GE MDS ORBIT MCR Technical Manual

Multiservice/edge connect routers
MDS Orbit MCR Multiservice Connect Router
MDS Orbit ECR Edge Connect Router
Including New Features from Firmware Revision 4.6.x
MDS 05-6632A01, Rev. F
May 2016

Summary of Contents for GE MDS ORBIT MCR

  • Page 1 ORBIT MCR™ Multiservice Connect Router ORBIT ECR™ Edge Connect Router MDS 05-6632A01, Rev. F May 2016 Including New Features from Firmware Revision 4.6.x...
  • Page 2 View instructional videos: Orbit™ MCR Learning and Development YouTube Channel Quick-Start instructions for this product are contained in publication 05-6709A01. Visit our website for downloadable copies of all documentation at www.gemds.com.
  • Page 3: Table Of Contents

    Using the ...; 3.4.4 CLI Quick Reference Table ... 53; 3.4.5 Specific Examples Using CLI ... 55; Interface Configuration ... 59; 3.5.1 Serial Interface ... 59; 3.5.2 ... 64; 3.5.3 ... 78 MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 4 3.8.24 VRRP – Virtual Router Redundancy Protocol ... 360; 3.8.25 IP Passthrough ... 362; Public Key and Certificates ... 364; 3.9.1 Certificate Management and 802.1X Authentication ... 364...
  • Page 5 Field Dictionary; Event Encoding & Transport ... 412; 8.3.1 Examples ... 412; 8.3.2 syslog PRIVAL ... 413; 8.3.3 syslog APP-NAME ... 413; 8.3.4 syslog MSG ... 413; Configuring ... 413...
  • Page 6 Mode; 13.2.8 Cisco Switch as Authenticator ... 456; 14.0 Appendix H – Licenses ... 457; 14.1 Open Source License Declaration ... 457; 15.0 Appendix I – Country Specific Information ... 458...
  • Page 7: Copyright And Trademark

    Copyright and Trademark This manual and all software described herein is protected by Copyright: 2016 GE MDS LLC. All rights reserved. GE MDS LLC reserves its right to correct any errors and omissions in this publication. RF Regulatory Information RF Safety Notice (English and French) Concentrated energy from a directional antenna may pose a health hazard to humans.
  • Page 8 This Class A digital apparatus complies with Canadian standard NMB-003. Operational Safety Notices The MDS Orbit MCR may not be used in an environment where radio frequency equipment is prohibited or restricted in its use. This typically includes aircraft, airports, hospitals, and other sensitive electronic areas.
  • Page 9 If you have additional questions or need an exact specification for a product, please contact GE MDS using the information at the back of this guide. In addition, manual updates can be found on our web site at www.gemds.com...
  • Page 10: Safety Regulatory Information – (Region-Specific)

    National Electrical Code. Tampering or replacement with non-factory components may adversely affect the safe use of the transceiver in hazardous locations, and may void the approval. A power connector with screw-type retaining screws as supplied by GE MDS must be used.
  • Page 11 - EN 301 489-17: V2.2.1 - EN 301 489-24: V1.5.1 - EN 301 511: V9.0.2 - EN 301 908-1: V5.2.1 - EN 301 908-2: V5.2.1 ATEX Special Conditions for Safe Use as per SIRA 14ATEX4119X:...
  • Page 12 The USB connection shall only be used in an unclassified (non-hazardous) area. • The SIM card shall be connected / disconnected only in a non-hazardous area or when the device is not energized...
  • Page 13: Product Country Certification Information – (Non-Na/Eu)

    This device complies with radio-frequency exposure guidelines when positioned at least 20 centimeters from the body. For more information, see the ANATEL website – www.anatel.gov.br Japan Mexico • IFT number [IFT] = RTIGEGE14-0827-A1...
  • Page 14 2. this equipment or device must accept any interference, including interference that may cause undesired operation. New Zealand Philippines Conformity Number: ESD-GEC-1402584 South Africa • Registered number = ER0133084/14 • Dealer number = DA0132013/14 ECR Selected Country Certification Information...
  • Page 16: Product Overview And Applications

    It serves the need for localized WiFi communications with a cellular back-up or backhaul option, while providing the extended temperature range and industrial-grade packaging inherent to GE MDS products. These features allow the best use of communication options at each installation site.
  • Page 17: Thi Manual

    The label on the bottom of the unit identifies the radio model as GE MDS MCR. It includes the device serial number and agency/regulatory identifications, including IDs for applicable embedded modules. See “Agency/Regulatory Approvals” on Page 385 for more information.
  • Page 18 The LAN port should be assigned IP addresses only if it is a routed interface (that is, not in a bridge). NOTE The software commands and responses shown in this manual were obtained from a unit operating in a lab environment. The information displayed may differ from field service conditions...
  • Page 19: Interface Cards (NICs)

    Do not use the USB port in hazardous locations. • Network Management System—Orbit MCR is supported by GE MDS PulseNET, a Network Management System (NMS), providing monitoring of small and large scale deployment of all GE MDS devices...
  • Page 20: Z U Nlicensed

    Key Benefits • Multiple data rates to meet application range and link budget: 125 kbps, 250 kbps, 500 kbps, 1000 kbps, 1250 kbps • Up to 60 miles LOS (Line of Sight)...
  • Page 21: Narrowband

    Low latency and robust proprietary Media Access Control specifically designed for narrowband communications • High Reliability - Error detection and re-transmit on error for Unicast traffic - Multiple Forward Error Correction (FEC) modes including adaptive FEC...
  • Page 22: Applications

    2.5 MCR and ECR Connectors and Indicators Figure 2-2 shows the unit’s front panel connectors and indicators. These items are referenced in the text that follows. The unit’s LED Indicator Panel is described in Table 2-5...
  • Page 23 Binding Screws (2) Retaining Screws (2) Wire Ports (2) (Polarity: Left +, Right –) Figure 2-4. DC Power Connector (P/N 73-1194A39)...
  • Page 24 DTE serial device supporting RS-232 or RS-485. If necessary, an adapter may be used to convert the unit’s RJ-45 serial jack to a DB-9F type (GE MDS 73-2434A12). NOTE Not all PCs include a serial port. If one is not available, the unit’s USB port may be used to access the device management interface.
  • Page 25 Connects to ground (negative supply potential) on chassis RXD (Received Data)—Supplies received data to the connected device TXD (Transmitted Data)—Accepts TX data from the connected device CTS (Clear to Send) RTS (Request to Send)...
  • Page 26 - Connect pin 7 (TXD-) to RXD- of connected device - Connect pin 8 (RXD-) to TXD- of connected device Figure 2-5 illustrates the 2-wire and 4-wire connections described above. Figure 2-5. EIA-485 4-Wire/2-Wire Connections...
  • Page 27 NOTE GE MDS part number 73-2434A25 provides a custom RJ45 to DB9 Adapter for use with the Orbit MCR and other GE MDS products. The chart below provides details for connections made using this adapter. WIRING CHART RJ-45 PIN FUNCTION DB9 PIN LED Status Indicators—The LEDs on the unit provide visual indications of the status of the device as...
  • Page 28: Grounding Considerations

    Normally, the unit is adequately grounded if mounted with the flat brackets to a well-grounded metal surface. If the unit is not mounted to a grounded surface, it is recommended that a safety ground wire be...
  • Page 29: Mounting Options

    Figure 2-7. MCR Flat Mounting Bracket Dimensions (drawing callouts: 6-32 Screw (6X), Tap in Enclosure; 2.65", 4.81", 2.75" (2X), 1.5" (2X), .75" (2X), 8.0", 8.5", 9.25")
  • Page 30: Din Rail Mounting

    The integrated bracket on the unit’s case allows for quick installation and removal from a DIN mounting rail as shown in Figure 2-9. Figure 2-9. DIN Rail Attachment and Removal (Pull down tab to release from rail)...
  • Page 31 To connect an external WiFi antenna, 97-4278A48, a Reverse SMA to N-Female cable and antenna mount is required. These are not sold from GE MDS but are available from many retailers. 900 MHz ISM Antennas —Antenna connection is a TNC connector. Multiple options are available for this unlicensed operation.
  • Page 32 LTE antennas (GE MDS PN: 97-2485A05) on the Main and AUX Cell ports, with cabled use of the External Wi-Fi antenna (GE MDS PN: 97-4278A48) is a good solution. This configuration requires a suitable metallic ground plane for the Cellular antennas (8"...
  • Page 33 TNC coaxial connector. A directional Yagi (Figure 2-12) or corner reflector antenna is generally used at remote sites to minimize interference to and from other users. Antennas of this type are available from several manufacturers, including GE MDS. Contact your sales representative for details. Figure 2-12. Typical Yagi Antenna (mounted to mast) Feedlines: Selection of an antenna feedline is very important.
  • Page 34: Accessories And Spares

    4.00 dB Accessories and Spares The table below lists common accessories and spare items for use with the MCR. GE MDS also offers an Accessories Selection Guide listing an array of additional items that may be used with the product.
  • Page 36: Device Management

    (For security, a new password should be established as soon as possible after login.) Figure 3-1. PC Connection for Web Management Use of a modern browser is highly recommended...
  • Page 37 When finished, log out of the Device Manager by clicking Logout in the upper right hand side of the screen...
  • Page 38 For initial configuration, the Setup Wizard will appear and provide guidance in typical setups. This will be disabled after initial setup is completed, but may be re-run at any time from the Wizards page. Figure 3-4. Initial Setup Wizard Starting Page...
  • Page 39: "Recovery" Passwords

    The MDS Orbit platform employs extensive security measures to prevent unauthorized access. As such, there are no hidden manufacturer passwords or other “back doors” found in less secure products. If a...
  • Page 40 Logging in with a one-time password can only be performed from the local serial or USB console. You cannot use a one-time password when connecting to the unit remotely. To use the one-time password for log-in, proceed as follows: At the username prompt, enter the word recovery...
  • Page 41 Troubleshooting ---> Status / Recovery Information / Passwords Figure 3-8. One-Time Password Display Screen To edit or delete (revoke) a One-Time Password, navigate to: Troubleshooting ---> Actions / One Time Passwords...
  • Page 42: Default Passwords

    “Change Password” Screen shown below located at: User Authentication ---> Actions / Change Passwords Figure 3-10. Change User Password Screen This feature is also a part of the Initial Setup Wizard, as shown in the Figure below...
  • Page 43: Review

    Cellular Security – Utilize IPSec VPN to secure end-to-end cellular link over public cellular networks. WiFi Security – Secure Wi-Fi link with pre-shared key or EAP-TLS/RADIUS using certificates. NX915 Security – Secure 900 MHz link with pre-shared key or EAP-TLS/RADIUS using certificates...
  • Page 44: Settings

    3.2 Preconfigured Settings The GE MDS factory configuration establishes typical settings based on the types of modules ordered. The intent is to provide as much out-of-box functionality as possible. For example, in WiFi/Cell configurations, the unit is configured as a WiFi hotspot.
  • Page 45: Device Manager

    ... Server | 3.7.1 - Date, Time and NTP | Note - this is part of the Initial Setup Wizard; Set Geographic Location (if desired) | 3.7.2 - Geographical-location | Note - this is part of the Initial Setup Wizard...
  • Page 46 Licensed Narrowband operation (if present) | 3.5.5 - Licensed Narrowband (LN) | LNxxx hardware modules provide operation in various global frequencies from 400 MHz to 960 MHz. User configuration is required to match conditions of license...
  • Page 47 ... address | Set ipv4 address 192.168.1.21, Set prefix-length 24; Configure DHCP Server | 3.8.13 - DHCP Service | Set v4subnet 192.168.1.0/24, Set domain-name gemds, Set range-start 192.168.1.10, Set range-end 192.168.1.19, Set router 192.168.1.1, Set broadcast-address 192.168.1.255...
  • Page 48 ... bridge traffic from ETH1 and WiFi | 3.8.5 - Bridging | Add ETH1 and WiFi to the bridge; Orbit MCR #2: Set bridge IP address | 3.8.5 - Bridging | Set to 192.168.1.22 prefix-length 24...
  • Page 49 Orbit MCR #2: Set bridge IP address | 3.8.5 - Bridging | Set to 192.168.1.22 prefix-length 24; Set up Terminal Server COM1 | 3.8.14 - Terminal Service | Set mode udp port 30000, remote addr: 192.168.1.11 port 30001...
  • Page 50 ... IN_UNTRUSTED and OUT_UNTRUSTED filters to Cell interface | Set Cell output filter to OUT_UNTRUSTED; Set NAT on Cell interface to masquerade | 3.8.9 - Source NAT (Masquerading) | Set cell NAT source to MASQ...
  • Page 51: Interface

    Double check to be sure they are correct. An adapter may be used to convert the unit’s RJ-45 serial jack to a DB-9F type (GE MDS part no. 73-2434A12). If no serial port exists on the PC, a Mini-USB cable may be connected between the MCR’s USB device port and the PC.
  • Page 52 CLI shows all possible commands that can be typed. Creating a One-Time Password To create a one-time recovery password, proceed as follows: • Upon successful log-in, enter the following command: > request system recovery one-time-passwords create function <selected function>...
  • Page 53: Reference Table

    > show configuration interfaces interface NxRadio nx-config (View NxRadio Settings) > show interfaces-state interface NxRadio nx-status | repeat 5 (Monitor NxRadio Status) > show configuration interfaces interface Wi-Fi wifi-config (View WiFi Settings)...
  • Page 54 > request system configuration-files export filename myConfig.xml manual-file-server { tftp { address 192.168.1.10 } } (Export configuration file to a TFTP server at 192.168.1.10) > request system power restart inactive (Reboot device to firmware inactive image)...
  • Page 55: Examples Using CLI

    Bridge myssid % set interfaces interface Bridge ipv4 address 192.168.1.21 prefix-length 24 % set services dhcp enabled true v4subnet 192.168.1.0/24 domain-name gemds range-start 192.168.1.10 range-end 192.168.1.19 router 192.168.1.1 broadcast-address 192.168.1.255...
  • Page 56 Bridge % set interfaces interface Bridge bridge-settings members port ETH1 % set interfaces interface Bridge bridge-settings members wifi-station interface Wi-Fi % set interfaces interface Bridge ipv4 address 192.168.1.22 prefix-length 24...
  • Page 57 Bridge Wi-Fi % set interfaces interface Bridge ipv4 address 192.168.1.22 prefix-length 24 % set services serial terminal-server server COM1 mode udp port 30000 remote address 192.168.1.11 port 30001...
  • Page 58 % set interfaces interface Cell type cell enabled true % set interfaces interface Cell filter input IN_UNTRUSTED % set interfaces interface Cell filter output OUT_UNTRUSTED % set interfaces interface Cell nat source MASQ...
  • Page 59: Interface Configuration

    USB-to-USB cable may also be used to connect to a Computer in case no serial port exists. If a mini-USB connection is used, the computer must contain the appropriate device driver. A driver for serial operation can be found on the GE MDS website. Configuring The screens below show console access to the COM1 serial and USB port: Navigate to: Serial --->...
  • Page 60 Capability – Describes the capabilities of the serial port. (Read Only) For example, in the above figure the COM1 port is capable of operating in RS232 or RS485 mode. - Rs 485 2 Wire - Rs 485 4 Wire Click on the USB1 to get:...
  • Page 61 • VMIN > 0; VTIME == 0: The terminal server waits to process data until at least VMIN bytes of serial data are received...
  • Page 62 Cts Hold - The CTS hold parameter is applicable only when h/w device mode = CTSKEY or CTSKEYPLUS. This parameter specifies the time (in milliseconds) to hold CTS up after data is transmitted...
  • Page 63 % set services serial ports COM1 hw-flow-control true hw-device-mode CTSKEY cts-delay 90 cts-hold 40 % commit Monitoring From the Web UI, the Serial Ports screen shows the settings: Navigate to: Serial ---> Basic Config / Ports...
  • Page 64 Orbit MCR product family is available with the following cellular modem options: • Verizon Wireless 4G LTE modem • 3G GSM/UMTS/HSPA+ modem • 4G LTE GSM (EMEA/APAC) • 4G LTE GSM (North America)...
  • Page 65 27 dB of isolation from each other to ensure optimal operation of the cellular modem. For Antenna Installation assistance, see “Antenna Planning and Installation” on Page 31 or contact your local GE MDS representative. See the below table for approved Antenna Types.
  • Page 66 In the UI, start on the following page: Interfaces / Cell ---> Basic Config / Cellular Figure 3-23. Connection and Connection Profile Switching UI Screen...
  • Page 67 Each Connection Profile has grouped information that contains specific information to be selected. The choices are described below: • Network Configuration - contains various parameters related to how the modem registers with the cellular network...
  • Page 68 PAP/CHAP) to be specified. The user does not need to configure the MCR with 4G LTE modem with these parameters. The user may need to configure MCR with 3G GSM modem parameters, depending on the cellular network...
  • Page 69 Orbit MCR units equipped with cell may have one or two SIM slots: SIM-A and SIM-B. DEFAULT - SIM-A. The slots are located on the outside of the case, on the front panel. If...
  • Page 70 % set interfaces interface Cell cell-config connection-profile CARRIER_A bearer-config apn carrierA.apn % set interfaces interface Cell cell-config connection-profile CARRIER_A sim-slot SIM-A • Configure a profile for carrier B to use SIM-B:...
  • Page 71 If Index - The ifIndex value for the ifEntry represented by this interface. Valid values: 1—2147483647 • Phys Address - The interface's address at its protocol sub-layer. For example, for an 802.x interface, this object normally contains a MAC address...
  • Page 72 • Out Discards - The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted...
  • Page 73 Modem Type - This parameter identifies the type of modem inside the unit. • Rssi - Received signal strength indicator (dBm) of cellular modem. Monitoring via the CLI Ensure the CLI is in Operational mode...
  • Page 74 > show interfaces-state interface Cell statistics statistics discontinuity-time 2013-01-01T02:16:01+00:00 statistics in-octets 1218 statistics in-unicast-pkts 18 statistics in-multicast-pkts 0 statistics in-discards 0 statistics in-errors 0 statistics out-octets 774 statistics out-unicast-pkts 14 statistics out-discards 0 statistics out-errors 0...
  • Page 75 The cell modem has its own set of firmware supplied by the wireless carrier. Occasionally new versions of this firmware become available. The user has the option to upgrade the cell modem firmware if they wish to do so. GE posts new cell firmware at: http://www.gegridsolutions.com/communications/mds/software.asp?directory=Orbit_MCR/Cell ...
  • Page 76 File Path - For FTP, TFTP, and SFTP, the path to the source file on the remote server • User Name - For FTP and SFTP, the user name on the remote server...
  • Page 77 Current State – The status of the reprogramming task: inactive, transfering, processing, cancelling, complete, failure, cancelled • Detailed Message – The details regarding the operation, such as “Processing cellular modem firmware image”...
  • Page 78: Wifi

    The WiFi module can be configured to operate as an 802.11b/g/n Access Point or Station. The specifications for the WiFi module are covered in “LN400 – 101D-LN400 LN900 – 101D-LN900 2.4 GHz WiFi Specifications” on Page 385. The table below contains the list of GE MDS approved antennas. Table 3-6. Approved Cell Antenna Types...
  • Page 79 Station Mode No connection Solid Green Wi-Fi connection established. Configuring Configuring the WiFi begins with the following UI: Navigate to: Interfaces / Wi-Fi ---> Basic Config / Wi-Fi / Wifi Config...
  • Page 80 AP. The parameters are: • Channel – IEEE 802.11 channel number to operate on. Valid values 1-11, DEFAULT - 6. • Operation Mode - IEEE 802.11 mode to operate in...
  • Page 81 Station Timeout – The number of seconds a station may be inactive before the access point will verify that the station is still within range. Valid values: 1-300 (300 = DEFAULT)...
  • Page 82 Point. The first SSID should be reserved for high throughput data paths. The second SSID is intended to support auxiliary applications such as a dedicated management connection or guest LAN access. The following example demonstrates having a second Wi-Fi AP with the SSID:...
  • Page 83 SSID of the AP to have the station associate to it. Then, click on the ADD button to enter additional details about the Wi-Fi AP. In the following example, the SSID of SOMESSID is used...
  • Page 84 Psk – The Preshared Key 8 to 64 characters, DEFAULT = <blank>. NOTE Remember to click on the Save button when finished. Monitoring: General WiFi status information The following UI screens are read-only. Navigate to: Interfaces / Wi-Fi ---> Status / General...
  • Page 85 • In Unicast Pkts - The number of packets, delivered by this sub-layer to a higher (sub-) layer, which were not addressed to a multicast or broadcast address at this sub-layer...
  • Page 86 • Channel – IEEE 802.11 channel number to operate on. Valid values 1-11. • Ap Status - link to information regarding the Ap linked to this station - as shown below...
  • Page 87 • Authenticated – indicates the client is valid to connect - True/False • Authorized – indicates the client has valid logon credentials - True/False • Inactive – milliseconds since last packet...
  • Page 88 % show interfaces interface Wi-Fi wifi-config | details mode access-point; tx-power 15; ap-config { ap somessid { broadcast-ssid false; station-max station-timeout 300; beacon-interval 100; privacy-mode wpa2-personal;...
  • Page 89 % set interfaces interface Wi-Fi wifi-config ap-config operation-mode 80211n channel 3 ap somessid broadcast-ssid true privacy-mode wpa2-personal psk-config psk somepassphrase encryption ccmp-tkip % show interfaces interface Wi-Fi wifi-config | details mode access-point;...
  • Page 90 15; ap-config { ap somessid { broadcast-ssid true; station-max station-timeout 300; beacon-interval 100; privacy-mode wpa2-personal; psk-config { encryption ccmp-tkip; key-mgmt wpa-psk; somepassphrase; vlan-mode none; ap somessid2 { broadcast-ssid true; station-max...
  • Page 91 % show interfaces interface Wi-Fi | details enabled true; wifi-config { mode station; tx-power 15; station-config { ap somessid { enabled true; privacy-mode wpa2-personal; psk-config { encryption ccmp; key-mgmt wpa-psk; somepassphrase; type wifi;...
  • Page 92 4 wifi-status station-status ssid somessid wifi-status station-status bssid 00:19:70:2c:40:3f wifi-status station-status rssi -58 wifi-status station-status authenticated true wifi-status station-status authorized true wifi-status station-status inactive 29270 wifi-status station-status rxbytes 27119...
  • Page 93 Transmission System) and hybrid FHSS/DTS technologies to provide dependable wireless communications. The GE MDS NX915 NIC module is a point-to-multipoint, medium speed, long range (>20 miles), spread-spectrum, wireless data transmission product. It operates as a Frequency-Hopping Spread Spectrum (FHSS) or a Digital Transmission System (DTS) in the 902 to 928 MHz license-free ISM band.
  • Page 94 Yagi 3 Element N-Female - no cable 97-3194A13 (NX915) (8.55 dBi) 6.4 dBd Yagi 3 Element N-Female – with 10’ 900 MHz Outdoor 902-960MHz 97-3194A13A (NX915) Jumper N-M and Mount (8.55 dBi)...
  • Page 95 Dwell time determines how frequently the radio switches channels. Longer dwell times are more efficient for data transport and provide higher throughput; but smaller dwell times provide faster synchronization and are more robust in weak signal environments or in the presence of interferers...
  • Page 96 - In general the lower the LQI the better the quality. - LQI should be used as a "relative" measurement. Precision is fairly loose and subject to variation from radio to radio and modulation format...
  • Page 97 DTS operation. When a remote’s RSSI is stronger than the ADR threshold it will attempt to transmit with a faster modem. The downstream traffic is only sent at the lower data rate, either 125 kbps or 500 kbps depending on the mode...
  • Page 98 Navigate to: Interfaces / NxRadio ---> Basic Config / Nx Radio Figure 3-42. ISM 900 (NX) Configuration Settings • Modem Mode - Controls the target throughput of the radio and attached remotes 125kbps - Theoretical throughput of 125 kbps...
  • Page 99 This can take a significant amount of time to sync and begin to pass data. NOTE Remember to click on the Save button when finished. Figure 3-43. ISM 900 (NX) EAP Security Settings...
  • Page 100 Valid values: 0 – Rekeying will not be time-based, but will instead occur every one million packets. 30-525600 minutes, DEFAULT 180...
  • Page 101 8 MHz on the lower portion of the band from 902-910 MHz. To block a single channel enter a value like “915.615-915.615”. This ensures blocking the specified frequency but depending on hop settings, may block other channels as well...
  • Page 102 3.1.0 and later, and a less strong key when talking to units with firmware earlier than 3.1.0. DEFAULT 2.0. For more information, refer to Product Bulletin PB15001_A, MCR-900 Encryption Issue Resolution, available at http://www.gemds.com...
  • Page 103 Figure 3-47. ISM 900 (NX) Remote Configuration  Modem Mode - Controls the target throughput of the radio. 125kbps - Theoretical throughput of 125 kbps 250kbps - Theoretical throughput of 250 kbps MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 104 MODBUS polling. This setting must match on each radio (Remote and AP).  Power - The transmit power of the radio. Valid values are: 20—30 dBm –DEFAULT =30dBm Figure 3-48. ISM 900 (NX) Remote EAP Security Configuration MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 105 Certificate ID, Key ID, CA Certificate ID – Reference to the remotes certificate material loaded through the Certificate Management side menu (section 3.9). Figure 3-50. ISM 900 (NX) Remote Advanced Configuration MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 106 Basic configuration with defaults The advanced configuration on an NX915 module operating as a Store-and-Forward device, shares the same configuration as a Remote. Interfaces / NxRadio ---> Basic Config / Nx Radio MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 107 This feature compresses IP headers to improve system performance, and is most useful in applications that rely on IP packets with small payloads, such as terminal server operations or MODBUS polling. This setting must match on each radio (Remote and AP). MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 108 Passphrase - The passphrase used in PSK mode, 8 to 64 letters. • Certificate ID, Key ID, CA Certificate ID – Reference to the remote's certificate material loaded through the Certificate Management side menu (section 3.9).
  • Page 109 Data Retries - Number of times to retry unicast data before declaring NACK. Valid values: 0—15, DEFAULT = 3.  NIC ID – ADVANCED SETTING - DO NOT CHANGE - Manual overrides of the NIC identifier. MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 110 Admin Status - The desired state of the interface.  Oper Status - The current operational state of the interface.  If Index - The ifIndex value for the ifEntry represented by this interface. Valid values are: 1—2147483647 MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 111 Out Unicast Pkts - The total number of packets that higher-level protocols requested be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent. MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 112 1000kbps - Theoretical throughput of 1000 kbps with narrow bandwidth 1000Wkbps - Theoretical throughput of 1000 kbps with higher sensitivity 1250kbps - Theoretical throughput of 1250 kbps  Alarms - The current NIC alarms: frequency-not-programmed authorization-fault MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 113 Hardware Revision - The Hardware Revision.  Temperature - The transceiver temperature in degrees C. Remote’s AP Info (Remote and Store-And-Forward Mode ONLY): Figure 3-58. ISM 900 (NX) S&F AP Information MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 114 In AP mode the “Connected Remotes” and “Endpoints” information will be displayed in addition to the Active Channel. NOTE Clicking on the mac address in either connected remotes or endpoints will bring up more stats. MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 115 MyNetwork % show interfaces interface NxRadio nx-config | details modem-mode 500kbps; device-mode access-point; network-name MyNetwork; data-compression none; header compression false; power dwell-time beacon-interval 150; hop-set security { security-mode none; encryption none; MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 116 { lna-state high-sensitivity; stale-packet-timeout 1500; propagation-delay 40miles; mcast-repeat data-retries fragment-threshold remote-age-time 600; endpoint-age-time 300; allow-retransmit true; arp-cache false; adr-mode none; adr-threshold -70; encryption-protocol 2.0; MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 117 75 advanced-config propagation-delay 60miles data-retries 0 mcast-repeat 0 lna-state high-immunity fragment-threshold 50 stale-packet-timeout 1250 avoided-frequencies 915- % show interfaces interface NxRadio nx-config | details modem-mode 500kbps; device-mode access-point; network-name MyNetwork; MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 118 % show interfaces interface NxRadio nx-config | details modem-mode 500kbps; device-mode remote; network-name MyNetwork; data-compression none; header-compression false; power security { security-mode none; encryption none; advanced-config { lna-state high-sensitivity; stale-packet-timeout 1500; data-retries nic-id gateway-id arp-cache false; adr-mode none; MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 119 CACert key-id DevicePrivKey cert-id DevicePubCert % show interfaces interface NxRadio nx-config | details modem-mode 500kbps; device-mode remote; network-name MyNetwork; data-compression lzo; header-compression false; power security { security-mode eap; encryption aes128-ccm; eap-mode eap-tls; MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 120 500kbps; device-mode store-and-forward; network-name MyNetwork; data-compression none; header-compression false; power security { security-mode none; encryption none; advanced-config { lna-state high-sensitivity; stale-packet-timeout 1500; propagation-delay 40miles; mcast-repeat data-retries fragment-threshold remote-age-time 600; endpoint-age-time 300; MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 121 NIC AVG AVG TX ADDRESS IP ADDRESS LIVE STATUS RSSI LQI PACKETS BYTES PACKETS BYTES ERROR ERROR DROP DROP ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 00:06:3d:07:3e:3a 10.15.65.184 associated 1 22933 00:06:3d:07:67:f9 10.15.65.182 associated 2 1597 285716 2431 2444359 0 MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 122 49 nx-status ap-info ap-address 00:06:3d:09:06:01 nx-status ap-info ip-address 10.15.65.146 nx-status ap-info connected-time 0 nx-status ap-info avg-rssi -70 nx-status ap-info avg-lqi 7 nx-status mac-stats tx-success 19083 nx-status mac-stats tx-fail 0 MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 123 -70 7 918.382500 -70 6 919.305000 -69 7 920.227500 -68 12 921.150000 -70 7 922.072500 -70 7 922.995000 -70 7 923.917500 -72 7 924.840000 -72 7 925.762500 -72 6 926.685000 -72 7 MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 124 Power Output: 20 dBm to 40 dBm peak power in 1.0 dBm steps (DEFAULT = 40 dBm)  Output Impedance: 50 Ohms  Antenna Connector: TNC female  Modulation Type: QPSK, 16QAM, 64QAM  FEC: Convolutional and Reed Solomon  Data Rates: 20kbps - 120kbps MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 125 These settings can NOT be changed or modified by the user. See the table above: Table 3-16. Country Limitations Example Country Limitation Prohibit LN400 25KHz operation using 20ksps (Except at 450 MHz – 470 MHz) Table 3-17. LNxxx Interface LED Descriptions MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 126 This rotation is logged in the event log with event type nx_auth. These events can be suppressed in the event log configuration to prevent them from filling the event log. See section 3.6.2 for instruction on controlling the event log. MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 127 MODBUS polling. This setting must match on each radio (Remote and AP).  Power - The transmit power of the radio: Valid values: 20 - 40 dBm – DEFAULT is 40dBm MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 128 Low Gain – Provides better sensitivity, while still offering good throughput. Adaptive – Provides the best sensitivity and standard throughput. Adaptive on a per-packet basis. NOTE It is critical to have FEC set identically on the AP and all Remotes.
  • Page 129 - Use Encapsulated Authentication Protocol - will change the fields displayed and give the user the ability to enter radius info on the AP and certificate info on the remote. MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 130 0 – Rekeying will not be time-based, but will instead occur every one million packets. 30-525600 minutes, DEFAULT 180. NOTE Remember to click on the Save button when finished. Advanced Configuration Figure 3-65. Licensed Narrowband AP Advanced Settings MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 131  QAM 64 Threshold – When the radio is using automatic modulation, it will automatically switch to QAM 64 modulation when the averaged calculated RSSI value drops below this MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 132 Phys Address- The interface's address at its protocol sub-layer. For a LN module, this object normally contains a MAC address. Statistics - A collection of interface-related statistics objects. Figure 3-68. Licensed Narrowband (LN) Statistics MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 133 General Init Status - State of the NIC Initialization Off - Not operating Initializing - Powering on the NIC Discovering - Determining the NIC address Reprogramming - Programming the NIC firmware MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 134 Current Device Mode – Read-only display of the active mode the LnRadio is operating.  Alarms - The current NIC alarms: synthesizer-out-of-lock: Synthesizer is out of lock. Call GE MDS tech support for assistance. radio-not-calibrated: Radio was not calibrated. Call GE MDS tech support for assistance.
  • Page 135 Highlighting a MAC address of a Connected Remote and clicking Remote Web Connect will open a remote web UI session to the selected remote. See Section 3.8.16, Remote Management Service, for more information. Figure 3-71. Licensed Narrowband (LN) AP Connection Status MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 136 EVM - The Error Vector Magnitude measured at the time of the last received packet. For more information, refer to Important Notes and Information Regarding EVM. • Rx Modulation - The modulation measured at the time of the last received packet.
  • Page 137 On the next page, the example will display how to configure the LN module as an access point with the network name of ‘MyNetwork’ and default settings. For this example we assume a transmit frequency of MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 138 % set interfaces interface LnRadio ln-config security encryption aes256-ccm security-mode psk passphrase mypassphrase % show interfaces interface LnRadio ln-config | details radio-mode standard; device-mode access-point; network-name MyNetwork; data-compression lzo; header-compression true; power tx-frequency 451.4; rx-frequency 456.4; channel 12.5KHz-9.6ksps; MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 139 456.4; channel 12.5KHz-9.6ksps; modulation automatic; false; security { security-mode eap; encryption aes256-ccm; radius-server RADIUS_SERVER; advanced-config { data-retries packet-ttl 600; remote-age-time 600; endpoint-age-time 300; allow-retransmit true; arp-cache false; qam16-threshold -85; qam64-threshold -70; MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 140 % set interfaces interface LnRadio ln-config security encryption aes256-ccm security-mode psk passphrase mypassphrase % show interfaces interface LnRadio ln-config | details radio-mode standard; device-mode remote; network-name MyNetwork; data-compression lzo; header-compression true; power tx-frequency 456.4; rx-frequency 451.4; MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 141 451.4; channel 12.5KHz-9.6ksps; modulation automatic; false; security { security-mode eap; encryption aes128-ccm; eap-mode eap-tls; pki { cert-id DevicePubCert; key-id DevicePrivKey; ca-cert-id CACert; advanced-config { data-retries nic-id inactivity-timeout 600; remote-age-time 600; MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 142 767 link-status associated rssi rx-modulation qam64 device-stats tx-packets 730 device-stats tx-bytes 108661 device-stats rx-packets 721 device-stats rx-bytes 215575 device-stats tx-error 10 device-stats rx-error 0 device-stats tx-drop 0 device-stats rx-drop 0 nic-id MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 143 -68 ln-status last-rx-packet last-evm 0 ln-status hardware-info serial-number 2661832 ln-status hardware-info hardware-id 0 ln-status hardware-info hardware-revision 0 ln-status test test-mode-time 0 ln-status test test-state stop MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 144 > request interfaces-state interface LnRadio ln-status test-mode state receive time 5 To exit Test Mode: > request interfaces-state interface LnRadio ln-status test-mode state stop To display the current test state: > show interfaces-state interface LnRadio ln-status test MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 146 The device also supports external logging using Syslog or NETCONF, as described below. Administrators can override the default event handling of the unit.
  • Page 147 Logs are stored in the Event Log, which may be viewed on the Web UI by navigating to Logging ---> Status and scrolling down to Event Log section, as shown in the following example. MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 148 Click on Add… and the Event Rules Details option will appear. Click on the button to the right of the Name field to locate the event rule to configure. This will automatically bring up the popup shown on the previous page. MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 149 Clicking on the add button will display the Event Rule Details option. Clicking the Finish button will add the event rule. From the CLI this modification can be made with the commands: % set logging event-rule cell_disconnected local true % set logging event-rule cell_connected local true
  • Page 150 “high” state. Refer to Section 2.5 for further details. Alarms have factory default settings that control the timing of the alarm outputs in terms of period and duration. These values can be overridden to adjust for local requirements.
  • Page 151 The following example shows how to have the device generate an exportable event log and download that log to a local file through the web browser. Navigate to Logging ---> Actions / Export Event Log Click on the Begin Generating button once the file destination is configured. MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 152 Exporting button. The current status of the export process is displayed on the web page. Note that the web page does not display the current status if the device has not been instructed to export an event log (in other words, if the state is “inactive”). MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 153 Iperf is an open source network testing tool that measures throughput by sending and receiving data streams. Typically, a remote host acts as an iperf client, sending data streams to an endpoint, which acts as an iperf server. MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 154 Currently, the iperf service runs v2.0.5 and is hardcoded to act only as a TCP server listening on port 5001. Configuring The following shows how to enable the iperf service – Services / Iperf Server ---> Basic Config: Figure 3-77. Iperf Enable Screen
  • Page 155 Rolling back to these snapshots will modify configuration, but does not modify passwords. Use the table below as a quick reference to the capabilities of each type of snapshot. Snapshot type User can modify? Resets passwords? Factory Auto User MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 156 User snapshots do not restore passwords. You can also specify a default user snapshot. The system may use the default user snapshot as a recovery point in the event that the unit fails to boot properly. MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 157 Default - Set the default user snapshot used in error recovery. Optional. Delete Snapshot  Identifier – The user snapshot to delete. Once a snapshot is deleted, it cannot be recovered. MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 158 You can rollback to one of the unit’s snapshots in either operational or configuration mode. Use the following command to rollback the unit to the configuration stored in the Auto snapshot, and reboot to the current active image. MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 159 Auto description "Automatic snapshot for 4.0.8" date 2016-01-13T17:20:54+00:00 version 4.0.8 hash 0xa13ceb2d5d267341d5067d975e39131e user-default false system recovery snapshots Snapshot1 description "Example snapshot" date 2016-01-13T19:53:44+00:00 version 4.5.5 hash 0x579b9fa00303ceb9eeb3981cc429d31b user-default true MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 160 To start the support package bundle generation from the CLI, enter the following command to upload the bundle to an external TFTP server: > request system support-package generate filename debug-2016-02-04.tgz manual-file-server { tftp { address 192.168.1.10 } }
  • Page 161 To view the status of the process in the CLI, ensure the CLI is in operational mode and then follow the example below: > show system support-package generate-status system support-package generate-status state complete system support-package generate-status detailed-message “Successfully exported support package” system support-package generate-status size 2245680 system support-package generate-status bytes-transferred 2245680 MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 162 (using the calendar) , time (using the slider shown below) and timezone (offset from GMT) - Navigate to System / Time ---> Actions / Set Current Datetime: Figure 3-83. Set DateTime Screen For setting the time use the sliders; Figure 3-84. Set Date and Time Sliders Screen MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 163 Enable NTP or SNTP by clicking the Use NTP checkbox. Click on the Mode option to choose which type of time server desired; NTP or SNTP and then add a server configuration by clicking the Add button: MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 164 % set system ntp use-ntp true mode ntp ntp-server time.nist.gov To configure a SNTP server from the CLI, use the following command as an example; % set system ntp use-ntp true mode sntp ntp-server server-address MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 165 They can also be manually disabled. When local user management is being used, passwords are stored in non-volatile memory using PKCS#5 based encryption. User authentication is performed using either locally stored passwords or RADIUS. MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 166 Start by viewing the current users at System / User Authentication ---> Status • Group Memberships - A list of groups the current user is a member of. To configure the password options navigate to the Basic Config tab.
  • Page 167 Minimum Length - The minimum number of characters that must be in a password. DEFAULT= 8  Minimum Lower Case Letters - The minimum number of lower-case letters ([a-z]) that must be in a password. DEFAULT 1 read-write uint16 1 No MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 168 {nothing}” Each portion is adjustable to tailor the search. For example to find all web_login events set up the filter as shown. Results of the search may resemble the following: MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 169 If more than one RADIUS server is configured, then the unit will attempt each RADIUS server in the order that they appear in the configuration until a successful response is received. A RADIUS server must be configured to provide the user’s authentication group in its authentication reply via a GE MDS vendor attribute.
  • Page 170  Timeout - The number of seconds the device will wait for a response from a RADIUS server before trying with a different server. Default = 5 - max value 255. MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 171 1812; shared-secret abcd1234; user-authentication-type radius-CHAP; nas-address 192.168.1.100; 3.7.5 Firmware Management Understanding GE periodically releases new Orbit MCR/ECR device firmware to provide new features and important updates. Firmware is provided at: http://www.gegridsolutions.com/Communications/MDS/software.asp?directory=Orbit_MCR MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 172 Therefore it is necessary to have the GE MDS public certificate loaded into the device to reprogram the firmware.
  • Page 173 UI and not through the CLI  Local File - For a local file, the file to upload as chosen by the file dialog popped up by the Select File... button MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 174 (in other words, if the state is “inactive”). Figure 3-88. Reprogram Inactive Image Monitoring The reprogramming status contains the following items:  Current State – The status of the reprogramming task: inactive transfering processing MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 175 Note that the web page does not display the current status if the device has not been instructed to verify a firmware image (in other words, if the state is “inactive”). MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 176 100 Configuring - Copy To copy the active firmware image to the inactive firmware image, navigate to the Copy Image section and click on the Begin Copying button to begin. MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 177 Size – The total number of bytes in the image (not displayed on the web UI)  Bytes Transferred – The number of bytes already processed (not displayed on the web UI) MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 178 File Server Configurations can be used for reprogramming, downloading certificates, configuration script import and export and sending support bundles for debugging. The following shows how to add a file server configuration named “GE File Server 1”: % set file-servers GE_file_server_1 tftp address 192.168.1.10 % commit >...
  • Page 179 - The raw y coordinate value. z-axis - The raw z coordinate value. This can be enabled from the Web UI. Navigate to System / Tamper Detection ---> Basic Config. MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 180 % set system tamper-detection magnetometer trigger-thresholds y-axis 25 % set system tamper-detection magnetometer trigger-thresholds z-axis 100 % set system tamper-detection magnetometer enabled true Monitoring Example of device status during calibration period: MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 181 Once tamper detection is enabled the alarm will be triggered when the magnetometer readings exceed the configurable offsets. To clear the alarm, navigate to System / Tamper Detection / ---> Actions / Clear Alarms and press Perform Action. After confirmation, the following screen will show. MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 182 File Destination - File transfer method to use. Available choices are To Local File (DEFAULT), To FTP Server, To TFTP Server, and To SFTP Server. Local file downloads are only available through the web UI and not through the CLI MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 183 (in other words, if the state is “inactive”). Figure 3-95. Export Configuration Monitoring The export status contains the following items:  Current State – The status of the export configuration file task: inactive preparing transfering cancelling complete failure MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 184 File Path - For FTP, TFTP, and SFTP, the path to the source file on the remote server  User Name - For FTP and SFTP, the user name on the remote server  Password - For FTP and SFTP, the password on the remote server MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 185  Detailed Message – The details regarding the operation, such as “Transferring configuration file”  Size – The total number of bytes in the file (not displayed on the web UI) MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 186 The following example shows how to configure a DNS server with IP address 192.168.1.2 on the MCR. Note that the “search” option can take a list of arguments and in this example, there are two arguments; mds and gemds. MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 187 64 bytes from 43-10.any.icann.org (192.0.43.10): icmp_req=2 ttl=128 time=132 ms 64 bytes from 43-10.any.icann.org (192.0.43.10): icmp_req=3 ttl=128 time=172 ms --- example ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 132.818/163.231/184.739/22.112 ms MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 189 GRE tunnels do not provide any security. GRE and IPsec can be combined to enable the following use cases: - Sending multicast IP traffic securely from one private network to another over an untrusted network
  • Page 190 “Bridge”. Definitions that are provided may apply to any of the interfaces.  Type - Indicates the Interface type - Read only system information  Admin Status - The desired state of the interface - Up meaning operational MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 191 )layer, which were addressed to a broadcast address at this sub-layer.  In Multicast Pkts - The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast address at this sub-layer. MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 192 The result of this command is very verbose and includes status and statistics for all the defined interfaces. For the sake of brevity, only the bridge interface status information is shown below (similar information will be shown for each defined interface): MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 193 The LAN port should be assigned IP addresses only if it is a routed interface (that is, not in a bridge). Configuring From the Interfaces screen the status may be displayed by clicking on the interface and scrolling down to the statistics information: Navigate to: Interfaces / Add/Delete Interfaces MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 194 Port-based authentication can be enabled in either EAP (Extensible Authentication Protocol) mode or MAB (MAC Authentication Bypass) mode. Both modes require the use of RADIUS server. MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 195 – The name of a RADIUS server configuration in system settings Monitoring Read-only parameters for Ethernet ports show the state of the security on the port: run show interfaces-state interface ETH1 security MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 196 Output - Use for selecting and applying a QoS policy (from the available QoS policies) to the outgoing traffic on this interface. See "Quality of Service (QoS)" on Page 203, for more information on creating QoS policies. MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 197 Destination NAT (Port Forwarding). Use for selecting and applying a destination NAT rule-set (from available destination NAT rule-sets) to incoming traffic on this interface
  • Page 198 6480 statistics out-discards 0 statistics out-errors 0 eth-phy-status "10 Mb, Half Duplex" ipv4 forwarding true ipv4 mtu 1500 PREFIX LENGTH ORIGIN ------------------------------------------------------------- 10.10.10.147 static LINK LAYER ADDRESS ORIGIN STATE MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 199 % set system mds-radius servers MyServer address 192.168.10.100 shared-secret RadiusSharedSecret % commit Port authentication can now be enabled on an Ethernet port. For example: % set interfaces interface ETH1 security security-mode EAP radius-server MyServer % commit MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual...
  • Page 200 Interfaces / Add/Delete Interface Screen. Below are the minimal steps to set up a VLAN virtual device: Create the VLAN as an interface with a name by clicking on the Add button. MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 201 Description - User defined identifier for this connection, up to 34 characters • Enabled - Checked indicates enabled (DEFAULT). Disable will prevent usage. Scroll down and set the VLAN ID
  • Page 202 Access: To set ETH2 as an access port for video_vlan the command is: % set interfaces interface ETH2 vlan-mode access vlan video_vlan Native VLANs A VLAN device may also be specified as a “native” VLAN by checking the Native Vlan box. MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F...
  • Page 203 The unit supports transparent bridging of LAN and WiFi/900MHz networks. The bridge forwards traffic between LAN and WiFi/900MHz networks at layer 2 of the OSI model. This allows LAN and WiFi/900MHz clients to be in the same IP sub-network.
  • Page 204 (LAN/WiFi). This configuration obviates the need for NAT, as the back-office network behind the VPN Concentrator (VPNC) can address the local LAN or WiFi network directly via the secure tunnel. ...
  • Page 205 Ensure the CLI is in operational mode. Follow the example below to view the state and statistics of a bridge. In this example, bridge (Bridge) is bridging the LAN (ETH1). > show interfaces-state interface Bridge interfaces-state interface Bridge ...
  • Page 206 NTP server at IP address 216.171.112.36. A static route to network 216.171.112.0/24 via next-hop 10.10.10.101 (or a host-only route to 216.171.112.36/24 via next-hop 10.10.10.101) ensures that the unit can communicate with the NTP servers. ...
  • Page 207 Source – Routes are defined by either the kernel or the user (static). To configure a static route, click the Static Routes option to navigate to Routing ---> Basic Config / IPV4. ...
  • Page 208 To add a new route, click the Add button. The Configure Route Details menu appears. Create a numeric ID for the new route, and click Add. The ID acts as a label, is for reference only, and has no bearing on the route itself. ...
  • Page 209 % set routing static-routes ipv4 route 10 description "Route to NTP Server" outgoing-interface ETH2 dest-prefix 216.171.112.36/32 next-hop 10.10.10.101 View the static routes with the command % show routing static-routes { ipv4 { route 10 { ...
  • Page 210 DEST PREFIX NEXT HOP INTERFACE SOURCE ------------------------------------------------------------------------------------------ 10.10.10.0/23 ETH2 kernel 192.110.11.0/24 Wi-Fi kernel 192.168.0.0/24 Bridge kernel 216.171.112.36/32 10.10.10.101 ETH2 static fe80::/64 kernel fe80::/64 Bridge kernel fe80::/64 ETH1 kernel fe80::/64 Wi-Fi kernel ...
  • Page 211 Both IPv4 and IPv6 neighbors may be created. This example uses IPv4, but IPv6 neighbors are created in a similar fashion. Click the IPv4 menu shortcut to proceed. The Neighbor list on the Interfaces / Wi-Fi ---> Basic Config / IPv4 menu shows all user-configured neighbors. ...
  • Page 212 Figure 3-119. Neighbor link layer address entry Once all items are configured appropriately, click Save in the upper left corner of the screen. The new neighbor will be populated into the Neighbor list. ...
  • Page 213 Static neighbors are those added by the user. • State - Incomplete, reachable, stale, delay, probe. Incomplete - Address resolution is still in progress and the neighbor's link-layer address is unknown. Reachable - The neighbor is currently reachable. ...
  • Page 214 MCR unit when packet filtering is enabled. Figure 3-120 shows the flow of packets terminating at the unit, such as device management traffic using SSH or NETCONF protocol terminating at local device management process within the unit. ...
  • Page 215 Rule 3 = permit everything Apply the filter to input or output direction of the interface. This selection depends on whether the rules should apply to traffic that ingresses or egresses the device. ...
  • Page 216 First, navigate to Wizards and click Access Control List (Filter) from either the navigation bar or the main Wizards page. Figure 3-123. Wizards List The Access Control List Wizard Introduction page appears. Click Next to continue. ...
  • Page 217 To create a new filter, click Add, then Yes to verify the creation of a new filter. Enter the name of the new filter, for example “Cell_Input_Filter”. Click OK to continue. ...
  • Page 218 ICMP - When selected, the rule will apply to that specific ICMP message only. For ICMP message type definitions, see RFC 792, available from the Internet Engineering Task Force, http://www.ietf.org N/A - the rule will be applied to all ICMP protocol messages. Destination Unreachable ...
  • Page 219 Address - Apply rule to a specific destination address and prefix. Address Range – Apply rule to a range of destination addresses. Address Set – Apply rule to a non-contiguous set of destination addresses. ...
  • Page 220 UDP and set Source Port to Services. The services must be entered as a comma-separated list. Since this example permits UDP services DNS, NTP, and IKE, enter dns, ntp, Ike in the textbox next to Services. ...
  • Page 221 Figure 3-130. Creation of a default restrictive packet filter rule for inbound traffic Once all changes are finished, click Back to return to the list of packet filters and create another. ...
  • Page 222 After clicking Add New Rule, the rule creation menu appears. Select Protocol All and Actions Accept. This is a permissive filter, which allows all traffic. Later on, if needed, this filter can be enhanced to deny certain traffic from exiting the cellular interface. ...
  • Page 223 In dropdown box next to the Cell interface and select the newly created input filter. Next, click the Out dropdown next to the Cell interface and select the newly created output filter. Click Next to continue. ...
  • Page 224 Change the packet filters applied to a network interface by navigating to Interfaces and clicking the desired interface in the navigation bar. Navigate to the Basic Config tab. The input and output filters appear in the Filter drop-down. Figure 3-135. Cell interface, Filter menu ...
  • Page 225 Monitoring At this time there are no commands to monitor traffic statistics for packets being dropped or permitted by the firewall. This feature may be added to future revisions of firmware. ...
  • Page 226 Figure 3-137. Packets Being Masqueraded Through MCR Configuring Source NAT configuration on MCR involves the following high-level steps: Create a source NAT rule-set. Add a rule to perform source NAT on the public interface. ...
  • Page 227 The Source NAT Wizard allows the creation or editing of Source NAT rule sets. First, navigate to Wizards and click Source NAT/Masquerading from either the navigation bar or the main Wizards page. Figure 3-138. Configuration Wizards Menu The Source NAT Introduction page appears. ...
  • Page 228 The next menu shows all rules contained within the new rule set. Since the rule set is new, it has none. Click Add New Rule to add one. The rule creation menu appears. ...
  • Page 229 Interface – Translate the source address to the address of the interface to which this rule-set has been applied. (The example above uses this configuration). Address – Translate the source address to the specified address. ...
  • Page 230 Select the Firewall system tab. Check the box next to Enabled on the Basic Config tab and click Save in the upper left corner of the screen. Figure 3-143. Enabling the Firewall service ...
  • Page 231 To add a new rule set, click the Add button. The Configure Rule Set Details menu appears. Figure 3-146. Add New Rule Set menu First, enter a name for the new rule set and click the Add button. Figure 3-147. Rule Set Display ...
  • Page 232 Source NAT – Edit this section if the rule should be applied to a specific interface or address. Since the rule in this example applies to the cellular interface, configuration will be done on the Source NAT section. ...
  • Page 233 Now, the rule set must be applied to the desired interface. Navigate to Interfaces and click on Cell to proceed to the cell interface’s menu. From there, navigate to Basic Config / NAT. ...
  • Page 234 Figure 3-153 shows the flow of packets being port-forwarded (DNAT’ed) through the MCR unit. For example, TCP traffic arriving at the cellular interface and getting port forwarded to a private host connected to the local Ethernet interface. ...
  • Page 235 The Destination NAT Wizard is the simplest way to add a destination NAT rule-set. First, navigate to Wizards and click Destination NAT/Port Forwarding from either the navigation bar or the main Wizards page. ...
  • Page 236 The wizard’s introduction page appears. Click Next to continue. Click Add to create a new rule-set and enter a name for the new rule set. Spaces are not allowed; use the underscore character instead. Click OK to continue. ...
  • Page 237 (In the example above, this is TCP.) • Source IP – Apply rule to traffic that originates at a specific address or addresses. • Mode – Options: ...
  • Page 238 In the example above, the new rule set should be applied to the cellular interface. Click Next to continue. ...
  • Page 239 To view the list of destination NAT rule sets that exist on the device at any time, navigate to Firewall ---> Basic Config / Destination NAT Figure 3-162. List of destination NAT rule sets ...
  • Page 240 Commit the configuration and exit configuration mode. % commit Monitoring At this time there are no commands to monitor traffic statistics for packets masqueraded by the firewall. This feature may be added in future revisions of firmware. ...
  • Page 241 Remote Tunnel Network = 172.16.1.0/24 Static NAT: 10.10.1.0/24 -> 192.168.1.0/24 Site-B IPsec Configuration: Local Network = 10.10.2.0/24 Remote Network = 172.16.1.0/24 Static NAT: 10.10.1.0/24 (local tunnel network is the external network) -> 192.168.1.0/24 (internal network) ...
  • Page 242 The Static NAT Wizard is the simplest way to configure static NAT on the unit. First navigate to Wizards and click on One-to-One NAT from either the navigation bar or the main Wizards page. ...
  • Page 243 Internal Address - The internal address is the address that is translated to the external address. (This is the rule{1}/static-nat/address in the CLI.) In Network A above, this is 192.168.1.0/24. Once the rule is complete, click Next to continue. The Interface Selection screen appears. ...
  • Page 244 To save and apply the changes, click Submit. To view the list of destination NAT rule sets that exist on the device at any time, navigate to Firewall ---> Basic Config / Static NAT. ...
  • Page 245 LAN on the other side of the remote router through an IPsec tunnel. If the remote LAN is configured as 0.0.0.0/0, then Orbit will route traffic from local LAN to any other destination through this tunnel. ...
  • Page 246 IPSec encryption and NHRP (Next Hop Resolution Protocol) functionality to enable easier configuration of hub-to-spoke VPN deployments. In addition, it enables formation of on-demand dynamic tunnels between spokes for a full or partial mesh VPN network. The routes are added for ...
  • Page 247 IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force, to provide IP security at the network layer. An IPsec-based VPN is made up of two parts: • Internet Key Exchange protocol (IKE) • IPsec protocols (ESP, AH) ...
  • Page 248 IP traffic from/to devices connected to either LAN, WiFi or Serial port of the Orbit to securely flow to/from back-office applications via a secure tunnel through a public cellular network. The tunneled application traffic is authenticated and encrypted to protect from eavesdropping, tampering and replay attacks. ...
  • Page 249 Orbit either manually or via SCEP. Configuration of the example above is possible via the Web UI's VPN Setup Wizard, or the CLI. Both procedures are shown below. ...
  • Page 250 Click Next to continue. The next screen provides a list of VPN setups that one can choose from for a particular use case. For this example, we’ll select “Configure Site-to-Site IPsec VPN”. ...
  • Page 251 Click Next to continue. The next screen shows an example network diagram for the selected setup. Figure 3-169. VPN Setup Network Diagram Click Next to continue. The next screen requires one to specify a name for this VPN connection. Figure 3-170. VPN – Specifying Name ...
  • Page 252 - DN – Use the specified distinguished name as the local IKE identity. • Peer Endpoint – Address, FQDN. Required setting. - Address – Specify the IP address of the IKE peer. ...
  • Page 253 The following options are available only when the authentication method chosen is Public key or EAP-TTLS. For more information on certificates, see Certificate Management and 802.1X Authentication. • Cert Type – RSA, ECDSA. ...
  • Page 254 Aes 256 Ccm12, Aes 128 Ccm 16, Aes 192 Ccm 16, Aes 256 Ccm16, Aes 128 Gcm 8, Aes 192 Gcm 8, Aes 256 Gcm8, Aes 128 Gcm 12, Aes 192 Gcm 12, Aes 256 Gcm12, Aes 128 Gcm 16, Aes 192 Gcm 16, Aes 256 Gcm16. ...
  • Page 255 Click Next to continue. The next screen provides some general information. Click Next to continue. The next screen lists all the changes that have been made by this wizard. Click Submit to commit these changes on Orbit. ...
  • Page 256 The IKE panel includes configuration for IKE policy and peer settings. When the VPN wizard is used for configuration, it automatically configures the IKE policy (<name>_<type>_ike_policy) and IKE peer (<name>_<type>_ike_peer) based on the specified VPN name. ...
  • Page 257 The IPsec panel includes configuration for IPsec policy and connection settings. When the VPN wizard is used for configuration, it automatically configures the IPsec policy (<name>_<type>_ipsec_policy) and IPsec connection (<name>_<type>) based on the specified VPN name. ...
  • Page 258 NOTE The VPN connections that are configured using the VPN service menu cannot be modified using the VPN wizard. Using the CLI The CLI can also be used to configure VPN. ...
  • Page 259 % set services vpn ipsec connection VPN-GWY-CONN remote-ip-subnet 192.168.2.0/24 % set services vpn ipsec connection VPN-GWY-CONN filter input IN_TRUSTED % set services vpn ipsec connection VPN-GWY-CONN filter output OUT_TRUSTED % set services vpn ipsec connection VPN-GWY-CONN failure-retry-interval 1 ...
  • Page 260 Config menu or via CLI, the firewall needs to be manually configured as well: 1. Add the following rules to the IN_UNTRUSTED filter that is applied to the Cell interface in the incoming direction: % set services firewall filter IN_UNTRUSTED rule 1 match protocol icmp ...
  • Page 261 See section 3.8.20 Network Link failover/failback for GRE/IPsec VPN configuration examples. See section 12.0 APPENDIX G for more VPN configuration examples, such as DMVPN. Monitoring Using the Web UI To view the VPN status, navigate to Services->VPN->Status. ...
  • Page 262 Under IKE panel, click on the IKE security association row to view the detailed status. Figure 3-175. VPN – IKE Security Association Detailed Status Under IPsec panel, click on the IPsec security association row to view the detailed status. ...
  • Page 263 259b6cf8efb75dcc ciphersuite AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 established-time 5590 rekey-time 4584 reauth-time 1773488 services vpn ipsec security-associations security-association 40 name SRX240-1_t1 state INSTALLED mode TUNNEL udp-encap false in-spi ccc45708 out-spi 127c75e1 ciphersuite AES_CBC-128/HMAC_SHA2_256_128/MODP_2048 in-bytes ...
  • Page 264 NOTE At least one of the unit’s interfaces (ETH1, ETH2, WiFi or Bridge if the interface is bridged) must be configured with an IP address from the subnet of the configured DHCP. ...
  • Page 265 The V4 Subnet and V6 Subnet drop-downs show the currently configured DHCP subnets. Click on an entry to edit, add or delete new entries. ...
  • Page 266 • NTP Server – A list of NTP (Network Time Protocol) servers to pass to clients. Domain names or IP addresses may be used. Entries must be separated by spaces. ...
  • Page 267 192.168.1.150 router 192.168.1.1 broadcast-address 192.168.255.255 ntp-servers [time.mds] Monitoring For the WebUI refer to the DHCP Menu as illustrated in Figure From the CLI in operational mode. Follow the example below to view the DHCP leases. ...
  • Page 268 The protocol contained in the UDP messages must handle these scenarios. Table 3-20. UDP Terminal Server Settings: Point-to-Point – UDP RX: Local Address/Port; UDP TX: Peer Unicast Address/Port. Point-to-Multipoint – UDP RX: Local Address/Port; UDP TX: Multicast Group Address/Port. ...
  • Page 269 • Description – A user-defined string describing the terminal server; blank by default • Enabled – Check box to allow for enabling/disabling the server • Mode - Further detailed configuration information ...
  • Page 270 • Address – The IPv4/IPv6 address • Port – The UDP port used when sending serial data to the remote address (30011 - DEFAULT) When selecting one of the Multicast options: ...
  • Page 271 Basic Setup of a TCP Terminal Server Start the same initial settings as were done for UDP setup. • Click Choices • Click TCP Server • Click TCP Server check box ...
  • Page 272 (30 sec DEFAULT) Basic Setup of Modbus Terminal Server Start the same initial settings as were done for UDP setup. • Click Choices • Click Modbus TCP • Click Modbus TCP check box ...
  • Page 273 Configure Outgoing Interface (outgoing-interface) Configure Orbit Serial Terminal Server • Configure which Serial Port to use as Terminal Server • Configure UDP as Protocol • Configure UDP Mode to use Point-to-Multipoint ...
  • Page 274 View the finished IPv4 Route table to confirm that the route is present: Figure 3-191. Example: Route Page NOTE Step #8 & #9 are ONLY if the user has a Terminal Server already configured in their system. Otherwise proceed to Step #10. ...
  • Page 275 % set services serial terminal-server server YOURPORT mode udp mode point-to-multipoint port 30015 multicast port 30016 address 224.100.0.5 % commit Configuring via the CLI The following shows how to configure and enable a UDP terminal server on COM1: ...
  • Page 276 Each of these services can be configured to only listen to specified IP addresses configured on the system. This may be useful if there are multiple networks being routed between and it is not desirable to expose management interfaces via one or more of the networks. ...
  • Page 277 • IPv4 Bind IPs - Restrict the server to only listen for connections on the specified IPv4 addresses. If not present, or empty, the server will listen on all IPv4 addresses. ...
  • Page 278 Figure 3-196. HTTP Restricted IP Once configuration is complete, click Save. Web UI - SNMP Configure To configure SNMP to listen only to a specific address, navigate to SNMP Agent ---> Basic Config. ...
  • Page 279 • IPv6 Bind IPs - Restrict the server to only listen for connections on the specified IPv6 addresses. If not present, or empty, the server will listen on all IPv6 addresses. ...
  • Page 280 These remote management interfaces can also be bound to IPv6 addresses by using “ipv6-bind-ips” instead of “ipv4-bind-ips”. If these settings are not configured, the default behavior is to listen on all IP addresses in the system. ...
  • Page 281 It takes some time to view the web interface of a remote radio over a narrowband channel. Accessing the remote configuration through the Remote Management Service’s web proxy client is significantly faster. ...
  • Page 282 Figure 3-200 Narrowband example network. Configuration Using the WebUI Navigate to Services->Remote Management and click the Basic Config tab. Figure 3-201 Basic configuration for Remote Management ...
  • Page 283 Web Proxy Client to open a remote web UI session to this unit. Enabled by DEFAULT. To initiate a remote web proxy or over the air reprogramming session, access the Actions menu at Services->Remote Management->Actions. ...
  • Page 284 If the remote unit does not currently have the specified firmware version, it will ignore the reboot request. ...
  • Page 285 You can also monitor the transfer status by viewing the AP’s event log to see that it has begun or finished a remote transfer session. ...
  • Page 286 When you click Perform Action, a new browser tab opens that contains the remote web UI. To show that the web UI is a remote session, the webpage header reads “GE MDS Device Management (Remote).” Popup blockers on some web browsers may block the new webpage that is launched. If the new window is blocked, disable the popup blocker or configure it properly to allow popups from the Orbit device.
  • Page 287 Interfaces->NxRadio->Status, and expand the LN Radio or NX Radio menu, as applicable. In the Connected Remotes list, highlight the intended remote unit, and click Remote Web Connect. Figure 3-206 Connected Remotes display, LN or NX radios ...
  • Page 288 Status – The current state of the web proxy server. Disabled – The unit is not accepting remote web connection requests. Operating – The unit may be managed remotely through a remote web UI session. ...
  • Page 289 Monitoring To view the current Remote Management status, ensure that the CLI is in operational mode. % show services remote-management-status services remote-management-status web-proxy-client status disabled services remote-management status web-proxy-server status operating ...
  • Page 290 The classifiers mark the packets as they travel through the system. This mark is used when the packet gets to the queue, to put it in its proper class. Packets can be classified based on the following parameters: ...
  • Page 291 VLAN 101 traffic and then all remaining traffic. Configuring In the web UI, the QoS service is configured under QoS Services ---> Basic Config. ...
  • Page 292 The following options are available on the classifier menu. • Match Type – All, Any. - All – Match all match rules if there is more than one match rule in the classifier. ...
  • Page 293 Not – This menu is used to create a rule that matches packets that do not match a specific ether-type. • Type – Protocol, Custom. - Protocol – Any, Arp, Goose, Gse, Ieee1588, IPv4, IPv6, Ipx, Mpls-multicast, Mpls-unicast, Pppoe-discovery, Pppoe-session, Profinet, Provider-bridging, Q-in-q, Rarp, Vlan. ...
  • Page 294 The shaping policy sets a guaranteed minimum data rate for each class and optionally a maximum data rate that the class cannot exceed. Since this example prioritizes GOOSE messages above all other traffic, select Prioritization. Figure 3-219. QoS Prioritization menu ...
  • Page 295 GOOSE messages, into the new priority class. Since this example makes GOOSE messages the highest priority, enter 1 as the priority. Click Save. The configured QoS classifiers and policies are listed at QoS Services ---> Basic Config. ...
  • Page 296 % set services qos policy Policy1 prioritization default-priority 5 % set services qos policy Policy1 prioritization class HIGH priority 1 classifier GOOSE % set services qos policy Policy1 prioritization class STANDARD priority 5 ...
  • Page 297 SFTP. One solution to this is to use the classifier's metric. A classifier with a lower metric is evaluated before classifiers with higher metrics. All classifiers have a default metric of 10. So by giving the SFTP classifier a lower metric, it will be considered before the FROM1234 classifier. ...
  • Page 298 % set services qos policy FAIR fairness sfq % set services qos policy Policy1 prioritization class HIGH next-policy FAIR Now multiple traffic flows from 1.2.3.4 will be treated fairly. ...
  • Page 299 % set services qos policy DSCP-POLICY modify dscp value 16 % commit % set routing static-routes ipv4 route 1 outgoing-interface GRE % set routing static-routes ipv4 route 1 dest-prefix 192.168.2.0/24 % commit ...
  • Page 300 SNMP Understanding The MCR Orbit platform incorporates an SNMP agent to enable monitoring of system and network interface status with GE MDS PulseNET or other SNMP Managers. The SNMP agent on the Orbit platform provides the following functionality: • SNMP version v1, v2c and v3. Each of these versions can be enabled or disabled independently.
  • Page 301 Configuration of the User-based Security Model vacm Configuration of the View-based Access Control Model In the Web UI these are provided on the screen by Navigating to: SNMP Agent ---> Advanced Config. ...
  • Page 302 Figure 3-224. SNMP Main Page ...
  • Page 303 Use the “snmpwalk” tool to perform an SNMP walk on the unit (only a small subset of the output is shown for the sake of brevity) $ snmpwalk -M +./ -c public -v2c 192.168.1.1 internet SNMPv2-MIB::sysDescr.0 = STRING: GE MDS Orbit SNMP Agent SNMPv2-MIB::sysObjectID.0 = OID: MDS-ORBIT-SMI-MIB::mdsOrbit DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (14841) 0:02:28.41 SNMPv2-MIB::sysContact.0 = STRING:...
  • Page 304 V 3 - SNMP version 3: adds both encryption and authentication, which can be used or in combination. • Agent Engine settings: • Engine ID (submenu) - Local SNMP engine's administratively-unique identifier. Click on the Engine ID and set/verify the parameters. ...
  • Page 305 OID subtree is included or excluded from the view. For example in the case below, the view name is “internet” with subtree OID value of 1.3.6.1 and type “included”. This view basically includes all OIDs at or below 1.3.6.1 OID subtree. ...
  • Page 306 “security model” is v1 and v2c. In addition, the “all-rights” group has access to “internet” view under “any” security model and “no-auth-no-priv” security level. That is, the members of “all-rights” group can access internet view without any authentication (auth) or encryption (priv). ...
  • Page 307 Configuring the SNMP agent for v3-only operation (w/ Authentication and Encryption) The example below assumes SNMP agent has factory default configuration (see section “Default Configuration on Page 303”). Disable v2c and enable v3 ...
  • Page 308 AES encryption with password “aesPassword”. Click on the Add button in the User table and then enter “User 1”. Once done, click the Add button. This will then prompt the user for additional information. ...
  • Page 309 Password (DEFAULT) – Used to create a localized key. Key – 20-byte Authentication key • MD5 Key Type: Choices: (select from the choices pulldown) Password (DEFAULT) – Used to create a localized key. Key – 16-byte Authentication key ...
  • Page 310 Also, ensure group “secure” has read and notify access to “internet” view under “usm” security model and “auth-priv” security level. That is, the members of “secure” group can access internet view only with authentication (auth) or encryption (priv). ...
  • Page 311 Click on Add… and configure a name for the group. In this example, the group name will be “secure”. Once finished, click the Add button, which will present additional configurable fields. ...
  • Page 312 Filling in the VACM Group parameter values can be accomplished via the CLI using the following commands: % set services snmp vacm group secure member User1 sec-model [usm] % set services snmp vacm group secure access usm auth-priv read-view internet Commit configuration ...
  • Page 313 The snmpwalk tool can be used to test the above configuration: $ snmpwalk -M +./ -v3 -u User1 -a sha -A sha1Password -x aes -X aesPassword -l authpriv 192.168.1.1 internet SNMPv2-MIB::sysDescr.0 = STRING: GE MDS Orbit SNMP Agent SNMPv2-MIB::sysObjectID.0 = OID: MDS-ORBIT-SMI-MIB::mdsOrbit DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (6128338) 17:01:23.38 SNMPv2-MIB::sysContact.0 = STRING:...
  • Page 314 % set services snmp agent version v1 Configure SNMP manager as a target (“TARGET-1-v1”) that listens on port 5000, has IP address of 192.168.1.2, can receive v1 traps (tag “std_v1_trap”) with security name of “public”. ...
  • Page 315 $ snmptrapd -M +./ -Lo -c snmptrapd.conf NET-SNMP version 5.4.3 2014-04-22 13:39:02 0.0.0.0(via UDP: [192.168.1.1]:161->[192.168.1.2]) TRAP, SNMP v1, community public MDS-EVENT-MIB::traps0 Enterprise Specific Trap (MDS-EVENT-MIB::mdsEvent) Uptime: 2:07:00.35 MDS-EVENT-MIB::mdsEventName.0 = STRING: "ssh_login" ...
  • Page 316 SNMPv2-MIB::snmpTrapOID.0 = OID: MDS-EVENT-MIB::mdsEvent, MDS-EVENT-MIB::mdsEventName.0 = STRING: "ssh_login", MDS-EVENT-MIB::mdsEventInfoInCee.0 = STRING: "@cee:{\"host\":\"(none)\",\"pname\":\"loggingmgr\",\"time\":\"2014-04-15T01:34:26.373312+00:00\",\"action\":\"login\",\"service\":\"ssh\",\"domain\":\"os\",\"object\":\"session\",\"status\":\"success\",\"src_ipv4\":\"192.168.1.2\",\"src_port\":42031,\"user_name\":\"admin\",\"event\":\"ssh_login\",\"profile\":\"http://gemds.com/cee_profile/1.0beta1.xsd\"}" As can be seen above, the SNMP agent sent a v2 trap for “ssh_login” event. ...
  • Page 317 As can be seen above, the SNMP agent sent a v3 trap for “ssh_login” event. If the authentication or encryption password for user “User1” as set in the snmptrapd.conf file does not match that configured in the unit, snmptrapd will not display the received trap. ...
  • Page 318 % set services snmp agent version v3 Create a remote user named “RemUser1” with engine-id of SNMP inform receiver (80:00:1f:88:04:74:65:73:74:69:6e:67) and SHA1 authentication with password “sha1Password” and AES encryption with password “aesPassword”...
  • Page 319 SNMPv2-MIB::snmpTrapOID.0 = OID: MDS-EVENT-MIB::mdsEvent MDS-EVENT-MIB::mdsEventName.0 = STRING: "ssh_login" MDS-EVENT-MIB::mdsEventInfoInCee.0 = STRING: "@cee:{\"host\":\"(none)\",\"pname\":\"loggingmgr\",\"time\":\"2014-04-15T04:25:53.677885+00:00\",\"action\":\"login\",\"service\":\"ssh\",\"domain\":\"os\",\"object\":\"session\",\"status\":\"success\",\"src_ipv4\":\"192.168.1.2\",\"src_port\":42694,\"user_name\":\"admin\",\"event\":\"ssh_login\",\"profile\":\"http://gemds.com/cee_profile/1.0beta1.xsd\"}" Monitoring Ensure the CLI is in operational mode. Check SNMP agent status > show SNMPv2-MIB...
  • Page 320 SNMPv2-MIB system sysDescr "GE MDS Orbit SNMP Agent" SNMPv2-MIB system sysObjectID 1.3.6.1.4.1.4130.10 SNMPv2-MIB system sysUpTime 911614 SNMPv2-MIB system sysServices 72 SNMPv2-MIB system sysORLastChange 0 SNMPv2-MIB snmp snmpInPkts 0 SNMPv2-MIB snmp snmpInBadVersions 0 SNMPv2-MIB snmp snmpInBadCommunityNames 0 SNMPv2-MIB snmp snmpInBadCommunityUses 0...
  • Page 321 Src Address - Source address to use for icmp-echo request Interval - Time interval (in seconds) between icmp-echo requests. Value range [1..86400] DEFAULT=5 Timeout - Time to wait (in milliseconds) for icmp-echo response. Value range [1..5000] DEFAULT=2000...
  • Page 322 The following figure shows a setup that achieves high-reliability network communications between a SCADA back office and remote sites, using 900 MHz and Cellular communications in a redundant network setup using routing functionality...
  • Page 323 The reachability check is done by configuring a NETMON service operation, which checks connectivity based on either the link status of the primary interface (NX) or on ICMP ECHO requests (pings) towards a host reachable via the...
  • Page 324 Configure GRE tunnel interface with mode = ip-over-gre, src-address = 10.150.1.10 (the local Cell interface address) and dst-address = 10.150.1.1 (the WAN address of the R1 router). - Navigate to Interfaces / Add/Delete Interfaces and click ‘Add’ to create new interface named ‘GRE1’:...
  • Page 325 Configure a NETMON service icmp-echo-monitor operation named NX-LINK-CHECK that does a periodic link check by pinging R1 over NX interface. Please refer to NETMON service section for further help with configuration...
  • Page 326 NX-LINK-CHECK operation, which checks the reachability of the back-office network via this route. - Navigate to Routing ---> Basic Config / IPv4 and click ‘Add’ to add the primary route over...
  • Page 327 6. Configure secondary route towards SCADA back-office network (10.10.1.0/24) with GRE1 as the outgoing interface and preference value of 20. - From the same page, click ‘Add’ to add the secondary route over GRE1 tunnel interface:...
  • Page 328 Configure secondary route towards SCADA back-office network (10.10.1.0/24) with GRE1 as the outgoing interface and preference value of 20. % set routing static-routes ipv4 route 2 dest-prefix 10.10.1.0/24 % set routing static-routes ipv4 route 2 outgoing-interface GRE1...
  • Page 329 Once primary link connectivity is restored (i.e. N successful pings), both AP and REMOTE update their routing tables to direct traffic over NX network. The above setup is facilitated by same functionality as described in previous section...
  • Page 330 On each REMOTE, the BOND interface bonds NX interface (primary) with GRE layer-2 tunnel interface (secondary) and is itself bridged with the LAN interface. On the AP, the NX and layer-2 GRE tunnel interfaces are bridged with the LAN interface...
  • Page 331 = 10.150.1.10 (the remote Cell interface address as configured in IPsec VPN towards REMOTE-1). - Navigate to Interfaces / Add/Delete Interfaces and click ‘Add’ to create new interface named ‘GRE-REMOTE-1’:...
  • Page 332 Add the GRE-REMOTE-2 tunnel interface to the bridge that has NX interface and disable STP on the bridge. Please refer to section on Bridging for help with adding members to a bridge...
  • Page 333 10.150.1.10 (the local Cell interface address as used in IPsec VPN towards AP) and dst-address = 10.150.1.1 (the remote Cell interface address as configured in IPsec VPN towards AP). - Navigate to Interfaces / Add/Delete Interfaces and click ‘Add’ to create new interface named ‘GRE1’:...
  • Page 334 Configure BOND interface in ‘active-backup’ mode with NxRadio and GRE-AP as members and NxRadio as the primary member. - Navigate to Interfaces / Add/Delete Interfaces and click ‘Add’ to create new interface named ‘Bond1’:...
  • Page 335 REMOTE switches its link from NX to/from GRE tunnel. The time interval of this traffic determines the time interval of failover at the AP. Please refer to the NETMON service section for help with configuration...
  • Page 336 10.150.1.20 (the local Cell interface address as used in IPsec VPN towards AP) and dst-address = 10.150.1.1 (the remote Cell interface address as configured in IPsec VPN towards AP). - Navigate to Interfaces / Add/Delete Interfaces and click ‘Add’ to create new interface named ‘GRE-AP’:...
  • Page 337 Configure BOND interface in ‘active-backup’ mode with NxRadio and GRE-AP as members and NxRadio as the primary member. - Navigate to Interfaces / Add/Delete Interfaces and click ‘Add’ to create new interface named ‘Bond1’:...
  • Page 338 REMOTE switches its link from NX to/from GRE tunnel. The time interval of this traffic determines the time interval of failover at the AP. Please refer to the NETMON service section for help with configuration...
  • Page 339 % set services vpn ike peer REMOTE-2_ike_peer ike-policy REMOTE-2_ike_policy % set services vpn ike peer REMOTE-2_ike_peer local-endpoint address 10.150.1.1 % set services vpn ike peer REMOTE-2_ike_peer local-identity default % set services vpn ike peer REMOTE-2_ike_peer peer-endpoint address 10.150.1.20...
  • Page 340 % set services vpn ipsec connection AP filter input IN_TRUSTED % set services vpn ipsec connection AP filter output OUT_TRUSTED - Configure GRE tunnel interface % set interfaces interface GRE-AP type gre % set interfaces interface GRE-AP gre-config mode ethernet-over-gre...
  • Page 341 % set services netmon operation NX-LINK-CHECK enabled true % set services netmon operation NX-LINK-CHECK icmp-echo-monitor dst-host 192.168.1.4 % set services netmon operation NX-LINK-CHECK icmp-echo-monitor interval 5 REMOTE#2 Configuration Configuration is similar to REMOTE#1...
  • Page 342 LAN route with a router in the back-office (and vice versa) over the Cellular WAN interface. Both OSPF and RIP exchange routing updates with peers...
  • Page 343 Following example shows how to create a route filter to export route for a directly connected local LAN (i.e. direct/interface route for Bridge interface for a unit with factory default configuration). Navigate to Routing-> Basic Config->Route filters Click ‘Add’ to create a route filter named LOCAL_LAN...
  • Page 344 Select the newly created LOCAL_LAN route filter and click ‘Add’ to add a rule with ID=1 to this filter. Select ‘outgoing-interface= Bridge’ and Action=’accept’. Click Finish on the panels to close them. To apply configuration, click Save...
  • Page 345 To apply configuration, click Save. Using CLI In configuration mode, enter following commands: % set routing rip enabled true % set routing rip export-filter LOCAL_LAN % set routing rip interface GRE...
  • Page 346 The user can check the routing table in the ‘General’ panel to ensure a dynamic route for the back-office has been received from the back-office router. The ‘RIP’ panel displays the state of the RIP routing protocol, including route import/export statistics. Using CLI In operational mode, enter following commands:...
  • Page 347 MD5 authentication can be used to secure routing protocol updates on per-interface basis. In the example below, OSPF is enabled with area 0.0.0.0 containing GRE interface along with LOCAL_LAN as the export filter. Navigate to Routing-> Basic Config->OSPF Select ‘LOCAL_LAN’ as the export filter...
  • Page 348 Under ‘Area,’ click ‘Add’ to add area 0.0.0.0 (backbone) Under ‘Interface,’ click ‘Add’ to add GRE interface to area 0.0.0.0. To apply configuration, click Save. Using CLI In configuration mode, enter following commands:...
  • Page 349 The user can check the routing table in the ‘General’ panel to ensure a dynamic route for the back-office has been received from the back-office router. The ‘OSPF’ panel displays the state of the OSPF routing protocol, including route import/export statistics and other OSPF protocol status...
  • Page 350 10.10.40.0/24 dynamic 172.18.175.128/28 - Cell kernel > show routing-state ospf routing-state ospf routing-instance MAIN_OSPF routing-state ospf state up routing-state ospf preference 150 routing-state ospf import-filter ACCEPT routing-state ospf export-filter LOCAL_LAN...
  • Page 351 4 routing-state ospf statistics export-updates-accepted 1 routing-state ospf statistics export-withdraws-received 1 routing-state ospf statistics export-withdraws-accepted 0 routing-state ospf area 0.0.0.0 stub false nssa false transit false nssa-translation false num-interfaces...
  • Page 352 IBGP mode. In the example below, BGP is configured with one external neighbor with LOCAL_LAN as the export filter. Navigate to Routing-> Basic Config->BGP Select ‘LOCAL_LAN’ as the export filter...
  • Page 353 Please see section 12.2.2.1 for an example on use of BGP to exchange routes over DMVPN network. Using CLI In configuration mode, enter following commands: % set routing bgp neighbor PRIMARY-HUB peer-address 172.16.0.1 % set routing bgp neighbor PRIMARY-HUB enabled true...
  • Page 354 The user can check the routing table in the ‘General’ panel to ensure a dynamic route for the back-office has been received from the back-office router. Using CLI In operational mode, enter following commands: >show routing-state bgp...
  • Page 355 Standalone GPS receiver in 4G cellular modules (4Gx in the model string). The following table displays the approved GPS antennas that can be used. Table 3-22. Approved GPS Antenna Types...
  • Page 356 ‘source’ parameter. To apply configuration, click Save. Using CLI % set services gps enabled true % commit Monitoring Navigate to Services --> GPS Service --> Status...
  • Page 357 There is built in support for DynDNS.com and No-IP.com DDNS providers. The service also supports user specified URL for updating DDNS providers that do not have built-in support. Configuring Navigate to Services->DDNS Service--> Basic Config...
  • Page 358 HTTPS – Whether or not to use HTTPS when sending DDNS updates. - Verify Server Certificate – Whether or not to verify DDNS service provider. - CA Certificate – Locally stored certificate to use to verify DDNS service provider...
  • Page 359 % set services ddns enabled true % set services ddns provider dyn.com % set services ddns hostname pump1.dyndns.org % set services ddns username test % set services ddns password test123 % set services ddns interface Cell...
  • Page 360 The hosts need to be configured to communicate to only one router IP address, the VIP, and whichever physical router is currently designated as the Master will have that VIP address assigned to its interface...
  • Page 361 ETH2 vrrp The router status will be displayed as one of the following states: vrrp disabled – VRRP is disabled on this interface. vrrp initializing – VRRP is starting...
  • Page 362 22 will be routed to Orbit instead of getting passed through to the end device. One can similarly configure entries for HTTP (TCP port 80) or HTTPS (tcp port 443) to enable remote access to Orbit’s Web UI...
  • Page 363 % set services ip-passthrough local-service SSH protocol tcp port 22 % set services ip-passthrough local-service HTTP protocol tcp port 80 % set services ip-passthrough local-service HTTPS protocol tcp port 443 % commit Monitoring Using Web UI Navigate to Services->IP Passthrough->Status...
  • Page 364 A private key may be deleted from the device by clicking the Delete button on the web user interface or by using the CLI in operational mode. See the following example for deleting private keys via the CLI: > request pki private-keys delete key-identity generated_key_2048...
  • Page 365 The current status of the generation process is displayed on the web page. Note that the web page does not display the current status if the device has not been instructed to generate a private key (in other words, if the state is “inactive”)...
  • Page 366 Navigate to the Private Keys section in Certificate Management / Basic Config. Click on the Add button, and then click on the Begin Importing button once the key identity, the optional key passphrase, and the file source are configured...
  • Page 367 The current status of the import process is displayed on the web page. Note that the web page does not display the current status if the device has not been instructed to import a private key (in other words, if the state is “inactive”)...
  • Page 368 CA certificates currently loaded into the device. Figure 3-234. CA Certificates Ensure the CLI is in operational mode and follow the example below to view the installed CA certificates: > show pki ca-certs show-all CERT IDENTITY...
  • Page 369 File Source - File transfer method to use. Available choices are From Local File (DEFAULT), From HTTP Server, From FTP Server, From TFTP Server, From SFTP Server, and From SCEP Server. Local file uploads are only available through the web UI and not through the...
  • Page 370 Import button. The current status of the import process is displayed on the web page. Note that the web page does not display the current status if the device has not been instructed to import a CA certificate (in other words, if the state is “inactive”)...
  • Page 371 Figure 3-237. Client Certificates Ensure the CLI is in operational mode and follow the example below to view the installed client certificates:...
  • Page 372 Server Address - For FTP, TFTP, and SFTP, the remote server's host name or IP address - File Path - For FTP, TFTP, and SFTP, the path to the source file on the remote server...
  • Page 373 Once the import of a client certificate is begun, the process may be cancelled by clicking the Cancel Import button. The current status of the import process is displayed on the web page. Note that the web...
  • Page 374 “Successfully imported client certificate” pki client-certs import-status size 1586 pki client-certs import-status bytes-transferred 1586 pki client-certs import-status percent-complete 100 For SCEP imports, additional status is displayed in the web page:...
  • Page 375 Firmware Certificates The device can manually import firmware certificates. From the WebUI, navigate to Certificate Management / Basic Config. The Firmware Certificates section shows the firmware certificates currently loaded into the device...
  • Page 376 Navigate to the Firmware Certificates section in Certificate Management / Basic Config. Click on the Add button, and then click on the Begin Importing button once the certificate identity and the file source are configured...
  • Page 377 (in other words, if the state is “inactive”). Figure 3-243. Import Firmware Certificate Monitoring The import status contains the following items:...
  • Page 378 In general, it is simply for reference and does not have to be a specific name. In fact, it can be the same name as the ca-server if this helps to remember it. Also, client certificate information that goes in...
  • Page 379 System Administration or Security personnel. The common name will always be required. Other parameters may be required. Here is an example: > set pki cert-info certificate-info predefined_cert_info organization-x509 "GE MDS LLC" org-unit-x509 Engineering common-name-x509 00102200000102030411223344556670 Obtaining a New Certificate To obtain a new client certificate from a SCEP server, the first step is to request the CA certificate from the SCEP server.
  • Page 381: Technical Reference

    MCR-900 Only 900 ISM (NxRadio) MCR-LN + 3G Cellular Lic. Narrowband (LnRadio) MCR-LN + WiFi WiFi Lic. Narrowband (LnRadio) MCR-LN + 3G Cellular Lic. Narrowband (LnRadio) MCR-LN Only Lic. Narrowband (LnRadio)...
  • Page 382 Solid Red No Remotes connected Solid Green Linked with at least 1 Remote Remote Mode Blink Red NIC Initialization / Not linked to an Access Point Solid Green Linked with Access Point...
  • Page 383: Technical Specifications

    4.0W 292mA Connected (Typical Download) 4.3W 310mA Table 4-8. Orbit MCR-3G Power Consumption: Power Consumption (nominal, 25C, Cellular Only) Mode Power 13.8V Connected (Idle) 2.5W 182mA Connected (Typical Download) 3.2W 235mA...
  • Page 384 Size 8.0” long (20.32 cm), 4.8” wide (12.192 cm), 1.75” High (4.445 cm) Housing Die-cast Aluminum Weight 2 lbs. (without mounting hardware) Environmental Operating Temperature Range ° ° C to +70...
  • Page 385 Part 15C FCC ID M4Y-ZCN722MV1 WiFi Antenna Connector Female Reverse SMA 4G LTE/CDMA (Verizon Only) LTE 1900(B2), AWS (B4), 850(B5), 700 (B13), 700(B17), 1900(B25) CDMA 1xRTT/EV-DO Rev A - 800(BC0), 1900(BC1), 800(BC10)...
  • Page 386 Output Impedance 50 Ohms Permissible Antennas GE MDS 93-/97-3194A14, 10dBd (12.15dBi) YAGI Antenna GE MDS 93-/97-3194A23, 7dBd (9.15dBi) 5/8 wavelength OMNI Antenna Connector TNC female Number of Frequency Channels Selectable 50 to 81 for FHSS, 1 to 20 for DTS Channel Separation 307.5 kHz minimum...
  • Page 387 Permissible Antennas Various options based on user license, including .. GE MDS 93-/97-3194A18, 406-430MHz, 7dBi OMNI w/16” Jumper N-F Conn & Mnt GE MDS 93-/97-3194A19, 430-450MHz, 7dBi OMNI w/16” Jumper N-F Conn & Mnt GE MDS 93-/97-3194A26, 450-470MHz, 11 dBi OMNI w/N-F Conn & Mnt GE MDS 93-/97-3194A02, 406-430MHz, 12 dBi YAGI w/N-F Conn &...
  • Page 388 Permissible Antennas Various options based on user license, including .. GE MDS 93-/97-3194A17, 902-928MHz, 9dBi OMNI w/16” Jumper N-F Conn GE MDS 93-/97-3194A14, 902-960MHz, 12 dBi YAGI 6 Element w/N-F Conn GE MDS 93-/97-3194A13, 902-960MHz, 8.5 dBi YAGI 3 Element w/N-F Conn...
  • Page 390 A fade margin of 20 to 30 dB is usually sufficient in most systems. Frame: A segment of data that adheres to a specific data protocol and contains definite start and end points. It provides a method of synchronizing transmissions...
  • Page 391 SSH: Secure Shell protocol for a network that allows users to open a window on a local PC and connect to a remote PC as if they were present at the remote...
  • Page 392 Telnet: A terminal emulation protocol that enables an Internet user to communicate with a Remote device for management activities as if it were locally connected to a PC. TX: Abbreviation for “Transmit.” WAN: Wide Area Network...
  • Page 394: Operational Mode

    [, as shown below at the end of the possible completions information. Items in the list are separated by a space character. This example shows that there are three ways to input values to a list node:...
  • Page 395 With brackets, for a list that contains one value: “ [ gemds ] ” % set system dns search [gemds] With brackets, for a list that contains more than one value: “ [ ge gemds ] ” % set system dns search [ge gemds] 6.6 Tab-Completion...
  • Page 396 - For example, the “filename” parameter will be requested from the user since it is mandatory and yet it was not supplied in the initial request:...
  • Page 397 - Show only text that does not match a pattern extended - Show referring elements find - Search for the first occurrence of a pattern hide - Hide display options...
  • Page 398 0 status counters tx_bytes 238574 status counters tx_carrier_errors 0 status counters tx_compressed 0 status counters tx_dropped 0 status counters tx_errors 0 status counters tx_fifo_errors 0 status counters tx_heartbeat_errors 0...
  • Page 399: Regular Expressions

    > show configuration | match "(uid) | (gid)" | linnum 1: uid 1019; 2: gid 1013; 3: uid 1019; 4: gid 1013; 5: uid 1019; 6: gid 1013; 7: uid 1019;...
  • Page 400 The commands available to the user differ, depending on whether the CLI is in operational mode or configuration mode. The following commands are described in the next sections: Operational Mode Commands Configuration Mode Commands commit annotate configure commit exit compare help copy ping delete...
  • Page 401 Shared - Edit candidate configuration without locking it. exit - Exits the CLI session. help <command> - Display help text related to <command>. ping - Ping an IP address or hostname. quit - Quit current operation...
  • Page 402 "Oil from Tanker1 "; authentication { user-authentication-order [ local-users radius ]; password-options { minimum-length minimum-lower-case-letters 2; minimum-capital-letters minimum-numeric minimum-non-alpha-numeric 1; - Showing configuration data when the CLI is in configuration mode:...
  • Page 403 "" set logging event-rules console_login local true set logging event-rules console_login priority notice ..<Remaining text omitted for brevity> ..show [path] - Display CLI properties.....
  • Page 404 [brief] - If changes have been made, but have not yet been committed, then those changes can be reviewed prior to committing them by using the “compare” command. Differences will be...
  • Page 405 “revert” command. rollback [<number>] - Return the configuration to a previously committed configuration. The system stores a limited number of old configurations. If more than the configured number of configurations are stored,...
  • Page 406 <statement> - Remove all tags from a configuration statement. - Exit to top level and optionally run command. - Exit one level of configuration. validate - Validates current configuration. This is the same operation as commit check...
  • Page 408 In case of an out of band IMA server setup, the MCR needs to be configured with an IMA IPsec connection and a VPN-GWY IPsec connection. An example follows: connection IMA-CONN-1 { ike-peer IMA-SERVER; ipsec-policy IPSEC-POLICY-IMA; local-ip-subnet 0.0.0.0/0; remote-ip-subnet 0.0.0.0/0; is-out-of-band-ima true;...
  • Page 409 IMA database. > show services vpn services vpn ipsec ipsec-status connections connection IMA-CONN-1 state disconnected failure-reason none last-timestamp 2013-01-18T21:24:26+00:00 ima-evaluation “non-compliant major” ima-recommendation Quarantined...
  • Page 410 Follow the troubleshooting steps described in VPN section on troubleshooting IMA connection failure. Note that an IMA connection failure means that unit was unable to communicate or attest with IMA. It does not mean there was an IMA evaluation failure...
  • Page 411 3 mandatory fields that must be in every logged event: - host – Hostname of the event source. - pname – Process name that generated the event...
  • Page 412 DHCP server (Syslog header left off for brevity, and formatted for clarity): DHCP Request sent to the server: @cee: { "host":"stout", "pname":" my_appname ", "time":"2012-08-22T11:20:10.559227-04:00", "action":"request", "domain":"net", "object":"interface", "service":"dhcp_client", "status":"ongoing", "event":"dhcp_client", "interface_name":"eth0", "profile":"http://gemds.com/cee_profile/1.0beta1.xsd...
  • Page 413 The following shows how to configure the unit with a server to which events will be sent: % set logging syslog server my_syslog_server ip 192.168.1.1 port 1999 protocol tls version RFC5424 tls-options tls-ca-certificate my_ca_cert tls-client-certificate my_client_cert tls-client-key my_client_key...
  • Page 414 % show logging event-rules cell_disconnected description "cell connection disconnected"; local true; priority notice; syslog-facility user; syslog true; snmp-notification true; netconf-notification true;...
  • Page 415 9.0 APPENDIX D – Managing Signed Firmware The GE MDS code signing tool (CST) is a command line program that can be run on Windows or Linux. Running the CST and passing the “--help” argument will print the following usage info: pkgsigner --help GEMDS Firmware Packaging Signing Utility (pkgsigner) 06-6671A01 Rev.
  • Page 416 Signing a GE MDS firmware package is an optional step for users and is not required. Users may wish to sign a firmware package to ensure that only user-approved firmware package revisions from GE MDS can be loaded into a unit. An example of signing a firmware package is shown below: ./pkgsigner -v ge_pubcert.pem -k user_key.pem -P "mypass"...
  • Page 417 Service (Verizon) 10.1 Understanding The MDS Orbit MCR-4G requires a mini SIM card (2FF type) provisioned for 4G cell operation. The unit’s cellular interface will not function without a valid SIM card installed. GE MDS does not provide SIM cards. Service can be obtained by contacting Verizon and requesting a provisioned SIM card for the appropriate M2M service plan.
  • Page 418 Frequency 1000 1000W 1250 902.700000 903.007500 903.315000 903.622500 903.930000 904.237500 904.545000 904.852500 905.160000 905.467500 905.775000 906.082500 906.390000 906.697500 907.005000 907.312500 907.620000 907.927500 908.235000 908.542500 908.850000 909.157500 909.465000 909.772500 910.080000 910.387500 910.695000...
  • Page 419 914.385000 914.692500 915.000000 915.307500 915.615000 915.922500 916.230000 916.537500 916.845000 917.152500 917.460000 917.767500 918.075000 918.382500 918.690000 918.997500 919.305000 919.612500 919.920000 Unused 920.227500 920.535000 920.842500 921.150000 921.457500 921.765000 922.072500 922.380000 922.687500 922.995000 923.302500...
  • Page 420 923.610000 923.917500 924.225000 924.532500 924.840000 925.147500 925.455000 925.762500 926.070000 926.377500 926.685000 926.992500 927.300000 Channels/Hop Set...
  • Page 421 Bridge bridge-settings members port ETH2 # Cell interface configuration set interfaces interface Cell type cellular set interfaces interface Cell enabled true set interfaces interface Cell ipv4 dhcp point-to-point-connection true...
  • Page 422 IN_UNTRUSTED rule 10 match protocol udp set services firewall filter IN_UNTRUSTED rule 10 match dst-port set services firewall filter IN_UNTRUSTED rule 10 match dst-port services [ ike ntp ]...
  • Page 423 172.18.175.138 remote-host 172.18.175.40 remote-id 172.18.175.40 initiator true initiator-spi 6fae9c7ca839c195 responder-spi 63568d4ca1c3d071 ciphersuite AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 established-time 1 rekey-time 9899 reauth-time services vpn ipsec security-associations security-association 1 name SRX240 state INSTALLED mode TUNNEL...
  • Page 424 12.1.2 JUNOS 12.1.2.1 Configuration The configuration below assumes that interface ge-0/0/0 is the external WAN interface and vlan.0 is the VLAN interface that includes all LAN ports. # IKE/IPsec configuration set security ike proposal IKE-PROP-PSK authentication-method pre-shared-keys set security ike proposal IKE-PROP-PSK dh-group group14...
  • Page 425 UNTRUST host-inbound-traffic system-services ike set security zones security-zone UNTRUST host-inbound-traffic system-services ping set security zones security-zone UNTRUST host-inbound-traffic system-services ntp set security zones security-zone UNTRUST interfaces ge-0/0/0.0 # Security policies set security policies from-zone TRUST to-zone UNTRUST policy ORBIT138-NET-1-SA match source-address...
  • Page 426 Bridge filter input IN_TRUSTED set interfaces interface Bridge filter output OUT_TRUSTED set interfaces interface Bridge bridge-settings members port ETH1 set interfaces interface Bridge bridge-settings members port ETH2 # Cell interface configuration...
  • Page 427 DMVPN host-to-host set services vpn ipsec connection DMVPN filter input IN_TRUSTED set services vpn ipsec connection DMVPN filter output OUT_TRUSTED # Multipoint GRE tunnel configuration set interfaces interface GRE1 type gre...
  • Page 428 PRIMARY-HUB export-filter LOCAL-LAN set routing bgp neighbor PRIMARY-HUB local-as 65550 set routing bgp neighbor PRIMARY-HUB peer-as 65500 set routing bgp neighbor PRIMARY-HUB hold-time 30 set routing bgp neighbor PRIMARY-HUB keepalive-time 10...
  • Page 429 OUT_UNTRUSTED rule 2 actions set services firewall filter OUT_UNTRUSTED rule 2 actions action drop 12.2.1.2 Status # IKE/IPsec status > show services vpn services vpn ike security-associations security-association 5...
  • Page 430 DMVPN state ESTABLISHED local-host 172.18.175.138 local-id "C=US, ST=NY, L=Rochester, O=GE MDS, OU=ENGG, CN=VZW138.com" remote-host 172.18.175.45 remote-id "CN=DMVPN-HUB.com, OU=ENGG, O=GE MDS, L=Rochester, ST=NY, C=US, unstructuredName=DMVPN-HUB.com" initiator true initiator-spi ba596984ff972043 responder-spi 0c2e769cbc243bf3 ciphersuite AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 established-time 574 rekey-time 9200 reauth-time 2075232 services vpn ipsec security-associations security-association 4...
  • Page 431 0 statistics import-withdraws-ignored 0 statistics import-withdraws-accepted 0 statistics export-updates-received 8 statistics export-updates-rejected 1 statistics export-updates-filtered 6 statistics export-updates-accepted 1 statistics export-withdraws-received 0 statistics export-withdraws-accepted 0 local-state established peer-address 172.16.0.1...
  • Page 432 # Certificate configuration crypto pki trustpoint DMVPN-3-TIER-SUBCA-2 enrollment terminal pem subject-name C=US, ST=NY, L=Rochester, O=GE MDS, OU=ENGG, CN=DMVPN-HUB.com revocation-check none rsakeypair DMVPN-3-TIER-SUBCA-2 2048 # Below assumes that Orbit client certificates have ‘orbit’ string in the common name. This enables this certificate map to be used for all Orbits that connect to this router....
  • Page 433 DMVPN_TRANSFORM esp-aes 256 esp-sha-hmac mode transport crypto ipsec profile DMVPN set transform-set DMVPN_TRANSFORM set ikev2-profile DMVPN_IKEV2_PROFILE # Multipoint GRE tunnel configuration interface Tunnel0 description DMVPN NETWORK ip address 172.16.0.1 255.255.255.0 no ip redirects...
  • Page 434 Status 172.18.175.45/4500 172.18.175.138/4500 none/none READY Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA Life/Active Time: 86400/1714 sec IPv6 Crypto IKEv2 SA DMVPN-HUB#show crypto ipsec sa...
  • Page 435 0xCF3F2463(3477021795) transform: esp-256-aes esp-sha-hmac , in use settings ={Transport, } conn id: 2682, flow_id: Onboard VPN:682, sibling_flags 80000000, crypto map: Tunnel0-head-0...
  • Page 436 - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 172.18.175.62 to network 0.0.0.0 0.0.0.0/0 [1/0] via 172.18.175.62 10.0.1.0/24 is variably subnetted, 2 subnets, 2 masks...
  • Page 437 Bridge ipv4 address 192.168.1.1 prefix-length 24 set interfaces interface Bridge filter input IN_TRUSTED set interfaces interface Bridge filter output OUT_TRUSTED set interfaces interface Bridge bridge-settings members port ETH1...
  • Page 438 SRX240 ipsec-policy SRX240-IPSEC-POLICY set services vpn ipsec connection SRX240 local-ip-subnet 172.16.1.2/32 set services vpn ipsec connection SRX240 remote-ip-subnets 172.16.1.1/32 set services vpn ipsec connection SRX240 filter input IN_TRUSTED...
  • Page 439 IN_UNTRUSTED rule 11 actions set services firewall filter IN_UNTRUSTED rule 11 actions action accept set services firewall filter IN_UNTRUSTED rule 12 match protocol all set services firewall filter IN_UNTRUSTED rule 12 actions...
  • Page 440 694 rekey-time 9143 reauth-time 1852140901 services vpn ipsec security-associations security-association 196 name SRX240_SA state INSTALLED mode TUNNEL udp-encap false in-spi cce4cde5 out-spi 4c84f08c ciphersuite AES_CBC-128/HMAC_SHA2_256_128/MODP_2048 in-bytes in-packets 0 in-last-use 1621200...
  • Page 441 0 family inet address 172.18.175.40/26 # Local LAN#1 interface set interfaces vlan unit 0 family inet address 192.168.3.1/24 set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust-1 set vlans vlan-trust-1 vlan-id 1 set vlans vlan-trust l3-interface vlan.0 # Local LAN#2 interface set interfaces vlan unit 1 family inet address 192.168.4.1/24...
  • Page 442 UNTRUST host-inbound-traffic system-services ike set security zones security-zone UNTRUST host-inbound-traffic system-services ping set security zones security-zone UNTRUST host-inbound-traffic system-services ntp set security zones security-zone UNTRUST interfaces ge-0/0/0.0...
  • Page 443 ORBIT135 ike-policy IKE-POLICY-PSK set security ike gateway ORBIT135 address 172.18.175.135 set security ike gateway ORBIT135 local-identity inet 172.18.175.40 set security ike gateway ORBIT135 external-interface ge-0/0/0 set security ike gateway ORBIT135 version v2-only # IPsec set security ipsec vpn ORBIT135 bind-interface st0.0...
  • Page 444 *[Direct/0] 1w5d 20:14:55 > via lo0.0 172.16.1.2/32 *[Static/5] 1w2d 20:03:32 > via st0.0 172.18.175.0/26 *[Direct/0] 1w5d 18:34:56 > via ge-0/0/0.0 172.18.175.40/32 *[Local/0] 1w5d 18:35:03 Local via ge-0/0/0.0 192.168.3.0/24 *[Direct/0] 1w5d 18:34:56...
  • Page 445 Local via vlan.0 192.168.4.0/24 *[Direct/0] 1w5d 18:34:56 > via vlan.1 192.168.4.1/32 *[Local/0] 1w5d 20:14:32 Local via vlan.1 192.168.1.0/24 *[Static/5] 1w5d 18:35:02 > via gr-0/0/0.0 192.168.2.0/24 *[Static/5] 1w5d 18:35:02 > via gr-0/0/0.0...
  • Page 446: Configuration Examples

    ETH1 security security-mode EAP set interfaces interface ETH1 security radius-server ghost set interfaces interface ETH2 security security-mode EAP set interfaces interface ETH2 security radius-server ghost...
  • Page 447 /etc/freeradius/eap.conf Setup tls { } section with your certificates, key and key password /etc/freeradius/clients.conf # Allow connections from devices in this network client 192.168.1.0/24 { secret = password shortname = ghost...
  • Page 448 EAP. The Orbit is agnostic to the specific EAP method chosen. Examples in this document show Cisco PEAP and EAP-TLS methods being used. 13.2.4 Windows configuration #1 - Cisco PEAP mode The following shows the configuration used to test Cisco PEAP mode on Windows...
  • Page 450 Windows peer. The client certificate and the issuing certificate can be imported using the certmgr.msc utility. The wired interface is configured as shown in the next few diagrams on the following pages:...
  • Page 454 Running Wireshark in administrator mode on the Windows peer captures the EAP-TLS conversation between the Orbit and Windows. This tool can be used to diagnose communication errors on the peer....
  • Page 455 Also, there is no certificate import utility; the certificates can reside anywhere on the file system. 13.2.7 Kubuntu Linux configuration #2 – EAP-TLS mode The following shows an example of configuring EAP-TLS mode on Kubuntu Linux....
  • Page 456 192.168.1.200 auth-port 1812 acct-port 1646 radius-server key password line con 0 line vty 0 4 password cisco line vty 5 15 password cisco Switch#...
  • Page 457 Upon request, in accordance with certain software license terms, GE will make available a copy of Open Source code contained in this product. This code is provided to you on an “as is” basis, and GE makes no representations or warranties for the use of this code by you independent of any GE provided software or services.
  • Page 458 Table 15-1. Country-Specific Installation Data Country Applicable Symbol(s) Installation/Operating Requirements Australia For professional use only, not for sale to the general public. Hot surface—this product is only suitable for installation in restricted access locations....
  • Page 462 TECHNICAL ASSISTANCE Technical assistance for GE MDS products is available from our Technical Support Department during business hours (8:30 A.M.–6:00 P.M. Eastern Time). When calling, please give the complete model number of the product, along with a description of the trouble/symptom(s) that you are experiencing. In many cases, problems can be resolved over the telephone, without the need for returning the unit to the factory.
  • Page 463 GE MDS, LLC 175 Science Parkway Rochester, NY 14620 Telephone: +1 585 242-9600 FAX: +1 585 242-9620 www.gemds.com...

This manual is also suitable for:

MDS Orbit ECR
