MN-FNS Series Technical Applications Guide - v3


MN-FNS Series Managed

Industrial Ethernet Switches


Application Guide

MN-FNS Series Technical Application Guide (P/N 3102XXX-EN)


Legal Matter
Copyright © 2014 UTC Fire & Security. All rights reserved.

Trademarks and patents


The MN-FNS Series name and Edwards logos are trademarks of UTC Fire & Security.
Cisco and Cisco Technology are registered trademarks of Cisco Systems, Inc.
Windows is a registered trademark of Microsoft, Inc.
Other trade names used in this document may be trademarks or registered trademarks of the
manufacturers or vendors of the respective products.
Manufacturer Edwards, A Division of UTC Fire & Security Americas Corporation, Inc. 8985 Town Center
Parkway, Bradenton, FL 34202, USA

Version 1.00.v3 Issued July 19, 2014

FCC compliance Class A: This equipment has been tested and found to comply with the limits for a
Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide
reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio frequency energy and, if not
installed and used in accordance with the instruction manual, may cause harmful interference to radio
communications. Operation of this equipment in a residential area is likely to cause harmful interference
in which case the user will be required to correct the interference at his own expense.

ACMA compliance Notice. This is a Class A product. In a domestic environment this product may cause
radio interference in which case the user may be required to take adequate measures.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE
OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. EDWARDS, CISCO AND THE
ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING,
WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE
PRACTICE.
IN NO EVENT SHALL EDWARDS, CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT,
SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION,
LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE
THIS MANUAL, EVEN IF EDWARDS, CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

Contact information For contact information, see www.utcfireandsecurity.com.



Contents
MN-FNS Series Managed Industrial Ethernet Switches Application Guide ............... i

Section I - Fundamentals .............................................................................................. 1


Purpose........................................................................................................................ 1
Background .................................................................................................................. 1

Section II - MN-FNS Series Ethernet Switches And Cisco ......................................... 3


Numbers ...................................................................................................................... 3
Section III - Edwards MN-FNS Series Ethernet Switch Applications......................... 5
Cisco Physical-Media Use Cases: ............................................................................... 6
Application 1 - Stand-alone, Class B ........................................................................ 6
Application 2 - Stand-alone, Class X ........................................................................ 7
Application 3 - Stand-alone, Class X core, Class B Spurs........................................ 8
Application 4 - Stand-alone, Class X with multiple cross-segments (“mesh”) ........... 9
Application 5 - Stand-alone star/spoke configuration ............................................. 10
Application 6 - Customer LAN connected ............................................................... 11
Application 7 - Replacing MN-NETSW1 ................................................................. 12
Section IV - MN-FNS Series Ethernet Switch Processing ........................................ 13
Field/System Information ........................................................................................... 14
Section V - Working With CLI ..................................................................................... 17
Example Running-Config File .................................................................................... 18
Common CLI Commands .......................................................................................... 23
Loading the Configuration Text File to the Switch ...................................................... 24
TFTP Server & Console Port CONFIGURATION File Loading .............................. 24
Console-port loading .............................................................................................. 25
CNA method ........................................................................................................... 36
Using SD Flash card............................................................................................... 47
Section VI - Class X Resilient Ethernet Protocol (REP)............................................ 59
REP Configuration Methods....................................................................................... 61
REP Configuration Using Text Files ....................................................................... 61
REP Configuration Using CNA ............................................................................... 61



REP Commands Directly Into Switch ..................................................................... 64
REP Configuration Verification ............................................................................... 66
Section VII - Reloading Switch IOS ............................................................................ 68

Section VIII - Console Port Connections ................................................................... 70


Direct Connection to MN-FNS Switch (Console Port) ................................................ 70
RJ-45 Console Port Method ................................................................................... 70
USB Console Port Method ..................................................................................... 71
Connecting the Console Port via USB .................................................................... 81
Section IX - Troubleshooting ...................................................................................... 84
Diagnosing Problems ................................................................................................. 84
Bad or Damaged Cable .......................................................................................... 84
Ethernet and Fiber-Optic Cables ............................................................................ 84
Link Status.............................................................................................................. 85
10/100 and 10/100/1000 Port Connections ............................................................ 85
SFP Module ............................................................................................................ 85
Interface Settings.................................................................................................... 86
Ping End Device ..................................................................................................... 86
Spanning Tree Loops ............................................................................................. 86
Switch Performance ................................................................................................... 87
Speed, Duplex, and Autonegotiation ...................................................................... 87
Autonegotiation and Network Interface Cards ........................................................ 87
Cabling Distance .................................................................................................... 87
Section X - Master Reset of the Switch...................................................................... 88
Section XI - MN-FNS Series Ethernet Switch LEDs .................................................. 90
MN-FNS8C18F2 LED description .......................................................................... 95
MN-FNS4C2F3 and MN-FNS8C2F3 Relay Connection ......................................... 96
MN-FNS8C18F2 Relay Connection........................................................................ 97
Section XII - Annex .................................................................................................... 100
Serial Console Cable Pin Out .................................................................................. 100
Switch Configuration Sheet ...................................................................................... 101

Section XIII - Glossary of Terms ............................................................................... 103



Section XIV - Frequently Asked Questions (FAQs) ................................................ 126
Specifications ....................................................................................................... 130
Regulatory information ......................................................................................... 130
Contact information .............................................................................................. 130



Section I - Fundamentals
Purpose
This document provides information to support the technician/engineer in the initial setup of
MN-FNS Series Industrial Ethernet switches and the installation and use of the tools
associated with managing and trouble-shooting these devices.

Background
The Edwards FireWorks® and Emergency Communication Systems/Mass Notification
Systems/Life Safety Systems (ECS/MNS/LSS) all use static IP addressing. This means that
each and every IP device on an Edwards network must be properly configured for that network,
or it will not function correctly, or at all.
This document is intended to be used by technicians/engineers certified by the Edwards
Learning Center (ELC) on the MN-FNS Series Industrial Ethernet switches and accessories.
These procedures require knowledge of the MN-FNS switches, their components, software,
options, and configuration. Expertise with Microsoft® Windows® 7 or higher operating systems
and computer operations is essential.

• All the released MN-FNS Series Ethernet Switches connect to each other by way of two
optical fiber filaments
• Optical Fiber can be multimode or single mode

• “Edge” devices are Edwards devices such as:

o FireWorks® workstations

o MN-FVPN VoIP modules

o MN-NETRLY4 I/O modules

o MN-COM1S Protocol converter modules

• Edge devices connect to MN-FNS switches with Cat 5, Cat 5e and/or Cat 6 cable
(“Ethernet” cable), usually unshielded twisted pair (UTP)

• All Edwards network devices use static (fixed) IP addresses

This document was developed in a Windows® 7 environment using:


• Cisco Network Assistant (CNA) software 6.0

• HyperTerminal Private Edition 6.3

• TFTPd32 and TFTPd64 TFTP and DHCP server software, version 4.5, by Philippe
Jounin.



The following are minimum computer requirements:

• Windows 7 Professional or Ultimate computer system with:

o Service Pack 1

o Full administrator rights

o Unrestricted internet access

o Unrestricted USB port operation

 Some companies “lock out” USB ports. The MN-FNS Series Ethernet
Switches are seen as a “USB drive” by Windows computer systems.

o 4 GB system RAM

o 200 GB Hard drive space

o 10/100/1000 Ethernet port

• TFTP and DHCP server software version 4.5

• Cisco Network Assistant version 6.0

• Cisco USB Console Utility Program

• HyperTerminal, Putty or other Telnet/terminal server software


The technician will also need:

• Heavy-duty paper clips (for accessing the Express Setup switch)

• USB cable (USB A male to USB Mini-b (5-pin) male), at least 6’ long

o In lieu of the USB, you can also use a Cisco 72-3383-01 RJ45 RS232 to DB9
cable and a USB-to-DB9 serial adapter cable

• Edwards MN-FNS Series Ethernet Switch file set

o Downloadable from the Edwards MyEddie website

• 4 Cisco 1 GB SD cards

• Needle-nose pliers (to remove the SD cards)

• Small-blade (e.g. “watchmaker”) screwdrivers (for wire connections and switch terminal
removal)

• Anti-static tools



Section II - MN-FNS Series Ethernet Switches And Cisco
The UL 864 Listed MN-FNS Series Ethernet Switches, SFPs and certain other units are based
on certain Cisco models. This document refers to the units by their Edwards Stock Keeping
Unit (SKU) number and names. In the switch software or IOS, they are usually referred to by
their Cisco SKUs.
Below is the correlation table for Edwards hardware SKUs to Cisco IOS references:
Edwards SKU    Description                                                   Cisco IOS reference
MN-FNS4C2F3    4 Fast Ethernet (RJ45), 2 GB SFP, Layer 3 Lite. 24 VDC.       IE-2000-4TS-G-B-U
MN-FNS8C18F2   Rack-mount, 8 Fast Ethernet (RJ45), 16 FE SFP, 2 GB Combo     IE-3010-16S-8PC-U
               SFP/RJ45, Layer 2. Requires power supply modules.
MN-FNS8C2F3    8 Fast Ethernet (RJ45), 2 GB Combo SFP/RJ45, Layer 3 Lite.    IE-2000-8TC-G-B-U
               24 VDC.
With respect to Cisco IOS terminology:
• LAN Lite – Reduced Layer 2 functionality IOS. Supports SSH & SNMPv3. Does not
support QoS and other features. Not used on Edwards solutions.

• LAN Base – Robust, full Layer 2 IOS. Supports QoS, port security and static routing
features. Standard on all MN-FNS Series Ethernet Switches.

• IP Services – Optional only on the MN-FNS8C18FL2 Ethernet Switch. Supports full
Layer 2+ and full Layer 3 routing (IP unicast routing, IP multicast routing and fallback
bridging).

Numbers
• Maximum switches in a CNA community (Version 6.0): 80

• Maximum number of switches in a REP segment: 40



Section III - Edwards MN-FNS Series Ethernet Switch Applications
The Cisco Physical-media Ethernet switches are managed and can operate in OSI Layer 2
(LAN Lite), Layer 3 Lite (LAN Base) or full Layer 3, depending on model and IOS. The system
supports single-mode and multi-mode fiber. Most applications use dual-filament fiber; there is
one single-mode single-filament variant. The type of fiber and the number of filaments are
not critical to the Use Cases.
All deployments will be configured to support multicasting.
Common parameters:
1. Static IPv4 address per switch – not DHCP

2. VLAN 1 for administration (IP address required to be set)

3. VLAN for REP administration (IP address not required)

4. When stand-alone on a single network, cabinet switches will use LAN Base. Rack switches
will use LAN Base

5. When using multiple networks or customer LAN, cabinet switches will use LAN-base.
Rack switches will use Layer 3 and may function as routers.

6. Backhaul ports set at 1GB

7. All copper data ports set for autosensing

8. MN-NETSW1 switches use ST connectors. MN-FNS switches use LC connectors.



Cisco Physical-Media Use Cases:
Application 1 - Stand-alone, Class B

This configuration will use:


1. Layer 3 “Lite” (Cisco LAN Base) class operation

2. Encryption not required, but may be used

3. Switch digital inputs not used

4. Relay programmed for power failure and major fault

5. May have some MN-NETSW1 (multimode) in network

6. Can T-tap the network at the switch



Application 2 - Stand-alone, Class X

This configuration will use:


1. Layer 3 Lite (LAN Base) class operation

2. Encryption not required, but may be used

3. Switch digital inputs not used

4. Relay programmed for REP and major fault

5. REP configuration

6. Legacy MN-NETSW1 cannot be used



Application 3 - Stand-alone, Class X core, Class B Spurs

This configuration will use:


1. Layer 3 Lite (LAN Base) class operation

2. Encryption not required, but may be used

3. Switch digital inputs not used

4. Relay programmed for REP and major fault

5. REP configuration for master ring

6. Legacy MN-NETSW1 cannot be used in master ring, but can be used in Class B
taps. See Application 7 for connection information



Application 4 - Stand-alone, Class X with multiple cross-segments (“mesh”)

This configuration will use:


1. Layer 3 Lite (LAN Base) class operation

2. Encryption not required, but may be used

3. Switch digital inputs not used

4. Relay programmed for REP and major fault

5. REP configuration

6. Cross-links are separate segments

7. Legacy MN-NETSW1 cannot be used



Application 5 - Stand-alone star/spoke configuration

This configuration will use:


1. Layer 3 Lite (LAN Base) class operation

2. Encryption not required, but may be used

3. Switch digital inputs not used

4. Relay programmed for power and major fault

5. Legacy MN-NETSW1 may be used



Application 6 - Customer LAN connected

This configuration will use:


1. Not supported by UTC Tech Services – requires local IT support

2. Layer 3 Lite (LAN Base) class operation and full Layer 3 class operation

3. Encryption required

4. VLAN must be set up on customer LAN for system data

5. Switch digital inputs not used

6. Relay programmed for power and major fault

7. Legacy MN-NETSW1 cannot be used



Application 7 - Replacing MN-NETSW1

This configuration will use:


1. Mounting brackets will have to be replaced with new ones

2. ST to LC multimode fiber patch cables and barrel connectors must be used. Check
the dB loss.



Section IV - MN-FNS Series Ethernet Switch Processing
It is STRONGLY recommended that the MN-FNS Series Ethernet Switches be unpacked,
configured, programmed, tested and labeled in an office or work area before they are installed
in the field.
For labeling, it is recommended that a tool such as a Brother™ P-touch® or similar device be
used. When printing the switch labels, it is recommended that at least 2 copies be printed –
the first is applied directly to the switch itself and the second is sent to the installation location
with the switch and is applied to the mounting bracket that covers the switch or to the
enclosure that the switch is installed in.
For switch label information, Edwards recommends at least the following:

• Switch location (e.g. Building 533, Room 17, Panel 4)

• Switch administrative VLAN IP address (e.g. 192.168.2.77)

Example MN-FNS label:

For initial switch configuration, if done prior to installation, the loading of the Configuration Text
file is the most efficient. Once switches are up and running, CNA is usually the best method
for servicing the switches.



Field/System Information
Before you start to configure and program a network, best practice dictates that you
evaluate the system and document the work that has to be done. This includes:

• Reviewing project specifications and requirements

• Reviewing local and national codes, standards & regulations

• Determine whether the network will be dedicated or non-dedicated. If non-dedicated, the site
IT team must do, or at least be intimately involved with, the layout and deployment.
Connecting to a customer (non-dedicated) network is NOT supported by Edwards and
requires local IT support.

• Review security requirements

o Physical security

o Network/Data security

• Reviewing or determining fiber runs

o Routing

o Class A loop-backs

o Class B & Class B Spurs

o Lengths

o Fiber types

o Fiber connectors

o Locations

o Accessibility

• Determine where edge (Ethernet) devices will go

o Types

o Quantities

o Use/application

o Power requirement



o Mounting requirements

o Accessibility

• Determine where MN-FNS Series Ethernet switches and accessories will go

o Types

o Quantities

o Use/application

o Power requirement

o Mounting requirements

o Accessibility

o Monitoring of switch relay contacts

• Layout of network

o REP segments

 Edge Primary

 Edge

 Transit

o VLAN requirements

o IP & subnet addressing

 Complete the MN-FNS Series Ethernet Switch Configuration Sheet (see Annex) for each
and every switch.

 Determine and log ALL IP addresses
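As an added example (not part of the guide and not Edwards or Cisco code), the following Python script checks a filled-in configuration sheet against the planning points above and the requirement in Section V that the programming computer share the switches' subnet: every logged VLAN 1 address is unique, all switches and the TFTP host fall inside one management subnet, and no switch sits on a network or broadcast address. The hostnames, addresses and TFTP host are constructed sample values.

```python
"""Check the IP plan from the per-switch Configuration Sheets (added example).

This is not Edwards or Cisco code. The rows below are constructed sample
data in the shape of the sheet: hostname, VLAN 1 address, subnet mask.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample plan. Two rows carry deliberate mistakes so the checks
# have something to report: a duplicated address and an address outside the
# management subnet.
SAMPLE_PLAN: List[Tuple[str, str, str]] = [
    ("Bldg533-Rm17-Panel4", "172.16.3.13", "255.255.0.0"),
    ("Bldg533-Rm18-Panel1", "172.16.3.14", "255.255.0.0"),
    ("Bldg533-Rm20-Panel2", "172.16.3.13", "255.255.0.0"),    # duplicate
    ("Bldg534-Rm01-Panel1", "192.168.2.77", "255.255.255.0"),  # other subnet
]
# Constructed address for the technician PC running the TFTP server.
SAMPLE_TFTP_HOST = "172.16.3.2"


def check_ip_plan(plan: List[Tuple[str, str, str]], tftp_host: str) -> Dict[str, list]:
    """Return the problems found in the plan, grouped by category.

    The management subnet is taken from the first row; every switch and the
    TFTP host must fall inside it, addresses must be unique, and no switch
    may sit on the network or broadcast address of its subnet.
    """
    problems: Dict[str, list] = {
        "duplicate_ip": [],      # (hostname, hostname already using it, address)
        "subnet_mismatch": [],   # hostnames (or "tftp-server") outside the subnet
        "unusable_host": [],     # hostnames on a network/broadcast address
    }
    if not plan:
        return problems
    management_net = ipaddress.IPv4Interface(f"{plan[0][1]}/{plan[0][2]}").network
    owner_of: Dict[str, str] = {}
    for hostname, addr, mask in plan:
        iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
        if iface.network != management_net:
            problems["subnet_mismatch"].append(hostname)
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems["unusable_host"].append(hostname)
        if addr in owner_of:
            problems["duplicate_ip"].append((hostname, owner_of[addr], addr))
        else:
            owner_of[addr] = hostname
    # The PC serving the CONFIGURATION file must be on the same subnet.
    if ipaddress.IPv4Address(tftp_host) not in management_net:
        problems["subnet_mismatch"].append("tftp-server")
    return problems


def plan_is_clean(plan: List[Tuple[str, str, str]], tftp_host: str) -> bool:
    """True when no category reported anything."""
    return not any(check_ip_plan(plan, tftp_host).values())


if __name__ == "__main__":
    for category, items in check_ip_plan(SAMPLE_PLAN, SAMPLE_TFTP_HOST).items():
        for item in items:
            print(f"{category}: {item}")
```

Replace SAMPLE_PLAN with the rows from the real sheets and SAMPLE_TFTP_HOST with the programming computer's address; an empty result from every category means the addresses are ready to be typed into the template files.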



Section V - Working With CLI
Command Line Interface (CLI) is a powerful text-based method for configuring the MN-FNS
Series Ethernet Switches. It can be applied in two ways:
1) By editing a text file (NOT a “Word” file) and then loading it into the switch, and/or

2) By logging into the switch itself and making changes directly.
Until the technician becomes very comfortable with the use of CLI and CNA, it is recommended
that the text file method be used, as it provides an easy visual check of the operating
parameters of the switch.
When you are working with CNA and writing to the switch, the CNA program actually converts
what you have entered and loads it into the switch in CLI format.
There are hundreds of possible CLI commands. With the MN-FNS Series Ethernet Switches,
only a few are actually used.
The default Edwards MN-FNS Series Ethernet Switch configuration files set up certain
defaults:

• REP Administrator VLAN is 2

• Trunkport VLAN is 1

• Default password is edwards

• Default EXEC password is sdrawde

• Level 15 password is configured

• Default is Eastern Standard Time zone (EST)

• Switch relay is set to operate on:

o 1

• Gigabit ports are set to NO SHUTDOWN



Example Running-Config File

The following is a sample of a RUNNING-CONFIG file for an MN-FNS8C2F3 switch:

!MN-FNS8C2F3 Switch Template file for EST Class 071614ms1 - Class B


!Do not change any lines unless comments start with CHANGE
!CHANGE is your indication that it is OK to edit the line below IF NEEDED
!If CHANGE is not there, LEAVE IT ALONE - READ AGAIN - LEAVE IT ALONE
!DO NOT CHANGE ANY OTHER LINES UNLESS DIRECTED TO DO SO BY EDWARDS TECHNICAL SUPPORT 1-800-655-4497
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!CHANGE Hostname is the switch name - max 63 letters & numbers or dashes, no spaces or any other characters
!
hostname MySwitchNameGoesHere
!
!CHANGE Edwards default VLAN for REP is 2
!
rep admin vlan 2
!
boot-start-marker
boot-end-marker
!
!CHANGE If using a switch and you want to also use the B (2nd) power riser or 2nd power supply, remove the ! in front of the "power-supply dual" line below
!
!power-supply dual
!
enable secret 5 $1$3bYC$Cva53IjYo7.GZ68K2mr7b/
enable password 7 06030B364D5C0D0A
!
username edwards privilege 15 secret 5 $1$GDJG$PHba1q6YRNZFplg1045s8.
no aaa new-model
!
!CHANGE Times zones: EST, -5; CST, -6; MST, -7; PST -8
!
clock timezone EST -5 0



!
!CHANGE Comment out the line below if the time does NOT change
!
clock summer-time EDT recurring
!
system mtu routing 1500
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!CHANGE The alarm profiles should be left alone unless different operation is required
!
alarm profile defaultPort
alarm not-operating
syslog not-operating
notifies not-operating
!
alarm profile Class_X
alarm link-fault not-operating
syslog link-fault not-operating
relay-major link-fault not-operating
!
!CHANGE This command operates the switch relay when power issue comes up
!
alarm facility power-supply relay major
!
!CHANGE This command sends SNMP signal to FireWorks when power issues come up
!
alarm facility power-supply notifies
!
vlan internal allocation policy ascending
!
vlan 2
name rep
!
lldp run
!
!CHANGE The following are for the Copper RJ45 ports - they default to VLAN1 unless commanded to other VLAN.
!CHANGE as needed.
!
interface FastEthernet1/1
description 1st 10-100
switchport mode access
spanning-tree portfast
!



interface FastEthernet1/2
description 2nd 10-100
switchport mode access
spanning-tree portfast
!
interface FastEthernet1/3
description 3rd 10-100
switchport mode access
spanning-tree portfast
!
interface FastEthernet1/4
description 4th 10-100
switchport mode access
spanning-tree portfast
!
interface FastEthernet1/5
description 5th 10-100
switchport mode access
spanning-tree portfast
!
interface FastEthernet1/6
description 6th 10-100
switchport mode access
spanning-tree portfast
!
interface FastEthernet1/7
description 7th 10-100
switchport mode access
spanning-tree portfast
!
interface FastEthernet1/8
description 8th 10-100
switchport mode access
spanning-tree portfast
!
!CHANGE The Gigabit ports are used for trunk, or inter-switch communications
!
interface GigabitEthernet1/1
description Upper GB Port
switchport trunk native vlan 1
switchport trunk allowed vlan 1-999
switchport mode trunk
!CHANGE - if using REP, remove ! from next line and set segment and edges where required
!rep segment 3
no shutdown
media-type rj45



duplex full
srr-queue bandwidth share 1 19 40 40
priority-queue out
mls qos trust cos
macro description cisco-ie-switch
alarm profile Class_X
spanning-tree link-type point-to-point
!
!CHANGE The Gigabit ports are used for trunk, or inter-switch communications
!
interface GigabitEthernet1/2
description Lower GB Port
switchport trunk native vlan 1
switchport trunk allowed vlan 1-999
switchport mode trunk
!CHANGE - if using REP, remove ! from next line and set segment and edges where required
!rep segment 3
no shutdown
media-type rj45
duplex full
srr-queue bandwidth share 1 19 40 40
priority-queue out
mls qos trust cos
macro description cisco-ie-switch
alarm profile Class_X
spanning-tree link-type point-to-point
!
!CHANGE This is the IP address for the base switch. This MUST be changed for each switch
!
interface Vlan1
ip address 172.16.3.13 255.255.0.0
!
ip http server
ip http authentication local
ip http secure-server
!
line con 0
password 7 0203004C0A140B32
login
line vty 0 4
password 7 0001171105490F15
login
line vty 5 15
password 7 0001171105490F15
login
!



end

The ! in the file indicates that the switch is to ignore that line or command. This is helpful for
inserting comments or for commenting out a command. Please note that if you comment out a
command – the switch ignores that line and generally does not post a fault.
The following is a breakdown of the sections that can be changed for the MN-FNS Series
Ethernet Switches. If an item in the example above does not have a CHANGE comment above it,
or is not in this list, do NOT alter it.
1. hostname MySwitchNameGoesHere

a. This is the switch name that posts in CNA and when the switch is accessed.
After the command “hostname” is the switch name. It must start with a letter, end
with a letter or digit and have interior characters of only letters, digits and/or
hyphens WITHOUT spaces (spaces are not allowed). Maximum of 63 characters

2. power-supply dual

a. If the switch will have dual power supplies or risers, uncomment this line (remove
! at beginning of line)

3. clock timezone EST -5 0

a. Set to timezone (US & Canada) where switch is being installed.

4. clock summer-time EDT recurring

a. If switch is being installed in a location where time does not shift, place a ! at the
beginning of this line

5. rep segment 3

a. If port is part of a REP segment, remove comment from beginning of line and put
in appropriate REP segment NUMBER

6. interface Vlan1
ip address 10.0.0.12 255.255.0.0
a. Change this IPv4 address and subnet to match what your application and design
requires
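The following Python script is an added example, not Edwards or Cisco code, that runs the pre-flight checks a technician would want before loading a CONFIGURATION text file: that the file is plain text rather than a “Word” file (Section V), that the CHANGE items above were actually done (hostname changed from the placeholder and valid under the naming rule in item 1, VLAN 1 address changed from the template's 172.16.3.13, REP uncommented on both Gigabit ports or on neither), and that settings a reviewer would want a second look at are reported: type 7 passwords, which IOS stores with a reversible encoding, plain HTTP management, and vty lines with no transport input restriction. The config excerpt is constructed in the shape of the template above; the secret shown is a labelled placeholder, not a real hash.

```python
"""Pre-flight audit of an MN-FNS CONFIGURATION text file (added example,
not Edwards or Cisco code): checks the CHANGE items and management hygiene."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of the template. Hostname and VLAN 1
# address are left at the placeholders on purpose; REP is enabled on one port.
SAMPLE_CONFIG = """\
!MN-FNS8C2F3 Switch Template file - Class B
hostname MySwitchNameGoesHere
!
enable secret 5 $1$PLACEHOLDER$not-a-real-hash
enable password 7 06030B364D5C0D0A
!
interface GigabitEthernet1/1
 switchport mode trunk
 !rep segment 3
!
interface GigabitEthernet1/2
 switchport mode trunk
 rep segment 3 edge
!
interface Vlan1
 ip address 172.16.3.13 255.255.0.0
!
ip http server
!
line vty 0 4
 password 7 0001171105490F15
 login
!
end
"""

# Naming rule from item 1: starts with a letter, ends with a letter or digit,
# interior letters, digits and hyphens only, 63 characters at most.
HOSTNAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
TEMPLATE_HOSTNAME = "MySwitchNameGoesHere"  # placeholder in the template
TEMPLATE_IP = "172.16.3.13"                 # VLAN 1 address in the template


def looks_like_plain_text(data: bytes) -> bool:
    """True for printable ASCII plus tab/CR/LF; a .doc or .docx saved by
    mistake starts with a binary signature and fails this check."""
    return all(b in (9, 10, 13) or 32 <= b < 127 for b in data)


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS-style config into global lines and per-block lines.
    Indentation is not relied upon (copies often lose it): a block runs from
    its 'interface ...' or 'line ...' header to the next bare '!' separator."""
    global_lines: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                   # separator closes any open block
            current = None
        elif line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, blocks


def audit_config(text: str) -> List[str]:
    """Return human-readable findings for the CHANGE items and hygiene checks."""
    findings: List[str] = []
    global_lines, blocks = parse_config(text)
    # Item 1: hostname set, not the placeholder, and valid under the rule.
    hostname = next((l.split(None, 1)[1] for l in global_lines
                     if l.startswith("hostname ")), None)
    if hostname is None:
        findings.append("hostname missing")
    elif hostname == TEMPLATE_HOSTNAME:
        findings.append("hostname still set to template placeholder")
    elif not HOSTNAME_RE.match(hostname):
        findings.append(f"hostname {hostname!r} breaks the naming rule")
    # Item 6: the VLAN 1 address must be changed for every switch.
    for line in blocks.get("interface Vlan1", []):
        if line.startswith("ip address ") and line.split()[2] == TEMPLATE_IP:
            findings.append("interface Vlan1 still uses the template IP address")
    # Item 5: REP uncommented on both trunk ports, or on neither.
    rep_on = [n for n, ls in blocks.items() if any(l.startswith("rep segment") for l in ls)]
    rep_off = [n for n, ls in blocks.items() if any(l.startswith("!rep segment") for l in ls)]
    if rep_on and rep_off:
        findings.append(f"rep segment commented out on {', '.join(rep_off)} "
                        f"but active on {', '.join(rep_on)}")
    # Hygiene: type 7 is reversible encoding, not protection; plain HTTP and
    # an unrestricted vty transport expose management logins.
    for where, lines in [("global", global_lines)] + list(blocks.items()):
        for line in lines:
            if re.search(r"\bpassword 7\b", line):
                findings.append(f"type 7 (reversible) password in {where}")
    if "ip http server" in global_lines:
        findings.append("plain HTTP management enabled (ip http server)")
    for name, lines in blocks.items():
        if name.startswith("line vty") and not any(l.startswith("transport input") for l in lines):
            findings.append(f"{name}: no 'transport input' line; confirm telnet is not exposed")
    return findings
```

To use it on a real file, read the file as bytes, run `looks_like_plain_text` first, then pass the decoded text to `audit_config`; an empty findings list is the go signal for the TFTP or SD card load, and each hygiene finding is a line to raise with whoever owns the template before it is copied to forty switches.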



Common CLI Commands
Configuration:

• config t

• config interface

• copy ru st
Show:

• show ip int br

• show run



Loading the Configuration Text File to the Switch
There are three methods to load the Configuration Text file to the switch:

1. Using TFTP Server & Console Port

2. Using CNA

3. Using the SD Flash Card

TFTP Server & Console Port CONFIGURATION File Loading


1. The computer must be in the same IP range/subnet as the switches you are programming.

2. Switch is not considered done until it has been tested:

a. Data must be accessed via the switch

b. If REP, the REP must be tested

c. If dual power, power reporting must be monitored.



Console-port loading
Note – for this to work you must be connected to the switch with BOTH the Console cable AND
an Ethernet cable

Figure: Console connection for TFTP loading to/from MN-FNS Series Ethernet switches
(071714ms1). The powered-up MN-FNS Series Ethernet switch connects to the computer running
the TFTP server software and the Cisco USB COM driver with two cables: a Cat 5e or better
Ethernet cable and a USB A to Mini B cable. Both cables must be connected to work with
Console & TFTP.
1. Load CONFIGURATION file (in examples here, file is called 152CAB8BClass.txt) into a
known directory. In the examples below, the folder is on the E drive, CSFI directory.

2. Start the TFTP server by double-clicking on the icon on the desktop.

a. Note – the screen captures in this example are of the 64 bit version of the TFTP
server – the 32 bit version also works for this application.

3. Select Server interface from pull-down.



4. Navigate to directory where CONFIGURATION file is located by using the Browse
button and map.

5. Click on the Show Dir button



6. Click on the file you will be loading, then click Copy

7. Close the directory window by clicking the Close buttons

8. Minimize, but DO NOT close the TFTP server



9. Console-connect to the switch using the USB or RJ45 (RS232) connection.
a. Use HyperTerminal, Telnet or PuTTY to start a terminal emulation session.
b. Set port to:
i. Speed (baud rate): 9600
ii. Data bits: 8
iii. Stop bits: 1
iv. Parity: None
v. Flow control: None

10. Once the session opens, press Enter. The switch will display a password prompt.

11. Password is edwards

12. Type enable

13. Password is sdrawde

14. Type the following command:


copy tftp://172.16.3.2/152CAB8BClass.txt flash:run

15. This copies the 152CAB8BClass.txt file from the TFTP server to the switch and stores
it in flash under the name run. The run file can be copied again if needed.

16. When you press Enter, the switch asks whether you want to name the destination file
run. Press Enter to accept.

17. The switch will now copy the file and report that it has done so (this may take a few
seconds).

18. Once the switch has copied the file over, it will return to the EXEC (#) prompt.

19. At the prompt, type in the following command:


copy flash:run system:running-config
20. The switch asks you to confirm the destination file name – READ THIS TO MAKE SURE
YOU DID NOT MAKE A TYPO – then press Enter

21. Press Enter

22. The switch will then respond with:

23. Click enter and the switch will display the EXEC prompt again

24. Note that the name of the switch in this example has changed from 4PortNoTape to
MySwitchNameGoesHere

25. At the prompt, type the following command:
copy ru st
26. This command copies the RUNNING-CONFIG file to the STARTUP-CONFIG on the
switch

27. Click Enter

28. The switch will ask you if you want to use the default name as shown, click Enter

29. Click Enter

30. Once the switch has responded with OK, it has saved all your files and is ready to go.
If you are not sure, type wr at the prompt, then press Enter. The switch will write the files to
NVRAM again.

31. Type exit

32. Switch is now ready for testing.

CNA method
1. Load CONFIGURATION file (in examples here, file is called 152CAB8BClass.txt) into a
known directory. In the examples below, the folder is on the E drive, CSFI directory.

2. Start the TFTP server by double-clicking on the icon on the desktop.

a. Note – the screen captures in this example are of the 64 bit version of the TFTP
server – the 32 bit version also works for this application.

3. Select Server interface from pull-down.

4. Navigate to the directory where the CONFIGURATION file is located by using the Browse
button and map.

5. Click on the Show Dir button

6. Click on the file you will be loading, then click Copy

7. Close the directory window by clicking the Close buttons

8. Minimize, but DO NOT close the TFTP server

9. Start CNA and select the Community.

10. Click OK

11. The switch will prompt with a credentials screen – use edwards as the username and
sdrawde as the password

12. Click OK

13. Select the switch you want to reload the CONFIGURATION file to by right-clicking on
the switch.

14. Select Telnet

15. Password is edwards

16. At the switch prompt, type enable

17. Password is sdrawde

18. You are now at the EXEC (#) prompt

19. At the EXEC prompt, type in the command:
copy tftp://172.16.3.2/152CAB8BClass.txt flash:run
20. The system will then prompt you to confirm the file name. Press Enter.

21. If the file already exists, the switch will ask you to confirm overwriting the
file. Press Enter.

22. The switch will now copy the file and indicate that it has completed the copy command
by returning to the EXEC prompt.

23. Type in the following command:
copy flash:run system:running-config

24. Click Enter.

25. The system will ask to confirm the file name. Click Enter.

26. The system will then display that it has copied the file by going back to the EXEC
prompt.

27. At the prompt, type the following command:


copy ru st
28. The switch will ask to confirm the file name. Press Enter.

29. Click Enter.

30. The switch will return to the EXEC prompt.

31. You can use the wr command to verify that the NVRAM was written to.

32. The switch will now go back to the EXEC prompt. Type exit, then press Enter.

33. You are done with the TELNET session.

34. Refresh the CNA.

35. Save

36. Test the switch.

Using SD Flash card

This procedure can only be used on the MN-FNS4C2F3 and MN-FNS8C2F3 switches. Do
not use this procedure on the MN-FNS8C18F2 switch.
1. Copy the CONFIGURATION file onto a 1GB SD Flash card.

2. Unscrew the SD Flash cover on the MN-FNS4C2F3 or MN-FNS8C2F3 switch – caution
– the screw may fall out.

3. Console-connect into the switch using the USB or RJ45 (RS232) connection.

a. Use HyperTerminal, Telnet or PuTTY to start a terminal emulation session.

b. Set port to:

i. Speed (baud rate): 9600

ii. Data bits: 8

iii. Stop bits: 1

iv. Parity: None

v. Flow control: None

4. Once the session opens, press Enter. The switch will display a password prompt.

5. Password is edwards

6. Type enable

7. Password is sdrawde

8. Insert the SD Flash card. The switch will see it. In the example below, the SD card
being used is NOT a standard Cisco unit.

9. Press Enter to get back to the EXEC (#) prompt

10. Type in the following command:
dir sdflash:
11. Press enter.

12. The switch will now display the files on the SD Flash.

13. At the prompt, type the following command:


copy sdflash:152CAB8BClass.txt flash:run

14. Click Enter.

15. The switch will ask for confirmation of the file name. Click Enter.

16. The switch should display that the copy has completed and has returned to the prompt.

17. Type the following command:
copy ru st
18. Press Enter.

19. The system will prompt for a file name confirmation. Press Enter.

20. Press Enter.

21. The switch will show that the command is being saved. Press Enter.

22. The switch will show the command has been completed and return to the prompt.

23. Type in the following command:
copy ru st
24. Press Enter.

25. The switch will prompt for a file name confirmation. Press Enter.

26. The switch will show the command has been executed and return to the prompt.

27. You can use the wr command to verify that the switch has written the file set to NVRAM.

28. The switch will display that it has completed the task.

29. You can now exit the switch.

30. The switch is now ready to be tested.

Section VI - Class X Resilient Ethernet Protocol (REP)
ECS/MNS/LSS Class X Resilient Ethernet Protocol (REP) on the MN-FNS
Series Ethernet switches
An ECS/MNS/LSS Class X topology consists of a minimum of two MN-FNS
Series Ethernet switches connected in a programmed closed ring called a REP
Segment. The switch-to-switch connections are made using the appropriate
module ports (typically gigabit trunk ports 1 and 2) on each switch.
Fiber optic connections are required for connections longer than 20’ (6.096 m)
and/or that are not mechanically protected and/or that are not in the same
room.
REP ports must be configured as Layer 2 Trunk ports.
The ports in a REP Segment are defined as either Transit (data pass-through) or
Edge (Class X control) ports.
There are a maximum of two edge ports on a given numbered segment. These
are on the same switch in an ECS/MNS/LSS Class X Signaling Line Circuit. The
Edge Primary is the “data out” port of the segment. This is where the REP
monitoring signal is emitted. The mate to the Edge Primary is called the Edge
port. This is the “listening” port of the segment that looks for the REP control
signal from the primary port and if it does not see the signal from the primary
port, it will then pass data out to the transit ports.
The following sections show how to configure the MN-FNS Series Ethernet
switches in a REP Segment. The following guidelines apply to this setup.
1. Define what switches will be part of the REP segment.
2. Assign a segment number to the REP segment.
3. Port names must be assigned before beginning the process.
4. Ports being used for REP must be configured for Trunk use.
5. Choose a switch to be the Edge Switch on the REP segment.
6. Configure all transit ports on a REP segment before configuring the edge
ports.
7. Configure two ports on the edge switch, one as edge primary (beginning of
network data stream) and the other edge (initial end of data network
stream).
8. Save all configurations

9. Test the ECS/MNS/LSS Class X operation.

The following example shows the CLI commands to configure an MN-FNS Series
Ethernet switch trunk interfaces for ECS/MNS/LSS Class X Fire using REP.
Notes:
• Configure all Transit ports before configuring the Edge switch ports in a REP segment.

• A maximum of two ports can be configured as Edge ports per segment.

• CLI commands are shown with an authorized operator logged into the switch being
programmed with EXEC privilege.

REP Configuration Methods
The REP configuration can be done by:
1. Editing the configuration text file (recommended)

2. Using CNA

3. Using CLI commands into the switch directly

REP Configuration Using Text Files


Refer to the “Working with CLI” Section of this document.
REP Configuration Using CNA
Configure REP on an MN-FNS(x) C2F3 Series Switch for Class X Fire Topology
Refer to Setup a Class X Network Topology Using REP PowerPoint presentation located
on your student thumb drive.
Note: Configure all Transit switches before configuring the Edge switch in a REP segment.
Note: A maximum of two ports can be configured as Edge ports per switch.

Configure REP on an MN-FNS8C18F2 Series Switch for Class X Fire Topology


1. From the CNA Topology View, select the MN-FNS8C18F2 switch

2. Right-click and select Telnet from the menu

3. A Telnet command window launches

4. At the User Access Verification Password: prompt, type edwards

5. At the Switch> prompt, type enable

6. At the Password: prompt, type sdrawde

7. Refer to the list (below) of commands for configuring the REP segments for the
MN-FNS8C18F2

REP Commands Directly Into Switch
Use the following commands to configure an MN-FNS4C2F3 or MN-FNS8C2F3 Edge switch
in a REP Segment.
Switch# configure terminal
Switch (conf)# rep admin vlan 2
Switch (conf)# interface gigabitethernet1/1
Switch (conf-if)# rep segment 1 edge primary
Switch (conf)# interface gigabitethernet1/2
Switch (conf-if)# rep segment 1 edge
Switch (conf-if)# exit
Switch (conf)# exit
Switch# copy running-config startup-config

Use the following commands to configure an MN-FNS4C2F3 or MN-FNS8C2F3 as a Transit
switch in a REP Segment.
Switch# configure terminal
Switch (conf)# rep admin vlan 2
Switch (conf)# interface gigabitethernet1/1
Switch (conf-if)# rep segment 1
Switch (conf)# interface gigabitethernet1/2
Switch (conf-if)# rep segment 1
Switch (conf-if)# exit
Switch (conf)# exit
Switch# copy running-config startup-config

Use the following commands to configure an MN-FNS8C18F2 Edge switch in a REP
Segment.
Switch# configure terminal
Switch (conf)# rep admin vlan 2
Switch (conf)# interface gigabitethernet0/1
Switch (conf-if)# rep segment 1 edge primary
Switch (conf)# interface gigabitethernet0/2
Switch (conf-if)# rep segment 1 edge
Switch (conf-if)# exit
Switch (conf)# exit
Switch# copy running-config startup-config

Use the following commands to configure MN-FNS8C18F2 as a Transit switch in a REP
Segment.
Switch# configure terminal
Switch (conf)# rep admin vlan 2
Switch (conf)# interface gigabitethernet1/1
Switch (conf-if)# rep segment 1
Switch (conf)# interface gigabitethernet1/2
Switch (conf-if)# rep segment 1
Switch (conf-if)# exit
Switch (conf)# exit
Switch# copy running-config startup-config
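The guidelines at the start of this section and the four CLI listings above are one procedure: check the ring, configure the Transit switches, then configure the Edge switch with its edge primary and edge ports, and save. The script below is an added example, not code from this guide or from Cisco: it applies those rules to a declared ring before emitting the same command lines the listings show, so an extra edge switch or a REP port that is not yet a trunk is caught before anything is typed into a switch. The ring itself is hypothetical; the switch names are borrowed from the show rep topology example later in this section, and the interface numbers follow the listings above (gigabitethernet0/x on the MN-FNS8C18F2 edge switch, gigabitethernet1/x on the C2F3 transit switches).

```python
"""Added example, not from the MN-FNS guide: generate the REP CLI for every
switch in a Class X segment only after the guide's rules have been checked
(REP ports are Layer 2 trunks, one edge switch holds the segment's two edge
ports, transit switches are configured before the edge switch).

The ring below is hypothetical; names reuse the guide's show rep topology
example and interface names follow its CLI listings."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RepSwitch:
    name: str
    rep_ports: tuple        # the two interfaces that form the ring on this switch
    trunk_ports: frozenset  # interfaces already configured as Layer 2 trunks
    edge: bool = False      # True only for the segment's edge switch


def rep_commands(switch: RepSwitch, segment: int, admin_vlan: int = 2) -> list:
    """CLI lines for one switch, in the order the guide's listings use them."""
    if switch.edge:
        roles = (f"rep segment {segment} edge primary", f"rep segment {segment} edge")
    else:
        roles = (f"rep segment {segment}", f"rep segment {segment}")
    lines = ["configure terminal", f"rep admin vlan {admin_vlan}"]
    for port, role in zip(switch.rep_ports, roles):
        lines += [f"interface {port}", role]
    lines += ["exit", "exit", "copy running-config startup-config"]
    return lines


def plan_segment(switches, segment: int, admin_vlan: int = 2) -> list:
    """Validate the ring and return [(switch name, CLI lines), ...] with the
    transit switches first and the edge switch last. Raises ValueError on any
    rule violation so nothing is typed into a switch until the plan is sound."""
    if len(switches) < 2:
        raise ValueError("a Class X REP segment needs at least two switches")
    edges = [s for s in switches if s.edge]
    if len(edges) != 1:
        raise ValueError(f"exactly one edge switch per segment, found {len(edges)}")
    for s in switches:
        if len(s.rep_ports) != 2 or len(set(s.rep_ports)) != 2:
            raise ValueError(f"{s.name}: a ring switch uses exactly two distinct REP ports")
        untrunked = [p for p in s.rep_ports if p not in s.trunk_ports]
        if untrunked:
            raise ValueError(f"{s.name}: REP ports must be trunks before REP is configured: {untrunked}")
    ordered = [s for s in switches if not s.edge] + edges
    return [(s.name, rep_commands(s, segment, admin_vlan)) for s in ordered]


def rule_violation(switches, segment: int):
    """Return the first rule violation as text, or None when the plan is valid."""
    try:
        plan_segment(switches, segment)
    except ValueError as exc:
        return str(exc)
    return None


# Hypothetical ring: one MN-FNS8C18F2 edge switch (gigabitethernet0/x, as in the
# guide's edge listing) and two MN-FNS C2F3 transit switches (gigabitethernet1/x).
C2F3_PORTS = ("gigabitethernet1/1", "gigabitethernet1/2")
EDGE_PORTS = ("gigabitethernet0/1", "gigabitethernet0/2")
RING = [
    RepSwitch("ClassroomC_3010", EDGE_PORTS, frozenset(EDGE_PORTS), edge=True),
    RepSwitch("Lab1_Sw1_BOT", C2F3_PORTS, frozenset(C2F3_PORTS)),
    RepSwitch("Lab2_Sw1_BOT", C2F3_PORTS, frozenset(C2F3_PORTS)),
]


if __name__ == "__main__":
    for name, lines in plan_segment(RING, segment=1):
        print(f"! {name}")
        print("\n".join(lines))
        print()
```

The trunk configuration itself is assumed to be already present (the guide puts it in the CONFIGURATION file); the script only refuses to emit REP commands for a port that is not listed as a trunk.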

REP Configuration Verification

To verify REP topology information for the configured REP Segment, execute the command
shown below from a Telnet command window on any switch in the REP Segment. The
following example shows a REP configuration with each switch uniquely named. This is
convenient for identification purposes.
Check to see that all switches in the ring are present, that there is a Primary and a Secondary
Edge, and that all Roles are Open except for one Alternate, as seen below. The Alternate may
move to another switch if the ring is broken and reconnected. This is normal behavior.
ClassroomC_Switch#show rep topology
REP Segment 1
BridgeName PortName Edge Role
---------------- ---------- ---- ----
ClassroomC_3010 Gi0/1 Pri Open
Lab6_Sw1_BOT Gi1/2 Open
Lab6_Sw1_BOT Gi1/1 Open
Lab4_SW1_BOT Gi1/2 Open
Lab4_SW1_BOT Gi1/1 Open
Lab2_Sw1_BOT Gi1/2 Open
Lab2_Sw1_BOT Gi1/1 Open
Lab1_Sw1_BOT Gi1/1 Open
Lab1_Sw1_BOT Gi1/2 Open
Lab3_Sw1_BOT Gi1/2 Open
Lab3_Sw1_BOT Gi1/1 Open
Lab5_Sw1_BOT Gi1/2 Open
Lab5_Sw1_BOT Gi1/1 Open
ClassroomC_3010 Gi0/2 Sec Alt
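The checks described above (every switch present, one Primary and one Secondary edge, all roles Open except one Alternate) are easy to miss by eye on a long segment. The following Python script is an added example, not part of this guide: it parses the show rep topology output and returns a list of problems, empty when the ring looks healthy. The sample text is the guide's own example output; the expected switch list is what an installer would take from the Switch Configuration Sheet in the Annex.

```python
"""Added example, not from the MN-FNS guide: parse `show rep topology` and
apply the checks the guide asks for by eye: every expected switch present with
both of its ring ports, one Primary and one Secondary edge, and every role Open
except a single Alternate. The sample output is the guide's own example."""
from collections import Counter

SHOW_REP_TOPOLOGY = """\
ClassroomC_Switch#show rep topology
REP Segment 1
BridgeName PortName Edge Role
---------------- ---------- ---- ----
ClassroomC_3010 Gi0/1 Pri Open
Lab6_Sw1_BOT Gi1/2 Open
Lab6_Sw1_BOT Gi1/1 Open
Lab4_SW1_BOT Gi1/2 Open
Lab4_SW1_BOT Gi1/1 Open
Lab2_Sw1_BOT Gi1/2 Open
Lab2_Sw1_BOT Gi1/1 Open
Lab1_Sw1_BOT Gi1/1 Open
Lab1_Sw1_BOT Gi1/2 Open
Lab3_Sw1_BOT Gi1/2 Open
Lab3_Sw1_BOT Gi1/1 Open
Lab5_Sw1_BOT Gi1/2 Open
Lab5_Sw1_BOT Gi1/1 Open
ClassroomC_3010 Gi0/2 Sec Alt
"""

# The switches that are supposed to be in the ring; in practice this list comes
# from the installation's Switch Configuration Sheets.
EXPECTED_BRIDGES = ["ClassroomC_3010", "Lab1_Sw1_BOT", "Lab2_Sw1_BOT",
                    "Lab3_Sw1_BOT", "Lab4_SW1_BOT", "Lab5_Sw1_BOT", "Lab6_Sw1_BOT"]


def parse_rep_topology(text: str):
    """Return (segment number, rows); each row is a dict with bridge, port,
    edge ('Pri', 'Sec' or '') and role."""
    segment, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#" in line or line.startswith(("-", "BridgeName")):
            continue            # prompt, column header, rule line
        if line.startswith("REP Segment"):
            segment = int(line.split()[-1])
            continue
        parts = line.split()
        if len(parts) == 4:
            bridge, port, edge, role = parts
        elif len(parts) == 3:
            (bridge, port, role), edge = parts, ""
        else:
            continue
        rows.append({"bridge": bridge, "port": port, "edge": edge, "role": role})
    return segment, rows


def check_rep_segment(text: str, expected_bridges) -> list:
    """Return a list of problems; an empty list means the ring looks healthy."""
    segment, rows = parse_rep_topology(text)
    problems = []
    present = Counter(r["bridge"] for r in rows)
    for bridge in expected_bridges:
        if bridge not in present:
            problems.append(f"{bridge} missing from REP segment {segment}")
    for bridge in sorted(set(present) - set(expected_bridges)):
        problems.append(f"{bridge} is in the ring but not on the expected list")
    for bridge, n in present.items():
        if n != 2:
            problems.append(f"{bridge} shows {n} port(s) in the ring, expected 2")
    edges = Counter(r["edge"] for r in rows if r["edge"])
    if edges["Pri"] != 1:
        problems.append(f"expected one Primary edge, found {edges['Pri']}")
    if edges["Sec"] != 1:
        problems.append(f"expected one Secondary edge, found {edges['Sec']}")
    roles = Counter(r["role"] for r in rows)
    if roles["Alt"] != 1:
        problems.append(f"expected exactly one Alternate port, found {roles['Alt']}")
    for r in rows:
        if r["role"] not in ("Open", "Alt"):
            problems.append(f"{r['bridge']} {r['port']} has role {r['role']}, not Open")
    return problems


if __name__ == "__main__":
    for problem in check_rep_segment(SHOW_REP_TOPOLOGY, EXPECTED_BRIDGES) or ["ring OK"]:
        print(problem)
```

Because the Alternate may legitimately move after a break and reconnect, the check only counts Alternates rather than pinning one to a particular switch.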

Section VII - Reloading Switch IOS

Note: The MN-FNS Series Ethernet switches configurations do not support multiple IOS
version loads or multiple running-config files. Use only Edwards-released IOS versions and
only one version in the switch and one running-config file.

1. Copy 1502EA1.TAR and appropriate CONFIGURATION.TXT to SD Card.


2. On the computer you will be using to load the IOS to the switch:
a. Disable the screen saver
b. Disable the anti-virus program
c. Set power settings to maximum performance to keep hard drive on and ports
active
3. Connect to switch with HyperTerminal or Cisco USB driver
4. Log into switch
5. Insert SD card into switch
6. At EXEC prompt, type in (case sensitive):

archive tar /xtract sdflash:1502EA1.TAR 1502EA1

7. Switch will start loading IOS. This will take a few minutes (usually at least 5, depending
on the computer used and the switch model)
8. Do not interrupt the loading process or use the computer to do anything else until the
system is done extracting the file set. The switch will return to the EXEC prompt once
the extraction has been completed.
9. Load the CONFIGURATION file
10. Test the switch

Section VIII - Console Port Connections
Direct Connection to MN-FNS Switch (Console Port)
RJ-45 Console Port Method

1. Connect the RJ-45-to-DB-9 adapter cable to the 9-pin serial port on the PC. If PC does
not have 9-pin serial port, use a USB-to-DB9 serial adapter cable. Connect the other
end of the cable to the MN-FNS switch console port.

2. Start the terminal-emulation program on the PC. The program, frequently a PC
application such as HyperTerminal or PuTTY, makes communication between the switch
and your PC possible.

3. Configure the baud rate and character format of the PC or terminal to match the console
port characteristics:
• 9600 baud
• 8 data bits
• 1 stop bit
• No parity
• None (flow control)

USB Console Port Method
If you have not used the Cisco USB Console Port before on your computer, you will have to
install the driver.
Installing the Cisco USB Console Port Driver for MN-FNS Series
How to load the Cisco USB Console Port Driver for MN-FNS Series Ethernet switches
1. Close ALL other programs and files before you start this procedure.

2. You must be a system administrator on the computer to load this software.

3. This procedure requires a computer reboot – make sure you know the computer
passwords.

4. Create a directory called CiscoUSB on C:\

5. Copy the file cisco_usbconsole_driver_3_1.zip to the CiscoUSB directory

6. Navigate to the CiscoUSB directory and double-click on the
Cisco_usbconsole_driver_3_1 compressed folder icon in Windows Explorer.

7. Double-click on the Windows_64 directory

8. The system will now display:

9. Double-click on the setup(x64) application. The system will prompt with:

10. Click Run

11. The system will then prompt with:

12. Click Run

13. The system will start installing the program.

14. The system will respond with:

15. Click Next.

16. The system will respond with:

17. Click Install.

18. The system will respond with:

19. When installation is complete, the system should respond with:

20. Click Finish.

21. Click Yes to restart the computer.

22. After the computer reboots, connect the USB cable from the computer to a powered
MN-FNS Series Ethernet switch.

23. The system will install the device driver. This may take a few minutes.

24. Navigate to Device Manager by:

a. Clicking on Start

b. Right-click on My Computer (in the example below, My Computer has been
renamed)

25. A popup menu will appear; select Manage

26. The Computer Management window will appear:

27. Click on Device Manager

28. Double-click on Ports (COM & LPT)

29. Locate the Cisco Serial port.

30. Record the COM number. In the example below, this computer assigned the port
COM12.

31. The port is now ready to use with HyperTerminal or other terminal emulation software to
access the switch.

32. Note – if you unplug the USB cable from your computer and plug it in a different USB
port in the future, the system may reassign a different COM port to the Cisco Serial
Port.

Connecting the Console Port via USB

1. Connect the USB cable to the PC and then the Mini-USB connector to the switch. See
figure below:

2. Identify the COM port assigned to the USB-mini Console Port.

a. Choose Start > Control Panel > System.

b. Click the Hardware tab and choose Device Manager. Expand the Ports section.
The assigned COM port appears in parentheses at the end of the line with this
entry: Cisco USB System Management Console.

3. Configure the baud rate and character format of the PC or terminal to match the console
port characteristics:

• 9600 baud

• 8 data bits

• 1 stop bit

• No parity

• None (flow control)

Section IX - Troubleshooting
Diagnosing Problems
The switch LEDs provide troubleshooting information about the switch. They show boot fast
failures, port-connectivity problems, and overall switch performance. You can also get
statistics from Device Manager, the CLI, or an SNMP workstation.

Bad or Damaged Cable

Always examine the cable for marginal damage or failure. A cable might be just good enough
to connect at the physical layer, but it could corrupt packets as a result of subtle damage to
the wiring or connectors. You can identify this problem because the port has many packet
errors or it constantly flaps (loses and regains link).

• Exchange the copper or fiber-optic cable with a known good cable.

• Look for broken or missing pins on cable connectors.

• Rule out any bad patch panel connections or media converters between the source
and the destination. If possible, bypass the patch panel, or eliminate media converters
(fiber-optic-to-copper).

• Try the cable in another port to see if the problem follows the cable.

Ethernet and Fiber-Optic Cables

Make sure that you have the correct cable:

• Use either Category 5, Category 5e, or Category 6 UTP for 10/100 Mb/s
connections.

• Verify that you have the correct fiber-optic cable for the distance and port type.
Make sure that the connected device ports match and use the same type encoding,
optical frequency, and fiber type.

• Determine if a copper crossover cable was used when a straight-through was
required or the reverse.

• Enable auto-MDIX on the switch, or replace the cable.

Link Status

Verify that both sides have a link. A broken wire or a shutdown port can cause one side to
show a link even though the other side does not have a link.

A port LED that is on does not guarantee that the cable is functional. It might have encountered
physical stress, causing it to function at a marginal level. If the port LED does not turn on:

• Connect the cable from the switch to a known good device.

• Make sure that both ends of the cable are connected to the correct ports.

• Verify that both devices have power.

• Verify that you are using the correct cable type.

• Look for loose connections. Sometimes a cable appears to be seated but is not.
Disconnect the cable, and then reconnect it.

10/100 and 10/100/1000 Port Connections

If a port appears to malfunction:

• Verify the status of all ports. See the MN-FNS Switch LED section of this document for
descriptions of the LEDs and their meanings.

• Use the show interfaces privileged EXEC command to see if the port is error-
disabled, disabled, or shut down. Re-enable the port, if necessary.

• Verify the cable type.

SFP Module

Use only Edwards MN-FNS Series SFP modules. Each module has an internal serial
EEPROM that is encoded with security information. This encoding verifies that the module
meets the requirements for the switch.

• Inspect the SFP module. Exchange the suspect module with a known good module.

• Verify that the module is supported on this platform. (The switch release notes on
Cisco.com list the SFP modules that the switch supports.)

• Use the show interfaces privileged EXEC command to see if the port or module is
error-disabled, disabled, or shut down. Re-enable the port if needed.

• Make sure that all fiber-optic connections are clean and securely connected.

Interface Settings
Verify that the interface is not disabled or powered off. If an interface is manually shut down
on either side of the link, it does not come up until you re-enable the interface. Use the show
interfaces privileged EXEC command to see if the interface is error-disabled, disabled, or shut
down on either side of the connection. If needed, re-enable the interface.

Ping End Device

Ping from the directly connected switch first, and then work your way back port by port,
interface by interface, trunk by trunk, until you find the source of the connectivity issue. Make
sure that each switch can identify the end device MAC address in its Content-Addressable
Memory (CAM) table.

Spanning Tree Loops

STP loops can cause serious performance issues that look like port or interface problems.

A unidirectional link can cause loops. It occurs when the traffic sent by the switch is
received by the neighbor, but the traffic from the neighbor is not received by the switch. A
broken cable, other cabling problems, or a port issue can cause this one-way
communication.
You can enable UniDirectional Link Detection (UDLD) on the switch to help identify
unidirectional link problems. For information about enabling UDLD on the switch, see the
“Understanding UDLD” section in the switch software configuration guide on Cisco.com.

Switch Performance
Speed, Duplex, and Autonegotiation

Port statistics that show a large number of alignment errors, frame check sequence (FCS)
errors, or late collisions might indicate a speed or duplex mismatch.
A common issue occurs when duplex and speed settings are mismatched between two
switches, between a switch and a router, or between the switch and a workstation or server.
Mismatches can happen when manually setting the speed and duplex or from
autonegotiation issues between the two devices.

To maximize switch performance and to ensure a link, follow one of these guidelines when
changing the duplex or the speed settings.

• Let both ports autonegotiate both speed and duplex.

• Manually set the speed and duplex parameters for the interfaces on both ends of
the connection.

• If a remote device does not autonegotiate, use the same duplex settings on the two
ports. The speed parameter adjusts itself even if the connected port does not
autonegotiate.

Autonegotiation and Network Interface Cards

Problems sometimes occur between the switch and third-party network interface cards (NICs).
By default, the switch ports and interfaces autonegotiate. Laptops or other devices are
commonly set to autonegotiate, yet sometimes issues occur.
To troubleshoot autonegotiation problems, try manually setting both sides of the connection.
If this does not solve the problem, there could be a problem with the firmware or software on
the NIC. You can resolve this by upgrading the NIC driver to the latest version.

Cabling Distance

If the port statistics show excessive FCS, late-collision, or alignment errors, verify that the cable
distance from the switch to the connected device meets the recommended guidelines.
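The two symptoms named in this section and in Speed, Duplex, and Autonegotiation above (late collisions on a half-duplex port, and excessive FCS/alignment errors) are both read from the show interfaces counters. The following Python script is an added example, not part of this guide or of Cisco's documentation: it parses show interfaces output and reports the ports whose counters match those symptoms, skipping ports without link (those belong to the Link Status checks). The sample output is constructed, with the counter values invented to show one healthy port, one mismatched port and one unconnected port; the 0.1% error-rate threshold is a choice for the example, not a figure from this guide.

```python
"""Added example, not from the MN-FNS guide: read the counters the
Troubleshooting section points at (CRC/FCS, alignment = 'frame', late
collisions, duplex/speed) out of `show interfaces` output and flag the ports
that show the speed/duplex-mismatch and bad-cabling symptoms described above.
The sample output is constructed; its counter values are invented."""
import re

SHOW_INTERFACES = """\
GigabitEthernet1/1 is up, line protocol is up (connected)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
     204811 packets input, 31022874 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     198230 packets output, 27410398 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
FastEthernet1/3 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     12045 packets input, 1523409 bytes, 0 no buffer
     842 input errors, 812 CRC, 30 frame, 0 overrun, 0 ignored
     9876 packets output, 987654 bytes, 0 underruns
     0 output errors, 1734 collisions, 2 interface resets
     0 babbles, 57 late collision, 0 deferred
FastEthernet1/4 is down, line protocol is down (notconnect)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
     0 packets input, 0 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# A new interface block starts on an unindented "<name> is up/down" line.
HEADER_RE = re.compile(r"^(?P<name>\S+) is (?P<link>up|down|administratively down), line protocol is")
DUPLEX_RE = re.compile(r"^\s*(?P<duplex>\w+)-duplex, (?P<speed>[^,]+),")
COUNTER_RES = {
    "packets_in": re.compile(r"(\d+) packets input,"),
    "crc": re.compile(r"\d+ input errors, (\d+) CRC,"),        # FCS errors
    "frame": re.compile(r"\d+ CRC, (\d+) frame,"),             # alignment errors
    "late_collisions": re.compile(r"(\d+) late collision"),
}


def parse_show_interfaces(text: str) -> list:
    """One dict per interface with link state, duplex, speed and the counters."""
    ports, cur = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            cur = {"name": header.group("name"), "link": header.group("link"),
                   "duplex": None, "speed": None, "packets_in": 0,
                   "crc": 0, "frame": 0, "late_collisions": 0}
            ports.append(cur)
            continue
        if cur is None:
            continue
        duplex = DUPLEX_RE.match(line)
        if duplex:
            cur["duplex"], cur["speed"] = duplex.group("duplex"), duplex.group("speed")
        for field, rx in COUNTER_RES.items():
            m = rx.search(line)
            if m:
                cur[field] = int(m.group(1))
    return ports


def assess(port: dict, max_error_rate: float = 0.001) -> list:
    """Findings for one port, worded after the Troubleshooting section."""
    findings = []
    if port["link"] != "up":
        return findings          # no link: use the Link Status checks first
    if port["late_collisions"] > 0:
        findings.append(f"{port['name']}: {port['late_collisions']} late collisions on a "
                        f"{port['duplex']}-duplex {port['speed']} link: likely speed/duplex "
                        "mismatch with the far end")
    errors = port["crc"] + port["frame"]
    if port["packets_in"] and errors / port["packets_in"] > max_error_rate:
        findings.append(f"{port['name']}: {port['crc']} FCS and {port['frame']} alignment "
                        f"errors in {port['packets_in']} input packets: check cable quality "
                        "and distance, or a speed/duplex mismatch")
    return findings


def triage(text: str) -> dict:
    """Map every port name in the output to its list of findings."""
    return {p["name"]: assess(p) for p in parse_show_interfaces(text)}


if __name__ == "__main__":
    for name, findings in triage(SHOW_INTERFACES).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  ", finding)
```

Counters accumulate since the last clear counters, so a port that was repaired long ago can still show old errors; compare two captures taken a few minutes apart when in doubt.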

Section X - Master Reset of the Switch

These are reasons why you might want to reset the switch to the Cisco factory default
settings:

• You installed the switch in your network and cannot connect to it because you
assigned the wrong IP address.

• You want to reset the password on the switch.


Note: Resetting the switch deletes the configuration and reboots the switch.
Caution: If you press the Express Setup button when you power on, the automatic boot
sequence stops, and the switch enters bootloader mode.
To reset the switch:
Step 1: Press and hold the Express Setup button for about 20 seconds. The switch reboots.
The system LED turns green after the switch completes rebooting.
Step 2: Press the Express Setup button again for 3 seconds. A switch 10/100 Ethernet port
blinks green.
The switch now behaves like an unconfigured switch. You can configure the switch by using
the CLI setup procedure.

Section XI - MN-FNS Series Ethernet Switch LEDs

MN-FNS8C18F2 LED description

MN-FNS4C2F3 and MN-FNS8C2F3 Relay Connection

MN-FNS8C18F2 Relay Connection
RJ45 Pins used for Relay:

3 = Relay Normally Closed (N/C)

7 = Relay Common

8 = Relay Normally Open (N/O)

To connect the MN-FNS8C18F2 alarm port, use an RJ31X cable assembly, such as the
StarTell p/n 91678 (available on the Internet) or the Silent Knight SK-7860 cord (available at ADI
and other security wholesalers), and connect that to an MN-TK10 terminal block or the monitor
module.

Section XII - Annex
Serial Console Cable Pin Out

This is the pin-out of the serial MN-FNS Series Ethernet switch console cable.

9 PIN D-SUB FEMALE to the Computer

RJ45 MALE CONNECTOR to the Cisco router

RJ45 signal   RJ45 pin   DB9 pin   DB9 signal
RTS           1          8         CTS
DTR           2          6         DSR
TXD           3          2         RXD
GND           4          5         GND
GND           5          5         GND
RXD           6          3         TXD
DSR           7          4         DTR
CTS           8          7         RTS

Switch Configuration Sheet

Edwards MN-FNS Ethernet Series Switches

Switch Number:

Switch Location:

Switch Name:

GBT1 Name:

GBT2 Name:

REP Segment:

Switch Type:

Switch Serial Number:

Switch MFG Date:

MAC address (OUI) 1st:

MAC address (OUI) 2nd:

MAC address (OUI) 3rd:

MAC address (NIC) 4th:

MAC address (NIC) 5th:

MAC address (NIC) 6th:

                   VLAN1 (data)    VLAN2 (REP admin)
SIPv4 Octet 1st:
SIPv4 Octet 2nd:
SIPv4 Octet 3rd:
SIPv4 Octet 4th:

                   VLAN1 (data)    VLAN2 (REP admin)
Subnet 1st:
Subnet 2nd:
Subnet 3rd:
Subnet 4th:

SFP1:
SFP2:

Notes:

Section XIII - Glossary of Terms
(From Cisco)

AAA Authentication, authorization, and accounting. See also TACACS+ and RADIUS.

ABR Area Border Router. In OSPF, a router with interfaces in multiple areas.

ACE Access Control Entry. Information entered into the configuration that lets you specify what
type of traffic to permit or deny on an interface. By default, traffic that is not explicitly
permitted is denied.

Access Modes The security appliance CLI uses several command modes. The commands available in each
mode vary. See also user EXEC mode, privileged EXEC mode, global configuration
mode, command-specific configuration mode.

ACL Access Control List. A collection of ACEs. An ACL lets you specify what type of traffic to
allow on an interface. By default, traffic that is not explicitly permitted is denied. ACLs are
usually applied to the interface which is the source of inbound traffic. See
also rule, outbound ACL.

ActiveX A set of object-oriented programming technologies and tools used to create mobile or
portable programs. An ActiveX program is roughly equivalent to a Java applet.

Address Resolution Protocol See ARP.

address translation The translation of a network address and/or port to another network address and/or
port. See also IP address, interface PAT, NAT, PAT, Static PAT, xlate.

AES Advanced Encryption Standard. A symmetric block cipher that can encrypt and decrypt
information. The AES algorithm is capable of using cryptographic keys of 128, 192 and 256
bits to encrypt and decrypt data in blocks of 128 bits. See also DES.

AH Authentication Header. An IPSec protocol (IP protocol number 51) that provides data integrity,
data origin authentication, and replay detection. AH is embedded in the data to be protected (a
full IP datagram, for example) and can be used either by itself or with ESP. It is the older
IPSec protocol and matters less in most networks than ESP, because AH authenticates but does
not encrypt; it is kept for compatibility with IPSec peers that do not support ESP, which provides
both authentication and encryption. Because AH also authenticates the IP header, it does not
work through NAT. See also encryption and VPN. Refer to RFC 2402.

A record address "A" stands for address, and refers to name-to-address mapped records in DNS.

APCF Application Profile Customization Framework. Lets the security appliance handle non-
standard applications so that they render correctly over a WebVPN connection.

ARP Address Resolution Protocol. A low-level TCP/IP protocol that resolves an IPv4 address to the
hardware address, or MAC address, of the interface that holds it. An example hardware address is
00:00:a6:00:01:ba. The first three groups of characters (00:00:a6) are the OUI, which identifies the
manufacturer; the remaining characters (00:01:ba) are assigned by that manufacturer to the
individual interface. ARP replies are not authenticated, so any host on the segment can answer for
any IP address (ARP spoofing). ARP is defined in RFC 826.
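The OUI/NIC split the ARP entry and the configuration sheet's "MAC address (OUI)/(NIC)" fields rely on, as an added example that is not part of the guide. It also reads the two IEEE 802 flag bits in the first octet that a practitioner checks before trusting an address: the I/G (multicast) bit and the U/L (locally administered, not vendor-assigned) bit. The example MAC is the one from the entry; all helper names are this example's own:

```python
"""Added example, not from the guide: split a MAC address into its OUI and
NIC halves and read the I/G and U/L flag bits of the first octet."""
import re

# Accept 00:00:a6:00:01:ba, 00-00-a6-00-01-ba or 0000a60001ba.
MAC_RE = re.compile(r"^" + r"([0-9A-Fa-f]{2})[:-]?" * 5 + r"([0-9A-Fa-f]{2})$")

def parse_mac(text):
    """Return the six octets as bytes, or raise ValueError on anything else."""
    m = MAC_RE.match(text.strip())
    if not m:
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return bytes(int(g, 16) for g in m.groups())

def split_mac(text):
    """Return the OUI, the NIC-specific half and the two flag bits."""
    octets = parse_mac(text)
    first = octets[0]
    return {
        "oui": ":".join("%02x" % b for b in octets[:3]),
        "nic": ":".join("%02x" % b for b in octets[3:]),
        "multicast": bool(first & 0x01),              # I/G bit set: group address
        "locally_administered": bool(first & 0x02),   # U/L bit set: not vendor-assigned
    }

def sheet_fields(text):
    """Lay the six octets out as the sheet's 1st..6th OUI/NIC fields."""
    octets = parse_mac(text)
    labels = ["OUI"] * 3 + ["NIC"] * 3
    return ["MAC address (%s) %d: %02x" % (lab, i + 1, b)
            for i, (lab, b) in enumerate(zip(labels, octets))]
```

A unicast address with the U/L bit set did not come from a manufacturer's block; on a switch port that is supposed to carry one known device, that is worth a second look.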

ASA Adaptive Security Algorithm. Used by the security appliance to perform inspections. ASA
allows one-way (inside to outside) connections without an explicit configuration for each
internal system and application. See also inspection engine.

ASA adaptive security appliance.

ASDM Adaptive Security Device Manager. An application for managing and configuring a single
security appliance.

asymmetric encryption Also called public key cryptography. Each party has a public key, which anyone may
obtain, and a matching private key that is never shared. Anyone holding the public key can encrypt a
message for that party, but only the holder of the private key can decrypt it. See also encryption,
public key.

authentication Cryptographic protocols and services that verify the identity of users and the integrity of data.
One of the functions of the IPSec framework. Authentication establishes the integrity of
datastream and ensures that it is not tampered with in transit. It also provides confirmation
about the origin of the datastream. See also AAA, encryption, and VPN.

Auto Applet Download Automatically downloads the WebVPN port-forwarding applet when the user first logs
in to WebVPN.

auto-signon This command provides a single sign-on method for WebVPN users. It passes the WebVPN
login credentials (username and password) to internal servers for authentication using NTLM
authentication, basic authentication, or both.

Backup Server IPSec backup servers let a VPN client connect to the central site when the primary security
appliance is unavailable.

BGP Border Gateway Protocol. BGP performs interdomain routing in TCP/IP networks. BGP is an
Exterior Gateway Protocol, which means that it performs routing between multiple autonomous
systems or domains and exchanges routing and access information with other BGP systems. The
security appliance does not support BGP. See also EGP.

BLT stream Bandwidth Limited Traffic stream. Stream or flow of packets whose bandwidth is constrained.

BOOTP Bootstrap Protocol. Lets diskless workstations boot over the network as is described in RFC 951 and
RFC 1542.

BPDU Bridge Protocol Data Unit. Spanning-Tree Protocol hello packet that is sent out at configurable
intervals to exchange information among bridges in the network. Protocol data unit is the OSI term
for packet.



C

CA Certificate Authority, Certification Authority. A third-party entity that is responsible
for issuing and revoking certificates. Each device with the public key of the CA
can authenticate a device that has a certificate issued by the CA. The term CA
also refers to software that provides CA services. See also certificate, CRL, public key, RA.

cache A temporary repository of information accumulated from previous task executions
that can be reused, decreasing the time required to perform the tasks. Caching
stores frequently reused objects in the system cache, which reduces the need to
perform repeated rewriting and compressing of content.

CBC Cipher Block Chaining. A block cipher mode of operation in which each plaintext block is
XORed with the previous ciphertext block before it is encrypted, so that identical plaintext
blocks do not produce identical ciphertext. CBC requires an initialization vector (IV) for the
first block; in IPSec the IV is carried explicitly in the ESP packet and must be unpredictable
for each packet. CBC provides confidentiality only; integrity comes from a separate
authenticator such as HMAC.

certificate A signed cryptographic object that binds the identity of a user or device to that
subject's public key. The signature is made with the private key of the CA that issued the
certificate, so anyone holding the CA's public key can verify it. Certificates have an expiration
date and may also be placed on a CRL if known to be compromised. Certificates
also establish non-repudiation for IKE negotiation, which means that you can
prove to a third party that IKE negotiation was completed with a specific peer.

CHAP Challenge Handshake Authentication Protocol.

CIFS Common Internet File System. It is a platform-independent file sharing system
that provides users with network access to files, printers, and other machine
resources. Microsoft implemented CIFS for networks of Windows computers;
however, open source implementations of CIFS provide file access to servers
running other operating systems, such as Linux, UNIX, and Mac OS X.

Citrix An application that virtualizes client-server applications and optimizes web
applications.

CLI command line interface. The primary interface for entering configuration and
monitoring commands to the security appliance.

client/server computing Distributed computing (processing) network systems in which transaction
responsibilities are divided into two parts: client (front end) and server (back
end). Also called distributed computing. See also RPC.

Client update Lets you update revisions of clients to which the update applies; provide a URL
or IP address from which to get the update; and, in the case of Windows clients,
optionally notify users that they should update their VPN client version.

command-specific configuration mode From global configuration mode, some commands enter a
command-specific configuration mode. All user EXEC, privileged EXEC, global configuration, and
command-specific configuration commands are available in this mode. See
also global configuration mode, privileged EXEC mode, user EXEC mode.

Compression The process of encoding information using fewer bits or other information-
bearing units than an unencoded representation would use. Compression can
reduce the size of transferring packets and increase communication
performance.



configuration, config, A file on the security appliance that represents the equivalent of settings,
config file preferences, and properties administered by ASDM or the CLI.

Content Rewriting/Transformation Interprets and modifies applications so that they render correctly
over a WebVPN connection.

cookie A small object that a web server hands to a browser and that the browser stores and returns
on later requests to the same site. Cookies carry information such as user preferences or a
session identifier, so a stolen session cookie grants the holder the user's session.

CPU Central Processing Unit. Main processor.

CRC Cyclic Redundancy Check. Error-checking technique in which the recipient of a frame
divides the frame contents by a fixed generator polynomial and compares the
remainder to the value the sending node stored in the frame (for Ethernet, the
32-bit frame check sequence). A CRC detects accidental corruption only; because
anyone can recompute it, it gives no protection against deliberate modification.
See also HMAC.
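The division-and-compare check the CRC entry describes, carried out as the CRC-32 that Ethernet uses for its frame check sequence, as an added example that is not part of the guide. The divisor is the IEEE 802.3 polynomial 0x04C11DB7 (0xEDB88320 in bit-reversed form); the frame bytes are constructed for the example and the helper names are this example's own:

```python
"""Added example, not from the guide: Ethernet-style CRC-32 computed bit by
bit, appended as an FCS by the sender and re-checked by the receiver."""

POLY_REFLECTED = 0xEDB88320   # IEEE 802.3 generator polynomial, reflected

def crc32(data, crc=0):
    """CRC-32 as Ethernet and zlib use it: reflected input, initial value and
    final XOR of 0xFFFFFFFF. Each iteration divides one more bit of the message
    by the polynomial and keeps the remainder."""
    crc ^= 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ POLY_REFLECTED
            else:
                crc >>= 1
    return crc ^ 0xFFFFFFFF

def append_fcs(frame):
    """Sender side: compute the remainder and append it little-endian as the FCS."""
    return frame + crc32(frame).to_bytes(4, "little")

def fcs_ok(frame_with_fcs):
    """Receiver side: recompute over the frame body and compare with the stored FCS."""
    body, stored = frame_with_fcs[:-4], frame_with_fcs[-4:]
    return crc32(body).to_bytes(4, "little") == stored

# Constructed frame: broadcast destination, source with the OUI 00:00:a6 from
# the ARP entry, EtherType 0x0806 (ARP) and a 28-byte dummy payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0000a60001ba")
                + bytes.fromhex("0806") + bytes(range(28)))
```

Any single-bit error in the body changes the remainder, which is what the FCS is for; but an attacker who alters the body simply recomputes it, which is why integrity against tampering needs a keyed construction such as HMAC instead.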

CRL Certificate Revocation List. A digitally signed list, issued by a CA, of the certificates
it has revoked before their expiration date; this is analogous to a book of stolen credit
card numbers that lets a store reject bad cards. When certificates are revoked, they are
added to the CRL. When you implement authentication using certificates, you can choose
whether to check CRLs. Checking CRLs lets you revoke certificates before they expire, but
the CRL is generally maintained only by the CA or an RA, so if CRL checking is enabled and
the CA or RA cannot be reached when authentication is requested, the authentication
request fails. See also CA, certificate, public key, RA.

CRV Call Reference Value. Used by H.225.0 to distinguish call legs signaled between
two entities.

cryptography Encryption, authentication, integrity, keys and other services used for secure
communication over networks. See also VPN and IPSec.

crypto map A data structure with a unique name and sequence number that is used for
configuring VPNs on the security appliance. A crypto map selects data flows that
need security processing and defines the policy for these flows and the crypto
peer that traffic needs to go to. A crypto map is applied to an interface. Crypto
maps contain the ACLs, encryption standards, peers, and other parameters
necessary to specify security policies for VPNs using IKE and IPSec. See also VPN.

CTIQBE Computer Telephony Interface Quick Buffer Encoding. A protocol used in IP
telephony between the Cisco CallManager and CTI TAPI and JTAPI applications.
CTIQBE is used by the TAPI/JTAPI protocol inspection module and
supports NAT, PAT, and bi-directional NAT. This enables Cisco IP SoftPhone and
other Cisco TAPI/JTAPI applications to communicate with Cisco CallManager for
call setup and voice traffic across the security appliance.

cut-through proxy Enables the security appliance to provide faster traffic flow after user
authentication. The cut-through proxy challenges a user initially at the application
layer. After the security appliance authenticates the user, it shifts the session flow
and all traffic flows directly and quickly between the source and destination while
maintaining session state information.



D

data confidentiality Describes any method that manipulates data so that no attacker can read it. This is
commonly achieved by data encryption and keys that are only available to the parties
involved in the communication.

data integrity Describes mechanisms that, through the use of encryption based on secret key or public
key algorithms, allow the recipient of a piece of protected data to verify that the data has
not been modified in transit.

data origin authentication A security service where the receiver can verify that protected data could
have originated only from the sender. This service requires a data integrity service plus
a key distribution mechanism, where a secret key is shared only between the sender
and receiver.

decryption Application of a specific algorithm or cipher to encrypted data so as to render the data
comprehensible to those who are authorized to see the information. See also encryption.

DES Data Encryption Standard. DES was published in 1977 by the National Bureau of
Standards and is a secret key block cipher based on the Lucifer algorithm from
IBM. Cisco uses DES in classic crypto (40-bit and 56-bit key lengths), IPSec crypto (56-
bit key), and 3DES (triple DES), which applies DES three times with three 56-bit
keys (168 bits in total). 3DES is more secure than DES but requires more processing for
encryption and decryption. Both are now deprecated by NIST: a 56-bit DES key falls to
exhaustive search, and 3DES is limited by its 64-bit block size, so AES should be used
wherever the peer supports it. See also AES, ESP.

DHCP Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses
to hosts dynamically, so that addresses can be reused when hosts no longer need them
and so that mobile computers, such as laptops, receive an IP address applicable to
the LAN to which they are connected.

Diffie-Hellman A public key cryptography protocol that allows two parties to establish a shared secret
over insecure communications channels. Diffie-Hellman is used within IKE to establish
session keys. Diffie-Hellman is a component of Oakley key exchange.

Diffie-Hellman Group 1, Group 2, Group 5, Group 7 Diffie-Hellman refers to a type of public key
cryptography using asymmetric encryption based on large prime numbers to establish both
Phase 1 and Phase 2 SAs. Group 1 (768-bit prime) uses a smaller prime than Group 2
(1024-bit prime) but may be the only version supported by some IPSec peers. Diffie-Hellman
Group 5 uses a 1536-bit prime, is the most secure of these, and is recommended for use with
AES. Group 7 has an elliptic curve field size of 163 bits and is for use with the Movian VPN
client, but works with any peer that supports Group 7 (ECC). Groups 1 and 2 are now
considered too weak for new deployments; current guidance (RFC 8247) calls for Group 14
(2048-bit prime) or the elliptic curve groups 19 and 20. See also VPN and encryption.
Note: The group 7 command option was deprecated in ASA version 8.0(4).

digital certificate See certificate.

DMZ See interface.

DN Distinguished Name. Global, authoritative name of an entry in the OSI Directory (X.500).

DNS Domain Name System (or Service). An Internet service that translates domain names
into IP addresses.

DoS Denial of Service. A type of network attack in which the goal is to render a network
service unavailable.



DSL digital subscriber line. Public network technology that delivers high bandwidth over
conventional copper wiring at limited distances. DSL is provisioned via modem pairs,
with one modem located at a central office and the other at the customer site. Because
most DSL technologies do not use the whole bandwidth of the twisted pair, there is room
remaining for a voice channel.

DSP digital signal processor. A DSP segments a voice signal into frames and stores them in
voice packets.

DSS Digital Signature Standard. A digital signature algorithm designed by the US National
Institute of Standards and Technology and based on public-key cryptography. DSS does
not do user datagram encryption. DSS is a component in classic crypto, as well as the
Redcreek IPSec card, but not in IPSec implemented in Cisco IOS software.

Dynamic NAT See NAT and address translation.

Dynamic PAT Dynamic Port Address Translation. Dynamic PAT lets multiple outbound sessions
appear to originate from a single IP address. With PAT enabled, the security appliance
chooses a unique port number from the PAT IP address for each outbound translation
slot (xlate). This feature is valuable when an ISP cannot allocate enough unique IP
addresses for your outbound connections. The global pool addresses always come first,
before a PAT address is used. See also NAT, Static PAT, and xlate.

ECHO See Ping, ICMP. See also inspection engine.

EGP Exterior Gateway Protocol. Replaced by BGP. The security appliance does not support EGP. See
also BGP.

EIGRP Enhanced Interior Gateway Routing Protocol. The security appliance does not support EIGRP.

EMBLEM Enterprise Management BaseLine Embedded Manageability. A syslog format designed to be
consistent with the Cisco IOS system log format and more compatible with CiscoWorks
management applications.

encryption Application of a specific algorithm or cipher to data so as to render the data incomprehensible to
those unauthorized to see the information. See also decryption.

ESMTP Extended SMTP. Extended version of SMTP that includes additional functionality, such as delivery
notification and session delivery. ESMTP is described in RFC 1869, SMTP Service Extensions.

ESP Encapsulating Security Payload. An IPSec protocol, ESP provides authentication and encryption
services for establishing a secure tunnel over an insecure network. For more information, refer to
RFCs 2406 and 1827.



failover, failover mode Failover lets you configure two security appliances so that one will take over
operation if the other one fails. The security appliance supports two failover configurations,
Active/Active failover and Active/Standby failover. Each failover configuration has its own method
for determining and performing failover. With Active/Active failover, both units can pass network
traffic. This lets you configure load balancing on your network. Active/Active failover is only
available on units running in multiple context mode. With Active/Standby failover, only one unit
passes traffic while the other unit waits in a standby state. Active/Standby failover is available
on units running in either single or multiple context mode.

Fixup See inspection engine.

Flash, Flash memory A nonvolatile storage device used to store the configuration file when the
security appliance is powered down.

FQDN/IP Fully qualified domain name/IP address. IPSec parameter that identifies peers that are security
gateways.

FragGuard Provides IP fragment protection and performs full reassembly of all ICMP error messages and
virtual reassembly of the remaining IP fragments that are routed through the security appliance.

FTP File Transfer Protocol. Part of the TCP/IP protocol stack, used for transferring files between
hosts.

GGSN gateway GPRS support node. A wireless gateway that allows mobile cell phone users to
access the public data network or specified private IP networks.

global configuration mode Global configuration mode lets you change the security appliance
configuration. All user EXEC, privileged EXEC, and global configuration commands are available in
this mode. See also user EXEC mode, privileged EXEC mode, command-specific configuration mode.

GMT Greenwich Mean Time. Replaced by UTC (Coordinated Universal Time) in 1967 as the world
time standard.

GPRS general packet radio service. A service defined and standardized by the European
Telecommunication Standards Institute. GPRS is an IP-packet-based extension
of GSM networks and provides mobile, wireless, data communications.

GRE Generic Routing Encapsulation described in RFCs 1701 and 1702. GRE is a tunneling
protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels,
creating a virtual point-to-point link to routers at remote points over an IP network. By
connecting multiprotocol subnetworks in a single-protocol backbone environment, IP
tunneling using GRE allows network expansion across a single protocol backbone
environment.

GSM Global System for Mobile Communication. A digital, mobile, radio standard developed for
mobile, wireless, voice communications.

GTP GPRS tunneling protocol. GTP handles the flow of user packet data and signaling information
between the SGSN and GGSN in a GPRS network. GTP is defined on both the Gn and Gp
interfaces of a GPRS network.

H.225 A protocol used for TCP signaling in applications such as video conferencing. See
also H.323 and inspection engine.

H.225.0 An ITU standard that governs H.225.0 session establishment and packetization. H.225.0
actually describes several different protocols: RAS, use of Q.931, and use of RTP.

H.245 An ITU standard that governs H.245 endpoint control.

H.320 Suite of ITU-T standard specifications for video conferencing over circuit-switched media, such
as ISDN, fractional T-1, and switched-56 lines. Extensions of ITU-T standard H.320 enable
video conferencing over LANs and other packet-switched networks, as well as video over the
Internet.

H.323 Allows dissimilar communication devices to communicate with each other by using a
standardized communication protocol. H.323 defines a common set of CODECs, call setup
and negotiating procedures, and basic data transport methods.

H.323 RAS Registration, admission, and status signaling protocol. Enables devices to perform registration,
admissions, bandwidth changes, and status and disengage procedures between VoIP gateway
and the gatekeeper.

H.450.2 Call transfer supplementary service for H.323.

H.450.3 Call diversion supplementary service for H.323.

Hash, Hash Algorithm A hash algorithm is a one-way function that operates on a message of arbitrary
length to create a fixed-length message digest used by cryptographic services to ensure data
integrity. MD5 has a smaller digest and is considered to be slightly faster than SHA-1. Cisco
uses both SHA-1 and MD5 hashes within its implementation of the IPSec framework. Collisions
are now practical for both MD5 and SHA-1, so neither should be used for digital signatures or
certificates; their keyed forms (HMAC-MD5, HMAC-SHA-1) are not broken by collision attacks, but
SHA-2 is preferred wherever the peer supports it. See also encryption, HMAC, and VPN.

headend A firewall, concentrator, or other host that serves as the entry point into a private network
for VPN client connections over the public network. See also ISP and VPN.

HMAC A mechanism for message authentication using cryptographic hashes such as SHA-1 and MD5,
defined in RFC 2104.
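The keyed construction the Hash and HMAC entries refer to, built by hand from the hash functions they name (SHA-1 and MD5) following RFC 2104, as an added example that is not part of the guide or of any Cisco code. It is checked against the RFC 2202 test vectors and adds the two things a practitioner wants around a tag: a constant-time comparison on verification and a check that a one-byte change in the message changes the tag. Helper names are this example's own; it also runs with SHA-2, which the entries do not mention:

```python
"""Added example, not from the guide: HMAC per RFC 2104 assembled from plain
hash calls, plus constant-time verification of a received tag."""
import hashlib
import hmac as stdlib_hmac   # used only for the constant-time compare

def hmac_digest(key, msg, hashname="sha1"):
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), where K' is the
    key hashed if it is longer than the block size, then zero-padded to it."""
    block = hashlib.new(hashname).block_size      # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block:
        key = hashlib.new(hashname, key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5c for b in key)
    inner = hashlib.new(hashname, ipad + msg).digest()
    return hashlib.new(hashname, opad + inner).digest()

def verify(key, msg, tag, hashname="sha1"):
    """Recompute the tag and compare in constant time, so a wrong tag does not
    leak through timing how many leading bytes were right."""
    return stdlib_hmac.compare_digest(hmac_digest(key, msg, hashname), tag)
```

A plain `==` on the two digests would return as soon as the first differing byte is found, which is the timing side channel `compare_digest` exists to close.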

host The name for any device on a TCP/IP network that has an IP address. See
also network and node.

host/network An IP address and netmask used with other information to identify a single host or network
subnet for security appliance configuration, such as an address translation (xlate) or ACE.

HTTP Hypertext Transfer Protocol. A protocol used by browsers and web servers to transfer files.
When a user views a web page, the browser can use HTTP to request and receive the files
used by the web page. HTTP transmissions are not encrypted.



HTTPS Hypertext Transfer Protocol Secure. HTTP carried over TLS (formerly SSL), which encrypts the
exchange and lets the browser authenticate the server by its certificate.

IANA Internet Assigned Number Authority. Assigns all port and protocol numbers for use on the
Internet.

ICMP Internet Control Message Protocol. Network-layer Internet protocol that reports errors and
provides other information relevant to IP packet processing.

IDS Intrusion Detection System. A method of detecting malicious network activity by signatures
and then implementing a policy for that signature.

IETF The Internet Engineering Task Force. A technical standards organization that
develops RFC documents defining protocols for the Internet.

IGMP Internet Group Management Protocol. IGMP is a protocol used by IPv4 systems to report
IP multicast memberships to neighboring multicast routers.

IKE Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for
services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each
security appliance must verify the identity of its peer. This can be done by manually entering
preshared keys into both hosts or by a CA service. IKE is a hybrid protocol that uses parts
of Oakley and of another protocol suite called SKEME inside the ISAKMP framework. This
is the protocol formerly known as ISAKMP/Oakley, and is defined in RFC 2409.

IKE Extended Authentication IKE Extended Authentication (Xauth) is implemented per the IETF
draft-ietf-ipsec-isakmp-xauth-04.txt ("extended authentication" draft). This protocol provides the
capability of authenticating a user within IKE using TACACS+ or RADIUS.

IKE Mode Configuration IKE Mode Configuration is implemented per the IETF
draft-ietf-ipsec-isakmp-mode-cfg-04.txt. IKE Mode Configuration provides a method for a security
gateway to download an IP address (and other network level configuration) to the VPN client as part
of an IKE negotiation.

ILS Internet Locator Service. ILS is based on LDAP and is ILSv2 compliant. ILS was developed
by Microsoft for use with its NetMeeting, SiteServer, and Active Directory products.

IMAP Internet Message Access Protocol. Method of accessing e-mail or bulletin board messages
kept on a mail server that can be shared. IMAP permits client e-mail applications to access
remote message stores as if they were local without actually transferring the message.

implicit rule An access rule automatically created by the security appliance based on default rules or as a
result of user-defined rules.

IMSI International Mobile Subscriber Identity. One of two components of a GTP tunnel ID, the
other being the NSAPI. See also NSAPI.

inside The first interface, usually port 1, that connects your internal, "trusted" network protected by
the security appliance. See also interface, interface names.



inspection engine The security appliance inspects certain application-level protocols to identify the
location of embedded addressing information in traffic. This allows NAT to translate these embedded
addresses and to update any checksum or other fields that are affected by the translation.
Because many protocols open secondary TCP or UDP ports, each application inspection
engine also monitors sessions to determine the port numbers for secondary channels. The
initial session on a well-known port is used to negotiate dynamically assigned port numbers.
The application inspection engine monitors these sessions, identifies the dynamic port
assignments, and permits data exchange on these ports for the duration of the specific
session. Some of the protocols that the security appliance can inspect
are CTIQBE, FTP, H.323, HTTP, MGCP, SMTP, and SNMP.

interface The physical connection between a particular network and a security appliance.

interface ip_address The IP address of a security appliance network interface. Each interface IP
address must be unique. Two or more interfaces must not be given the same IP address or IP
addresses that are on the same IP network.

interface names Human readable name assigned to a security appliance network interface. The inside
interface default name is "inside" and the outside interface default name is "outside." Any
perimeter interface default names are "intfn", such as intf2 for the first perimeter interface,
intf3 for the second perimeter interface, and so on to the last interface. The number in the
intf string corresponds to the position of the interface card in the security appliance. You can
use the default names or, if you are an experienced user, give each interface a more
meaningful name. See also inside, intfn, outside.

intfn Any interface, usually beginning with port 2, that connects to a subset network of your design
that you can custom name and configure.

interface PAT The use of PAT where the PAT IP address is also the IP address of the outside interface.
See Dynamic PAT, Static PAT.

Internet The global network that uses IP. Not a LAN. See also intranet.

intranet Intranetwork. A LAN that uses IP. See also network and Internet.

IP Internet Protocol. IP protocols are the most popular nonproprietary protocols because they
can be used to communicate across any set of interconnected networks and are equally well
suited for LAN and WAN communications.

IPS Intrusion Prevention Service. An in-line, deep-packet inspection-based solution that helps
mitigate a wide range of network attacks.

IP address An IP protocol address. A security appliance interface ip_address. IP version 4 addresses
are 32 bits in length. This address space is used to designate the network number, optional
subnetwork number, and a host number. The 32 bits are grouped into four octets (8 binary
bits), represented by 4 decimal numbers separated by periods, or dots. The meaning of each
of the four octets is determined by their use in a particular network.

IP pool A range of local IP addresses specified by a name, and a range with a starting IP address
and an ending address. IP Pools are used by DHCP and VPNs to assign local IP addresses
to clients on the inside interface.

IPSec IP Security. A framework of open standards that provides data confidentiality, data integrity,
and data authentication between participating peers. IPSec provides these security services
at the IP layer. IPSec uses IKE to handle the negotiation of protocols and algorithms based
on local policy and to generate the encryption and authentication keys to be used by IPSec.
IPSec can protect one or more data flows between a pair of hosts, between a pair of security
gateways, or between a security gateway and a host.

IPSec Phase 1 The first phase of negotiating IPSec, includes the key exchange and the ISAKMP portions
of IPSec.

IPSec Phase 2 The second phase of negotiating IPSec. Phase two determines the type of encryption rules
used for payload, the source and destination that will be used for encryption, the definition of
interesting traffic according to access lists, and the IPSec peer. IPSec is applied to the
interface in Phase 2.

IPSec transform set A transform set specifies the IPSec protocol, encryption algorithm, and hash
algorithm to use on traffic matching the IPSec policy. A transform describes a security protocol
(AH or ESP) with its corresponding algorithms. The IPSec protocol used in almost all transform
sets is ESP with the DES algorithm and HMAC-SHA for authentication.

ISAKMP Internet Security Association and Key Management Protocol. A protocol framework that
defines payload formats, the mechanics of implementing a key exchange protocol, and the
negotiation of a security association. See IKE.

ISP Internet Service Provider. An organization that provides connection to the Internet via their
services, such as modem dial in over telephone voice lines or DSL.

JTAPI Java Telephony Application Programming Interface. A Java-based API supporting telephony functions.
See also TAPI.

key A data object used for encryption, decryption, or authentication.

LAN Local area network. A network residing in one location, such as a single building or campus. See
also Internet, intranet, and network.

layer, layers Networking models implement layers with which different protocols are associated. The
most common networking model is the OSI model, which consists of the following 7 layers, in order:
physical, data link, network, transport, session, presentation, and application.

LCN Logical channel number.

MN-FNS Series Technical Application Guide (p/n 3102XXX-EN) 113


LDAP Lightweight Directory Access Protocol. LDAP provides management and browser applications with
access to X.500 directories.

MAC Address A media access control address (MAC address) is a unique identifier assigned to network
interfaces for communications on the physical network segment. MAC addresses are used as a
network address for most IEEE 802 network technologies, including Ethernet.

mask A 32-bit mask that shows how an Internet address is divided into network, subnet, and host
parts. The mask has ones in the bit positions to be used for the network and subnet parts, and
zeros for the host part. The mask should contain at least the standard network portion, and the
subnet field should be contiguous with the network portion.
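The two properties this mask entry states, a contiguous run of ones from the top bit and a host part covered by the zeros, checked with integer bit operations, as an added example that is not part of the guide. It also carries out the "same IP network" test from the interface ip_address entry and derives the network and broadcast addresses the configuration sheet's Subnet fields imply. Addresses and helper names are constructed for this example:

```python
"""Added example, not from the guide: validate an IPv4 netmask and split an
address into its network and host parts with the mask."""
import ipaddress

def mask_to_int(mask):
    return int(ipaddress.IPv4Address(mask))

def is_contiguous(mask):
    """A valid mask is 1...10...0. Inverting it gives 0...01...1, and adding 1
    to that leaves exactly one bit set, so it is a power of two."""
    inv = ~mask_to_int(mask) & 0xFFFFFFFF
    return (inv + 1) & inv == 0

def prefix_length(mask):
    """Count the ones, which is only meaningful for a contiguous mask."""
    if not is_contiguous(mask):
        raise ValueError("non-contiguous mask %s" % mask)
    return bin(mask_to_int(mask)).count("1")

def split_address(ip, mask):
    """Return (network, host_number, broadcast) as the mask carves them out."""
    if not is_contiguous(mask):
        raise ValueError("non-contiguous mask %s" % mask)
    a, m = int(ipaddress.IPv4Address(ip)), mask_to_int(mask)
    host_bits = ~m & 0xFFFFFFFF
    net = a & m
    return (str(ipaddress.IPv4Address(net)),
            a & host_bits,
            str(ipaddress.IPv4Address(net | host_bits)))

def same_subnet(ip1, ip2, mask):
    """The interface ip_address rule: two interfaces must not share a network."""
    m = mask_to_int(mask)
    return int(ipaddress.IPv4Address(ip1)) & m == int(ipaddress.IPv4Address(ip2)) & m
```

The sheet records VLAN1 and VLAN2 addresses side by side; `same_subnet` on the two is the quick check that they were not given overlapping networks.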

MCR See multicast.

MC router Multicast (MC) routers route multicast data transmissions to the hosts on each LAN in an
internetwork that are registered to receive specific multimedia or other broadcasts. See
also multicast.

MD5 Message Digest 5. A one-way hashing algorithm that produces a 128-bit hash. Both MD5
and SHA-1 are variations on MD4 and were designed to strengthen the MD4 hashing algorithm.
SHA-1 is more secure than MD4 and MD5, though collisions have since been demonstrated for
all three. Cisco uses hashes for authentication within the IPSec framework; MD5 is also used
for message authentication in SNMP v2. Keyed with a shared secret (HMAC-MD5), it verifies the
integrity of the communication and authenticates its origin; timeliness comes from the
sequence numbers or timestamps the surrounding protocol adds, not from the hash itself. MD5
has a smaller digest and is considered to be slightly faster than SHA-1.

MDI Media dependent interface.

MDIX Media dependent interface crossover.

Message Digest A message digest is created by a hash algorithm, such as MD5 or SHA-1, and is used
for ensuring message integrity.

MGCP Media Gateway Control Protocol. Media Gateway Control Protocol is a protocol for the control
of VoIP calls by external call-control elements known as media gateway controllers or call
agents. MGCP merges the IPDC and SGCP protocols.

Mode See Access Modes.

Mode Config See IKE Mode Configuration.

Modular Policy Framework A means of configuring security appliance features in a manner similar to
the Cisco IOS software Modular QoS CLI.

MS mobile station. Refers generically to any mobile device, such as a mobile handset or computer,
that is used to access network services. GPRS networks support three classes of MS, which
describe the type of operation supported within the GPRS and the GSM mobile wireless
networks. For example, a Class A MS supports simultaneous operation of GPRS and GSM services.

MS-CHAP Microsoft CHAP.

MTU Maximum transmission unit, the maximum number of bytes in a packet that can flow efficiently
across the network with best response time. For Ethernet, the default MTU is 1500 bytes, but
each network can have different values, with serial connections having the smallest values. The
MTU is described in RFC 1191.

multicast Multicast refers to a network addressing method in which the source transmits a packet to
multiple destinations, a multicast group, simultaneously. See also PIM, SMR.

N2H2 A third-party, policy-oriented filtering application that works with the security appliance to
control user web access. N2H2 can filter HTTP requests based on destination host name,
destination IP address, and username and password. The N2H2 corporation was acquired by
Secure Computing in October, 2003.

NAT Network Address Translation. Mechanism for reducing the need for globally unique IP
addresses. NAT allows an organization with addresses that are not globally unique to connect
to the Internet by translating those addresses into a globally routable address space.

NEM Network Extension Mode. Lets VPN hardware clients present a single, routable network to the
remote private network over the VPN tunnel.

NetBIOS Network Basic Input/Output System. A Microsoft protocol that supports Windows host name
registration, session management, and data transfer. The security appliance supports
NetBIOS by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138.

netmask See mask.

network In the context of security appliance configuration, a network is a group of computing devices
that share part of an IP address space and not a single host. A network consists of multiple
nodes or hosts. See also host, Internet, intranet, IP, LAN, and node.

NMS network management system. System responsible for managing at least part of a network. An
NMS is generally a reasonably powerful and well-equipped computer, such as an engineering
workstation. NMSs communicate with agents to help keep track of network statistics and
resources.

node Devices such as routers and printers that would not normally be called hosts. See
also host, network.

nonvolatile storage, memory Storage or memory that, unlike RAM, retains its contents without power. Data in a nonvolatile
storage device survives a power-off, power-on cycle or reboot.

NSAPI Network service access point identifier. One of two components of a GTP tunnel ID, the other
component being the IMSI. See also IMSI.



NSSA Not-so-stubby-area. An OSPF feature described by RFC 1587. NSSA was first introduced in
Cisco IOS software release 11.2. It is a non-proprietary extension of the existing stub area
feature that allows the injection of external routes in a limited fashion into the stub area.

NTLM NT Lan Manager. A Microsoft Windows challenge-response authentication method.

NTP Network time protocol.

Oakley A key exchange protocol that defines how to acquire authenticated keying material. The basic
mechanism for Oakley is the Diffie-Hellman key exchange algorithm. Oakley is defined in RFC
2412.

object grouping Simplifies access control by letting you apply access control statements to groups of network
objects, such as protocol, services, hosts, and networks.

OSPF Open Shortest Path First. OSPF is a routing protocol for IP networks. OSPF is a routing protocol
widely deployed in large networks because of its efficient use of network bandwidth and its rapid
convergence after changes in topology. The security appliance supports OSPF.

OU Organizational Unit. An X.500 directory attribute.

outbound Refers to traffic whose destination is on an interface with lower security than the source interface.

outbound ACL An ACL applied to outbound traffic.

outside The first interface, usually port 0, that connects to other "untrusted" networks outside the security
appliance; the Internet. See also interface, interface names, outbound.

PAC PPTP Access Concentrator. A device attached to one or more PSTN or ISDN lines capable
of PPP operation and of handling the PPTP protocol. The PAC need only implement TCP/IP to
pass traffic to one or more PNSs. It may also tunnel non-IP protocols.

PAT See Dynamic PAT, interface PAT, and Static PAT.

PDP Packet Data Protocol.

Perfmon The security appliance feature that gathers and reports a wide variety of feature statistics, such
as connections/second, xlates/second, etc.

PFS Perfect Forwarding Secrecy. PFS enhances security by using different security keys for
the IPSec Phase 1 and Phase 2 SAs. Without PFS, the same security key is used to
establish SAs in both phases. PFS ensures that a given IPSec SA key was not derived from any
other secret (like some other keys). In other words, if someone were to break a key, PFS
ensures that the attacker would not be able to derive any other key. If PFS were not enabled,
someone could hypothetically break the IKE SA secret key, copy all the IPSec protected data,
and then use knowledge of the IKE SA secret to compromise the IPSec SA set up by this IKE SA.
With PFS, breaking IKE would not give an attacker immediate access to IPSec. The attacker
would have to break each IPSec SA individually.

Phase 1 See IPSec Phase 1.

Phase 2 See IPSec Phase 2.

PIM Protocol Independent Multicast. PIM provides a scalable method for determining the best paths
for distributing a specific multicast transmission to a group of hosts. Each host has registered
using IGMP to receive the transmission. See also PIM-SM.

PIM-SM Protocol Independent Multicast-Sparse Mode. With PIM-SM, which is the default for Cisco
routers, when the source of a multicast transmission begins broadcasting, the traffic is forwarded
from one MC router to the next, until the packets reach every registered host. See also PIM.

Ping An ICMP request sent by a host to determine if a second host is accessible.

PIX Private Internet eXchange. The Cisco PIX 500-series security appliances range from compact,
plug-and-play desktop models for small/home offices to carrier-class gigabit models for the most
demanding enterprise and service provider environments. Cisco PIX security appliances provide
robust, enterprise-class integrated network security services to create a strong multilayered
defense for fast changing network environments.

PKCS12 A standard for the transfer of PKI-related data, such as private keys, certificates, and other data.
Devices supporting this standard let administrators maintain a single set of personal identity
information.

PNS PPTP Network Server. A PNS is envisioned to operate on general-purpose computing/server
platforms. The PNS handles the server side of PPTP. Because PPTP relies completely on
TCP/IP and is independent of the interface hardware, the PNS may use any combination of IP
interface hardware including LAN and WAN devices.

Policy NAT Lets you identify local traffic for address translation by specifying the source and destination
addresses (or ports) in an access list.

POP Post Office Protocol. Protocol that client e-mail applications use to retrieve mail from a mail
server.

Pool See IP pool.

Port A field in the packet headers of TCP and UDP protocols that identifies the higher level service
which is the source or destination of the packet.

PPP Point-to-Point Protocol. Developed for dial-up ISP access using analog phone lines and
modems.

PPTP Point-to-Point Tunneling Protocol. PPTP was introduced by Microsoft to provide secure remote
access to Windows networks; however, because it is vulnerable to attack, PPTP is commonly
used only when stronger security methods are not available or are not required. PPTP Ports are
pptp, 1723/tcp, 1723/udp, and pptp. For more information about PPTP, see RFC 2637. See
also PAC, PPTP GRE, PPTP GRE tunnel, PNS, PPTP session, and PPTP TCP.

PPTP GRE Version 1 of GRE for encapsulating PPP traffic.

PPTP GRE tunnel A tunnel defined by a PNS-PAC pair. The tunnel protocol is defined by a modified version
of GRE. The tunnel carries PPP datagrams between the PAC and the PNS. Many sessions are
multiplexed on a single tunnel. A control connection operating over TCP controls the
establishment, release, and maintenance of sessions and of the tunnel itself.

PPTP session PPTP is connection-oriented. The PNS and PAC maintain state for each user that is attached to
a PAC. A session is created when an end-to-end PPP connection is attempted between a dial user
and the PNS. The datagrams related to a session are sent over the tunnel between
the PAC and PNS.

PPTP TCP Standard TCP session over which PPTP call control and management information is passed.
The control session is logically associated with, but separate from, the sessions being tunneled
through a PPTP tunnel.

preshared key A preshared key provides a method of IKE authentication that is suitable for networks with a
limited, static number of IPSec peers. This method is limited in scalability because the key must
be configured for each pair of IPSec peers. When a new IPSec peer is added to the network, the
preshared key must be configured for every IPSec peer with which it communicates.
Using certificates and CAs provides a more scalable method of IKE authentication.

primary, primary unit The security appliance normally operating when two units, a primary and secondary, are
operating in failover mode.

privileged EXEC mode Privileged EXEC mode lets you change current settings. Any user EXEC mode command will
work in privileged EXEC mode. See also command-specific configuration mode, global
configuration mode, user EXEC mode.

protocol, protocol literals A standard that defines the exchange of packets between network nodes for communication.
Protocols work together in layers. Protocols are specified in a security appliance configuration as
part of defining a security policy by their literal values or port numbers. Possible security
appliance protocol literal values are ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, ipsec, nos,
ospf, pcp, snp, tcp, and udp.

Proxy-ARP Enables the security appliance to reply to an ARP request for IP addresses in the global pool.
See also ARP.

public key A public key is one of a pair of keys that are generated by devices involved in public key
infrastructure. Data encrypted with a public key can only be decrypted using the associated
private key. When a private key is used to produce a digital signature, the receiver can use the
public key of the sender to verify that the message was signed by the sender. These
characteristics of key pairs provide a scalable and secure method of authentication over an
insecure media, such as the Internet.

QoS quality of service. Measure of performance for a transmission system that reflects its transmission quality
and service availability.



R

RA Registration Authority. An authorized proxy for a CA. RAs can perform certificate enrollment
and can issue CRLs. See also CA, certificate, public key.

RADIUS Remote Authentication Dial-In User Service. RADIUS is a distributed client/server system that
secures networks against unauthorized access. RFC 2058 and RFC 2059 define the RADIUS
protocol standard. See also AAA and TACACS+.

Refresh Retrieve the running configuration from the security appliance and update the screen. The icon
and the button perform the same function.

registration authority See RA.

replay-detection A security service where the receiver can reject old or duplicate packets to defeat replay
attacks. Replay attacks rely on the attacker sending out older or duplicate packets to the
receiver and the receiver thinking that the bogus traffic is legitimate. Replay-detection is done
by using sequence numbers combined with authentication, and is a standard feature of IPSec.
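The sequence-number-plus-authentication scheme described in this entry, as an added example that is not code from this guide: a constructed packet format (4-byte sequence number, payload, HMAC-SHA256 tag) stands in for the ESP sequence number and integrity check value, and the receiver keeps a 64-entry sliding window in the style of RFC 4303 section 3.4.3; the key, packet layout and class names are hypothetical.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

KEY = b"constructed-demo-key-not-from-the-guide"   # hypothetical shared integrity key
WINDOW = 64   # RFC 4303 requires a window of at least 32 packets; 64 is the common default
TAG_LEN = 32  # HMAC-SHA256 output length


def build_packet(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Constructed format: 4-byte big-endian sequence number | payload | HMAC tag."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class ReplayWindow:
    """Receiver state: highest accepted sequence number plus a bitmap of the last WINDOW seen."""

    def __init__(self, key: bytes = KEY, size: int = WINDOW):
        self.key = key
        self.size = size
        self.top = 0       # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0    # bit i set => sequence number (top - i) has already been accepted

    def _authenticate(self, packet: bytes) -> Optional[Tuple[int, bytes]]:
        """Verify the tag; return (seq, payload) or None on failure."""
        if len(packet) < 4 + TAG_LEN:
            return None
        header, payload, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return struct.unpack("!I", header)[0], payload

    def receive(self, packet: bytes) -> str:
        # Authenticate before touching the window so a forged packet cannot advance it.
        auth = self._authenticate(packet)
        if auth is None:
            return "reject: bad tag"
        seq, _payload = auth
        if seq == 0:
            return "reject: seq 0 never valid"
        if seq > self.top:
            # New high-water mark: slide the window forward and mark this packet seen.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "reject: too old"          # left edge of the window has passed it
        if self.bitmap & (1 << offset):
            return "reject: replay"           # duplicate inside the window
        self.bitmap |= 1 << offset            # late but first-seen: accept and record
        return "accept"


def run_demo() -> List:
    """Drive a window with a constructed packet sequence; returns the verdicts plus final top."""
    w = ReplayWindow()
    verdicts = [w.receive(build_packet(seq, b"data")) for seq in (1, 1, 3, 2, 2, 100, 36, 37)]
    forged = bytearray(build_packet(101, b"data"))
    forged[5] ^= 0x01   # flip one payload bit: the tag no longer matches
    verdicts.append(w.receive(bytes(forged)))
    verdicts.append(w.top)
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```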

RFC Request for Comments. RFC documents define protocols and standards for communications
over the Internet. RFCs are developed and published by IETF.

RIP Routing Information Protocol. Interior gateway protocol (IGP) supplied with UNIX BSD
systems. The most common IGP in the Internet. RIP uses hop count as a routing metric.

RLLA Reserved Link Local Address. Multicast addresses range from 224.0.0.0 to 239.255.255.255;
however, only the range 224.0.1.0 to 239.255.255.255 is available to us. The first part of the
multicast address range, 224.0.0.0 to 224.0.0.255, is reserved and referred to as the RLLA.
These addresses are unavailable. We can exclude the RLLA range by specifying 224.0.0.0 to
239.255.255.255 excluding 224.0.0.0 to 224.0.0.255. This is the same as specifying 224.0.1.0 to
239.255.255.255.

route, routing The path through a network.

routed firewall mode In routed firewall mode, the security appliance is counted as a router hop in the network. It
performs NAT between connected networks and can use OSPF or RIP. See also transparent
firewall mode.

RPC Remote Procedure Call. RPCs are procedure calls that are built or specified by clients and
executed on servers, with the results returned over the network to the clients.

RSA A public key cryptographic algorithm (named after its inventors, Rivest, Shamir, and Adleman)
with a variable key length. The main weakness of RSA is that it is significantly slower to compute
than popular secret-key algorithms, such as DES. The Cisco implementation
of IKE uses a Diffie-Hellman exchange to get the secret keys. This exchange can be
authenticated with RSA (or preshared keys). With the Diffie-Hellman exchange, the DES key
never crosses the network (not even in encrypted form), which is not the case with the RSA
encrypt and sign technique. RSA is not public domain, and must be licensed from RSA Data
Security.



RSH Remote Shell. A protocol that allows a user to execute commands on a remote system without
having to log in to the system. For example, RSH can be used to remotely examine the status
of a number of access servers without connecting to each communication server, executing
the command, and then disconnecting from the communication server.

RTCP RTP Control Protocol. Protocol that monitors the QoS of an IPv6 RTP connection and conveys
information about the on-going session. See also RTP.

RTP Real-Time Transport Protocol. Commonly used with IP networks. RTP is designed to provide
end-to-end network transport functions for applications transmitting real-time data, such as
audio, video, or simulation data, over multicast or unicast network services. RTP provides
such services as payload type identification, sequence numbering, timestamping, and delivery
monitoring to real-time applications.

RTSP Real Time Streaming Protocol. Enables the controlled delivery of real-time data, such as audio
and video. RTSP is designed to work with established protocols, such as RTP and HTTP.

rule Conditional statements added to the security appliance configuration to define security policy
for a particular situation. See also ACE, ACL, NAT.

running configuration The configuration currently running in RAM on the security appliance. The configuration that
determines the operational characteristics of the security appliance.

SA security association. An instance of security policy and keying material applied to a data flow.
SAs are established in pairs by IPSec peers during both phases of IPSec. SAs specify the
encryption algorithms and other security parameters used to create a secure tunnel. Phase 1
SAs (IKE SAs) establish a secure tunnel for negotiating Phase 2 SAs. Phase 2 SAs
(IPSec SAs) establish the secure tunnel used for sending user data. Both IKE and IPSec use
SAs, although SAs are independent of one another. IPSec SAs are unidirectional and they are
unique in each security protocol. A set of SAs is needed for a protected data pipe, one per
direction per protocol. For example, if you have a pipe that supports ESP between peers,
one ESP SA is required for each direction. SAs are uniquely identified by destination
(IPSec endpoint) address, security protocol (AH or ESP), and Security Parameter
Index. IKE negotiates and establishes SAs on behalf of IPSec. A user can also
establish IPSec SAs manually. An IKE SA is used by IKE only, and unlike the IPSec SA, it is
bidirectional.

SCCP Skinny Client Control Protocol. A Cisco-proprietary protocol used between Cisco Call Manager
and Cisco VoIP phones.

SCEP Simple Certificate Enrollment Protocol. A method of requesting and receiving (also known as
enrolling) certificates from CAs.

SDP Session Definition Protocol. An IETF protocol for the definition of Multimedia Services. SDP
messages can be part of SGCP and MGCP messages.

secondary unit The backup security appliance when two are operating in failover mode.



secret key A secret key is a key shared only between the sender and receiver. See key, public key.

security You can partition a single security appliance into multiple virtual firewalls, known as security
context contexts. Each context is an independent firewall, with its own security policy, interfaces, and
administrators. Multiple contexts are similar to having multiple stand-alone firewalls.

security services See cryptography.

serial transmission A method of data transmission in which the bits of a data character are transmitted sequentially
over a single channel.

SGCP Simple Gateway Control Protocol. Controls VoIP gateways by an external call control element
(called a call-agent).

SGSN Serving GPRS Support Node. The SGSN ensures mobility management, session management
and packet relaying functions.

SHA-1 Secure Hash Algorithm 1. SHA-1 [NIS94c] is a revision to SHA that was published in 1994.
SHA is closely modeled after MD4 and produces a 160-bit digest. Because SHA produces a
160-bit digest, it is more resistant to brute-force attacks than 128-bit hashes (such as MD5), but
it is slower. Secure Hash Algorithm 1 is a joint creation of the National Institute of Standards
and Technology and the National Security Agency. This algorithm, like other hash algorithms, is
used to generate a hash value, also known as a message digest, that acts like a CRC used in
lower-layer protocols to ensure that message contents are not changed during transmission.
SHA-1 is generally considered more secure than MD5.

SIP Session Initiation Protocol. Enables call handling sessions, particularly two-party audio
conferences, or "calls." SIP works with SDP for call signaling. SDP specifies the ports for the
media stream. Using SIP, the security appliance can support any SIP VoIP gateways
and VoIP proxy servers.

site-to-site VPN A site-to-site VPN is established between two IPSec peers that connect remote networks into a
single VPN. In this type of VPN, neither IPSec peer is the destination or source of user traffic.
Instead, each IPSec peer provides encryption and authentication services for hosts on the LANs
connected to each IPSec peer. The hosts on each LAN send and receive data through the
secure tunnel established by the pair of IPSec peers.

SKEME A key exchange protocol that defines how to derive authenticated keying material, with rapid
key refreshment.

SMR Stub Multicast Routing. SMR allows the security appliance to function as a "stub router." A stub
router is a device that acts as an IGMP proxy agent. IGMP is used to dynamically register
specific hosts in a multicast group on a particular LAN with a multicast router. Multicast routers
route multicast data transmissions to hosts that are registered to receive specific multimedia or
other broadcasts. A stub router forwards IGMP messages between hosts and MC routers.

SMTP Simple Mail Transfer Protocol. SMTP is an Internet protocol that supports email services.

SNMP Simple Network Management Protocol. A standard method for managing network devices
using data structures called Management Information Bases.

split tunneling Allows a remote VPN client simultaneous encrypted access to a private network and clear
unencrypted access to the Internet. If you do not enable split tunneling, all traffic between the
VPN client and the security appliance is sent through an IPSec tunnel. All traffic originating
from the VPN client is sent to the outside interface through a tunnel, and client access to the
Internet from its remote site is denied.

spoofing A type of attack designed to foil network security mechanisms such as filters and access lists. A
spoofing attack sends a packet that claims to be from an address from which it was not actually
sent.

SQL*Net Structured Query Language Protocol. An Oracle protocol used to communicate between client
and server processes.

SSH Secure Shell. An application running on top of a reliable transport layer, such as TCP/IP, that
provides strong authentication and encryption capabilities.

SSL Secure Sockets Layer. A protocol that resides between the application layer and TCP/IP to
provide transparent encryption of data traffic.

standby unit See secondary unit.

stateful Network protocols maintain certain data, called state information, at each end of a network
inspection connection between two hosts. State information is necessary to implement the features of a
protocol, such as guaranteed packet delivery, data sequencing, flow control, and transaction or
session IDs. Some of the protocol state information is sent in each packet while each protocol
is being used. For example, a browser connected to a web server uses HTTP and supporting
TCP/IP protocols. Each protocol layer maintains state information in the packets it sends and
receives. The security appliance and some other firewalls inspect the state information in each
packet to verify that it is current and valid for every protocol it contains. This is called stateful
inspection and is designed to create a powerful barrier to certain types of computer security
threats.

Static PAT Static Port Address Translation. Static PAT is a static address that also maps a local port to a
global port. See also Dynamic PAT, NAT.

subnetmask See mask.

TACACS+ Terminal Access Controller Access Control System Plus. A client-server protocol that supports
AAA services, including command authorization. See also AAA, RADIUS.

TAPI Telephony Application Programming Interface. A programming interface in Microsoft Windows
that supports telephony functions.

TCP Transmission Control Protocol. Connection-oriented transport layer protocol that provides
reliable full-duplex data transmission.

TCP Intercept With the TCP intercept feature, once the optional embryonic connection limit is reached, and
until the embryonic connection count falls below this threshold, every SYN bound for the
affected server is intercepted. For each SYN, the security appliance responds on behalf of the
server with an empty SYN/ACK segment. The security appliance retains pertinent state
information, drops the packet, and waits for the client acknowledgment. If the ACK is received,
then a copy of the client SYN segment is sent to the server and the TCP three-way handshake
is performed between the security appliance and the server. If this three-way handshake
completes, the connection may resume as normal. If the client does not respond during any
part of the connection phase, then the security appliance retransmits the necessary segment
using exponential back-offs.

TDP Tag Distribution Protocol. TDP is used by tag switching devices to distribute, request, and
release tag binding information for multiple network layer protocols in a tag switching network.
TDP does not replace routing protocols. Instead, it uses information learned from routing
protocols to create tag bindings. TDP is also used to open, monitor, and close TDP sessions
and to indicate errors that occur during those sessions. TDP operates over a connection-
oriented transport layer protocol with guaranteed sequential delivery (such as TCP). The use of
TDP does not preclude the use of other mechanisms to distribute tag binding information, such
as piggybacking information on other protocols.

Telnet A terminal emulation protocol for TCP/IP networks such as the Internet. Telnet is a common
way to control web servers remotely; however, its security vulnerabilities have led to its
replacement by SSH.

TFTP Trivial File Transfer Protocol. TFTP is a simple protocol used to transfer files. It runs on UDP
and is explained in depth in RFC 1350.

TID Tunnel Identifier.

TLS Transport Layer Security. A future IETF protocol to replace SSL.

traffic policing The traffic policing feature ensures that no traffic exceeds the maximum rate (bits per second)
that you configure, thus ensuring that no one traffic flow can take over the entire resource.

transform set See IPSec transform set.

translate, translation See xlate.

transparent firewall mode A mode in which the security appliance is not a router hop. You can use transparent firewall
mode to simplify your network configuration or to make the security appliance invisible to
attackers. You can also use transparent firewall mode to allow traffic through that would
otherwise be blocked in routed firewall mode. See also routed firewall mode.

transport mode An IPSec encryption mode that encrypts only the data portion (payload) of each packet, but
leaves the header untouched. Transport mode is less secure than tunnel mode.

TSP TAPI Service Provider. See also TAPI.

tunnel mode An IPSec encryption mode that encrypts both the header and data portion (payload) of each
packet. Tunnel mode is more secure than transport mode.

tunnel A method of transporting data in one protocol by encapsulating it in another protocol. Tunneling
is used for reasons of incompatibility, implementation simplification, or security. For example, a
tunnel lets a remote VPN client have encrypted access to a private network.

Turbo ACL Increases ACL lookup speeds by compiling them into a set of lookup tables. Packet headers
are used to access the tables in a small, fixed number of lookups, independent of the existing
number of ACL entries.



U

UDP User Datagram Protocol. A connectionless transport layer protocol in the IP protocol stack. UDP is
a simple protocol that exchanges datagrams without acknowledgments or guaranteed delivery,
which requires other protocols to handle error processing and retransmission. UDP is defined in
RFC 768.

UMTS Universal Mobile Telecommunication System. An extension of GPRS networks that moves toward
an all-IP network by delivering broadband information, including commerce and entertainment
services, to mobile users via fixed, wireless, and satellite networks.

Unicast RPF Unicast Reverse Path Forwarding. Unicast RPF guards against spoofing by ensuring that packets
have a source IP address that matches the correct source interface according to the routing table.

URL Uniform Resource Locator. A standardized addressing scheme for accessing hypertext documents
and other services using a browser. For example, http://www.cisco.com.

user EXEC mode User EXEC mode lets you see the security appliance settings. The user EXEC mode prompt
appears as follows when you first access the security appliance. See also command-specific
configuration mode, global configuration mode, and privileged EXEC mode.

UTC Coordinated Universal Time. The time zone at zero degrees longitude, previously called Greenwich
Mean Time (GMT) and Zulu time. UTC replaced GMT in 1967 as the world time standard. UTC is
based on an atomic time scale rather than an astronomical time scale.

UTRAN Universal Terrestrial Radio Access Network. Networking protocol used for implementing wireless
networks in UMTS. GTP allows multi-protocol packets to be tunneled through a UMTS/GPRS
backbone between a GGSN, an SGSN and the UTRAN.

UUIE User-User Information Element. An element of an H.225 packet that identifies the users implicated
in the message.

VLAN Virtual LAN. A group of devices on one or more LANs that are configured (using management
software) so that they can communicate as if they were attached to the same physical network cable,
when in fact they are located on a number of different LAN segments. Because VLANs are based on
logical instead of physical connections, they are extremely flexible.

VoIP Voice over IP. VoIP carries normal voice traffic, such as telephone calls and faxes, over an IP-based
network. DSP segments the voice signal into frames, which then are coupled in groups of two and
stored in voice packets. These voice packets are transported using IP in compliance with ITU-T
specification H.323.

VPN Virtual Private Network. A network connection between two peers over the public network that is
made private by strict authentication of users and the encryption of all data traffic. You can establish
VPNs between clients, such as PCs, or a headend, such as the security appliance.

virtual firewall See security context.

VSA Vendor-specific attribute. An attribute in a RADIUS packet that is defined by a vendor rather than
by RADIUS RFCs. The RADIUS protocol uses IANA-assigned vendor numbers to help identify VSAs.
This lets different vendors have VSAs of the same number. The combination of a vendor number and
a VSA number makes a VSA unique. For example, the cisco-av-pair VSA is attribute 1 in the set of
VSAs related to vendor number 9. Each vendor can define up to 256 VSAs. A RADIUS packet
carries any VSAs in attribute 26, named Vendor-specific. VSAs are sometimes referred to as
subattributes.

WAN wide-area network. Data communications network that serves users across a broad geographic
area and often uses transmission devices provided by common carriers.

WCCP Web Cache Communication Protocol. Transparently redirects selected types of traffic to a group of
web cache engines to optimize resource usage and lower response times.

Websense A content filtering solution that manages employee access to the Internet. Websense uses a policy
engine and a URL database to control user access to websites.

WEP Wired Equivalent Privacy. A security protocol for wireless LANs, defined in the IEEE 802.11b
standard.

WINS Windows Internet Naming Service. A Windows system that determines the IP address associated
with a particular network device, also known as "name resolution." WINS uses a distributed
database that is automatically updated with the NetBIOS names of network devices currently
available and the IP address assigned to each one. WINS provides a distributed database for
registering and querying dynamic NetBIOS names to IP address mapping in a routed network
environment. It is the best choice for NetBIOS name resolution in such a routed network because it
is designed to solve the problems that occur with name resolution in complex networks.

X.509 A widely used standard for defining digital certificates. X.509 is actually an ITU recommendation, which
means that it has not yet been officially defined or approved for standardized usage.

xauth See IKE Extended Authentication.

xlate An xlate, also referred to as a translation entry, represents the mapping of one IP address to another, or
the mapping of one IP address/port pair to another.



Section XIV - Frequently Asked Questions (FAQs)

Q How long is the warranty on the MN-FNS equipment?
A The MN-FNS Series equipment has a 1 year warranty from the date of shipment.

Q Will the MN-FNS equipment be included in the 5 year Extended Warranty that
EST offers?
A No – The MN-FNS Series equipment has a 1 year warranty from the date of
shipment.

Q When I pass the EST Institute class on the MN-FNS Series, does that mean I
have Cisco certification?
A No – The MN-FNS Series certification applies only to the solutions offered through
EST. The training is a great start toward a Cisco certification, such as a CCNA, but it
does not, in itself, provide that certification.

Q I have CCNA certification; why do I have to go to the EST class?
A While the CCNA is fantastic, it does not address the code restrictions and other
system installation parameters that apply to the UL 864/2572 listed ECS/MNS/LSS
systems.

Q As an SP/BP, where do I get support for the MN-FNS Switches?
A For pre-sale information, contact Edwards Application Engineering through your
District Manager or Edwards Sales Representative. For installation issues and
troubleshooting, contact Edwards Technical Support directly.

Q Can I contact Cisco directly for support?
A No. All support for MN-FNS Switches is through Edwards.

Q Some of the MN-FNS Series switches support Layer 3 operation. Does that
mean that EST will help lay out the Layer 3 operation on a dedicated or
non-dedicated network?
A No – EST does not provide network design services or network diagnostics.

Q The MN-FNS switches have ground screws. Why do they have to be
connected?
A The switches have multiple internal transient protectors that are connected to the
chassis of the switch. Data circuits also require the best possible electrical
environment to operate efficiently, and one of the ways this environment is maintained
is with proper grounding. Connections between the switch and its mounting brackets
are not considered as reliable as a dedicated wire from the switch ground screws to
the incoming electrical ground or the chassis ground, so use a dedicated wire to make
the ground connection as good as it can possibly be. Never defeat the ground
conductor or operate the equipment in the absence of a properly installed grounding
system.

Q Why can the copper wire (“Cat 5”) cable from a standard Ethernet switch be
run over 300 feet, but I can only run it 20 feet on an MN-FNS switch?
A This is due to UL restrictions. Current UL standards require that if a circuit does not
have ground-fault detection (which Ethernet circuits do not), it cannot be run more
than 20 feet, must be in the same room and must be mechanically protected.

Q The MN-FNS8C18F2 switch has RJ45 ports labeled POE. What EST modules
are POE?
A While the switch is labeled for POE use, it is not listed for, nor can it be used for,
that purpose. There are no current EST modules that are POE powered.

Q Do I need the SD card for the MN-FNS4C2F3 or the MN-FNS8C2F3?
A Not to run the switch, but an SD card is very handy for startup, troubleshooting and
switch service. The MN-FNS4C2F3 and MN-FNS8C2F3 switches do not come from
the factory with SD Flash cards. This SD Flash card is computer compatible and can
be written to and/or read in a PC.

Q Do I need the SD card for the MN-FNS8C18F2?
A Yes. The MN-FNS8C18F2 switch (aka “Rack” switch) comes from the factory with
an SD Flash card in it. This card is required to boot and operate the switch. This
card format is not computer compatible and cannot be used in a PC.

Q I have to replace an old MN-NETSW1; what are my options?
A The MN-FNS4C2F3 (4 copper port) or MN-FNS8C2F3 (8 copper port) can be installed
as a replacement for the MN-NETSW1. The mounting bracket will have to be
changed.

Q Can I connect multimode fiber to a single-mode SFP or vice versa?
A No. As with most fiber optic devices, each SFP must be used with the fiber optic
cable it is designed for. All of the MN-FNS Series SFPs are Listed to work on either
multimode OR single mode fiber, not both.

Q On a switch, do all the SFPs have to be the same?
A No. You can come in one port with multimode and leave on another port with single
mode, or come in one port with standard power single mode and leave with high
power single mode. You can pick and choose between any of the Edwards SFPs.

Q Can I put different SFPs on the same fiber?
A No. Each end of the same fiber MUST have the same SFP model.

Q How will we get firmware updates to the switches?
A Edwards releases firmware only after it has been checked by Edwards
Engineering. This firmware is available from the MyEddie website software page.

Q Do you have different applications pre-programmed on SD cards that we can
get?
A No. The configuration files (templates) are available on the MyEddie website
software page.

Q Do I have to mount the switch inside one of the EST boxes?
A MN-FNS Series switches are Listed to be installed in Listed Edwards enclosures,
such as the 3-RCC, 3-CAB and Listed rack series enclosures. Listed brackets are
also available.

Q Can I cascade MN-FNS switches together?
A Yes.

Q Can I plug an existing MN-NETSW1 switch into the new MN-FNS switch?
A Not in a Class X Resilient Ethernet Protocol (REP) ring. The MN-NETSW1 can be
installed on a Class B spur or on a Class B network.

Q Is the REP Class X the same as Spanning Tree Protocol (STP)?
A No. REP (Resilient Ethernet Protocol) is:
• Faster than STP for resolution and restoration
• Predictable in start/stop of ring
• Configurable for multiple rings on a given network

Q Are the Cisco switches compatible with STP?
A By default, until REP is programmed and activated, the MN-FNS Series Ethernet
switches operate with STP.

Q Can the MN-NETSW1 reside on new MN-FNS Series Class X networks?
A Only on end paths, not as part of the REP trunk.

Q Is FireWorks required with the MN-FNS switches?
A No. Future product will be enhanced with high level communication from FireWorks
to the Cisco switch.

Q Are identical Cisco switches from sources other than EST also UL 864/2572
listed?
A No. The listing only applies to products purchased through EST and labeled as
such.

Q Can existing identical Cisco switches be upgraded to the UL listed versions?
A No. The listed Cisco switches are physically identical to the standard Cisco switches
but are manufactured with specifically listed suppliers, and the software is rev-locked
until a new listed firmware is released. They should be capable of operating in the
same modes as the listed switches, but there is no option for upgrading to a listed
version.

Specifications

Dimensions (W × H × D)          6.24 × 3.83 × 3.41 in. (158.5 × 97.3 × 86.6 mm)
Compatible mounting brackets    MN-BRKT1F, MN-BRKT3F, MN-BRKT8C18F

Operating environment
  Temperature                   32 to 120°F (0 to 49°C)
  Relative humidity             0 to 93% noncondensing

Regulatory information
  Manufacturer                  Edwards, A Division of UTC Fire & Security Americas Corporation, Inc.
                                8985 Town Center Parkway, Bradenton, FL 34202, USA
  Authorized EU manufacturing representative
                                UTC Fire & Security B.V., Kelvinstraat 7, 6003 DH Weert, Netherlands
  Year of manufacture           The first two digits of the DATE MFG number (located on the
                                product identification label) are the year of manufacture.

Contact information
  For contact information, see www.edwardsutcfs.com.
