2730M Im 20150901
2730M Im 20150901
2730M Im 20150901
SEL-2730M
Managed Ethernet Switch
Instruction Manual
20150901
*PM2730M-01*
20122015 by Schweitzer Engineering Laboratories, Inc. All rights reserved.
All brand or product names appearing in this document are the trademark or registered trademark of their respective holders. No SEL
trademarks may be used without written permission. SEL products appearing in this document may be covered by U.S. and Foreign patents.
Schweitzer Engineering Laboratories, Inc. reserves all rights and benefits afforded under federal and international copyright and patent laws in
its products, including without limitation software, firmware, and documentation.
The information in this document is provided for informational use only and is subject to change without notice. Schweitzer Engineering
Laboratories, Inc. has approved only the English language document.
This product is covered by the standard SEL 10-year warranty. For warranty details, visit www.selinc.com or contact your customer service
representative. PM2730M-01
Section 2: Installation
Introduction ..................................................................................................................................................... 2.1
Connecting to the Device ................................................................................................................................ 2.1
Commissioning the Device.............................................................................................................................. 2.4
Navigating the User Interface.......................................................................................................................... 2.4
Device Dashboard............................................................................................................................................ 2.6
Battery Change Instructions .......................................................................................................................... 2.11
Troubleshooting............................................................................................................................................... 6.6
Factory Assistance........................................................................................................................................... 6.7
Appendix E: Syslog
Introduction .....................................................................................................................................................E.1
Remote Syslog Servers....................................................................................................................................E.3
Open Source Syslog Servers ...........................................................................................................................E.3
SEL-2730M Event Logs..................................................................................................................................E.4
Manual Overview
This instruction manual describes the functionality and use of the SEL-2730M
Managed Ethernet Switch. It includes information necessary to install,
configure, test, and operate this device.
An overview of the manuals layout and the topics that are addressed follows.
Preface. Describes the manual organization and conventions used to
present information.
Section 1: Introduction and Specifications. Introduces SEL-2730M
applications, connectivity, and use requirements. This section also lists
specifications.
Section 2: Installation. Provides dimension drawings on the SEL-2730M
and instructions for initializing the SEL-2730M.
Section 3: Managing Users. Explains how users are managed on the
SEL-2730M.
Section 4: Job Done Examples. Provides three Job Done examples.
These examples provide step-by-step configuration of the SEL-2730M
for application in various SCADA and engineering access environments.
Section 5: Settings and Commands. Lists and describes all the
SEL-2730M settings and commands.
Section 6: Testing and Troubleshooting. Provides guidelines for testing
and troubleshooting the SEL-2730M.
Appendix A: Firmware and Manual Versions. Lists firmware and manual
revisions.
Appendix B: Firmware Upgrade Instructions. Provides instructions to
update the firmware in the SEL-2730M.
Appendix C: User-Based Accounts. Provides an introduction to user-based
accounts and the benefits associated with using user-based accounts.
Appendix D: Lightweight Directory Access Protocol. Describes
Lightweight Directory Access Protocol (LDAP) and its use in SEL
products.
Appendix E: Syslog. Provides an introduction to the Syslog protocol and
its uses in SEL products.
Appendix F: Networking Fundamentals. Provides an overview of
Windows Networking and network configuration.
Appendix G: Virtual Local Area Networks. Describes VLANs, their
purpose, and how they should be used in control system environments.
Appendix H: Classless Inter-Domain Routing (CIDR). Explains CIDR and
CIDR notation.
Appendix I: X.509. Explains the structure and use of X.509 certificates.
Safety Information
Dangers, Warnings, This manual uses three kinds of hazard statements, defined as follows:
and Cautions
DANGER
Indicates an imminently hazardous situation
that, if not avoided, will result in death or
serious injury.
WARNING
Indicates a potentially hazardous situation
that, if not avoided, could result in death or
serious injury.
CAUTION
Indicates a potentially hazardous situation
that, if not avoided, may result in minor or
moderate injury or equipment damage.
Safety Symbols The following symbols are often marked on SEL products.
CAUTION ATTENTION
Refer to accompanying documents. Se reporter la documentation.
CAUTION ATTENTION
There is danger of explosion if the battery is incorrectly replaced. Une pile remplace incorrectement pose des risques dexplosion.
Replace only with Ray-O-Vac no. BR1632-B or equivalent Remplacez seulement avec un Ray-O-Vac no BR1632-B ou un produit
recommended by manufacturer. See Owner's Manual for safety quivalent recommand par le fabricant. Voir le guide dutilisateur
instructions. The battery used in this device may present a fire or pour les instructions de scurit. La pile utilise dans cet appareil peut
chemical burn hazard if mistreated. Do not recharge, disassemble, prsenter un risque dincendie ou de brlure chimique si vous en faites
heat above 100C or incinerate. Dispose of used batteries according to mauvais usage. Ne pas recharger, dmonter, chauffer plus de 100C
the manufacturers instructions. Keep battery out of reach of children. ou incinrer. liminez les vieilles piles suivant les instructions du
fabricant. Gardez la pile hors de la porte des enfants.
Disconnect both power supplies before servicing. Dbranchez les deux blocs dalimentation avant lentretien.
DANGER DANGER
Disconnect or de-energize all external connections before opening this Dbrancher tous les raccordements externes avant douvrir cet
device. Contact with hazardous voltages and currents inside this appareil. Tout contact avec des tensions ou courants internes
device can cause electrical shock resulting in injury or death. lappareil peut causer un choc lectrique pouvant entraner des
blessures ou la mort.
DANGER DANGER
Contact with instrument terminals can cause electrical shock that can Tout contact avec les bornes de lappareil peut causer un choc
result in injury or death. lectrique pouvant entraner des blessures ou la mort.
WARNING AVERTISSEMENT
Use of this equipment in a manner other than specified in this manual L'utilisation de cet appareil suivant des procdures diffrentes de
can impair operator safety safeguards provided by this equipment. celles indiques dans ce manuel peut dsarmer les dispositifs de
protection d'oprateur normalement actifs sur cet quipement.
WARNING AVERTISSEMENT
Have only qualified personnel service this equipment. If you are not Seules des personnes qualifies peuvent travailler sur cet appareil. Si
qualified to service this equipment, you can injure yourself or others, vous ntes pas qualifis pour ce travail, vous pourriez vous blesser
or cause equipment damage. avec dautres personnes ou endommager lquipement.
CAUTION ATTENTION
Equipment components are sensitive to electrostatic discharge (ESD). Les composants de cet quipement sont sensibles aux dcharges
Undetectable permanent damage can result if you do not use proper lectrostatiques (DES). Des dommages permanents non-dcelables
ESD procedures. Ground yourself, your work surface, and this peuvent rsulter de labsence de prcautions contre les DES.
equipment before removing any cover from this equipment. If your Raccordez-vous correctement la terre, ainsi que la surface de travail
facility is not equipped to work with these components, contact SEL et lappareil avant den retirer un panneau. Si vous ntes pas quips
about returning this device and related SEL equipment for service. pour travailler avec ce type de composants, contacter SEL afin de
retourner lappareil pour un service en usine.
CAUTION ATTENTION
In order to avoid losing system logs on a factory-default reset, Pour viter de perdre les enregistrements du systme sur un
configure the SEL-2730M to forward Syslog messages. redmarrage dfini par dfaut, configurer le SEL-2730M pour envoyer
les messages de l'enregistreur du systme (Syslog).
Examples
This instruction manual uses several example illustrations and instructions to
explain how to effectively operate the SEL-2730M Managed Ethernet Switch.
These examples are for demonstration purposes only; the firmware
identification information or settings values these examples include may not
necessarily match those in the present version of your SEL-2730M.
Technical Assistance
Obtain technical assistance from the following:
Schweitzer Engineering Laboratories, Inc.
2350 NE Hopkins Court
Pullman, WA 99163-5603 U.S.A.
Phone: +1.509.332.1890
Fax: +1.509.332.7990
Internet: www.selinc.com
Email: info@selinc.com
Introduction
This section includes the following information about the SEL-2730M
Managed Ethernet Switch.
Product Overview on page 1.1
Product Features on page 1.1
Connections, Reset Button, and LED Indicators on page 1.3
Software System Requirements on page 1.6
General Safety and Care Information on page 1.6
Front- and Rear-Panel Diagrams on page 1.7
Dimension Drawing on page 1.7
Specifications on page 1.9
Product Overview
The SEL-2730M Managed Ethernet Switch is designed for the harsh
environments commonly found in the energy and utility industries. The
SEL-2730M supports communications infrastructures built for engineering
access, supervisory control and data acquisition (SCADA), and real-time data
communication, and offers the same reliability found in SEL protective relays.
Product Features
Reliable. Increase availability with the SEL-2730M, which is
designed, built, and tested to function in harsh environments
such as substations. Optional hot-swappable, dual power
supplies allow connectivity to primary and backup power
sources.
Flexible. Maximize flexibility by using SEL-2730M ordering
options to meet different network configurations. Order the
SEL-2730M with Ethernet ports in combinations of copper,
single-mode fiber, and multimode fiber. Add even more
flexibility by using the four small form-factor pluggable (SFP)
modules to change port configurations when network designs
change.
Status Indicators Figure 1.2 shows the layout of the status indicators on the front of the
SEL-2730M. After the device has turned on and is in a normal operating state,
a red LED indicates a non-optimal condition needing operator attention.
Lamp Test
The LAMP TEST button illuminates all front-panel indicators when pressed.
Rear Panel
Pin Description
1 A+
2 A-
3 B+
4 C+
5 C
6 B
7 D+
8 D
Pin Description
1 A+
2 A
3 B+
4 N/C
5 N/C
6 B
7 N/C
8 N/C
Pin Description
1 GND
2 /N
3 +/H
Pin Description
1 GND
2
3 +
Pin Description
C1 Normally Open
C2 Common
C3 Normally Closed
Cleaning Instructions The device should be de-energized (by removing the power
connection to both the power and alarm connection) before
cleaning.
The case can be wiped down with a damp cloth. Solvent-based
cleaners should not be used on plastic parts or labels.
Dimension Drawing
Mounting Options
Mounting The SEL-2730M comes with reversible mounting ears to support both front-
and rear-panel installations. When mounting multiple SEL-2730M in the same
Instructions rack, leave a one-unit space between each device to ensure proper heat
dissipation.
Warranty
The SEL-2730M meets or exceeds the IEEE 1613 Class 2, IEC 61850-3, and
IEC 60255 industry standards for communications devices in electrical
substations for vibration, electrical surges, fast transients, extreme
temperatures, and electrostatic discharge.
SEL manufactures the SEL-2730M through use of the same high standards as
those for SEL protective relays and backs it with the same 10-year worldwide
warranty.
Specifications
Compliance Processing and Memory
Processor Speed: 313 MHz
Designed and manufactured under an ISO 9001 certified quality
management system Memory: 512 MB
UL Recognized to US and Canadian safety standards Storage: 512 MB
(File E231500; NWGQ2, NWGQ8)
Communications Ports
CE Mark
Ethernet Ports
General Ports: 24 rear, 1 front
Operating Environment Data Rate: 10, 100, or 1000 Mbps
Pollution Degree: 2 Front Connector: RJ45 Female
Overvoltage Category: II Rear Connectors: RJ45 Female or LC Fiber (single-mode or
Dimensions multimode)
Standard: IEEE 802.3
1U Rack Mount
Fiber-Optic Ports
Height: 43.7 mm (1.72 inches)
Multimode Option (to 2 km)
Depth: 232.1 mm (9.14 inches)
Maximum TX Power: 14 dBm
Width: 482.5 mm (19 inches)
Minimum TX Power: 19 dBm
Weight
RX Sensitivity: 30 dBm
1.96 kg (4.3 lb)
System Gain: 11 dB
Switching Properties
Source: LED
Switching Method: Store and Forward
Wavelength: 1300 nm
Switching Latency: <7 s
Connector Type: LC (IEC 61754-20)
Switch Fabric
Throughput: 19.2 Gbps Single-Mode Option (to 15 km)
User Roles: Administrator, Engineer, User Manager, 24/48 Volt Power Supply
Monitor Rated Supply Voltage: 2448 Vdc (polarized)
Syslog Input Voltage Range: 19.2 Vdc to 57.6 Vdc
Storage for 60,000 local syslog messages. Power Consumption: <45 W
Support for three remote syslog destinations. Input Voltage
Interruptions: 50 ms @ 48 Vdc
Introduction
This section includes the following information:
Connecting to the Device on page 2.1
Commissioning the Device on page 2.4
Navigating the User Interface on page 2.4
Device Dashboard on page 2.6
Physical Network
Connect the device to your computer as shown in Figure 2.1. Using a standard
RJ45 Ethernet cable, connect the Ethernet port of your computer to the front
Ethernet port (ETH F) of the device. The web management interface of an
uncommissioned SEL-2730M can only be reached through the front Ethernet
port. After commissioning, an additional IP interface can be configured. See
Network Settings on page 5.13 for information on enabling an additional IP
interface.
Ethernet
Ethernet (DHCP Enabled)
Cable
The default URL for the web server via the front port is https://192.168.1.2.
However, if your computer is configured as a DHCP client, the SEL-2730M
Captive Port feature sends the necessary network configuration information
from the SEL-2730M to place your computer in the same subnet as the
SEL-2730M. This will direct any entered URL to the SEL-2730M. More
information about the Captive Port feature can be found in Network Settings
on page 5.13. If you prefer to use a static IP address, you can set these
parameters yourself as described in Configuring a Static IP Address in
Microsoft Windows Networking on page 2.9.
To set your computers network connection to be automatically configured,
follow these steps:
Step 1. Open the Microsoft Windows Network Connections Control
Panel applet. Do this by typing ncpa.cpl in the Windows Run
dialog box, as shown in Figure 2.2. Clicking OK will open the
Network Connections window, which contains a list of the
network devices available on your computer.
Step 3. Select the Internet Protocol (TCP/IP) entry from the This
connection uses the following items list (this entry is usually
located last in the list). Click the Properties button to show the
Internet Protocol (TCP/IP) Properties window (see
Figure 2.5).
Step 2. Enter the account information for the first administrative user.
This requires both a username and a password. The password
must be entered twice to ensure that it is correctly typed,
because the password characters are hidden.
Step 3. Click the Submit button to complete commissioning. When the
page reloads, you will be able to log in as the administrative
user to set up accounts and configure the system. Navigating
the User Interface on page 2.4 provides a general description of
the web interface.
When you log in to the device, you are presented with the Dashboard as
shown in Figure 2.7. The Dashboard gives a quick overview of the status of
the device. The features of the Dashboard are explained in greater detail later
in this section.
The far left frame of the device web interface is the navigation panel.
Selecting any link on this panel will take you to the associated page that
includes all of the settings and configurations for that part of the system. The
navigation panel is always present on the web interface. One of the first tasks
might be to create user accounts for personnel who will be configuring and
maintaining the device. Clicking on the Local Users link in the navigation
panel will open the Accounts page as shown in Figure 2.8.
The Local Users page shown in Figure 2.8 shows the main panel of the web
interface. This sample shows the single administrative user created when the
device was configured. On this page, we can also see the status of each user
account and details about the users.
The Local Users page has an Add New User button above the table. There is
also an Edit button for each user in the table. Each user will also have a Delete
button, except for that user when there is only one administrative user left. The
last administrative user cannot be deleted.
Clicking the Add New User button will display the user form (see Figure 2.9)
to allow changing the role, description, password, or enabled condition of a
user. Clicking the Edit button will show the same form, without the username
box.
Device Dashboard
The device Dashboard is the page that is displayed when a user logs in to the
device. The Dashboard provides a quick overview of the state of the device. To
access the Dashboard from another device webpage, select the Dashboard
link on the left navigation panel.
Network Interfaces The Network Interfaces section of the Dashboard contains icons representing
each physical Ethernet network interface on the device. You can mouse over
any of the network interface port icons to see the current status information of
the port. Clicking one of these icons will add a status area to the Dashboard
and add a line to it containing the statistics for that interface. More
information about network interface configuration can be found in Section 5:
Settings and Commands.
The network interface icons are color coded to indicate the configuration state
of that interface. The interface icon colors and their meanings can be found in
Table 2.1.
Device Information This section of the Dashboard provides version information, including part
number, serial number, and the firmware identification string. This
information can be useful when factory support or firmware upgrades are
necessary.
System Statistics The System Statistics area (see Figure 2.13) of the Dashboard provides some
basic statistics of device operations. This information can quickly help
determine whether the device firmware is operating properly.
Table 2.2 explains the meaning of each of these statistics. The CPU, RAM,
and Storage statistics provide a visual indication of reserve processing or
storage capacity in the unit. Any potential problems related to system resource
utilization would be noticeable through these statistics on the Dashboard.
Statistic Meaning
Diagnostics The Diagnostics section (see Figure 2.14) of the Dashboard provides simple
status indications for the basic hardware systems of the SEL-2730M. This
information can quickly help determine the health of the device hardware and
that it is operating properly.
Configuring a Static To configure the SEL-2730M using a static IP address, you will need to
configure your computer to communicate on the 192.168.1.0/24 subnet. For a
IP Address in description of the Classless Inter-Domain Routing (CIDR) notation, please see
Microsoft Windows Appendix H: Classless Inter-Domain Routing (CIDR).
Networking Step 1. Start the Microsoft Windows Command Terminal.
a. Open the Run command (from the Start menu).
NOTE: The instructions in this b. Type cmd in the text box.
section are provided in the event
you decide to use a static IP c. Click OK.
address to access the device
instead of configuring your
computer for DHCP.
Step 5. Select the Internet Protocol (TCP/IP) entry from the This
connection uses the following items list (usually located last
in the list). Click the Properties button.
Introduction
This section includes the following:
User-Based Accounts on page 3.1
Adding a User on page 3.2
Editing a User and Resetting a Password on page 3.2
Removing a User on page 3.3
Enabling or Disabling a User on page 3.3
Changing a User Password on page 3.4
User-Based Accounts
The SEL-2730M has user-based access control to provide for greater
authentication, authorization, and accountability. Individuals responsible for
configuring, monitoring, or maintaining the device will have their own unique
user accounts. User-based access controls are organized to answer, Who did
what and when? and allow flexibility for detailed auditing. This structure
also eases the burden of password management for the operators by only
requiring users to remember their own personal passwords. This eliminates
the need for each operator to remember a new password every time an
employee leaves or no longer needs access as required in a global account
structure.
Permissions of the device are organized into roles, and access is granted
through role-based access controls (RBACs). The device has four roles:
Administrator, Engineer, User Manager, and Monitor. User account privileges
are based on the group (i.e., role) in which the user is a member. A brief
overview of each role is provided below.
Users with the Administrator role have full access to the device.
Users with the Engineer role have access to most settings and
information on the device. The main exception to this is user
account management.
Users with the User Manager role have access to manage users
on the device. Access to other settings is restricted.
Users with the Monitor role have read-only access to most of
the device settings.
Adding a User The device supports as many as 256 unique local user accounts. Use the
following steps to create a new user account.
Step 1. Log in to the device with an account that is a member of either
the Administrator or the User Manager group. The account you
created during commissioning is one such account.
Step 2. Select the Local Users link from the navigation menu of the
web management interface. This link will open the User
Accounts page. From this page, a user with the Administrator
or the User Manager role can view, add, enable, disable, or
delete other users.
Step 3. Click Add New User.
Step 4. Enter the Username, Role, and Password of the new user. The
password must be entered twice to confirm that it has been
entered correctly.
Step 5. Click the Submit button. This will add the new user to the
device.
Editing a User and The device provides an Administrator or User Manager user with the ability to
edit account information for existing accounts. With this function, users can
Resetting a Password reset forgotten passwords, reassign group membership, and enable or disable
an account. Please perform the following steps to reset an accounts password.
Step 1. Log in to the device with an account that is a member of the
Administrator or User Manager group. The account you created
during commissioning is one such account.
Step 2. Select the Local Users link from the navigation menu of the
web management interface. This link will open the User
Accounts page. From this page, a user with the Administrator
or the User Manager role can view, add, edit, enable, disable, or
delete other users.
Step 3. Click the Edit button associated with the account that you want
to edit. This step will open the Edit User form.
Step 4. To change the users password, enter the new password,
confirm the new password, and click the Submit button.
Removing a User In the case where an employee leaves the company, you should remove the
employees account to prevent security breaches. The device allows for the
easy removal of user accounts. Please follow these steps to remove an account.
Step 1. Log in to the device with an Administrator or User Manager
account. The account you created during commissioning is one
such account.
Step 2. Select the Local Users link from the navigation menu of the
web management interface. This link will open the User
Accounts page. From here, an Administrator or User Manager
can view, add, edit, enable, disable, or delete other users.
Step 3. Click the Delete button associated with the account that you
want to remove.
Step 4. Verify that the user to be deleted is the correct user.
Step 5. Once verified, click Delete. If this person is not the correct
user, click No to go back to the User Accounts page.
Enabling or Disabling If an employee takes an extended leave of absence or has a temporary change
in duties, the employees account should be disabled to prevent unauthorized
a User access to the device. Disabling the account will maintain the account
information while preventing unauthorized access to the system during the
absence. The account can be reactivated when the employee resumes normal
duties. Please use the following steps to enable or disable a user's account.
Step 1. Log in to the device with an account that is a member of the
Administrator or User Manager group. The account you created
during commissioning is one such account.
Step 2. Select the Local Users link from the navigation menu of the
web management interface.
Step 3. This link will open the User Accounts page. From here, an
Administrator or User Manager can view, add, edit, enable,
disable, or delete other users.
Step 4. Click the Edit button associated with the account that you want
to edit. This step will open the Edit User form.
Step 5. If an account is currently enabled, uncheck the Account
Enabled button to disable the account. To enable an account
that has been disabled, check Account Enabled.
Changing a User Many organizations have policies requiring employees to change their system
passwords at regular intervals. To aid with these policies, users on the device
Password can change their own passwords. Please use the following steps to change
your password.
Step 1. Log in to the device.
Step 2. Select the Local Users link from the navigation menu of the
web management interface.
Users of the Monitor or Engineer group will only see a Change
Your Password button. Users of the User Manager or
Administrators group will see all user accounts of the device, as
well as the same Change Your Password button.
Step 3. Select the Change Your Password button. This step will bring
up the form to change your password. Enter your old password,
new password, and click the Submit button to change your
password.
LDAP Server
SEL-2730M SEL-3354
SEL-2730M
Log in as Alice
Yes
Connection Established
Log in as Bob
No
Connection Refused
NOTE: This device is not compatible SEL cannot guarantee that the device will be compatible with all possible
with LDAP deployments that permit
commas in usernames. LDAP server architectures and implementations. Commissioning and
configuration of an LDAP server typically requires advanced knowledge of
certificate authority hierarchies and centralized user group configurations. It is
important that an organizations LDAP server administrators be involved
during the design and implementation process to ensure that the device
settings will be compatible with your organizations specific trust
management infrastructure.
Hosts The device needs to know the name and IP address of your LDAP server to
know how to contact it. Select Hosts from the navigation panel on your
webpage to view and edit the Hosts settings, see Figure 3.3.
The Host Settings page provides a method to statically map IP addresses with
external device hostnames such as your LDAP servers. To map an IP address
to a hostname, select Add Host. The SEL-2730M supports as many as 64
hosts.
LDAP Settings Now that your device knows who and where your LDAP servers are, we can
configure the device to access those servers. Select Accounts / LDAP in the
navigation panel on your webpage to view the LDAP configuration (see
Figure 3.4).
Figure 3.5 shows the LDAP Connection Settings form and all the options for
communicating with your LDAP servers. To simplify configuration, we have
included a form for your LDAP administrators to complete, which you can use
to populate all the LDAP fields. This form is located in Appendix D:
Lightweight Directory Access Protocol.
The LDAP Enabled setting must be set checked to make centrally managed
accounts available to the SEL-2730M for logins. When LDAP is enabled, if
the credentials entered by the user are not found in the locally configured
accounts on the SEL-2730M, it will next consult the enterprise directory using
LDAP to attempt to authenticate the user. If LDAP authentication is
successful, the directory service will supply user attributes that indicate the
privilege level of the user when logging in to this device.
The TLS Required setting determines whether the connection to the LDAP
server will be protected by a TLS session. Using TLS requires that the LDAP
server be provided with a suitable X.509 server certificate, and that the
SEL-2730M import a suitable CA or server certificate.
The Synchronization Interval setting exists to reduce the overhead
associated with pulling account information from an LDAP server. The device
locally caches the credentials and privileges of centralized users for the period
of time configured. The synchronization interval is settable from 0 to 24
hours. If the synchronization interval is set to 0, then the device will
resynchronize on every login. The synchronization interval exists to speed up
the login process. The SEL-2730M will continue to verify the authenticity of
users against the central directory even if their privilege information is locally
cached.
LDAP Servers
The Configured Servers section lists the LDAP servers that the SEL-2730M
will use to authenticate logins.
LDAP servers are identified by their hostname and port numbers. Use
Port 389 unless a different port number is specified by your LDAP
administrator. This information should be obtained from your LDAP
Administrators using the form found in Appendix D: Lightweight Directory
Access Protocol.
The device allows for two LDAP servers to be configured for redundancy and
increased reliability. LDAP servers are assigned a priority and will be queried
in their order of priority until the user accessing the device is found, or the list
has been exhausted.
Group Mappings
The device has specific device roles that can be mapped to LDAP group
memberships on the Group Maps tab. The view shown in Figure 3.7 has a
single group defined for administrators.
Click the plus sign (+) at the end of the table to configure a new group
mapping in a new row of the table. On the new table row, select the device role
from the drop down list in the left column. You can enter the Mapped DN
string yourself, or you can click the list icon at the end of the Mapped DN
field. When you click the list icon, the SEL-2730M will query your LDAP
server and then show a hierarchical tree of directory groups that can be
searched using your Search Base. Scroll through the tree as necessary to find
the correct group, select it with a mouse click, and click Submit. Opening a
new row in the table is shown in Figure 3.8.
To expand the tree of groups for a row of the table, click the list icon at the
right end of the Mapped DN field in the table. Clicking the icon again will
close the tree of groups. Figure 3.9 shows the tree of possible groups that
appears after clicking the list icon.
If you cannot find an appropriate group, your server administrator may need to
create new groups and assign members appropriate for these mappings. Work
with your LDAP administrator to determine group mappings using the form
found in Appendix D: Lightweight Directory Access Protocol.
The last tab on the LDAP page is Flush LDAP User Cache. Clicking the
Flush Cache button flushes the LDAP user cache, which will cause all LDAP
users to be logged out of the device and will force authentication information
to be refreshed from the server on each accounts next login.
Introduction
This section contains Job Done examples for the SEL-2730M. All Job Done
examples assume that the device has already been commissioned.
Example 1: Create VLANs to Effectively Manage Network
Traffic on page 4.1
Example 2: Configure RSTP Network Topology on page 4.6
Example 3: SNMP Monitoring From a Central Location on
page 4.8
Identifying the Your objective is to create VLANs to separate devices and GOOSE messages
to effectively and securely manage network traffic. Figure 4.1 is the logical
Problem network diagram that was provided to you, and your job is to configure
VLANs on the SEL-2730M to implement this network configuration.
WAN
SEL-3620
Eth1.10192.168.10.1/24
Eth1.20192.168.20.1/24
Eth1.30192.168.30.1/24
10 Relay LAN
20 SCADA LAN
30 Engineering Access LAN
100 GOOSE Message 100
101 GOOSE Message 101
102 GOOSE Message 102
103 GOOSE Message 103
104 GOOSE Message 104
Access between VLANs 10, 20, and 30 are firewalled using an SEL-3620 to
perform packet inspection. The SEL-3620 is configured with three sub-
interfaces on Eth1 to provide routing between each VLAN segment.
VLANs 100104 are used specifically for GOOSE messaging and therefore
do not require routing to the SEL-3620. The VLAN configuration in this Job
Done example allows GOOSE messaging between relays as follows:
Relay-1: Send/Receive GOOSE messages with VIDs 100104
Relay-2: Send/Receive GOOSE messages with VIDs 100102
Relay-3: Send/Receive GOOSE messages with VIDs 103104
Configure VLANs on Step 1. Log into the SEL-2730M1 web management interface and
navigate to Global Settings.
SEL-2730M1
Step 2. Check VLAN-aware and click the Submit button.
Step 3. Navigate to VLAN Settings and click the plus sign beneath the
VLAN table to add a new VLAN.
Step 4. Enter the configuration in Table 4.2.
10 Relay LAN 1, 2 11
20 SCADA LAN 1, 2 9
Step 11. Click the plus sign again to add a new VLAN.
Step 12. Enter the configuration in Table 4.6.
Step 13. Click the plus sign again to add a new VLAN.
Step 14. Enter the configuration in Table 4.7.
Step 15. Click the plus sign again to add a new VLAN.
Step 16. Enter the configuration in Table 4.8.
Step 17. Click the plus sign again to add a new VLAN.
Step 18. Enter the configuration in Table 4.9 and click Submit to create
all of the new VLANs.
Configure VLANs on Step 1. Log into the SEL-2730M2 web management interface and
navigate to Global Settings.
SEL-2730M2
Step 2. Check VLAN-aware and click the Submit button.
Step 3. Navigate to VLAN Settings and click the plus sign beneath the
VLAN table to add a new VLAN.
Step 4. Enter the configuration in Table 4.10.
Step 11. Click the plus sign again to add a new VLAN.
Step 12. Enter the configuration in Table 4.14.
Step 13. Click the plus sign again to add a new VLAN.
Step 14. Enter the configuration in Table 4.15.
Step 15. Click the plus sign again to add a new VLAN.
Step 16. Enter the configuration in Table 4.16.
Step 17. Click the plus sign again to add a new VLAN.
Step 18. Enter the configuration in Table 4.17 and click Submit to
create all of the new VLANs.
Identifying the Your objective is to configure the RSTP settings of the SEL-2730M devices in
the network diagram pictured in Figure 4.4. SEL-2730M-1 has been chosen to
Problem be the root bridge in the network topology and is connected to two
SEL-2730M devices, providing redundant communications paths for end
devices. SEL-2730M-2 and SEL-2730M-3 are connected to each other,
providing a redundant communications path. End devices connected to either
SEL-2730M-2 or SEL-2730M-3 have two communications paths available.
One is listed as the Active RSTP Link, and the other is listed as the Blocking
RSTP Link. The Active RSTP Link will be the path communications will take
unless there is a link or device failure impacting that communications path. In
the event of such a failure, the Blocking RSTP Link will become the active
communications path. Without RSTP, the network topology depicted in the
figure below would have a loop, which would be detrimental to the network.
Port 5: DP Port 6: DP
SEL-2730M
SEL-2730M-1
(Root Bridge)
Port 5: RP Port 5: RP
SEL-2730M SEL-2730M
SEL-2730M-2 SEL-2730M-3
(Designated Bridge) (Designated Bridge)
The root bridge is the logical center of the network. There is always exactly
one root bridge at any given time within the network. The root bridge of the
network is determined by selecting the device with the lowest bridge ID.
RSTP selects the lowest bridge ID by comparing the bridge priority first and
selecting the lowest value. If two devices have equal bridge priority values,
then the MAC addresses are compared next and the device with the lowest
MAC address will be selected as the root bridge. To guarantee that a device
will be the root bridge within the network, the bridge priority value must be
set to a lower value than all other RSTP capable devices in the network.
Careful network planning is crucial when deciding on the selection of the root
bridge.
Configure RSTP on Step 1. Log into SEL-2730M-1 and make sure RSTP is enabled on the
Global Settings page. RSTP is enabled by default.
SEL-2730M1
Step 2. Navigate to RSTP Settings under Switch Management and
select Edit RSTP Settings.
Step 3. Because SEL-2730M-1 will be the root bridge in the spanning
tree topology, the bridge priority must be set to a lower value
than any other switch participating in the spanning tree
topology. For this example, set the Bridge Priority value for
SEL-2730M-1 to 8192. Leave the remaining settings on this
page at their default settings.
Step 4. The following message should now be displayed at the top of
the RSTP Settings page when the device determines it is the
Root Bridge in the spanning tree topology.
NOTE: It may take a few seconds for
the status of the spanning tree
topology to refresh and the message
to appear.
Identifying the Your objective is to configure the SNMP settings of the SEL-2730M to allow
SNMP requests from a network management system (NMS), and to also
Problem configure SNMP traps to be sent to the NMS. Figure 4.6 is the logical network
diagram that was provided you, and your job is to configure the SNMP
settings on the SEL-2730M to implement this SNMP configuration. It is
assumed that the NMS has already been configured with the SNMP
configuration required to allow this communication to occur. SNMP v3 is
used in this example, but the steps to configure SNMP v2c are very similar.
SEL-3620
VPN LAN
NMS
10.10.10.50 SEL-2730M
MGMT: 10.10.27.30
Configure SNMP on Step 1. Log in to the SEL-2730M web management interface and
navigate to IP Configuration under Network Settings. Make
the SEL-2730M sure SNMP is listed under Services under the Mgmt interface.
If SNMP is not listed, you will need to enable SNMP by editing
the network interface and selecting SNMP.
Step 2. Navigate to SNMP Settings under Network Settings and select
Edit Hosts. The Edit Hosts page allows you to limit access to
the SNMP service of the SEL-2730M by entering allowed hosts
or networks. In this example, we will be limiting access to only
allow the NMS with an IP address of 10.10.10.50. Enter the
configuration shown below and click Submit.
Step 3. Select the Add v3 Profile tab at the top of the SNMP Settings
page. Configure the SNMP v3 settings as shown below and
click Submit. These settings must match the SNMP v3
configuration on the NMS.
Step 4. Select the Add Trap Server tab at the top of the SNMP
Settings page and configure the settings as shown below. This
configuration will send Authentication, Configuration, Port
Security, and Rapid Spanning Tree Protocol SNMP traps to the
NMS at 10.10.10.50.
Introduction
This section explains the settings and commands of the device.
Reports on page 5.1
Syslog Report
Switch Management on page 5.3
VLAN Settings
RSTP Settings
Multicast MAC Filtering
Port Mirroring
Port Settings
Network Settings on page 5.13
IP Configuration
SNMP Settings
Syslog Settings
Accounts on page 5.22
Local Users
Security on page 5.22
X.509 Certificates
MAC-Based Port Security
System on page 5.24
Global Settings
Date/Time
Alarm Contact
Usage Policy
File Management
Device Reset
Reports
Syslog Report The SEL-2730M uses the syslog message format to record event data. The
device has storage for 60,000 of these messages. The device can also forward
syslog messages to three destinations.
Device system logs are displayed in the order of their generation. Select a field
label at the top of the list to reorder the messages according to the value of that
field. For example, selecting the Severity label reorders the list by severity.
Switch Management
VLAN Settings When the device is not in VLAN-aware mode, VLAN settings can be viewed
but not modified. To modify VLAN settings, make sure VLAN-aware mode is
enabled and the account accessing the device has the appropriate role
assigned. Refer to Global Settings on page 5.24 for information on enabling
VLAN-aware mode.
VLAN View
The VLAN View page (Figure 5.2) shows a table that provides a VLAN-
centric view of the configuration of VLANs and the member ports. The fields
of the table can be edited, and the Submit button at the bottom of the page used
to apply the finished set of changes to the configuration of the VLANs. In the
VLAN view, groups of VLANs with similar settings are shown as a VID
range.
To edit a VLAN entry, click on the table item to be changed and edit the data.
The affected table item will be highlighted, and an undo link will appear next
to it to allow you to revert the change. Clicking the Submit button at the
bottom of the page will apply all of the edited changes to the VLAN
configuration. Figure 5.3 shows an example where several fields have been
edited but not yet applied.
To delete a VLAN entry, click the X icon in the last row of the table.
To edit a VLAN in a group, click the edit button in the last column of the
entry, enter the VLAN number, and then make the necessary changes in the
table row that is added for that VLAN. Figure 5.4 shows how to select the
VLAN that you wish to edit.
To delete a VLAN group (single row of the VLAN table), select the Port
View tab and delete the affected VID range from the Allowed VIDs column
for the affected ports.
Tagged Ports
The Tagged Ports column lists those ports which are allowed to send or
receive frames for a given VLAN to another VLAN-aware switch or device.
Devices capable of IEEE 802.1Q-2005 VLAN tagging, such as switches and
GOOSE-capable IEDs, transmit frames with a VID assigned to the frame.
This is commonly referred to as VLAN tagging. For the device to allow a
frame with a VLAN tag to be sent or received from a port, that port must be
configured as a Tagged Port for the VLAN indicated by the tag.
SEL-2730M
Port 1 Switch #1
SEL-2730M
Switch #2
Figure 5.5 Switch Trunk Link
Another example of using VLAN tagging is with the IEC 61850 GOOSE
protocol. IEDs tag GOOSE messages with a VID. For these GOOSE
messages to be sent or received with another switch, you must configure the
port used to connect to the other switch or VLAN-aware device as a Tagged
Port for the VID tag of the GOOSE frame. In the example shown in
Figure 5.6, two IEDs use GOOSE messages tagged with VIDs 200, 201, and
202 to communicate through the switch. In this example, the configuration of
the switch must have Ports 9 and 10 listed as Tagged Ports for VLANs 200,
201, and 202 for the GOOSE messages to pass through the switch between the
two VLAN-aware IEDs.
SEL-2730M
Port 9 Port 10
GOOSE Messages With
SEL-IED SEL-IED
Untagged Ports
Devices that are not VLAN-aware can still participate in a VLAN if the switch
is configured to associate their traffic with a VLAN. Their network frames
will need to be assigned a VID associated with other devices within the same
VLAN. Untagged Ports receive untagged frames from devices connected to
the port and apply the VID of the VLAN to which the port is assigned. Each
port can be assigned as an untagged port in one only VLAN. Ports cannot be
assigned as an untagged port in multiple VLANs.
In the example shown in Figure 5.7, an engineer must log in to the SEL IED to
perform maintenance. Communications from the SEL-3354 to the SEL IED
are untagged, and the ports must be in the same VLAN for the two devices in
this example to communicate. VLAN 7 is used in this example, but any valid
VLAN could be used. In this example, Ports 11 and 12 must be set as
Untagged Ports for VLAN 7, for untagged frames to pass between the two
devices.
SEL-2730M
Port 11 Port 12
Untagged Frames
Untagged Frames
SEL-3354 SEL-IED
Port View
The Port View page (see Figure 5.8) provides a port-centric view of the
VLAN configuration of each port. This page provides an alternative view of
the VLAN configuration for each port.
Rapid Spanning Tree Communications networks are typically designed with ring and mesh
topologies and interconnecting switches to provide network redundancy.
Protocol (RSTP) RSTP is designed to support these network topologies and provide loop-free
Settings redundant paths to end devices. Without these protocols, network loops would
be present on the network and Ethernet frames circulating endlessly
throughout the network would impact communications. RSTP ensures a loop-
free network and provides an alternative path in the event of a network failure.
RSTP is enabled by default on this device. You can disable RSTP through the
Spanning Tree Mode setting on the Global Settings page. Exercise caution
when disabling RSTP, because doing so could introduce network loops.
If RSTP is disabled, the following message displays at the top of the RSTP
Settings page.
Settings can be modified while RSTP is disabled; these settings will not
become active until you enable RSTP through the Spanning Tree Mode setting
in Global Settings.
Configuration
Figure 5.10 shows the RSTP configuration of the device.
Bridge ID
The Bridge ID field consists of a combination of the bridge priority and the
bridge MAC address. Each RSTP-capable device in the network has a unique
bridge ID that RSTP uses to determine the root bridge.
Root Bridge
The root bridge is the logical center of the network. There is always exactly
one root bridge at any given time within the network. Determination of the
root bridge of the network occurs through RSTP selection of the device with
the lowest bridge ID. RSTP selects the lowest bridge ID by comparing the
bridge priority first and selecting the lowest value. If two devices have equal
bridge priority values, then RSTP next compares the MAC addresses and
selects the device with the lowest MAC address as the root bridge. To
guarantee a device will be the root bridge within the network, the bridge
priority value must be set to a lower value than all other RSTP-capable devices
in the network. Careful network planning is crucial to selection of the root
bridge.
The following message displays at the top of the RSTP Settings page when the
device is the root bridge in the spanning tree topology.
Root Port
The root port is a port with the shortest path to the root bridge. All RSTP-
enabled devices must have exactly one root port with the exception of the root
bridge, which does not have a root port. If the device is the root bridge, the
root port does not apply and the device displays .
Bridge Priority
The bridge priority consists of two components; the bridge priority and the
MAC address.
Hello Time
The hello time is the interval in which the device sends bridge protocol data
units (BPDUs).
Max Age
The max age is the maximum number of seconds during which the
information in a BPDU is valid.
Forward Delay
The forward delay is the time a port must spend in the listening and learning
states before transitioning to forwarding.
The max age and forward delay derive from the root bridge. If the device is
not the root bridge in the spanning tree topology, the device derives these
settings from the root bridge.
Figure 5.13 shows the Port Settings dialog used to set those RSTP parameters
that are individual for each port.
BPDU Guard 160 min 5 min The amount of time that port configured with BPDU Guard will be dis-
Timeout abled after receiving a BPDU frame.
Bridge Priority 061440 in incre- 32768 Bridge priority helps determine the root bridge. The lower the value, the
ments of 4096 more likely the device will be the root bridge.
Hello Time 110 s 2s Interval in which device sends BPDUs.
Max Age 640 s 20 s Maximum number of seconds during which the information in a BPDU is
valid.
Forward Delay 430 s 15 s The time a port must spend in the listening and learning states before
transitioning to forwarding.
Port Settings
Table 5.3 Port Settings
Priority 0240 128 Port priority determines which port the device selects as a root port when
there is a tie between two ports. The port with the lower value will become
the root port.
Path Cost 1200000000 Based on Path cost helps determine which path the device selects to a root bridge.
port speed The device selects paths with the lowest overall cost first.
STP Mode Auto, Fast Port Auto Auto: Port configured as edge if no BPDU received within the Forward
BPDU Guard, Fast Delay time
Port, Non-STP Fast Port: Port configured as edge at startup.
BPDU Guard Fast Port BPDU Guard: Port configured as edge at startup, disabled on
receiving a BPDU
Non-STP BPDU Guard: Port not participating in STP, disabled on
receiving a BPDU
Multicast MAC The SEL-2730M uses multicast MAC filtering to subscribe multicast traffic to
a group of selected ports. When a multicast frame ingresses a port, the device
Filtering inspects the multicast address to see if it matches any configured multicast
MAC filter. If no match occurs, the device sends the frame to all ports within
the VLAN. If a match does occur, the device sends the frame to only the
member ports the device configuration specifies.
Use the following steps to create a multicast MAC filter on the device.
Step 1. Log in to the device with an Engineer or Administrator
account.
Step 2. Navigate to the Multicast MAC Filtering page and select Add
Filter. The following page will display.
Step 3. Enter the multicast MAC address on which you would like to
filter the VLAN identifier of the VLAN on which the multicast
traffic is located, and the member ports.
NOTE: This VLAN Identifier field displays only when the
device is in VLAN-aware mode.
NOTE: The device automatically updates the member ports with
the ports that are members of the VLAN you selected.
Step 4. Click Submit to add the multicast MAC filter.
Port Mirroring You would typically use port mirroring for troubleshooting network problems
and for monitoring traffic on a selected source port through use of a network
protocol analyzer attached to a target port. Port mirroring mirrors the network
traffic the device sends and receives on the source port to the target port. This
allows use of a non-intrusive troubleshooting technique for gathering network
traffic information for a connected port.
The device can mirror network traffic from one source port to one target port.
The source port may be any physical port on the device except the target port
the device uses for mirroring and the front Ethernet management port (ETH F).
The source port may be selected as ingress, egress, or for passage of both
types of traffic to the target port.
The target port cannot receive ingress traffic while in the monitoring session.
In Figure 5.15, the device has been configured to mirror both ingress and
egress traffic from Port 9 to Port 16. To configure port mirroring, navigate to
the Port Mirroring page and select Enable Port Mirroring. Select the
source port, target port, and the traffic you want mirrored to the target port, by
selecting either Mirror Ingress Traffic or Mirror Egress Traffic. You can
also select both to mirror ingress and egress traffic from the source port to the
target port.
Port Settings The Port Settings page provides you the ability to enable and disable ports, set
an alias for a port, configure port speed and duplex mode, and configure
Rating Limiting protection. The device configures fiber ports automatically to
their maximum speed and sets these to full duplex. The device sets copper
ports to Auto as their default setting for speed and duplex values, but you can
configure these as necessary.
Rate Limiting
The SEL-2730M allows you to set the maximum data rate for either ingress
(incoming) or egress (outgoing) traffic for any of the device ports slider
controls on the Switch Management/Port Settings page. This allows you to
prevent malicious or faulty devices from flooding your network and blocking
access to network resources. Figure 5.16 shows how limiting can be
configured for each port.
The Ingress Rate limit can be set using a slider control to 1, 5, 10, 20, 30, 42,
50, 75, 100, 150, or 300 Mb/s, as appropriate for the link speed of the port, or
can be set to No Limit. For the Ingress traffic, the limit can be set to All
traffic, Broadcast, or mixes of unicast, broadcast, and multicast. The Egress
Rate is applied to the overall rate (all traffic from the port).
Network Settings
IP Configuration The IP Configuration page provides the configuration options for the Internet
Protocol (IP) settings of the device. ETH F is used for initial commissioning and
local access. A second IP interface, under the Mgmt section of the page, can
be configured to access the device over a local or remote network as shown in
Figure 5.17.
Remote Network
SEL-3620
SEL-3354
Mgmt
SEL-2730M ETH F
Local Access
Figure 5.17 IP Configuration
The Mgmt interface is a logical interface accessible through the switch fabric
ports. Ports 124 are considered the switch fabric ports. ETH F is used only for
local access and is not considered a switch fabric port.
The Mgmt interface is used for services such as remote management of the
device, sending syslog or SNMP traps, and receiving SNMP requests. You can
reach the Mgmt interface through the use of devices within the same subnet,
or through a router configured with an interface on the same subnet as the
Mgmt interface.
Hostnamea 163 characters SEL<SERIAL#> The unique name identifying the device on the network.
Domain Namea 0253 characters N/A The domain name of which the device is a member.
Default Gateway Unicast network address N/A The IP address of the device used to transfer packets to another
network. If this setting is left blank, the device will not be able
to communicate outside of the local subnet.
a The Hostname and Domain Name combined length must be less than 255 characters.
Alias 132 characters ETH F A name that is associated with the network interface.
Enabled Enabled, Disabled Enabled Administratively enables or disables the interface.
IP Address Unicast IP address 192.168.1.2/24 IP address of the interface. The device uses classless inter-domain rout-
ing (CIDR) notation to assign the subnet mask.a
HTTPS Enabled, Disabled Enabled Enables or disables HTTPS on the interface.
Captive Port Enabled, Disabled Enabled Enables or disables captive port on the interface.
a The IP address and subnet for ETH F cannot be the same as any of the switch ports or of the Management Network Interface.
Alias 132 characters Mgmt A name that is associated with the network interface.
Enabled Enabled, Disabled Disabled Administratively enables or disables the interface.
IP Address Unicast IP address N/A IP address of the interface. The device uses classless inter-domain routing
(CIDR) notation to assign the subnet mask.
VLAN ID 14094 1 The VLAN with which to associate the interface. The VLAN must be present
to be selected as the management VLAN.
This setting is not visible when the device is not in VLAN-aware mode.
HTTPS Enabled, Disabled Disabled Enables or disables HTTPS on the interface.
SNMP Enabled, Disabled Disabled Enables or disables SNMP on the interface.
SNMP Settings The device supports SNMP v2c and v3 read-only operations. Use SNMP to
monitor device health, status, and to gather data. Figure 5.18 shows the SNMP
Settings page.
The SNMP Engine ID for the SEL-2730M is a sequence of eleven bytes
consisting of 80 00 7C 4F 03, followed by the MAC address of the unit.
Example: For a unit with MAC address of 00:30:A7:04:5A:CF, the SNMP
engine ID would be (shown in hexadecimal): 80 00 7C 4F 03 00 30 A7 04 5A
CF.
SNMP is disabled by default. You must enable SNMP on the Mgmt interface
for the device to respond to SNMP communications. Refer to
IP Configuration for information on how to enable SNMP.
The Permitted Hosts section on the page displays the hosts or networks
allowed SNMP communications with the device. The device will accept
SNMP requests from all IP addresses, unless configured otherwise. The
Permitted Hosts list provides the option to limit SNMP communications from
known IP address ranges. The Edit Hosts page provides the interface to update
the Permitted Hosts list.
The SNMP Profiles section on the page displays the SNMP profiles
configured on the device. The device requires an SNMP profile for it to
respond to SNMP requests. The Add v2c Profile and Add v3 Profile pages
provide the interfaces from which you can add SNMP profiles. The SNMP
manager requesting SNMP information from the device must be configured
with the matching SNMP profile information for the device to respond to the
SNMP requests. The device supports as many as eight SNMP profiles.
The Trap Servers section on the page displays the SNMP trap servers to which
the device is configured to send SNMP traps. An SNMP profile with trap
permission is necessary prior to configuring a trap server. The Add Trap
Server page provides the interface from which you can add a trap server. The
SNMP manager must be configured with the matching SNMP trap profile for
the SNMP manager to accept the SNMP traps.
Descriptions follow for each of the pages under SNMP Settings.
Edit Hosts
The Edit Hosts page allows you to add or remove hosts or networks from the
Permitted Hosts list. Perform the following steps to add a host or network:
Step 1. From the SNMP Settings page, click Edit Hosts. This will take
you to the page shown in Figure 5.19.
Step 2. Enter the alias you would like to use for the host or network
you will be adding.
Step 3. Enter either the host IP address or network ID under the Host
field.
Host IP addresses use a /32 CIDR notation. For example, if the
IP address of the SNMP manager for which you would like to
allow SNMP access to this device is 192.168.10.10, you would
enter 192.168.10.10/32 into the Host field. A network ID could
also be specified to allow access from the network segment that
the SNMP manager is on, e.g., 192.168.10.0/24.
Step 4. The Edits Hosts page allows you to enter as many as 16 entries
on this page.
Step 5. Click Submit to complete.
Alias 1 to 32 characters N/A A name that is associated with the host or network.
Host Host IP address (e.g., 192.168.10.10/32) or N/A IP address or network allowed access to the SNMP
Network ID (e.g., 192.168.10.0/24) service of the device.
Step 2. Enter the Alias you would like to use for the SNMP profile.
Step 3. Select whether the SNMP profile should have Read, Trap, or
both permissions.
Step 4. Enter the SNMP Read Only Community String.
Step 5. Click Submit to add the SNMP profile.
Add v3 Profile
The Add v3 Profile page allows you to add an SNMP v3 profile. Perform the
following steps to add an SNMP v3 profile:
Step 1. From the SNMP Settings page, click Add v3 Profile. This will
take you to the page shown in Figure 5.21.
Step 2. Enter the Username you would like to use for the SNMP v3
user.
NOTE: SNMP v3 provides authentication and encryption to
ensure a secure SNMP communications channel. SNMP v2c
provides mutual authentication through use of a pre-shared key
and the SNMP Read Only Community String, but SNMP
communication is in plaintext.
Step 3. Select whether the SNMP user should have Read, Trap, or
both permissions.
Step 4. Specify the Authentication Protocol, Authentication
Password, Encryption Protocol, and Encryption Password.
Step 5. Click Submit to add the SNMP profile.
The device will send traps to the configured trap server through use of the
SNMP information for the selected profiles. The trap server must have the
corresponding information for the profiles to authenticate and accept the traps.
The device supports as many as three trap servers. Perform the following steps
to add a trap server:
Step 1. From the SNMP Settings page, click Add Trap Server. This
will take you to the page shown in Figure 5.23.
Step 2. Enter the Alias and IP address of the trap server to which you
would like to send SNMP traps.
Step 3. Select the SNMP profile from the drop-down box whose
identity you would like to use to send SNMP traps.
Step 4. Select the SNMP traps you would like to send to the trap server
by checking one or more trap categories under Traps.
Step 5. Click Submit to add the SNMP trap server.
Alias 1128 characters N/A A name that is associated with the SNMP trap server.
IP Address Host IP address N/A The IP address of the SNMP trap server.
Associated A list of SNMP profiles N/A SNMP profile whose identity you will use to send traps.
Profile with the trap permission
Traps See Table 5.10. N/A The device will send SNMP traps to the configured trap server when an
event occurs within the selected trap category.
SNMP traps are categorized based on the type of system event that occurs.
Each category is listed below with an explanation of the event types that fall
within each category. When an SNMP trap is selected, the device will send
that SNMP trap to the configured trap server when an event that falls within
the category occurs.
Category Description
MIB Downloads
SNMP Management Information Base (MIB) modules contain definitions and
other information about the properties of services and resources of the device.
The MIB Downloads page provides a brief description of the MIBs the device
uses to provide information through SNMP. You can download MIBs through
this page by clicking the Download button.
Syslog Settings Syslog is a specification that describes both the method and format in which
the device stores logs locally and routes them to a collector. The device logs
many different types of events such as system startup, log in attempts, and
configuration changes. The device can send its log information to three
destinations and store as many as 60,000 event logs locally in nonvolatile
memory. Each destination, including the local device, has a configurable
logging threshold. The device logs all configuration changes to syslog. For
more information about syslog, please refer to Appendix E: Syslog.
Select the Syslog Settings link from the navigation menu to configure the
syslog settings for the device. The Syslog Settings page (see Figure 5.24)
allows you to configure the local logging threshold, as well as remote syslog
destinations. The Local Logging Threshold setting indicates the minimum
severity that a syslog message must have for the device to store that message
locally. Similarly, the logging threshold under Syslog Destinations determines
the minimum severity that a syslog message must have for that message to be
sent to the configured syslog server. For a description of these severity levels,
please refer to Appendix E: Syslog.
Setting the logging threshold too low can result in the device generating many
logs. Setting the threshold too high can result in the device failing to record
important messages.
The settings under Syslog Destinations are to configure remote syslog
destinations. These destinations are the syslog servers that will store the
syslog events remotely. You can configure as many as three remote
destinations. To configure the device to send syslog events to a remote syslog
server, enter the Alias and IP Address of the remote syslog server, and
specify the logging threshold of the syslog events to be sent to the remote
syslog server.
Accounts
Local Users Use the Local Users page to add, remove, and update local user accounts for
the device. Refer to Section 3: Managing Users for more information
regarding local user accounts.
Security
X.509 Certificates HTTPS (SSL/TLS) connections require authentication to confirm that the
server with which you are communicating is the correct server. This
authentication is through X.509 certificates. By default, the device has a self-
signed X.509 certificate that can cause your web browser to issue a security
alert. This security alert will require a security exception for authentication to
continue. To prevent this security alert from appearing, install a CA-signed
X.509 certificate on the device. If your web browser has been configured to
trust the CA issuing and signing the certificate, the X.509 certificate will be
trusted and the security alert will no longer appear.
The device supports one X.509 certificate that is used for HTTPS
communications between the client web browser and the web server running
on the device. The X.509 Certificates page has options to view, rename,
export, import, and regenerate the X.509 certificate. Descriptions follow for
each of these options.
View
This option provides a detailed view of the installed certificate.
Rename
This option provides a form for renaming the certificate. The Certificate Name
can contain as many as 128 characters.
Import
This option provides a form to import a certificate generated or signed
externally to the device. You must enter the password for the private key
during import if the private key is encrypted.
For more information on X.509 certificates, see Appendix I: X.509.
MAC-Based Port MAC-based port security provides the ability to create MAC address filters
that only allow traffic on a port from specific MAC addresses. The device
Security provides two methods of dynamically building the MAC filter for a port, and
an additional method to statically assign MAC addresses to the filter. The
methods for dynamically building the MAC filter for a port include count lock
and time lock. You can use all methods independently or in conjunction to
build the MAC filter for the port.
For example, you can specify that you would like to learn five MAC addresses
for the port and lock in the configuration. You can also specify that you would
like to learn five MAC addresses for ten minutes, and the configuration will
either lock after five addresses have been learned, or ten minutes have elapsed.
You can also choose to statically configure the MAC filter on the port by
manually entering one or more MAC addresses.
The device supports a maximum of 1000 MAC address entries across all ports.
System
Global Settings
Web Settings
The Web Settings allow for modification of settings related to the web
management interface of the device.
The device automatically selects the language used for the web management
interface based on an Accept-Language request-header field from the
requesting client web browser. The device will default to the highest priority
accepted language the requesting client web browser specifies that is a
supported language for the web management interface of the device. In the
event of a tie in priorities of supported languages, the device selects the
language based on the Language setting configured in the Global Settings. If
none of the requested languages are supported, the language defaults to the
Language setting configured in the Global Settings. The device always
transmits syslog messages and SNMP traps in the language specified through
the Language setting in Global Settings.
VLAN-aware Enabled, Disabled Disabled Determines the operational mode of the device with respect to VLANs.
CoS Mode Weighted Round Weighted Round Sets the devices queue scheduling scheme for egressing frames.
Robin, Strict Robin Weighted Round Robin will cycle through each egress priority queue,
using an 8:4:2:1 ratio to transmit Critical, High, Medium, and Low
traffic frames, respectively. Strict priority will always egress traffic
from a higher priority queue before a lower priority queue.
Spanning Tree RSTP, Off RSTP Configures the spanning tree mode for the device. The device does not
Mode provide network loop prevention if this setting is disabled.
LLDP Enabled, Disabled Enabled Enables or disables Link Layer Discovery Protocol (LLDP) on the
device.
Date/Time The date and time functions of the device allow accurate timekeeping for
time-stamping internally generated system events. The date and time of the
device can be manually set, or the device can synchronize its internal clock to
Network Time Protocol (NTP) servers over the network. One benefit of
synchronizing time using NTP is that all devices synchronized to the NTP
servers share the same time, and event correlation across multiple systems is
possible. Having the same time reference for time-stamped events makes
auditing system and security events across multiple systems easier to manage.
NTP
NTP is a method for synchronizing system clocks over IP networks. NTP
typically maintains accuracies of 10 ms across public networks and 200 s or
better in private networks under ideal conditions.
NTP uses a hierarchical, layered stratum system of clock source levels.
Stratum numbering begins with zero at the top and increments with layers
from the reference clock. The stratum scheme exists to prevent cyclical
dependencies in the hierarchy. A lower stratum number for the NTP source
does not necessarily mean it is more accurate.
To use NTP as the time source for the device, you must select Enable NTP
Client and specify at least one NTP Server, as shown in Figure 5.27. Replace
192.168.100.1 with the IP address of your NTP server, and click the Submit
button.
Alarm Contact The alarm contact is used as a means of alerting system personnel to system
and security-related events that have occurred on the device. The alarm
contact pulses for 1 second if any of the selected Alarm Contact Output
Trigger categories are selected and an event that falls within the category
occurs. Each category is listed in Table 5.17 with an explanation of the event
types that fall within each category.
Usage Policy The device presents a usage policy to all users accessing the login page. This
policy notifies users of what constitutes appropriate use of this device, what
actions are taken to ensure the device is not used inappropriately, and what
actions will be taken if abuse is discovered. The device comes with the
following default usage policy:
This system is for the use of authorized users only. Individuals using this
system without authority or in excess of their authority, are subject to
having all their activities on this system monitored and recorded by
system personnel. Anyone using this system expressly consents to such
monitoring and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide the evidence
of such activity to law enforcement officials.
File Management File management provides an interface from which you can import and export
settings, as well as perform firmware upgrades. Exporting system settings is
useful for providing device configuration backups for disaster recovery, as
well as creating a template configuration that you can use in commissioning
large numbers of devices. For example, if all devices share the same
configuration, with the exception of a few device-specific configuration items
such as hostname and IP address, the configuration can be created once and
then exported as a template. When the configuration file is imported into a
new device, only a couple of changes are necessary before the device is fully
configured.
Export Settings
Settings can be exported either encrypted or unencrypted in XML format. The
encrypted settings export is useful for creating an encrypted copy of the device
configuration as a device backup. You can use this backup for disaster
recovery purposes in the event the configuration on the device must be
restored. The other option is to export the device settings in unencrypted XML
format, which allows for offline editing.
NOTE: Settings files should be stored in a secure location, because they contain
sensitive information.
The Export Settings page provides an interface to export settings to either an
encrypted or unencrypted settings file. Follow the steps below to export a
settings file:
Step 1. Log in to the device and browse to the File Management page.
Step 2. You should be on the Export Settings page shown in
Figure 5.28.
Step 5. The settings export will initialize and show the export progress
for each module. The device will present you with the
following message when the export is complete.
Step 6. Click the Click to Download button. The device will download
the settings to your local computer.
Import Settings
The Import Settings page provides an interface to import settings from either
an encrypted or unencrypted settings file. Perform the following to import a
settings file:
Step 1. Log in to the device and browse to the File Management page.
Step 2. Select the Import Settings tab at the top of the page.
Step 3. Click Choose File and browse to the location of the settings file
you would like to import.
WARNING Step 4. If the file was encrypted during the export process, enter the
Importing settings will replace the encryption password into the Password field. If the file was not
current settings and reboot the encrypted during the export process, leave the Password field
device.
blank.
Step 5. Click the Import button.
Firmware Upgrade
The Firmware Upgrade page provides an interface from which you can
upgrade device firmware. Refer to Appendix B: Firmware Upgrade
Instructions for more information on the firmware upgrade procedure.
Device Reset
Device Reboot
The device reboot function will turn the device off and back on. All
communication through the device will be lost while the device reboots.
Factory Reset
The device provides the factory-reset function to restore the unit to its factory
configuration. You should only use this feature when you decommission the
device. The factory-reset function erases the device log files and returns
device settings back to the factory-default values. After a factory reset, you
must recommission the device. Refer to Section 2: Installation for details on
commissioning the device.
Introduction
This section provides the following guidelines for testing and troubleshooting
the device.
Testing Philosophy on page 6.1
LED Indicators on page 6.2
Device Dashboard on page 6.4
Troubleshooting on page 6.6
Factory Assistance on page 6.7
Testing Philosophy
Device testing can be divided into three categories: acceptance,
commissioning, and maintenance. The categories are differentiated by when
they take place in the life cycle of the product and by test complexity. The
following paragraphs describe when you should perform each type of test, the
goals of testing at that time, and the functions that you need to test at each
point.
This information is intended as a guideline for testing a device.
Acceptance Testing Perform acceptance testing when qualifying the SEL-2730M for use in an
Ethernet-based communications network that supports critical systems.
What to Test
Acceptance test all settings parameters critical to your intended application.
SEL performs detailed acceptance testing on all SEL-2730M models and
versions. It is important for you to perform acceptance testing on the
Maintenance Testing The SEL-2730M does not require regular maintenance testing.
LED Indicators
The SEL-2730M has extensive self-test capabilities. You can determine the
status of your device using the indicator lights located on the front or rear
panels. These indicators are provided to show whether the device is enabled,
whether an alarm condition exists, whether the power supplies are healthy, and
to show the speed and link state for each of the communications interfaces.
Figure 6.1 shows the locations of the LED indicators. The rear-panel
indicators corresponding to the ones on the front panel operate identically.
Table 6.1 describes the system status indicators. On the front panel, these are
located next to the LAMP TEST button.
PWR A Power supply installed and Power supply is installed and failed.
working properly
PWR B Power supply installed and Power supply is installed and failed.
working properly
Device Dashboard
While the device status indicator lights are useful for getting status
information at a quick glance, they will only alert you to simple normal vs.
abnormal operating conditions. For more detailed diagnostic information, visit
the Dashboard page by selecting the Dashboard link from the navigation
panel. Figure 6.2 shows the Dashboard page. The system status and statistics
information on the Dashboard page is updated periodically.
Network Interfaces The Network Interfaces section of the Dashboard contains icons showing the
current state of each physical Ethernet network interface on the device. You
can mouse over any of the network interface port icons to see packet statistics
for the port. Clicking one of these icons will add a status area to the
Dashboard and adds a line to it containing the statistics for that interface.
More information about network interface configuration can be found in
Section 5: Settings and Commands.
The network interface icons are color coded to indicate the configuration state
of that interface. The interface icon colors and their meanings can be found in
Table 6.3.
Device Information The Device Information section of the Dashboard provides information about
the SEL-2730M and its firmware, including part number, serial number, and
the firmware identification string. This information can be useful when factory
support or firmware upgrades are necessary.
System Statistics The System Statistics area of the Dashboard provides some basic statistics for
device operations. This information can quickly help determine whether the
device firmware is operating properly.
Table 6.4 explains the meaning of each of these statistics. The CPU, RAM,
and storage statistics provide a visual indication of reserve processing or
storage capacity in the unit. Any potential problems related to system resource
utilization would be noticeable through these statistics on the Dashboard.
Statistic Meaning
Diagnostics The Diagnostics section of the Dashboard provides simple status indications
for the basic hardware systems of the SEL-2730M. This information can
quickly help determine the health of the device hardware, and that it is
operating properly.
Troubleshooting
Inspection Procedure Complete the following procedure before disturbing the device. After you
finish the inspection, refer to Table 6.5.
Step 1. If the web interface is accessible, record the part number, serial
number, and firmware version from the Dashboard Device
Information table.
Step 2. Record a description of the problem encountered.
Step 3. Examine the System Statistics and Diagnostics tables and
record any values that are unusual.
Step 4. Measure and record the power supply voltage at the power
input terminals.
Step 5. Record the state of the LED indicators.
The PWR A and PWR B indica- Input power is not present. Verify that input power is present and that the power supply
tors are both dark assembly is fully inserted.
The login page is The computer trying to connect to Verify the physical and logical connection between the man-
inaccessible the web interface is not on the cor- agement computer and the SEL-2730M.
rect network. Configure the IP address of the management computer to the
same network as the SEL-2730M, or set the computer network
interface to autoconfigure the network using DHCP as
described in Section 2: Installation.
The ETH F network interface on the Insert a small tool such as a paperclip into the pinhole reset
SEL-2730M is not enabled. above Port 2 on the rear panel of the device, and depress the
reset button for 2 seconds. This will enable the interface and
turn on the Captive Port feature to allow you to connect to the
management interface using ETH F. See Section 2: Installation
for details.
No syslog messages The syslog server is not reachable Ensure that the syslog server IP address is valid and reachable.
from the network containing the If the syslog server is on another network, ensure that a net-
SEL-2730M. work gateway is configured and available to route the syslog
traffic.
No syslog servers defined or the Navigate to the Network Settings/Syslog Settings page and
logging threshold is unexpectedly ensure that the proper syslog IP address and Logging Thresh-
high. old settings are made there.
A user cannot log in The users account is missing. Log in to the SEL-2730M as an administrator and verify the
details for the subject account on the Accounts/Local Users
page.
The users password is incorrect. Check that Caps Lock is not active on the computer logging in.
If necessary, reset the users account from the Local Users
page.
If You Forget Your If you forget the IP address for which your SEL-2730M is configured, but do
not want to perform a full factory reset, the Captive Port feature provides you
SEL-2730M IP access to the web management interface.
Address To activate the Captive Port feature on ETH F, insert a tool such as a
straightened paper clip into the pinhole reset hole above Port 2 on the rear
panel and press the recessed reset button for 5 seconds. This enables the front
Ethernet port and turns on the Captive Port feature.
The Captive Port feature provides special DHCP and DNS servers to the
computer connected to ETH F. The DHCP server assigns the computer an IP
address adjacent to the IP address of your SEL-2730M, so the computer will
be on the same subnet and capable of communicating with it. This also sets
the DNS server for the computer to the IP address of your SEL-2730M. Once
this occurs, any DNS requests from the computer resolve to the SEL-2730M,
so that browsing to any host, such as www.selinc.com, results in opening the
web management interface of your SEL-2730M.
If You Forget Your Use of the Captive Port feature to gain access to your SEL-2730M
reestablishes network communication with it, but you must still know the
Administrative credentials for an administrative account. If you have lost all administrative
Account Password account credentials, you must perform a full factory-default reset.
Turn off power to your SEL-2730M, insert a tool such as a straightened paper
clip into the pinhole reset hole above Port 2 on the rear panel, and press the
recessed reset button. Holding the button depressed, apply power. After two
seconds, release the recessed reset button.
Wait for the green ENABLED LED on the front panel to illuminate, indicating
that your SEL-2730M has reset to factory-default settings and is ready. ETH F
will be enabled, the Captive Port feature will be on, and the IP address for the
unit will be 192.168.1.2. You can access the Commissioning page by entering
a hostname, such as www.selinc.com, or you can browse directly to the IP
address for the unit at https://192.168.1.2.
Factory Assistance
We appreciate your interest in SEL products and services. If you have
questions or comments, please contact us at:
Schweitzer Engineering Laboratories, Inc.
2350 NE Hopkins Court
Pullman, WA 99163-5603 U.S.A.
Tel: +1.509.332.1890
Fax: +1.509.332.7990
Internet: www.selinc.com
Email: info@selinc.com
Firmware
This manual covers SEL-2730M devices containing firmware bearing the
firmware version numbers listed in Table A.1. This table also lists a description of
modifications and the instruction manual date code that corresponds to firmware
versions. The most recent firmware version is listed first.
Manual
Firmware Identification (FID) Number Summary of Revisions
Date Code
Manual
Firmware Identification (FID) Number Summary of Revisions
Date Code
SEL-2730M-R102-V0-Z002001-D20131204 Added support for centrally managed user accounts using LDAP. 20131204
Added BPDU Guard feature to protect network topology against
unexpected BPDUs.
Added per-port rate limiting features to suppress storms.
Added Far End Fault Indication (FEFI) to better support
redundant links.
Removed support for SSLv2.
Fixed intermittent issue with validation of SFPs.
SEL-2730M-R101-V0-Z001001-D20121206 Manual update only (see Table A.2). 20130429
SEL-2730M-R101-V0-Z001001-D20121206 Manual update only (see Table A.2). 20130416
SEL-2730M-R101-V0-Z001001-D20121206 Significantly improved performance of RSTP on link changes. 20121206
Improved tolerance to connection of incorrect fiber type.
SEL-2730M-R100-V0-Z001001-D20120611 Initial version. 20120611
Instruction Manual
The date code at the bottom of each page of this manual reflects the creation or
revision date.
Table A.2 lists the instruction manual release dates and a description of
modifications. The most recent instruction manual revisions are listed at the top.
20150901 Preface
Updated General Safety Marks.
Section 1
Added Open Source Software subsection.
Section 2
Added Battery Change Instructions subsection.
20150630 Section 1
Updated Specifications.
20150522 Section 1
Updated Specifications.
20150325 Section 1
Updated Status Indicators.
Section 3
Updated Figure 3.3Figure 3.9.
Section 4
Updated Figure 4.2.
Updated Job Done Example 3.
20141218 Preface
Updated Safety Information
Section 1
Updated Specifications.
20141014 Appendix A
Updated for firmware revision R104.
20140814 Section 1
Updated Product Features.
Updated Specifications.
Section 2
Updated Navigating the User Interface.
Updated Device Dashboard.
Section 4
Updated Configure VLANs on SEL-2730M1.
Updated Configure VLANs on SEL-2730M2.
Section 5
Updated VLAN Settings.
Updated Figure 5.14 Add New Filter.
Section 6
Updated Figure 6.2 Device Dashboard.
Appendix A
Updated for firmware revision R103.
20140425 Section 1
Updated Specifications.
20131204 Section 1
Updated Product Features.
Updated Figure 1.3: Rear-Panel View.
Updated Communications Ports in Specifications.
Section 2
Updated Figure 2.12: Version Information.
Section 3
Added LDAP functionality description and settings.
Section 5
Updated Figure 5.13: Port Mirroring.
Appendix A
Updated for firmware revision R102.
Appendix D
New appendix with information about LDAP.
Appendix I
Updated X.509 Certificates.
Updated Digital Signatures.
Updated Public Key Infrastructure.
20130429 Section 1
Updated Figure 1.3: Rear-Panel View.
Updated Power Supply in Specifications.
20130416 Section 1
Updated Specifications.
20121206 Appendix A
Updated for firmware revision R101.
20120611 Initial version.
Introduction
SEL occasionally offers firmware upgrades to improve the performance of
your device. The SEL-2730M stores firmware in nonvolatile memory, so that
opening the case or changing physical components is not necessary. These
instructions give a step-by-step procedure to upgrade the device firmware by
uploading a file from a personal computer to the device via the web interface.
All firmware updates are logged.
Firmware releases are enhancements to improve functionality that change the
way your device is configured or maintained, and can be installed in
increasing or decreasing order. All existing settings will be transferred to
newer firmware. Settings may not be transferred to older firmware. After a
firmware update it is possible to revert to the previously installed firmware
version.
To perform an upgrade you will need the appropriate firmware upgrade file
and access to an administrative account on the device.
Firmware Files SEL-2730M firmware upgrade files have a tar.gz file extension. An example
firmware filename is install_2730M_R100.tar.gz.
The firmware packages are cryptographically signed to enable the device to
recognize official SEL firmware. Any uploaded files that cannot be verified as
being produced by SEL will not be processed.
Step 4. Enter the path name for the upgrade file. To locate the file
instead using the Windows file browser, click the Browse
button, navigate to the location where the upgrade file is stored,
select it, and click Open.
Step 5. Click the Upgrade button at the bottom of the page to upload
and install the new firmware. The Upgrading Firmware status
display will appear and periodically update the shown progress
of the upgrade operation as it proceeds. Firmware update takes
about 10 minutes to complete.
Factory Assistance
We appreciate your interest in SEL products and services. If you have
questions or comments, please contact us at:
Schweitzer Engineering Laboratories, Inc.
2350 NE Hopkins Court
Pullman, WA 99163-5603 U.S.A.
Tel: +1.509.332.1890
Fax: +1.509.332.7990
Internet: www.selinc.com
Email: info@selinc.com
Introduction
Local accounts are the engineering access accounts that reside on SEL
products. SEL has historically used global accounts such as ACC and 2AC
and a password associated with each to control access to SEL devices. With
global accounts, every user has the same login credentials (username and
password), which weakens the security of the system. To strengthen
authentication, authorization, and accountability, this SEL product uses a user-
based account structure.
Accountability is the idea that individual users can be held responsible for
their actions on a system. The lack of authentication with global accounts
creates too much opportunity to cast doubt on ones activities, making
accountability difficult to enforce. The ability to clearly authenticate a user to
the individual level allows all actions to be assigned to specific users.
Accountability is very important to event tracking and forensic investigations.
Passphrases
Passphrases provide a user the ability to create strong and easy-to-remember
passwords that protect access to a system. A strong passphrase includes many
different characters from many different character sets. Longer passphrases
provide greater security than shorter passphrases. SEL user-based accounts
support complex passphrases that must include at least one character from
each of the following character sets.
Uppercase letters
Lowercase letters
Digits
Special characters
Certificate Chain
When an SEL device receives an X.509 certificate from an LDAP server
during a StartTLS exchange prior to LDAP bind, you will need to have the
certificate chain stored locally. The certificate chain, also known as the
certification path, is a list of certificates used to authenticate the LDAP server.
The chain, or path, begins with the certificate of the LDAP server (the one the
SEL device receives), and each certificate in the chain is signed by the
certificate authority (CA) identified by the next certificate in the chain. The
chain terminates with a root CA certificate. The root CA certificate is always
signed by the CA itself. The signatures of all certificates in the chain must be
verified by the SEL LDAP client until the root CA certificate is reached. The
Distinguished Name (DN) of the X.509 certificate the LDAP server uses to
authenticate to the SEL LDAP client must match the LDAP server name (i.e.,
LDAP server 3354.x509.local must match its certificate DN
3354.x509.local).
Hostname: IP Address:
Hostname: IP Address:
LDAP Settings
(Input these settings on the LDAP Settings page):
Search Base:
User ID Attribute:
LDAP Servers
(Input these settings on the LDAP Settings page, need at least one):
Device Roles
(Required to map user privileges, input these settings on the LDAP settings page):
Monitor Group/User DN
Introduction
The Syslog protocol, defined in RFC 3164, provides a transport to allow a
device to send system event notification messages across IP networks to
remote syslog servers. Syslog is commonly used to send system logs such as
security events, system events, and status messages useful in troubleshooting,
auditing, and event investigations. The syslog packet size is limited to 1024
bytes and is formatted into three parts: PRI, HEADER, and MSG.
1. PRI: The priority part of a syslog packet is a number enclosed
in angle brackets that represents both the Facility and Severity
of the message. The Priority value is calculated by multiplying
the Facility numerical code by 8 and adding the numerical
value of the Severity. For example, a kernel message
(Facility = 0) with a Severity of Emergency (Severity = 0)
would have a Priority of 0. Also, a local use 4 message
(Facility = 20) with a Severity of Notice (Severity = 5) would
have a Priority value of 165. In the PRI part of the syslog
message, these values would be placed between the angle
brackets as <0> and <165> respectively.
The severity code (Table E.1) is a number indicative of how critical the
message is.
0 Emergency
1 Alert
2 Critical
3 Error
4 Warning
5 Notice
6 Informational
7 Debug
The Facility code (Table E.2) defines from which application group the
message originated.
0 Kernel messages
1 User-level messages
2 Mail system
3 System daemons
4 Security/authorization messagesa
5 Messages generated internally by syslog
6 Line printer subsystem
7 Network news subsystem
8 UUCP subsystem
9 Clock daemonb
10 Security authorization messagesa
11 FTP daemon
12 NTP subsystem
13 Log audita
14 Log auditb
15 Clock daemonb
16 Local use 0 (local 0)
17 Local use 1 (local 1)
18 Local use 2 (local 2)
19 Local use 3 (local 3)
20 Local use 4 (local 4)
21 Local use 5 (local 5)
22 Local use 6 (local 6)
23 Local use 7 (local 7)
a Various operating systems have been found to utilize Facilities 4, 10, 13, and 14 for security/
authorization, audit, and alert messages that seem to be similar.
b Various operating systems have been found to utilize both Facilities 9 and 15 for clock (cron/
at) messages.
Source: http://www.faqs.org/rfcs/rfc3164.html
A sample syslog message has been provided below. This particular message
shows an invalid login attempt on July 09, 2009, at 08:17:29 to myhostname
for user root from the IP address 192.168.1.1. The priority of this message is
34.
<34>Jul 09 2009 08:17:29 myhostname Invalid login attempt by:
root at 192.168.1.1
The syslog message has been divided into each respective part as shown here.
PRI HEADER MSG
<34> Jul 09 2009 08:17:29 myhostname Invalid login attempt by: root at 192.168.1.1
PSTN
SEL-3025
SEL-351
SEL-3620
VPN SEL-351
Central Syslog
Server
SEL-351
Commissioning
Device commissioned by {0} at {user_ip} Commissioning Notice SECURITY
User Configuration
User {0}: created by {1} at {user_ip} UserConfig Warning SECURITY
User {0}: deleted by {username} at {user_ip} UserConfig Warning SECURITY
User {0}: enabled by {username} at {user_ip} UserConfig Notice SECURITY
User {0}: disabled by {username} at {user_ip} UserConfig Notice SECURITY
User {0}: password set by {username} at {user_ip} UserConfig Warning SECURITY
User {0}: attributes changed by {username} at {user_ip} UserConfig Notice SECURITY
Login
Login to {interface}: successful by {username} at {user_ip} Login Notice SECURITY
Login to {interface}: failed from {user_ip} Login Notice SECURITY
Logout {interface}: {username} at {user_ip} Login Notice SECURITY
User account {0} locked out due to consecutive failed login attempts Login Warning SECURITY
User account {0} timeout Login Warning SECURITY
LDAP
LDAP: settings changed by {username} at {user_ip} LDAPConfig Warning SECURITY
LDAP: enabled by {username} at {user_ip} LDAPConfig Warning SECURITY
LDAP: disabled by {username} at {user_ip} LDAPConfig Warning SECURITY
LDAP Search Base: changed by {username} at {user_ip} LDAPConfig Warning SECURITY
LDAP User ID Attribute: changed by {username} at {user_ip} LDAPConfig Warning SECURITY
LDAP Group Membership Attribute: changed by {username} at LDAPConfig Warning SECURITY
{user_ip}
LDAP Synchronization Interval: changed by {username} at {user_ip} LDAPConfig Warning SECURITY
LDAP Bind DN: changed by {username} at {user_ip} LDAPConfig Warning SECURITY
LDAP Bind DN Password: changed by {username} at {user_ip} LDAPConfig Warning SECURITY
LDAP Server {hostname}: created by {username} at {user_ip} LDAPConfig Warning SECURITY
LDAP Server {hostname}: deleted by {username} at {user_ip} LDAPConfig Warning SECURITY
LDAP Server {previous_hostname} Hostname: changed to {post_host- LDAPConfig Warning SECURITY
name} by {username} at {user_ip}
LDAP Server {hostname} Port: port number changed by {username} at LDAPConfig Warning SECURITY
{user_ip}
LDAP Group Mapping: {privilege_level} mapping created by LDAPConfig Warning SECURITY
{username} at {user_ip}
LDAP Group Mapping: {privilege_level} mapping deleted by LDAPConfig Warning SECURITY
{username} at {user_ip}
LDAP User Attribute Mappings: changed by {username} at {user_ip} LDAPConfig Warning SECURITY
LDAP: Unable to connect to server at {server_hostname}:{port} LDAP Error SECURITY
LDAP: {server_hostname}:{port} does not respond LDAP Error SECURITY
LDAP: LDAP version used by server {server_hostname}:{port} is not LDAP Error SECURITY
supported
LDAP: Unable to start TLS session with {server_hostname}:{port} LDAP Error SECURITY
LDAP: The certificate presented by {server_hostname}:{port} is invalid LDAP Error SECURITY
LDAP: The hostname of the certificate presented by {server_host- LDAP Error SECURITY
name}:{port} does not match
LDAP: The issuing authority of the certificate presented by {server_host- LDAP Error SECURITY
name}:{port} is untrusted
LDAP: The certificate presented by {server_hostname}:{port} is expired LDAP Error SECURITY
LDAP: Search base entry not found on server {server_hostname}:{port} LDAP Error SECURITY
LDAP: User ID Filter syntax invalid for server {server_hostname}:{port} LDAP Error SECURITY
LDAP: Group Filter syntax invalid for server {server_hostname}:{port} LDAP Error SECURITY
LDAP: Group Filter search on server {server_hostname}:{port} returned LDAP Error SECURITY
no groups
LDAP: No Group Mappings set for server {server_hostname}:{port} LDAP Error SECURITY
LDAP: Bind DN authentication failed on server {server_host- LDAP Error SECURITY
name}:{port}
LDAP: An error occurred during authentication or authorization on server LDAP Error SECURITY
{server_hostname}:{port}
LDAP: One or more of the user-configured DNs for server {server_host- LDAP Error SECURITY
name}:{port} contains syntax errors.
LDAP: Server {server_hostname}:{port} returned a DN that was longer LDAP Error SECURITY
than 4096 bytes. That DN was ignored.
LDAP: An error occurred during Bind DN authentication on server LDAP Error SECURITY
{server_hostname}:{port}
LDAP: An error occurred when searching for a DN on the server LDAP Error SECURITY
{server_hostname}:{port}
LDAP: An error occurred when searching for the users DN on the server LDAP Error SECURITY
{server_hostname}:{port}
Miscellaneous Configuration
Usage Policy: changed by {username} at {user_ip} Config Notice SECURITY
System Contact Information: changed by {username} at {user_ip} Config Notice USER
Ports
Port Settings: changed by {username} at {user_ip} Config Notice SYSTEM
Port {0} changed link state to up Link Up/Down Notice SYSTEM
Port {0} changed link state to down Link Up/Down Notice SYSTEM
Rate Limiting Settings: changed on port {port_number} by {username} at RateLimitingConfig Notice USER
{user_ip}.
Firmware
Firmware update from {0} to {1} succeeded Firmware Warning SYSTEM
Uploaded firmware update package is corrupted; unable to decrypt the Firmware Error SYSTEM
firmware update package or validate the signature on the firmware update
package
Firmware: reversion to previous version initiated by {username} at Firmware Warning USER
{user_ip}
The firmware update from {0} to new version failed with an error of {1}. Firmware Critical SYSTEM
Please contact Schweitzer Engineering Laboratories, Inc. for assistance.
Firmware: update to new version initiated by {username} at {user_ip} Firmware Notice USER
VLAN Configuration
VLAN {0}: updated by {username} at {user_ip} VLANConfig Notice USER
VLAN-aware mode disabled by {username} at {user_ip} VLANConfig Notice USER
VLAN-aware mode enabled by {username} at {user_ip} VLANConfig Notice USER
VLAN {0}: created by {username} at {user_ip} VLANConfig Notice USER
VLAN {0}: deleted by {username} at {user_ip} VLANConfig Notice USER
Multicast MAC Filtering
Static Multicast MAC Group {0}: updated by {username} at {user_ip} StaticMulticastMAC Notice USER
Static Multicast MAC Group {0}: deleted by {username} at {user_ip} StaticMulticastMAC Notice USER
Static Multicast MAC Group {0}: created by {username} at {user_ip} StaticMulticastMAC Notice USER
Port Mirroring
Port Mirroring Settings: changed by {username} at {user_ip} PortMirroringConfig Notice USER
Port Mirroring disabled on {0} by {username} at {user_ip} PortMirroring Notice USER
Port Mirroring enabled on {0} by {username} at {user_ip} PortMirroring Notice USER
Spanning Tree
Spanning Tree: {hostname} has become the root bridge SpanningTree Notice SYSTEM
Spanning Tree: Configuration changed by {username} at {user_ip} SpanningTree Notice USER
Spanning Tree: Port {0} transitioned from {1} to {2} SpanningTree Informational SYSTEM
Spanning Tree: Port {0} transitioned from {1} to {2} SpanningTree Notice SYSTEM
RSTP
BPDU received, port {port_number} disabled. SpanningTree Notice SYSTEM
BPDU Guard timeout reached. Port {port_number} enabled. SpanningTree Notice SYSTEM
BPDU Guard overridden by {username} at {user_ip} Port {port_number} SpanningTree Notice SYSTEM
enabled.
Class of Service Configuration
Class of Service queuing changed from {0} to {1} by {username} at Config Notice USER
{user_ip}
MAC-Based Port Security
MAC-Based Port Security: configuration changed on port {0} by Config Notice SECURITY
{username} at {user_ip}
MAC addresses locked due to time lock expiration PortSecurity Notice SYSTEM
Introduction
A telecommunications network can be as simple as two devices linked
together for the purpose of information sharing or as complex as the Internet
involving many devices serving a multitude of purposes. In either case,
networking devices need a common model for interconnectivity across a
diverse set of communications media, manufacturer equipment, protocols, and
applications. The International Standards Organization (ISO) developed the
Open Systems Interconnection (OSI) model to serve this purpose. The OSI
model has been in use for decades as a reference model that describes the
fundamental concepts and approach to interconnecting heterogeneous systems
by abstracting the model into seven logical layers. This appendix provides an
introduction to networking fundamentals and illustrates how device
communication occurs across disparate networks.
OSI Model
The OSI model consists of seven conceptual layers, as shown in Figure F.1.
Each layer is relatively independent of the other layers and only needs to know
how to communicate with the adjacent layers. This independence has allowed
manufacturers to develop implementations at their respective OSI layers and
still be interoperable with implementations at completely different layers. For
example, a program interfacing at the Application Layer does not need to
know if the data being transmitted will traverse over an Ethernet, serial, or
radio physical medium.
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Physical Layer
1100101010101010101010111011010101000011111100010101
Physical Layer The primary responsibility of the Physical Layer is transmitting data across a
communications medium from one device to another. This layer defines the
(Layer 1) electrical and mechanical interfaces such as the hardware network interface
cards use in interfacing with the physical medium that carries the bit stream. A
Physical Layer device simply transmits or receives data and lacks any
knowledge of the data that it transmits. Copper and fiber Ethernet are both
examples of physical media in common use. Network hubs and repeaters are
devices common to this layer.
Data Link Layer The Data Link Layer is responsible for providing reliable transit of data across
physical mediums by controlling frame synchronization, flow control, error
(Layer 2) detection, and providing physical addressing. Directly connected devices
(Figure F.2) communicate at this layer without the need for a Layer 3 device,
such as a router.
Ethernet Segment 1
The Data Link Layer is subdivided into the Logical Link Control (LLC) and
the Media Access Control (MAC) sub-layers. The LLC sub-layer manages
communication among devices and handles the frame synchronization, flow
control, and error checking introduced previously. The MAC sub-layer
manages physical addressing at the Data Link layer. MAC addresses are
physical addresses that are embedded into the hardware and determine how
devices should identify each other uniquely on the same network segment.
The OSI model represents MAC addresses, also known as hardware
addresses, in the form of 01-23-45-67-89-ab.
At this layer, devices organize data they receive into frames, called headers,
that encapsulate the data with descriptive information. Figure F.3 depicts an
example of an Ethernet frame.
Network Layer The Network Layer is responsible for transmitting data from one device to
another device that is on a separate network segment. The separate network
(Layer 3) segment could be within close proximity, such as within the same building, or
in a completely different country, as seen with the Internet.
Addressing, routing, fragmentation, error handling, and congestion control are
all functions of the Network Layer.
Layer 3 addressing is different from Layer 2 addressing, in that Layer 3
addresses are logical. Logical addresses are hardware independent, unlike
MAC addresses that are assigned to specific hardware. The Network Layer
manages mappings between these logical addresses and physical addresses.
Address Resolution Protocol (ARP) performs this mapping in IP networks.
192.168.254.0/24
Ethernet Segment 1
192.168.254.1
Router
10.10.10.1
Ethernet Segment 2
Transport Layer When data arrive at a network device that the Network Layer determines is the
final destination, the Network Layer formats the data and passes the
(Layer 4) information to the Transport Layer. This layer is responsible for end-to-end
control and ensures successful data transfer. The main Transport Layer
functions are flow control and error recovery.
Flow control manages the amount of data transmitted between communicating
devices so that the sending device does not send more data than the receiving
device can process.
SYN
SYN/ACK
ACK
Session Layer The Session Layer handles session establishment, management, and
termination between two end-user software application processes. This is the
(Layer 5) first layer that switches focus from the actual networking details and deals
primarily with sessions consisting of service requests and responses that occur
between applications installed on communicating devices.
Presentation Layer The Presentation Layer provides for standard data presentation so that
applications can exchange data in a meaningful manner across a network. The
(Layer 6) sending device converts data into a standard format for transmission on the
network. The receiving device converts the data sent in this standard format to
Application Layer The Application Layer is the layer closest to the end user of a system.
Software applications provide a means for end users to interface with a device
(Layer 7) to transmit and receive data. The Application Layer provides the interface
between the end user and software applications that a system uses to process
data over the network. Application Layer protocols define rules for
communicating with network applications in a standardized format.
Broadcast Domain A
2nd Floor
Router
Broadcast Domain B
1st Floor
Figure G.1 Network Illustration Not Utilizing VLANs
Figure G.2 shows the same physical network utilizing VLANs. Broadcast
Domain A now consists of Device A and Device D without requiring Device
A to physically move to the 2nd floor. This can be useful when assigning
VLANs to functional or departmental roles within an organization. Lets
assume VLAN 10 was created for the Human Resources department that
contains network resources spread throughout the 1st and 2nd floors. Without
the use of VLANs, all network resources for the Human Resources
department would need to be physically located on the same floor. As you can
see in Figure G.2, VLAN membership is independent of physical location.
2nd Floor
Router
Broadcast Broadcast Broadcast
Domain A Domain B Domain C
1st Floor
192.168.0.0
192.168.1.0
Route Advertisements
192.168.2.0
192.168.0.0
192.168.1.0
192.168.2.0
192.168.(...).0 ...
192.168.253.0
192.168.254.0
192.168.253.0 192.168.255.0
192.168.254.0
192.168.255.0
192.168.0.0
192.168.1.0
192.168.2.0
Route Advertisements
192.168.(...).0
192.168.0.0/16
192.168.253.0
192.168.254.0
192.168.255.0
CIDR has carried over to use in private network RFC 1918 addresses, through
the use of CIDR notation when defining the subnet mask and in simplifying
internal routing tables. CIDR notation uses the format where the network ID
and associated subnet mask are listed as xxx.xxx.xxx.xxx/n. The value n is the
number of leftmost bits set to a value of 1 in the mask. A traditional classful
depiction of a network ID and subnet mask would be as follows:
Network ID: 192.168.1.0
Subnet Mask: 255.255.255.0 (dotted decimal notation)
To take the above example and convert it to CIDR notation, you would need to
count the number of leftmost bits set to a value of 1 in the binary notation of
the subnet mask. The binary notation of the subnet mask of 255.255.255.0
would be 11111111.11111111.11111111.00000000. There are 24 bits set to a
value of 1, so n would equal 24. The CIDR notation would be 192.168.1.0/
24. The table below provides additional information about CIDR and the
equivalent dotted decimal notation.
/1 128.0.0.0 1 31 2,147,483,646
/2 192.0.0.0 2 30 1,073,741,822
/3 224.0.0.0 3 29 536,870,910
/4 240.0.0.0 4 28 268,435,454
/5 248.0.0.0 5 27 134,217,726
/6 252.0.0.0 6 26 67,108,862
/7 254.0.0.0 7 25 33,554,430
/8 255.0.0.0 8 24 16,777,214
/9 255.128.0.0 9 23 8,388,606
/10 255.192.0.0 10 22 4,194,302
/11 255.224.0.0 11 21 2,097,150
/12 255.240.0.0 12 20 1,048,574
/13 255.248.0.0 13 19 524,286
/14 255.252.0.0 14 18 262,142
/15 255.254.0.0 15 17 131,070
/16 255.255.0.0 16 16 65,534
/17 255.255.128.0 17 15 32,766
/18 255.255.192.0 18 14 16,382
/19 255.255.224.0 19 13 8,190
/20 255.255.240.0 20 12 4,094
/21 255.255.248.0 21 11 2,046
/22 255.255.252.0 22 10 1,022
/23 255.255.254.0 23 9 510
/24 255.255.255.0 24 8 254
/25 255.255.255.128 25 7 126
/26 255.255.255.192 26 6 62
/27 255.255.255.224 27 5 30
/28 255.255.255.240 28 4 14
/29 255.255.255.248 29 3 6
/30 255.255.255.252 30 2 2
Introduction
In cryptography, X.509 is an International Telecommunication Union standard
for public key infrastructure (PKI). X.509 specifies formats for public key
certificates and validation paths for authentication. The SEL-2730M uses
X.509 certificates in the web server for secure device management, and for
IPsec authentication.
Alice
52ED879E Key Generation
70F71D92 Function
Big Random
Number
Symmetric key cryptography, which has been used in various forms for
thousands of years, uses a single key that both encrypts and decrypts the
message. This key must be shared between the sender and receiver in advance.
If the key cannot be shared securely, the confidentiality of any transmission
encrypted with that key cannot be known.
In public key cryptography, the encryption key is not the same as the
decryption key. If a message is encrypted with the publicly known key, only
the private key can be used to decrypt it. This private key is known only to the
owner of the key pair. Only the sender and the intended receiver will know the
message, ensuring confidentiality.
Bob
Hello
Encrypt
Alice!
Alices Public Key
6EB69570
08E03CE4
Alice
Hello
Decrypt
Alice!
Alices Private Key
Figure I.2 Confidentiality With Asymmetric Keys
Alice
I Will Sign
Pay $500 (Encrypt)
Alices Private Key
DFCD3454
BBEA788A
Bob
I Will Verify
Pay $500 (Decrypt)
Alices Public Key
Figure I.3 Authentication With Asymmetric Keys
X.509 Certificates
Digital certificates, also known as public key certificates, provide a formal
method for associating pairs of asymmetric keys with their owners. You can
use these electronic documents, through the use of digital signatures, to bind
public keys to their owners.
Digital Signatures
A digital signature is a more formal method of authenticating data than an
electronic signature. They can be compared to the wax seals that were placed
on envelopes before email was available. To create a digital signature of data,
you would first compute a hash of the data to be signed and then encrypt that
hash with the signers private key. You would then attach this signature to the
data to be signed. To verify the authenticity of the data, the receivers system
first separates data and signature. The receiver computes a hash of the data and
then uses the issuers public key to decrypt the signature. We compare these
two hashes and, if they match, we know the data are authentic.
Signing Verification
Attach
to Data
101100110101 101100110101
Hash Hash
Web of Trust
Another of the three common uses of digital certificates is in the web of trust.
This is a less formal method of authentication than PKI provides, but is still in
common use. The largest use of the web of trust model is in Pretty Good
Privacy (PGP) used for email security. This model is very similar to PKI in
that a trusted third party is verifying the authenticity of a certificate. The
difference is that this trusted third party is not a CA, but rather a person who
endorses the authenticity of another person. Signing the public key of the
person requiring endorsement (or trust) with the endorsers (trusted entity)
own private key establishes a web of trust. Figure I.5 below illustrates a
simple example of a web of trust. If Alice trusts Bob, and Bob trusts Charlie,
then Alice implicitly trusts Charlie.
Diane
Alice Charlie
Trust
Implicit Trust
Bob
Figure I.5 Web of Trust
in SPKI, because the owner and issuer of the certificate are the same entity.
For SPKI to be secure, certificates must be pre-shared among all entities who
communicate on that system. This ensures that all knowledge for security
decisions resides locally.
Validity
Not Before: Aug 1 00:00:00 1996 GMT
Not After: Dec 31 23:59:59 2020 GMT
Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting
cc,
OU=Certification Services Division,
CN=Thawte Server CA/Email=server-certs@thawte.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d3:a4:50:6e:c8:ff:56:6b:e6:cf:5d:b6:ea:0c:
68:75:47:a2:aa:c2:da:84:25:fc:a8:f4:47:51:da:
85:b5:20:74:94:86:1e:0f:75:c9:e9:08:61:f5:06:
6d:30:6e:15:19:02:e9:52:c0:62:db:4d:99:9e:e2:
6a:0c:44:38:cd:fe:be:e3:64:09:70:c5:fe:b1:6b:
29:b6:2f:49:c8:3b:d4:27:04:25:10:97:2f:e7:90:
6d:c0:28:42:99:d7:4c:43:de:c3:f5:21:6d:54:9f:
5d:c3:58:e1:c0:e4:d9:5b:b0:b8:dc:b4:7b:df:36:
3a:c2:b5:66:22:12:d6:87:0d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
07:fa:4c:69:5c:fb:95:cc:46:ee:85:83:4d:21:30:8e:ca:d9:
a8:6f:49:1a:e6:da:51:e3:60:70:6c:84:61:11:a1:1a:c8:48:
3e:59:43:7d:4f:95:3d:a1:8b:b7:0b:62:98:7a:75:8a:dd:88:
4e:4e:9e:40:db:a8:cc:32:74:b9:6f:0d:c6:e3:b3:44:0b:d9:
8a:6f:9a:29:9b:99:18:28:3b:d1:e3:40:28:9a:5a:3c:d5:b5:
e7:20:1b:8b:ca:a4:ab:8d:e9:51:d9:e2:4c:2c:59:a9:da:b9:
b2:75:1b:f6:42:f2:ef:c7:f2:18:f9:89:bc:a3:ff:8a:23:2e:
70:47