Technical Specs
Table Of Contents
- Cisco Connected Grid WPAN Module for CGR 1000 Series Installation and Cisco Resilient Mesh Configuration Guide (Cisco IOS)
- Hardware Overview
- WPAN Antennas, Connectors, and Cables
- Installing and Removing the Module
- Technical Specifications
- Information About Cisco Resilient Mesh and WPAN
- Configuring Cisco Resilient Mesh and the WPAN Module
- Configuring the WPAN Interface
- Configuring the CGM WPAN OFDM Module
- Configuring Adaptive Modulation
- Configuring Group Multicast
- Configuring RPL
- Configuring IPv6
- Configuring PON RPL
- Configuring the Power Outage Server
- Configuring QoS
- Configuring Cisco Resilient Mesh Security
- Configuring IPv6 Multicast Agent
- Configuring Dual-PHY WPAN
- Configuring DTLS Relay for EST
- Configuring Wi-SUN Mode
- Verifying Connectivity to the CGR
- show Command Examples
- Debugging the WPAN Module
- Sample Router Configuration
- Sample CGR and ASR Configuration
- Checking and Upgrading the WPAN Firmware Version
- Related Documentation
- Obtaining Documentation and Submitting a Service Request
• Network discovery time—To assist field installations, RMEs support mechanisms that allow a node to determine whether or
not it has good connectivity to a valid mesh network. For more information, see Network Discovery, on page 13.
• Network formation time—To assist field installations, RMEs use mechanisms that allow up to 5,000 nodes in a single WPAN
to go through the complete network-discovery, access-control, network configuration, route formation, and application registration
process.
• Network restoration time—The mechanism that aids the rerouting of traffic during a link failure.
• Power outage notification—For more information, refer to Power Outage Notification, on page 23.
Cisco Resilient Mesh Security
Cisco Resilient Mesh Network Access Control and Authentication
Cisco Resilient Mesh WPAN Network Access Control (WNAC) authenticates a node before the node gets an IPv6 address. WNAC
uses standard, widely deployed Network Access Control protocols, in particular IEEE 802.1X with EAP-TLS, to perform mutual
authentication between a joining Low Power and Lossy Network (LLN) device and an AAA server. In addition, Cisco Resilient Mesh
uses the secure key management mechanisms introduced in IEEE 802.11i so that the CGR can securely manage the link keys of each
Cisco Resilient Mesh device.
LLNs are typically multi-hop, so Cisco Resilient Mesh must support EAPOL over multi-hop networks. In particular, the Supplicant
(LLN device) might not have direct link connectivity to the Authenticator (CGR). Cisco Resilient Mesh therefore uses a Split
Authenticator as a communication relay for the Authenticator. Every device that has successfully joined the network also serves
as a Split Authenticator, accepting EAPOL frames from devices that are attempting to join. Because Cisco Resilient Mesh performs
IP-layer routing, the Split Authenticator relays EAPOL frames between a joining device and the Authenticator over UDP. With a
Split Authenticator in place, the authentication and key management protocol is identical from the LLN device's point of view
whether it is a single hop from the CGR or multiple hops away.
To manage group keys, Cisco Resilient Mesh introduces mechanisms for efficiently distributing and refreshing them, built on the
key management mechanisms specified in IEEE 802.11i.
The CGR and Cisco Resilient Mesh devices use the IEEE 802.11 key hierarchy in persistent state to minimize the overhead of
maintaining and distributing group keys. In particular, an LLN device first checks if it has a valid Group Temporal Key (GTK) by
verifying the key with one of its neighbors. If the GTK is valid, the node can begin communicating in the network immediately.
Otherwise, the device then checks if it has a valid Pairwise Temporal Key (PTK) with the CGR. If the PTK is valid, the CGR initiates
a two-way handshake to communicate the current GTK. Otherwise, the device checks if it has a valid Pairwise Master Key (PMK)
with the CGR. If the PMK is valid, the CGR initiates a two-way handshake to establish a new PTK and communicate the current
GTK. Otherwise, the device will request a full EAP-TLS authentication exchange. This hierarchical decision process minimizes the
security overhead in the normal case, where devices might migrate from network-to-network due to environmental changes or network
formation after a power outage. (See Power Outage Notification, on page 23.)
To manage GTKs in a multi-hop mesh network, Cisco Resilient Mesh introduces novel mechanisms for efficiently checking the
consistency of the GTK, PTK, and PMKs. Devices include GTK IDs in IEEE 802.15.4 Enhanced Beacons to quickly verify the
freshness of their GTKs. If any device detects an inconsistency in the GTK state, it requests updated GTKs from the CGR. In addition,
devices include a PTK ID (along with the PMK ID) in GTK request messages sent to the CGR, allowing the CGR to quickly determine
whether to initiate a two-way handshake, four-way handshake, or full EAP-TLS authentication. Including GTK, PTK, and PMK IDs
in the key management messages significantly reduces the latency in detecting (and thus distributing) updated GTKs to all devices
in the network.
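The hierarchical check above (GTK, then PTK, then PMK, then full EAP-TLS) and the GTK request that carries PTK and PMK IDs, modelled in Python as an added example; this is not Cisco code, and the key-ID fields, message shape and function names are assumptions chosen for illustration.

```python
# Model of the rejoin decision described above. Added illustration for this
# page, not Cisco code: key-ID fields, the GTK-request shape and all names are
# assumptions; keys are tracked by opaque IDs as in the beacons/requests above.
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional

class Action(Enum):
    JOIN_NOW = "GTK current: begin communicating immediately"
    TWO_WAY_GTK = "two-way handshake: CGR delivers current GTK"
    NEW_PTK = "handshake: establish new PTK, then deliver current GTK"
    FULL_EAP_TLS = "full IEEE 802.1X EAP-TLS authentication"

@dataclass(frozen=True)
class DeviceKeys:
    """Key IDs an LLN device kept from its last session (None = no key)."""
    gtk_id: Optional[int]
    ptk_id: Optional[int]
    pmk_id: Optional[int]

@dataclass(frozen=True)
class CgrKeyState:
    """Key IDs the CGR currently accepts for one node (constructed sample)."""
    gtk_id: int
    valid_ptk_ids: FrozenSet[int]
    valid_pmk_ids: FrozenSet[int]

def gtk_matches_beacon(device: DeviceKeys, beacon_gtk_id: int) -> bool:
    """Step 1, on the device: compare its GTK ID with a neighbor's Enhanced Beacon."""
    return device.gtk_id is not None and device.gtk_id == beacon_gtk_id

def cgr_handle_gtk_request(ptk_id: Optional[int], pmk_id: Optional[int],
                           cgr: CgrKeyState) -> Action:
    """CGR side: the PTK ID and PMK ID in a GTK request select the cheapest
    exchange that can still deliver the current GTK securely."""
    if ptk_id in cgr.valid_ptk_ids:
        return Action.TWO_WAY_GTK     # PTK still valid: just send the GTK
    if pmk_id in cgr.valid_pmk_ids:
        return Action.NEW_PTK         # PMK still valid: fresh PTK, then GTK
    return Action.FULL_EAP_TLS        # nothing reusable: re-authenticate

def rejoin(device: DeviceKeys, beacon_gtk_id: int, cgr: CgrKeyState) -> Action:
    """Whole decision process for one device rejoining the WPAN."""
    if gtk_matches_beacon(device, beacon_gtk_id):
        return Action.JOIN_NOW
    # GTK stale or missing: ask the CGR, identifying our PTK and PMK by ID
    return cgr_handle_gtk_request(device.ptk_id, device.pmk_id, cgr)
```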
Note: Client certificate and CA certificate size must be less than 1040 bytes; otherwise, the certificate is invalid on the CG-Mesh
device.
REVIEW DRAFT - CISCO CONFIDENTIAL