REVIEW DRAFT - CISCO CONFIDENTIAL
Cisco Connected Grid WPAN Module for CGR 1000 Series Installation and Cisco Resilient Mesh Configuration Guide (Cisco IOS)
• Hardware Overview
• WPAN Antennas, Connectors, and Cables
• Installing and Removing the Module
• Technical Specifications
• Information About Cisco Resilient Mesh and WPAN
• Configuring Cisco Resilient Mesh and the WPAN Module
This guide explains how to install the IEEE 802.15.4e/g Cisco Connected Grid Wireless Personal Area Network (WPAN) module and how to configure the Cisco Resilient Mesh (formerly known as CG-Mesh). This guide addresses configuration for a Cisco 1000 Series Connected Grid Router (CGR 1000) installed with Cisco IOS software.
• Dynamic network discovery and self-healing network capabilities that are based on IPv6, IEEE 802.15.4e/g, IETF 6LoWPAN, and IETF RPL.
• Robust security functionality including Advanced Encryption Standard (AES) 128-bit encryption, IEEE 802.1X, and IEEE 802.11i-based mesh security.
• WPAN module firmware upgrade functionality.
• WPAN module interface statistics and status.
The IEEE 802.15.
Model: CGM-WPAN-OFDM-FCC
Description: WPAN RF 900 Plug-in module for CGR 1000 routers. Provides access to 900 MHz mesh networks.

WPAN Module Assembly
The following figure shows the CGM-WPAN-FSK-NA WPAN module assembly.
The following figure shows the CGM-WPAN-OFDM-FCC WPAN module assembly.
Figure 3: Front Panel of the Cisco Connected Grid WPAN Module
1 Captive screws
2 Status LED
3 Antenna connector

Status LED
The Status LED provides a visual indicator of the available services. The following tables list the status LED colors and their meanings.

Table 2: LED Indicator of the CGM-WPAN-FSK-NA WPAN Module
Color: Green
Description: Indicates the RF status:
• Off: WPAN module is not powered.
• Steady On: WPAN module is powered on, hardware is functional.
LED Name: WPAN
Definition: WPAN traffic activity detect.
State:
• Yellow (Off) / Green (Off): WPAN port is disabled.
• Yellow (On) / Green (Off): Searching for network.
• Yellow (Off) / Green (Slow Blink): WPAN port is up.
• Yellow (Off) / Green (Fast Blink): Route is available and DHCPv6 configuration is starting.
• Yellow (Off) / Green (On): Global IPv6 address is available.

LED Name: SYS
Definition: Indicates module status.
Table columns: Case Description; Indoor Cable; Adapter or Outdoor Cable; Lightning Arrestor; Antenna
Case 2: RF900 External Antenna, QMA connector (f), quantity=1
• RA-QMA(m) to RA-MCX(m), LMR-100, 10.5”, quantity=1, model no. CAB-L100-10-Q-M, Cisco part no. 37-1391-01
• Bulkhead adapter, MCX(f) receptacle – N(f), quantity=1, Cisco part no. 29-5950-01
• 900 MHz ISM band, omnistick, N(f), quantity=1, model no. ANT-WPAN-OM-OUT-N, Cisco part no.
• Clearance to the I/O side view is such that the LED can be read.
• Airflow around the WPAN module and through the vents is unrestricted.
• Temperature around the unit does not exceed 140 degrees F (60 degrees C). If the WPAN module is installed in a closed or multi-rack assembly, the temperature around it might be higher than normal room temperature.
• Relative humidity around the WPAN module does not exceed 95% (non-condensing).
Installing the Module
Follow these steps to install the module in an available slot in the CGR 1120 or CGR 1240:

Caution: Do not hot swap the WPAN module. Power down the module first.

Procedure
Step 1: Before you install the WPAN module within the host router (or remove the module), you must power down the router as described in the Cisco 1120 Connected Grid Router Hardware Installation Guide or the Cisco 1240 Connected Grid Router Hardware Installation Guide.
Technical Specifications

Environmental Specifications
Following are the operating temperature ranges for the CGR:
• CGR 1120: -40 to 140 degrees F (-40 to 60 degrees C)
• CGR 1240: -40 to 158 degrees F (-40 to 70 degrees C)
Table 6: WPAN Module Environmental Specifications, on page 10, lists the environmental specifications for the WPAN module.
Table 8: Default Frequencies of Channels
Channel Number | Channel Frequency (MHz) | Channel Number | Channel Frequency (MHz) | Channel Number | Channel Frequency (MHz) | Channel Number | Channel Frequency (MHz)
0 | 902.400 | 16 | 908.800 | 32 | 915.200 | 48 | 921.600
1 | 902.800 | 17 | 909.200 | 33 | 915.600 | 49 | 922.000
2 | 903.200 | 18 | 909.600 | 34 | 916.000 | 50 | 922.400
3 | 903.600 | 19 | 910.000 | 35 | 916.400 | 51 | 922.800
4 | 904.000 | 20 | 910.400 | 36 | 916.800 | 52 | 923.200
5 | 904.
the communication module. Resilient Mesh Endpoints (RMEs) support an IEEE 802.15.4e/g interface and standards-based IPv6 communication stack, including security and network management. Cisco Resilient Mesh supports a frequency-hopping radio link, network discovery, link-layer network access control, network-layer auto configuration, IPv6 routing and forwarding, firmware upgrade, and power outage notification. See Power Outage Notification, on page 23.
Physical Layer
RMEs use the communication module in a manner that is compliant with the IEEE 802.15.4g PHY standard. The following PHY parameters are determined by the capabilities of the hardware:
• 902-to-928 MHz ISM band, with 64 non-overlapping channels, 400 kHz spacing and 150 kbps data rate for 2-FSK; CGM-WPAN-OFDM supports 2-FSK with 200 kHz channel spacing and 50 kbps data rates with 129 channels.
• OFDM Option 2 802.15.4g.
EAP messages between the CGR and a joining interface because the joining interface might be multiple mesh hops away from the CGR. CGRs communicate with a standard AAA server using the RADIUS protocol.
• Evicting nodes—To evict nodes from a network, the CGR must communicate a new Group Temporal Key (GTK) to all nodes in the PAN except those being evicted. The new GTK has a valid lifetime that begins immediately.
Frequency Hopping
RMEs implement frequency hopping across up to 31 channels of 800 kHz, with PHY data rates of 50 kbps, 200 kbps, 400 kbps, 800 kbps and 1200 kbps, in the 902-to-928 MHz ISM band. The frequency hopping protocol maximizes the use of the available spectrum by allowing multiple sender-receiver pairs to communicate simultaneously on different channels. The frequency hopping protocol also mitigates the negative effects of narrowband interferers.
IPv6 Network Layer
RMEs implement standard IPv6 services. The IPv6 layer forwards IPv6 datagrams between the mesh and serial interfaces. The IPv6 layer also uses the mesh interface to forward IPv6 datagrams across other communication modules.
• RMEs support both unicast and multicast forwarding. Layer-3 multicast is mapped to Layer-2 broadcast.
• RFC 768 User Datagram Protocol (UDP) is the recommended transport layer protocol over 6LoWPAN.
• RFC 6719: The Minimum Rank with Hysteresis Objective Function

RPL does the following:
• Offers a number of advanced features, such as trickle timers limiting the chattiness of the control plane, dynamic link (hop count, throughput, latency, link/path reliability (ETX), link colors), and node routing metrics (node state/attribute, node power levels) for constraint-based routing useful for combined AMI (Advanced Metering Infrastructure) and DA (Distributed Automation) depl
The traffic on RMEs is marked by the vendor implementation (configuration functionality is not available). If required, traffic can be remarked on the CGR.

IPv6 Multicast Forwarding
RMEs deliver IPv6 multicast messages that have an IPv6 destination address scope larger than link-local when using a Layer-2 broadcast. When RMEs receive a global-scope IPv6 multicast message, the node delivers the message to higher layers if the node is subscribed to the multicast address.
Note: In Release 6.2, FND doesn't support the group configuration. You need to invoke the API to configure the group.

The overall process of FND management can be divided into the following stages:
Figure 6: FND Management Process
• Stage 1: Subscribing IPv6 multicast group address from FND. After a node joins the network, it sends the register message to FND, as shown in the figure above.
• Stage 4: Subscribing all IPv6 multicast group addresses in a PAN on CGR. Nodes send DAO messages directly to the CGR. The multicast group information, with multicast group addresses and MPL domain, is inserted into one DAO option. The CGR adds the multicast group entry for the WPAN interface, so that the CGR can forward multicast data messages from the application server to nodes.
• Stage 5: Sending multicast message from application server to nodes.
• Stage 2: Managing IPv6 multicast group address on node. The application server pushes a node's IPv6 multicast group addresses (maximum is 4) to nodes. At the same time, nodes can also call SDK APIs (if_addmaddr, if_delmaddr, if_getmaddrs) to add/delete/get multicast group addresses.
• Stage 3: Optionally notifying node’s IPv6 multicast group address to application server.
Certificate Management with EST Protocol
Enrollment over Secure Transport (EST) is a cryptographic protocol for certificate management, targeting public key infrastructure (PKI) clients that need to acquire client certificates and associated certificate authority (CA) certificates. EST uses Public-Key Cryptography Standards (PKCS) 10 for certificate requests.
EST provides an operation for the client to retrieve a bundle of CA certificates from the server, including 802.1x CA and the NMS certificate, as well as the EST-related certificates. EST supports enrollment in which the client generates its own private key. With client-side key generation, the client sends a /sen (simpleenroll) request with the CSR. The EST server processes the request and, if it is valid, returns the client certificate in a PKCS7 Response.
• Network discovery time—To assist field installations, RMEs support mechanisms that allow a node to determine whether or not it has good connectivity to a valid mesh network. For more information, see Network Discovery, on page 13.
The following figure shows the Cisco Resilient Mesh authentication overview:
Figure 8: Cisco Resilient Mesh Authentication Overview

Stages of Authentication
The Cisco Resilient Mesh meter must go through five stages of authentication before it connects with the CGR:
• Stage 1: Key information exchange
• Stage 2: 802.1X/EAP-TLS authentication (ECC cipher suite certificate)
• Stage 3: 802.
Compromised Node Eviction
A compromised node is one where the device can no longer be trusted by the network and/or operators. Nodes within an IEEE 802.15.4 PAN must possess the currently valid Group Temporal Key (GTK) to send and receive link-layer messages. The GTK is shared among all devices within the PAN and is refreshed periodically or on-demand. By only communicating new GTKs to trusted devices, compromised nodes might be evicted from the network.
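The eviction mechanism described here and in the earlier "Evicting nodes" item, as an added Python model (not Cisco code and not part of the original guide): frames are authenticated under the current GTK, so a node skipped during a key roll can neither get frames accepted nor verify new traffic. Assumptions: HMAC-SHA256 stands in for the AES-128 link-layer protection so the model runs on the standard library alone, key delivery is modelled as direct assignment, and the node names and one-byte key index are constructed.

```python
import hashlib
import hmac
import secrets

MIC_LEN = 8  # constructed choice: truncated integrity tag length for this model


class Pan:
    """Toy PAN whose link-layer frames are protected by one shared GTK."""

    def __init__(self, node_ids):
        self.key_index = 0
        self.gtk = secrets.token_bytes(16)  # 128-bit group key
        # Every admitted node starts with the current (key index, GTK) pair.
        self.nodes = {n: (self.key_index, self.gtk) for n in node_ids}

    def evict(self, evicted):
        """Roll the GTK and give the new key only to nodes that stay trusted."""
        self.key_index += 1
        self.gtk = secrets.token_bytes(16)
        for n in self.nodes:
            if n not in evicted:
                self.nodes[n] = (self.key_index, self.gtk)


def protect(key_index, gtk, payload):
    """Sender side: prepend the key index and append a MIC keyed with the GTK."""
    header = bytes([key_index])
    mic = hmac.new(gtk, header + payload, hashlib.sha256).digest()[:MIC_LEN]
    return header + payload + mic


def accept(key_index, gtk, frame):
    """Receiver side: return the payload if the frame verifies, else None."""
    idx, payload, mic = frame[0], frame[1:-MIC_LEN], frame[-MIC_LEN:]
    if idx != key_index:
        return None  # frame was keyed under a GTK this node does not hold
    want = hmac.new(gtk, bytes([idx]) + payload, hashlib.sha256).digest()[:MIC_LEN]
    return payload if hmac.compare_digest(mic, want) else None


def demo():
    pan = Pan(["meter-a", "meter-b", "meter-c"])  # constructed node names
    before = accept(*pan.nodes["meter-a"], protect(*pan.nodes["meter-c"], b"reading"))
    pan.evict({"meter-c"})
    # meter-c still sends under the old GTK; meter-a now rejects it.
    stale = accept(*pan.nodes["meter-a"], protect(*pan.nodes["meter-c"], b"reading"))
    # meter-c cannot verify traffic keyed under the GTK it never received.
    missed = accept(*pan.nodes["meter-c"], protect(*pan.nodes["meter-a"], b"reading"))
    peers = accept(*pan.nodes["meter-b"], protect(*pan.nodes["meter-a"], b"reading"))
    return before, stale, missed, peers
```

Because eviction is only the absence of a key update, a roll that reaches the evicted node by any path defeats it, which is why the new GTK must go only to trusted devices.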
Note: Your CGR1000 router must be running Cisco IOS Release 15.7(3)M1 (cgr1000-universalk9-bundle.SPA.157-3.M1.bin) or greater to support the CGM WPAN-OFDM Module.

Configuring the WPAN Interface
At the CGR 1000, configure the WPAN Module interface as follows:
    cgr1000_wpanmodule# config terminal
    cgr1000_wpanmodule(config)# interface wpan
    cgr1000_wpanmodule(config-if)#

Enabling dot1x, mesh-security, and DHCPv6
You must enable the dot1x (802.
    Router(config-if)# ieee154 panid 2121
For sample configuration, see show wpan config, on page 55.

Naming the SSID
The Service Set Identifier (SSID) identifies the owner of the RME. The SSID is set on an RME in manufacturing, and that same SSID must also be configured on the CGR WPAN interface.
Naming the Notch
A notch is a list of disabled channels from the 902-to-928 MHz range. If there is no notch at all, then all channels are enabled. If there is a notch [x, y], then channels between x and y are disabled. Notch configuration must comply with your regional regulations (for example, a notch configuration is not required for U.S.). Notch configuration must match between the WPAN interface of the CGR and the RME.
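A consistency check for the matching requirement above, as an added Python example (not from the original guide): it expands each side's notch list into enabled channels and reports any channel that only one side has enabled, with its frequency. Assumptions: both endpoints of a notch [x, y] are treated as disabled, and the 64-channel plan with 902.400 MHz base and 0.4 MHz spacing is taken from the default channel frequency table.

```python
def enabled_channels(notches, total=64):
    """Channels left enabled once every [x, y] notch is applied."""
    disabled = set()
    for x, y in notches:
        if not 0 <= x <= y < total:
            raise ValueError(f"notch [{x}, {y}] is outside channels 0..{total - 1}")
        disabled.update(range(x, y + 1))  # assumption: both endpoints are disabled
    return [ch for ch in range(total) if ch not in disabled]


def channel_mhz(ch, base=902.4, spacing=0.4):
    """Channel frequency per the default table (channel 0 = 902.400, 1 = 902.800)."""
    return round(base + spacing * ch, 3)


def notch_mismatch(cgr_notches, rme_notches, total=64):
    """Channels enabled on only one side; two empty dicts mean the notches agree."""
    cgr = set(enabled_channels(cgr_notches, total))
    rme = set(enabled_channels(rme_notches, total))
    return {
        "cgr_only": {ch: channel_mhz(ch) for ch in sorted(cgr - rme)},
        "rme_only": {ch: channel_mhz(ch) for ch in sorted(rme - cgr)},
    }


# Constructed sample: the RME notch stops one channel short of the CGR notch.
SAMPLE = notch_mismatch(cgr_notches=[(10, 12)], rme_notches=[(10, 11)])
```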
Table 10: Summary of CLI Interface commands for the CGM WPAN OFDM Module

Command: ieee154 phy-mode <1-255>
Definition: Defines the IEEE154 PHY mode. Possible options noted below, default value is 149.
• 1: Classic; Rate=50 kb/s; Modulation=2FSK; Modulation Index=1.0; FEC=ON; Channel Spacing=200 kHz
• 17: Classic; Rate=50 kb/s; Modulation=2FSK; Modulation Index=1.0; FEC=OFF; Channel Spacing=200 kHz
• 2: Classic; Rate=150 kb/s; Modulation=2FSK; Modulation Index=0.
Command: ieee154 txpower <-65 - 35>
Definition: Enter a value between -65 and 35, where 25 is the default transmission power value.

Command: [no] rpl dag-lifetime <15-255>
Definition: Enter a value between 15 and 255 seconds. Default is 120.

Command: [no] rpl storing-mode
Definition: Enter command to enable RPL storing mode on the interface. Enter no rpl storing-mode to disable the command.
Note: CGR must be reloaded for the rpl storing-mode command to take effect.
The PHY mode change causes the following config changes: channel to 254; notch to none.

Note: Adaptive modulation only supports configuring PHY modes of the same OFDM option, or of the same OFDM option plus FSK PHY modes.
Setting the Minimum Version Increment
To set the minimum time between RPL version increments, use the version-incr-time command:
    Router(config-if)# rpl version-incr-time ?
      <10-600>  Enter a value between 10 and 600
    Router(config-if)# rpl version-incr-time 15
For sample configuration, see show wpan config, on page 55.

Setting the DODAG Lifetime Duration
To set the Destination-Oriented Directed Acyclic Graph (DODAG) lifetime duration, use the dag lifetime command.
    Router(config-if)# ipv6 ?
To enable IPv6 on an interface, use:
    Router(config-if)# ipv6 enable

Configuring IPv6 DHCP Relay
To configure the IPv6 DHCP relay, use the ipv6 dhcp relay command:
    Router(config-if)# ipv6 dhcp relay destination
The IPv6 address of the DHCP server displays as:
    !
    interface Wpan3/1
     no ip address
     ip broadcast-address 0.0.0.
    !
    interface Tunnel0
     description IPsec tunnel to SOL-ASR-7
     ip unnumbered Loopback0
     ip pim sparse-mode
     ipv6 unnumbered Loopback0
     ipv6 enable
     ipv6 mld join-group FF38:40:2006:DEAD:BEEF:CAFE:0:1
     ipv6 ospf 1 area 1
     ipv6 ospf mtu-ignore
     tunnel source Dialer1
     tunnel destination dynamic
     tunnel protection ipsec profile FlexVPN_IPsec_Profile
    !