Comnet RL1000GW-AC-ESFP-S24, RL1000GW-AC-ESFP-S22, RL1000GW-AC-ESFP-S24-CEU, RL1000GW-AC-ESFP-S22-CEU, RL1000GW-AC-ESFP-S24-CNA User Manual

...
INSTALLATION AND OPERATION MANUAL
RL1000GW
Small Form Factor Substation-Rated Secure Ethernet Layer 3 Router/Gateway with Optional 2G/3G/4G LTE Cellular Radio Link, and 100/1000 Mbps SFP Uplink Port
ComNet product series RL1000GW are substation-rated and industrially hardened layer 3 router/gateways, with a unique and highly robust packet processing SCADA-aware security firewall for the most mission-critical and demanding cyber-security applications. The RL1000GW is intended for deployment in environments where high levels of electromagnetic noise and interference (EMI) and severe voltage transients and surges are routinely encountered, such as electrical utility substations and switchyards, heavy manufacturing facilities, track-side electronic equipment, and other difficult out-of-plant installations. Layer 3 routing functionality allows for the participation and foundation of a core network infrastructure. The compact-sized DIN-rail mountable RL1000GW is ideally suited to those installations and applications where space may be limited. These features make the RL1000GW an effective platform for deploying a secure communications and networking gateway for remote electrical utility sites, and other critical infrastructure applications.
The RL1000GW is an ideal platform for deploying a secure communications and networking gateway for remote electrical utility sites, and other critical infrastructure applications.
Contents
About This Guide 8
Intended Audience 8
Related Documentation 9
About ComNet 9
Website 9
Support 9
Safety 9
Overview 10
Introduction 10
Key Features 10
Hardware and Interfaces 14
Graphic View of Hardware 16
Distance kept for natural air flow 17
Logical Structure 17
Grounding 17
Connecting to a Power Source 18
Power Budget 18
Configuration Environment 19
Command Line Interface 19
Supported Functionalities 20
System Version and Data Base 24
Configuration Database 24
OS VERSION 25
Commands Hierarchy 25
Example 26
Safe Mode 28
Safe mode view 29
SW Image Installation 30
Ethernet Port Interfaces 32
Commands Hierarchy 32
Show example 33
Login and Management 35
Serial Console Port 35
Connecting to the Console Port 35
CLI Terminal Commands 36
Management 36
Default state 36
Commands Hierarchy 37
Commands Description 38
IP Interfaces 39
Interface Assignment Rules 39
IP interface id 41
IP interface VLAN id 41
IP Interface Commands Hierarchy 41
IP Interface Commands Description 42
Example 43
Diagnostic 46
System logs export 46
Commands Hierarchy 46
Commands Description 46
Capture Ethernet service traffic 47
Commands Hierarchy 47
Commands Description 47
Example 47
Syslog 49
The Priority indicator 50
Message Format 51
Commands Hierarchy 58
Output example 59
Discrete IO Channels 60
Interfaces 60
Diagnostics and logic states 60
Technical data 61
Discrete IO Channels Commands Hierarchy 61
Discrete IO Channels Commands 61
Clock and Time 62
Local Clock 62
TACACS 63
Default Configurations 63
TACACS Command Hierarchy 64
TACACS Commands Descriptions 64
Configuration Example 65
ACLs 66
Flow of ACL Inspection 66
ACG 67
Comments 67
Example 68
ACL Commands Hierarchy 68
ACL Commands Descriptions 70
Configuration Example 71
QOS 72
QOS Commands Hierarchy 72
QOS Commands Descriptions 72
NAT 73
Networking 73
NAT Commands Hierarchy 74
NAT Commands Description 75
Example 75
OSPF 78
OSPF Commands Hierarchy 78
OSPF Commands Descriptions 79
OSPF setup example 79
Serial Ports and Services 83
Serial interfaces 83
Services configuration structure 83
Serial Commands Hierarchy 84
Serial Commands Description 85
Declaration of ports 88
Default State 88
RS-232 Port Pin Assignment 88
RS-232 Serial cable 89
RS-485 Port Pin Assignment 90
LED States 90
Transparent Serial Tunneling 91
Concept of Operation 91
Supported Network topologies 92
Point to multipoint point 93
Multi Point to multipoint point 94
Modes of Operation 94
Reference drawing 96
Serial Traffic Direction 97
Allowed latency 97
Tx Delay 98
Bus Idle Time 98
Example 1 98
Example 2 100
Protocol Gateway IEC 101 to IEC 104 102
Modes of Operation 102
IEC101/104 Gateway properties IEC 101 104
IEC101/104 Gateway Configuration 105
Gateway 101/104 Configuration Flow 106
Gateway 101/104 Commands Hierarchy 108
Gateway 101/104 Commands 110
Example Gateway 101/104 111
Terminal Server 114
Service Buffer Mode 116
Terminal Server Commands Hierarchy 117
Terminal Server Commands 119
Example local Service 121
Example Networking 124
Modbus Gateway 126
Implementation 126
Modbus Gateway Commands Hierarchy 127
Modbus Gateway Commands Description 128
Example 129
DNP3 Gateway 132
Example 132
VPN 133
Background 133
Modes supported 133
Layer 3 DM-VPN 134
Layer 3 IPSec-VPN 135
DM-VPN Commands Hierarchy 136
IPSec-VPN Commands Hierarchy 137
IPSec 138
Applications 138
Authentication Header (AH) 138
Encapsulating Security Payload (ESP) 138
Security Associations 139
ISAKMP 139
IKE 139
ISAKMP Phase 2 147
IPSec Command Association 148
IPSec Commands Hierarchy 150
IPsec Commands 152
IPSec defaults 155
Cellular Modem 156
LTE Modem 156
GPRS/UMTS Modem 158
Interface Name 158
Method of operation 159
SIM card state 160
Backup and redundancy 162
Cellular Commands Hierarchy 163
Cellular Commands Description 164
Default State 166
LED States 166
Example for retrieving the IMEI 167
Example for Sim Status 168
Discrete IO Channels 169
Discrete channel interface 169
Technical data 169
Discrete IO Channels Commands Hierarchy 170
Discrete IO Channels Commands 170
VPN Setup Examples 171
DM-VPN Setup 171
Network drawing 172
DM-VPN over Cellular Setup 176
Network drawing 177
Configuration 177
Testing the setup 181
Adding a terminal server service 184
Adding a transparent serial tunneling service 185
Application Aware Firewall 186
Firewall Service flow 186
Firewall Flow Illustration 187
Supported Hardware 187
Configuration 187
Example 188
Firewall Commands Hierarchy 189
Firewall Commands 190
About This Guide
This user guide includes relevant information for utilizing the Reliance RL1000GW line of switches.
The information in this document is subject to change without notice and describes only the product defined in the introduction of this document.
This document is intended for the use of customers of ComNet only for the purposes of the agreement under which the document is submitted, and no part of it may be reproduced or transmitted in any form or means without the prior written permission of ComNet.
The document is intended for use by professional and properly trained personnel, and the customer assumes full responsibility when using it.
If the Release Notes that are shipped with the device contain information that conflicts with the information in this document or supplements it, the customer should follow the Release Notes.
The information or statements given in this document concerning the suitability, capacity, or performance of the relevant hardware or software products are for general informational purposes only and are not considered binding. Only those statements and/or representations defined in the agreement executed between ComNet and the customer shall bind and obligate ComNet.
ComNet however has made all reasonable efforts to ensure that the instructions contained in this document are adequate and free of material errors. ComNet will, if necessary, explain issues which may not be covered by the document.
ComNet's sole and exclusive liability for any errors in the document is limited to the documentary correction of errors. ComNet is not and shall not be responsible in any event for errors in this document or for any damages or loss of whatsoever kind, whether direct, incidental, or consequential (including monetary losses), that might arise from the use of this document or the information in it.
This document and the product it describes are the property of ComNet, which is the owner of all intellectual property rights therein, and are protected by copyright according to the applicable laws.
Other product and company names mentioned in this document reserve their copyrights, trademarks, and registrations; they are mentioned for identification purposes only.
Copyright © 2016 Communication Networks, LLC. All rights reserved.
Intended Audience
This user guide is intended for network administrators responsible for installing and configuring network equipment. Users must be familiar with the concepts and terminology of Ethernet and local area networking (LAN) to use this User Guide.
Related Documentation
The following documentation is also available:
» RL1000GW Data sheet
» RL1000GW Quick Start Guide
» RL1000GW_ES Enhanced Security Software Options Manual
» SFP Modules Data sheet
About ComNet
ComNet develops and markets the next generation of video solutions for the CCTV, defense, and homeland security markets. At the core of ComNet’s solutions are a variety of high-end video servers and the ComNet IVS software, which provide the industry with a standard platform for analytics and security management systems enabling leading performance, compact and cost effective solutions.
ComNet products are available in commercial and rugged form.
Website
For information on ComNet’s entire product line, please visit the ComNet website at
http://www.comnet.net
Support
For any questions or technical assistance, please contact your sales person (sales@comnet.net) or the customer service support center (techsupport@comnet.net)
Safety
» Only ComNet service personnel can service the equipment. Please contact ComNet Technical Support.
» The equipment should be installed in locations with controlled access, or other means of security, and controlled by persons of authority.
Overview
Introduction
The ComNet Service-aware Industrial Ethernet routers combine a ruggedized Ethernet platform with a unique application-aware processing engine.
As an Industrial Ethernet router, the ComNet RL1000GW provides a strong Ethernet and IP feature-set with a special emphasis on the fit to the mission-critical industrial environment, such as fit to the harsh environment, high reliability and network resiliency.
In addition the ComNet routers have unique service-aware capabilities that enable an integrated handling of application-level requirements such as implementation of security measures.
Such an integrated solution results in simple network architecture with an optimized fit to the application requirements.
Figure 1 - Illustration of ComNet RL1000GW
Key Features
The ComNet RL1000GW devices offer the following features:
» Compact systems
» Advanced Router feature-set
» Integrated Defense-in-Depth tool-set
» Ethernet and Serial interfaces
» Fit to harsh industrial environment
Seamless & Reliable Connection to Any Network
The RL1000GW provides connectivity to any copper, fiber optic, or cellular radio-based Ethernet network. Fiber optic networks are supported by the use of the optional 100/1000FX SFP uplink port. The optional highly resilient 2G/3G/4G LTE cellular radio uplink with 2 SIM card slots for network redundancy, is ideal where fiber optic infrastructure is not available, and may be used as a back-up link for those applications where interruption of service is not tolerable.
Extremely Effective Network Security, For the Most Mission-Critical Applications
Service Gateway
The RL1000GW service gateway includes a highly robust application layer, and provides legacy support, a Deep Packet Inspection (DPI) application-aware SCADA firewall, serial tunnelling, protocol gateway, and extremely effective encryption technologies. The service gateway offers a uniquely capable feature set which may serve as the hardware foundation to a secure industrial controls network, and includes Protocol Gateway, VPN, and IPsec features.
Protocol Gateway
Gateway functionality between a DNP3 TCP client (master) and a DNP3 Serial RTU, IED, PLC, or other compatible device is supported. This same functionality is supported across MODBUS TCP to MODBUS RTU, and IEC 61850 101/104 TCP to IEC 61850 101/104 RTU. This level of protocol conversion allows legacy protocols to be secured by enterprise and industry best practice level encryption across a TCP IP-based network.
VPN
VPN tunnels are included for secure inter-site connectivity with IPsec, DM-VPN, and VPN GRE tunnels with key management certificates. The supported VPN modes allow both layer-2 and layer-3 services, to best suit the user’s application-specific cyber-protection needs.
IPSec
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet of a communication session. IPsec-VPN as well as IPsec encryption are supported over other VPN technologies. By implementing this level of industry-accepted encryption, data may traverse the network in a guaranteed delivery method, as well as providing a cohesive and secure methodology for network communication across legacy and modern networks.
Identity Management and Authentication Proxy Access (APA)
NERC-CIP-5 defines the important requirement for network security protection of remote and unattended facilities. The capability of identifying the user and creating specific network privileges per identified and authenticated user prior to granting the user access to the network therefore becomes critical.
The Authentication Proxy Access (APA) is a highly sophisticated security feature, which allows the network operator to manage the substation or any other facility maintenance process. This feature gives full control of the maintenance process to the operator by granting the capability to create dynamic policies to specific tasks within an explicitly defined time window. Following this time window, operators receive reporting on activities performed during the task. This audit trail comes in the form of an overview log, and a full packet capture (PCAP) of the session.
Before a user is allowed access to the network, they must log in to ComNet’s internal authentication process with their unique user name and password. Upon validation of the user profile, specific access is granted to predefined devices and functions, and each operation is logged. Multi-factor authentication is available when combined with the Cyber-Physical Integration feature.
X.509 Certificate Exchange for VPN Connections
VPN tunnels for secure inter-site connectivity with IPsec VPN, GRE Tunnels, and DMVPN technologies are fully supported. In addition to IPsec encryption, X.509 key management certificates are provided. This certificate support allows for a secure signed key exchange between a Certificate Authority, and two secure nodes. Having a third-party authority as a signing participant offers end-to-end security that may be managed and reissued from a trusted central source within the user’s network.
Cyber-Physical Integration
Integrated within the enhanced-security RL1000GW, is a physical identity server system, allowing the use of external authentication hardware, such as magnetic card readers, biometric identification sensors, facial recognition cameras, etc., to create a two-factor authentication to the APA feature. This provides an additional level of validation of the user and his/her credentials, prior to granting the user network access. Once the authentication is validated and approved, a set of defined policies allow the authenticated technician to perform their task.
Enhanced SCADA-Aware Firewall
A whitelist-based firewall is provided for every Ethernet and serial data port, so full firewall protection is available at all remote sites within the network. Every SCADA protocol packet (IEC 61850, DNP3 RTU/TCP, ModBus RTU/TCP, and IEC 101/104) is scanned and validated by the firewall engine for its source and destination, as well as its protocol and packet content.
The structure of the distributed firewall allows the creation of a unique firewall at each access point to the network. This is critical for securing against insider cyber-attacks, compromised field devices, man-in-the-middle attacks, and a myriad of alternate attack vectors, by providing a secure baseline.
Two firewall states are included: Monitoring, and enforcing. The monitoring state provides an alarm at the control center for any network violation, without blocking the network traffic. The enforcing state is extremely effective for blocking suspicious traffic, while also triggering a violation alarm at the control center.
DPI (Deep Packet Inspection) SCADA Protocols Firewall
ComNet’s distributed DPI firewall ensures that the operator will have full control over the network, even when faced with a sophisticated attempt at breaching the network. Monitoring SCADA commands, this highly robust whitelist-based firewall analyses SCADA network traffic, and is provided for every Ethernet and serial data port, so full firewall protection is available at all remote sites within the network, as well as all IEDs, RTUs, PLCs, or any other device connected to the network. Every SCADA protocol packet (IEC 61850, DNP3 RTU/TCP, ModBus RTU/TCP, and IEC 101/104) is scanned and validated by the firewall engine for its source and destination, as well as its protocol and its specific packet
Any detected abnormal traffic behavioral patterns are blocked, any affected subnets are isolated, and alerts are automatically generated.
Ease of Installation and Network Integration
High levels of cyber-security experience are not required to successfully deploy the RL1000GW. It is fully supported by ComNet’s Reliance Product Configuration Utility and CLI, allowing the secure switch/router to be easily configured, and to diagnose network and security functions.
Configuration of the secure firewall is also simple. Once connected to the user’s network, the RL1000GW immediately begins to collect and analyse information across the network, including from other connected devices, traffic behavior, etc. Recommended firewall rules are then suggested to the user; the implementation of these rules is optional, and they can be easily edited using the Configuration Utility.
OAM (IEEE 802.3-2005 & IEEE 802.1ag) and QoS are also supported. Strict priority, Weighted Round Robin (WRR), ingress policing, and egress traffic shaping are included for traffic management.
Serial Data Interface
The 2-port serial interface is available for applications including terminal server with protocol gateway and serial tunnelling functionality, and provides direct connectivity to legacy RS-232 or 4-wire RS-485 serial data IEDs, RTUs, PLCs, and other devices.
Hardware and Interfaces
Depending on the RL1000GW hardware variant ordered, your router will hold physical Ethernet and Serial ports.
» Serial, RJ45 ports are RS-232. Max 2 ports.
» Serial, RJ45 ports are RS-485. Max 1 port.
» Ethernet RJ45 copper ports are 10/100 FE. One port.
» Ethernet SFP based ports are 100/1000 GE. One port.
Ordering options of Hardware
RL1000GW Standard Models
Part Number Description
RL1000GW/12/E/S22 RL1000GW with 2 x RS-232 and 1 x 10/100 Tx, 12/24V DC
RL1000GW/12/E/S24 RL1000GW with 1 x RS-232, 1 x RS-485 and 1 x 10/100 Tx, 12/24 VDC
RL1000GW/12/ESFP/S22 RL1000GW with 2 x RS-232, 1 x 10/100 Tx and 1 x 100/1000 Fx SFP, 12/24 VDC
RL1000GW/12/ESFP/S24 RL1000GW with 1 x RS-232, 1 x RS-485, 1 x 10/100 Tx and 1 x 100/1000 Fx SFP, 12/24 VDC
RL1000GW/12/E/S22/CH+ RL1000GW with 2 x RS-232, 1 x 10/100 Tx and 2G/3G/HSPA+ Cellular Modem, 12/24 VDC
RL1000GW/12/E/S24/CH+
RL1000GW/12/ESFP/S22/CH+
RL1000GW/12/ESFP/S24/CH+
RL1000GW/12/E/S22/CNA RL1000GW with 2 x RS-232, 1 x 10/100 Tx and 4G LTE Cellular Modem (NA Bands), 12/24 VDC
RL1000GW/12/E/S24/CNA
RL1000GW/12/ESFP/S22/CNA
RL1000GW/12/ESFP/S24/CNA
RL1000GW/12/E/S22/CEU RL1000GW with 2 x RS-232, 1 x 10/100 Tx and 4G LTE Cellular Modem (EU Bands), 12/24 VDC
RL1000GW/12/E/S24/CEU
RL1000GW/12/ESFP/S22/CEU
RL1000GW/12/ESFP/S24/CEU
RL1000GW/48/E/S22 RL1000GW with 2 x RS-232 and 1 x 10/100 Tx, 24/48V DC
RL1000GW/48/E/S24 RL1000GW with 1 x RS-232, 1 x RS-485 and 1 x 10/100 Tx, 24/48 VDC
RL1000GW/48/ESFP/S22 RL1000GW with 2 x RS-232, 1 x 10/100 Tx and 1 x 100/1000 Fx SFP, 24/48 VDC
RL1000GW/48/ESFP/S24 RL1000GW with 1 x RS-232, 1 x RS-485, 1 x 10/100 Tx and 1 x 100/1000 Fx SFP, 24/48 VDC
RL1000GW/48/E/S22/CH+ RL1000GW with 2 x RS-232, 1 x 10/100 Tx and 2G/3G/HSPA+ Cellular Modem, 24/48 VDC
RL1000GW with 1 x RS-232, 1 x RS-485, 1 x 10/100 Tx and 2G/3G/HSPA+ Cellular Modem, 12/24 VDC
RL1000GW with 2 x RS-232, 1 x 10/100 Tx, 1 x 100/1000 Fx SFP and 2G/3G/HSPA+ Cellular Modem, 12/24 VDC
RL1000GW with 1 x RS-232, 1 x RS-485, 1 x 10/100 Tx, 1 x 100/1000 Fx SFP and 2G/3G/HSPA+ Cellular Modem, 12/24 VDC
RL1000GW with 1 x RS-232, 1 x RS-485, 1 x 10/100 Tx and 4G LTE Cellular Modem (NA Bands), 12/24 VDC
RL1000GW with 2 x RS-232, 1 x 10/100 Tx, 1 x 100/1000 Fx SFP and 4G LTE Cellular Modem (NA Bands), 12/24 VDC
RL1000GW with 1 x RS-232, 1 x RS-485, 1 x 10/100 Tx, 1 x 100/1000 Fx SFP and 4G LTE Cellular Modem (NA Bands), 12/24 VDC
RL1000GW with 1 x RS-232, 1 x RS-485, 1 x 10/100 Tx and 4G LTE Cellular Modem (EU Bands), 12/24 VDC
RL1000GW with 2 x RS-232, 1 x 10/100 Tx, 1 x 100/1000 Fx SFP and 4G LTE Cellular Modem (EU Bands), 12/24 VDC
RL1000GW with 1 x RS-232, 1 x RS-485, 1 x 10/100 Tx, 1 x 100/1000 Fx SFP and 4G LTE Cellular Modem (EU Bands), 12/24 VDC
TECH SUPPORT: 1.888.678.9427
INS_RL1000GW_REV– 15 Jul 2016 PAGE 14
INSTALLATION AND OPERATION MANUAL RL1000GW
Part Number Description
RL1000GW/48/E/S24/CH+
RL1000GW/48/ESFP/S22/CH+
RL1000GW/48/ESFP/S24/CH+
RL1000GW/48/E/S22/CNA RL1000GW with 2 x RS-232, 1 x 10/100 Tx and 4G LTE Cellular Modem (NA Bands), 24/48 VDC
RL1000GW/48/E/S24/CNA
RL1000GW/48/ESFP/S22/CNA
RL1000GW/48/ESFP/S24/CNA
RL1000GW/48/E/S22/CEU RL1000GW with 2 x RS-232, 1 x 10/100 Tx and 4G LTE Cellular Modem (EU Bands), 24/48 VDC
RL1000GW/48/E/S24/CEU
RL1000GW/48/ESFP/S22/CEU
RL1000GW/48/ESFP/S24/CEU
RL1000GW with 1 x RS-232, 1 x RS-485, 1 x 10/100 Tx and 2G/3G/HSPA+ Cellular Modem, 24/48 VDC
RL1000GW with 2 x RS-232, 1 x 10/100 Tx, 1 x 100/1000 Fx SFP and 2G/3G/HSPA+ Cellular Modem, 24/48 VDC
RL1000GW with 1 x RS-232, 1 x RS-485, 1 x 10/100 Tx, 1 x 100/1000 Fx SFP and 2G/3G/HSPA+ Cellular Modem, 24/48 VDC
RL1000GW with 1 x RS-232, 1 x RS-485, 1 x 10/100 Tx and 4G LTE Cellular Modem (NA Bands), 24/48 VDC
RL1000GW with 2 x RS-232, 1 x 10/100 Tx, 1 x 100/1000 Fx SFP and 4G LTE Cellular Modem (NA Bands), 24/48 VDC
RL1000GW with 1 x RS-232, 1 x RS-485, 1 x 10/100 Tx, 1 x 100/1000 Fx SFP and 4G LTE Cellular Modem (NA Bands), 24/48 VDC
RL1000GW with 1 x RS-232, 1 x RS-485, 1 x 10/100 Tx and 4G LTE Cellular Modem (EU Bands), 24/48 VDC
RL1000GW with 2 x RS-232, 1 x 10/100 Tx, 1 x 100/1000 Fx SFP and 4G LTE Cellular Modem (EU Bands), 24/48 VDC
RL1000GW with 1 x RS-232, 1 x RS-485, 1 x 10/100 Tx, 1 x 100/1000 Fx SFP and 4G LTE Cellular Modem (EU Bands), 24/48 VDC
Options
Optional Part No Description
ANT3G-2M 2G/3G External Grade Cellular Antenna with 2M cable (1 required per switch)
ANT3G-5M 2G/3G External Grade Cellular Antenna with 5M cable (1 required per switch)
ANT4G - 2M 4G LTE External Grade Cellular Antenna with 2M cable (2 required per switch)
ANT4G - 5M 4G LTE External Grade Cellular Antenna with 5M cable (2 required per switch)
Power Supply 12 V, 24 V or 48 V DC DIN Rail power supply
Conformal Coat Add suffix ‘/C’ for Conformally Coated Circuit Boards to extend to condensation conditions
SFP Modules¹ User selection of ComNet SFP (See SFP Modules data sheet for product numbers and compatibility)
DINBKT3 19-inch rack mount panel adapter
Graphic View of Hardware
Figure 2 – RL1000GW Product
Table 1 – RL1000GW Physical Feature Descriptions
Call-out Description Manual Reference
1 Antenna Female Connection
2 SIM Card Ports 1 - 2
3 Power and Run LED Indicators
4 Console Interface, Link/Activity (L/A) and Speed LED Indicators
5 RS-232 Ports 1 - 2, Link/Activity (L/A) and Speed LED Indicators
6 10/100 TX Port, Link/Activity (L/A) and Speed LED Indicators
7 SIM1, SIM2, Fast Ethernet Port LED Indicators
8 Dry Contact DI/DO Interface
9 USB Interface
10 Power Interface
11 Chassis GND Lug
Distance kept for natural air flow
Proper installation depends on natural air flow for cooling. You must maintain a 10cm distance above and below the ComNet switch for proper air flow.
Logical Structure
Figure 4 - Logical system view, illustration
Grounding
To install the grounding wire:
» Prepare a minimum 10 American Wire Gauge (AWG) grounding wire terminated by a crimped two-hole lug with hole diameter and spacing as shown in the below figure. Use a suitable crimping tool to fasten the lug securely to the wire. Adhere to your company’s policy as to the wire gauge and the number of crimps on the lug.
» Apply some anti-oxidant onto the metal surface.
» Mount the lug on the grounding posts, replace the spring-washers and fasten the bolts. Avoid using excessive torque.
CAUTION – Do not remove the earth connection unless all power supply connections are disconnected.
DANGER – Before connecting power to the platform, make sure that the grounding posts are firmly connected to a reliable ground, as described below.
Connecting to a Power Source
Wiring AC Input voltage connector
For an AC product variant there is a single input connector.
Use a Brown wire for the Line (Phase) conductor, a Green/Yellow wire for the grounding and a Blue wire for the Neutral conductor. Use 18 AWG (1 mm²) wire, with insulated ferrules.
Power Budget
The following table details power consumption of the Hardware variants with cellular and serial interfaces.
Unit Power feed    Max Power [Watt] Version without POE ports    Max Power [Watt] Version with POE ports
12vDC              18.5                                          80
24vDC              18.5                                          100
48vDC              18.5                                          140 (or 260*)
110vDC             18.5                                          120
220vDC             18.5                                          120
110vAC             20.35                                         149
220vAC             20.35                                         149 (or 275*)
* Refers to specific ordering option supporting 240w PoE.
Configuration Environment
A CLI based configuration environment is available for the user.
Command Line Interface
The CLI (Command Line Interface) is used to configure the RL1000GW from a console attached to the serial port of the router or from a remote terminal using SSH. The following table lists the CLI environments and modes.
Table 3-1: Command Line Interface
Command Mode: Global Configuration Environment (GCE)
Access Method: Following user log in this mode is available to the user.
Prompt: RL1000GW#
Exit Method: To exit this mode would mean the user to log out from the system. Use the command ‘exit’

Command Mode: Global Hierarchy Configuration
Access Method: From the Global Configuration mode command you may drill down to specific feature sub tree. Example is shown here for router configuration sub tree.
Prompt: [router/]
Exit Method: To exit one level back, the ‘..’ (Two dots) is used.

Command Mode: Application Configuration Environment (ACE)
Access Method: The ACE is an alternative configuration environment for supported features
Prompt: ACE# This mode is not supported at current version
Exit Method: To exit back to the GCE mode use the ‘exit’ command.

Command Mode: ACE Config
Access Method: Use the command ‘configure’ to access the ACE Configuration mode
Prompt: ACE(config)#
Exit Method: To exit back to the ACE mode use the ‘exit’ command.

Command Mode: Application Hierarchy Configuration
Access Method: Access the target feature. For example : ‘interface vlan 1’
Prompt: ACE(config-if-eth1.1)#
Exit Method: To return one level up use ‘exit’. To return to the ACE use ‘end’.
Supported Functionalities
The RL1000GW is a feature rich industrial router supporting:
» L3 dynamic and static Routing.
» SCADA services.
» Firewall.
» Secure networking.
The below table gives a high level view of the supported features.
Feature Set
TFTP Ethernet ports Serial ports Cellular modem
OSPF Vlan tagging IPSec VPN
Management Authentication SCADA Gateway SCADA Firewall
L3-L4 Firewall QOS Serial services Terminal services
NAT Syslog OSPF RIP*
DHCP Client
The below table details the RL1000GW planned features.
Group Feature
Interfaces Cellular modem with 2 SIM cards X
FE RJ45 Ports X
Fiber Optic port X
Gigabit port X
RS 232 ports X
RS 485 4wire ports X
SFP Port X
Auto Crossing X
Auto Negotiation IEEE 802.3ab X
VLAN segregation Tagging IEEE 802.1q X
Backup / Restore running config X
Conditioned/ scheduled system reboot X
Console serial port X
TFTP client X
Inband Management X
Outband Management X
Remote Upgrade X
Safe Mode X
SFTP Client X
Syslog X
Telnet Client X
Telnet server X
TFTP Client X
Networking QOS X
Protection Conditioned/ scheduled system reboot X
Protection between Cellular ISP (SIM cards backup) X
Routing DHCP Client X
IPv4 X
OSPF v2 X
RIPv2 X
Static Routing X
Security ACLs, L3-L4 X
Application aware IPS Firewall for SCADA protocols X
IPSec X
Local Authentication X
Port shutdown X
Time Local Time settings X
Diagnostics Counters & statistics per Port X
Led diagnostics X
Ping X
RMON X
Serial Gateway IEC 101/104 gateway X
IEC 104 Firewall X
Serial Transparent Tunneling X
Terminal Server X
VPN L3 mGRE DM-VPN X
System Default state
The following table details the default state of features and interfaces.
Feature Default state
Ethernet Ports All ports are enabled
Serial interfaces Disabled
Cellular modem Disabled
Layer 3 interface No default IP
Authentication local
DHCP Client disabled
SSH server Enabled
SSH client Enabled
Telnet client Enabled
Telnet server Blocked
TACACS disabled
Syslog Enabled
ACLs No ACLs
Firewall Disabled
VPN No VPN settings
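As an added example that is not part of the ComNet manual: the script below parses the default-state rows as printed above and lists which factory defaults differ from a site's commissioning baseline. `SITE_BASELINE`, its accepted states and reasons, and the function names are hypothetical assumptions; only the table rows come from this page.

```python
import re

# Rows copied from the "System Default state" table above.
DEFAULT_STATE_TABLE = """\
Ethernet Ports All ports are enabled
Serial interfaces Disabled
Cellular modem Disabled
Layer 3 interface No default IP
Authentication local
DHCP Client disabled
SSH server Enabled
SSH client Enabled
Telnet client Enabled
Telnet server Blocked
TACACS disabled
Syslog Enabled
ACLs No ACLs
Firewall Disabled
VPN No VPN settings
"""

# In that table every state cell starts with one of these words, which is
# what lets a flattened "feature state" row be split back into two columns.
_STATE_START = re.compile(
    r"\s+(?=(?:all|no|local|enabled|disabled|blocked)\b)", re.IGNORECASE
)


def parse_default_table(text):
    """Return {feature: state}, both lower-cased, from flattened table rows."""
    states = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = _STATE_START.split(line, maxsplit=1)
        if len(parts) != 2:
            # Refuse to guess: an unparsed row could hide a risky default.
            raise ValueError(f"cannot split row into feature/state: {line!r}")
        feature, state = parts
        states[feature.lower()] = " ".join(state.lower().split())
    return states


# Hypothetical site policy (assumption): feature, accepted states, reason.
SITE_BASELINE = [
    ("Firewall", {"enabled"}, "SCADA traffic must be inspected before go-live"),
    ("ACLs", {"configured"}, "L3-L4 filtering is required on IP interfaces"),
    ("Telnet server", {"blocked", "disabled"}, "no cleartext management access"),
    ("Telnet client", {"disabled"}, "no cleartext sessions from the gateway"),
    ("SSH server", {"enabled"}, "encrypted remote management"),
    ("TACACS", {"enabled"}, "central authentication for operators"),
    ("Syslog", {"enabled"}, "events must be logged"),
    ("Ethernet Ports", {"unused ports shut down"}, "unused ports stay closed"),
]


def commissioning_gaps(states, baseline):
    """List (feature, current state, reason) for every baseline rule not met.

    A feature that is missing from the table is reported as a gap, so an
    incomplete table never passes silently.
    """
    gaps = []
    for feature, accepted, reason in baseline:
        current = states.get(feature.lower())
        if current is None:
            gaps.append((feature, "<not in table>", reason))
        elif current not in accepted:
            gaps.append((feature, current, reason))
    return gaps


if __name__ == "__main__":
    parsed = parse_default_table(DEFAULT_STATE_TABLE)
    for feature, current, reason in commissioning_gaps(parsed, SITE_BASELINE):
        print(f"CHANGE {feature}: default is '{current}' ({reason})")
```
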
Main Commands
The Global Configuration Environment list of main CLI commands is shown below.
+ root
+ Router {interface | route |static |ospf |ip |rip}
+ cellular {connection | continuous-echo| disable |enable| modem| network| refresh| settings| show| wan}
+ commit
+ capture {delete |export |help |show |start |stop}
+ date
+ discrete {service| show}
+ dns {host| resolver}
+ exit
+ firewall {log| profile| tcp| serial}
+ idle-timeout
+ iec101-gw {cnt| operation| config iec-101| config iec-104| config gw| show}
+ ipsec {enable| disable| isakmp update| policy| preshared| log-show| show| show-sa proto}
+ ipsec-vpn tunnel {show | create | remove}
+ vpn {gre| ipsec| l2}
+ ping
+ reload {cancel| schedule| show}
+ schedule {add |show |remove}
+ serial {card |port| local-end-point| remote-end-point}
+ ssh
+ syslog show
+ telnet
+ terminal-server {admin-status| counters| settings| connections| serial-tunnel| telnet-service}
+ trace
+ version
System Version and Data Base
Configuration Database
User configuration takes effect immediately when it is entered; no COMMIT command is needed for a change to apply. For configuration changes to survive a system reboot, however, a COMMIT must be performed.
The user can also export the running configuration to a file with a chosen name for backup, and import that file later to boot the system with it when needed.
User configuration is saved using the following command:
RL1000GW# commit
Building configuration...
[OK]
To remove all user configuration and return the router to its factory defaults, erase RL1000GW.conf with the following commands:
RL1000GW# delete startup-cfg
RL1000GW# reload
The database can be exported to a TFTP server using TFTP:
RL1000GW# db export filename my-file-name remote-host aa.bb.cc.dd
NOTE: An imported db file is activated only after a system reboot.
OS VERSION
The system version can be updated from a TFTP/SFTP server or from safe mode.
The OS files available on the router can be listed with the command shown below.
The running OS file is marked with “active”.
RL1000GW# os-image show-list
Versions list:
RF_RL1000GW_4.0.02.67.tar (active)
NOTE: The RL1000GW can hold a maximum of two OS image files on its disk. Before downloading a new OS file to the router, make sure the RL1000GW holds only one file (the active one). If needed, delete the unused file before attempting to download a new one.
Commands Hierarchy
+ Root
  - commit
  + delete
    - diagnostics
    - logs
    - startup-cfg
  - os-image show-list
  - os-image activate version-name <file_name>
  - os-image delete version-name <file_name>
  - os-image download download-sw sftp://user:password@aa.bb.cc.dd/file_name
  - os-image download download-sw tftp://aa.bb.cc.dd/file_name
  - os-image download-status
  - reload
  - db import {remote-host <IP, A.B.C.D>} [filename <>]
  - db export {remote-host <IP, A.B.C.D>} [filename <>]
  - show disk info
NOTE: System must be rebooted following activation of a new OS image file
Example
The following flow will show how to upgrade the OS image file and export the data base.
1. Connect your PC via serial console cable to the RL1000GW console port
2. Create an IP interface over eth1
RL1000GW#router interface create address-prefix 172.18.212.231/24 physical-interface eth1 purpose application-host
3. Check connectivity to the tftp server from which the software will be downloaded
PING 172.18.212.240 (172.18.212.240): 56 data bytes
64 bytes from 172.18.212.240: seq=0 ttl=64 time=1.026 ms
64 bytes from 172.18.212.240: seq=1 ttl=64 time=0.642 ms
64 bytes from 172.18.212.240: seq=2 ttl=64 time=0.647 ms
4. Display available OS files
RL1000GW# os-image show-list
Versions list:
RF_RL1000GW_4.0.02.57.tar (active)
RF_RL1000GW_4.0.02.56.tar
5. Deleting unneeded OS files
RL1000GW# os-image delete version-name RF_RL1000GW_4.0.02.56.tar
RL1000GW# os-image show-list
Versions list:
RF_RL1000GW_4.0.02.57.tar (active)
RL1000GW#
6. Downloading the OS file from the TFTP server
Command syntax:
RL1000GW# os-image download download-sw tftp://aa.bb.cc.dd/file_name
Example:
RL1000GW# os-image download download-sw tftp://172.18.212.240/RF_RL1000GW_4.0.02.67.tar
7. Following download progress
RL1000GW# os-image download-status
In progress 3 MB
RL1000GW# os-image download-status
In progress 10 MB
RL1000GW# os-image download-status
In progress 16 MB
RL1000GW# os-image download-status
Finished Download
8. Activating the desired OS file (will automatically reboot the device)
RL1000GW# os-image activate version-name RF_RL1000GW_4.0.02.67.tar
..
RL1000GW# os-image show-list
Versions list:
RF_RL1000GW_4.0.02.57.tar
RF_RL1000GW_4.0.02.67.tar (active)
9. Exporting the configuration database to the TFTP server
Command syntax:
RL1000GW# db export filename my-file-name remote-host aa.bb.cc.dd
Example:
RL1000GW# db export filename db-May-14 remote-host 172.18.212.240
10. Importing the configuration database from the TFTP server
Command syntax:
RL1000GW# db import filename my-file-name remote-host aa.bb.cc.dd
Example:
RL1000GW# db import filename db-May-14 remote-host 172.18.212.240
Completed OK, reboot to activate
RL1000GW# reload schedule in 0
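The checks in steps 4, 5 and 8 above (only the active image on disk before a download, and the intended image active afterwards), applied to captured console output. This is an added example, not part of the manual or ComNet tooling; the capture strings are constructed from the manual's example output and the function names are hypothetical.

```python
import re

# Constructed captures, modelled on the example output in the steps above.
BEFORE = """RL1000GW# os-image show-list
Versions list:
RF_RL1000GW_4.0.02.57.tar (active)
RF_RL1000GW_4.0.02.56.tar
"""
AFTER_DELETE = """RL1000GW# os-image show-list
Versions list:
RF_RL1000GW_4.0.02.57.tar (active)
RL1000GW#
"""
AFTER_ACTIVATE = """RL1000GW# os-image show-list
Versions list:
RF_RL1000GW_4.0.02.57.tar
RF_RL1000GW_4.0.02.67.tar (active)
"""

def parse_show_list(output):
    """Return (image_names, active_name) from 'os-image show-list' output."""
    images, active = [], None
    for line in output.splitlines():
        m = re.fullmatch(r"\s*(\S+\.tar)\s*(\(active\))?\s*", line)
        if not m:
            continue  # prompt, command echo, 'Versions list:' header
        images.append(m.group(1))
        if m.group(2):
            if active is not None:
                raise ValueError("more than one image marked active")
            active = m.group(1)
    if images and active is None:
        raise ValueError("no image marked active")
    return images, active

def unused_images(output):
    """Images step 5 would delete: everything except the active one."""
    images, active = parse_show_list(output)
    return [name for name in images if name != active]

def ready_for_download(output):
    """True when only the active image is on disk, as the NOTE requires."""
    images, active = parse_show_list(output)
    return images == [active]

def upgrade_verified(output, target):
    """True when the image activated in step 8 is the one marked active."""
    _, active = parse_show_list(output)
    return active == target
```
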
Safe Mode
The system has two safe mode menus available.
To access safe mode, connect to the router via console cable, reboot the unit and interrupt the boot process at the safe mode prompt.
The first safe mode is for approved technicians only and should not be used unless specified by ComNet. This safe mode state is available at the prompt
“For first safe mode Press ‘s’...”
The second safe mode is accessible at the following prompt:
##########################
For safe mode Press ‘s’...
##########################
The screen capture below shows the two safe mode menus and their options for:
1. System reset
2. Load the factory-default configuration for the device
3. Write to EEPROM (should be used only after consulting with ComNet)
4. Recover the device’s images from a package file
5. Export / Import DB (running configuration)
Safe mode view
For first safe mode Press ‘s’...
PHY: fixed-0:02 - Link is Up - 100/Full
s
-----------------------------------------------------------------------------------------
|safe mode menu: |
| reset | 1 : Reset the device |
| format | 2 : Format flash |
| activate | 3 : Activate sw version on flash |
| install | 4 : Install first sw version from TFTP |
| continue | c : Continue with start up process |
| help | H : Display help about this utility |
c
Extracting software
\s
OK
01/01/70 00:01:09 Running applications
##########################
For safe mode Press ‘s’...
##########################
-----------------------------------------------------------------------------------------
|safe mode menu:
| reset | 1 : Reset the device
| defcfg | 2 : Load the factory-default configuration for the device
| eeprom | 3 : Write to EEPROM
| recover | 4 : Recover the device’s images from a package file
| db | 5 : Export / Import DB
| continue | c : Continue in start up process
| help | H : Display help about this utility
SW Image Installation
The following steps guide you through the first installation of the software.
1. Connect your PC via serial console cable to the RL1000GW console port
2. Reboot the unit and enter safe mode. Select option 4
-----------------------------------------------------------------------------------------
|safe mode menu: |
| reset | 1 : Reset the device |
| format | 2 : Format flash |
| activate | 3 : Activate sw version on flash |
| install | 4 : Install first sw version from TFTP |
| continue | c : Continue with start up process |
| help | H : Display help about this utility |
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!! This choice will delete data from flash !!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!! Continue [y/n] !!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
y
3. Assign an IP address and subnet to the RL1000GW
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Connect an ethernet cable to the ETH port and Enter the following parameters (xxx.xxx.xxx.xxx) !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
DEVICE IP ADDRESS [10.10.10.5]: [enter here an ip for the RL1000GW]
DEVICE IP ADDRESS NETMASK [255.255.255.0]: [enter here subnet ip for the RL1000GW]