) : 27 October 2019 02:00
Offset       : 60
For details and an example of how to view the scheduled data on your device, including daylight saving time, refer to Viewing Scheduling Information.
9 Administration
9.1 Product Information
The SecFlow-1p management software allows you to assign a name and description to the product, and
assign a contact person.
Applicability and Scaling
This feature is applicable to all the device versions.
Standards Compliance
RFC 3841 - Caller Preferences for the Session Initiation Protocol (SIP)
Setting Parameters
 To configure product information:
1. Navigate to configure system.
The config>system# prompt is displayed.
2. Enter the necessary commands according to the tasks listed below.
Task | Command | Comments
Specifying contact person | contact <contact-person> | Typing no contact removes the contact person.
Assigning product name | name <product-name> | The product name can be 0-255 characters; however, the product prompt displays only up to 20 characters, therefore if you enter a name with more than 20 characters, the prompt displays the first 19 characters followed by *. For example, a command that defines a product with a name longer than 20 characters: config sys name 12345678901234567SF-1p results in this prompt: 12345678901234567vC*# You can view the complete product name by typing show device-information. Typing no name removes the name entirely.
Specifying location | location <device-location> | 
Displaying copyright information | show copyright | 
Displaying product information, MAC address, and amount of time product has been running | show device-information | 
Displaying information output of a predefined series of commands | show tech-support | Unified output of the following commands: show configure system system-date; show configure system device-information; show file sw-pack; show file copy; show configure port summary; show configure router 1 arp-table; show configure router 1 routing-table; show configure management users-details
Example
 To configure SecFlow-1p product information:
• Product name – SecFlow-1p
• Location – floor-8
• Contact – Engineer-1
exit all
configure system
name SecFlow-1p
location floor-8
contact Engineer-1
exit all
 To display configuration for your needs or for technical support:
config>system# show tech-support
# Execute tech-support-script
# 2019-08-14 08:41:28 UTC +00:00, system uptime: 67645 seconds
show configure system system-date
2019-08-14
08:41:28 UTC +00:00
# 2019-08-14 08:41:28 UTC +00:00, system uptime: 67645 seconds
show configure system device-information
Description : SF-1p Hw: 0.4, Sw: 5.0.5.26
Name        : SF-1p
Model       : SF-1P superset
Firmware    : SF-1P/E1/ACEX/4U2S/2RS/L1/G/WF
Location    : The location of this device
Contact     : Name of contact person
MAC Address : 18-06-F5-D1-96-69
Engine Time : 18:39:56
# 2019-08-14 08:41:28 UTC +00:00, system uptime: 67645 seconds
show file sw-pack
Name        Version    Creation Time         Actual
----------------------------------------------------
sw-pack-1   5.0.0.40   2019-07-16 06:02:00   active
# 2019-08-14 08:41:28 UTC +00:00, system uptime: 67646 seconds
show file copy
# 2019-08-14 08:41:28 UTC +00:00, system uptime: 67646 seconds
show configure port summary
config>port# show summary
Panel          Name           Admin   Oper   Speed
--------------------------------------------------
Ethernet 1     Ethernet 1     Down    Down   0
Ethernet 2     Ethernet 2     Down    Down   0
Ethernet 3     Ethernet 3     Up      LLD    0
Ethernet 4     Ethernet 4     Up      Up     1G
Ethernet 5     Ethernet 5     Up      LLD    0
Ethernet 6     Ethernet 6     Up      LLD    0
Cellular lte   Cellular lte   Down    Down   0
WLAN 1         WLAN 1         Up      Up     0
WLAN 2         WLAN 2         Up      Up     0
Virtual 1      Virtual 1      Down    Down   0
Virtual 2      Virtual 2      Down    Down   0
Virtual 3      Virtual 3      Down    Down   0
Virtual 4      Virtual 4      Down    Down   0
Virtual 5      Virtual 5      Down    Down   0
Virtual 6      Virtual 6      Down    Down   0
Virtual 7      Virtual 7      Down    Down   0
Virtual 8      Virtual 8      Down    Down   0
Virtual 9      Virtual 9      Down    Down   0
Virtual 10     Virtual 10     Down    Down   0
# 2019-08-14 08:41:29 UTC +00:00, system uptime: 67646 seconds
show configure router 1 arp-table
IP Address       MAC Address         Status
--------------------------------------------
# 2019-08-14 08:41:29 UTC +00:00, system uptime: 67646 seconds
show configure router 1 routing-table
IP Address/Prefix Length   Next Hop   Interface   Protocol   Metric
--------------------------------------------------------------------
169.254.0.0/16             0.0.0.0    32          Local      0
IPv6 Address/Prefix Length   via Next Hop   Interface   Protocol   Metric
--------------------------------------------------------------------------
fe80::/64                    via 0.0.0.0    32          Local      0
# 2019-08-14 08:41:32 UTC +00:00, system uptime: 67649 seconds
show configure management users-details
User:su Level:su Popup:Enabled
From:Serial For(sec):438
9.2 File Operations
You can perform the following operations:
• Transfer files via SFTP/SCP/FTP/FTPs
• Copy files within SecFlow-1p
• Display files
• Delete files
Applicability and Scaling
File operations are applicable to all the device versions.
Functional Description
For the list of files that SecFlow-1p supports, refer to Configuration and Software Files.
User Directory
The SecFlow-1p file system contains a directory for user files, called user. The size of the user directory
varies per device and is determined by the disk space that the device can allocate. You can copy files to
and from the user directory, and delete files that are not in use. User file names are strings between 1
and 32 characters long.
Commands for Copying Files
You can copy or transfer files via the copy command, or via the commands shown in the table below.
Some commands that reset SecFlow-1p also erase the saved user configuration by copying another file
to it before the reset.
Command          Level   Copies…                                Additional Actions         Manual Section
save             Global  running-config to startup-config       None                       Saving Configuration Changes
factory-default  Admin   factory-default to startup-config      Unit resets after copying  Resetting to Factory Defaults
user-default     Admin   user-default-config to startup-config  Unit resets after copying  Resetting to User Defaults
Using SFTP or SCP
You can download or upload files to SecFlow-1p via SFTP/SCP. Normally the types of files copied are
configuration files and software files.
For details on upgrading the product software, refer to Software Upgrade.
SFTP Application
The SFTP protocol is used to provide secure file transfers via the product's Ethernet interface. SFTP is a
version of FTP that encrypts commands and data transfers, keeping your data secure and your session
private. For SFTP file transfers, an SFTP server application must be installed on the computer.
A variety of third-party applications offers SFTP server software. For more information, refer to the
documentation of these applications.
Note
SFTP file transfers are carried out through any TCP port (default is 22). You
should check that the firewalls you are using on the computer and Windows
allow communication through the port defined for SFTP connection. If not,
configure the firewall settings to open the desired TCP port.
SCP Application
The SCP protocol is typically used to provide secure file transfers between a local host and a remote
host. For SCP file transfers, an SCP server application must be installed on the computer.
A variety of third-party SCP applications are available that allow the instant creation of a SCP server on a
client computer. For more information, refer to the documentation of these applications.
Note
SCP file transfers are carried out through TCP port 22. You should check that
the firewalls you are using on the computer and Windows allow
communication through this port. If not, configure the firewall settings to
open TCP port 22.
Copying Files
You can use the copy command to copy files within the device, as well as to download/upload files to
the device via SFTP/SCP. You can also download/upload software pack files via FTP and FTPs.
Note
The Firewall database cannot be uploaded/downloaded using the CLI
command.
Note
The Syslog local accounting-log file can be uploaded; it cannot be
downloaded.
► To copy files:
• At any prompt, enter:
  copy <source-file-url> <destination-file-url>
  Where:
  • <file-url> = <url-prefix> <file>
  • <url-prefix> can be empty, or one of the following:
    ◦ tftp://<ipv4-address>/
    ◦ tftp://[<ipv6-address>]/
    ◦ sftp://<username>:<password>@<ipv4-address>[:<port>]/
    ◦ sftp://<username>:<password>@[<ipv6-address>][:<port>]/
    ◦ scp://<username>:<password>@<ipv4-address>:<port>/
    ◦ scp://<username>:<password>@[<ipv6-address>]:<port>/
    ◦ ftp://<username>:<password>@<ipv4-address>:<port>/
    ◦ ftp://<username>:<password>@[<ipv6-address>]:<port>/
    ◦ ftps://<username>:<password>@<ipv4-address>:<port>/
    ◦ ftps://<username>:<password>@[<ipv6-address>]:<port>/
    ◦ flash-<flash-number>:
  • <file> = one of the following:
    ◦ startup-config
    ◦ restore-point-config
    ◦ rollback-config
    ◦ running-config
    ◦ user-default-config
    ◦ factory-default-config
    ◦ log
    ◦ sw-pack-1
    ◦ sw-pack-2
    ◦ zero-touch-config-xml
    ◦ banner-text
    ◦ pm-0
    ◦ db-schema
    ◦ db-config
    ◦ ltm_1
    ◦ ltm_9
    ◦ schedule-log
    ◦ accounting-log
    ◦ sniffer-file
    ◦ user-script
    ◦ script-result
    ◦ sw-update-1
    ◦ sw-update-2
  • The maximum length/range is:
    ◦ <username> – 1–60 characters
    ◦ <password> – 1–60 characters
    ◦ <file> – 1–96 characters
    ◦ <port> – 1–65535
Notes
• The length of the SFTP server URL and of the filename is limited to 96 characters.
• The total length of a flash file URL (i.e. media name + path + filename) is limited to 96
  characters.
• It is not necessary to specify <port> when using a well-known port.
• <file> can be empty, one of the following files, or the file name on a remote computer if
  applicable. If <file> is on a remote computer, it can contain a path and file name, or just a file
  name.
  ◦ startup-config
  ◦ restore-point-config
  ◦ rollback-config
  ◦ running-config
  ◦ user-default-config
  ◦ factory-default-config
  ◦ sw-pack-1, sw-pack-2
  ◦ zero-touch-config-xml
  ◦ pm-0
  ◦ db-schema
  ◦ db-config
  ◦ schedule-log
  ◦ user/<filename>
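The <file-url> grammar and limits above can be checked mechanically before a copy line is typed or scripted. The Python below is an added example (not RAD's code and not part of the manual): it splits a copy operand into scheme, credentials, host, port and file, enforces the username/password/file/port limits listed above, and masks the password so that the copy line can be recorded (for instance by Syslog command accounting, which logs command entries) without writing the SFTP/SCP/FTP credential into the log. The regular expressions, the DEVICE_FILES set and the redact helper are this example's own; the 1–32 character limit on user/<filename> names comes from the User Directory section.

```python
"""Parser/validator for the copy command's <file-url> operand.

Added example, not RAD code: the grammar (url-prefix forms, file names, length
limits) is taken from the manual text above; the redaction helper is this
example's own suggestion for keeping passwords out of accounting logs.
"""
import re
from dataclasses import dataclass
from typing import Optional

MAX_URL_LEN = 96      # SFTP URL/filename and flash URL limit (manual notes)
MAX_CRED_LEN = 60     # <username> and <password> limit
MAX_USER_FILE = 32    # user/<filename> names are 1-32 characters (User Directory)

# Device-resident file names accepted as <file> (the list under "Where:").
DEVICE_FILES = frozenset({
    "startup-config", "restore-point-config", "rollback-config", "running-config",
    "user-default-config", "factory-default-config", "log", "sw-pack-1", "sw-pack-2",
    "zero-touch-config-xml", "banner-text", "pm-0", "db-schema", "db-config",
    "ltm_1", "ltm_9", "schedule-log", "accounting-log", "sniffer-file",
    "user-script", "script-result", "sw-update-1", "sw-update-2",
})

_REMOTE_RE = re.compile(
    r"^(?P<scheme>tftp|sftp|scp|ftp|ftps)://"
    r"(?:(?P<user>[^:@/\[\]]+):(?P<pw>[^@/]*)@)?"                       # credentials (not for tftp)
    r"(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>\d{1,3}(?:\.\d{1,3}){3}))"   # [ipv6] or ipv4
    r"(?::(?P<port>\d+))?/(?P<file>.*)$"
)
_FLASH_RE = re.compile(r"^flash-(?P<n>\d+):(?P<file>.*)$")


@dataclass(frozen=True)
class FileUrl:
    scheme: str                    # tftp/sftp/scp/ftp/ftps, "flash" or "device"
    file: str
    host: Optional[str] = None     # IPv4, or IPv6 with the brackets removed
    port: Optional[int] = None
    username: Optional[str] = None
    password: Optional[str] = None
    flash: Optional[int] = None    # <flash-number> for flash-<n>: URLs


def parse_file_url(url: str) -> FileUrl:
    """Parse one <file-url>; raise ValueError with the reason when it breaks the rules."""
    m = _REMOTE_RE.match(url)
    if m:
        scheme, user, pw, file = m["scheme"], m["user"], m["pw"], m["file"]
        if scheme == "tftp":
            if user is not None:
                raise ValueError("tftp URLs carry no credentials")
        else:
            if user is None:
                raise ValueError(f"{scheme} URL requires <username>:<password>@")
            if not (1 <= len(user) <= MAX_CRED_LEN and 1 <= len(pw) <= MAX_CRED_LEN):
                raise ValueError("username and password must be 1-60 characters")
        if not 1 <= len(file) <= MAX_URL_LEN:
            raise ValueError("remote file name must be 1-96 characters")
        port = int(m["port"]) if m["port"] else None
        if port is not None and not 1 <= port <= 65535:
            raise ValueError("port must be 1-65535")
        return FileUrl(scheme, file, m["v6"] or m["v4"], port, user, pw)
    m = _FLASH_RE.match(url)
    if m:
        # The limit applies to media name + path + filename together.
        if len(url) > MAX_URL_LEN:
            raise ValueError("flash URL (media + path + filename) exceeds 96 characters")
        return FileUrl("flash", m["file"], flash=int(m["n"]))
    if url in DEVICE_FILES:
        return FileUrl("device", url)
    if url.startswith("user/") and 1 <= len(url) - len("user/") <= MAX_USER_FILE:
        return FileUrl("device", url)
    raise ValueError(f"not a recognised file or URL: {url!r}")


def redact(url: str) -> str:
    """Mask the password in a remote URL (e.g. before writing the copy line to a log)."""
    return re.sub(r"^(\w+://[^:@/]+:)[^@/]*@", r"\1***@", url)


if __name__ == "__main__":
    for u in ("sftp://admin:1234@192.20.20.20/bin/SF-1p.img",   # the manual's SFTP example
              "flash-1:startup-backup", "startup-config", "user/my-script"):
        print(redact(u), "->", parse_file_url(u))
```

Anything that stores or forwards the typed copy line (shell history on the operator's workstation, a jump host's session recorder, the device's own command accounting) should receive the redacted form; the credential itself only needs to reach the device.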
Viewing Copy Status
You can display the status of current and past copy operations, sorted by session start time.
► To display copy status:
• At the file# prompt, enter:
  show copy [summary]
Viewing Information on Files
You can display the following information:
• SecFlow-1p files
• SecFlow-1p user files
• Information on the configuration files
• Contents of configuration text files
• Information on the software files (software packs and updates).
Viewing SecFlow-1p Files
You can display a list of all non-hidden files on the SecFlow-1p host. The list is sorted by type, and then
by name.
Note
• If time of creation is unknown, SecFlow-1p displays the time when it became aware of the
  file’s existence.
• If the file size is unknown, SecFlow-1p displays the size as ‘--’.
► To display SecFlow-1p files:
• At the file# prompt, enter:
  dir
A list of the file names and types is displayed.
Viewing User Directory Files
SecFlow-1p supports the user-file-dir command to list the user files in its user directory, sorted by name.
► To display user files:
• At the file# prompt, enter user-file-dir.
Note
It is optional to enter folder-name, as user is currently the only available
folder.
Viewing Configuration Files
You can display a list of the configuration files in the system, when each was last modified, and whether
each is valid.
► To display information on the configuration files:
• At the file# prompt, enter:
  show configuration-files
Information on the configuration files is displayed.
Viewing Configuration Text File Contents
You can display the contents of each configuration text file stored in the file system.
► To display the contents of non-user configuration text files:
• At the file# prompt, enter one of the following:
  ◦ show factory-default-config
  ◦ show rollback-config
  ◦ show startup-config
  ◦ show user-default-config
The contents of the specified configuration file are displayed.
► To display the contents of user text files (i.e. files stored in the /user directory):
• At the file# prompt, enter show user-dir <filename>.
Note
You can display the contents of a user file that is not binary and contains only
printable characters.
► To display the contents of the running-config file:
• From any level (global command), enter show running-config.
Viewing Software File Details
SecFlow-1p supports a command to display details of installed software packs.
► To display information on the software files:
• At the file# prompt, enter:
  show sw-pack [refresh [<sec>]]
where sec represents the refresh timeout, with range 3–100.
Information on the software files is displayed. The State of a SW file can be one of the following:
active, ready, corrupted, downloading, previous active.
Deleting Files
You can delete the following files:
• restore-point-config
• sw-pack-<n>
• sw-update-<n>
• rollback-config
• startup-config
• user-default-config
• zero-touch-config-xml
Note
• Use caution in deleting files.
• You cannot delete the active software pack.
When software packs are downloaded, SecFlow-1p extracts software packs into corresponding
partitions. If a software pack is deleted, SecFlow-1p erases its corresponding partition.
Deleting software updates does not affect the active software, even if the update has already been
installed.
► To delete a file:
1. At the file# prompt, enter:
   delete <file-name>
You are prompted to confirm the deletion.
2. Confirm the deletion.
Examples
Copying Files within the Device
• Source file name – running-config
• Destination file name – startup-config
copy running-config startup-config
Downloading via SFTP
• SFTP server address – 192.20.20.20
• SFTP user name – admin
• SFTP password – 1234
• Source file name – bin/SF-1p.img
• Destination file name – sw-pack-2
copy sftp://admin:1234@192.20.20.20/bin/SF-1p.img sw-pack-2
Uploading via SFTP
• SFTP server address – 192.20.20.20
• SFTP user name – admin
• SFTP password – 1234
• Source file name – startup-config
• Destination file name – config/db1conf.cfg
copy startup-config sftp://admin:1234@192.20.20.20/config/db1conf.cfg
Copying Files from the Device to SD Card
• Source file name – startup-config
• Destination file name – startup-backup
copy startup-config flash-1:startup-backup
Copying Files from SD Card to the Device
• Source file name – startup-backup
• Destination file name – startup-config
copy flash-1:startup-backup startup-config
Viewing SecFlow-1p Files
file
file# dir
Codes: C-Configuration  S-Software  L-License  LO-Log  O-Other  B-Banner
Name                    Type  Size(Bytes)  Creation Date         Status
db-config               LO    --           2017-06-07 13:00:46
db-schema               LO    --           2017-06-07 13:00:46
pm-0                    LO    9858         2078-12-01 12:48:02
schedule-log            LO    1202         2017-06-07 13:00:46
sw-pack-1               S     22355036     2017-04-12 15:10:50
sw-pack-2               S     22398987     2017-05-29 10:42:45
startup-config          C     964          2017-06-07 12:58:58
rollback-config         C     94753        2017-05-29 16:19:40
user-default-config     C     784          2017-05-29 15:01:10
factory-default-config  C     144          2017-06-07 13:00:48
running-config          C     --           2017-06-12 12:40:39
restore-point-config    C     784          2017-06-04 17:37:48
log                     LO    126          2017-10-21 18:11:14
zero-touch-config-xml   X     31124        2017-10-21 18:29:28
Status column values (in listing order): File In Use, Read Only, File In Use, Read Only,
File In Use, File In Use, Read Only, File In Use, Prev In Use, Read Only
Total Bytes : 2781732864   Free Bytes : 1150779392
Bytes Available for PM : 4990142
Viewing User Directory Files
file
file# user-file-dir
Name               Type  Size (bytes)  Creation Date         Status
-------------------------------------------------------------------
my-default-config  U     2500          01.10.2017 00:00:10   read only
Total Bytes : 4004028416 Free Bytes : 1958920192
Viewing Configuration Files
file
file# show configuration-files
Configuration           Last Modified        Valid
-----------------------------------------------------------------------------
startup-config          2017-06-07 12:58:58  Yes
rollback-config         2017-05-29 16:19:40  Yes
user-default-config     2017-05-29 15:01:10  Yes
factory-default-config  2017-06-07 13:00:48  Yes
running-config          2017-06-12 12:40:39  Yes
Device loaded from : startup-config
startup-config equals running-config
Viewing Configuration File Contents
file# show startup-config
# configuration file
exit all
#
#
configure
Management configuration
management
SNMP Configuration
snmp
snmp-engine-id mac 00-00-00-00-00-00
exit
exit
router 1
name "Router#1"
interface 1
address 172.17.161.37/24
name "eth0"
bind ethernet lan4
dhcp-client
client-id mac
exit
no shutdown
exit
static-route 0.0.0.0/0 address 172.17.161.1 metric 1
exit
exit
Viewing Software Pack Information
show file sw-pack
Name         Version    Creation Time         Actual
----------------------------------------------------------------------------
sw-pack-1    5.0.0.40   2020-09-06 11:04:57   active
sw-pack-2    5.0.0.39   2020-09-02 18:52:56   ready
Deleting a File
file# delete startup-config
! The file will be erased. Are you sure? [yes/no] _yes
9.3 Resetting to Default
SecFlow-1p supports the following types of reset:
• Reset to factory defaults
• Reset to user defaults
• Overall reset (restart) of the product
Note
You can request that the active software pack be confirmed after the next
reboot of SecFlow-1p. Refer to the description of installing software in the
Installation and Setup chapter for details.
Resetting to Factory Defaults
SecFlow-1p can be reset to its factory defaults using either of the following commands:
• factory-default – for customer use
• factory-default-all – not recommended for customer use
The factory-default and factory-default-all commands have the following differences:
• factory-default always reloads SecFlow-1p with factory-default-config. factory-default-all
  reloads SecFlow-1p with user-default-config, if it exists; otherwise, with factory-default-config.
• factory-default copies factory-default-config into startup-config.
  factory-default-all clears the log files and deletes most files, with the exception of
  factory-default-config, user-default-config, software, pm, db-schema, and db-config. It also
  resets file creation times in the file system.
• factory-default-all resets the snmpEngineBoots parameter to 1. This parameter counts the
  number of times the SNMP engine was restarted, and is maintained throughout reboots to
  prevent replay attacks.
Note
The Firewall database cannot be reset using the CLI command.
Note
It is not recommended for customers to use the factory-default-all command,
as it resets the SNMP object (snmpEngineBoots). This can result in the
management station incorrectly assuming that the original device was
replaced by another, impersonating device, and therefore the management
station will refuse to communicate with the device. In such cases, the
manager must manually delete the device from the map and then redraw it.
To avoid such issues resulting from the resetting of snmpEngineBoots, it is
recommended to use user-default or factory-default instead and then
manually delete unneeded files and clear logs, as required.
Caution
Setting SecFlow-1p to factory defaults deletes all existing virtualization
entities and instances, regardless of the configured management mode.
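The Note above describes the effect of resetting snmpEngineBoots but not the mechanism behind it. As an added example (not RAD code and not part of the manual), the Python below models the SNMPv3 USM time-window check from RFC 3414 (section 3.2, step 7b, together with the cache-update rule of section 2.3) that a management station applies to authenticated messages from an agent: once the station has cached a higher snmpEngineBoots for the device, a message carrying snmpEngineBoots = 1 after factory-default-all fails the check and is counted as usmStatsNotInTimeWindows, which is why the station stops communicating until the device is deleted from the map and rediscovered. The engine ID and the boots/time values in the scenario are constructed.

```python
"""Why a manager stops talking to a device whose snmpEngineBoots was reset.

Added example, not RAD code. It models the SNMPv3 USM time-window check a
manager (non-authoritative engine) applies to messages from an agent
(RFC 3414, section 3.2 step 7b, and the cache-update rule of section 2.3).
The cached boots/time values and the engine ID are constructed for the scenario.
"""
from dataclasses import dataclass
from typing import List, Tuple

TIME_WINDOW_SECONDS = 150      # RFC 3414 "Time Window"
MAX_ENGINE_BOOTS = 2147483647  # a boots counter latched at this value is never trusted


@dataclass
class EngineCache:
    """What the manager remembers about one authoritative engine (the agent)."""
    engine_id: bytes
    boots: int          # latest snmpEngineBoots seen from this engine
    latest_time: int    # latest snmpEngineTime seen for that boots value


def in_time_window(cache: EngineCache, msg_boots: int, msg_time: int) -> bool:
    """Manager-side check: a message is rejected (usmStatsNotInTimeWindows) when the
    engine's boots counter went backwards, or boots match but the time is stale."""
    if cache.boots == MAX_ENGINE_BOOTS or msg_boots == MAX_ENGINE_BOOTS:
        return False
    if msg_boots < cache.boots:
        return False
    if msg_boots == cache.boots and msg_time < cache.latest_time - TIME_WINDOW_SECONDS:
        return False
    return True


def update_cache(cache: EngineCache, msg_boots: int, msg_time: int) -> None:
    """RFC 3414 2.3: the manager only ever moves its notion of boots/time forward."""
    if msg_boots > cache.boots or (msg_boots == cache.boots and msg_time > cache.latest_time):
        cache.boots, cache.latest_time = msg_boots, msg_time


def receive(cache: EngineCache, msg_boots: int, msg_time: int) -> bool:
    """Process one authenticated message from the agent; returns whether it was accepted."""
    ok = in_time_window(cache, msg_boots, msg_time)
    if ok:
        update_cache(cache, msg_boots, msg_time)
    return ok


def scenario() -> List[Tuple[str, bool]]:
    """Constructed sequence: normal reboot, then factory-default-all, then re-discovery."""
    cache = EngineCache(b"\x80\x00\x00\x00\x01constructed", boots=7, latest_time=3600)
    log = []
    log.append(("normal reboot: boots 7 -> 8", receive(cache, 8, 5)))
    log.append(("steady state", receive(cache, 8, 900)))
    # factory-default-all resets snmpEngineBoots to 1: the counter goes backwards.
    log.append(("after factory-default-all (boots 1)", receive(cache, 1, 30)))
    log.append(("still rejected an hour later", receive(cache, 1, 3630)))
    # Operator deletes the device from the map and rediscovers it: the cache is rebuilt
    # from a fresh discovery exchange, so the low boots value is accepted again.
    cache = EngineCache(cache.engine_id, boots=0, latest_time=0)
    log.append(("after manager re-discovery", receive(cache, 1, 3700)))
    return log


if __name__ == "__main__":
    for label, accepted in scenario():
        print(f"{'accepted' if accepted else 'REJECTED'}: {label}")
```

The same check is what stops a recorded message from being replayed later: a captured message carries the boots/time of the moment it was sent, and once the manager's cache has moved on, that message is outside the window. A device that reset its own counter looks, to the manager, exactly like such a replay.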
► To reset SecFlow-1p to factory defaults:
1. At the admin# prompt enter:
factory-default
A confirmation message is displayed:
Current configuration will be erased and device will reboot with
factory default configuration. Are you sure? [yes/no]
2. Enter yes to confirm the reset to factory defaults.
The factory-default-config file is copied to the startup-config file. The unit resets, and after it
completes its startup the factory defaults are loaded. If a startup-config confirm request was
active, it is canceled.
► To reset SecFlow-1p to factory defaults and delete its entire database:
1. At the admin# prompt enter: factory-default-all
A confirmation message is displayed:
The device will delete its entire database and reboot. Are you sure?
[yes/no]
2. Enter yes to confirm the reset to factory defaults with configuration and counter reset.
The configuration and counter reset explained above is performed, the unit resets, and after it
completes its startup the factory defaults are loaded. If a startup-config confirm request was
active, it is canceled.
Resetting to User Defaults
You can use the user-default command to reset SecFlow-1p to the configuration stored in
user-default-config, a file which contains user default parameters that are usually different from RAD’s
factory default parameters.
► To reset SecFlow-1p to user defaults:
1. At the admin# prompt enter: user-default
A confirmation message is displayed:
Current configuration will be erased and device will reboot with user
default configuration. Are you sure? [yes/no]
2. Enter yes to confirm the reset to user defaults.
The user-default-config file is copied to the startup-config file. The unit resets, and after it
completes its startup the user defaults are loaded. If a startup-config confirm request was
active, it is canceled.
Restarting SecFlow-1p
If necessary, you can restart SecFlow-1p without interrupting the power supply.
► To restart SecFlow-1p:
1. At the admin# prompt enter: reboot
A confirmation message is displayed:
Device will reboot. Are you sure? [yes/no]
2. Enter yes to confirm the reset.
The unit restarts.
9.4 Inventory
SecFlow-1p supports the display of an inventory table of all the third-party device components,
hardware and software revisions, and power supply types. You can display an inventory table that shows
all installed components, and you can display more detailed information for each component. The
inventory display differs for each product according to the different chassis components and port
configurations.
Applicability and Scaling
This feature is applicable to all the device versions.
Standards Compliance
RFC 4133 – Entity MIB
Benefits
You can monitor the installed components and hardware/software revisions.
Viewing Inventory Information
► To display the inventory table:
• At the config>system# prompt, enter:
  show summary-inventory
The inventory table is displayed (see Example for a typical inventory table output).
You can display more information for each installed inventory component. To do so, you need to enter
the inventory level with the corresponding inventory component index, which is displayed in the Index
column in the output of show summary-inventory.
► To display the inventory component information:
1. Navigate to configure system inventory <index>.
2. Enter:
show status
Information for the corresponding inventory component is displayed according to the following
parameters:
Parameter          Description
Description        Description of component type, in the form RAD.<device-name>.<Physical Class>,
                   e.g. RAD.ETX-2i.Port
Contained In       Index of the component that contains the component for which information is
                   being displayed. This is 0 for the chassis, as it is not contained in any component,
                   and 1001 for all other components, as they are all contained in the chassis.
Physical Class     Class of component
                   Possible values: Chassis, CPU, Power Supply, Fan, Sensor, Port, Container, Module
Relative Position  Contains the relative position of this component among other components in
                   the same index range (e.g. index 4001–4002, etc.)
Name               Name of component
                   Possible values (according to component type):
                   <device-name> – Chassis
                   CPU
                   PS-AC/DC <n>
                   PS-AC <n>
                   PS-DC <n>
                   Fan <n>
                   Temperature Sensor <n>
                   External Clock
                   ETH Port [<slot>/]<n>
                   MNG Port
                   RS-232 Control Port
                   Time of Day Port
                   Mini BNC
                   External Clock Port
HW Rev             Hardware version (relevant only for chassis)
SW Rev             Software version (relevant only for chassis)
FW Rev             Firmware version (relevant only for chassis)
Serial No.         Serial number (blank if unknown for component)
MFG Name           Manufacturer name (blank if unknown for component)
Model Name         Model name (blank if unknown for component)
Alias              Alias name for component
Asset ID           Identification information for component
FRU                Indicates whether this component is a field replaceable unit that can be
                   replaced on site.
                   For ETX-2i this is normally true only for the chassis, and for the dual power
                   supplies.
Processor          Processor name
                   Possible processors:
                   Intel Atom Rangeley C2558
                   Intel Atom Rangeley C2758
Cores              Core size
                   Possible values:
                   4 – Quad
                   8 – Octal
Core Frequency     2.4 GHz
RAM                RAM volume
                   8 GByte
HD Type            Hard Drive type
                   SSD M2.0 format
HD Volume          128 GByte
Examples
► To display inventory information for power supply (index 4002):
config system
config>system# inventory 4002
config>system>inventory(4002)# show status
Description       : Power Supply
Contained In      : 1001
Physical Class    : Power Supply
Relative Position : 2
Name              : PS 1
HW Ver            :
SW Ver            :
FW Ver            :
Serial Number     :
MFG Name          : RAD
Model Name        :
Alias             :
Asset ID          :
FRU               : False
config>system>inventory(4002)#
► To display inventory information for chassis (index 1001):
config>system>inventory(1001)# show status
Description       : Chassis
Contained In      : 0
Physical Class    : Chassis
Relative Position : 1
Name              : SF-1p
HW Ver            : 1.0/a
SW Ver            : 5.0.1.137
FW Ver            :
Serial Number     : 00-55-44-33-2B-41
MFG Name          : RAD
Model Name        : SF-1P/E1/ACEX/4U2S/2RS/L1/G/WF
Alias             :
Asset ID          :
FRU               : True
9.5 Login Banner
You can define a banner to be displayed before the login prompt for user name (using the CLI command
login-message), as well as a banner to be displayed following successful login (using the CLI command
announcement).
Note
If you are accessing SecFlow-1p via SSH, the banner is printed between the
user name prompt and the password prompt.
Applicability and Scaling
This feature is applicable to all the device versions.
Functional Description
Pre-login and post-login banner messages must satisfy the following:
• The message must be enclosed in single quotation marks.
• Pressing <Enter> before entering a closing quotation mark results in the warning message:
  Enter message. End with the single quotation character (‘).
• A message that spans multiple lines is interpreted as if it were written on one line; <cr> and <lf>
  between lines in the configuration file or command are ignored.
• A message can contain printable characters, as well as the following special characters (only
  relevant for CLI; from SNMP, these characters should be entered normally):
  ◦ \n – new line
  ◦ \t – horizontal tab
  ◦ \’ – single quotation mark
  ◦ \\ – backslash
• Using special characters reduces the maximum number of printable characters that the
  banner can contain. For example, if the banner contains \n, up to 1998 additional printable
  characters can be used.
• The banner can be up to 2000 characters long (including the escape characters). An attempt to
  configure a longer banner results in the CLI error: Banner may not exceed 2000 characters.
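The rules above define a small grammar for the <message> operand. The Python below is an added example (not RAD code and not part of the manual): parse_banner_argument() decodes an operand the way the rules describe (quote enclosure, the four escape sequences, ignored line breaks, printable characters only, the 2000-character limit counted on the escaped form) and raises the CLI's own wording where the manual gives it; encode_banner() does the reverse for an operator who generates configuration from a desired banner text. The error texts for an unsupported escape sequence and for a non-printable character are this example's own, since the manual does not state what the CLI prints in those cases.

```python
"""Decoder/encoder for SecFlow-1p login-message and announcement operands.

Added example, not RAD code. The rules (single-quote enclosure, the escapes
\\n \\t \\' \\\\, ignored <cr>/<lf>, 2000-character limit including escape
characters) come from the manual; error wording not quoted by the manual is
this example's own.
"""
MAX_BANNER_CHARS = 2000
ESCAPES = {"n": "\n", "t": "\t", "'": "'", "\\": "\\"}


class BannerError(ValueError):
    """Raised with the text the CLI would print."""


def parse_banner_argument(arg: str) -> str:
    """Decode the quoted <message> operand as typed; return the banner text."""
    if not arg.startswith("'"):
        raise BannerError("Message must be enclosed in single quotation marks")
    raw_len = 0          # characters that count against the 2000 limit
    decoded = []
    i = 1
    while i < len(arg):
        ch = arg[i]
        if ch in "\r\n":                 # line breaks inside the operand are ignored
            i += 1
            continue
        if ch == "'":                    # closing quotation mark
            if arg[i + 1:].strip():
                raise BannerError("Unexpected text after the closing quotation mark")
            if raw_len > MAX_BANNER_CHARS:
                raise BannerError("Banner may not exceed 2000 characters")
            return "".join(decoded)
        if ch == "\\":                   # escape sequence: two raw characters
            nxt = arg[i + 1:i + 2]
            if nxt not in ESCAPES:
                raise BannerError(f"Unsupported escape sequence \\{nxt}")   # example's wording
            decoded.append(ESCAPES[nxt])
            raw_len += 2
            i += 2
            continue
        if not ch.isprintable():
            raise BannerError(f"Non-printable character U+{ord(ch):04X} in banner")  # example's wording
        decoded.append(ch)
        raw_len += 1
        i += 1
    raise BannerError("Enter message. End with the single quotation character (')")


def encode_banner(text: str) -> str:
    """Inverse: build the quoted CLI operand for a desired banner text."""
    reverse = {v: k for k, v in ESCAPES.items()}
    body = "".join("\\" + reverse[c] if c in reverse else c for c in text)
    if len(body) > MAX_BANNER_CHARS:
        raise BannerError("Banner may not exceed 2000 characters")
    return "'" + body + "'"


if __name__ == "__main__":
    operand = encode_banner("Authorized Users Only\nIt's monitored.")
    print("login-message", operand)
    print(parse_banner_argument(operand))
```

Because the limit is counted on the escaped form, an operator who assembles a banner with many line breaks or quotation marks should size it with encode_banner() rather than by the length of the intended text.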
Configuring Login Banners
► To configure a pre-login banner:
1. Navigate to configure system.
The config>system# prompt is displayed.
2. Type login-message <message>, enclosing the message in quotes.
At the next login, this pre-login banner is displayed.
Note
Type no login-message to remove a previously configured pre-login banner.
► To configure a post-login banner:
1. Navigate to configure system.
The config>system# prompt is displayed.
2. Type announcement <message>, enclosing the message in quotes.
After the next login, this post-login banner is displayed.
Note
Type no announcement to remove a previously configured post-login banner.
You can display the banners configured for SecFlow-1p by navigating to the product level and entering
info.
Example
info
configure
echo "System Configuration"
#
System Configuration
system
login-message 'Authorized Users Only'
announcement 'Successful Login!'
exit
The configured banners are displayed before and after login, as shown below.
Authorized Users Only
user>su
password>****
Successful Login!
SecFlow-1p
10. Monitoring and Diagnostics
566
10 Monitoring and Diagnostics
10.1 Dry Contacts
SecFlow-1p can display system and feature alarms as relay output. The alarm relay allows control of an
external circuit. When a certain event occurs, the alarm input can produce a warning signal to report the
event.
For setting the alarms, four optocoupler contacts marked “I/O ALARM” (or “DRY CONTACT”) are used.
Applicability and Scaling
Input signals should be in the voltage range 10–57 V and provide a minimum current of 10 mA at the higher voltage.
Functional Description
See Connecting to a Dry Contacts Terminal section in the Installation and Setup chapter.
Factory Defaults
By default, the alarms are disabled.
Configuring Alarms
This section describes how to configure dry contact alarm properties.
Factory Defaults
Configuration defaults are listed in the table below.
Parameter   Description                                         Default Value
active      Alarm-input: active state of the port input line    off
► To configure dry contact alarm properties:
1. Navigate to configure reporting.
   The config>reporting# prompt is displayed.
2. Enter all necessary commands according to the tasks listed below.
Task: Setting the active state of the port input line and alarm description
Command: alarm-input <input-port> [active {high | low | off}] [description <description-string>]
Comments:
  <input-port> values are 1..2 or 1..3 (according to the ordering option)
  high – Active alarm input is indicated by high voltage
  low – Active alarm input is indicated by low voltage
  off – Alarm input is disabled
  <description-string> – a free-text alarm name
Task: Displaying the state of input alarms and configured voltage for each input line
Command: show alarm-input
Comments:
  Status:
  • Active – an active external alarm is present on the port
  • Inactive – external alarm is not active or port is in shutdown state
  Voltage: as defined by the alarm-input <slot>/<port> [active {high | low | off}] command
  Description: as configured in the alarm-input command
Task: Defining the output relay (dry contact) and its state when an alarm is present
Command: alarm-output port <alarm-output-number> energized {yes | no}
Comments:
  Energizing:
  • energized yes – The corresponding relay is normally unenergized and switches to the
    energized state when the alarm is active.
  • energized no – The corresponding relay is normally energized and switches to the
    unenergized state when the alarm is active.
  The relay contacts are normally open.
  The maximum number of possible alarm outputs is 2 or 3, depending on the device ordering option.
Task: Temporarily silencing an active alarm output
Command: alarm-cut-off port <alarm-output-number>
Task: Binding an alarm of a specific source type to an alarm output port
Command: [no] bind-alarm-to-relay <source-type> {<alarm-name> | all} alarm-output <alarm-output-number>
Comments:
  For the list of source types and corresponding alarm names, refer to the alarm list under Alarms and
  Events in this chapter.
  For example:
  bind-alarm-to-relay ethernet alarm los alarm-output 1
  bind-alarm-to-relay ethernet alarm all alarm-output 1
  Using no before the command cancels the alarm binding.
  If the specified alarm output is already bound, by this command or by bind-alarm-source-to-relay,
  the new command replaces the previous binding.
Task: Binding an alarm of a specific source type on a specific user port to an alarm output port
Command: bind-alarm-source-to-relay <source-type> {<alarm-name> | all} <source-id> alarm-output <alarm-output-number>
Comments:
  For the list of source types and corresponding alarm names, refer to the alarm list in this chapter.
  For example:
  bind-alarm-source-to-relay ethernet all wan1 alarm-output 1
  bind-alarm-source-to-relay ethernet los wan1 alarm-output 1
  no bind-alarm-to-relay cancels the alarm binding.
  If the specified alarm output is already bound, by this command or by bind-alarm-to-relay, the new
  command replaces the previous binding.
Task: Displaying all the alarm outputs
Command: show alarm-outputs
10.2 Syslog
SecFlow-1p uses the Syslog protocol to generate and transport event notification messages over IP
networks to Syslog servers.
Syslog protocol collects heterogeneous data into a single data repository. It provides system
administrators with a single point of management for collecting, distributing, and processing audit data.
Syslog standardizes log file formats, making it easier to examine log data with various standard tools.
Data logging can be used for:
• Long-term auditing
• Intrusion detection
• Tracking user and administrator activity
• Product operation management
Applicability and Scaling
This feature is applicable to all the device versions.
Standards Compliance
RFC 3164 - The BSD syslog Protocol
RFC 5674 - Alarms in Syslog
Functional Description
The Syslog protocol provides an instrument for generating and transporting event notification messages
from SecFlow-1p to servers across IP networks.
Elements
Typical Syslog topology includes message senders (clients) and message receivers (servers). SecFlow-1p
supports Syslog client functionality. It can send messages to up to five Syslog servers. The receiver
displays, stores, or forwards logged information.
Transport Protocol
Usually, Syslog uses UDP port 514 for its transport, but devices and servers can be defined to use any
port for communication.
Message Format
The length of a Syslog message is 1024 bytes or less. It contains the following information:
• Facility and severity (see below)
• Host name or IP address of the device
• Timestamp
• Message content
A typical Syslog message looks like this:
<145>Jan 15 13:24:07 172.17.160.69 Eth 1: Loss of signal (LOS)
Facilities and Severities
Facility designates a device or application that sends a message. The standard includes some predefined
facilities in the 0–15 range. For originator identification, SecFlow-1p can be configured to use facilities
local1–local7; local1 is the default facility.
Severity is assigned to a message to specify its importance. SecFlow-1p uses the following severity
designations:
Code   Syslog Type     Description
0      Emergency       Emergency message, not in use
1      Alert           Critical alarm
2      Critical        Major alarm
3      Error           Minor alarm
4      Warning         Event
5      Notice          Cleared alarm and accounting message
6      Informational   Informational message, not in use
7      Debug           Debug-level messages, not in use
Factory Defaults
By default, Syslog operation is disabled. When enabled, the default parameters are as follows:
Parameter        Default Value
facility         local1
port             514
severity-level   informational
shutdown         shutdown
Configuring Syslog Parameters
When configuring Syslog parameters, it is necessary to enable Syslog device (client) and define Syslog
servers. The remaining configuration is optional.
► To configure the Syslog device:
1. Navigate to configure system syslog device.
The config>system>syslog(device)# prompt is displayed.
2. Enter the necessary commands according to the tasks listed below.
Task: Defining a facility from which Syslog messages are sent
Command: facility {local1 | local2 | local3 | local4 | local5 | local6 | local7}
Task: Defining Syslog device UDP port for communication
Command: port <udp-port-number>
Comments:
  Possible values: 1–65535
  Port configuration is allowed only if the Syslog device is administratively disabled.
Task: Defining severity level
Command: severity-level {emergency | alert | critical | error | warning | notice | informational | debug}
Comments:
  The log messages that contain a severity level above or equal to the specified level are transmitted.
  • emergency – emergency messages
  • alert – critical alarms
  • critical – major alarms
  • error – minor alarms
  • warning – events
  • notice – cleared alarms, accounting messages
  • informational – informational messages; not in use
  • debug – debug messages; not in use
Task: Administratively enabling Syslog device
Command: no shutdown
Comments: shutdown administratively disables the Syslog device.
Task: Displaying Syslog statistics
Command: show statistics
Comments: See Viewing Syslog Statistics
Task: Clearing Syslog statistics
Command: clear-statistics
To configure a Syslog server:
1. Navigate to configure system.
The config>system# prompt is displayed.
2. At the config>system# prompt, enter syslog server <server-ID> to specify the server to receive
Syslog messages, where <server-ID> is 1 to 5.
The config>system>syslog(server/<server-ID>)# prompt is displayed.
3. Enter the necessary commands according to the tasks listed below.
Task: Enabling Syslog commands accounting (logging of command entries)
Command: [no] accounting commands
Comments: To disable command logging, enter no accounting

Task: Defining Syslog server IP address
Command: address <ip-address>
Comments: ip-address – Syslog server IP address. Possible values: 0.0.0.0–255.255.255.255

Task: Defining Syslog server UDP port for communication
Command: port <udp-port-number>
Comments: udp-port-number – UDP port. Possible values: 1–65535

Task: Administratively enabling Syslog server
Command: no shutdown
Comments: shutdown administratively disables the Syslog server. Note: This command is available only after you define the Syslog server IP address.
Example
• Server IP address: 178.16.173.152
• UDP port: 155
exit all
configure system
syslog device
no shutdown
exit
syslog server 1
address 178.16.173.152
port 155
no shutdown
save
exit all
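As an added example (not RAD's code), the collector-side counterpart of the severity table and severity-level filter above: a Python decoder that maps the <PRI> header of messages from the gateway to the manual's severity designations, reproduces the at-or-above filter rule, and flags lines whose facility is not the configured local1. The sample message lines and the standard <PRI> header format are assumptions, not captured device output.

```python
"""Decode syslog messages received from a SecFlow-1p on a collector and map
them to the manual's severity table.

Added example for this page, not RAD code. The message lines below are
constructed samples, not captured device output; the <PRI> header format is
the standard BSD/RFC 5424 one, which the manual does not spell out.
"""
import re
from dataclasses import dataclass

# Severity codes exactly as the manual's table lists them: code -> (Syslog type, meaning)
SEVERITY = {
    0: ("Emergency", "Emergency message, not in use"),
    1: ("Alert", "Critical alarm"),
    2: ("Critical", "Major alarm"),
    3: ("Error", "Minor alarm"),
    4: ("Warning", "Event"),
    5: ("Notice", "Cleared alarm and accounting message"),
    6: ("Informational", "Informational message, not in use"),
    7: ("Debug", "Debug-level messages, not in use"),
}
NAME_TO_CODE = {name.lower(): code for code, (name, _) in SEVERITY.items()}
# Facilities the device can be configured with (local1 is the factory default);
# local0 has facility code 16, so localN is 16 + N.
FACILITY_CODE = {f"local{n}": 16 + n for n in range(1, 8)}
CODE_TO_FACILITY = {code: name for name, code in FACILITY_CODE.items()}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass(frozen=True)
class Decoded:
    facility: str
    severity: int
    syslog_type: str
    meaning: str
    body: str


def decode(raw: str) -> Decoded:
    """Split off the <PRI> header; PRI = facility * 8 + severity."""
    m = _PRI_RE.match(raw)
    if m is None:
        raise ValueError("message has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    fac_code, sev = divmod(pri, 8)
    facility = CODE_TO_FACILITY.get(fac_code, f"facility{fac_code}")
    syslog_type, meaning = SEVERITY[sev]
    return Decoded(facility, sev, syslog_type, meaning, m.group(2).strip())


def device_transmits(severity: int, configured_level: str) -> bool:
    """Mirror the device-side severity-level filter: messages at or above the
    configured level are sent. 'Above' means more urgent, i.e. a numerically
    lower code (0 = Emergency ... 7 = Debug), so the test is severity <= level."""
    return severity <= NAME_TO_CODE[configured_level.lower()]


def triage(lines, expected_facility="local1"):
    """Bucket decoded messages by the manual's alarm classes and flag messages
    that do not carry the facility configured on the gateway (a cheap check
    that a line really matches the expected sender configuration)."""
    buckets = {"critical": [], "major": [], "minor": [], "event": [], "cleared": [], "other": []}
    by_code = {1: "critical", 2: "major", 3: "minor", 4: "event", 5: "cleared"}
    facility_mismatch = []
    for line in lines:
        msg = decode(line)
        if msg.facility != expected_facility:
            facility_mismatch.append(msg)
        buckets[by_code.get(msg.severity, "other")].append(msg)
    return buckets, facility_mismatch


# Constructed sample lines: local1 (code 17) gives PRI 136..143, local2 gives 144..151
SAMPLE_LINES = [
    "<137>SecFlow-1p ethernet 3: link down",          # 17*8+1  Alert   -> critical alarm
    "<139>SecFlow-1p gre-tunnel 1: keepalive lost",   # 17*8+3  Error   -> minor alarm
    "<140>SecFlow-1p user admin login from Serial",   # 17*8+4  Warning -> event
    "<141>SecFlow-1p ethernet 3: link down cleared",  # 17*8+5  Notice  -> cleared alarm
    "<149>other-host ssh session closed",             # 18*8+5  local2  -> facility mismatch
]

if __name__ == "__main__":
    classes, odd = triage(SAMPLE_LINES)
    for name, msgs in classes.items():
        for m in msgs:
            print(f"{name:8} {m.facility:9} {m.syslog_type:13} {m.body}")
    print("facility mismatches:", [m.body for m in odd])
```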
Configuration Errors
The following table lists messages generated by SecFlow-1p when a configuration error is detected.
Message: Syslog Port is out of range
Description: Selected UDP port value is out of allowed range (1–65535).

Message: Port is illegal or Device Port is already in use
Description: Selected UDP port is already in use.

Message: Parameter cannot be changed if Logging Status/Server Access is enabled
Description: Device/server UDP port or server IP address cannot be changed while Syslog server is enabled.

Message: Illegal Severity
Description: Invalid severity value

Message: Illegal Facility
Description: Invalid facility value

Message: Illegal Server IP Address
Description: Invalid server IP address
Viewing Syslog Statistics
To display Syslog statistics:
1. Navigate to configure system syslog device.
The config>system>syslog(device)# prompt is displayed.
2. At the config>system>syslog(device)# prompt, enter show statistics.
Syslog statistics appear as shown below. The counters are described in the following table.
config>system>syslog(device)# show statistics
Total Tx Messages           : 356
Non-queued Dropped Messages : 265

Parameter                    Description
Total Tx Messages            The total number of Syslog messages transmitted
Non-queued Dropped Messages  The total number of Syslog messages that were dropped before being queued
To clear Syslog statistics:
1. Navigate to configure system syslog device.
The config>system>syslog(device)# prompt is displayed.
2. At the config>system>syslog(device)# prompt, enter clear-statistics.
The Syslog statistic counters are set to 0.
10.3 Performance Management
VCPE-OS supports collection of performance management (PM) statistics for analyzing the device’s
service quality. The device periodically collects PM statistics into a pm-0 binary file for retrieval and
analysis by RADview and for display in the RADview PM portal (refer to the RADview System User
Manual for further details on the PM portal).
The PM collection process can be globally enabled (the default) or disabled for the entire device. In
addition, the statistics collection can be enabled for all entities of a specific type, or for specific entities,
enabling collection of necessary data only.
Functional Description
PM Statistics Collection
PM statistics collection is configured for the device, entity type, and specific entities. PM statistics are
collected for the following types of entities:
• Ethernet ports
• System parameters: memory usage and CPU utilization
If PM statistics collection is disabled for a particular entity type, then no PM statistics collection is done
for any entity of that type, except those for which PM statistics collection is enabled.
When PM statistics collection is enabled for all entities of the same type, then when a new entity of that
type is added the device automatically starts collecting PM statistics for it, as soon as PM statistics
maintenance (if applicable) is enabled for the entity.
Note
If you are using the RADview PM Portal, it is recommended to enable PM
statistics collection for all relevant entities. See Examples for a script that you
can use for this purpose.
PM statistics collection is performed at user-configurable intervals of one second to 15 minutes. A
different interval can be configured for each entity type, and for specific entities.
If different intervals are scheduled for collection at the same time, VCPE-OS collects the PM statistics
starting with the interval that has the highest frequency, and ending with the interval that has the
lowest frequency. If VCPE-OS has not finished collecting the statistics for an interval when the scheduled
time for another interval arrives, the following action is taken according to whether the new interval is
the next interval, or an interval with higher frequency:
• If it is the next interval, then the next interval is canceled, and a PM record indicating the cancellation is inserted in the PM data.
• If it is an interval with higher frequency, then VCPE-OS collects the higher frequency interval statistics and then resumes collecting the lower frequency interval statistics.
The PM data is retrieved from VCPE-OS by RADview via TFTP or SFTP. After PM data is retrieved, VCPE-OS
deletes the file and opens a new one for further data.
The PM file includes the following information: buffer (kernel) memory utilization and TCA, CPU
utilization, memory utilization, flash memory utilization, and device uptime.
Factory Defaults
Command: pm
Level under config: reporting
Default: pm
Remarks: PM statistics collection in the device is globally enabled by default.

Command: pm-collection
Level under config: Specific entity level
Default: Disabled
Remarks: PM statistics collection for specific entities is not explicitly configured by default; therefore, it is disabled until statistics collection is enabled for the entity type or entity.

Command: pm-collection ethernet
Level under config: reporting
Default: Disabled
Remarks: PM statistics collection for Ethernet ports is not explicitly configured by default; therefore, it is disabled.

Command: pm-collection system
Level under config: reporting
Default: Disabled
Remarks: PM statistics collection for memory usage and CPU utilization is not explicitly configured by default; therefore, it is disabled.
Configuring Performance Management
You can configure PM statistics collection for the entire device via the pm command, and for entity
types via the pm-collection command, in the reporting level. For specific entities, you can configure PM
statistics collection via pm-collection, in the specific entity level.
You can configure the device to record statistics at fixed intervals using the pm-collection interval
<seconds> command. For parameters that are not zeroed regularly, it is recommended to record
statistics at fixed intervals. The interval parameter for the pm-collection command can range from 1 to
900 seconds (15 minutes); however, the value must divide evenly into 3600. It is also recommended to
set the interval value at 60 seconds or higher. Different intervals can be specified for an entity type and
for specific entities of that type, up to a supported maximum number of intervals. For example, if the
PM statistics collection interval for all Ethernet ports is configured to 15 minutes, and the PM statistics
collection interval for Ethernet 1 port is configured to 1 minute, the data displayed in the RADview PM
portal shows Ethernet data for every 15 minutes, and Ethernet 1 data for every minute.
The following shows the PM statistics collection configuration tasks, and their corresponding
commands, as well as the level of each command.
Task: Enabling PM statistics collection for a specific Ethernet port
Level under config: port > ethernet(<port-name>)
Command: pm-collection interval <seconds>
Comments: PM collection can be enabled at a defined interval. It is recommended to set the interval value at 60 seconds or higher. Enter no pm-collection to disable PM statistics collection for the Ethernet port.

Task: Globally enabling PM statistics collection for device
Level under config: reporting
Command: pm
Comments: Enter no pm to disable all PM statistics collection in VCPE-OS. Note: no pm stops all PM collection regardless of other PM configuration; however, it does not change other configurations. It deletes any collected PM data and PM files, as well.

Task: Enabling PM statistics collection for Ethernet ports
Level under config: reporting
Command: pm-collection ethernet {interval <seconds>}
Comments: PM collection can be enabled at a defined interval. It is recommended to set the interval value at 60 seconds or higher. Enter no pm-collection eth to disable PM statistics collection for Ethernet ports.

Task: Enabling PM statistics collection for system parameters
Level under config: reporting
Command: pm-collection system {interval <seconds>}
Comments: PM collection can be enabled at a defined interval. It is recommended to set the interval value at 60 seconds or higher. Enter no pm-collection system to disable PM statistics collection for system parameters.
Note
PM statistics are collected for entities for which PM statistics collection is
specifically enabled in the entity level via pm-collection, even if PM statistics
collection for the entity type is disabled.
Viewing Performance Management Configuration
You can use the info detail command to view the performance management configuration.
To view the performance management configuration for the device and for entity types:
1. Navigate to configure reporting.
2. Enter info detail | include pm to view PM-related commands in the configuration.
To view the performance management configuration for specific entities:
1. Navigate to the specific entity level.
2. Enter info detail | include pm to view PM-related commands in the configuration.
Examples
To enable PM for all relevant entities in the device:
• PM statistics collection enabled for device
• PM statistics collection enabled for all relevant entities, every five minutes.
exit all
configure reporting
#**** Enable PM in device
pm
#**** Enable PM for Eth ports, collection interval=5 min
pm-collection ethernet interval 300
exit all
save
To configure the following PM:
• PM statistics collection enabled for device.
• PM statistics collection enabled for Ethernet ports, every two minutes.
• PM statistics collection for Ethernet port 3 configured to every minute.
exit all
configure reporting
#**** Enable PM in device
pm
#**** Enable PM for Eth ports, collection interval=2 min
pm-collection eth interval 120
exit all
#**** Configure PM statistics collection interval for Ethernet port 3, to 1 min
configure port ethernet 3
pm-collection interval 60
exit all
save
To display the PM configuration from the above example:
# configure reporting
config>reporting# info detail | include pm
pm
pm-collection ethernet interval 120
config>reporting# exit all
# configure port ethernet 3
config>port>eth(3)# info detail | include pm
pm-collection interval 60
Configuration Errors
The following table lists the messages displayed by SecFlow-1p when a configuration error is detected.
Message: Invalid interval; must divide evenly into 3600
Description: The pm-collection command was entered with an interval value that does not divide evenly into 3600.

Message: Cannot execute; too many different intervals
Description: Attempt was made to configure more than 5 different intervals.
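An added example (not RAD code) that checks a planned pm-collection configuration offline against the rules in this section: the interval range, divisibility into 3600, the limit of 5 different intervals, the entity-over-type precedence, and the highest-frequency-first collection order on a clash; the two error strings are the ones in the table above. The class, its method names and the CLI rendering are assumptions made for the example.

```python
"""Validate SecFlow-1p pm-collection intervals before they are pushed to a device.

Added example for this page, not RAD code. It enforces the rules the manual
states (1..900 seconds, must divide 3600 evenly, at most 5 different intervals,
60 s or more recommended), reproduces the two Configuration Errors messages,
applies the precedence rule (an entity-level interval wins over its type;
'no pm' stops everything) and orders collections due at the same moment from
the highest-frequency interval down. Class and method names are assumptions;
the CLI wording follows the manual's own examples.
"""
from dataclasses import dataclass, field

MIN_SECONDS, MAX_SECONDS, HOUR = 1, 900, 3600
MAX_DISTINCT_INTERVALS = 5
RECOMMENDED_MIN = 60
ERR_DIVIDE = "Invalid interval; must divide evenly into 3600"
ERR_TOO_MANY = "Cannot execute; too many different intervals"


@dataclass
class PmConfig:
    device_enabled: bool = True                            # 'pm' under config>reporting (default on)
    type_intervals: dict = field(default_factory=dict)     # {"ethernet": 300, "system": 60}
    entity_intervals: dict = field(default_factory=dict)   # {("ethernet", "3"): 60}
    warnings: list = field(default_factory=list)

    def _distinct(self):
        return set(self.type_intervals.values()) | set(self.entity_intervals.values())

    def _validate(self, seconds):
        if not MIN_SECONDS <= seconds <= MAX_SECONDS:
            raise ValueError(f"interval must be {MIN_SECONDS}-{MAX_SECONDS} seconds")
        if HOUR % seconds:
            raise ValueError(ERR_DIVIDE)
        if seconds not in self._distinct() and len(self._distinct()) >= MAX_DISTINCT_INTERVALS:
            raise ValueError(ERR_TOO_MANY)
        if seconds < RECOMMENDED_MIN:
            self.warnings.append(f"interval {seconds} s is below the recommended 60 s")

    def set_type_interval(self, entity_type, seconds):
        """pm-collection <type> interval <seconds> at the reporting level."""
        self._validate(seconds)
        self.type_intervals[entity_type] = seconds

    def set_entity_interval(self, entity_type, entity_id, seconds):
        """pm-collection interval <seconds> at the specific entity level."""
        self._validate(seconds)
        self.entity_intervals[(entity_type, entity_id)] = seconds

    def effective_interval(self, entity_type, entity_id):
        """Seconds between collections for one entity, or None when not collected."""
        if not self.device_enabled:                              # 'no pm' overrides everything
            return None
        if (entity_type, entity_id) in self.entity_intervals:    # entity setting wins over type
            return self.entity_intervals[(entity_type, entity_id)]
        return self.type_intervals.get(entity_type)

    def due_at(self, second_of_hour):
        """Intervals scheduled at this second, highest frequency first, which is
        the order the manual says VCPE-OS collects them in when they coincide."""
        return sorted(i for i in self._distinct() if second_of_hour % i == 0)

    def to_cli(self):
        """Render the configuration as a CLI script in the manual's style
        (specific entities are Ethernet ports, the only entity type with them)."""
        lines = ["exit all", "configure reporting", "pm" if self.device_enabled else "no pm"]
        for etype, secs in sorted(self.type_intervals.items()):
            lines.append(f"pm-collection {etype} interval {secs}")
        lines.append("exit all")
        for (etype, eid), secs in sorted(self.entity_intervals.items()):
            lines += [f"configure port {etype} {eid}", f"pm-collection interval {secs}", "exit all"]
        return lines + ["save"]


if __name__ == "__main__":
    cfg = PmConfig()
    cfg.set_type_interval("ethernet", 120)        # all Ethernet ports every 2 min
    cfg.set_entity_interval("ethernet", "3", 60)  # port 3 every minute
    print("\n".join(cfg.to_cli()))
    print("due at second 240:", cfg.due_at(240))
```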
10.4 Detecting Problems
An alarm is an indication of a fault in SecFlow-1p. An event is an occurrence in SecFlow-1p that may be a
fault, user login, change in port status, etc. An SNMP trap can be sent to management stations as the
result of an alarm or event. Besides traps, Syslog messages can also be sent as a result of alarms or events
(see Syslog above). In addition, NETCONF notifications are sent to each NETCONF client that has created
a notification subscription (see NETCONF-Based Network Management in the Management and
Security chapter).
You can configure alarms and events to pop up on the serial CLI terminal.
Alarms and events have the following properties:
Source Type: An entity for which alarms and events can be generated. The source consists of a source type (e.g. Ethernet port) and source ID (e.g. port number, in case of Ethernet port). Available source types: system, bgp-peer, gre-tunnel
Name: Unique alphanumeric identification of the alarm/event, up to 32 characters
Description: Alphanumeric description that provides details on the alarm/event
Trap Name: Name of trap
ID: Unique numeric identification of the alarm/event
Default Severity: Alarms only; Critical, Major, or Minor
Controlling Popup Behavior
Alarms and events are displayed (pop up) on active CLI terminals as soon as they occur. You can disable
the popups per management session. It is relevant only for a management session (serial or SSH) for
which it is configured, and does not affect any other active session.
The current alarm/event popup status is available in the show users-details screen (see below).
To disable or enable alarm/event popups:
• At any level, enter popup-suspend to disable alarm/event popups.
• Enter no popup-suspend to enable alarm/event popups.
To display the user information:
• At the configure>management# prompt, enter show users-details.
configure management show users-details
User:1234 Level:su Popup:Disabled
From:Serial For(sec):281744
User:123456 Level:su Popup: Enabled
From:100.100.100.100/SSH For(sec):4510
Alarms and Events
You can view the full lists of alarms and events supported by SecFlow-1p.
Note
When viewing this file online, embedded attachments may not open due to your browser settings. Downloading this file from www.rad.com and viewing it offline guarantees that embedded files always open.
To view the alarms table:
• Double-click the paper clip image on the following line.
To view the events table:
• Double-click the paper clip image on the following line.
Note
Virtualization alarms and events are not relevant to this version of SecFlow-1p.
10.5 Running a Ping Test
You can ping a remote IPv4 or IPv6 host to check the SecFlow-1p IP connectivity with that host.
Applicability and Scaling
This feature is applicable to all the device versions.
Functional Description
You can define the number of pings (packets) to generate or configure a continuous ping (infinite). The
ping generator continues to generate ping requests according to the number of configured pings, or
until you manually disrupt it (by pressing Ctrl+C).
Configuring a Ping Test
To ping an IP host:
• In any level, start pinging the host, specifying its IP address (IPv4 or IPv6) and optionally the number of packets to send, payload size (in bytes), router entity number and source address:
ping <ip-address> [number-of-packets <packets>] [payload-size <bytes>] [router-entity <number>] [source-address <address>]
Ping Test Parameters
Parameter          Description             Value
<ip-address>       Destination IP address  Valid IPv4 or IPv6 address (any unicast address). Note: Multicast address is not allowed.
number-of-packets  Number of pings         Possible values: 0 (forever), 1-10000. Default: 5
payload-size       Packet size             Possible values: 32-1450 bytes
router-entity      Related router-entity   Possible values: 1-max-vrf-number
source-address     Source IP address       Valid IPv4 or IPv6 address (any unicast address)
If the remote host answers, SecFlow-1p displays the ping results including the round trip delay, rounded
as in the following table.
Ping Round Trip Results
Round Trip Delay           Displayed in Ping Results
<= 10 msec                 time < 10 ms
>= 11 msec and <= 20 msec  time < 20 ms
>= 21 msec and <= 30 msec  time < 30 ms
>= 31 msec and <= 40 msec  time < 40 ms
Examples
#ping 10.10.10.10
Reply from 10.10.10.10: bytes = 32, packet number = 0, time < 10 ms
Reply from 10.10.10.10: bytes = 32, packet number = 1, time < 10 ms
Reply from 10.10.10.10: bytes = 32, packet number = 2, time < 10 ms

config>router(1)# ping 35.35.35.2 source-address 12.12.12.12
Reply from 35.35.35.2: bytes = 32, packet number = 0, time <= 1 ms
Reply from 35.35.35.2: bytes = 32, packet number = 1, time <= 1 ms
Reply from 35.35.35.2: bytes = 32, packet number = 2, time <= 1 ms
Reply from 35.35.35.2: bytes = 32, packet number = 3, time <= 1 ms
Reply from 35.35.35.2: bytes = 32, packet number = 4, time <= 1 ms
5 packets transmitted. 5 packets received, 0% packet loss
round-trip (ms) min/avg/max = 1/1/1
10.6 Tracing the Route
This diagnostic utility traces the route through the network from SecFlow-1p to the destination host.
The trace route utility supports up to 30 hops.
Applicability and Scaling
This feature is applicable to all the device versions.
Running Trace Route
To trace a route:
• In any level, start the trace route and specify the IP address (IPv4 or IPv6) of the host to which you intend to trace the route:
trace-route <1.1.1.1–255.255.255.255>
10.7 Technical Support
For technical support of registered products, contact your local authorized RAD partner or go to
RADCare Online (if you have a valid RADCare service package).
RAD would like your help in improving its product documentation. Please send us an e-mail with your
comments.
Thank you for your assistance!
11 Software Upgrade
This chapter explains how to upgrade SecFlow-1p for software version 5.x.x.
Software upgrade is required to fix product limitations, enable new features, or make the unit
compatible with other devices that are already running the new software version.
The device can store up to two software images, referred to as software packs. It is recommended to
name these software packs sw-pack-1 and sw-pack-2. You can designate any of the software packs as
active.
vCPE-OS also supports partial software updates. Partial software updates include "update" in the
software image name. They should be downloaded to the device as sw-update-1 and sw-update-2 and
installed. Each update includes patches and contains all the previous updates of the same baseline
software. During installation, the device installs all the updates that are not already installed. Software
update files are usually delivered as small files, saving installation time and bandwidth.
Each software pack is protected by a digital signature, signed by a dedicated RAD CA (Certification
Authority). The signature verifies the following:
• This is vCPE-OS software
• This software was created by RAD
• The software was not changed
Any unsigned software pack is rejected. This security mechanism prevents unauthorized software from
being installed.
The information in this chapter includes the following:
• Software packs that can be loaded into each device
• Detailed conditions required for the upgrade
• Any impact the upgrade may have on the system
• Description of downloading options
SecFlow-1p
11. Software Upgrade
587
Application software can be downloaded to SecFlow-1p using the copy command via FTP, FTPS, SFTP, or
SCP.
You can install the downloaded device software pack as the active software via the admin software
install sw-pack-n or admin software install sw-update-n command.
Note
Software upgrade relates to upgrading from the product’s previous version to
current version. To upgrade from an older version, you may not be able to
upgrade directly to the latest version, but may be required to upgrade one
version at a time. Refer to the relevant User Manual for upgrade instructions.
11.1 Compatibility Requirements
The following software releases can be upgraded to Ver. 5.x.x: Ver. 5.x.x.
11.2 Impact
During the software upgrade process, service is disrupted.
11.3 Prerequisites
SFTP/FTP/TFTP Prerequisites
Prior to upgrading via SFTP/FTP/TFTP, verify that you have the following:
• Operational SecFlow-1p unit with valid IP parameters configured
• Connection to a PC with an SFTP/FTP/TFTP server application and a valid IP address
• Software image file stored on the PC. The image file (and exact name) can be obtained from the local RAD business partner from whom the device was purchased.
Software Packs
SecFlow-1p software download options include two sw-packs and two sw-updates from the available
options listed in the following table.
Device      File Name                  Description
SecFlow-1p  sw-pack-x.x.x.xx.tar.gz    sw-pack filename
            sw-update-x.x.x.xx.tar.gz  sw-update filename
11.4 Upgrading Software via CLI
The recommended software downloading method is to use the copy command.
Network administrators can use this procedure to distribute new software releases to all the managed
SecFlow-1p units in the network from a central location.
Use the following procedure to download software release 5.x.x to SecFlow-1p via CLI.
1. Verify that the image file is stored on the PC with the SFTP/TFTP server application.
2. Verify that the SecFlow-1p router has been configured with valid IP parameters.
3. Ping the PC to verify the connection.
4. Activate the SFTP/TFTP server application.
5. Download the image file from the PC to SecFlow-1p.
6. Install the image as the active software.
Note
Configuration values shown in this chapter are examples only.
Verifying the Host Parameters
In order to be able to establish communication with the SFTP/TFTP server, the SecFlow-1p router must
have IP parameters configured according to your network requirements. Refer to the following manual
sections for additional information:
• Connecting to a Terminal in the Installation and Setup chapter
• Working with Terminal in the Operation and Maintenance chapter
• Router in the Traffic Processing chapter
Pinging the PC
Check the integrity of the communication link between SecFlow-1p and the PC by pinging the PC from
SecFlow-1p.
To ping the PC:
1. In any level, start pinging the PC, specifying its IP address and optionally the number of packets to send:
ping <ip-address> [number-of-packets <num-packets>] [payload-size <bytes>]
Where:
num-packets can be 1-10,000 or 0 (forever) for a continuous ping. Default is 5.
bytes can be 32-1450.
A reply from the PC indicates a proper communication link.
2. If the ping request times out, check the link between SecFlow-1p and the PC (physical path,
configuration parameters, etc.).
Activating the SFTP Server
Once the SFTP server is activated on the PC, it waits for any SFTP file transfer request originating from
the product, and carries out the received request automatically.
SFTP file transfers are carried out through TCP port 22. Make sure that the firewall you are using on the
server allows communication through this port (refer to the Administration chapter for details).
Activating the TFTP Server
Once the TFTP server is activated on the PC, it waits for any TFTP file transfer request originating from
the product, and carries out the received request automatically.
TFTP file transfers are carried out through port 69. Make sure that the firewall you are using on the
server allows communication through this port (refer to the Administration chapter for details).
Note
Configure the connection timeout of the TFTP server to be more than 30 seconds to prevent an automatic
disconnection during the backup partition deletion (about 25 seconds).
Downloading the New Device Software Release File
This procedure is used to download a new SecFlow-1p software version.
To copy the image file to the SecFlow-1p unit:
• In any level, enter:
copy sftp://<username>:<password>@<ip-address>/<image-file-name> {<sw-pack-n> | <sw-update-n>}
Where <ip-address> is the IP address of the PC where the SFTP server is installed and <n> is the index of the software pack/update.
Or
copy tftp://<tftp-ip-address>/<image-file-name> <sw-pack-n>
Where tftp-ip-address is the IP address of the PC where the TFTP server is installed and <n> is the index of the software pack.
Note
Choose an index that is not being used by the active software, or by a
software pack that you do not want to overwrite.
The software download is performed. See Activating the Device Software for instructions on
installing the downloaded software as the active software.
Activating the Device Software
After software is downloaded to SecFlow-1p, it has to be installed via the install command as the active
software. When you install software, by default SecFlow-1p creates a restore point, so that if there is a
problem with the new software pack, you can perform a rollback to the previous software pack and
startup-config file. This ensures that if you changed the startup-config file before noticing that
something was wrong with the newly installed software, you can restore the startup-config that was
running before the last installation.
Note
The file startup-config must exist before you can install software with creation
of a restore point.
Prior to installing the software, you can request (via command software-confirm-required) that the user
confirm the next installed software (via command software-confirm) following the next SecFlow-1p
reboot. This software confirmation command verifies that the user has regained connection to the
device following installation. If confirmation is requested, but the user does not confirm the software
(via command software-confirm) within the configured timeout period, SecFlow-1p automatically falls
back to its previous software. This precaution prevents a permanent loss of connection to the remote
device following installation.
To request software confirmation:
• At the admin>software# prompt, enter:
software-confirm-required [time-to-confirm <minutes>]
The confirmation timeout can be from five minutes to 24 hours. If you do not specify it, the
default is five minutes.
Note
You can cancel the software confirmation request by entering
no software-confirm-required.
Next time SecFlow-1p reboots and loads new software, it starts a confirmation timer. See the
following procedure for more details on the confirmation.
To install a device software pack as active:
Note
• If startup-config does not exist, you must install the software pack without creating a restore point.
• As a defective startup-config can cause a loss of connection, it is not recommended to install software and change startup-config at the same time. However, if you must do both at the same time, first install the software and only after verifying it, make the needed configuration changes (or vice versa).
1. At the admin>software# prompt, enter:
install {sw-pack-1|sw-pack-2|sw-update-1|sw-update-2} [no-restore-point]
Where n is 1 or 2, provided sw-pack-n is a non-active software pack. If you specify
no-restore-point, then after the software is installed, it is not possible to roll back to the
previous software.
You are prompted to confirm the operation.
!Device will install file and reboot. Are you sure? [yes/no] _
2. Type yes to confirm.
If a restore point is being created, then startup-config is copied to restore-point-config.
SecFlow-1p designates the specified software pack as active, then reboots. If a software
confirmation request is active, SecFlow-1p starts a timer with the specified timeout period.
Note
While the confirmation timer is running, SecFlow-1p does not allow any
commands that change its configuration.
3. If the software-confirm command is entered before the timer expires, the software is
considered to be confirmed.
If the software-confirm command is not entered before the timer expires, then restore-point-config is
deleted, SecFlow-1p designates the previously active software pack as active, then reboots.
Note
If the software pack is activated on SecFlow-1p, the device reboots.
Activating the Software
To activate a software pack, you need to designate it as active and load it.
To activate a software pack:
1. To set the software as active, enter:
set-active <index>
A confirmation similar to the following is displayed:
SW set active 2 completed successfully.
2. To load the active software, type: run.
A sequence of messages similar to the following is displayed:
Loading/un-compressing sw-pack-2...
Starting the APPLICATION off address 0x10000...
After a few more seconds, the login prompt is displayed.
11.5 Verifying Upgrade Results
You can verify that the upgrade was successful by logging on to SecFlow-1p via a terminal emulation
program, and in the Inventory table (show summary-inventory at prompt config>system#), checking
the active software version in the SW Rev column.
11.6 Restoring the Previous Version
If the installed software malfunctions and was installed with a restore point (restore-point-config must
exist on device), you can perform rollback to the previous active software.
To roll back to the previous active software pack:
1. At the admin>software# prompt, enter:
undo-install
You are prompted to confirm the operation.
! Falling back to restore point ! Are you sure? [yes/no] _
2. Type yes to confirm.
The file restore-point-config is renamed to startup-config. SecFlow-1p designates the previously
active software pack as active, then reboots.
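An added example (not RAD code) that models the install, software-confirm, timeout fallback and undo-install behaviour described in this chapter, so that an operator can reason offline about what a remote gateway will do if connectivity is lost after an upgrade. File and command names are the manual's; the Gateway class, the hand-advanced tick() clock, and the treatment of the confirmation request as one-shot are assumptions.

```python
"""Model of the SecFlow-1p install / software-confirm / rollback flow from
chapter 11. Added example for this page, not RAD code: it reproduces the
documented rules (restore point needs startup-config, no-restore-point makes
undo-install impossible, configuration is locked while the confirmation timer
runs, a missed software-confirm deletes restore-point-config and falls back).
The timer is advanced by hand with tick(); treating the confirmation request
as one-shot after a confirm or fallback is an assumption.
"""
from dataclasses import dataclass, field
from typing import Optional

PACKS = ("sw-pack-1", "sw-pack-2", "sw-update-1", "sw-update-2")
MIN_CONFIRM_MIN, MAX_CONFIRM_MIN, DEFAULT_CONFIRM_MIN = 5, 24 * 60, 5


@dataclass
class Gateway:
    active: str = "sw-pack-1"
    files: set = field(default_factory=lambda: {"startup-config", "sw-pack-1"})
    confirm_required: bool = False
    time_to_confirm: int = DEFAULT_CONFIRM_MIN
    timer_left: Optional[int] = None      # minutes left on the confirmation timer; None = not running
    previous_active: Optional[str] = None
    reboots: int = 0
    events: list = field(default_factory=list)

    # admin>software# software-confirm-required [time-to-confirm <minutes>]
    def software_confirm_required(self, minutes=DEFAULT_CONFIRM_MIN):
        if not MIN_CONFIRM_MIN <= minutes <= MAX_CONFIRM_MIN:
            raise ValueError("time-to-confirm must be between 5 minutes and 24 hours")
        self.confirm_required, self.time_to_confirm = True, minutes

    # admin>software# install <pack> [no-restore-point]
    def install(self, pack, no_restore_point=False):
        if pack not in PACKS or pack not in self.files:
            raise ValueError(f"{pack} is not a downloaded software pack")
        if pack == self.active:
            raise ValueError("pack is already the active software")
        if no_restore_point:
            self.files.discard("restore-point-config")   # undo-install will not be possible
        else:
            if "startup-config" not in self.files:
                raise ValueError("startup-config must exist to create a restore point")
            self.files.add("restore-point-config")        # copy of startup-config
        self.previous_active = self.active
        self.active = pack
        self._reboot()

    def _reboot(self):
        self.reboots += 1
        self.events.append(f"reboot into {self.active}")
        if self.confirm_required:
            self.timer_left = self.time_to_confirm        # timer starts with the new software
            self.confirm_required = False                 # assumption: the request is one-shot

    def configure(self, command):
        """Configuration changes are refused while the confirmation timer runs."""
        if self.timer_left is not None:
            raise PermissionError("configuration locked until software-confirm")
        self.events.append(f"config: {command}")

    # admin>software# software-confirm
    def software_confirm(self):
        if self.timer_left is None:
            raise ValueError("no confirmation pending")
        self.timer_left = None
        self.events.append("software confirmed")

    def tick(self, minutes):
        """Advance the clock; an expired timer triggers the automatic fallback."""
        if self.timer_left is None:
            return
        self.timer_left -= minutes
        if self.timer_left <= 0:
            self.timer_left = None
            self.files.discard("restore-point-config")   # manual: restore-point-config is deleted
            self.events.append("confirmation timeout: falling back to previous software")
            self.active, self.previous_active = self.previous_active, self.active
            self._reboot()

    # admin>software# undo-install
    def undo_install(self):
        if "restore-point-config" not in self.files:
            raise ValueError("no restore point on device")
        self.files.discard("restore-point-config")   # renamed back to startup-config
        self.files.add("startup-config")
        self.active, self.previous_active = self.previous_active, self.active
        self._reboot()


if __name__ == "__main__":
    gw = Gateway()
    gw.files.add("sw-pack-2")                 # downloaded with copy ... sw-pack-2
    gw.software_confirm_required(10)
    gw.install("sw-pack-2")
    gw.tick(10)                               # nobody confirmed: automatic fallback
    print("\n".join(gw.events), "\nactive:", gw.active)
```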
A Connection Data
A.1 Ethernet Connector
The Ethernet electrical interfaces terminate in 8-pin RJ-45 connectors, of type 10/100BaseT or
10/100/1000BaseT, wired in accordance with the table below. The connector supports both MDI and
MDIX modes.
10/100/1000BaseT Connector Pinout
Pin  MDI  MDIX
1    A+   B+
2    A-   B-
3    B+   A+
4    C+   D+
5    C-   D-
6    B-   A-
7    D+   C+
8    D-   C-
A.2 Serial Port
The SecFlow-1p UART serial ports are terminated with RJ-45 connectors. SecFlow-1p acts as a DCE
communication device.
Serial hardware protocols RS-232 and RS-485 are defined according to the ordering options.
Refer to the table below for the RJ-45 connector pinout.
SecFlow-1p
A. Connection Data
Serial Port Pin Assignment
RJ45 Connector Pin  RS232 DCE Signal as per EIA-561
1                   -
2                   -
3                   RTS
4                   GND
5                   RxD
6                   TxD
7                   CTS
8                   -
RAD recommends using the RS-232 adapter cable CBL-RJ45/D9/F/6FT to connect to user serial
equipment terminated with a DB9 male connector.
CBL-RJ45/D9/F/6FT Cable
The cable pinout is shown in the table below.
CBL-RJ45/D9/F/6FT Cable Pinout for Serial Port
RJ45 DCE Side     Direction  DB-9 DTE Side
Signal  Pin                  Pin  Signal
-       1         -          6    -
-       2         -          1    -
RTS     3         <->        4    RTS
GND     4         -          5    GND
RxD     5         <->        2    RxD
TxD     6         <->        3    TxD
CTS     7         <->        8    CTS
-       8         -          7    -
RS-485 user equipment can be connected using RAD's CBL-SF-RJ45-RS485 shielded cable.
[Figure: CBL-SF-RJ45-RS485 cable, showing the drain wire]
CBL-SF-RJ45-RS485 Cable Pinout
RJ45           Color         Open 2W
3              white/orange  + Tx/Rx
4              blue          GND
               orange        - Tx/Rx
1, 2, 5, 6, 7  -             -
International Headquarters
24 Raoul Wallenberg St., Tel Aviv 6971923, Israel
Tel 972-3-6458181 | Fax 972-3-7604732
Email market@rad.com
North American Headquarters
900 Corporate Drive, Mahwah, NJ 07430, USA
Tel 201-529-1100 | Toll Free: 800-444-7234 | Fax: 201-529-5777
Email market@radusa.com
www.rad.com | radcare-online.rad.com
Publication No. 743-200-05/22