Settings

7. Settings

The information in this chapter is identical to the content of the Help for the individual menus, which will gradually be added to all screens.

7.1. Interfaces

7.1.1. Ethernet

RipEX2 provides 5 physical Ethernet ports: ETH1, ETH2, ETH3, ETH4 and ETH5. The first four ETH ports are metallic; the fifth is an SFP port. An Ethernet bridge (a logical Network interface) can be defined by bridging (joining) together multiple physical Ethernet interfaces. All interfaces bridged together share the same traffic.

The Network interface (technically an Ethernet bridge) is identified by a name, which always begins with the “LAN-” prefix. Multiple Network interfaces can be defined, and multiple physical Ethernet interfaces can be bridged together using a single Network interface.

When the unit is operating in Bridge mode, the default Network interface bridges together not only the physical Ethernet ports but also the Radio interface. All Ethernet traffic received by those Ethernet ports is transferred to the Radio interface and transmitted over the Radio channel, and vice versa. Because every frame reaching a bridged port crosses the Radio channel, only devices that actually need to communicate over the radio should be attached to a bridged port.

When the unit is operating in Router mode, the Radio channel transmits only the traffic which is directed to the Radio interface by the Routing rules.

The default setting of the radio unit bridges all Ethernet ports together. New Network interfaces can be defined to split the Ethernet traffic of the individual ports. Any single Ethernet port can be detached from an existing Network interface and added to another Network interface.

Single or multiple Ethernet subnets can be defined within one Network interface. Each subnet is identified by its IP address & mask. Use the optional Note field to keep your network configuration human readable.

Enable / Disable: enables / disables the specific Ethernet subnet

IP address: IP address & mask of the specific Ethernet subnet (in CIDR notation). The IP address represents the Network interface in the Layer 3 Ethernet network.

Note: Ethernet subnet description (optional).

[Note]Note

VLAN (IEEE 802.1Q) settings are accessible via ADVANCED menu only.

7.1.2. Radio

Radio interface behavior is heavily affected by the Radio protocol. There are several protocols available:

  • Transparent – This protocol is very simple; no channel access mechanism takes place. Suitable for star topology with at most one repeater along the packet path. Available in Bridge mode.

  • Base driven – TCP/IP optimized protocol with a deterministic channel access mechanism. Suitable for star topology with at most one repeater along the packet path. Available in Router mode.

  • Flexible – Suitable for master or even multi-master/slave polling and for report by exception from remotes, concurrently. No limits in network design: each radio can work as a base station, a repeater, a remote, or all of these simultaneously.

Radio channel parameters (such as frequency, output power etc.) are common to all protocols. They are described later in this chapter.

7.1.2.1. Radio channel parameters

  • TX frequency
    Transmitting frequency in Hz. Step 5 kHz (for 25 kHz channel spacing) or 6.25 kHz (for 12.5 or 6.25 kHz channel spacing).

    The value entered must be within the frequency tuning range of the product as follows:

    RipEX2-1A: 135-175 MHz

    RipEX2-3A: 285-335 MHz

    RipEX2-3B: 335-400 MHz

    RipEX2-4A: 400-470 MHz

    RipEX2-4B: 450-520 MHz

  • RX frequency
    Receiving frequency, the same format and rules apply as for TX frequency.

  • Antenna configuration
    List box {Single (Tx/Rx); Dual (Rx; Tx/Rx)}, default = “Dual (Rx; Tx/Rx)”

    See Section 1.2.1, “Antenna” for details.

  • RF power PEP
    RF power in dBm (PEP). For the maximum power of the individual modulations and the relationship between PEP and RMS, see Section 7.1.2.3, “Base driven protocol (Router mode)” of this manual.

  • Channel spacing [kHz]
    List box {possible values}, default = “25 kHz”

    [Note]Note

    Channels 250 and 300 kHz are available only in Bridge mode.

  • Occupied bandwidth limit [kHz]
    List box {possible values}, default = “25 kHz”

    Occupied bandwidth is limited by the granted radio channel. The standards supported by the individual OBW limits are listed in Section 9.1, “Detailed radio channel parameters” of this manual.

  • Modulation type
    List box {FSK, QAM}, default = “FSK”

    • FSK
      Suitable for difficult conditions – longer radio hops, non-line of sight, noise / interferences on Radio channel…

      [Note]Note

      FSK belongs to the continuous-phase frequency-shift keying family of non-linear modulations. Compared to QAM (linear modulations), FSK is characterized by narrower bandwidth, a lower symbol rate and higher sensitivity. As a result, the system gain is higher, power efficiency is higher, but spectral efficiency is lower.

    • QAM
      Suitable for normal conditions offering higher data throughput.

      [Note]Note

      QAM and the differential PSK variants listed under it belong to the family of linear modulations. Compared to FSK (non-linear modulations), they are characterized by wider bandwidth. Spectral efficiency is higher, power efficiency is lower and system gain is typically lower.

  • Modulation

    • FSK modulations:
      List box {2CPFSK; 4CPFSK}, default = “2CPFSK”

    • QAM modulations:
      List box {DPSK; π/4DQPSK; D8PSK; 16DEQAM; 64QAM; 256QAM}, default = “DPSK”

  • FEC
    List box {2/3; 3/4; 5/6; Off}, default = “Off”

    FEC (Forward Error Correction) is a very effective method of minimizing radio channel impairments. Basically, the sender inserts some redundant data into its messages. This redundancy allows the receiver to detect and correct errors; a Trellis code with a Viterbi soft-decision decoder is used. The improvement comes at the expense of the bitrate: the lower the FEC ratio, the better the error-correction capability and the lower the bitrate. Bitrate = Modulation rate × FEC ratio.

  • Encryption
    List box {Off; AES 256-CCM}, default = “Off”

    AES 256-CCM (Advanced Encryption Standard in CCM mode) can be used to protect your data from intrusion on the Radio channel. When AES 256 is On, a control block of 16 Bytes is attached to each frame on the Radio channel. AES requires an encryption key. The key length is 256 bits (32 Bytes, 64 hexadecimal characters). The same key must be stored in all units within the network. Since every unit shares this one key, a compromised unit exposes the radio traffic of the whole network, and changing the key means reconfiguring every unit.

  • Mode
    List box {Passphrase; Key}, default = “Passphrase”

    • Passphrase: The key can be generated automatically from a Passphrase. Fill in your Passphrase (any printable ASCII characters, min. 1 char, max. 128 chars). The same Passphrase must be set in all units within the network. Because the key is derived from the Passphrase, it is only as strong as the Passphrase: a short or guessable Passphrase can be brute-forced regardless of the 256-bit key length, so use a long random Passphrase or enter a randomly generated Key directly.

    • Key [64 hex digits]: The key can be configured manually (fill in 32 Bytes as 64 hexadecimal characters). The same key must be in all units within the network.
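Handling the key material described above, as an added example that is not RipEX2 firmware or RACOM code: generate_key_hex() produces the 64-hex-digit form the Key mode takes, validate_key_hex() and validate_passphrase() enforce the stated limits, and key_fingerprint() gives operators a short value to compare between units without exchanging the key itself. derive_key_demo() is a HYPOTHETICAL PBKDF2-based derivation used only to show that identical Passphrases yield identical keys; the manual does not say how RipEX2 derives its key from a Passphrase, and the salt and iteration count are assumptions.

```python
# Added example (not RipEX2 firmware code): key material handling for the
# AES 256-CCM setting. derive_key_demo() is a HYPOTHETICAL derivation; the
# unit's real Passphrase-to-key algorithm is not given in the manual.
import hashlib
import hmac
import math
import secrets

KEY_BYTES = 32                  # 256-bit key
KEY_HEX_DIGITS = KEY_BYTES * 2  # "64 hexa chars"
PASSPHRASE_MAX = 128
PRINTABLE_ASCII = 95            # 0x20..0x7E


def generate_key_hex() -> str:
    """Random 256-bit key, ready to paste into the Key [64 hex digits] field."""
    return secrets.token_hex(KEY_BYTES)


def validate_key_hex(key: str) -> bytes:
    """Accept exactly 64 hex digits; return the 32 raw key bytes."""
    key = key.strip()
    if len(key) != KEY_HEX_DIGITS:
        raise ValueError(f"key must be {KEY_HEX_DIGITS} hex digits, got {len(key)}")
    try:
        return bytes.fromhex(key)
    except ValueError:
        raise ValueError("key contains non-hexadecimal characters") from None


def validate_passphrase(passphrase: str) -> str:
    """Printable ASCII, 1..128 characters, as the Passphrase mode requires."""
    if not 1 <= len(passphrase) <= PASSPHRASE_MAX:
        raise ValueError("passphrase must be 1..128 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return passphrase


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper bound on the strength a passphrase-derived key can have:
    len * log2(95), assuming uniformly random printable ASCII. Below 256 bits
    the key is weaker than its 32 bytes suggest."""
    return len(validate_passphrase(passphrase)) * math.log2(PRINTABLE_ASCII)


def derive_key_demo(passphrase: str, salt: bytes = b"ripex2-demo") -> bytes:
    """HYPOTHETICAL derivation (PBKDF2-HMAC-SHA256, assumed salt/iterations);
    NOT the unit's algorithm. Same passphrase in -> same 32-byte key out."""
    return hashlib.pbkdf2_hmac("sha256", validate_passphrase(passphrase).encode("ascii"),
                               salt, 100_000, dklen=KEY_BYTES)


def key_fingerprint(key: bytes) -> str:
    """Short SHA-256 fingerprint so two operators can confirm their units hold
    the same key without reading the key itself over the phone."""
    return hashlib.sha256(key).hexdigest()[:16]


def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison of two raw keys."""
    return hmac.compare_digest(a, b)
```

Compare fingerprints, not keys, when checking that all units were provisioned identically; a fingerprint leaked in a ticket or chat log does not reveal the key.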

7.1.2.2. Transparent protocol (Bridge mode)

Bridge mode with the fully transparent Radio protocol is suitable for all polling (request-response) applications with star network topologies; repeater(s) are nevertheless possible.

A packet received through any interface (bridged with the radio interface) is broadcast to the appropriate interfaces of all units within the network.

Any unit can be configured as a repeater. A repeater relays all packets it receives through the radio channel. The network implements safety mechanisms which prevent cyclic loops in the radio channel (e.g. when a repeater receives a packet from another repeater) and duplicate packets being delivered to the user interface (e.g. when a RipEX2 receives a packet directly and then again from a repeater).

The Transparent protocol does not resolve collisions on the radio channel. There is, however, a CRC check of data integrity, i.e. a message that is delivered has passed the CRC check and is free of detectable errors.

  • Radio protocol
    List box {Transparent; Base driven; None}, default = “Transparent”

  • Communication mode
    List box {Half Duplex; Full Duplex}, default = “Half Duplex”
    Full duplex mode is intended to be used mainly for Point-to-Point communication. Full duplex operation is not possible in networks with repeaters.

  • Unit is repeater
    List box {On; Off}, default = “Off”
    Each RipEX2 may work simultaneously as a Repeater (Relay) in addition to the standard Bridge operation mode.

    If “On”, every frame received from the Radio channel is forwarded to the respective user interface (ETH, COM) and transmitted to the Radio channel again.

    The Bridge functionality is not affected, i.e. only frames whose recipients belong to the local LAN are sent out of the ETH interface.

    It is possible to use more than one Repeater within a network. To eliminate the risk of creating a loop, the “Number of repeaters” has to be set in all units in the network, including the Repeater units themselves.

    Warning: If Repeater mode is enabled, “Modulation rate” and “FEC” must be set to the same value throughout the whole network to prevent frame collisions.

  • No of repeaters
    Number {0 – 7}, default = 0
    If there is a repeater (or more of them) in the network, the total number of repeaters within the network MUST be set in all units in the network, including the Repeater units themselves. After transmitting to or receiving from the Radio channel, further transmission (from this RipEX2) is blocked for a period calculated to prevent a collision with a frame transmitted by a Repeater. Furthermore, a copy of every frame transmitted to or received from the Radio channel is stored (for a period). Whenever a duplicate of a stored frame is received, it is discarded to avoid possible looping. These measures are not taken when the parameter “Number of repeaters” is zero, i.e. in a network without repeaters.

  • Tx delay [B]
    Number {0 – 1600}, default = 0
    This parameter should be used when all substations (RTUs) reply to a broadcast query from the master station. In such a case massive collisions would ensue, because all substations would reply at nearly the same time. To prevent such collisions, Tx delay should be set individually in each slave RipEX2 so that the replies are staggered. The length of the responding frame, the length of the Radio protocol overhead and the modulation rate have to be taken into account.
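Building the staggered per-slave Tx delay schedule the paragraph above calls for, as an added example that is not RipEX2 firmware or RACOM code. The Tx delay range (0 to 1600 B) and the Bitrate = Modulation rate × FEC ratio relation come from this chapter; OVERHEAD_B and the modulation rates used in the test are assumed values for illustration, since the manual gives neither the protocol overhead nor a rate table here.

```python
# Added example (not RipEX2 firmware code): per-slave Tx delay [B] schedule
# for replies to one broadcast query. OVERHEAD_B is an assumed figure.
from typing import Dict

TX_DELAY_MAX_B = 1600          # range of the Tx delay [B] field
FEC_RATIO = {"Off": 1.0, "2/3": 2 / 3, "3/4": 3 / 4, "5/6": 5 / 6}
OVERHEAD_B = 32                # assumed Radio protocol overhead per frame, bytes


def bitrate_bps(modulation_rate_bps: float, fec: str) -> float:
    """Bitrate = Modulation rate x FEC ratio (the relation stated under FEC)."""
    return modulation_rate_bps * FEC_RATIO[fec]


def slot_bytes(reply_len_b: int, overhead_b: int = OVERHEAD_B) -> int:
    """Air occupancy of one reply, in bytes: worst-case reply plus overhead."""
    if reply_len_b <= 0:
        raise ValueError("reply length must be positive")
    return reply_len_b + overhead_b


def tx_delay_schedule(num_slaves: int, reply_len_b: int,
                      overhead_b: int = OVERHEAD_B) -> Dict[int, int]:
    """Slave n waits n reply slots, so the replies are serialized on the channel.
    Raises if a delay would exceed the field maximum instead of silently clamping,
    because a clamped slave would collide with the one before it."""
    slot = slot_bytes(reply_len_b, overhead_b)
    schedule = {}
    for n in range(num_slaves):
        delay = n * slot
        if delay > TX_DELAY_MAX_B:
            raise ValueError(f"slave {n} needs {delay} B, field maximum is {TX_DELAY_MAX_B} B")
        schedule[n] = delay
    return schedule


def max_slaves(reply_len_b: int, overhead_b: int = OVERHEAD_B) -> int:
    """How many slaves one broadcast query can serve before the field runs out."""
    return TX_DELAY_MAX_B // slot_bytes(reply_len_b, overhead_b) + 1


def delay_ms(delay_b: int, modulation_rate_bps: float, fec: str) -> float:
    """What a byte-denominated delay means in time at the effective bitrate."""
    return delay_b * 8 * 1000 / bitrate_bps(modulation_rate_bps, fec)
```

The schedule has to be recomputed whenever the reply length, modulation rate or FEC changes, because the delay is expressed in bytes and its duration in milliseconds follows the effective bitrate.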

7.1.2.3. Base driven protocol (Router mode)

Router mode with the Base driven protocol (BDP) is suitable for a star network topology with up to 256 Remotes under one Base station. Each Remote can work as a Repeater for one or more additional Remotes. This protocol is optimized for TCP/IP traffic and/or ‘hidden’ Remotes in report-by-exception networks, where a Remote cannot be heard by other Remotes and/or different Rx and Tx frequencies are used.

Frame acknowledgement, retransmissions and CRC check guarantee data delivery and integrity even under harsh interference conditions on the Radio channel.

[Note]Note

There is no need to set any routes in the Routing table(s) for Remote stations located behind a Repeater. Forwarding of frames from the Base station over the Repeater in either direction is handled transparently by the Base driven protocol.

[Note]Note

When Remote-to-Remote communication is required, the respective routes via the Base station have to be set in the Routing tables of the Remotes.

7.1.2.3.1. Radio protocol – Base station

  • Station type
    List box {Base; Remote}, default = “Base”

    [Note]Note

    Only one Base station should be present within one radio coverage when Base driven protocol is used.

7.1.2.3.2. Base station – List of Remote stations

  • BDP address (from), BDP address (to)
    The Protocol address [0 to 255] is the unique address assigned to each Remote and is used only by the Base driven protocol. It is set in the Remote unit in its Radio protocol settings. The default and recommended setting makes the Protocol address equal to the last byte of the Radio IP address (the Protocol address mode in the Remote unit is then set to Automatic). If a specific address is required, fill both fields with the same number. If an interval is required, fill the fields with the first and last number of the range.

  • Modulation type
    List box {2CPFSK; 4CPFSK; DPSK; π/4DQPSK; D8PSK; 16DEQAM; 64QAM; 256QAM}, default = “2CPFSK”

  • FEC
    List box {Off; 2/3; 3/4; 5/6}, default = “Off”

  • ACK
    List box {On; Off}, default = “On”

  • Retries
    Number {0 – 15}, default = 3

    Set value is used in one direction from Base to Remote (Remote to Base direction is configured in Remote unit in its Radio protocol settings). If the Remote station is behind Repeater, set value is used for both radio hops: Base station – Repeater and Repeater – Remote.

  • CTS Retries
    Number {0 – 15}, default = 3

    Based on a sophisticated internal algorithm, the Base station sends a CTS (Clear To Send) packet which allows the Remote station to transmit. If the Remote station is connected directly to the Base station (not behind a Repeater) and the Base station doesn't receive a frame from the Remote station, the Base station repeats the permission to transmit, up to the number of CTS Retries.

  • Connection
    List box {Direct; Direct & Repeater; Behind repeater}, default = “Direct”

7.1.2.3.3. Radio protocol – Remote station

  • Automatic address mode
    List box {On; Off}, default = “On”

  • BDP address
    Number {0 – 255}

    Protocol address of this Remote, used when Automatic address mode is “Off”. When Automatic address mode is “On”, the last byte of the Radio IP address is used instead.

  • ACK
    List box {On; Off}, default = “On”

7.1.2.4. Flexible Protocol (router mode)

Router mode with the Flexible protocol is suitable for multipoint networks of all topologies with an unlimited number of repeaters on the way, and for all types of network traffic, including multi-master applications and any combination of simultaneous polling and/or report-by-exception protocols.

  • IP / Mask
    IP address of the radio interface and the mask of the radio network.

  • ACK
    List box {On; Off}, default = “On”

    General setting for acknowledging received packets. It can be set differently in the individual link options.

  • Retries [No.]
    Number {0 .. 15}, default = 3

  • Foreign packets RSS threshold [-dBm]
    Number {50..150}, default = 120

    A received foreign packet (a packet which is not addressed to this unit) with a signal weaker than this threshold (i.e. an RSS further below zero than the listed value; e.g. with the limit 120, meaning -120 dBm, an actual RSS of -126 dBm is weaker) leaves the channel evaluated as free. If the foreign packet's RSS is above this limit, the channel is considered occupied and the unit waits until the end of that packet before proceeding with its own transmission.

  • Repeat COM broadcast
    List box {On; Off}, default = “Off”

    When On, broadcast COM packets are retransmitted into the radio channel. When Off, these packets are not repeated.

7.1.2.4.1. Individual link option

It is possible to add exceptions for radio links with particular conditions (e.g. longer or shorter than the common ones).

The individual link is defined by Counterpart radio IP. For this link it is possible to set individually Modulation, FEC, ACK, Retries.

Retries are used to set a number of repeats, when the packet is not acknowledged (in case of ACK ON). The standard number of retries is 3.

7.1.2.5. Advanced radio parameters

The Advanced settings allow the radio and radio protocol parameters to be customized. Typically these parameters should remain at their default values.

These settings can be found in the ADVANCED/Interfaces/Radio/ menu.

7.1.2.5.1. Radio parameters – advanced

The advanced radio parameters are:

  • Maximal distance
    Number {0 to 200}, default = 100

    This parameter allows to set a maximal distance of a radio hop (in km). The same number shall be used for the whole network. We recommend to change the value only in case that the network uses radio hops longer than 100 km.

  • Resilience
    List box {High sensitivity; Auto; High resilience}, default = “Auto”

    RipEX2 is equipped with a cognitive function for selecting the receiving mode. When exposed to a radio environment where strong interfering signals (stronger than -45 dBm) are present, RipEX2 senses them and adaptively increases its resistance to interference (by lowering its sensitivity by up to 2-3 dB).

    The Resilience parameter controls this functionality. By default Auto is set: while interference persists, RipEX2 stays in the High resilience mode of receiver operation and signals this state by turning the yellow RX LED on. Once the interfering signals fade away, RipEX2 automatically returns to its High sensitivity mode of receiver operation. It is possible to switch this functionality permanently off (High sensitivity) or permanently on (High resilience).

  • High resilience LED indication
    List box {On; Off}, default = “Off”

    Enables indication of High resilience mode by yellow RX status LED.

7.1.2.5.2. Queues
  • TX Buffers
    The Radio protocol transmission buffer handles data waiting to be transmitted. Its size is defined by both the number of records (Queue length) and total storage space (Queue size) requirement. Records are held in a queue which is considered full, if either the Queue length or Queue size is reached. New incoming frames are not accepted when the queue is full.

    The TX buffer is active for all radio protocols.

    This functionality is available in ADVANCED/Interfaces/Radio/Queues menu

  • Queue length [packets]
    Number {1 – 31}, default = 5

    Queue length dictates the maximum number of records held in the queue.

  • Queue size [kB]
    Number {1 – 48}, default = 5

    Queue size dictates the total size of all records that can be held in the queue.

  • TX Buffer timeout enabled
    List box {Off; On}, default = “Off”

    The frames waiting for transmission in the Radio protocol output frame queue will be discarded after the TX Buffer timeout expires. This parameter should be enabled for types of applications where sending old frames brings no benefit.

    When the frame is discarded the event is recorded, both in the statistics (as “Rejected”) and in the monitoring (the respective frame is displayed with the “Tx buffer timeout” tag).

  • TX Buffer store timeout [s]
    Number {0.01 – 150}, granularity 0.01, default = 5

    Radio protocol transmit buffer timeout. “TX Buffer timeout enabled” must be On for this parameter to take effect.

7.1.2.5.3. Flexible – advanced

These settings allow the individual length and number of the slots used for accessing the radio channel, or for waiting before retransmission of an undelivered packet, to be customized.

The length of the slots has to be the same in all radio units within one radio network. It is highly recommended to consult any changes of these parameters with our technical support.

7.1.3. COM

Data coming into the RipEX2 unit from the COM port are received by the Protocol module. The Protocol module behavior depends on the Protocol selected. In the case of the Transparent protocol (available in Bridge mode only), the data are transparently transmitted to the RipEX2 network and sent out through all COM ports with the Transparent protocol selected. If any other protocol is selected, the incoming frame from the COM port is processed by the Protocol module, translated into a UDP datagram, forwarded to the RipEX2 router module and further processed according to the routing rules. UDP datagrams received by the RipEX2 unit from the RipEX2 network (matched by the unit IP address and the UDP port of the Protocol module) are translated back into the original frame format by the Protocol module and sent out through the COM port.

When expansion board “C” is installed, two additional COM ports (RS232) are available. Their settings are similar to those of the COM1 port.

The menu is divided into two parts:

7.1.3.1. COM port parameters

The settings of Baud rate, Data bits, Parity and Stop bits of the COM port must match those of the connected device.

  • Type
    List box {possible values}, default = “RS232”

    COM port can be configured to either RS232 or RS485.

  • Baud rate [b/s]
    List box {standard series of rates from 600 to 1152000 b/s}, default = “19200”

    Select Baud rate from the list box: 600 to 1152000 b/s rates are available.

    Serial ports use two-level (binary) signaling, so the data rate in bits per second is equal to the symbol rate in bauds.

  • Data bits
    List box {8; 7}, default = “8”

    The number of data bits in each character.

  • Parity
    List box: {None; Odd; Even}, default = “None”

    Wikipedia: Parity is a method of detecting errors in transmission. When parity is used with a serial port, an extra data bit is sent with each data character, arranged so that the number of 1-bits in each character, including the parity bit, is always odd or always even. If a byte is received with the wrong number of 1-bits, then it must have been corrupted. However, an even number of errors can pass the parity check.

  • Stop bits
    List box {possible values}, default = 1

    Wikipedia: Stop bits send at the end of every character allow the receiving signal hardware to detect the end of a character and to resynchronize with the character stream.

  • Idle [ms]
    Number {10 – 16383}, default = 20

    This parameter defines the maximum gap (in milliseconds) in the received data stream. If the gap exceeds the value set, the link is considered idle, and the received frame is closed and forwarded to the network.

  • MRU [B]
    Number {1 – 2047}, default = 1500

    MRU (Maximum Reception Unit) — an incoming frame is closed at this size even if the stream of bytes continues. Consequently, a permanent data stream coming to a COM results in a sequence of MRU-sized frames sent over the network.

    [Note]Note

    1. Very long frames (>800 B) require good signal conditions on the Radio channel, and the probability of a collision increases rapidly with frame length. Hence, if your application can work with smaller frames, it is recommended to use values in the 200 – 400 byte range.

    [Note]Note

    2. This MRU and the MTU in the Radio settings are independent; however, the MTU should be greater than or equal to the MRU.

  • Flow control
    List box {None; RTS/CTS}, default = “None”

    RTS/CTS (Request To Send / Clear To Send) hardware flow control (handshake) between the DTE (Data Terminal Equipment) and RipEX2 (DCE – Data Communications Equipment) can be enabled in order to pause and resume the transmission of data. If RX buffer of RipEX2 is full, the CTS goes down.

    [Note]Note

    RTS/CTS Flow control requires a 5-wire connection to the COM port.
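How the Idle and MRU parameters above delimit frames in a raw COM byte stream, as an added example that is not RipEX2 firmware or RACOM code. The parameter ranges are the ones listed above; the timestamped bytes in SAMPLE are constructed for the demo.

```python
# Added example (not RipEX2 firmware code): frame delimiting by Idle [ms] and
# MRU [B] on a serial byte stream. SAMPLE is a constructed input.
from typing import List, Optional


class ComFramer:
    """Close a frame when the inter-byte gap exceeds Idle or the frame reaches MRU."""

    def __init__(self, idle_ms: int = 20, mru: int = 1500):
        if not 10 <= idle_ms <= 16383:
            raise ValueError("Idle must be 10..16383 ms")
        if not 1 <= mru <= 2047:
            raise ValueError("MRU must be 1..2047 B")
        self.idle_ms, self.mru = idle_ms, mru
        self._buf = bytearray()
        self._last_ts: Optional[float] = None

    def _close(self) -> bytes:
        frame = bytes(self._buf)
        self._buf.clear()
        return frame

    def feed(self, byte: int, ts_ms: float) -> List[bytes]:
        """Feed one byte with its arrival time; return any frames it closed."""
        closed = []
        if self._buf and ts_ms - self._last_ts > self.idle_ms:
            closed.append(self._close())      # gap exceeded: the link was idle
        self._buf.append(byte)
        self._last_ts = ts_ms
        if len(self._buf) >= self.mru:
            closed.append(self._close())      # MRU reached although bytes keep coming
        return closed

    def poll(self, now_ms: float) -> Optional[bytes]:
        """Call periodically: close the pending frame once the line went idle."""
        if self._buf and now_ms - self._last_ts > self.idle_ms:
            return self._close()
        return None


def frame_stream(samples, idle_ms: int = 20, mru: int = 1500) -> List[bytes]:
    """samples: iterable of (ts_ms, byte). Returns the frames the port would forward."""
    framer = ComFramer(idle_ms, mru)
    frames: List[bytes] = []
    last_ts = 0.0
    for ts, b in samples:
        frames.extend(framer.feed(b, ts))
        last_ts = ts
    tail = framer.poll(last_ts + idle_ms + 1)   # line idle after the last byte
    if tail:
        frames.append(tail)
    return frames


# Constructed sample: "ABC" arrives back-to-back, a 48 ms pause, then "DE".
SAMPLE = [(0, 0x41), (1, 0x42), (2, 0x43), (50, 0x44), (51, 0x45)]
```

A device that never pauses its output never triggers the Idle rule, so MRU is what bounds the buffered frame size and turns the stream into fixed-size frames; a device whose messages contain internal pauses longer than Idle gets them split, which is why Idle must be longer than any gap inside one legitimate message.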

7.1.3.2. Common Protocol parameters

Each SCADA protocol used on serial interface is more or less unique. The COM port protocol module performs conversion to standard UDP datagrams to travel across RipEX2 Radio network.

  • Protocol
    List box {None; Transparent; Async Link; DNP3; DF1; IEC101; Modbus RTU; PR2000; RDS; S3964R; UNI}, default = “None”

    Transparent protocol can be used when unit operates in Bridge mode only. All the traffic is bridged transparently to RipEX2 network.

  • Broadcast
    List box {On; Off}, default = “On”

    Some SCADA Master units send broadcast messages to all Slave units. The SCADA application typically uses a specific address for such messages. RipEX2 (Protocol module) converts such a message to a customized IP broadcast and broadcasts it to all RipEX2 units, i.e. to all SCADA units within the network.

  • Broadcast address
    Number {0 – 65535}, default = 255

    The protocol address which is treated as broadcast address.

  • Address translation
    List box {Mask; Table}, default = “Mask”

    The SCADA protocol address is translated to the IP address using either the Mask (a common rule for all addresses) or the Table (a specific rule per address) type of conversion.

    • Mask

      [Note]Note

      − all IP addresses used have to be within the same subnet, which is defined by this Mask

      − the same UDP port is used for all the SCADA units, which results in the following limitations:

      − SCADA devices on all sites have to be connected to the same interface

      − only one SCADA device can be connected to one COM port, even if the RS485 interface is used.

    • Base IP / Mask
      A part of Base IP address defined by this Mask is replaced by ‘Protocol address’. The SCADA protocol address is typically 1 byte long, so Mask 24 (255.255.255.0) is most frequently used.

    • Destination UDP port
      List box {Manual; COM1 .. COM3; TS1 .. TS5}, default = “COM1”

      The same UDP port will be used for all destinations. This UDP port is used as the destination UDP port of the UDP datagram in which the serial SCADA packet received from COM is encapsulated. The default UDP ports for COM or Terminal servers can be used, or the UDP port can be set manually. If the destination IP address belongs to a RipEX2 and the UDP port is not assigned to a COM port, a Terminal server or any other special SW module running in the destination RipEX2, the packet is discarded.

    • Table
      The Address translation is defined in a table. There are no limitations such as when the “Mask” translation is used. If there are more SCADA units connected via the RS485 interface, their multiple “Protocol addresses” are translated to the same IP address and UDP port pair.

      [Note]Note

      You may add a note to each address with your comments (UTF8 is supported) for your convenience.

    • Protocol address (from)
      This is the address which is used by SCADA protocol.

      The typical Protocol address length is 1 Byte. Some protocols, e.g. DNP3 are using 2 Bytes long addresses.

    • Protocol address (to)
      Several consecutive SCADA addresses can be translated using one rule; this is the last address of the range.

    • IP address (base)
      IP address to which Protocol address will be translated. This IP address is used as destination IP address in UDP datagram into which serial SCADA packet received from COM is encapsulated. When several addresses are used, this will be the first IP address, the following one will have +1 etc.

    • Destination (UDP port)
      List box {MANUAL; COM1 .. COM3; TS1 .. TS5}, default = “COM1”

      This is the UDP port number used as the destination UDP port of the UDP datagram in which the serial SCADA message received from COM is encapsulated. Different Destination UDP ports can be used in different rules.
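The Mask and Table translations described above, as an added example that is not RipEX2 firmware or RACOM code. It also includes the overlap check a practitioner wants before loading a table, since one protocol address must map to exactly one destination. Assumptions: the Mask-mode broadcast target is the subnet's directed broadcast (the manual only says "a customized IP broadcast"), UDP ports are plain integers because the manual names COM1..COM3 / TS1..TS5 without their numbers, and the rule values in the test are constructed.

```python
# Added example (not RipEX2 firmware code): SCADA protocol address -> IP
# translation in Mask and Table mode, with a table overlap check. The
# broadcast target and the port numbers are assumptions for the demo.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def translate_mask(proto_addr: int, base_ip: str, mask_bits: int) -> str:
    """Mask mode: keep the network part of Base IP, put the protocol address
    in the host part. A protocol address wider than the host part is refused."""
    net = ipaddress.IPv4Network(f"{base_ip}/{mask_bits}", strict=False)
    host_bits = 32 - mask_bits
    if not 0 <= proto_addr < (1 << host_bits):
        raise ValueError(f"protocol address {proto_addr} does not fit in {host_bits} host bits")
    return str(net.network_address + proto_addr)


def mask_broadcast(base_ip: str, mask_bits: int) -> str:
    """Assumed target for a SCADA broadcast in Mask mode: the subnet's directed broadcast."""
    net = ipaddress.IPv4Network(f"{base_ip}/{mask_bits}", strict=False)
    return str(net.broadcast_address)


def resolve_mask(proto_addr: int, broadcast_on: bool, broadcast_addr: int,
                 base_ip: str, mask_bits: int, udp_port: int) -> Tuple[str, int, bool]:
    """Destination of one frame in Mask mode: (ip, udp_port, is_broadcast)."""
    if broadcast_on and proto_addr == broadcast_addr:
        return mask_broadcast(base_ip, mask_bits), udp_port, True
    return translate_mask(proto_addr, base_ip, mask_bits), udp_port, False


@dataclass(frozen=True)
class TableRule:
    addr_from: int      # Protocol address (from)
    addr_to: int        # Protocol address (to), inclusive
    ip_base: str        # IP address (base); following addresses get +1, +2, ...
    udp_port: int       # Destination (UDP port), numeric here

    def __post_init__(self):
        if not 0 <= self.addr_from <= self.addr_to <= 0xFFFF:
            raise ValueError("bad protocol address range")
        ipaddress.IPv4Address(self.ip_base)       # raises on a malformed address


def check_table(rules: List[TableRule]) -> None:
    """Reject overlapping ranges so a lookup can never be ambiguous."""
    ordered = sorted(rules, key=lambda r: r.addr_from)
    for a, b in zip(ordered, ordered[1:]):
        if b.addr_from <= a.addr_to:
            raise ValueError(f"rules {a.addr_from}-{a.addr_to} and {b.addr_from}-{b.addr_to} overlap")


def translate_table(proto_addr: int, rules: List[TableRule]) -> Tuple[str, int]:
    """Table mode: first matching range wins; offset within the range is added to IP base."""
    for r in rules:
        if r.addr_from <= proto_addr <= r.addr_to:
            ip = ipaddress.IPv4Address(r.ip_base) + (proto_addr - r.addr_from)
            return str(ip), r.udp_port
    raise LookupError(f"no rule for protocol address {proto_addr}")
```

Note that in Mask mode with Mask 24 a 2-byte DNP3 address cannot be represented at all, which is one reason the Table mode exists for such protocols.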

7.1.3.3. Individual protocol parameters

In some protocols, when the connected device is in Slave mode, it is possible to choose the target of the response.

  • Response target mode
    List box {LASTRCV; TARGET}, default = “LASTRCV”

    The response to the incoming frame is directed either to the IP address of the Master which sent the frame (LASTRCV) or to a specified IP address (TARGET).

  • Response target IP

    IP address to which the response will be sent when TARGET is chosen in the Response target mode.

7.1.3.3.1. None

The None protocol switches the COM port off. All incoming data are thrown away and no data are sent to the COM interface.

7.1.3.3.2. Transparent protocol

Operates in Bridge mode only. All the traffic is bridged transparently to RipEX2 network (see Section 5.1, “Bridge mode” for details).

7.1.3.3.3. Async link

Async link creates an asynchronous link between two COM ports on different RipEX2 units. Frames received from the COM port or from a Terminal server are sent transparently, without any processing, over the Radio channel to the set destination IP address and UDP port. Frames received from the Radio channel are sent to the COM port or Terminal server according to the Destination (UDP port) parameter.

  • Destination IP
    This is the IP address of the destination RipEX2, either its ETH or its Radio interface.

  • Transmit as broadcasts
    List box {On; Off}, default = “Off”

    Allows the packets incoming from the COM port to be sent as broadcasts.

  • Accept broadcasts
    List box {On; Off}, default = “Off”

    On: Broadcast packets from the radio channel will be sent to the COM port.

    Off: Only unicast packets will be sent to the COM port.

7.1.3.3.4. DNP3

Each frame in the DNP3 protocol contains the source and destination addresses in its header, so there is no difference between Master and Slave in terms of the RipEX2 configuration. DNP3 allows both Master-Slave polling and spontaneous communication from the remote units.

The common parameters (e.g. address translation) shall be set.

  • Broadcast
    List box {On; Off}, default = “On”

    [Note]Note

    There is no option to set the Broadcast address, since DNP3 broadcast messages always have destination addresses in the range 0xFFFD – 0xFFFF. Hence when Broadcast is On, packets with these destinations are handled as broadcasts.
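Reading the source and destination addresses from a DNP3 link-layer header and applying the 0xFFFD – 0xFFFF broadcast rule, as an added example that is not RipEX2 firmware or RACOM code. It verifies the header CRC (CRC-16/DNP) before trusting the destination, so a corrupted or forged address is never acted on; the frames built in the test are constructed for the demo.

```python
# Added example (not RipEX2 firmware code): DNP3 link-layer header parsing
# with CRC check and broadcast classification. Test frames are constructed.
import struct

DNP3_START = b"\x05\x64"
DNP3_BROADCAST = range(0xFFFD, 0x10000)
HEADER_LEN = 10                  # start(2) len(1) ctrl(1) dest(2) src(2) crc(2)


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 bit-reflected (0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_header(dest: int, src: int, ctrl: int = 0xC4, user_len: int = 0) -> bytes:
    """Header block plus its CRC (LSB first on the wire). LEN counts CTRL, DEST and
    SRC (5 bytes) plus the user data; CRC bytes are excluded from it."""
    hdr = DNP3_START + struct.pack("<BBHH", 5 + user_len, ctrl, dest, src)
    return hdr + struct.pack("<H", crc_dnp(hdr))


def parse_header(frame: bytes) -> dict:
    """Validate start bytes and header CRC, then return the link-layer fields."""
    if len(frame) < HEADER_LEN or frame[:2] != DNP3_START:
        raise ValueError("not a DNP3 frame")
    hdr = frame[:8]
    (crc,) = struct.unpack("<H", frame[8:10])
    if crc_dnp(hdr) != crc:
        raise ValueError("header CRC mismatch")
    length, ctrl, dest, src = struct.unpack("<BBHH", hdr[2:])
    return {
        "length": length, "ctrl": ctrl, "dest": dest, "src": src,
        "dir": (ctrl >> 7) & 1,      # 1 = from master
        "prm": (ctrl >> 6) & 1,      # 1 = primary (initiating) message
        "func": ctrl & 0x0F,         # link-layer function code
    }


def is_broadcast(dest: int, broadcast_on: bool = True) -> bool:
    """The Protocol module treats 0xFFFD..0xFFFF as broadcast only when Broadcast is On."""
    return broadcast_on and dest in DNP3_BROADCAST


def classify(frame: bytes, broadcast_on: bool = True) -> str:
    """'broadcast' or 'unicast', the way the frame would be forwarded."""
    fields = parse_header(frame)
    return "broadcast" if is_broadcast(fields["dest"], broadcast_on) else "unicast"
```

With Broadcast Off, a frame addressed to 0xFFFF is handed to the address translation like any unicast address, where it will usually fail to match a rule; parsing the header first, rather than guessing from the serial stream, is what makes that decision reliable.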

7.1.3.3.5. DF1

Each frame in the Allen-Bradley DF1 protocol contains the source and destination addresses in its header, so there is no difference between Master and Slave in the Full duplex mode in terms of RipEX2 configuration.

  • Connected service mode
    List box {Master; Slave}, default = “Slave”

    The SCADA application follows a Master-Slave scheme, where the structure of the message differs between Master and Slave SCADA units. Because of that it is necessary to set which type of SCADA unit is connected to the RipEX2.

    [Note]Note

    For connected SCADA Master set Master, for connected SCADA Slave set Slave.

  • Block control mode
    List box {BCC; CRC}, default = “BCC”

    According to the DF1 specification, either BCC or CRC for Block control mode (data integrity) can be used.

    [Note]Note

    According to the DF1 specification, packets for the destination address 0xFF are considered broadcasts. Hence when Broadcast is On, packets with this destination are handled as broadcasts.

7.1.3.3.6. IEC101
  • ComProt_IECMode
    List box {Primary; Secondary; Combined}, default = “Primary”

  • ComProt_IECAddrMode
    List box {8 bit; 16 bit; 8 bit w/o ctrl byte; 8 bit swp ctrl byte; No addr}, default = “8 bit”

  • Broadcast
    List box {On; Off}, default = “On”

7.1.3.3.7. Mars-A

MARS-A is a full duplex protocol featuring:

  • 32-bit long addresses

  • error detection (based on a 16-bit checksum (XOR) or a 16-bit CRC)

  • error correction

MARS-A was widely used by legacy RACOM radio modems in the MORSE system from the year 1999.

The new implementation of this protocol in RipEX2 is limited to those parts of the complex protocol which can be used together with modern packet-type radio routers:

  • USER DATA (0x09) from router to the serial interface (e.g. to RTU),

  • USER DATA (0x09) and PROT DATA (0x0A) from serial interface (e.g. from RTU) to the router.

  • Mars-A headers are removed from the packet prior to transmitting to the network – only data are transmitted.

  • ACK timeout [ms]
    Number {0 – 16383}, default = 1000

    Serial interface acknowledge timeout.

  • Repeats
    Number {0 – 31}, default = 3

    Number of repeats. Repetition is triggered when NAK frame is received or if ACK frame was not received within ACK timeout.

  • Security bit
    List box {On; Off}, default = “Off”

    Needed for compatibility with legacy MORSE network implementations. This parameter does not change protocol behaviour.

  • CRC
    List box {On; Off}, default = “Off”

    Error detection algorithm:

    • On – CRC algorithm is used

    • Off – XOR algorithm is used

7.1.3.3.8. Modbus RTU

Modbus RTU is a serial polling-type communication protocol used by Master-Slave applications.

When the RipEX2 radio network runs in Router mode, multiple Modbus Masters can be used within one Radio network and one Slave can be polled by multiple Masters.

  • Mode of Connected device
    Listbox {Master; Slave}, default = “Master”

  • Mode of connected device: MASTER

    • Broadcast address
      It is possible to set address, which will be handled as a broadcast address while Broadcast = “On”. Default broadcast address of the Modbus RTU protocol is 0.

  • Mode of connected device: SLAVE

    • Response timeout
      Number { 0 – 8190}, default = 300

      The Response timeout parameter controls how long the unit waits for an acknowledgement frame. The timeout is started when the original frame received from the Radio channel is transmitted to the connected device (over the serial channel). Transmission of any other frame to the connected device is temporarily blocked, whilst Response timeout is active. Response timeout = 0 disables this feature.

7.1.3.3.9. PR2000

PR2000 is an abbreviation for the PROTEUS 2000 SCADA protocol. This protocol is used in Master-Slave applications.

The PR2000 protocol is implemented in a fully transparent manner. The original protocol frames are transported over the RipEX network in their entirety.

7.1.3.3.10. Siemens 3964(R)

The 3964 protocol is utilized by the Siemens Company as a Point-to-Point connection between two controllers. Meanwhile it has developed into an industry standard that can be found on many devices as a universal communications interface. 3964R is the same as 3964 except that it additionally uses a BCC (Block Check Character). 3964(R) handles only the link layer (L2 in the OSI model), hence RipEX reads the “SCADA address” in a similar way as in the UNI protocol.

There is a handshake STX (0x02) – DLE (0x10) at the start of communication and DLE+ETX – DLE at the end. This handshake is performed by RipEX locally; it is not transferred over the RipEX network.

Communication goes as follows:
LocalRTU -> STX -> LocalRipEX
LocalRipEX -> DLE -> LocalRTU
LocalRTU -> DATA+DLE+ETX+BCC -> LocalRipEX
LocalRipEX -> DATA -> RemoteRipEX*
LocalRipEX -> DLE -> LocalRTU
RemoteRipEX -> STX -> RemoteRTU
RemoteRTU -> DLE -> RemoteRipEX
RemoteRipEX -> DATA+DLE+ETX+BCC -> RemoteRTU
RemoteRTU -> DLE -> RemoteRipEX

* only this packet is transferred over the RipEX network, all the other ones are handled locally.

  • Master

    • Address mode

      List box {Binary (1 B); Binary (2B LSB first); Binary (2B MSB first)}, default = “Binary (1 B)”

      RipEX reads the Protocol address in the format and length set (in Bytes).

    • Address position

      Specify the sequence number of the byte, where the Protocol address starts.

      Note

      The 3964(R) protocol uses an escape sequence (control sequence) for DLE (0x10): when 0x10 occurs in user data, 0x10 0x10 is sent instead. When the Address position is calculated, the bytes added by the escape sequence algorithm are not taken into account.

      Note

      The first byte in the packet has the sequence number 1, not 0.

  • Slave

    • DLE timeout [ms]

      Number {300 – 8190}, default = 1000

      RipEX expects a response (DLE) from the connected device (RTU) within the set timeout. If it is not received, RipEX repeats the frame according to the “Retries” setting.

    • Retries [No]

      Number {0 – 7}, default = 3

      When DLE packet is not received from the connected device (RTU) within the set DLE timeout, RipEX retransmits the frame. The number of possible retries is specified.

    • Priority

      List box {Low; High}, default = “Low”

      When the equipment sends STX and receives STX instead of DLE, there is a collision: both devices want to start communication. In such a case, one unit has to have priority. If the Priority is High, RipEX waits for DLE. When it is Low, RipEX sends DLE.

      Note

      Obviously, two pieces of equipment which are communicating together must be set so that one has High priority and the other has Low.

    • BCC

      List box {On; Off}, default = “On”

      BCC (Block Check Character) is a control byte used for data integrity checking; it increases reliability. BCC is used by 3964R; 3964 does not use it.

      RipEX checks (calculates itself) this byte while receiving a packet on COM. RipEX transmits DLE (accepts the frame) only when the check result is OK. The BCC byte is not transferred over the RipEX network; it is calculated locally in the receiving RipEX and appended to the received data.
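
The locally handled part of the 3964(R) exchange, as an added example that is not RipEX firmware or RACOM code: DLE escaping, the BCC check that decides whether RipEX answers DLE, and the 1-based Address position counted on the unescaped data. The sample bytes are constructed.

```python
# Added example (not RipEX firmware or RACOM code): a model of the 3964(R)
# framing that RipEX handles locally on COM, as described in this section.
STX, ETX, DLE = 0x02, 0x03, 0x10


def stuff_dle(data: bytes) -> bytes:
    """3964(R) escape rule: every DLE (0x10) in user data is sent as 0x10 0x10."""
    return data.replace(bytes([DLE]), bytes([DLE, DLE]))


def unstuff_dle(data: bytes) -> bytes:
    """Undo the escape rule: 0x10 0x10 -> 0x10."""
    return data.replace(bytes([DLE, DLE]), bytes([DLE]))


def bcc(body: bytes) -> int:
    """3964R Block Check Character: XOR over everything sent after STX, i.e.
    the escaped user data plus the DLE ETX trailer."""
    acc = 0
    for b in body:
        acc ^= b
    return acc


def build_block(user_data: bytes, use_bcc: bool = True) -> bytes:
    """The DATA+DLE+ETX(+BCC) block an RTU sends after the STX/DLE handshake
    (STX itself and the DLE replies are exchanged separately)."""
    body = stuff_dle(user_data) + bytes([DLE, ETX])
    return body + (bytes([bcc(body)]) if use_bcc else b"")


def receive_block(wire: bytes, use_bcc: bool = True):
    """RipEX side receiving DATA+DLE+ETX(+BCC) on COM with the BCC setting.

    Returns (user_data, accepted). accepted=True means RipEX answers DLE and
    forwards only user_data over the radio network (BCC and the trailer are
    stripped); False means the block is not acknowledged (bad BCC or trailer).
    """
    body = wire[:-1] if use_bcc else wire
    if use_bcc and (len(wire) < 3 or bcc(body) != wire[-1]):
        return b"", False
    if body[-2:] != bytes([DLE, ETX]):
        return b"", False
    return unstuff_dle(body[:-2]), True


def protocol_address(user_data: bytes, position: int) -> int:
    """Address mode “Binary (1 B)”: Address position is 1-based and counts
    bytes of the unescaped user data, so escape bytes on the wire are ignored."""
    return user_data[position - 1]


if __name__ == "__main__":
    # Constructed sample: address 0x10 at position 2 forces an escape on the wire.
    data = bytes([0x01, 0x10, 0x02])
    block = build_block(data)
    print("on the wire:", block.hex(" "))          # 01 10 10 02 10 03 10
    payload, ok = receive_block(block)
    print("accepted:", ok, "forwarded:", payload.hex(" "))
    print("address at position 2:", hex(protocol_address(payload, 2)))
    corrupted = bytes([block[0] ^ 0xFF]) + block[1:]
    print("corrupted block accepted:", receive_block(corrupted)[1])
```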

7.1.3.3.11. RDS

RDS is a protocol used in MRxx networks. It supports network communication; any node in the network can talk to any other (unlike Master-Slave type protocols). The RDS protocol should only be used when combining RipEX and MRxx networks or SCADA networks adapted to MRxx networks. Frames are received from the Radio channel and sent to COM1-3 or Terminal server 1-5 according to the UDP port settings, and vice versa – from wire to Radio channel.

  • ACK
    List box {On; Off}, default = “On”

    Frame acknowledgement when transmitted over wire (COM or Ethernet) interface. ACK (0x06) frames are transmitted on successful reception and NAK (0x15) on unsuccessful frame reception.

  • ACK timeout [ms]
    Number {0 – 16383}, default = 1000

    Note

    ACK timeout is measured from the beginning of the packet transmission.

    When “ACK” is enabled, RipEX waits for “ACK timeout [ms]” after transmitting a frame to receive the acknowledgement. If the ACK frame isn’t received, the frame is re-transmitted. Frame re-transmission happens up to “Repeats” number of times.

  • Repeats
    Number {0 – 31}, default = 3

    Number of frame re-transmissions.

  • Reverse mode (will be available in a future FW release)
    List box {On; Off}, default = “On”

    If a frame is going to be transmitted over a wire channel, source and destination addresses in the frame must be reversed.

  • Reverse address (Hex)
    HEX number {0x00 – 0xFF}, default = 00

    When Reverse mode is enabled, the frame destination address is overwritten by the Reverse address. It takes place after the frame reception from the wire channel before it is transmitted to the air channel. This only happens if the Reverse mode is enabled.

7.1.3.3.12. UNI

UNI is the ‘Universal’ protocol utility designed for RipEX. It is supposed to be used when the required application protocol is not available in RipEX and the network communication is using addressed mode (which is a typical scenario). The key prerequisite is: messages generated by the Master application device must always contain the respective Slave address and the address position, relative to the beginning of the message (packet, frame), is always the same (Address position). Generally, two communication modes are typical for UNI protocol: In the first one, communication is always initiated by the Master and only one response to a request is supported; in the second mode, Master-Master communication or combination of UNI protocol with ASYNC LINK protocol and spontaneous packets generation on remote sites are possible.

The UNI protocol is fully transparent, i.e. all messages are transported and delivered without any modifications.

  • Mode of Connected device
    List box {Master; Slave}, default = “Master”

  • Address mode
    List box {Binary (1B); ASCII (2B); Binary (2B LSB first); Binary (2B MSB first)}, default = “Binary (1B)”

    Protocol address format and length (in Bytes). The ASCII 2-Byte format is read as a 2-character hexadecimal representation of a one-byte value, e.g. the ASCII characters AB are read as the value 0xAB hex (10101011 binary, 171 decimal). (The ASCII 2-Byte format function will be available in a future FW release.)

  • Address position
    Number {1 – 255}, default = 1

    Specify the sequence number of the byte where the Protocol address starts. Note that the first byte in the packet has the sequence number 1, not 0.

  • Poll response control
    List box {On; Off}, default = “On”

    “On” – The Master accepts only one response per a request and it must come from the specific remote to which the request has been sent. All other packets are discarded. This applies to the Master – Slave communication scheme.

    Note

    It may happen that a response from a slave (No.1) is delivered after the respective timeout has expired and the Master has generated the request for the next slave (No.2) in the meantime. In such a case the delayed response from No.1 would have been considered as the response from No.2. When Poll response control is On, the delayed response from slave No.1 is discarded and the Master stays ready for the response from No.2.

    “Off” – The Master does not check packets incoming from the RF channel – all packets are passed to the application, including broadcasts. That allows e.g. spontaneous packets to be generated at remote sites. This mode is suitable for Master-Master communication scheme or a combination of the UNI and ASYNC LINK protocols.

  • Mode of Connected device: SLAVE

    • Accept broadcasts
      List box {On; Off}, default = “On”

      “On” – Broadcast packets received at the radio channel are forwarded to the COM port.

      “Off” – Broadcast packets (received at the radio channel) are discarded. Unicast packets are forwarded to the COM port.
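
Reading the Slave address with the Address mode / Address position settings and the behaviour of Poll response control, as an added example that is not RipEX firmware or RACOM code. The messages are constructed, and the model assumes the sending Slave's address is known from the radio side.

```python
# Added example (not RipEX firmware or RACOM code): reading the Slave address
# from a UNI message with the Address mode / Address position settings, and a
# model of the Master-side “Poll response control” described above.
from typing import List, Optional


def read_address(message: bytes, address_position: int, address_mode: str) -> int:
    """Return the Protocol address found in a transparent UNI message.

    address_position is 1-based (first byte = 1); the message is not modified.
    address_mode is one of the Address mode list box values.
    """
    i = address_position - 1
    if address_mode == "Binary (1B)":
        return message[i]
    if address_mode == "ASCII (2B)":
        # two ASCII hex characters represent one byte: b"AB" -> 0xAB (171)
        return int(message[i:i + 2].decode("ascii"), 16)
    if address_mode == "Binary (2B LSB first)":
        return message[i] | (message[i + 1] << 8)
    if address_mode == "Binary (2B MSB first)":
        return (message[i] << 8) | message[i + 1]
    raise ValueError(f"unknown Address mode: {address_mode}")


class UniMaster:
    """Constructed model of a RipEX whose COM port is connected to a UNI Master.

    poll_response_control=True: one response per request, and only from the
    Slave that was polled; delayed responses of earlier Slaves and broadcasts
    arriving from the RF channel are discarded.
    poll_response_control=False: every packet from the RF channel is passed to
    the Master application (Master-Master or UNI + ASYNC LINK schemes).
    """

    def __init__(self, address_position: int, address_mode: str,
                 poll_response_control: bool = True) -> None:
        self.address_position = address_position
        self.address_mode = address_mode
        self.poll_response_control = poll_response_control
        self.expected: Optional[int] = None  # Slave address awaited, if any

    def request_from_master(self, message: bytes) -> int:
        """The Master sent a request on COM: note which Slave was polled."""
        self.expected = read_address(message, self.address_position, self.address_mode)
        return self.expected

    def packet_from_radio(self, src_address: int, broadcast: bool = False) -> bool:
        """A packet from the RF channel sent by Slave src_address (assumed to be
        known from the radio routing, a modelling assumption).
        Returns True if it is passed to the Master application."""
        if not self.poll_response_control:
            return True
        if broadcast or self.expected is None or src_address != self.expected:
            return False        # unsolicited, delayed or foreign packet
        self.expected = None    # exactly one response per request
        return True


def delayed_response_scenario(poll_response_control: bool) -> List[bool]:
    """The scenario from the Note above: Slave 1 answers late, after the Master
    has already polled Slave 2. Returns which RF packets reach the Master."""
    m = UniMaster(address_position=1, address_mode="Binary (1B)",
                  poll_response_control=poll_response_control)
    m.request_from_master(bytes([0x01, 0x03, 0x00, 0x00]))  # poll Slave 1 (constructed)
    # ... the response timeout expires without an answer from Slave 1 ...
    m.request_from_master(bytes([0x02, 0x03, 0x00, 0x00]))  # poll Slave 2 (constructed)
    return [m.packet_from_radio(1),   # late answer from Slave 1
            m.packet_from_radio(2),   # the awaited answer from Slave 2
            m.packet_from_radio(2)]   # a second, unexpected packet from Slave 2


if __name__ == "__main__":
    print("Poll response control On :", delayed_response_scenario(True))   # [False, True, False]
    print("Poll response control Off:", delayed_response_scenario(False))  # [True, True, True]
```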

7.1.4. Terminal servers

Generally, a Terminal Server (also referred to as a Serial Server) enables connection of devices with serial interface to a RipEX2 over the local area network (LAN). It is a virtual substitute for devices used as serial-to-TCP(UDP) converters.

In some special cases, the Terminal server can also be used for reducing the network load from applications using TCP. A TCP session can be terminated locally at the Terminal server in RipEX2, the user data extracted from the TCP messages and processed as if they came from a COM port. When the data reaches the destination RipEX2, it can be transferred to the RTU either via a serial interface or via TCP (UDP), using the Terminal server again.

Up to 5 independent Terminal servers can be set up. Each one can be either TCP or UDP Type. TCP Inactivity is the timeout in seconds for which the TCP socket in RipEX2 is kept active after the last data reception or transmission. The IP address of the RipEX2 ETH interface is used as the source IP address of a Terminal server (or the Local preferred source address, if one is defined; see Section 7.2.1, “Static”); the Source (my) port can be set as required. Destination (peer) IP and Destination (peer) port values belong to the locally connected application (e.g. a virtual serial interface). In some cases, applications dynamically change the IP port with each datagram. In such a case set Destination port = 0. RipEX2 will then send replies to the port from which the last response was received. This feature allows the number of simultaneously opened TCP connections between a RipEX2 and a locally connected application to be extended to any value up to 10 on each Terminal server. Protocol follows the same principles as a protocol on the COM interface.

Note

Max. user data length in a single datagram processed by the Terminal server is 8192 bytes.

7.1.5. Cellular

RipEX2 optionally provides cellular WWAN interface using embedded cellular module. Two SIM cards are available, only one can be active at a time.

APN must always be set up, all other parameters can keep their default values.

  • Enable / Disable: enables / disables the cellular WWAN connection. When disabled, the module power is off.

  • SIM
    List box {SIM1; SIM2}, default = “SIM1”

    Active SIM card selection.

  • Preferred service
    List box {2G (GSM) first; 2G (GSM) only; 3G (UMTS) first; 3G (UMTS) only; 2G/3G (GSM/UMTS) only; 4G (LTE) first; 4G (LTE) only; 3G/4G (UMTS/LTE) only}, default = “4G (LTE) first”

    Sets preferences and/or permission of the individual cellular network services.

  • Header compression
    List box {On; Off}, default = “Off”

    Enables / disables the user data traffic IP headers compression. Not used with 4G service.

  • Data compression
    List box {On; Off}, default = “Off”

    Enables / disables the user data traffic data compression. Not used with 4G service.

  • MTU [B]
    Number {70 – 1500}, default = 1500

    Outgoing packets MTU.

  • Masquerade
    List box {On; Off}, default = “On”

    Enables / disables SNAT (MASQUERADE) for the packets outgoing to the WWAN interface.

    When on, the source address of packets outgoing via the cellular WWAN interface will be changed to the address assigned to this interface. Returning packets will be correctly routed to this interface.

  • Management enabled
    Enables / disables access into the unit’s management via the cellular WWAN interface.

SIM1 and SIM2 tabs contain the same settings for SIM1 and SIM2 respectively.

  • PIN protection
    List box {On; Off}, default = “Off”

    Enables / disables the SIM module PIN protection. It has to be switched on if the PIN is required. The parameter is ignored if the SIM does not require a PIN.

  • PIN code
    String {0000 – 9999}, default = “0000”

    The PIN is used only when PIN protection is On and the module requires the PIN.

  • Network selection
    List box {Automatic; Prefer manual; Lock to manual; Lock to home}, default = “Automatic”

    Defines the network selection preferences:

    • Automatic – the network is selected automatically.

    • Prefer manual – the network according to the Location area identity (LAI) is preferred. Other network will be selected when the preferred network is not available.

    • Lock to manual – only the network according to the LAI can be used.

    • Lock to home – only the home network can be used (if the SIM supports PLMN reading).

  • Location area identity (LAI)
    String {00000 – 999999}, default = 00000

    The Public Land Mobile Network (PLMN) identification number of the cellular network.

  • Access point name (APN)
    String {up to 99 char}, default = <empty>

    The APN for the access into the cellular network.

  • Authentication
    List box {None; PAP (legacy); CHAP}, default = “None”

    • None – no authentication is used for the APN access.

    • PAP (legacy) – PAP (Password Authentication Protocol) authentication. We do not recommend using this option because of its security issues (it is provided only for compatibility with legacy systems). Username and Password are required.

    • CHAP – CHAP (Challenge-Handshake Authentication Protocol) authentication. Username and Password are required.

    Note

    Routing Mode “WWAN (AUX)” is added to the Static routing rules definition. When this mode is selected, the routing Gateway parameter is ignored. The packet is forwarded to the Cellular (WWAN) interface instead.

    Routing rules are added / removed automatically when the Cellular (WWAN) interface is opened / closed.

7.2. Routing

RipEX router supports both static and dynamic IP routing.

Static routing is based on a fixed – static – definition of routing tables. Dynamic routing is based on automatic creation and updating of routing tables. Various methods and protocols are used for this purpose. The OSPF and BGP standard routing protocols are available in RipEX networks.

7.2.1. Static

RipEX2 works as a standard IP router with multiple independent interfaces: Radio interface, Network interfaces (bridging physical Ethernet interfaces), COM ports, Terminal servers, optional Cellular interface etc. Each of the interfaces has its own IP addresses and Masks. All IP packets are processed according to the Routing table.

An unlimited number of subnets can be defined on the Network interface. They are routed independently.

The COM ports are treated in the standard way as router devices: messages can be delivered to them as UDP datagrams to selected UDP port numbers. The destination IP address of a COM port is either the IP of a Network interface (bridging Ethernet interfaces) or the IP of the Radio interface. The source IP address of packets outgoing from COM ports is equal to the IP address of the interface (either Radio or Network interface) through which the packet has been sent. The source address can also be set to the Local preferred source address value – see description below. The outgoing interface is determined in the Routing table according to the destination IP.

The IP addressing scheme can be chosen arbitrarily; the only restriction is that 127.0.0.0/8, 192.0.2.233/30 and 192.0.2.228/30 must not be used. Note that further addresses from the 192.0.2.0/24 subnet (RFC 5737) may also be reserved for internal use in the future.

  • Active {On / Off}
    Switches the rule on / off

  • Destination IP / mask
    Each IP packet, received by RipEX2 through any interface (Radio, ETH, COM, …), has got a destination IP address. RipEX2 (router) forwards the received packet either directly to the destination IP address or to the respective Gateway, according to the Routing table. Any Gateway has to be within the network defined by IP and Mask of one of the interfaces, otherwise the packet is discarded.

    Each item in the routing table defines a Gateway (the route, the next hop) for the network (group of addresses) defined by Destination IP and Mask. When no Gateway for the respective destination IP address is found in the Routing table, the packet is forwarded to the Default gateway; when no Default gateway (0.0.0.0/0) is defined, the packet is discarded.

    The network (Destination and Mask) is written in CIDR format, e.g. 10.11.12.13/24.

    Note

    Networks defined by IP and Mask for Radio and other interfaces must not overlap.

  • Mode {Static}
    Used for static IP routing rules. If the next hop on the specific route is over the radio channel, the Radio IP is used as a Gateway. If Base driven protocol is used and the destination Remote is behind a Repeater, the destination Remote Radio IP is used as a Gateway (not the Repeater address).

  • Name: You may add a name to each route with your comments up to 16 characters (UTF8 is supported) for your convenience.

  • Menu ADVANCED / Routing / Static allows an additional parameter to be set:

    Local preferred source address: (Routing_LocalUseSrcAddr) Local IP address used as the source address for packets originating in the local RipEX2 unit that are routed by this routing rule, for example packets originating from the COM port or from the Terminal Server. If the address is set to 0.0.0.0 it is not considered active. The IP address has to belong to one of the following interfaces: Radio interface, Network interfaces.
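
The consistency rules of this section (non-overlapping interface subnets, reserved ranges, a Gateway that must sit on some interface, the Default gateway, and the Local preferred source address), as an added checker that is not RipEX firmware or RACOM code. The interface names and the sample routing table are constructed.

```python
# Added example (not RipEX firmware or RACOM code): a checker for a RipEX2-style
# static routing table that applies the rules stated in this section. The
# interface names and the sample table are constructed for illustration.
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List, Optional, Tuple

# Ranges this section says must not be used in your own addressing scheme.
RESERVED = [IPv4Network(n, strict=False)
            for n in ("127.0.0.0/8", "192.0.2.233/30", "192.0.2.228/30")]

Interfaces = Dict[str, IPv4Interface]            # name -> own address/mask
Routes = List[Tuple[IPv4Network, IPv4Address]]   # (Destination IP / mask, Gateway)


def parse_interfaces(spec: Dict[str, str]) -> Interfaces:
    """{"radio": "10.10.10.1/24", ...} -> interface objects."""
    return {name: IPv4Interface(cidr) for name, cidr in spec.items()}


def parse_routes(spec: List[Tuple[str, str]]) -> Routes:
    """[("192.168.2.0/24", "10.10.10.2"), ...]; "0.0.0.0/0" is the Default gateway."""
    return [(IPv4Network(dest, strict=False), IPv4Address(gw)) for dest, gw in spec]


def check_interfaces(ifaces: Interfaces) -> List[str]:
    """Interface subnets must not overlap each other or the reserved ranges."""
    problems = []
    names = list(ifaces)
    for i, a in enumerate(names):
        for r in RESERVED:
            if ifaces[a].network.overlaps(r):
                problems.append(f"{a}: {ifaces[a]} overlaps reserved {r}")
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} and {b}: subnets overlap")
    return problems


def check_routes(ifaces: Interfaces, routes: Routes) -> List[str]:
    """Every Gateway must lie inside the subnet of one of the interfaces;
    otherwise packets using that route are discarded."""
    return [f"route {dest}: gateway {gw} is not on any interface"
            for dest, gw in routes
            if not any(gw in i.network for i in ifaces.values())]


def check_local_source(ifaces: Interfaces, addr: str) -> Optional[str]:
    """Local preferred source address: 0.0.0.0 means inactive; otherwise it
    has to belong to the Radio or a Network interface."""
    ip = IPv4Address(addr)
    if ip == IPv4Address("0.0.0.0") or any(ip in i.network for i in ifaces.values()):
        return None
    return f"local preferred source {addr} belongs to no interface"


def next_hop(ifaces: Interfaces, routes: Routes, dst: str) -> Optional[str]:
    """Where a packet for dst leaves the unit, or None when it is discarded.

    Directly connected destinations need no gateway; otherwise the most
    specific Destination IP / mask wins, 0.0.0.0/0 being the Default gateway.
    No matching route, or a gateway on no interface, discards the packet.
    """
    ip = IPv4Address(dst)
    for name, iface in ifaces.items():
        if ip in iface.network:
            return f"{name} direct"
    best = None
    for dest, gw in routes:
        if ip in dest and (best is None or dest.prefixlen > best[0].prefixlen):
            best = (dest, gw)
    if best is None:
        return None
    for name, iface in ifaces.items():
        if best[1] in iface.network:
            return f"{name} via {best[1]}"
    return None


# Constructed sample configuration: Radio 10.10.10.1/24, LAN-1 192.168.1.1/24.
SAMPLE_IFACES = parse_interfaces({"radio": "10.10.10.1/24", "LAN-1": "192.168.1.1/24"})
SAMPLE_ROUTES = parse_routes([("192.168.2.0/24", "10.10.10.2"),   # remote site behind radio
                              ("0.0.0.0/0", "192.168.1.254")])    # Default gateway on LAN

if __name__ == "__main__":
    print(check_interfaces(SAMPLE_IFACES), check_routes(SAMPLE_IFACES, SAMPLE_ROUTES))
    for d in ("192.168.2.7", "8.8.8.8", "192.168.1.50"):
        print(d, "->", next_hop(SAMPLE_IFACES, SAMPLE_ROUTES, d))
```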

7.2.2. OSPF

Open Shortest Path First (OSPF) is a routing protocol for Internet Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous system (AS). OSPF Version 2 defined in RFC 2328 (1998) for IPv4 is implemented in the RipEX router. OSPF provides Layer 2 dynamic routing. In the context of RipEX networks it is typically used for the backhaul network routing.

7.2.2.1. Description

OSPF splits the network into “areas” to simplify the network topology. There is a primary “backbone” (0.0.0.0) area and the other areas are connected to this backbone area via border routers.

The route decision process is affected by the path “metric”. There are two types of metrics:

  • Metric Type 1 – path length; individual interfaces pass-over costs are added.

  • Metric Type 2 – is set on the rules which are exported into OSPF from outside. Rules having metric ‘Type 2’ are always treated as worse (i.e. a longer path) compared to metric ‘Type 1’.

Routers in a specific area are always connected via interfaces.

  • An address range can be defined for an interface where OSPF is working. Multiple address ranges can be defined (each behaving as another interface).

  • Router to router interconnection can be protected by a password.

  • Specific “Cost” is defined for each interface which is added to metric ‘Type 1.’

  • There are multiple types of interfaces:

    • Stub – interface only announces to OSPF: its presence and its address ranges to be propagated further to the network.

    • Broadcast – to be used in the network where all the participants always hear each other (Ethernet). Designated Router (DR) and Backup DR (BDR) are set up between the neighbors. They are responsible for the update propagation (broadcast).

    • NBMA (Non-Broadcast Multiple Access) – to be used in the network where only specific participants can communicate with each other; all the participants hear each other but multicast is not available. DR and BDR are set up.

    • Point2Point – network having only two participants. They discover each other using multicast.

    • Point2Multipoint – network where only predefined pairs of participants can hear each other (e.g. star topology); multicast is not available.

  • Static rules can be defined. Such routing rules are propagated to the network from this router.

  • It is possible to define exported routing rules aggregation or specific routing rule hiding.

  • It is possible to control the routing rules which are imported into the RipEX unit from the OSPF protocol and those that are exported into the OSPF protocol from the unit by using ‘filters’.

    • Export filters – to control rules exported from the unit to the OSPF protocol which is propagating them further.

    • Import filters – to control rules imported from the OSPF into the unit.

7.2.2.2. Common – Common settings

  • Active
    List box {On; Off}, default = “Off”
    Enables the dynamic routing and the OSPF protocol.

  • Router ID
    IP address, default = 0.0.0.0
    RipEX unit acts in the OSPF network as a dynamic router. Every router is identified by an ID having the format of IP address. This IP address does not have to be ‘real’.
    Router ID is shared with the BGP protocol.

  • Instance ID
    Number {0 – 255}, default = 0
    OSPF protocol instance number. This number is needed in case of running multiple OSPF protocols (for example on the border of 2 independent OSPF networks).

7.2.2.3. Network – Areas and interfaces – Areas

The OSPF areas the RipEX unit belongs to are described here. Maximum number of areas is 32.

  • Active
    List box {On; Off}, default = “Off”
    Enables / disables the area.

  • Area ID
    IP address, default = 0.0.0.0
    OSPF area identifier. The ID has a format of an IP address. This IP address does not have to be ‘real’. The ‘Router ID’ value is used typically. The default value of 0.0.0.0 is called ‘backbone’ and it has to be present somewhere in the OSPF network.

  • Stub area
    List box {On; Off}, default = “Off”
    Defines if the area is of the ‘stub’ type – which means that traffic is not routed through such an area. All traffic originates or terminates in the ‘stub’ area.

  • Stub default GW
    List box {On; Off}, default = “On”
    If ‘On’ – only the default GW is routed into the ‘stub’ area. If ‘Off’ – individual routes route the traffic into the area. It may be effective to disable this parameter when multiple border routers are present.

  • Note
    Informational note. It is a good practice to enter some descriptive area name since this value is displayed (when filled) instead of the Area ID as an Area name in other configuration dialogs (e.g. Networks configuration).

7.2.2.4. Network – Areas and interfaces – Interfaces

OSPF interfaces of the respective OSPF area are defined here. Maximum number of interfaces is 128.

  • Active
    List box {On; Off}, default = “Off”
    Enables / disables the interface.

  • Interface
    String {a..z A..Z 0..9}, max 16 char, default = <empty>
    OSPF interface name. The name of an existing unit interface has to be used. The following interfaces can be used:

    • LAN – “if_” prefix must be used followed by Network interface name, e.g. “if_LAN-141”

    • VLAN – “if_” prefix must be used followed by Network interface name, ‘.’ dot and VLAN number, e.g. “if_LAN-141.29”

    • Radio – “radio”

    • Hot standby – “hstdby”

    • GRE L3 – “gre_tunX” where ‘X’ is the tunnel number, starting from zero

    • Cellular – “aux”

  • Network IP / Network mask
    IP address and mask of the address range above which the OSPF protocol will be working on this interface. The default value is 0.0.0.0/0, which means the whole address range on this interface is available for the OSPF protocol.

  • Network type
    OSPF interface type. The interface types (Stub, Broadcast, NBMA, Point2Point, Point2Multipoint) are described in Section 7.2.2.1, “Description”.

  • Cost
    Number {1 – 65535}, default = 10
    The cost of traffic over this interface. The higher the Cost, the worse the path. It is added to OSPF metric ‘Type 1’.

  • Hello interval
    Number {1 – 3600}, default = 10
    Interval (in seconds) of sending Hello packets. The interval must be the same for all participants of the given interface.

  • Poll interval
    Number {1 – 3600}, default = 20
    Interval (in seconds) of sending Hello packets to inactive neighbors on the NBMA type of interface.

  • Retransmit interval
    Number {1 – 3600}, default = 5
    Interval (in seconds) of repeating unacknowledged packets.

  • Dead count
    Number {2 – 64}, default = 4
    Number of lost Hello packets from the neighbor to treat the connection as interrupted.

  • TTL security
    List box {On; Off}, default = “On”
    Protection against OSPF packet spoofing.

  • Authentication, Password
    List box {None; Keyed MD5 (OSPFv2); HMAC SHA256; HMAC SHA384; HMAC SHA512}, default = “None”

    Selection of a method to authenticate the OSPF messages. Password is used as a secret key for the selected hash function. Maximum length of the password is 128 characters.

  • Priority
    Number {0 – 255}, default = 1
    Priority is used to select primary or backup router responsible for the routing updates propagation. The higher the number, the higher the priority. ‘0’ states the router cannot be used as a primary or backup router.

  • Use broadcast
    List box {On; Off}, default = “Off”
    Defines if OSPF packets distribution is provided using multicasts (default behavior) or broadcasts (nonstandard behavior).

  • Note
    Informational note. It is possible to enter some descriptive OSPF interface name. This value is used (when filled) instead of the original Interface identification as an Interface name in other configuration dialogs (e.g. Neighbors configuration).

7.2.2.5. Network – Areas and interfaces – Neighbors

Network neighbors of Point2Multipoint and NBMA types of OSPF interfaces are defined here. Maximum number of neighbors is 512.

  • Active
    List box {On; Off}, default = “Off”
    Enables / disables the neighbor.

  • Interface
    List box {list of existing OSPF interfaces}
    OSPF interface the neighbor belongs to. The interface – Note value is used when defined. The interface – Interface value is used otherwise.

  • IP
    IP address of the neighbor.

  • Note
    Informational note

7.2.2.6. Network – Areas and interfaces – Networks

The Networks table modifies the networks announced out of the area. It enables aggregation of partial networks into common prefixes or hiding of specific networks. Maximum number of rules is 256.

  • Active
    List box {On; Off}, default = “Off”
    Enables / disables the rule.

  • Area
    List box {list of existing OSPF areas}
    OSPF area the record belongs to.

  • IP / mask
    IP address and mask of the range (i.e. network) which will be aggregated or hidden.

  • Action
    List box {Aggregate; Hide}, default = “Aggregate”

    • Aggregate – small network prefixes will be exported from this area aggregated into this range (defined by IP / mask)

    • Hide – this network prefix will be hidden and will not be exported

    Example:
    Area 0.0.0.1 exports two subnets: 192.168.1.0/24 and 192.168.2.0/24. Area border router between Area 0.0.0.1 and 0.0.0.0 defines a rule for network aggregation: 192.168.0.0/16. As a result of this, the area border router announces to the area 0.0.0.0 only one route 192.168.0.0/16 instead of the two individual routes.

  • Note
    Informational note
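
The Aggregate / Hide actions applied to the prefixes an area exports, reproducing the example above, as an added example that is not RipEX firmware or RACOM code (the rule table is passed as constructed (IP / mask, Action) pairs):

```python
# Added example (not RipEX firmware or RACOM code): applying Networks-table
# rules (Aggregate / Hide) to the prefixes an area exports.
from ipaddress import IPv4Network
from typing import List, Optional, Tuple


def announce_out_of_area(exported: List[str], rules: List[Tuple[str, str]]) -> List[str]:
    """Return what the area border router announces for the exported prefixes.

    rules are (IP / mask, Action) rows; the first row whose range contains the
    prefix applies. Aggregate replaces the prefix by the range (announced only
    once), Hide drops it, and prefixes no rule covers pass through unchanged.
    """
    announced: List[str] = []
    for prefix in exported:
        net = IPv4Network(prefix)
        out: Optional[str] = prefix
        for rng, action in rules:
            if net.subnet_of(IPv4Network(rng)):
                out = None if action == "Hide" else rng
                break
        if out is not None and out not in announced:
            announced.append(out)
    return announced


if __name__ == "__main__":
    # The section's example: area 0.0.0.1 exports two /24s, the border router
    # aggregates them into 192.168.0.0/16.
    print(announce_out_of_area(["192.168.1.0/24", "192.168.2.0/24"],
                               [("192.168.0.0/16", "Aggregate")]))  # ['192.168.0.0/16']
```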

7.2.2.7. Static rules

Pre-defined static routing rules to be exported over the OSPF protocol. Maximum number of rules is 256.

  • Active
    List box {On; Off}, default = “Off”
    Enables / disables the static routing rule.

  • Destination IP / Destination mask
    IP address, default = 0.0.0.0/0
    IP address and mask defining the exported routing rule address range.

  • Metric type
    List box {Type 1; Type 2}, default = “Type 1”
    Metric type of the routing rule. Metric Type 1 is added to the path cost. Metric Type 2 is kept separate and, compared to Type 1, is always treated as bigger.

  • Metric
    Number {1 – 65535}, default = 1000
    Routing rule metric value.

  • OSPF tag
    Number {0 – 2^32-1}, default = 0
    OSPF tag is added to a rule at the moment of its insertion to the network. The tag travels through the OSPF without any modification so it can be used to distinguish the rule in the filters.

  • Note
    Informational note.

7.2.2.8. Import filter

OSPF import filter rules. The order of rules matters. Each incoming routing rule is processed by those Import filters. Maximum number of filter rules is 256.

  • Active
    List box {On; Off}, default = “Off”
    Enables / disables the filter rule.

  • Filter network
    List box {Off; Match; Not match}, default = “Off”
    Method of the routing rule target range comparison.

  • Network IP / Network mask
    IP address and mask defining the network range to be compared.

  • Mask from
    Number {0 – 32}, default = 0

  • Mask to
    Number {0 – 32}, default = 32
    Definition of the enabled range of the mask length of the processed routing rule.

    Examples:

    • Rule 0.0.0.0/0{0,32} captures all IP ranges

    • Rule 192.168.1.0/24{24,32} captures 192.168.1.0/24 and all subnets (for example 192.168.1.1/32)

    • Rule 10.9.8.7/32{8,32} captures all ranges having the mask longer than 8 covering the address 10.9.8.7 (e.g. 10.9.0.0/16)

  • Filter source
    List box {Off; Match; Not match}, default = “Off”
    Method of the OSPF routing rule source comparison.

  • Source
    List box {Internal; Inter-area; External type 1; External type 2}, default = “External type 1”

    Notes on the source types:

    • Internal – internally generated rule, for example interface range

    • Inter-area – rule generated on the area border

  • Filter OSPF tag
    List box {Off; Match; Not match}, default = “Off”
    Method of the OSPF routing rule OSPF tag comparison

  • OSPF tag
    Number {0 – 2^32-1}, default = 0
    OSPF tag to be compared.

  • Action
    List box {Accept; Reject; Pass}, default = “Accept”
    Type of action to be performed when the filter rules above match the incoming routing rule.

  • Set preference
    List box {On; Off}, default = “Off”
    When enabled, the Preference (see next parameter) will be set to this rule.

  • Preference
    Number {0 – 65535}, default = 200
    Routing rule preference in the routing table (to be used when Set preference is enabled). The higher the number the better the preference.

  • Local preferred source address
    IP address, default = 0.0.0.0
    Preferred source IP address for the locally generated packets. When disabled (default value 0.0.0.0 is used), the source IP address is set according to the outgoing interface.

  • Note
    Informational note
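
The Mask from / Mask to examples above and the ordered Accept / Reject / Pass processing of the filter rows, as an added example that is not RipEX firmware or RACOM code; the ImportRule representation is constructed to mirror this section's parameters.

```python
# Added example (not RipEX firmware or RACOM code): evaluation of the Filter
# network test (Network IP / mask with Mask from / Mask to) and of an ordered
# Import filter list with Accept / Reject / Pass actions, following the
# parameter descriptions above. The rule representation is constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional


def prefix_captured(pattern: str, mask_from: int, mask_to: int, route: str) -> bool:
    """True when route (a.b.c.d/L) is captured by pattern{mask_from,mask_to}.

    L must lie within [mask_from, mask_to] and the first min(pattern length, L)
    bits of both prefixes must be equal. Taking the minimum is what lets
    10.9.8.7/32{8,32} capture the shorter 10.9.0.0/16 covering that address.
    """
    pat = IPv4Network(pattern, strict=False)
    rt = IPv4Network(route, strict=False)
    if not mask_from <= rt.prefixlen <= mask_to:
        return False
    shift = 32 - min(pat.prefixlen, rt.prefixlen)
    return (int(pat.network_address) >> shift) == (int(rt.network_address) >> shift)


@dataclass
class ImportRule:
    """One Import filter row with the parameters of this section."""
    action: str = "Accept"           # Accept / Reject / Pass
    filter_network: str = "Off"      # Off / Match / Not match
    network: str = "0.0.0.0/0"       # Network IP / Network mask
    mask_from: int = 0
    mask_to: int = 32
    filter_source: str = "Off"       # Off / Match / Not match
    source: str = "External type 1"  # Internal / Inter-area / External type 1 / 2
    filter_tag: str = "Off"          # Off / Match / Not match
    tag: int = 0                     # OSPF tag
    active: bool = True


def _test(mode: str, hit: bool) -> bool:
    """Off = not tested; Match keeps the comparison, Not match inverts it."""
    if mode == "Off":
        return True
    return hit if mode == "Match" else not hit


def rule_matches(rule: ImportRule, route: str, source: str, tag: int) -> bool:
    """All enabled comparisons of the rule must hold for the incoming route."""
    return (_test(rule.filter_network,
                  prefix_captured(rule.network, rule.mask_from, rule.mask_to, route))
            and _test(rule.filter_source, rule.source == source)
            and _test(rule.filter_tag, rule.tag == tag))


def import_filter(rules: List[ImportRule], route: str, source: str,
                  tag: int = 0) -> Optional[str]:
    """Walk the rules in order: the first matching Accept or Reject decides,
    Pass continues with the next rule. None means no rule decided."""
    for rule in rules:
        if rule.active and rule_matches(rule, route, source, tag):
            if rule.action in ("Accept", "Reject"):
                return rule.action
    return None


if __name__ == "__main__":
    for pattern, lo, hi, route in (("0.0.0.0/0", 0, 32, "1.2.3.0/24"),
                                   ("192.168.1.0/24", 24, 32, "192.168.1.1/32"),
                                   ("10.9.8.7/32", 8, 32, "10.9.0.0/16")):
        print(f"{pattern}{{{lo},{hi}}} captures {route}:",
              prefix_captured(pattern, lo, hi, route))
```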

7.2.2.9. Export filter

OSPF export filter rules define the set of routing rules to be exported from the unit into the OSPF area. The order of rules matters. Maximum number of filter rules is 256.

  • Active
    List box {On; Off}, default = “Off”
    Enables / disables the filter rule.

  • Note
    Informational note

  • Filter network
    List box {Off; Match; Not match}, default = “Off”
    Selects a method of the routing rule destination range comparison.

  • Network IP / Network mask
    IP address, default = 0.0.0.0/0
    IP address and mask defining the network prefix to be compared.

  • Mask from
    Number {0 – 32}, default = 0

  • Mask to
    Number {0 – 32}, default = 32
    Definition of the enabled range of the mask length of the processed routing rule.

  • Filter protocol
    List box {Off; Match; Not match}, default = “Off”
    Selects how the routing rule source protocol is compared.

  • Protocol
    List box {System; BGP; BGP external; BGP internal}, default = “System”
    Selection of the protocol origin. “System” – stands for rules from the ordinary routing table.

  • Filter BGP path
    List box {Off; Is empty; Not empty}, default = “Off”
    Compares BGP routing rule path if it is empty (i.e. the rule originates in this AS).

  • Action
    List box {Accept; Reject; Pass}, default = “Accept”
    Defines what action is taken on the routing rule. “Pass” continues in processing.

7.2.3. BGP

Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems. BGP is classified as a path-vector routing protocol, and it makes routing decisions based on paths, network policies, or rule-sets configured by a network administrator.

7.2.3.1. Description

BGP splits the network into Autonomous Systems (AS), each identified by a number. Individual BGP routers are interconnected with their neighbors using TCP connections. A connection can travel over multiple hops. Any connection can be secured using TCP MD5 signatures (RFC 2385).

Connections inside the AS are called ‘internal’ (iBGP):

  • All BGP routers within a given AS must be fully interconnected – every router must have a connection to every other router.

  • It is possible to define ‘Route reflectors’ – they must be fully interconnected. The other routers behave as Route reflector clients and they need a connection to their reflector only. Route reflector and its clients form a ‘cluster’. It is possible to create a cluster with multiple Route reflectors for the purpose of backup.

  • Within the AS, the routing rule carrying the higher local preference is preferred during path selection.

Connections to another AS are called ‘external’ (eBGP):

  • The router can advertise the MED (Multi-Exit Discriminator) metric to the neighbor AS, indicating which of the local AS border routers should be used as the entry point.

As routing rules propagate across multiple AS, each AS is added to the accumulated path (BGP path). After local preference, path length is the primary criterion when deciding which of the routing rules will be used.

Routing rules pointing to this router can be defined manually and propagated across the network (Static rules).

It is possible to control the routing rules which are imported into the RipEX unit from the BGP protocol and those that are exported into the BGP protocol from the unit by using ‘filters’.

  • Import IGP filter – controls which of the routing rules from the BGP are accepted to the dynamic routing table and how

  • Export IGP filter – controls which of the routing rules from the dynamic routing table are exported to the BGP and how

  • Import OUT filter – controls which of the routing rules from the other AS are accepted to the BGP and how

  • Export OUT filter – controls which of the routing rules are exported from the BGP to other AS and how

  • Routing rules passed on between iBGP and BGP tables are not filtered

7.2.3.2. Common – Common settings

  • Active
    List box {On; Off}, default = “Off”
    Enables the dynamic routing and the BGP protocol.

  • Router ID
    IP address, default = 0.0.0.0
    RipEX unit acts in the BGP network as a dynamic router. Every router is identified by an ID having the format of an IP address. This IP address does not have to be ‘real’.
    Router ID is shared with the OSPF protocol.

  • Local AS
    Number {0 – 2^32-1}, default = 65000
    Local Autonomous System identification number. AS numbers are assigned by IANA. Part of the range is reserved for private use: 64512 – 65534 and 4200000000 – 4294967294. AS numbers from these ranges can be used freely in private networks.

  • Preference
    Number {0 – 2^32-1}, default = 100
    Router preference within the local AS. The higher the number, the higher the preference.

  • MED (Multi-Exit Discriminator)
    List box {Off; Static; OSPF metric 1}, default = “Off”
    Setting of MED (Multi-Exit Discriminator) on the routing rules being exported to other AS. MED makes it possible to advertise which of the routers in the local AS is the preferred input point to the AS. “Static” option sets the fixed value for all rules (Static MED). “OSPF metric 1” copies the OSPF metric to MED; for the rules which are not from the OSPF it enters the fixed value Static MED.

  • Static MED
    Number {0 – 2^32-1}, default = 0
    Metric to be used for the preferred input point to the AS selection (see MED (Multi-Exit Discriminator) description). The higher the number the lower the preference.

  • Route reflector
    List box {Off; On}, default = “Off”
    Enables the Route reflector function on this router. Under normal circumstances iBGP requires connections between all routers. A Route reflector removes this requirement by distributing routing updates to all its clients; such clients need no connection other than the one to this Route reflector. The Route reflector and its clients form a ‘cluster’. See the beginning of the BGP chapter for details.

  • Cluster ID type
    List box {Router ID; Manual}, default = “Router ID”
    Controls the iBGP cluster identification. The cluster identification must be the same within a cluster and must differ between clusters. If “Router ID” is selected, the Router ID value is used as the cluster ID.

  • Cluster ID
    IP address, default = 0.0.0.0
    Cluster identification in the format of an IP address. This IP address does not have to be ‘real’ (valid).

7.2.3.3. Neighbors

Neighboring BGP routers. Maximum number of neighbors is 256.

  • Active
    List box {On; Off}, default = “On”
    Enables the specific neighbor.

  • Note
    Informational note.

  • Neighbor type
    List box {Internal; External}, default = “External”
    Neighbor router type selection. “Internal” neighbor belongs to the same AS (iBGP). “External” belongs to other AS (eBGP).

  • Neighbor AS
    Number {0 – 2^32-1}, default = 65000
    Neighbor AS number.

  • Neighbor IP
    IP address, default = 0.0.0.0
    Neighbor router IP address.

  • Local IP of the connection
    IP address, default = 0.0.0.0
    Local IP address of the connection. Default value 0.0.0.0 provides automatic set up of this address – from the routing.

  • Neighbor connection
    List box {Direct; Multihop}, default = “Direct”
    Network connection type between the neighbors. “Direct” means direct – one hop – connection. This is typical for eBGP routers. “Multihop” means connection over the multiple routers. This is typical for iBGP routers.

  • MD5 authentication
    List box {On; Off}, default = “Off”
    Enables authentication of the BGP session using the TCP MD5 Signature option (RFC 2385). Every TCP segment of the session carries a keyed MD5 digest computed over the segment and the shared password; segments without a valid digest (including injected RST segments) are discarded. Both neighbors must use the same password.

  • Password
    String {up to 128 char}
    Password for the MD5 authentication.

  • Passive
    List box {On; Off}, default = “Off”
    Passive BGP router does not initiate connection to a neighbor, it is waiting for the neighbor activity.

  • Hold interval [s]
    Number {3 – 10800}, default = 240
    Time (in seconds) to wait for the keepalive message from the neighbor. It is negotiated with the neighbor. When it expires, the connection is treated as interrupted.

  • Keepalive interval [s]
    Number {1 – 3600}, default = 80
    Period (in seconds) of sending keepalive messages. It should not be longer than 1/3 of the Hold interval.

  • Connection retry interval [s]
    Number {1 – 3600}, default = 120
    Time (in seconds) to wait before trying to re-connect the interrupted connection.

  • TTL security
    List box {On; Off}, default = “On”
    Protection against spoofed BGP packets using the Generalized TTL Security Mechanism (GTSM, RFC 5082). BGP packets are transmitted with the maximum TTL (255). A received packet whose TTL is lower than the value expected for the configured number of hops (Expected hops) is discarded. Since an attacker further away cannot raise the TTL of its packets, remotely spoofed packets never reach the BGP process.

  • Expected hops
    Number {2 – 32}, default = 2
    Number of expected hops between the neighbors (used by TTL security).

  • Route reflector client
    List box {On; Off}, default = “Off”
    Defines if this neighbor is a client of this (this unit) Route reflector.

  • Set cost
    List box {On; Off}, default = “Off”
    Enables to set a specific Cost of the BGP connection.

  • Cost
    Number {0 – 2^32-1}, default = 10
    The cost of the connection to this neighbor. The higher the number, the higher the cost. It allows the router to choose between multiple paths to the same destination learned from different neighbors.

  • Next hop self
    List box {Off; Always; Internal; External}, default = “Off”
    Defines whether the exported routing rules should have their ‘next hop’ address overwritten with the address of this router. “Internal” overwrites only the rules from the local AS. “External” overwrites only the rules from other AS.
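The checks below model the neighbor settings just described: the GTSM TTL test behind TTL security / Expected hops, the keepalive-to-hold relation and the MD5 authentication fields. This is an added example, not RipEX2 firmware code; the Neighbor fields mirror the manual, while the function names and the packet samples (a legitimate neighbor two hops away, an attacker six hops away) are constructed for this illustration.

```python
"""Checks on a RipEX2 BGP neighbor entry: the GTSM TTL test (TTL security,
RFC 5082), the keepalive/hold relation and the MD5 settings.
Added example, not vendor code; Neighbor fields mirror the manual,
packet samples are constructed."""
from dataclasses import dataclass
from typing import List

MAX_TTL = 255          # GTSM: the sender always transmits with the maximum TTL


def ttl_after_hops(hops: int) -> int:
    """TTL seen by the receiver after `hops` router hops from a sender using MAX_TTL."""
    return MAX_TTL - (hops - 1)


def gtsm_accept(received_ttl: int, expected_hops: int) -> bool:
    """Accept only packets that cannot have travelled more than `expected_hops` hops.

    A neighbor `expected_hops` away delivers TTL 255-(expected_hops-1). Nobody can
    send with a TTL above 255, so a spoofed packet from further away always arrives
    with a smaller TTL and is discarded before it reaches TCP/BGP.
    """
    return received_ttl >= ttl_after_hops(expected_hops)


@dataclass
class Neighbor:
    neighbor_ip: str
    neighbor_type: str = "External"    # Internal | External
    connection: str = "Direct"         # Direct | Multihop
    md5_authentication: bool = False
    password: str = ""
    hold_interval: int = 240           # seconds, 3..10800
    keepalive_interval: int = 80       # seconds, 1..3600
    ttl_security: bool = True
    expected_hops: int = 2             # 2..32


def lint_neighbor(n: Neighbor) -> List[str]:
    """Findings a reviewer would raise on this neighbor entry (empty list == clean)."""
    findings = []
    if n.keepalive_interval * 3 > n.hold_interval:
        findings.append(f"{n.neighbor_ip}: keepalive {n.keepalive_interval}s exceeds 1/3 of hold {n.hold_interval}s")
    if not n.md5_authentication:
        findings.append(f"{n.neighbor_ip}: session unauthenticated; enable MD5 authentication")
    elif not n.password:
        findings.append(f"{n.neighbor_ip}: MD5 authentication enabled with an empty password")
    if not n.ttl_security:
        findings.append(f"{n.neighbor_ip}: TTL security off; spoofed packets from distant hosts are not dropped")
    return findings


def demo():
    """Constructed scenario: a hardened neighbor 2 hops away and an attacker 6 hops
    away spoofing its address. Returns (legit accepted, spoof accepted, findings)."""
    peer = Neighbor("192.0.2.1", md5_authentication=True, password="example-psk",
                    hold_interval=90, keepalive_interval=30, expected_hops=2)
    legit = gtsm_accept(ttl_after_hops(2), peer.expected_hops)   # TTL 254 -> accepted
    spoof = gtsm_accept(ttl_after_hops(6), peer.expected_hops)   # TTL 250 -> dropped
    return legit, spoof, lint_neighbor(peer)


if __name__ == "__main__":
    print(demo())
```

The GTSM check is only as tight as Expected hops: every extra hop allowed widens the TTL window an attacker may land in, so keep it at the real distance to the neighbor and combine it with MD5 authentication, which GTSM does not replace.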

7.2.3.4. Static rules

Pre-defined static routing rules to be exported over the BGP protocol. Maximum number of rules is 256.

  • Active
    List box {On; Off}, default = “Off”
    Enables / disables the static routing rule.

  • Destination IP / Destination mask
    IP address, default = 0.0.0.0/32
    IP address and mask defining the exported routing rule destination address range.

  • Note
    Informational note.

7.2.3.5. Import IGP filter

Import IGP filter rules control which routing rules received from BGP are accepted into the dynamic routing table. The order of rules matters. Maximum number of filter rules is 256.

  • Filter policy
    List box {Accept; Reject}, default = “Reject”
    Fallback action for routing rules not matched by any rule of the Import IGP filter.

  • Active
    List box {On; Off}, default = “On”
    Enables / disables the filter rule.

  • Note
    Informational note.

  • Filter network
    List box {Off; Match; Not match}, default = “Off”
    Selects a method of the routing rule destination range comparison.

  • Network IP / Network mask
    IP address, default = 0.0.0.0/0
    IP address and mask defines the network prefix to be compared

  • Mask from
    Number {0 – 32}, default = 0

  • Mask to
    Number {0 – 32}, default = 32
    Definition of the enabled range of the mask length of the processed routing rule.

  • Filter source
    List box {Off; Internal; External}, default = “Off”
    Selection based on the routing rule source. “Internal” selects rules received from the internal (iBGP) connection. “External” selects rules received from the other AS (eBGP).

  • Filter BGP path
    List box {Off; Is empty; Not empty; Contain; Not contain}, default = “Off”
    Filtering based on the BGP Path (routing rule path over different AS). “Is empty” – defines an empty path (routing rule from the local AS). “Contain” – defines paths containing specific AS.

  • Path position
    List box {Any; Neighbor; Source}, default = “Any”
    Selects position of the specific AS (Path AS). “Any” – anywhere on the path. “Neighbor” – the path was received from this AS (last on the path). “Source” – routing rule was originated from this AS (first on the path).

  • Path AS
    Number {0 – 2^32-1}, default = 65000
    The number of the AS searched for.

  • Action
    List box {Accept; Reject; Pass}, default = “Accept”
    Defines what action is taken on the matching routing rule. “Pass” continues in processing.

  • Set preference
    List box {Off; On}, default = “Off”
    Defines if the specific Preference will be set up for this rule.

  • Preference
    Number {0 – 65535}, default = 100
    Routing rule preference in the routing table. The higher the number the higher the preference.

  • Local preferred source address
    IP address, default = 0.0.0.0
    Preferred source IP address for the locally generated packets. When disabled (default value 0.0.0.0 is used), the source IP address is set according to the outgoing interface.

7.2.3.6. Export IGP filter

Export IGP filter rules. The order of rules matters. Maximum number of filter rules is 256.

  • Filter policy
    List box {Accept; Reject}, default = “Reject”
    Fallback action for routing rules not matched by any rule of the Export IGP filter.

  • Active
    List box {On; Off}, default = “On”
    Enables / disables the filter rule.

  • Note
    Informational note

  • Filter network
    List box {Off; Match; Not match}, default = “Off”
    Selects a method of the routing rule destination range comparison.

  • Network IP / Network mask
    IP address, default = 0.0.0.0/0
    IP address and mask defines the network prefix to be compared

  • Mask from
    Number {0 – 32}, default = 0

  • Mask to
    Number {0 – 32}, default = 32
    Definition of the enabled range of the mask length of the processed routing rule.

  • Filter protocol
    List box {Off; Match; Not match}, default = “Off”
    Selects the way how the routing rule source protocol is compared.

  • Protocol
    List box {System; OSPF}, default = “System”
    Selection of the protocol origin. “System” – stands for rules from the ordinary routing table. “OSPF” stands for rules from the OSPF protocol.

  • Filter OSPF source
    List box {Off; Match; Not match}, default = “Off”
    Selects the OSPF routing rule source comparison mode.

  • OSPF source
    List box {Internal; Inter-area; External type 1; External type 2}, default = “External type 2”
    OSPF sources. “Internal” – stands for internally generated rule (e.g. interface range). “Inter-area” – stands for rule generated on the area borders.

  • Filter OSPF tag
    List box {Off; Match; Not match}, default = “Off”
    Selects the way of filtering based on OSPF tag.

  • OSPF tag
    Number {0 – 2^32-1}, default = 0
    OSPF tag to be compared. The tag is added to a rule when inserted to OSPF.

  • Action
    List box {Accept; Reject; Pass}, default = “Accept”
    Defines what action is taken on the routing rule. “Pass” continues in processing.

7.2.3.7. Import OUT rules

Import OUT filter rules control which routing rules received from other AS are accepted into BGP. The order of rules matters. Maximum number of filter rules is 256.

  • Filter policy
    List box {Accept; Reject}, default = “Accept”
    Fallback action for routing rules not matched by any rule of the Import OUT filter.

  • Filter limit
    Number {1 – 65535}, default = 1024
    Maximum number of routing rules accepted from the neighbor. The limit applies before this Import OUT filter; excess rules are dropped. This protects the unit against a neighbor that announces an excessive number of prefixes, whether by misconfiguration or deliberately.

  • Active
    List box {On; Off}, default = “On”
    Enables / disables the filter rule.

  • Note
    Informational note.

  • Filter network
    List box {Off; Match; Not match}, default = “Off”
    Selects a method of the routing rule destination range comparison.

  • Network IP / Network mask
    IP address, default = 0.0.0.0/0
    IP address and mask defines the network prefix to be compared

  • Mask from
    Number {0 – 32}, default = 0

  • Mask to
    Number {0 – 32}, default = 32
    Definition of the enabled range of the mask length of the processed routing rule.

  • Filter BGP path
    List box {Off; Is empty; Not empty; Contain; Not contain}, default = “Off”
    Filtering based on the BGP Path (routing rule path over different AS). “Is empty” – defines an empty path (routing rule from the local AS). “Contain” – defines paths containing specific AS.

  • Path position
    List box {Any; Neighbor; Source}, default = “Any”
    Selects position of the specific AS (Path AS). “Any” – anywhere on the path. “Neighbor” – the path was received from this AS (last on the path). “Source” – routing rule originates from this AS (first on the path).

  • Path AS
    Number {0 – 2^32-1}, default = 65000
    The number of the AS searched for.

  • Action
    List box {Accept; Reject; Pass}, default = “Accept”
    Defines what action is taken with the matching routing rule. “Pass” continues in processing.

  • Prepend local AS
    Number {0 – 8}, default = 0
    Adds the local AS number (up to 8 times) to the BGP path, making the path appear longer. A longer path is penalised during route comparison and selection.
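The Import IGP and Import OUT filters above share one evaluation model: rules are tried in order, a matching rule either decides (Accept/Reject) or lets processing continue (Pass), and routing rules no rule decides fall back to the Filter policy; the Filter limit is applied before any rule runs. The following Python is an added illustration of that model, not RipEX2 firmware code. The rule fields follow the manual (Filter network, Mask from/to, Filter BGP path, Path position, Path AS, Action, Prepend local AS); the class and function names, the sample routes and the choice to apply AS prepending on every matching rule (including Pass) are assumptions of this example. The same prefix/mask-length test is what the OSPF export filter's Filter network / Mask from / Mask to fields perform.

```python
"""Ordered BGP import filter as described for the RipEX2 Import IGP / Import OUT
filters. Added illustration, not RipEX2 firmware code: rule fields follow the
manual, class/function names and sample routes are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List

LOCAL_AS = 65000


@dataclass
class Route:
    prefix: IPv4Network
    # AS path in the order the manual describes it: the originating AS first,
    # the neighbor the rule was received from last. Empty == originated locally.
    as_path: List[int]


@dataclass
class Rule:
    active: bool = True
    filter_network: str = "Off"     # Off | Match | Not match
    network: IPv4Network = IPv4Network("0.0.0.0/0")
    mask_from: int = 0
    mask_to: int = 32
    filter_path: str = "Off"        # Off | Is empty | Not empty | Contain | Not contain
    path_position: str = "Any"      # Any | Neighbor | Source
    path_as: int = LOCAL_AS
    action: str = "Accept"          # Accept | Reject | Pass
    prepend_local_as: int = 0       # 0..8


def network_matches(rule: Rule, route: Route) -> bool:
    """'Filter network': prefix lies inside rule.network, length within [Mask from, Mask to]."""
    if rule.filter_network == "Off":
        return True
    inside = (route.prefix.subnet_of(rule.network)
              and rule.mask_from <= route.prefix.prefixlen <= rule.mask_to)
    return inside if rule.filter_network == "Match" else not inside


def path_matches(rule: Rule, route: Route) -> bool:
    """'Filter BGP path' with the 'Path position' refinement for Contain / Not contain."""
    path = route.as_path
    if rule.filter_path == "Off":
        return True
    if rule.filter_path == "Is empty":
        return not path
    if rule.filter_path == "Not empty":
        return bool(path)
    if rule.path_position == "Neighbor":      # received from this AS: last on the path
        contains = bool(path) and path[-1] == rule.path_as
    elif rule.path_position == "Source":      # originated by this AS: first on the path
        contains = bool(path) and path[0] == rule.path_as
    else:                                     # Any
        contains = rule.path_as in path
    return contains if rule.filter_path == "Contain" else not contains


def apply_filter(routes: List[Route], rules: List[Rule],
                 policy: str = "Accept", limit: int = 1024) -> List[Route]:
    """Run the rule list over routes received from one neighbor; return the accepted ones.

    'Filter limit' is applied before the rules: routes beyond it are dropped outright.
    'Filter policy' is the fallback for routes no rule Accepts or Rejects. Prepending is
    assumed to happen on every matching rule, including those whose action is Pass.
    """
    accepted = []
    for route in routes[:limit]:
        verdict, path = policy, list(route.as_path)
        for rule in rules:
            if not rule.active or not (network_matches(rule, route) and path_matches(rule, route)):
                continue
            path += [LOCAL_AS] * rule.prepend_local_as
            if rule.action == "Pass":
                continue                      # keep evaluating the following rules
            verdict = rule.action
            break
        if verdict == "Accept":
            accepted.append(Route(route.prefix, path))
    return accepted


def demo(policy: str = "Accept") -> List[Route]:
    """Constructed rule set: drop 10/8, drop anything longer than /24, drop paths that
    transit AS 64500, and prepend once to routes learned via neighbor AS 64501."""
    rules = [
        Rule(filter_network="Match", network=IPv4Network("10.0.0.0/8"), action="Reject"),
        Rule(filter_network="Match", mask_from=25, action="Reject"),
        Rule(filter_path="Contain", path_position="Any", path_as=64500, action="Reject"),
        Rule(filter_path="Contain", path_position="Neighbor", path_as=64501,
             action="Pass", prepend_local_as=1),
    ]
    routes = [                                                     # constructed samples
        Route(IPv4Network("10.1.0.0/16"), [64502, 64501]),         # private range -> Reject
        Route(IPv4Network("192.0.2.0/25"), [64501]),               # too specific -> Reject
        Route(IPv4Network("198.51.100.0/24"), [64500, 64501]),     # transits 64500 -> Reject
        Route(IPv4Network("203.0.113.0/24"), [64503, 64501]),      # via 64501 -> Pass, then policy
        Route(IPv4Network("192.0.2.0/24"), [64502]),               # matches nothing -> policy
    ]
    return apply_filter(routes, rules, policy=policy)


if __name__ == "__main__":
    for r in demo():
        print(r.prefix, r.as_path)
```

Running demo() with the default Filter policy “Accept” yields 203.0.113.0/24 (path 64503, 64501, 65000) and 192.0.2.0/24; with “Reject” nothing survives, because the Pass rule never decides on its own. Keeping the fallback at “Reject” and listing explicit Accept rules is the safer shape for an Import OUT filter facing another AS.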

7.2.3.8. Export OUT filter

Export OUT filter rules. The order of rules matters. Maximum number of filter rules is 256.

  • Filter policy
    List box {Accept; Reject}, default = “Accept”
    Fallback action for routing rules not matched by any rule of the Export OUT filter.

  • Active
    List box {On; Off}, default = “On”
    Enables / disables the filter rule.

  • Note
    Informational note.

  • Filter network
    List box {Off; Match; Not match}, default = “Off”
    Selects a method of the routing rule destination range comparison.

  • Network IP / Network mask
    IP address, default = 0.0.0.0/0
    IP address and mask defines the network prefix to be compared

  • Mask from
    Number {0 – 32}, default = 0

  • Mask to
    Number {0 – 32}, default = 32
    Definition of the enabled range of the mask length of the processed routing rule.

  • Filter protocol
    List box {Off; Match; Not match}, default = “Off”
    Selects the way how the routing rule source protocol is compared.

  • Protocol
    List box {System; OSPF; BGP; BGP external; BGP internal}, default = “System”
    Selection of the protocol origin. “System” – stands for rules from the ordinary routing table.

  • Filter OSPF tag
    List box {Off; Match; Not match}, default = “Off”
    Selects the way of filtering based on OSPF tag.

  • OSPF tag
    Number {0 – 2^32-1}, default = 0
    OSPF tag to be compared. The tag is added to a rule when inserted to OSPF.

  • Filter BGP path
    List box {Off; Is empty; Not empty; Contain; Not contain}, default = “Off”
    Filtering based on the BGP Path (routing rule path over different AS). “Is empty” – defines an empty path (routing rule from the local AS). “Contain” – defines paths containing specific AS.

  • Path position
    List box {Any; Neighbor; Source}, default = “Any”
    Selects position of the specific AS (Path AS). “Any” – anywhere on the path. “Neighbor” – the path was received from this AS (last on the path). “Source” – routing rule was originated from this AS (first on the path).

  • Path AS
    Number {0 – 2^32-1}, default = 65000
    The number of the AS searched for.

  • Action
    List box {Accept; Reject; Pass}, default = “Accept”
    Defines what action is taken on the routing rule. “Pass” continues in processing.

7.3. Firewall

7.3.1. Firewall L2

  • Filter mode
    list box {Blacklist, Whitelist}, default = “Blacklist”

    • Blacklist

      The MAC addresses listed in the table are blocked, i.e. all packets to/from them are discarded. The traffic to/from other MAC addresses is allowed.

    • Whitelist

      Only the MAC addresses listed in the table are allowed, i.e. only packets to/from them are allowed. The traffic to/from other MAC addresses is blocked.

  • Active
    List box {Off; On}, default = “On”

    If “On”, Layer 2 Linux firewall is activated.

  • Interface
    List box {All; ETH1..ETH5}, default = “All”

  • MAC
    MAC address (48-bit Ethernet hardware address) to be blocked or allowed.

7.3.2. Firewall L3

  • Active
    List box {Off; On}, default = “Off”
    Switches the L3 firewall Off/On.

Each individual firewall rule is described by the following items:

  • Protocol
    List box {All; ICMP; UDP; TCP; GRE; ESP; Other}, default = “All”

  • Source IP / Mask
    Source IP address and mask. Among the rules matching a packet, the rule with the narrower mask has higher priority; the order of the rules does not affect priority.

  • Source port (from) and (to)
    Interval of source ports.

  • Input interface
    List box {All; Radio; All ETH; ETH1..ETH5; Other}, default = “All”

  • Action
    List box {Deny; Allow}, default = “Deny”

  • Destination IP / Mask
    Destination IP address and mask.

  • Destination port (from) and (to)
    Interval of destination ports.

  • Output interface
    List box {All; Radio; All ETH; Other}, default = “All”

  • Connection state New
    List box {Off; On}, default = “Off” – active only for TCP protocol
    Relates to the first packet when a TCP connection starts (Request from TCP client to TCP server for opening a new TCP connection). Used e.g. for allowing to open TCP only from RipEX2 network to outside.

  • Connection state Established
    List box {Off; On}, default = “Off” – active only for TCP protocol
    Relates to an already existing TCP connection. Used e.g. for allowing to get replies for TCP connections created from RipEX2 network to outside.

  • Connection state Related
    List box {Off; On}, default = “Off” – active only for TCP protocol
    A connection related to an “Established” one, e.g. FTP typically uses two TCP connections (control and data), where the data connection is created automatically using dynamic ports.

    Note

    L2/L3 firewall settings do not impact local ETH access, i.e. the settings never deny access to a locally connected RipEX2 (web interface, ping, …).

    Note

    Ports 443 and 8889 are used internally for service access (by default; this can be overridden). Exercise caution when making L3 Firewall rules that may affect datagrams to/from these ports. The management connection to a remote RipEX2 may be lost when another RipEX2 acts as a router along the route of the management packets and port 443 (or 8889) is blocked in the firewall settings of that routing RipEX2 (RipEX2 units use the iptables “forward” chain).

    Note

    L3 Firewall settings do not impact packets received from and redirected to the Radio channel. The problem described in the previous note therefore does not occur when the affected RipEX2 router is a radio repeater, i.e. when it uses solely the radio channel for input and output.
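The rule-selection behaviour described above (narrower Source mask wins, regardless of table order; connection-state tests apply to TCP only) and the management-port caveat from the notes are easy to get wrong when reading a long table, so here is an added Python model of them. It is not RipEX2 firmware code: the rule fields follow the manual, the packets and rules are constructed, and two details the manual leaves open are assumptions of this example (equal masks are broken by table order, and a packet matching no rule is allowed).

```python
"""Model of the RipEX2 L3 firewall rule selection: among matching rules, the rule
with the narrower Source mask wins whatever its position in the table.
Added example, not vendor code; rules and packets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

MGMT_PORTS = (443, 8889)      # used internally for service access (see the note above)


@dataclass
class Rule:
    action: str                                  # Deny | Allow
    protocol: str = "All"                        # All | ICMP | UDP | TCP | GRE | ESP | Other
    src: IPv4Network = IPv4Network("0.0.0.0/0")
    dst: IPv4Network = IPv4Network("0.0.0.0/0")
    src_ports: Tuple[int, int] = (0, 65535)
    dst_ports: Tuple[int, int] = (0, 65535)
    in_iface: str = "All"                        # All | Radio | All ETH | ETH1..ETH5 | Other
    out_iface: str = "All"                       # All | Radio | All ETH | Other
    state: Optional[str] = None                  # New | Established | Related (TCP only)


@dataclass
class Packet:
    protocol: str
    src: IPv4Address
    dst: IPv4Address
    src_port: int = 0
    dst_port: int = 0
    in_iface: str = "ETH1"
    out_iface: str = "Radio"
    state: str = "New"


def iface_matches(rule_iface: str, pkt_iface: str) -> bool:
    if rule_iface == "All":
        return True
    if rule_iface == "All ETH":
        return pkt_iface.startswith("ETH")
    return rule_iface == pkt_iface


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All fields of the rule must match; the connection-state test applies to TCP only."""
    return (rule.protocol in ("All", pkt.protocol)
            and pkt.src in rule.src and pkt.dst in rule.dst
            and rule.src_ports[0] <= pkt.src_port <= rule.src_ports[1]
            and rule.dst_ports[0] <= pkt.dst_port <= rule.dst_ports[1]
            and iface_matches(rule.in_iface, pkt.in_iface)
            and iface_matches(rule.out_iface, pkt.out_iface)
            and (rule.state is None or (pkt.protocol == "TCP" and rule.state == pkt.state)))


def decide(rules: List[Rule], pkt: Packet, default: str = "Allow") -> str:
    """Action of the matching rule with the narrowest Source mask (`default` if none matches)."""
    best: Optional[Rule] = None
    for rule in rules:
        if rule_matches(rule, pkt) and (best is None or rule.src.prefixlen > best.src.prefixlen):
            best = rule
    return best.action if best else default


def breaks_remote_management(rules: List[Rule], pkt: Packet) -> bool:
    """True if a management datagram (port 443/8889) forwarded through this unit would be denied."""
    return pkt.dst_port in MGMT_PORTS and decide(rules, pkt) == "Deny"


def demo() -> Tuple[str, str, str]:
    """Constructed policy: LAN 192.0.2.0/24 may not reach the radio network, except that the
    SCADA master 192.0.2.10 may open Modbus/TCP (502) sessions; replies to established TCP
    sessions are allowed. The Deny rule is listed first on purpose: the mask decides."""
    rules = [
        Rule("Deny", src=IPv4Network("192.0.2.0/24"), out_iface="Radio"),
        Rule("Allow", protocol="TCP", src=IPv4Network("192.0.2.10/32"),
             dst_ports=(502, 502), out_iface="Radio", state="New"),
        Rule("Allow", protocol="TCP", state="Established"),
    ]
    master_syn = Packet("TCP", IPv4Address("192.0.2.10"), IPv4Address("10.10.0.5"), 40000, 502)
    other_syn = Packet("TCP", IPv4Address("192.0.2.11"), IPv4Address("10.10.0.5"), 40000, 502)
    reply = Packet("TCP", IPv4Address("10.10.0.5"), IPv4Address("192.0.2.10"), 502, 40000,
                   in_iface="Radio", out_iface="ETH1", state="Established")
    return decide(rules, master_syn), decide(rules, other_syn), decide(rules, reply)


def mgmt_demo() -> bool:
    """A single 'Deny TCP to 443' rule on a unit that forwards management traffic."""
    deny_https = [Rule("Deny", protocol="TCP", dst_ports=(443, 443))]
    mgmt = Packet("TCP", IPv4Address("192.0.2.10"), IPv4Address("10.10.0.9"), 50000, 443)
    return breaks_remote_management(deny_https, mgmt)


if __name__ == "__main__":
    print(demo(), mgmt_demo())
```

demo() returns ("Allow", "Deny", "Allow"): the /32 rule beats the /24 Deny for the master although it is listed second, every other LAN host is denied, and the Established rule lets the replies back in. mgmt_demo() returns True, which is exactly the situation the note warns about on a RipEX2 that routes management traffic for units behind it.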

7.4. VPN

VPN (Virtual Private Network) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network.

7.4.1. IPsec

Internet Protocol Security (IPsec) is a network protocol suite that authenticates and encrypts the packets of data sent over a network. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys for use during the session. IPsec uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection. IPsec is an end-to-end security scheme operating within the Internet Layer of the Internet Protocol Suite. IPsec is recognized as a secure, standardized and well-proven solution by the professional public.

Although IPsec defines two modes of operation (Transport and Tunnel), RipEX2 offers Tunnel mode only. In Tunnel mode the entire original IP packet is encrypted and authenticated and then encapsulated in a new IP packet (ESP – Encapsulating Security Payload) with a new IP header.

Symmetrical cryptography is used to encrypt the packets. The symmetric keys must be safely delivered to the peer. In order to maintain a secure connection, symmetric keys must be regularly exchanged. The protocol used for secure key exchange is IKE (Internet Key Exchange). Both IKE version 1 and the newer version 2 are available in RipEX2.

IKE communicates with the peer using UDP datagrams on port 500. However, if NAT-T (NAT Traversal) or MOBIKE (MOBile IKE) is active, UDP port 4500 is used instead.

Note

NAT-T is automatically recognized by IPsec implementation in RipEX2.

The IPsec tunnel is provided by Security Association (SA). There are 2 types of SA:

  • IKE SA: IKE Security Association providing SA keys exchange with the peer.

  • CHILD SA: IPsec Security Association providing packet encryption.

Every IPsec tunnel contains 1 IKE SA and at least 1 CHILD SA.

Link partner (peer) secure authentication is assured using Pre-Shared Key (PSK) authentication method: Both link partners share the same key (password).

When a CHILD SA expires, new keys are generated and exchanged over the IKE SA.

When an IKEv1 IKE SA expires, a new authentication and key exchange occurs and a new IKE SA is created. Every CHILD SA belonging to this IKE SA is re-created as well.

When an IKEv2 IKE SA expires, one of two scenarios occurs:

  • If re-authentication is required, the behavior is the same as for IKEv1 (see above).

  • If re-authentication is not required, only new IKE SA keys are generated and exchanged.

  Configuration

  • Active
    List box {On; Off}
    Turns the IPsec system on or off.

  • Make-before-break {On, Off}, default Off
    Valid for all IKE SA using IKEv2 with re-authentication. It suppresses the short break of the connection that otherwise occurs during IKE SA re-authentication. This function may not operate correctly with some IPsec implementations (on the peer side).

  • Peer Address
    Default = 0.0.0.0

    IKE peer IP address.

  • Local ID
    IP address or FQDN (Fully Qualified Domain Name) is used as the Local side identification. It must be the same as “Peer ID” of the IKE peer.

  • Peer ID
    IP address or FQDN (Fully Qualified Domain Name) is used as the IKE peer identification. It must be the same as “Local ID” of the IKE peer. The “Peer ID” must be unique in the whole table.

  • Add / Edit IPsec associations
    Every item in the table represents one IKE SA. There can be a maximum of 8 active IKE SA (limited by system resources).

    • Start state
      List box {Passive; On demand; Start}, default = “Passive”

    • MOBIKE
      List box {On; Off}, default = “On”

      Enables MOBIKE for IKEv2 supporting mobility or migration of the tunnels. Please note IKE is moved from port 500 to port 4500 when MOBIKE is enabled. The peer configuration must match.

    • Dead Peer Detection
      List box {On; Off}, default = “On”

      Detects a lost connection with the peer. IKE test packets are sent periodically; when they are not acknowledged after several attempts, the connection is closed and the configured DPD action (see the Advanced menu) is taken. When Detection is not enabled, a connection loss is discovered only when the regular key exchange is initiated.

    • Phase 1 IKE
      Parameters related to IKE SA (IKE Security Association) provide SA keys exchange with the peer.

      • IKE version
        List box {IKEv1; IKEv2}, default = “IKEv2”

        IKE version selection. The IKE peer must use the same version.

      • Authentication method
        List box {PSK}

        Peer authentication method. Peer configuration must match.

        The “main mode” negotiation is the only option supported. The “aggressive mode” is not supported: it is recognized as unsafe in combination with PSK authentication, because the identity hash it sends unencrypted can be captured and subjected to an offline dictionary attack on the PSK. (Main and aggressive mode exist in IKEv1 only; IKEv2 uses a single exchange type.)

      • Encryption algorithm
        List box {3DES (legacy); AES128; AES192; AES256}, default = “AES128”

        IKE SA encryption algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

      • Authentication algorithm
        List box {MD5 (legacy); SHA1 (legacy); SHA256; SHA384; SHA512}, default = “SHA256”

        IKE SA integrity algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

        The same value as selected for the Integrity algorithm, is used for the PRF (Pseudo-Random Function).

      • Diffie-Hellman group (PFS)
        List box {None (legacy); Group 2 (MODP1024, legacy); Group 5 (MODP1536, legacy); Group 14 (MODP2048); Group 15 (MODP3072); Group 25 (ECP192); Group 26 (ECP224); Group 19 (ECP256); Group 20 (ECP384); Group 21 (ECP521); Group 27 (ECP224BP); Group 28 (ECP256BP); Group 29 (ECP384BP); Group 30 (ECP512BP)}, default = “Group 15 (MODP3072)”

        The PFS (Perfect Forward Secrecy) feature is performed using the Diffie-Hellman group method.

        PFS increases IKE SA key exchange security. The RipEX2 unit load is seriously affected while a key exchange is in progress. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

        The higher the Diffie-Hellman group, the higher the security but also the higher the network and CPU load. Note that the group number is not a strength ranking: Group 25 (ECP192) offers only about 96 bits of security, less than Group 14 (MODP2048), and Group 26 (ECP224) is roughly comparable to it. Among the non-legacy options, Group 14 or higher (MODP) or Group 19 or higher (ECP) are the usual choice.

      • Reauthentication
        List box {On; Off}, default = “Off”

        This parameter is valid if IKEv2 is used. It determines the next action after IKE SA has expired. When enabled: the new IKE SA is negotiated including new peer authentication. When disabled: only the new keys are exchanged.

      • SA lifetime [s]
        Number {180 – 86400}, default = 14400 s (4 hours)

        Time of SA validity. A new key exchange or re-authentication is triggered as soon as the SA expires. The true time of expiration is randomly selected within 90-110% of the configured value, to prevent a collision when both sides trigger the key exchange simultaneously.

        Unfortunately, the more frequent the key exchange, the higher the network and CPU load.

    • Phase 2 – IPsec
      Certain parameters are shared by all subordinate CHILD SA. IPsec Security Association provides packet encryption (user traffic encryption).

      • Encryption algorithm
        List box {3DES (legacy); AES128; AES192; AES256}, default = “AES128”

        IKE CHILD SA encryption algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

      • Authentication algorithm
        List box {MD5 (legacy); SHA1 (legacy); SHA256; SHA384; SHA512}, default = “SHA256”

        CHILD SA integrity algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match. (The PRF is negotiated for the IKE SA only; there is no separate PRF for the CHILD SA.)

      • Diffie-Hellman group (PFS)
        List box {None (legacy); Group 2 (MODP1024, legacy); Group 5 (MODP1536, legacy); Group 14 (MODP2048); Group 15 (MODP3072); Group 25 (ECP192); Group 26 (ECP224); Group 19 (ECP256); Group 20 (ECP384); Group 21 (ECP521); Group 27 (ECP224BP); Group 28 (ECP256BP); Group 29 (ECP384BP); Group 30 (ECP512BP)}, default = “Group 15 (MODP3072)”

        The PFS (Perfect Forward Secrecy) feature is performed using the Diffie-Hellman group method.

        PFS increases IKE CHILD SA key exchange security. The RipEX2 unit load is seriously affected when key exchange is in process. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

        The higher the Diffie-Hellman group, the higher the security but also the higher the network and CPU load.

      • Payload compression
        List box {On; Off}, default = “Off”

        This parameter enables payload compression. This takes place before encryption. Peer configuration must match

      • SA lifetime [s]
        Number {180 – 86400}, default = 3600 s (1 hour)

        Time of CHILD SA validity. A new key exchange is triggered as soon as the SA expires. The true time of expiration is randomly selected within 90-110% of the configured value, to prevent a collision when both sides trigger the key exchange simultaneously.

        The SA lifetime of a CHILD SA is normally much shorter than that of the IKE SA, because the CHILD SA carries much more data than the IKE SA (key exchange only). Changing the keys regularly limits the amount of data encrypted under one key and thus the material available to an attacker analysing the ciphertext.

    • PSK
      PSK (Pre-shared key) authentication is used for IKE SA authentication. The relevant peer is identified using its “Peer ID”. The key must be the same on both the local and the peer side of the IPsec tunnel.

      • Passphrase
        The PSK is entered as a passphrase. An empty passphrase is not allowed. A 256-bit key can be set instead of a passphrase in the ADVANCED / VPN / IPsec menu. Because PSK authentication is only as strong as the secret itself, use a long random passphrase (or the 256-bit key) rather than a short or dictionary-based one.

  • Traffic selector
    Defines which traffic is forwarded to the IPsec tunnel. The rule that defines this selection matches an incoming packet to “Local network …” and “Remote network …” address ranges.

  • Basic rules:
    Each line contains the configuration settings of one CHILD SA and indicates its association to a specific IKE SA.

    There can be a maximum of 16 active CHILD SA (in total over all Active IKE SA).

    Every “Active” line must have an equivalent on the peer side with reversed “Local network…” and “Remote network…” fields.

    “Local network…” and “Remote network…” fields must contain different address ranges and must not interfere with the USB service connection (10.9.8.7/28) or internal connection to FPGA (192.0.2.233/30).

    Each “Active” Traffic selector in the configuration table must be unique.

  • Local network address / Mask
    Source IP address and mask of the packets to be captured and forwarded to the encrypted tunnel.

  • Remote network address / Mask
    Destination IP address and mask of the packets to be captured and forwarded to the encrypted tunnel.

  • Active {On, Off}, default On
    Relevant CHILD SA can be enabled/disabled.
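
The Basic rules above can be checked mechanically before a configuration is sent. The following is an added example (not RipEX2 firmware or RACOM code) that validates a traffic-selector table against the limit of 16 active CHILD SA, the reserved USB (10.9.8.7/28) and FPGA (192.0.2.233/30) ranges, the uniqueness rule and the mirrored-peer rule; the row layout, function names and sample tables are this example's own assumptions.

```python
"""Check an IPsec traffic-selector table against the Basic rules above.

Added example, not RipEX2 firmware or RACOM code.  The row layout
(IKE SA name, local network, remote network, Active flag), the function
names and the sample tables are constructed for this example; the
rules and the reserved ranges are the manual's.
"""
import ipaddress
from dataclasses import dataclass

# Ranges the manual says a selector must not interfere with.
RESERVED = {
    "USB service connection": ipaddress.ip_network("10.9.8.7/28", strict=False),
    "internal FPGA connection": ipaddress.ip_network("192.0.2.233/30", strict=False),
}
MAX_ACTIVE_CHILD_SA = 16   # in total over all Active IKE SA


@dataclass(frozen=True)
class Selector:
    ike_sa: str          # IKE SA the CHILD SA is associated with
    local: str           # "Local network address / Mask"
    remote: str          # "Remote network address / Mask"
    active: bool = True  # the "Active" column

    def nets(self):
        return (ipaddress.ip_network(self.local, strict=False),
                ipaddress.ip_network(self.remote, strict=False))


def check_table(rows):
    """Return the list of rule violations in one unit's table (empty = OK)."""
    errors = []
    active = [r for r in rows if r.active]
    if len(active) > MAX_ACTIVE_CHILD_SA:
        errors.append(f"{len(active)} active CHILD SA exceed the limit of {MAX_ACTIVE_CHILD_SA}")
    seen = set()
    for row in active:
        local, remote = row.nets()
        # "different address ranges": read strictly as no overlap at all, so
        # that no packet can match as both local and remote.
        if local.overlaps(remote):
            errors.append(f"{row.ike_sa}: local {local} and remote {remote} overlap")
        for side, net in (("local", local), ("remote", remote)):
            for purpose, reserved in RESERVED.items():
                if net.overlaps(reserved):
                    errors.append(f"{row.ike_sa}: {side} {net} interferes with "
                                  f"{purpose} ({reserved})")
        # Every Active selector in the table must be unique.
        if (local, remote) in seen:
            errors.append(f"{row.ike_sa}: duplicate active selector {local} -> {remote}")
        seen.add((local, remote))
    return errors


def peer_table(rows):
    """The table the peer must carry: the same lines with the fields reversed."""
    return [Selector(r.ike_sa, r.remote, r.local, r.active) for r in rows]


def check_peer_match(rows, peer_rows):
    """Every Active line here needs an Active line on the peer with fields reversed."""
    mirrored = {tuple(reversed(p.nets())) for p in peer_rows if p.active}
    return [f"{r.ike_sa}: no peer line with Local={r.remote} / Remote={r.local}"
            for r in rows if r.active and r.nets() not in mirrored]


# Constructed sample: a centre unit and a peer that mirrors only the first line.
CENTRE = [
    Selector("ike_site1", "192.168.1.0/24", "192.168.101.0/24"),
    Selector("ike_site1", "192.168.1.0/24", "192.168.101.0/24"),            # duplicate
    Selector("ike_site2", "10.9.8.0/24", "192.168.102.0/24"),               # covers the USB range
    Selector("ike_site2", "172.16.0.0/16", "172.16.5.0/24", active=False),  # Off: not checked
]
PEER = peer_table(CENTRE[:1])

if __name__ == "__main__":
    for problem in check_table(CENTRE) + check_peer_match(CENTRE, PEER):
        print("violation:", problem)
```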

7.4.1.1. Advanced menu

Several additional parameters are available in menu: ADVANCED / VPN / IPsec

  • DPD check period [s]
    Number {5 – 28800}, default = 30

    Dead Peer Detection check period

  • DPD action
    List box {Clear; Hold; Restart}, default = “Hold”

    One of three connection states automatically activated when connection loss is detected:

    • Clear – connection is closed and waiting

    • Hold – connection is closed. Connection is established when first packet transmission through tunnel is attempted.

    • Restart – connection is established immediately

7.4.2. GRE L2

The GRE L2 tunnel is connected to the bridge (LAN interface) as one of the bridge’s ports: it captures the Ethernet frames of the bridge and sends them to the other end of the tunnel. This makes it possible to build a bridge across a complex network and combine local partial networks into one network.

GRE L2 tunnel can be used to tunnel the IPv6 traffic over the RipEX IPv4 network.

  • GRE L2 Enable – switches all L2 tunnels On or Off

Individual L2 tunnels:

  • Enable – enables actual L2 tunnel

  • Note – Informational note

  • Peer address – IP address of the equipment with the second end of the tunnel. This address is the expected source address of incoming GRE packets from the peer.

  • Network interface name – has to be set to the name of an existing bridge (SETTINGS/Interfaces/Ethernet/Network interface Name)

  • Key enabled – enables using key identification of the tunnel from/to the same peer

  • Key – identification number of the tunnel
    Number {0 – 4,294,967,295}, default = 0

  • MTU [B] – MTU of the L2 tunnel.
    Number {74 – 1500}, default = 1462

    The overhead of the L2 tunnel is 38 B, so GRE MTU = Path MTU – 38.

7.4.3. GRE L3

GRE L3 tunnel works as an additional unit’s interface with its own IP address (and mask). The routing rules are used for sending packets to this interface. It bridges part of the network, so it seems to be one hop for the user traffic.

  • GRE L3 Enable – switches all L3 tunnels On or Off

Individual L3 tunnels:

  • Enable – enables actual L3 tunnel

  • Note – Informational note

  • Peer address – IP address of the equipment with the second end of the tunnel. This address is the expected source address of incoming GRE packets from the peer.

  • Tunnel address / Mask – IP address and mask of the GRE tunnel interface

  • Key enabled – enables using key identification of the tunnel from/to the same peer

  • Key – identification number of the tunnel
    Number {0 – 4,294,967,295}, default = 0

  • MTU [B] – MTU of the L3 tunnel.
    Number {70 – 1476}, default = 1476

    The overhead of the L3 tunnel is 24 B, so GRE MTU = Path MTU – 24. If the MTU is bigger than is allowed along the route, the GRE packets will be discarded and an ICMP report will be sent back to the source of the original packet (Path MTU discovery).

7.5. Security

User authentication is required to access RipEX unit management. There are two types of user authentication which differ in the user account location:

  • Local authentication – user accounts are stored directly in the RipEX unit

  • Remote authentication – user accounts are stored on a remote authentication server (RADIUS is implemented)

There are four different levels of user access privileges – they are bound with four different user access roles:

  • Guest (role_guest)
    Read only access for configuration parameters (except secured part of configuration). Diagnostics tools are available.

  • Technician (role_tech)
    All privileges of Guest role plus: write access for non-secured part of configuration.

  • Security technician (role_sectech)
    All privileges of Technician role plus: write access for secured part of configuration (except unit authentication related parts); unit firmware up/down-grade

  • Administrator (role_admin)
    No access level restrictions. All privileges of Security technician role plus: user accounts management; remote authentication configuration.

Limitations:

  • At least one Administrator type of account must be defined in the unit.

  • The maximum number of concurrently active sessions is 64. One user can have multiple sessions open at the same time. If this limit is reached and a new session is to be opened, the oldest active session is deactivated and the new one is opened.

  • The maximum number of Local user accounts (all roles together) is 100.

    [Note]Note

    The Remote access uses local identity and role of the user – there is no additional login to the remote unit (the login into local unit serves as login to the whole network).

7.5.1. Local authentication

The following settings are available only to users with the Administrator role.

The following user account parameters can be changed: password, user role. Any account (except the last one with the Administrator role) can be deleted.

The Export all users button backs up all Local user accounts into a file.

The Import all users button restores all Local user accounts from a backup file. The active session is logged out automatically after this command.

+ Add user account button invokes new user account creation dialog:

  • Username
    String {1..128 char}, default = <empty>

    New Username. Every username in the unit must be unique.

  • Password
    String {5..128 char}, default = <empty>

    Password is stored in a secure way.

  • Role
    List box {Admin; Security Technician; Technician; Guest}, default = “Admin”

    [Note]Note

    It is highly recommended to create a new administrator type of account and delete the default “Admin” account.

Advanced feature

When a user account is inactive for some time, the user is automatically logged out. The inactivity timeout is set to 1 day by default. It can be changed in the range of 5 minutes up to 2 days (menu ADVANCED/Generic/UserAccess – Web inactivity timeout).

[Note]Note

It is necessary to install firmware version 1.4.5.0 or higher to assure proper functionality of Local and Remote authentication.

7.5.2. Remote authentication

Settings of remote authentication using RADIUS are available in the ADVANCED/Security/RADIUS menu.

7.6. Device

7.6.1. Unit

7.6.1.1. General

The general settings affecting the whole unit.

  • Mode
    List box {Bridge; Router}, default = “Bridge”
    Selecting Bridge or Router mode affects many other parameters across the unit. See Section 5.1, “Bridge mode” and Section 5.2, “Router mode” for detailed description.

  • Unit name
    This name is used as a real name of the Linux router, so the allowed characters are strictly limited to:

    _a..zA..Z0..9

  • Unit note
    Longer unit name without special characters restrictions.

  • Unit location, Unit contact
    Additional SNMP information. All the fields above are typically used in the NMS systems to identify the specific unit.

7.6.1.2. Service USB

The USB service interface primary purpose is to provide unit service and management access. Ethernet or WiFi connection can be established using an external ETH/USB or WiFi adapter. Please note that only adapters listed in https://www.racom.eu/eng/products/radio-modem-ripex.html#accessories_ethusb can be used.

The DHCP server is running on this service interface to enable easier connection of the management device (PC, tablet or smart phone).

  • Enable / Disable
    Each of the ETH or WiFi services can be enabled or disabled separately. When WiFi is enabled, the unit acts as a WiFi Access Point (AP).

  • IP / Mask
    IP address of the DHCP server. This is the IP address to be used when accessing the unit management via this service interface.

  • DHCP pool start
    Default = IP address of the DHCP server + 1

    DHCP Server assigns addresses to connected clients starting from this address.

  • DHCP pool end
    DHCP server assigns IP addresses to connected clients in the range defined by DHCP pool start and DHCP pool end (inclusive).

  • WiFi
    WiFi AP parameters can be customized.

  • SSID automatically
    List box {On; Off}, default = “On”

    When automatic definition of SSID is enabled, the SSID contains unit Serial number.

  • SSID
    WiFi AP SSID. When entered manually, it must follow SSID naming conventions.

  • Mode
    List box {802.11g; 802.11g}, default = “802.11g”

    WiFi AP mode.

  • Channel
    Selected WiFi channel.

  • Security
    List box {Off; WPA2-PSK}, default = “Off”

    It is a good practice to use WPA2-PSK secured connection together with a strong password. It is highly recommended in case of permanent WiFi adapter installation.

7.6.1.3. Time

Unit Event time stamps, unit Statistics records and unit internal logs use the Unit time. It is good practice to keep the Unit time synchronized to ease unit and network diagnostics.

Unit time can be setup manually or it can be synchronized with an NTP server. NTP server synchronization is recommended.

The unit itself serves as an NTP server providing time synchronization to other IP clients. If no NTP server is defined or none is available, the unit runs in an “orphan” mode; the unit internal NTP server Stratum is set to 8 in this case. If the unit is synchronized with an NTP server, the unit NTP server Stratum is set one higher than the Stratum of the NTP server providing the time synchronization to the unit.

If the unit is synchronized to a time source and the unit (synchronized) time differs from the unit RTC time (by more than 8 seconds), the RTC time is updated.

[Note]Note

Each unit can serve as an NTP server for further IP equipment; this functionality is always on.

  • Status
    The Status field provides information about NTP synchronization status.

    Refresh button is used to update the Status information.

  • Change device time manually
    This field is used to setup unit time manually.

  • Update in device
    Sets the given time to the unit.

  • Use browser time checkbox
    Permanently updates the Change device time manually field to minimize the delay between the time input and the moment of time setup.

  • NTP client synchronization source
    Synchronization source of the NTP client. The only option “NTP server” is implemented at this firmware version.

  • NTP server minimum polling time
    Minimum period of the NTP server queries. The NTP client is allowed to prolong this time in case of poor quality of the server or of the connection to the server.

  • Time zone
    Time zone to represent unit internal time. All the unit timestamps are displayed using this time zone. Changing the time zone does not affect unit internal records – they are always recorded using UTC time zone.

  • NTP servers
    Multiple NTP servers can be configured to get more precise time synchronization or to have a backup solution in case of an individual NTP server unavailability. Maximum number of records in the list is 32. The unit runs in an “orphan” mode if the NTP client synchronization source is set to “NTP server” and there is no NTP server defined in this list.

7.6.1.4. Hot standby

7.6.1.4.1. Hot standby settings

The following settings are supported by the controller version of the RipEX2-HS, where the controller manages the active and passive/standby RipEX2 units and their access to the shared channels (e.g. radio).

The communication between the individual RipEX2 units and the HS controller uses the DI/DO interfaces, so other use of these interfaces is not possible.

The HW switch (mode selector) has to be set to the AUTO position for switching between units; otherwise the selected unit remains active even if an error occurs on it.

The AUTO regime allows switching to the standby unit when an error status occurs in the active unit – if both units are without alarms, the A unit will be active.

  • Hot standby mode enabled
    Listbox {On; Off}, default = “Off”
    Switches Hot Standby functionality.

  • Virtual MAC
    MAC address of the shared LAN interface. It should be the same for both individual RipEX2 units. This MAC address has to differ from the other MAC addresses used in the unit. It is possible to use e.g. VRRP-type addresses: 00:00:5E:00:01:XX.

    To prevent a collision with broadcast addresses (in case of Flexible protocol usage), the address must not end with :FF:FF:FF.

  • Virtual IP
    This address has to fit into the range of addresses used for the relevant network interface (e.g. ETH 1) and will be used as the shared IP address of the LAN interface. The radio address is used according to the setting in SETTINGS/Interfaces/Radio/IP – the same address has to be set in both radio modems.

  • Unit chassis position
    Listbox {Unit A; Unit B}, default = “Unit B”
    Position of the unit in HS chassis, set Unit A for unit in A position and vice versa.

  • Fallback time
    Time in seconds. The delay to stay on the standby unit after all alarms are resolved.

  • Guard mode
    Listbox {INCLUDE; EXCLUDE}, default = “INCLUDE”
    Defines the behavior of guarding of the ETH interfaces. INCLUDE requires all guarded lines to be in the UP state – if one of the guarded lines is not UP, an alarm occurs and switching to the standby unit is executed.

  • Guard ETH1 .. ETH5 active
    Listbox {On; Off}, default = “Off”
    Switches on guarding of the individual ETH link.

  • Toggle now

    This button allows switching the unit from the Active status to the non-active one.

    It will not be possible if:

    • The second unit is in alarm status.

    • The HW MODE selector is not set to AUTO.

    • The unit is in not-active status.

      [Note]Note

      It is possible to change the active status from the A to the B unit using the shell command “rrcmd rrhstdby web passivate” and back using the command “rrcmd rrhstdby web activate”. Both units should be without errors for the SW switching.

7.6.1.4.2. Hot standby LAN interface settings

It is necessary to set the LAN interface used for the HS functionality.

The Range for virtual address parameter is available in this menu only when the HS functionality is enabled in the menu SETTINGS/Device/Unit/Hot standby (see above).

The Range for virtual address parameter has to be set to On for the LAN interface interconnected with the shared ETH interface.

[Note]Note

The IP addresses of the interconnected ETH interfaces of the A and B units should be different from each other, yet in the same range as the virtual shared address (i.e. three different addresses in the same range altogether).

7.6.2. Configuration

There are several tools to operate full unit configuration: Backup, Restore, and restore to Factory settings.

  • Backup

    It is good practice to make a configuration backup into an external file every time the configuration is changed, to be able to restore the configuration into another unit in case of unit maintenance.

    Backup and download button triggers the web browser Download action. The specific behaviour depends on your web browser personal settings – whether the configuration backup file is downloaded to a predefined download folder or the file Download dialog to select destination folder is shown. The configuration is stored in a text file (.json file type).

    The backup configuration has the following limitations:

    • The set of configuration data is limited by a user access privileges of the user who performed the backup. The full configuration backup can only be issued by a user with the Administrator (role_admin) access privileges. The same user access limit applies when the configuration is restored (i.e. the full configuration Restore can only be issued by a user with the Administrator (role_admin) access privileges).

    • The configuration data are valid only for the given configuration version (CNF version – see below). If the new firmware version brings the new configuration version, the new configuration backup file needs to be downloaded after the firmware upgrade.

    [Note]Note

    The actual unit configuration (inside the running unit) is converted to a new version automatically during the firmware upgrade. No need to take care about that process.

    Configuration version is stored in the parameter called “CNF version” which can be checked in the menu: Diagnostics – Support – Advanced information.

  • Restore
    The configuration can be restored from a backup file (containing the same configuration version as the configuration version currently running in the unit – see above).

    • Choose File Button
      Triggers the file selection dialog. Once the configuration backup file is selected, it is uploaded to the unit. The upload action can take some time – depends on the speed of your service connection to the unit.

    • Factory settings
      The Load default configuration button loads the default values of all configuration parameters into the web interface. All parameters whose current value differs from the default are marked as changed and listed in the Changes to commit dialog. They do not affect the running unit until sent to it by the Send configuration button.

      [Note]Note

      This action can be used (for example) to check which set of parameters differs from the default value.

    • Restore configuration button
      Enabled after the backup configuration is uploaded. Press the button to restore the unit configuration. The result of the configuration restore is reported as an error message (in case of failure) or as a Notification centre success message.

  • Restore factory settings
    Restores all configuration parameters to default setup (including monitoring settings)

    Deletes user database (only default user “admin” with default password will remain). Logout from station will apply.

  • Total purge
    Restores all configuration parameters to default setup (including monitoring settings)

    Deletes user database (only default user “admin” with default password will remain). Logout from station will apply.

    Deletes all diagnostic logs and statistics

    Clears Radio Tx and antenna degradation detector calibration

[Note]Note

Basic data such as Code, Region, SW keys will always remain in the unit.

[Warning]Warning

This action can take up to two minutes – do not power off the unit until finished.

Tab. 7.1: Configuration versions

CNF version   FW version
10            2.0.3.0
9             2.0.1.0
8             1.4.8.0
7             1.4.6.0
6             1.4.5.0
5             1.4.3.0
4             1.4.1.0
3             1.3.6.0
2             1.3.4.0
1             1.3.2.0
0             1.3.1.0

7.6.3. Events

Settings of the severities of the individual events. Some events can generate an SNMP notification and can change the level of the HW alarm outputs (AO, DO1, DO2); see Section 2.2.2, “Power and Control”.

7.6.4. SNMP

SNMP (Simple Network Management Protocol) implementation in RipEX provides three SNMP versions: v1, v2c and v3.

[Note]Note

The following characters are prohibited in SNMP communication:
” (Double quote) ` (Grave accent) \ (Backslash) $ (Dollar symbol) ; (Semicolon)

  • SNMP mode
    List box {Off; v1_v2c_v3; v3}, default = “Off”
    Enables the SNMP and defines which protocol versions are available.

  • Community name
    String {1..32 char}, default = <public>
    Community name used by v1 and v2c
    When mode v1_v2c_v3 is used, this parameter is mandatory.

Version 3 settings

  • Security user name
    String {1..32 char}, default = <empty>
    User name for SNMPv3. When v3 protocol is selected, this parameter is mandatory.

  • Security level
    List box {NoAuthNoPriv; AuthNoPriv; AuthPriv}, default = “NoAuthNoPriv”
    The v3 protocol security level. Switches on/off Authentication (Auth) and the SNMP data encryption (Priv).

  • Authentication
    List box {MD5_legacy; SHA1_legacy; SHA224; SHA256; SHA384; SHA512}, default = “SHA256”
    Authentication algorithm. Legacy algorithms are not recommended; they are available for compatibility reasons only.

  • Authentication passphrase
    String {8..128 char}, default = <empty>
    Passphrase used for authentication with SNMP server.

  • Encryption
    List box {DES_legacy; AES128; AES192; AES256}, default = “AES128”
    Encryption algorithm.

  • Encryption passphrase
    String {8..128 char}
    Passphrase used for data encryption when communicating with SNMP server.

  • Engine ID mode
    List box {Default; User defined}, default = “Default”
    The Engine ID serves for unique identification of the SNMP instance (i.e. the RipEX unit) according to RFC 3411. When the “Default” Engine ID mode is selected, the MAC address of the ETH1 interface is used for the unique part of the Engine ID (whole Engine ID example: 800083130302a92006ef).

  • Engine ID
    String {1..27 char}
    When the “User defined” Engine ID mode is selected, the differentiating part of the Engine ID can be entered as ASCII characters or generated (e.g. U3qPrisWoDYbBVNsAWluZYGL3M5). This string is converted into hexadecimal bytes (i.e. 55 33 71 50 72 69 73 57 6f 44 59 62 42 56 4e 73 41 57 6c 75 5a 59 47 4c 33 4d 35). The whole Engine ID for the mentioned example:
    800083130455337150726973576f44596242564e7341576c755a59474c334d35.
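
The Engine ID layout described above (enterprise prefix 80008313, a format byte of 03 for a MAC address or 04 for text, then the payload) follows RFC 3411. The following is an added example, not RipEX2 firmware or RACOM code, that rebuilds the manual's “User defined” example from its text and decodes both examples back into their parts; the function names are this example's own.

```python
"""Build and decode SNMPv3 Engine IDs of the RFC 3411 form shown above.

Added example, not RipEX2 firmware or RACOM code.  The enterprise prefix
80008313 and the two Engine ID examples come from the manual; the function
names are this example's own.
"""
ENTERPRISE_PREFIX = bytes.fromhex("80008313")  # bit 7 set = RFC 3411 format; enterprise 0x8313
FORMAT_MAC = 0x03        # "Default" mode: MAC address of the ETH1 interface
FORMAT_TEXT = 0x04       # "User defined" mode: ASCII text
MAX_ENGINE_ID_LEN = 32   # RFC 3411 allows 5..32 octets, hence at most 27 text characters
MAX_TEXT_LEN = MAX_ENGINE_ID_LEN - len(ENTERPRISE_PREFIX) - 1


def text_fits(text):
    """True if the user-defined part fits the 1..27 character limit of the menu."""
    return 1 <= len(text.encode("ascii")) <= MAX_TEXT_LEN


def engine_id_from_text(text):
    """"User defined" mode: prefix, format byte 04, then the ASCII bytes, as hex."""
    if not text_fits(text):
        raise ValueError("Engine ID text must be 1..27 ASCII characters")
    return (ENTERPRISE_PREFIX + bytes([FORMAT_TEXT]) + text.encode("ascii")).hex()


def engine_id_from_mac(mac):
    """"Default" mode: prefix, format byte 03, then the six MAC octets, as hex."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    return (ENTERPRISE_PREFIX + bytes([FORMAT_MAC]) + octets).hex()


def decode_engine_id(hexstr):
    """Split an Engine ID into (enterprise number, payload kind, payload)."""
    raw = bytes.fromhex(hexstr)
    if not 5 <= len(raw) <= MAX_ENGINE_ID_LEN or not raw[0] & 0x80:
        raise ValueError("not an RFC 3411 Engine ID")
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    fmt, payload = raw[4], raw[5:]
    if fmt == FORMAT_TEXT:
        return enterprise, "text", payload.decode("ascii")
    if fmt == FORMAT_MAC:
        return enterprise, "mac", ":".join(f"{b:02x}" for b in payload)
    return enterprise, f"format {fmt}", payload.hex()


if __name__ == "__main__":
    # The manual's "User defined" example, rebuilt and taken apart again.
    eid = engine_id_from_text("U3qPrisWoDYbBVNsAWluZYGL3M5")
    print(eid)
    print(decode_engine_id(eid))
    print(decode_engine_id("800083130302a92006ef"))  # the manual's "Default" example
```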

Notification

Notification is used for asynchronous notification from a RipEX unit into the SNMP server.

  • Notification mode
    List box {Off; Trap; Inform}, default = “Off”
    Mode of notification; Inform is not supported by SNMPv1

  • Notification version
    List box {v1; v2c; v3}, default = “v2c”
    Notification packets version.

  • Inform repeats
    Number {0 – 10}, default = 3
    Number of repeats used when Inform acknowledge was not received.

  • Inform timeout [s]
    Number {1 – 20}, default 10
    Inform acknowledge timeout.

Notification destinations

  • Destination IP
    IP address {0.0.0.0}, default 0.0.0.0
    IP address of SNMP server receiving notification packets.

  • Destination port
    Number {1 – 65535}, default = 162
    Notification packets destination port.

7.6.5. SW keys

Certain RipEX2 features need to be activated by a SW key to be available. When the respective SW key is not present, the feature cannot be configured. If a feature is enabled in a configuration backup file and the file is loaded into a unit which is not equipped with the respective key, the configuration is refused (no changes are made in the unit).

Here is the list of available SW keys and their assignment to offered SW key packages.

SW key(s) can be obtained from your supplier. It is delivered as a text file containing the key(s). Every SW key is unique for the specific unit (specific serial number). Use Choose File dialog to select the file and Install key button to install the key(s) to unit.

Differences with the previous generation of RipEX:

– SW keys are always installed as a file (there is not a clipboard option)

– Single file can contain multiple SW keys

– SW keys are not time limited

7.6.6. Firmware

Unit firmware defines the unit functionality. There are several principles for managing the firmware in the running network:

  • Maintain the same version of firmware all around the network – preferred scenario. RipEX units are able to cooperate even when running different version of firmware, but using the same firmware version in all units is the best way to keep the network maintenance easy and straightforward.

  • The traditional good-practice says “do not touch the running system” – which means: do not upgrade the firmware if there is no reason to do so.

  • Cyber security issues may force a firmware upgrade, e.g. when a serious security vulnerability has been fixed.

There are 2 stages of the firmware upgrade procedure:

a) Uploading new firmware into the unit internal archive

b) Updating the unit firmware

Both operations can take several tens of seconds.

[Note]Note

The upload of the new FW into the unit may take longer when a slow connection to the file location is used.

[Note]Note

Unit configuration backup is highly recommended after the firmware upgrade. See Section 7.6.2, “Configuration” for details.

To upgrade the firmware:

  1. Optional (recommended): Backup the current unit configuration (menu Settings – Device – Configuration – Back up and download)

  2. Download the required firmware from the Racom web: Products – RipEX – Download – Firmware RipEX2 – ripex2-fw-x.x.x.0.fwp

  3. Click the Choose File button (the button label may differ based on your web browser localization) to select the firmware file

  4. Click the Upload firmware to archive button to transfer the firmware file into the unit. The upload can take a long time, depending on the connection speed between the management PC and the RipEX2 unit. In case of a slow connection and a file transfer longer than 120 s, the web browser will shut down the connection and the action will not finish successfully. This action does not update the running unit firmware yet and does not affect the other communication running through this unit. Successful saving of the new firmware into the archive is announced in the Notifications and the available firmware version is printed under the “Update firmware” heading (on the right side of the “>” mark).

  5. Click the Update firmware button to update (i.e. reinstall) the unit firmware. The update process takes approx. one minute. The user data communication running through this unit is interrupted for a while. All the processes are restarted in a certain moment (e.g. VPN tunnels need to be re-established).

  6. It is possible not only to upgrade the firmware version but also to downgrade it, although this operation is not recommended. Be aware of the potential security issues of a firmware downgrade, as outdated security code can be part of an old firmware. The unit configuration may not be fully compatible; in such a case, parts of the unit configuration will be changed to the default values.

    [Warning]Warning

    Do not shut down the unit during the firmware update process. It may permanently damage the unit.

7.7. Advanced

RipEX 2 introduces a new concept for expert settings and rapid deployment of new features called the “Advanced” section. The Advanced section automatically displays all configuration set points currently present in the device, without the need to design a special configuration page (like the ones in “Settings”). This allows us to deploy new features rapidly with each new firmware and also allows experienced users to fine-tune their RipEX 2.

Please note that RipEX 2 is a very powerful device and the Advanced section really shows all of its parameters.

When you visit the page for the first time, you will see a search field and below a tree of configuration pages.

The search field looks through all labels and the tree itself and shows all relevant configuration pages. It features a so-called “fuzzy” search that returns the right answers even when there is a typo in the search query. Try searching for “Ethernet” or “BGP” to see the feature in action. To use the whole tree again, simply delete the search query.

The configuration tree has two parts. For your convenience, the first few items (Interfaces, Routing, …) use a hierarchy similar to “Settings”, but include all advanced settings. The newest features can then be found in the last item called “General”, which contains all configuration tables there are in the unit.

By selecting a configuration page (marked with a pencil icon), a window containing the set points of the selected configuration page is shown on the right side of the screen. You can change settings and then send them to the device the same way you know from “Settings”.

Please note that RipEX 2 is a very powerful device and it really shows in the Advanced section. Be careful when adjusting settings in the Advanced section and review the “Changes” page in detail before sending changes to the device.