app s | exhibit | type | size | submitted / available
---|---|---|---|---
1 2 3 4 | User Manual | Users Manual | 267.66 KiB | / September 09 2018
1 2 3 4 | Users Manual | Users Manual | 2.57 MiB | September 15 2020
1 2 3 4 | Modular Approval Letter | Cover Letter(s) | 26.91 KiB | September 15 2020
1 2 3 4 | Attestation Statements | | |
1 2 3 4 | Attestation Statements | | |
1 2 3 4 | External Photos | | | / September 09 2018
1 2 3 4 | Internal Photos | | | / September 09 2018
1 2 3 4 | ID Label/Location Info | | |
1 2 3 4 | Cover Letter(s) | | |
1 2 3 4 | RF Exposure Info | | |
1 2 3 4 | Cover Letter(s) | | |
1 2 3 4 | Test Report | | |
1 2 3 4 | Test Report | | |
1 2 3 4 | Test Setup Photos | | | / September 09 2018
1 2 3 4 | Cover Letter(s) | | |
1 2 3 4 | User Manual | Users Manual | 267.66 KiB | / September 09 2018 |
Data Sheet

Cisco Connected Grid WPAN Module for the Cisco 1000 Series Connected Grid Router

The Cisco Wireless Personal Area Network (WPAN) Connected Grid Module is an IEEE 802.15.4g/e radio-frequency (RF) connection for Cisco 1000 Series Connected Grid Routers (CGR 1000 Series). It delivers 900 MHz RF mesh connectivity to a diverse set of endpoints. The WPAN module allows utilities to converge multiple applications supported by the CGR 1000 across a single RF mesh network. Among these applications are Advanced Metering Infrastructure (AMI), Distribution Automation (DA), Integration of Distributed Energy Resources (DER), and Remote Workforce Automation. Together, the ruggedized WPAN module and the CGR 1000 routers provide a versatile platform for diverse field area network (FAN) and Internet of Things (IoT) communications deployments aligned with Wi-SUN alliance objectives for smart utility grids.

Product Overview

The Cisco IEEE 802.15.4g/e/v-compliant WPAN Connected Grid Module for CGR 1000 routers gives utilities highly secure IPv6-based, over-the-air network connectivity. These modules are ideal for high-scale deployments to smart meters, distribution sensors, distribution automation devices, gateways (such as the Cisco 500 Series WPAN Industrial Routers [IR500]), and other endpoints. They are also suited for use in multi-hop mesh networks and long-reach solutions. Figure 1 displays a Cisco Connected Grid WPAN Module.

Figure 1. Cisco Connected Grid WPAN Module

Table 1 provides SKUs and description information about the Cisco Connected Grid WPAN Module.

Table 1. Cisco Connected Grid WPAN Module for CGR 1000 Series

SKU | Description
---|---
CGM-WPAN-FSK-NA | Connected Grid Module - IEEE 802.15.4e/g WPAN 900 MHz
CGM-WPAN-OFDM-FCC | Connected Grid Module - IEEE 802.15.4e/g/v WPAN 900 MHz

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 6

Utilities looking to deploy standards-based communications to millions of endpoints should consider the Cisco CGR 1000 Series with the WPAN module. The module provides dynamic, automated network discovery and self-healing. And its multi-hop mesh networking delivers a high endpoint-to-collector ratio of up to 5000 endpoints per CGR 1000.

Connected Grid WPAN Modules are tightly integrated with the network services of CGR 1000 routers. For example, the CGR 1000 provides Internet Engineering Task Force (IETF) Route Policy Language (RPL)-based routing for high availability and network reliability to endpoints connected to the wireless mesh. RPL is the standard for IPv6 Routing Protocol for Low Power and Lossy Networks. The WPAN module, along with CGR 1000 software, also provides robust security features for access control, device identity, key management, and encryption. It offers four levels of quality of service (QoS). Together, the WPAN module and CGR 1000 routers provide comprehensive network statistics that help network operators quickly identify and troubleshoot connectivity issues.

The Connected Grid WPAN Modules and CGR 1000 routers can be deployed in numerous utility environments worldwide. The product thus comes with an array of antenna and cabling options to match the utility's own environment. Refer to the antenna specifications (Table 4), cable specifications (Table 5), and accessories specifications (Table 6) for more details.

Cisco Connected Grid WPAN Module Specifications

Table 2 shows the hardware specifications for the Cisco Connected Grid WPAN Module, plus a partial listing of regulatory compliance and safety data.

Table 2. Hardware Specifications

Feature | CGM-WPAN-FSK-NA | CGM-WPAN-OFDM-FCC
---|---|---
Form Factor | Single Connected Grid Module | Single Connected Grid Module
Dimensions (H x W x D) | 1.50 x 4.24 x 5.25 in. (3.81 cm x 10.77 cm x 13.34 cm) | 1.50 x 4.24 x 5.25 in. (3.81 cm x 10.77 cm x 13.34 cm)
Weight | .5 pounds | .5 pounds
**Radio Capabilities** | |
Worldwide Frequency Support | North America- ISM: 902-928 MHz; Australia: 915-928 MHz; Brazil: 902-907.5, 915-928 MHz; Hong Kong: 920-924 MHz; China: 920-925 MHz | North America- ISM: 902-928 MHz
Radio Access Method | IEEE802.15.4 g/e | IEEE802.15.4 g/e/v
Frequency Hopping Spread Spectrum | 64 channels (depending on regulatory domain), 400 KHz per channel | 31 channels, 800 KHz channel spacing for OFDM modes
Antenna Interfaces | 1 antenna port - QMA connector | 1 antenna port - QMA connector
Output Transmit Power (Average Power) | 30 dBm | 25-30 dBm (36 dBm EIRP), varies with data rate
Link Budget | Over 136 dB (up to 148 dB depending on antenna gain) | Over 136 dB (up to 148 dB depending on antenna gain)
Receiver Sensitivity | -106 dBm | -101 dBm
**Operating Conditions** | |
Operating Temperature | -40°F to 158°F (-40 to +70°C) continuous operating temperature range with IEEE 1613 type, for up to +85°C for 16 hours | -40°F to 158°F (-40 to +70°C) continuous operating temperature range with IEEE 1613 type, for up to +85°C for 16 hours
Shock and Vibration | 30G at 6 ms, Class Cm; IEEE 1613 Class VS3; IEC 870-2-2 Class Cm | 30G at 6 ms, Class Cm; IEEE 1613 Class VS3; IEC 870-2-2 Class Cm
Operating Seismic Earthquake | IEC 61850-3, Class S3 | IEC 61850-3, Class S3
Altitude | 10,000 ft (3,048 m); maximum operating temperature is derated with increasing altitude per IEEE1613a-2008 | 10,000 ft (3,048 m); maximum operating temperature is derated with increasing altitude per IEEE1613a-2008
Relative Humidity | 5 to 95 percent noncondensing | 5 to 95 percent noncondensing
**Non-Operating Conditions** | |
Temperature | 40 to +185 F (25 C to +85 C) | 40 to +185 F (25 C to +85 C)
Non-Operating Relative Humidity | 5 to 95 percent noncondensing | 5 to 95 percent noncondensing
Altitude | 10,000 ft (3000 m); maximum operating temperature is derated with increasing altitude per IEEE 1613a-2008 | 10,000 ft (3000 m); maximum operating temperature is derated with increasing altitude per IEEE 1613a-2008
Non-Operating Free-Fall Drop | 4 in. (100 mm) per ENG-339611 | 4 in. (100 mm) per ENG-339611
Non-Operating Shock and Vibration | 50-60 G (3.76 m/s minimum); 3-500 Hz at 1.12 GRMS (BP at 10 and 100 Hz) | 50-60 G (3.76 m/s minimum); 3-500 Hz at 1.12 GRMS (BP at 10 and 100 Hz)
Immunity | EN61000-6-2; EN61000-4-2 (ESD); EN61000-4-3 (RF); EN61000-4-4 (EFT); EN61000-4-5 (SURGE); EN61000-4-6 (CRF); EN61000-4-11 (VDI); EN 55024, CISPR 24; EN50082-1 | EN61000-6-2; EN61000-4-2 (ESD); EN61000-4-3 (RF); EN61000-4-4 (EFT); EN61000-4-5 (SURGE); EN61000-4-6 (CRF); EN61000-4-11 (VDI); EN 55024, CISPR 24; EN 55035, CISPR 35; EN61000-6-1
Safety | USA: UL 60950-1; Canada: CAN/CSA C22.2 No. 60950-1; Europe: EN 60950-1; China: GB 60950-1; Australia/New Zealand: AS/NZS 60950-1; Rest of world: IEC 60950-1; CSA-certified to UL/CSA 60950-1, 2nd Ed.; CB report to IEC60950-1, 2nd Ed., covering all group differences and national deviations | USA: UL 60950-1; Canada: CAN/CSA C22.2 No. 60950-1; CSA-certified to UL/CSA 60950-1, 2nd Ed.; CB report to IEC60950-1, 2nd Ed., covering all group differences and national deviations
Emissions | 47 CFR, Part 15; ICES-003 Class A; EN55022 Class A; CISPR22 Class A; AS/NZS 3548 Class A; VCCI V-3; CNS 13438; EN 300-386 | 47 CFR, Part 15; EN61000-3-3; EN61000-3-4; ICES-003 Class A; EN55032 Class A; CISPR32 Class A; AS/NZS 3548 Class A; VCCI V-3; CNS 13438; EN 300-386
Radio | FCC Part 2, FCC Part 15.247, Part 90.210; Brazil: ANATEL Resolution No. 506; Australia: AS/NZS 4268:2008; China: 1049 Issue 1 | FCC Part 2, FCC Part 15.247, Part 90.210; RSS-247

Table 3 outlines the software specifications for the Cisco Connected Grid WPAN Module.

Table 3. Software Specifications

Feature | CGM-WPAN-FSK-NA | CGM-WPAN-OFDM-FCC
---|---|---
Software Compatibility | 15.4(1)CG and above; IOS 15.5M(03) and above | IOS 15.7M(03) and above
PHY/MAC | IEEE 802.15.4g/e; IETF 6LOWPAN (RFC 6282) | IEEE 802.15.4g/e/v; IEEE 6LOWPAN (RFC 6282)
Data Traffic | Native IPv6 traffic over IEEE 802.15.4g/e-6LoWPAN, including non-IP traffic transported over Raw Sockets TCP and IPv4 traffic when endpoints implement MAP-T | Native IPv6 traffic over IEEE 802.15.4g/e/v-6LoWPAN, including non-IP traffic transported over Raw Sockets TCP and IPv4 traffic when endpoints implement MAP-T
IPv6 Routing | IETF RPL: IPv6 Routing Protocol for Low Power and Lossy Networks (RFC 6550, 6551, 6553, 6554, 6719, 6207); support for endpoints implementing multiple IPv6 addresses, for example, more than one IPv6 WPAN prefix or IPv6 MAP-T prefix | IETF RPL: IPv6 Routing Protocol for Low Power and Lossy Networks (RFC 6550, 6551, 6553, 6554, 6719, 6207); support for endpoints implementing multiple IPv6 addresses, for example, more than one IPv6 WPAN prefix or IPv6 MAP-T prefix
WPAN Security | Access control: IEEE 802.1x; Device identity: X.509 digital certificates (utility certificates); Encryption: AES-128; Key management: IEEE 802.11i | Access control: IEEE 802.1x; Device identity: X.509 digital certificates (utility certificates); Encryption: AES-128; Key management: IEEE 802.11i
WPAN Quality of Service (QoS) | 4 queues; priority queuing | 4 queues; priority queuing
Network Management and Diagnostics | Detailed WPAN diagnostics such as Tx power, received signal strength indication (RSSI), frequency (if connected); IETF Constrained Application Protocol (CoAP) (draft-ietf-core-coap-18) | Detailed WPAN diagnostics such as Tx power, received signal strength indication (RSSI), frequency (if connected); IETF Constrained Application Protocol (CoAP) (draft-ietf-core-coap-18)
Management Information Bases (MIBs) | WPAN MIB; ENTITY MIB; IF MIB | WPAN MIB; ENTITY MIB; IF MIB
Data Rate | 150 Kbps (75 Kbps with FEC enabled) | 800 kbps, 400 kbps, 200 kbps, 150 kbps, 50 kbps

For more information about CGOS software capability support, consult your local Cisco representative (Cisco.com login required).

Table 4 lists the antenna options for the Connected Grid WPAN Modules.

Table 4. Antenna Options

Item: ANT-MP-INT-OUT-M, ANT-WPAN-OM-OUT-N, ANT-LPWA-DB-O-N-5
Specification: Multipurpose integrated antenna Outdoor Omni antenna for 900 MHz WPAN Outdoor Omni antenna for 900 MHz WPAN Outdoor

For an extensive description of antenna options and the potential deployment scenarios, see the following deployment guide:
http://www.cisco.com/en/US/docs/routers/connectedgrid/antennas/installing/cg_antenna_install_guide.html.

Table 5 lists the RF cable options for the Connected Grid WPAN Module.

Table 5. RF Cable Options

Indoor WPAN Cable Options for Cisco 1120 Connected Grid Router (CGR 1120)

Item | Specification
---|---
CAB-L240-10-Q-N | 10 ft (3 m) Low Loss LMR 240 Cable with QMA and N Connectors
CAB-L240-15-Q-N | 15 ft (4.5 m) Low Loss LMR 240 Cable with QMA and N Connectors
CAB-L240-20-Q-N | 20 ft (6 m) Low Loss LMR 240 Cable with QMA and N Connectors

Outdoor WPAN Cable Options for Cisco CGR 1120 and 1240 Connected Grid Router (CGR1240)

Item | Specification
---|---
CAB-L400-5-N-N | 5 ft (1.5 m) Low Loss LMR 400 Cable with N Connectors (straight to right angle)
CAB-L400-5-N-NS | 5 ft (1.5 m) Low Loss LMR 600 Cable with N Connectors (straight to straight)
CAB-L400-20-N-N | 20 ft (6 m) Low Loss LMR 400 Cable with N Connectors
CAB-L600-30-N-N | 30 ft (9.14 m) Ultra Low Loss LMR 600 Cable with N Connectors

Table 6 lists additional accessories available for Connected Grid WPAN Modules.

Table 6. Additional Accessories

Item | Specification
---|---
CGR-LA-NM-NF | Lightning arrestor for CGR 1240
CGR-N-CONN-WPAN | N connectors for CGR 1240 for WPAN- ext. antennas
CGR-LA-NF-NF | Lightning arrestor for CGR 1120
ANT-ADPTR-Q-TNC | Connecting adapter for CGR antennas- QMA to TNC for CGR 1120

For an extensive description of antenna and cable options and deployment scenarios, see the deployment guide:
http://www.cisco.com/en/US/docs/routers/connectedgrid/antennas/installing/cg_antenna_install_guide.html.

Ordering Information

The Cisco Connected Grid WPAN Module and the Cisco 1000 Series Connected Grid Routers are available to any Cisco authorized partner. For more information, contact your Cisco representative.

Cisco and Partner Services

Services from Cisco and certified partners can help you transform your network and innovate faster across the grid and enterprise. We have the deep, broad expertise to create a clear, replicable, and optimized field network across many technologies. Planning and design services help you use technology to achieve business goals and can increase deployment accuracy, speed, and efficiency. Technical services help improve operational efficiency, save money, and reduce risk. Optimization services continuously boost performance and help your team succeed with new technologies.

For More Information

To find out more about the Cisco Connected Grid WPAN Module for the Cisco 1000 Series Connected Grid Routers, visit http://www.cisco.com/en/US/products/ps12280/index.html. For more information on the Cisco CGR 1000, visit http://www.cisco.com/go/cgr1000. For more information on the Cisco Field Area Network (FAN) solution, visit http://www.cisco.com/go/fan.

Printed in USA C78-730622-01 12/14
1 2 3 4 | Users Manual | Users Manual | 2.57 MiB | September 15 2020 |
REVIEW DRAFT - CISCO CONFIDENTIAL

Cisco Connected Grid WPAN Module for CGR 1000 Series Installation and Cisco Resilient Mesh Configuration Guide (Cisco IOS)

Contents
- Hardware Overview
- WPAN Antennas, Connectors, and Cables
- Installing and Removing the Module
- Technical Specifications
- Information About Cisco Resilient Mesh and WPAN
- Configuring Cisco Resilient Mesh and the WPAN Module
- Checking and Upgrading the WPAN Firmware Version
- Related Documentation
- Obtaining Documentation and Submitting a Service Request

This guide explains how to install the IEEE 802.15.4e/g Cisco Connected Grid Wireless Personal Area Network (WPAN) module and how to configure the Cisco Resilient Mesh (formerly known as CG-Mesh). This guide addresses configuration for a Cisco 1000 Series Connected Grid Router (CGR 1000) installed with Cisco IOS software.

Note: For detailed information of the WPAN-OFDM module, see Connected Grid Module (CGM) WPAN-OFDM Module - Cisco IOS.

Danger: Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030

Note: The Cisco Connected Grid WPAN Module is installed in either of the CGR 1000 series models: Cisco 1120 Connected Grid Router (CGR 1120) or Cisco 1240 Connected Grid Router (CGR 1240). The WPAN module is installed at the factory. Only technicians of Cisco or Cisco partners may install, uninstall, or configure Connected Grid modules.

For system requirements, important notes, limitations, open and resolved bugs, and last-minute documentation updates, see the Release Notes for CGR 1000 (Cisco IOS) on Cisco.com:
http://www.cisco.com/c/en/us/support/routers/1000-series-connected-grid-routers/products-release-notes-list.html.

For translations of the warnings that appear in this document, see the Regulatory Compliance and Safety Information document for your router on Cisco.com:
http://www.cisco.com/en/US/docs/routers/connectedgrid/cgr1000/rcsi/cgr1000.rsci.html

When using the online publications, see the documents that match the Cisco system software version running on the WPAN module.

Hardware Overview

The CGM-WPAN-FSK-NA WPAN module provides IPv6-based, IEEE 802.15.4e/g-compliant, and highly secure wireless connectivity for the CGR to enable Field Area Network (FAN) applications. The module is ideal for standards-based IPv6 multihop mesh networks and long-reach solutions. It helps enable a high ratio of endpoints to the CGR. The module provides the following functionality:
- 902-to-928 MHz ISM band frequency hopping technology (configurable frequency range to match your country's regulations). See Technical Specifications, on page 10.
- Dynamic network discovery and self-healing network capabilities that are based on IPv6, IEEE 802.15.4 e/g, IETF 6LoWPAN, and IETF RPL.
- Robust security functionality including Advanced Encryption Standard (AES) 128-bit encryption, IEEE 802.1X, and IEEE 802.11i-based mesh security.
- WPAN module firmware upgrade functionality.
- WPAN module interface statistics and status.

The CGM-WPAN-OFDM module is designed to operate within an RF900 wireless network to provide digital automation (DA) control over Resilient Mesh Endpoints (RMEs) with serial (RS232/RS485), USB (LS/FS), or Fast Ethernet (10/100) ports for intelligent control primarily in the electrical grid. CGR 1000s installed with a CGM-WPAN-OFDM module provide a low cost, low power, small scale DA solution. Ruggedized IP41 enclosures are available for the CGR1000 to support installation within an outdoor cabinet.

The IEEE 802.15.4e/g WPAN module hardware contains the following:
- Microcontroller, an RF transceiver operating in the 902-to-928 MHz ISM band.
- Frequency synthesizer.
- RF Micro Devices RF6559 front-end module.

Cisco Resilient Mesh has no physical user interfaces such as buttons or display, and therefore all configuration and management occur through Constrained Application Protocol (CoAP) Simple Management Protocol (CSMP) from Cisco IoT Field Network Director (IoT FND). The application module can implement its own user interface and display information obtained using CSMP.

Cisco Resilient Mesh uses the communication module hardware in a way that is compliant with the IEEE 802.15.4e/g MAC/PHY specification. Cisco Resilient Mesh uses the following PHY parameters:
- Operating Band: 902 to 928 MHz
- Channel Spacing: 400 kHz
- Modulation Method: Binary FSK
- 150k baud data rate, 75-bit rate due to FEC
- Maximum output Power: 28 dBm. See Configuring Transmit Power, on page 28.

Note: Up to two WPAN modules can be installed in any of the slots of the CGR 1120 and CGR 1240.

This section covers the following topics:
- WPAN Models, on page 3
- WPAN Module Assembly, on page 4
- Front Panel, on page 4

WPAN Models

Table 1: WPAN Module Models, on page 3 lists the WPAN module models.

Table 1: WPAN Module Models

Model | Description
---|---
CGM-WPAN-FSK-NA | Connected Grid Module - IEEE 802.15.4e/g WPAN 900 MHz.
CGM-WPAN-OFDM-FCC | WPAN RF 900 Plug-in module for CGR 1000 routers. Provides access to 900 MHz mesh networks.

WPAN Module Assembly

The following figure shows the CGM-WPAN-FSK-NA WPAN module assembly.

Figure 1: CGM-WPAN-FSK-NA WPAN Module Assembly

The following figure shows the CGM-WPAN-OFDM-FCC WPAN module assembly.

Figure 2: CGM-WPAN-OFDM-FCC WPAN Module Assembly

Front Panel

The following figure shows the front panel of the WPAN module and its components:
Figure 3: Front Panel of the Cisco Connected Grid WPAN Module

- 1: Captive screws
- 2: Status LED
- 3: Antenna connector

Status LED

The Status LED provides a visual indicator of the available services. The following tables list the status LED colors and their meanings.

Table 2: LED Indicator of the CGM-WPAN-FSK-NA WPAN Module

Color | Description
---|---
Green | Indicates the RF status. Off: WPAN module is not powered. Steady On: WPAN module is powered on, hardware is functional.

Table 3: LED Indicators of the CGM WPAN-OFDM-FCC WPAN Module

RSSI: Measure of power present in the received radio signal.
- Yellow (Off) / Green (Off): RSSI less than -105 dBm
- Yellow (On) / Green (Off): RSSI is -105 to -95 dBm
- Yellow (Off) / Green (Slow Blink): RSSI is -95 to -75 dBm
- Yellow (Off) / Green (Fast Blink): RSSI is -75 to -60 dBm
- Yellow (Off) / Green (Solid On): RSSI greater than -60 dBm

WPAN: WPAN traffic activity detect.
- Yellow (Off) / Green (Off): WPAN port is disabled.
- Yellow (On) / Green (Off): Searching for network.
- Yellow (Off) / Green (Slow Blink): WPAN port is up.
- Yellow (Off) / Green (Fast Blink): Route is available and DHCPv6 configuration is starting.
- Yellow (Off) / Green (On): Global IPv6 address is available.
- Yellow (Blinking): Bootload in process
- Yellow (Solid): Software update mode in process

SYS: Indicates module status.
- Green (Blinking): Broadcast slot time complete

Antenna Connector

The antenna connector is a QMA, panel-mounted, 50-ohm connector for connecting the antenna to the WPAN module.

WPAN Antennas, Connectors, and Cables

The antenna is connected to the QMA, panel-mount, 50-ohm connector located on the faceplate of the WPAN module. Depending on whether the WPAN module is used in the CGR 1240 or CGR 1120, there is a combination of indoor and outdoor cables to connect from the antenna to the QMA connector on the module.

The CGM-WPAN-OFDM module supports the outdoor 5dBi Omni Antenna. This antenna (Cisco Part Number: ANT-LPWA-DB-O-N-5) can be utilized for WPAN, LoRaWAN and ISM technologies.

For more information about antennas, including installation steps, see the Cisco Connected Grid Antennas Installation Guide.

Table 4: Cisco Supported CGR1240 WPAN Module Antennas, Connectors, and Cables, on page 6 lists the Cisco antennas supported by the WPAN module in a CGR 1240. Table 5: Cisco Supported CGR1120 WPAN Module Antennas, Connectors, and Cables, on page 7 lists the Cisco antennas supported by the WPAN module in a CGR 1120.

Table 4: Cisco Supported CGR1240 WPAN Module Antennas, Connectors, and Cables

Columns: Case Description, Indoor Cable, Outdoor Cable, Antenna, Adapter or Lightning Arrestor

Case 1: RF900 Integrated Antenna, QMA connector (f), quantity=1
- None
- None
- 900 MHz, 3G, 806-960 MHz, 1710-2700 MHz, monopole antenna, chassis mounted, omnidirectional, quantity=1, model no. ANT-MP-INT-OUT-M, Cisco part no. 07-1140-02
- RA-QMA(m) to RA-MCX(m), LMR-100, 10.5, quantity=1, model no. CAB-L100-10-Q-M, Cisco part no. 37-1391-01
- RA-QMA(m) to RA-MCX(m), LMR-100, 17.5, quantity=1, model no. CAB-L100-17-Q-M, Cisco part no. 37-1380-01

Case 2: RF900 External Antenna, QMA connector (f), quantity=1
- RA-QMA(m) to RA-MCX(m), LMR-100, 10.5, quantity=1, model no. CAB-L100-10-Q-M, Cisco part no. 37-1391-01
- Bulkhead adapter, MCX(f) receptacle N(f), quantity=1, Cisco part no. 29-5950-01
- RA-N(m)-N(m), LMR-400-DB, 20, quantity=1, model no. CAB-L400-20-N-N, Cisco part no. 37-1392-01
- 900 MHz ISM band, omnistick, N(f), quantity=1, model no. ANT-WPAN-OM-OUT-N, Cisco part no. 07-1163-02 and Lightning arrestor, DC pass, N(m)-N(f), quantity=1, model no. CGR-LA-NM-NF, Cisco part no. 07-1091-01
- RA-N(m)-N(m), LMR-600-DB, 30, quantity=1, model no. CAB-L600-30-N-N, Cisco part no. 37-1396-01

Adapter or Lightning Arrestor
- Lightning arrestor, N(f)-N(f), quantity=1, model no. CGR-LA-NF-NF, Cisco part no. 07-1158-01
- 900 MHz ISM band, omnistick, 5 dBi gain, N(f), quantity=1, model no. ANT-WPAN-OM-OUT-N, Cisco part no. 07-1163-01
- RA-N(m) to N(m), LMR-400-DB, 20, quantity=1, model no. CAB-L400-20-N-N, Cisco part no. 37-1392-01
- RA-N(m)-N(m), LMR-600-DB, 30, quantity=1, model no. CAB-L600-30-N-N, Cisco part no. 37-1396-01

Table 5: Cisco Supported CGR1120 WPAN Module Antennas, Connectors, and Cables

Columns: Case Description, Indoor Cable, Outdoor Cable, Antenna

Case 1: RF900 Omnistick Antenna, QMA connector (f), quantity=1
- RA-QMA(m) to N(m), LMR-240-FR, 10, quantity=1, model no. CAB-L240-10-Q-N, Cisco part no. 37-1351-02
- RA-QMA(m) to N(m), LMR-240-FR, 15, quantity=1, model no. CAB-L240-15-Q-N, Cisco part no. 37-1352-02
- RA-QMA(m) to N(m), LMR-240-FR, 20, quantity=1, model no. CAB-L240-20-Q-N, Cisco part no. 37-1353-02

Installing and Removing the Module

Installation Guidelines

Note: The WPAN module can be installed in any slot of the CGR 1120 and CGR 1240.

Before installing the WPAN module, verify that the following guidelines have been met:
- Clearance to the I/O side view is such that the LED can be read.
- Airflow around the WPAN module and through the vents is unrestricted.
- Temperature around the unit does not exceed 140 degrees F (60 degrees C). If the WPAN module is installed in a closed or multi-rack assembly, the temperature around it might be higher than normal room temperature.
- Relative humidity around the WPAN module does not exceed 95% (non-condensing).
- Altitude at the installation site is not higher than 10,000 feet.

After replacing or installing a module in the router, you must update the label (on the router exterior) that lists the module types contained in the router. The label must list the FCC ID number and the IC Certification number for each module installed in the router.

Before installing the OFDM module, verify that the following guidelines have been met:
- The module can be located in the same host as, and co-transmit with, a cellular radio and a WiFi radio, but not with any other radios.
- This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
- Installations of this product are limited to the CGR1000 router product series.
- Usage of antenna and antenna cabling options other than those listed in Table 4 and Table 5 will void the user's authority to operate the equipment.
- Changes or modifications not expressly approved by CISCO will void the user's authority to operate the equipment.
- Installations of this device must ensure a distance of at least 20 cm from persons of the general public to comply with RF-exposure requirements.

Installation Warning Statements

This section includes the basic installation warning statements. Translations of these warning statements appear in the Regulatory Compliance and Safety Information for Cisco Connected Grid Router 1000 Series Routers.

Danger: Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030

Danger: To prevent the system from overheating, do not operate it in an area that exceeds the maximum recommended ambient temperature of: 140°F (60°C) Statement 1047

Danger: To prevent airflow restriction, allow clearance around the ventilation openings to be at least: 1.75 in. (4.4 cm) Statement 1076

Installing the Module

Follow these steps to install the module in an available slot in the CGR 1120 or CGR 1240:
Caution: Do not hot swap the WPAN module. Power down the module first.

Procedure

Step 1: Before you install the WPAN module within the host router (or remove the module), you must power down the router as described in the Cisco 1120 Connected Grid Router Hardware Installation Guide or the Cisco 1240 Connected Grid Router Hardware Installation Guide.

Step 2: Insert the WPAN module into the slot as shown in Figure 4: Inserted WPAN Module, on page 9.

Figure 4: Inserted WPAN Module

Step 3: Using a screwdriver, screw both captive screws into place.

Removing the Module

Follow these steps to remove the WPAN module from a slot in the CGR 1120 or the CGR 1240:
Caution: Do not hot swap the WPAN module. Power down the module first.

Procedure

Step 1: Using a screwdriver, loosen the two captive screws on the WPAN module.

Step 2: Gently pull the WPAN module out of the slot.

Note: Cover empty module slots with a slot cover.

Technical Specifications

Environmental Specifications

Table 6: WPAN Module Environmental Specifications, on page 10 lists the environmental specifications for the WPAN module.

Following are the operating temperature ranges for the CGR:
- CGR 1120: -40 to 140 degrees F (-40 to 60 degrees C)
- CGR 1240: -40 to 158 degrees F (-40 to 70 degrees C)

Table 6: WPAN Module Environmental Specifications

Environmental-Operational | Specifications
---|---
Temperature-operational | -40 to 158F (-40 to 70C)
Altitude | Up to 1500 meters
Humidity | RH95% non-condensing
Vibration | 1.0 g from 1.0 to 150 Hz
Shock | 30 G half sine 6 ms and 11 ms
Seismic | GR63-Core, Zone 4

Physical-Layer Specifications

Table 7: List of Interface Default Values, on page 10 lists the interface default values.

Table 7: List of Interface Default Values

Parameters | Default Value
---|---
Administrative state | Enabled
802.15.4 raw data rates | 150 kbaud data rate, 75 bit rate due to FEC
Maximum RF transmit power | 28 dBm
Channels | 64 when using 902-to-928 MHz band (frequency hopping)
Link retransmission retries | 3

Table 8: Default Frequencies of Channels, on page 11 lists the default frequencies for each channel.

Table 8: Default Frequencies of Channels

Channel Number | Channel Frequency (MHz) | Channel Number | Channel Frequency (MHz) | Channel Number | Channel Frequency (MHz) | Channel Number | Channel Frequency (MHz)
---|---|---|---|---|---|---|---
0 | 902.400 | 16 | 908.800 | 32 | 915.200 | 48 | 921.600
1 | 902.800 | 17 | 909.200 | 33 | 915.600 | 49 | 922.000
2 | 903.200 | 18 | 909.600 | 34 | 916.000 | 50 | 922.400
3 | 903.600 | 19 | 910.000 | 35 | 916.400 | 51 | 922.800
4 | 904.000 | 20 | 910.400 | 36 | 916.800 | 52 | 923.200
5 | 904.400 | 21 | 910.800 | 37 | 917.200 | 53 | 923.600
6 | 904.800 | 22 | 911.200 | 38 | 917.600 | 54 | 924.000
7 | 905.200 | 23 | 911.600 | 39 | 918.000 | 55 | 924.400
8 | 905.600 | 24 | 912.000 | 40 | 918.400 | 56 | 924.800
9 | 906.000 | 25 | 912.400 | 41 | 918.800 | 57 | 925.200
10 | 906.400 | 26 | 912.800 | 42 | 919.200 | 58 | 925.600
11 | 906.800 | 27 | 913.200 | 43 | 919.600 | 59 | 926.000
12 | 907.200 | 28 | 913.600 | 44 | 920.000 | 60 | 926.400
13 | 907.600 | 29 | 914.000 | 45 | 920.400 | 61 | 926.800
14 | 908.000 | 30 | 914.400 | 46 | 920.800 | 62 | 927.200
15 | 908.400 | 31 | 914.800 | 47 | 921.200 | 63 | 927.600

Regulatory and Compliance Information

For regulatory compliance and safety information for the WPAN module, refer to Regulatory Compliance and Safety Information for the Cisco 1000 Series Connected Grid Routers:
http://www.cisco.com/en/US/docs/routers/connectedgrid/cgr1000/rcsi/cgr1000.rsci.html

Information About Cisco Resilient Mesh and WPAN

Cisco Resilient Mesh and WPAN Overview

Cisco Resilient Mesh is embedded firmware for Smart Grid assets within a Neighborhood Area Network that supports an end-to-end IPv6 communication network using mesh networking technology. Cisco Resilient Mesh is embedded in Smart Grid endpoints, such as residential electric meters using IP Layer-3 mesh networking technology, that perform end-to-end IPv6 networking functions on the communication module. Resilient Mesh Endpoints (RMEs) support an IEEE 802.15.4e/g interface and standards-based IPv6 communication stack, including security and network management.

Cisco Resilient Mesh supports a frequency-hopping radio link, network discovery, link-layer network access control, network-layer auto configuration, IPv6 routing and forwarding, firmware upgrade, and power outage notification. See Power Outage Notification, on page 23.

The CGR runs the IPv6 Routing Protocol over Low Power and Lossy Networks, also known as RPL. The IPv6 Layer-3 RPL protocol is used to build the mesh network. It serves as an RPL Directed Acyclic Graph (DAG) root and stores information reported in Destination Advertisement Object (DAO) messages to forward datagrams to individual nodes within the mesh network.

Figure 5: Cisco Resilient Mesh Functional Overview

The network provides a communication platform for two-way wireless communication with Smart Grid assets, such as residential electric meters or distribution automation devices, and supports multiple application services simultaneously, such as Advanced Metering Infrastructure (AMI) and Distribution Automation (DA).

For more information on the IEEE 802.15.4 link, see Frequency Hopping, on page 15.

You can configure a CGR with dual WPANs for either of the following scenarios:
- Multiple WPANs can operate in the network, each as an independent WPAN and independent Cisco Resilient Mesh. In this configuration, each WPAN forms a separate RPL tree and mesh, and each must have a unique IPv6 prefix and Service Set Identifier (SSID).
- A WPAN can also operate in a master-slave configuration. The master WPAN owns the RPL tree and the mesh, and all IPv6 and 802.1x traffic flows through the master WPAN from the perspective of the CGR and IoT FND. Conceptually, the slave WPAN acts only as a NIC at the MAC and PHY layer. In that sense, the slave WPAN is attached to the master WPAN. For more information, see Dual-PHY WPAN, on page 26.

Physical Layer

RMEs use the communication module in a manner that is compliant with the IEEE 802.15.4g PHY standard. The following PHY parameters are determined by the capabilities of the hardware:
- 902-to-928 MHz ISM band, with 64 non-overlapping channels, 400 kHz spacing and 150 kbps data rate for 2-FSK
- CGM-WPAN-OFDM supports 2-FSK with 200 kHz channel spacing and 50 kbps data rates with 129 channels. OFDM Option 2 802.15.4g. Frequency hopping between up to 31 800-kHz channels, PHY data rates of 50 kbps, 200 kbps, 400 kbps, 800 kbps and 1200 kbps
- BFSK modulation
- Forward Error Correction (FEC) with Interleaving
- 150 kbaud data rate, 75 bit rate due to FEC

See Physical-Layer Specifications, on page 10 for interface default values and default frequencies for each channel.

Media Access Control (MAC) Layer

RMEs implement a proprietary Media Access Control (MAC) layer that utilizes the enhanced frame formats specified by IEEE 802.15.4e-2012 and IEEE 802.15.4g-2012.

Network Discovery

Enhanced Beacon (EB) messages allow communication modules to discover PANs that they can join. RMEs also use EB messages that disseminate useful PAN information to devices that are in the process of joining the PAN. Joining nodes are nodes that have not yet been granted access to the PAN. As such, joining nodes cannot communicate IPv6 datagrams with neighboring devices. The EB message is the only message sent in the clear that can provide useful information to joining nodes. CGRs drive the dissemination process for all PAN-wide information.

Joining devices also use the RSSI value of the received EB message to determine if a neighbor is likely to provide a good link. The transceiver hardware provides the RSSI value. Neighbors that have an RSSI value below the minimum threshold during the course of receiving EB messages are not considered for PAN access requests.

RMEs support the enhanced frame formats, specified by IEEE 802.15.4e-2012 and IEEE 802.15.4g-2012, that allow link frames to carry the following information:
Frame Formats

- Frequency hopping synchronization
- Security capabilities in EB frames
- Received Signal Strength Indication (RSSI) information in acknowledgments for bi-directional link quality estimation

In addition, RMEs use secure, enhanced acknowledgment frames, protected by the same security mechanisms used to secure data frames.

Link-layer Access Control

RMEs implement link-layer access control mechanisms that follow the functionality defined by the IEEE 802.1X standard for node authentication.

- Admitting nodes: The access control mechanism follows the concepts established by 802.1X for mutual authentication and 802.11i for group key management. RMEs use certificate-based EAP-TLS to perform mutual authentication with an AAA server. RMEs implement the supplicant, and the CGR implements the authenticator. RMEs use a stateless EAP proxy that forwards EAP messages between the CGR and a joining interface because the joining interface might be multiple mesh hops away from the CGR. CGRs communicate with a standard AAA server using the RADIUS protocol.
- Evicting nodes: To evict nodes from a network, the CGR must communicate a new Group Temporal Key (GTK) to all nodes in the PAN except those being evicted. The new GTK has a valid lifetime that begins immediately. After the new GTK is distributed to all allowed nodes, the CGR invalidates the old GTK. After the old GTK is invalidated, those nodes that did not receive the new GTK can no longer participate in the network and are considered evicted.
- Security mode: All data-and-acknowledgment traffic is protected using the IEEE 802.15.4 Counter with CBC-MAC (CCM) security mode.
- AES-128 keys: All nodes in a PAN share the same AES-128 keys for use with CCM.
- Device authentication: EAP-TLS, where the CGR serves as the authenticator and communicates with a standard AAA server using RADIUS.
- Handshake protocol: A handshake protocol similar to 802.11i is used to establish a Pairwise Temporal Key (PTK) between a device and a CGR. The PTK is used to securely distribute the GTK. The same handshake messages might be used to refresh the GTK.

Because communication modules might not be within direct communication range of a CGR, RMEs also implement an EAP proxy service so that communication modules can proxy messages between a joining device and the CGR.

6LoWPAN Adaptation

The 6LoWPAN adaptation layer adapts IPv6 to operate efficiently over low-power and lossy links such as those defined by IEEE 802.15.4 (low-rate WPANs (LR-WPANs)). The adaptation layer sits between the IPv6 and IEEE 802.15.4 layers and provides IPv6 header compression, IPv6 datagram fragmentation, and optimized IPv6 Neighbor Discovery.

The 6LoWPAN adaptation feature uses packet-header filtering for packet transmission when transporting IPv6 datagrams within IEEE 802.15.4e frames. RMEs implement the 6LoWPAN header compression format: RFC 6282 on Compression Format for IPv6 Datagrams over IEEE 802.15.4-Based Networks. For each IPv6 datagram submitted to the mesh interface for transmission, an RME attempts to compress the IPv6 header to the smallest encoding supported by the header compression mechanism.

Note: The initial 6LoWPAN RFC 4944 also includes an IPv6 header compression scheme that is now deprecated and replaced by RFC 6282 6LoWPAN header compression. The Cisco CGR implementation for 6LoWPAN header compression implements only RFC 6282. For more information on RFC 6282, see http://datatracker.ietf.org/doc/rfc6282/.

The 6LoWPAN adaptation feature uses 800-byte IEEE 802.15.4 MTU with MAC layer fragmentation, and has 800-byte IEEE 802.1X MTU with no MAC layer fragmentation support.

Note: RMEs perform hop-by-hop packet fragmentation and reassembly, where a communication module must receive all 6LoWPAN fragments for an IPv6 datagram before it can begin forwarding the datagram to the next hop. However, whereas the IEEE 802.15.4e/g PHY supports a 1500-byte MTU, the Cisco implementation of the 6LoWPAN layer does not generate link frames larger than 800 bytes.

Frequency Hopping

RMEs implement frequency hopping between up to 31 800-kHz channels, PHY data rates of 50 kbps, 200 kbps, 400 kbps, 800 kbps and 1200 kbps in the 902-to-928 MHz ISM band. The frequency hopping protocol maximizes the use of the available spectrum by allowing multiple sender-receiver pairs to communicate simultaneously on different channels.
The frequency hopping protocol also mitigates the negative effects of narrowband interferers.

RMEs allow each communication module to follow its own channel-hopping schedule for unicast communication and synchronize with neighboring nodes to periodically listen to the same channel for broadcast communication. This enables all nodes within an RME PAN to use different parts of the spectrum simultaneously for unicast communication when nodes are not listening for a broadcast message. Using this model, broadcast transmissions can experience higher latency than unicast transmissions. When a communication module has a message destined for multiple receivers, it waits until its neighbors are listening on the same channel for a transmission. The size of a broadcast listening window and the period of such listening windows determine how often nodes listen for broadcast messages together rather than listening on their own channels for unicast messages.

Note: RMEs implement a leading-edge frequency hopping scheme developed by Cisco. Currently, neither IEEE 802.15.4 nor any other industry standard defines a frequency hopping protocol.

Unicast Listening Schedule

The unicast schedule supports unicast communication used for communicating MAC commands and IPv6 unicast datagrams. Each node maintains its own channel-hopping schedule for receiving unicast messages. A unicast schedule is defined by the following parameters:
- Channel Sequence: A list of channels indexed by a 16-bit integer that a mesh interface follows when listening for unicast transmissions.
- Slot Duration: The equal-sized time slots of the unicast schedule. A node listens to a single channel for the entire duration of a slot before switching to the next channel in the unicast schedule for listening.

Broadcast Listening Schedule

The Layer-2 broadcast schedule supports broadcast communication used for communicating Layer-3 IPv6 multicast datagrams. The broadcast schedule is established on a CGR and disseminated to all nodes in the PAN using a Trickle-based dissemination protocol. All nodes in the PAN synchronize to only one broadcast schedule. There is no coordination of broadcast schedules between PANs. The following parameters define the broadcast schedule:
- Channel Sequence: Lists channels indexed by a 16-bit integer the mesh interface follows when listening for broadcast transmissions.
- Slot Duration: Specifies equal-sized time slots for the broadcast schedule.
- Broadcast Listen Window: Specifies how long a node listens for broadcast messages within a broadcast slot. Broadcast packets must start their transmission within the Broadcast Listen Window to ensure that all neighboring nodes are listening for the broadcast transmission. The Broadcast Listen Window must specify a time that is no greater than the Slot Duration. At the beginning of each broadcast slot, the node switches to the next channel in the broadcast schedule to listen for broadcast transmissions. At the end of the Broadcast Listen Window, the node returns to listening for unicast transmissions until the start of the next broadcast slot. The unicast schedule is free running and the timing remains unaffected by the broadcast schedule. In other words, the broadcast schedule is overlaid on a node unicast schedule.

IPv6 Network Layer

RMEs implement standard IPv6 services. The IPv6 layer forwards IPv6 datagrams between the mesh and serial interfaces. The IPv6 layer also uses the mesh interface to forward IPv6 datagrams across other communication modules. RMEs support both unicast and multicast forwarding. Layer-3 multicast is mapped to Layer-2 broadcast.

RFC 768 User Datagram Protocol (UDP) is the recommended transport layer protocol over 6LoWPAN. TCP is not the preferred transport layer over 6LoWPAN and is generally not used by RMEs.

The default IPv6 MTU is 1280 bytes. Higher layers might limit the size of link frames to a smaller value. As described in 6LoWPAN Adaptation, on page 14, the Cisco 6LoWPAN implementation supports an 800-byte MTU.

IPv6 Protocols

Cisco Resilient Mesh implements the following protocols to support IPv6:
- RFC 2460: Internet Protocol version 6
- RFC 4291: IP Version 6 Addressing Architecture
- RFC 6724: Default Address Selection for Internet Protocol Version 6 (IPv6)
- RFC 4861: Neighbor Discovery for IPv6
- RFC 4443: ICMP for the Internet Protocol Version 6 (IPv6)
- RFC 3315: Dynamic Host Configuration Protocol for IPv6

Autoconfiguration

RMEs implement a DHCPv6 client for IPv6 address autoconfiguration. RMEs also support arbitrary DHCPv6 options (that is, vendor option 17) to allow additional stateless configuration information to be included in DHCPv6 replies from the server. Cisco Resilient Mesh uses the DHCPv6 Rapid Commit option to reduce the traffic to only Solicit and Reply messages, so the DHCPv6 server must support this option.

RMEs implement a DHCPv6 client, while the CGR implements a DHCPv6 Relay Agent. A joining node might not be within range of a CGR and must use a neighboring communication module to make DHCPv6 requests. On an RME, no DHCPv6 server address needs to be configured. The DHCPv6 client requests are sent to the DHCPv6 Relay Agent on the CGR. The DHCPv6 Relay Agent forwards the DHCPv6 client messages to the DHCPv6 server.

RMEs perform routing at the network layer using the Routing Protocol for Low-Power and Lossy Networks (RPL):
- RFC 6550: RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks (to establish routes for delivering unicast IPv6 datagrams to their destinations)
- RFC 6551: Routing Metrics Used for Path Calculation in Low-Power and Lossy Networks
- RFC 6553: The Routing Protocol for Low-Power and Lossy Networks (RPL) Option for Carrying RPL Information in Data-Plane Datagrams
- RFC 6554: An IPv6 Routing Header for Source Routes with the Routing Protocol for Low-Power and Lossy Networks (RPL)
- RFC 6206: The Trickle Algorithm
- RFC 6719: The Minimum Rank with Hysteresis Objective Function

RPL

RPL does the following:
- Offers a number of advanced features, such as trickle timers limiting the chattiness of the control plane, dynamic link (hop count, throughput, latency, link/path reliability (ETX), link colors), and node routing metrics (node state/attribute, node power levels) for constraint-based routing useful for combined AMI (Advanced Metering Infrastructure) and DA (Distributed Automation) deployments.
- Supports multi-topology routing with the support of multiple Directed Acyclic Graphs (DAGs) where each DAG is optimized against different constraints and metrics dictated by the objective function.
- Reduces the probability of loops occurring as well as detects these loops by employing data path validation, and then breaking the loops using local poisoning.
- CGR and RME implementations support a non-storing mode for RPL.
- Supports both local repair (faster and sub-optimal) and global re-optimization.

RPL constructs the routing tree of the meters. Each node builds and maintains up to three Destination-Oriented Directed Acyclic Graph (DODAG) parents that provide a path to the Root CGR.

RMEs implement a non-storing mode because the expected traffic flow for AMI applications primarily flows through the CGR. Implementing non-storing mode helps save memory on RMEs by only storing the DODAG parents and the neighbors on the sub-DAG. In non-storing mode, each node maintains its DODAG parents and uses them as default routes. The routing graph, created by the set of DODAG parents across all nodes, defines the set of upward routes. Each node reports its DODAG parents to the CGR so that the router can generate source routes when delivering datagrams across the PAN. Likewise, nodes establish downward routes by advertising their parent set towards the DODAG Root. Because RMEs implement the non-storing mode of RPL, nodes report their parent sets directly to the Root, and the Root must store the information.
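The non-storing behaviour described here, as an added example that is not Cisco's code: a root that stores the parent sets nodes report in DAO messages and derives a source route by walking upward from the target. The class name, node names, the plain integer path-sequence comparison and the hop cap are assumptions made for the illustration.

```python
from collections import deque

ROOT = "cgr"       # hypothetical name for the DODAG root (the CGR)
MAX_PARENTS = 3    # from the page: up to three DODAG parents per node
MAX_HOPS = 16      # assumed cap on source-route length


class NonStoringRoot:
    """Root-side state: the parent set each node reported in its DAO."""

    def __init__(self):
        self.parent_sets = {}  # node -> (path_seq, [parents, preferred first])

    def process_dao(self, node, parents, path_seq):
        """Store a reported parent set; return False if the report is refused."""
        if node == ROOT or node in parents:
            return False                      # a node cannot be its own parent
        if not 1 <= len(parents) <= MAX_PARENTS:
            return False
        if len(set(parents)) != len(parents):
            return False                      # duplicate parent entries
        known = self.parent_sets.get(node)
        if known is not None and path_seq <= known[0]:
            return False                      # stale or replayed report
        self.parent_sets[node] = (path_seq, list(parents))
        return True

    def source_route(self, target):
        """Return the hops from the root down to target, or None.

        Breadth-first search upward from the target finds the shortest path;
        the visited map keeps inconsistent reports (A lists B, B lists A)
        from looping the search.
        """
        if target not in self.parent_sets:
            return None
        came_from = {target: None}            # parent -> child it was reached from
        queue = deque([target])
        while queue:
            node = queue.popleft()
            if node == ROOT:
                break
            for parent in self.parent_sets.get(node, (0, []))[1]:
                if parent not in came_from:
                    came_from[parent] = node
                    queue.append(parent)
        if ROOT not in came_from:
            return None                       # no reported path reaches the root
        route, node = [], came_from[ROOT]
        while node is not None:
            route.append(node)
            node = came_from[node]
        return route if len(route) <= MAX_HOPS else None


def demo():
    """Constructed topology (not from the page): m4 -> m3 -> {m1, m2} -> cgr."""
    root = NonStoringRoot()
    root.process_dao("m1", [ROOT], 1)
    root.process_dao("m2", [ROOT], 1)
    root.process_dao("m3", ["m1", "m2"], 1)
    root.process_dao("m4", ["m3"], 1)
    root.process_dao("m5", ["m6"], 1)         # m5 and m6 only list each other
    root.process_dao("m6", ["m5"], 1)
    before = root.source_route("m4")
    stale = root.process_dao("m3", ["m2"], 1)  # same sequence number: refused
    fresh = root.process_dao("m3", ["m2"], 2)  # m3 lost m1 and reports again
    after = root.source_route("m4")
    return before, stale, fresh, after, root.source_route("m5")


if __name__ == "__main__":
    print(demo())
```

Because every downward route is computed from state the nodes themselves report, the refusal checks in `process_dao` and the cycle guard in `source_route` are where a root limits the effect of a stale or inconsistent report.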
The Root uses this information when determining source routes needed for delivering datagrams to individual nodes within the mesh. RMEs configure the RPL protocol to ensure routes are loop-free by disallowing nodes from selecting DODAG parents that are positioned further away from the CGR.

Route Redistribution of External RPL Routes

The CG WPAN module for Cisco Resilient Mesh supports route redistribution of external RPL routes in Cisco Resilient Mesh networks for application modules and MAP-T addresses in DA networks. (See Configuring Redistribution of RPL in Other Routing Protocols, on page 34.)

IPv6 Unicast Forwarding

RMEs implement a route-over architecture where forwarding occurs at the network layer. RMEs examine every IPv6 datagram that they receive and determine the next-hop destination based on information contained in the IPv6 header. RMEs do not use any information from the link-layer header to perform next-hop determination.

RMEs implement the options for carrying RPL information in Data-Plane datagrams (RFC 6553) and the Type 4 routing header as specified for RPL in RFC 6554. The routing header allows a node to specify each hop that a datagram must follow to reach its destination.

The RME communication stack offers four priority queues for QoS and supports differentiated classes of service when forwarding IPv6 datagrams to manage interactions between different application traffic flows as well as control-plane traffic. RMEs implement a strict-priority queuing policy, where higher-priority traffic always takes priority over lower-priority traffic.

The traffic on RMEs is marked by the vendor implementation (configuration functionality is not available). If required, traffic can be remarked on the CGR.

IPv6 Multicast Forwarding

RMEs deliver IPv6 multicast messages that have an IPv6 destination address scope larger than link-local when using a Layer-2 broadcast.
When RMEs receive a global-scope IPv6 multicast message, the node delivers the message to higher layers if the node is subscribed to the multicast address. RMEs then forward the message to other nodes by transmitting the same IPv6 multicast message over the mesh interface. RMEs use an IPv6 Hop-by-Hop option containing a sequence number to ensure that a message is not received and forwarded more than once.

Group Multicast

Group multicast can be used to control a specific group of devices by multicast. The devices in one group can cross multiple PANs. This feature is supported on CGEREF2/CGEREF2PLUS/CGEREF3/CGERFPLCREF3 with Cisco Resilient Mesh Release 6.2.

Note: This feature only works when MPL is enabled.

In the following figure, headend services are composed of the third-party application server and FND. Headend routers are used for managing and communicating with all nodes in multiple PANs. In an application data collection system, there are multiple groups crossing multiple CGRs to collect different data in the field. The nodes in a group are interspersed across multiple PANs.

The group multicast configuration is supported on FND or the application server. FND manages the group multicast addresses table based on the customer's configuration, while the application server manages the group multicast addresses.

Note: In Release 6.2, FND doesn't support the group configuration. You need to invoke the API to configure the group.

The overall process of FND management can be divided into the following stages:
Figure 6: FND Management Process

Stage 1: Subscribing IPv6 multicast group address from FND. After a node joins the network, it sends the register message to FND, as shown in the figure above. If FND has the preconfigured multicast group table, it pushes the multicast group addresses to the node.

Stage 2: Managing IPv6 multicast group address on node. FND posts the node's IPv6 multicast group addresses (maximum is 4) with TLV MulticastGroupSettings to the node. FND can add or delete the multicast group addresses by TLV MulticastGroupSettings.

Stage 3: Notifying the node's IPv6 multicast group address to FND. After a node receives the multicast group addresses, it sends the confirmation message to FND. Then the node can register it into FND. At the same time, the node periodically sends its group multicast address to FND.

Stage 4: Subscribing all IPv6 multicast group addresses in a PAN on CGR. Nodes send DAO messages directly to the CGR. The multicast group information with multicast group addresses and MPL domain is inserted into one DAO option. The CGR adds the multicast group entry for the WPAN interface, so that the CGR can forward multicast data messages from the application server to nodes.

Stage 5: Sending multicast message from application server to nodes. When the application server sends a multicast message to nodes, if MPL is enabled on the CGR, the CGR inserts the MPL domain address (for example, FF03::FC) into the original multicast message as shown in the following figure. Then the CGR forwards the MPL message to the WPAN interface. If a node has joined the destination group address, it receives the message and handles it in the upper layer of the node. If a node has not joined the destination group address, it forwards this MPL message because all nodes join the same MPL domain.

Draft comment: add the multicast group scope for this feature

The overall process of application server management can be divided into the following stages:
Figure 7: Application Server Management Process

Stage 1: Optionally subscribing IPv6 multicast group address from application server. After a node joins the network, the application layer of the node can subscribe the multicast group addresses from the application server, as shown in the figure above.

Stage 2: Managing IPv6 multicast group address on node. The application server pushes the node's IPv6 multicast group addresses (maximum is 4) to nodes. At the same time, nodes can also call SDK APIs (if_addmaddr, if_delmaddr, if_getmaddrs) to add/delete/get multicast group addresses.

Stage 3: Optionally notifying the node's IPv6 multicast group address to application server. After a node receives the multicast address from the application server, it sends the confirmation to the application server.

Stage 4: Subscribing all IPv6 multicast group addresses in a PAN on CGR. Nodes send DAO messages directly to the CGR. The multicast group information with multicast group addresses and MPL domain is inserted into one DAO option. The CGR adds the multicast group entry for the WPAN interface, so that the CGR can forward multicast data messages from the application server to nodes.

Stage 5: Sending multicast message from application server to nodes. This stage is the same as stage 5 of the process with FND management.

For more information about configuring group multicast, see Configuring Group Multicast, on page 32.

CoAP Simple Management Protocol (CSMP)

RMEs implement CSMP for remote configuration, monitoring, and event generation over the IPv6 network. CSMP service is exposed over both the mesh and serial interfaces. RMEs use the Cisco IoT FND, which provides the necessary backend network configuration, monitoring, event notification services and network firmware upgrade, as well as power outage and restoration notification and meter registration. IoT FND also retrieves statistics on network traffic from the interface. IoT FND accesses CSMP over the mesh to manage communication modules.
The application module can use the information to perform application-specific functions and support customer-specific diagnostic tools. RMEs do not support the following:
- CLI commands: All configuration and management occur only through CSMP
- No user interface: All configuration and management occur only through CSMP

Note: In operations, IoT FND is the preferred interface to manage the WPAN module configuration and Cisco Resilient Mesh networks. Only trained and qualified engineers should use the Cisco IOS CLI to configure or monitor a WPAN module.

The following parameters are available from the RMEs through CSMP on IoT FND:
- Status Information
- Identification
- UTC time in seconds
- IEEE 802.15.4 link
- 6LoWPAN link
- Network interface (for both serial and mesh interface)
- RPL
- Cisco Resilient Mesh firmware

Certificate Management with EST Protocol

Enrollment over Secure Transport (EST) is a cryptographic protocol that describes a certificate management protocol targeting public key infrastructure (PKI) clients that need to acquire client certificates and associated certificate authority (CA) certificates. EST uses Public-Key Cryptography Standards (PKCS) 10 for certificate requests.

With the EST support enabled, the operational certificates do not need to depend on the manufacturer's PKI. The manufacturer-installed certificate is used only once for initial bootstrapping. After that, all certificates used by the endpoint can be managed using the customer's PKI only. The management of customer-installed certificates does not require manually installing the certificates and keys on the endpoints.

Note: EST is supported on IR510 WPAN Gateway and IR530 WPAN Range Extender with Cisco Resilient Mesh Release 6.1.

The following certificates are supported:
- Manufacturer IDevID (birth certificate): Installed by the manufacturer, using the manufacturer's PKI, only used for bootstrapping, and immutable.
- Utility IDevID (passport certificate): Managed by Utility PKI, enrolled using Manufacturer IDevID, and used only for enrolling the LDevID.
- LDevID (visa certificate): Managed by Utility PKI, enrolled using Utility IDevID, and used for 802.1X authentication as operational certificate.

When the endpoint comes with a manufacturer IDevID, after onboarding it acquires a passport and a visa certificate from the customer PKI domain. The manufacturer IDevID and passport certificates are used to authenticate and authorize the endpoint when it enrolls for a visa certificate. The visa certificate is used to authenticate and authorize the endpoint when it joins the network (802.1x, EAP-TLS).

The Cisco Resilient Mesh uses EST over CoAP/DTLS/UDP for certificate enrollment. During the initial bootstrapping process, nodes that have already joined the network (enrolled and authenticated) act as DTLS relays for nodes being bootstrapped. DTLS relay can be configured by CLI with the following parameters:
- enabled flag, which allows disabling the entire relay functionality when not needed
- EST server IP address and port
- maximum number of sessions
- maximum session lifetime

For more information on DTLS relay configuration, see Configuring DTLS Relay for EST, on page 52.

Note: DTLS relay should only be enabled during the enrollment windows.

When nodes that are one hop away from the Border Router (BR) are being enrolled, they need to go through the DTLS relay running on the BR. On the BR, layer 1 and layer 2 run on the bridge (running Resilient Mesh) while layer 3 and above run in IOS. The relay operates at layer 3 and layer 4, therefore it is implemented in IOS as well. The relay on the BR will support the same configuration that is supported by the relay running on endpoints. On the BR, the configuration will be done using IOS CLIs.

The relay on the node can be set by TLV170 DtlsRelaySettings. Each node supports at most two relay sessions at the same time. Because each DTLS packet will refresh the relay session, the timeout of each session is 30 seconds.

EST provides an operation for the client to retrieve a bundle of CA certificates from the server, including the 802.1x CA and the NMS certificate, as well as the EST-related certificates.

EST supports the enrollment operation of the client generating its own private key. With client-side key generation, the client sends a /sen (simpleenroll) request with the CSR. The EST server processes the request and, if it is valid, returns the client certificate in a PKCS7 Response. The certificate will include the public key from the CSR. During bootstrapping this enrollment process is performed twice. First the client authenticates with the Manufacturer IDevID and enrolls the Utility IDevID. After that it authenticates with the Utility IDevID and enrolls the Utility LDevID. The Utility LDevID is then used for the 802.1X authentication.

Power Outage Notification

Cisco Resilient Mesh supports timely and efficient reporting of power outages. In the event of a power outage, Cisco Resilient Mesh enters power outage notification mode and the node stops listening for traffic to conserve energy. Cisco Resilient Mesh triggers functions to conserve energy by notifying the communication module and neighboring nodes of the outage. The outage notification is sent using the same security settings as any other UDP/IPv6 datagram transmission. Communication modules unaffected by the power outage gather and forward the information to a CGR.

When a power outage happens, if the outage node's backup power is adequate, its Power Outage Notification (PON) message will be sent as broadcast once. Any node receiving the PON message will delete this parent based on the hold up time if it exists. Such a node is called a powered outage node. If the outage node's backup power is limited, its PON message will be sent as broadcast three times. Any node receiving the PON message will delete this parent directly if the route exists and forward it to the outage server. Such a node is called a normal outage node.

Under outage mode, a powered outage node will still send its PON and relay its children's PONs to its parent as unicast. However, a normal outage node is in deep sleep mode until the next broadcast transmission. Receiving and unicasting transmission is disabled.
To improve the PON success rate, a PON RPL instance is introduced in Wi-SUN mode in the Cisco Resilient Mesh Release 6.2. If the node's PON RPL instance is valid and at least one parent is available, the parent should be the preferred parent of the PON RPL instance. If the node's PON RPL instance has no available parent, the parent should be the preferred parent from the Core RPL instance. If the node's PON RPL instance has no available parent, the node must drop the packet from the PON RPL instance.

To configure PON RPL, see Configuring PON RPL, on page 35.

To configure the outage server address, see Configuring the Power Outage Server, on page 35.

Software Upgrade

You can perform firmware upgrades through the CGR CLI (Cisco IOS). WPAN firmware is not upgraded automatically when the CGR is upgraded to a new image integrated with new WPAN firmware. You can upgrade the WPAN to the firmware version integrated in the CGR image, or you can upgrade to a custom WPAN firmware other than the one integrated in the current CGR image. For more information, see Checking and Upgrading the WPAN Firmware Version, on page 81.

Performance

RMEs support the following performance-enhancing features:
- Network discovery time: To assist field installations, RMEs support mechanisms that allow a node to determine whether or not it has good connectivity to a valid mesh network. For more information, see Network Discovery, on page 13.
- Network formation time: To assist field installations, RMEs use mechanisms that allow up to 5,000 nodes in a single WPAN to go through the complete network-discovery, access-control, network configuration, route formation, and application registration process.
- Network restoration time: The mechanism that aids the rerouting of traffic during a link failure.
- Power outage notification: For more information, refer to Power Outage Notification, on page 23.

Cisco Resilient Mesh Security

Cisco Resilient Mesh Network Access Control and Authentication

Cisco Resilient Mesh WPAN Network Access Control (WNAC) authenticates a node before the node gets an IPv6 address. WNAC uses standard, widely deployed security protocols that support Network Access Control, in particular, IEEE 802.1X using EAP-TLS to perform mutual authentication between a joining Low Power and Lossy Network (LLN) device and an AAA server. In addition, Cisco Resilient Mesh uses the secure key management mechanisms introduced in IEEE 802.11i to allow the CGR to securely manage the link keys within each Cisco Resilient Mesh device.

LLNs are typically composed of multiple hops and Cisco Resilient Mesh is used to support EAPOL over multi-hop networks. In particular, the Supplicant (LLN device) might not be within direct link connectivity of the Authenticator (CGR). Cisco Resilient Mesh uses the Split Authenticator as a communication relay for the Authenticator. All devices that have successfully joined the network also serve as a Split Authenticator, accepting EAPOL frames from those devices that are attempting to join the network.
Because Cisco Resilient Mesh performs IP-layer routing, the Split Authenticator relays EAPOL frames between a joining device and an Authenticator using UDP. By introducing a Split Authenticator, the authentication and key management protocol is identical to an LLN device regardless of whether it is a single hop from the CGR or multiple hops away.

To manage the group keys, Cisco Resilient Mesh implements disruptive innovations which introduce novel mechanisms for efficiently managing the group keys using the key management mechanisms specified in IEEE 802.11i. The CGR and Cisco Resilient Mesh devices use the IEEE 802.11 key hierarchy in persistent state to minimize the overhead of maintaining and distributing group keys. In particular, an LLN device first checks if it has a valid Group Temporal Key (GTK) by verifying the key with one of its neighbors. If the GTK is valid, the node can begin communicating in the network immediately. Otherwise, the device then checks if it has a valid Pairwise Temporal Key (PTK) with the CGR. If the PTK is valid, the CGR initiates a two-way handshake to communicate the current GTK. Otherwise, the device checks if it has a valid Pairwise Master Key (PMK) with the CGR. If the PMK is valid, the CGR initiates a two-way handshake to establish a new PTK and communicate the current GTK. Otherwise, the device will request a full EAP-TLS authentication exchange. This hierarchical decision process minimizes the security overhead in the normal case, where devices might migrate from network-to-network due to environmental changes or network formation after a power outage. (See Power Outage Notification, on page 23.)

To manage GTKs in a multi-hop mesh network, Cisco Resilient Mesh introduces novel mechanisms for efficiently checking the consistency of the GTK, PTK, and PMKs. Devices include GTK IDs in IEEE 802.15.4 Enhanced Beacons to quickly verify the freshness of their GTKs.
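The hierarchical key check described above, combined with GTK-based eviction, as an added example that is not Cisco's implementation: it tracks key IDs only (no key material) and returns which exchange a rejoining device ends up in. The class names, the step labels and the way the CGR recognizes an evicted node are assumptions made for the illustration.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass
class Device:
    """Key IDs a device kept in persistent state (None = no valid key)."""
    name: str
    gtk_id: Optional[int] = None
    ptk_id: Optional[int] = None
    pmk_id: Optional[int] = None


class Cgr:
    """Authenticator-side view of the key hierarchy, IDs only."""

    def __init__(self):
        self._ids = count(1)
        self.gtk_id = next(self._ids)
        self.ptk = {}         # device name -> PTK ID the CGR holds for it
        self.pmk = {}         # device name -> PMK ID the CGR holds for it
        self.evicted = set()  # assumption: the CGR keeps a list of evicted nodes

    def handle_request(self, dev):
        """Choose the cheapest exchange the device's PTK and PMK IDs allow."""
        if dev.name in self.evicted:
            return "REJECTED"                 # new GTKs go to trusted devices only
        if dev.ptk_id is not None and self.ptk.get(dev.name) == dev.ptk_id:
            step = "GTK_ONLY"                 # PTK still valid: deliver current GTK
        elif dev.pmk_id is not None and self.pmk.get(dev.name) == dev.pmk_id:
            self.ptk[dev.name] = dev.ptk_id = next(self._ids)
            step = "NEW_PTK_AND_GTK"          # PMK valid: derive PTK, deliver GTK
        else:
            # Full EAP-TLS with the AAA server; assumed to succeed in this sketch.
            self.pmk[dev.name] = dev.pmk_id = next(self._ids)
            self.ptk[dev.name] = dev.ptk_id = next(self._ids)
            step = "FULL_EAP_TLS"
        dev.gtk_id = self.gtk_id
        return step

    def refresh_gtk(self, reachable=()):
        """Issue a new GTK, hand it to reachable devices, invalidate the old one."""
        self.gtk_id = next(self._ids)
        for dev in reachable:
            dev.gtk_id = self.gtk_id

    def evict(self, name, members):
        """Rotate the GTK to every member except the evicted one."""
        self.evicted.add(name)
        self.ptk.pop(name, None)
        self.pmk.pop(name, None)
        self.refresh_gtk(d for d in members if d.name not in self.evicted)

    def accepts_frames_from(self, dev):
        return dev.gtk_id == self.gtk_id


def join(dev, cgr, beacon_gtk_id):
    """Device side: compare the stored GTK ID with a neighbor's beacon first."""
    if dev.gtk_id is not None and dev.gtk_id == beacon_gtk_id:
        return "GTK_VALID"
    return cgr.handle_request(dev)


def demo():
    cgr = Cgr()
    a, b = Device("meter-a"), Device("meter-b")   # constructed devices
    steps = [join(a, cgr, cgr.gtk_id),            # cold boot
             join(b, cgr, cgr.gtk_id),            # cold boot
             join(a, cgr, cgr.gtk_id)]            # warm boot, GTK unchanged
    cgr.refresh_gtk()                             # GTK refreshed while a was away
    steps.append(join(a, cgr, cgr.gtk_id))
    a.ptk_id = None                               # a's PTK expired as well
    cgr.refresh_gtk()
    steps.append(join(a, cgr, cgr.gtk_id))
    cgr.evict("meter-b", [a, b])                  # b is treated as compromised
    steps.append(join(b, cgr, cgr.gtk_id))
    return steps, cgr.accepts_frames_from(a), cgr.accepts_frames_from(b)


if __name__ == "__main__":
    print(demo())
```

The last step shows why eviction depends on the CGR refusing key requests from the evicted node: a node that only missed a GTK refresh and still holds a valid PTK gets the new GTK back in one exchange.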
If any device detects an inconsistency in the GTK state, it requests updated GTKs from the CGR. In addition, devices include a PTK ID (along with the PMK ID) in GTK request messages sent to the CGR, allowing the CGR to quickly determine whether to initiate a two-way handshake, four-way handshake, or full EAP-TLS authentication. Including GTK, PTK, and PMK IDs in the key management messages significantly reduces the latency in detecting (and thus distributing) updated GTKs to all devices in the network.

Note: Client certificate and CA certificate size must be less than 1040 bytes; otherwise the certificate is invalid on the CG-Mesh device.

The following figure shows the Cisco Resilient Mesh authentication overview:

Figure 8: Cisco Resilient Mesh Authentication Overview

Stages of Authentication

The Cisco Resilient Mesh meter must go through five stages of authentication before it connects with the CGR:

Stage 1: Key information exchange
Stage 2: 802.1X/EAP-TLS authentication (ECC cipher suite certificate)
Stage 3: 802.11i four-way handshake: Pairwise Master Key (PMK) confirmation, Pairwise Transient Key (PTK) derivation, and Group Temporal Key (GTK) distribution
Stage 4: Group key handshake
Stage 5: Secure data communications

Figure 9: Four-Way Handshake

Compromised Node Eviction

A compromised node is one where the device can no longer be trusted by the network and/or operators. Nodes within an IEEE 802.15.4 PAN must possess the currently valid Group Temporal Key (GTK) to send and receive link-layer messages. The GTK is shared among all devices within the PAN and is refreshed periodically or on-demand. By only communicating new GTKs to trusted devices, compromised nodes might be evicted from the network.

Cisco Resilient Mesh Security Warm Boot vs. Cold Boot

Authentication for Cisco Resilient Mesh security behaves differently between a warm boot and a cold boot:
A warm boot is when the meter has a working key, in which case authentication has already been established and the meter joins the mesh quickly.

A cold boot is when the meter has not yet been authenticated because it is the first time the meter has been authenticated or the meter key has expired.

Dual-PHY WPAN

In a CGR configured with dual-WPAN interfaces, the Dual-PHY WPAN feature enables a WPAN to operate as a slave of a master WPAN. A master WPAN is the same as a regular independent WPAN. Only one slave WPAN can be attached to a master WPAN.

Note: The Dual-PHY WPAN feature applies to the CGR IOS release only.

Only the master WPAN has an RPL tree; the slave WPAN has an RPL tree with zero entries. All mesh nodes obtain the IPv6/RPL prefix of the master WPAN. The IPv6/RPL prefix, as well as RPL configurations on the slave WPAN, are ignored. A slave WPAN does not send RPL DODAG Information Object (DIO) messages. Conceptually, the slave WPAN acts only as a NIC at the MAC and PHY layer.

From the point of view of the CGR and IoT FND, all IPv6 and 802.1x/mesh-security traffic flows only through the master WPAN; however, it is correctly routed at the lower layer to the actual master or slave interface. The CGR sees all power outage notification (PON) and power restoration notification (PRN) traffic as flowing only through the master WPAN, even though it may have come from different master or slave interfaces. All traffic statistics are reported under the master WPAN. All non-WPAN commands (ping, traceroute, show interface, etc.) work through the master IPv6 prefix. The master WPAN shows the link neighbor table for nodes sensed by the master WPAN, and the slave WPAN shows the link neighbor table for nodes sensed by the slave WPAN.

The two WPANs can be a mix of RF and PLC. SSIDs do not need to be identical on both WPANs. However, different PANIDs should be configured on each WPAN. See Configuring the Dual-PHY Master-Slave Relationship, on page 42 for configuration information.

Configuring Cisco Resilient Mesh and the WPAN Module

IoT FND provides the user interface for all Cisco Resilient Mesh configuration and management. Cisco Resilient Mesh has no CLI and no graphical user interface for configuration or management. All configuration and management occur only by using IoT FND through the CGR Series WPAN module by using Cisco IOS software commands (Release 15.4(2)CG and greater).

Note: Your CGR1000 router must be running Cisco IOS Release 15.7(3)M1 (cgr1000-universalk9-bundle.SPA.157-3.M1.bin) or greater to support the CGM WPAN-OFDM Module.

You must enable the dot1x (802.1X), mesh-security, and DHCPv6 features to configure the WPAN interface.

Configuring the WPAN Interface

At the CGR 1000, configure the WPAN Module interface as follows:
cgr1000_wpanmodule# config terminal
cgr1000_wpanmodule(config)# interface wpan <slot|port>
cgr1000_wpanmodule(config-if)#
Enabling dot1x, mesh-security, and DHCPv6

To enable these features, use the following command:
dot1x system-auth-control

For dot1x, the WPAN interface configuration requires:
dot1x pae authenticator

See Sample Router Configuration, on page 62. See show dot1x all details, on page 38. For configuring mesh security, see Configuring Cisco Resilient Mesh Security, on page 36.

For DHCPv6, you will also need in your WPAN running configuration:
ipv6 dhcp relay destination <IPv6 address>

See Sample Router Configuration, on page 62.

In Cisco IOS on the CGR, various WPAN radio related commands are under the ieee154 parameter:
Router(config-if)#ieee154 ?
beacon-async  IEEE154 async beacon parameters
channel       Channel (for hw testing use only. 254 is channel hopping)
dwell         Channel dwell configuration for regional compliance
notch         Channel notch configuration for regional compliance
panid         PAN ID
ssid          SSID
txpower       Transmission power configuration (hardware dependent)

Naming Your PAN

To configure the name of your IEEE 802.15.4 Personal Area Network Identifier (PAN ID), use the following WPAN command:
Router(config-if)# ieee154 panid ?
<0-65535> Enter a value between 0 and 65535
Router (config-if)# ieee154 panid 2121

For sample configuration, see show wpan config, on page 55.

Naming the SSID

The Service Set Identifier (SSID) identifies the owner of the RME. The SSID is set on a RME in manufacturing, and that same SSID must also be configured on the CGR WPAN interface. To configure the name of the SSID, use the ssid command ieee154 ssid <ssid_name>, for example:
Router(config)# interface wpan 3/1
Router(config-if)# ieee154 ssid ?
WORD ssid string (Max size 32)
Router(config-if)# ieee154 ssid myWPANssid

For sample configuration, see show wpan config, on page 55.

Configuring Transmit Power

Note: Transmit power must match the local regulation and be aligned with the Cisco Resilient Mesh value, which can be monitored through IoT FND.

The actual maximum possible power emitted by the radio antenna is approximately 28 to 30 dBm. However, this is not directly, nor linearly, mapped to the txpower designation in the configuration. The txpower in the configuration specifies the txpower setting in the physical hardware (chip). However, the radio signal out of the hardware chip must travel through the amplifier, front end, antenna, etc., which causes the output power of the chip to be less than the actual electro-magnetic signal that is emitted into the air. Values range from 2 (high) to the default value of -34 dBm (low) as shown in Table 9: Transmit Power: Configured Power Value Versus Actual Power, on page 28.

The range provided in txpower configuration is an integer range, which is a superset of all the configurable values available.

Table 9: Transmit Power: Configured Power Value Versus Actual Power

txpower Value   Configured Power Value (dBm)   Actual Power (dBm)
High            2                              28 (For outdoors; the recommended value)
Low             -34                            0 (For indoor lab testing)

Router(config-if)# ieee154 txpower ?
<-65 - 64> Enter a value between -65 and 64
*Default value is -34

To configure the transmit power for outdoor usage, specify a higher transmit power, such as:
Router (config-if)# ieee154 txpower 30

For sample configuration, see show wpan config, on page 55.

Naming the Notch

A notch is a list of disabled channels from the 902-to-928 MHz range. If there is no notch at all, then all channels are enabled. If there is a notch [x, y], then channels between x and y are disabled. Notch configuration must comply with your regional regulations (for example, a notch configuration is not required for U.S.). Notch configuration must match between the WPAN interface of the CGR and the RME. For sample configuration, see show wpan config, on page 55.

Note: A channel list is a list of enabled channels.

You can view the notch by using the following command:
Router(config-if)# ieee154 notch ?
<0-63> channel id
Router (config-if)# ieee154 notch 10-15, 30-35
Router (config-if)# end
Router# config in-hardware notch
notch: [10, 15]
notch: [30, 35]
Router# show wpan slot/port hardware channel-list
channellist: 0 1 2 3 4 5 6 7 8 9 16 17 18 19 20 21 22 23 24 25 26 27 28 29 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63

Configuring the CGM WPAN OFDM Module

The following table shows the CLI interface commands for the CGM WPAN-OFDM Module.

Table 10: Summary of CLI Interface commands for the CGM WPAN OFDM Module

Command: ieee154 phy-mode <1-255>
Definition: Defines the IEEE154 PHY mode. Possible options noted below, default value is 149.
  1: Classic; Rate=50 kb/s; Modulation=2FSK; Modulation Index=1.0; FEC=ON; Channel Spacing=200 kHz
  17: Classic; Rate=50 kb/s; Modulation=2FSK; Modulation Index=1.0; FEC=OFF; Channel Spacing=200 kHz
  2: Classic; Rate=150 kb/s; Modulation=2FSK; Modulation Index=0.5; FEC=ON; Channel Spacing=400 kHz
  18: Classic; Rate=150 kb/s; Modulation=2FSK; Modulation Index=0.5; FEC=OFF; Channel Spacing=400 kHz
  64: Rate=50 kb/s; Modulation=2FSK; Modulation Index=1.0; FEC=OFF; Channel Spacing=200 kHz
  96: Rate=50 kb/s; Modulation=2FSK; Modulation Index=1.0; FEC=ON; Channel Spacing=200 kHz
  66: Rate=150 kb/s; Modulation=2FSK; Modulation Index=0.5; FEC=OFF; Channel Spacing=400 kHz
  98: Rate=150 kb/s; Modulation=2FSK; Modulation Index=0.5; FEC=ON; Channel Spacing=400 kHz
  128: Rate=100 kb/s; Modulation=OFDM; Option=1; MCS=0; Channel Spacing=1200 kHz
  129: Rate=200 kb/s; Modulation=OFDM; Option=1; MCS=1; Channel Spacing=1200 kHz
  130: Rate=400 kb/s; Modulation=OFDM; Option=1; MCS=2; Channel Spacing=1200 kHz
  131: Rate=800 kb/s; Modulation=OFDM; Option=1; MCS=3; Channel Spacing=1200 kHz
  132: Rate=1200 kb/s; Modulation=OFDM; Option=1; MCS=4; Channel Spacing=1200 kHz
  133: Rate=1600 kb/s; Modulation=OFDM; Option=1; MCS=5; Channel Spacing=1200 kHz
  134: Rate=2400 kb/s; Modulation=OFDM; Option=1; MCS=6; Channel Spacing=1200 kHz
  144: Rate=50 kb/s; Modulation=OFDM; Option=2; MCS=0; Channel Spacing=800 kHz
  146: Rate=200 kb/s; Modulation=OFDM; Option=2; MCS=2; Channel Spacing=800 kHz
  147: Rate=400 kb/s; Modulation=OFDM; Option=2; MCS=3; Channel Spacing=800 kHz
  149: Rate=800 kb/s; Modulation=OFDM; Option=2; MCS=5; Channel Spacing=800 kHz
  150: Rate=1200 kb/s; Modulation=OFDM; Option=2; MCS=6; Channel Spacing=800 kHz
  161: Rate=50 kb/s; Modulation=OFDM; Option=3; MCS=1; Channel Spacing=400 kHz
  162: Rate=100 kb/s; Modulation=OFDM; Option=3; MCS=2; Channel Spacing=400 kHz
  163: Rate=200 kb/s; Modulation=OFDM; Option=3; MCS=3; Channel Spacing=400 kHz
  164: Rate=300 kb/s; Modulation=OFDM; Option=3; MCS=4; Channel Spacing=400 kHz
  165: Rate=400 kb/s; Modulation=OFDM; Option=3; MCS=5; Channel Spacing=400 kHz
  166: Rate=600 kb/s; Modulation=OFDM; Option=3; MCS=6; Channel Spacing=400 kHz
  192: Rate=6.25 kb/s; Modulation=OQPSK; Chip Rate=100 kchip/s; Rate Mode=0; Channel Spacing=200 kHz

Command: ieee154 txpower <-65 - 35>
Definition: Enter a value between -65 and 35, where 25 is the default transmission power value.

Command: [no] rpl dag-lifetime <15-255>
Definition: Enter a value between 15 and 255 seconds. Default is 120.

Command: [no] rpl storing-mode
Definition: Enter command to enable RPL storing mode on the interface. Enter no rpl storing-mode to disable the command.
Note: CGR must be reloaded for the rpl storing-mode command to take effect.

Sample Configuration

interface Wpan2/1
 no ip address
 ip broadcast-address 0.0.0.0
 no ip route-cache
 ieee154 beacon-async min-interval 10 max-interval 20 suppression-coefficient 1
 ieee154 dwell window 12400 max-dwell 400
 ieee154 panid 106
 ieee154 phy-mode 149
 ieee154 ssid edgecompute-secure
 ieee154 txpower 25
 rpl storing-mode
 rpl dag-lifetime
 rpl dio-dbl 5
 rpl dio-min 16
 rpl version-incr-time 120
 authentication host-mode multi-auth
 authentication port-control auto
 ipv6 address 2046:FACE::/64
 ipv6 dhcp relay destination 2001:FACE::200
 no ipv6 pim

Configuring Adaptive Modulation

Adaptive modulation enhances the backward compatibility with the classic Cisco Resilient Mesh network and improves the transmitting ability in the classic Cisco Resilient Mesh network. Adaptive modulation is supported on both Wi-SUN and Cisco mesh mode.

The following example shows the configuration of adaptive modulation in Wi-SUN mode:
(config)#interface wpan 4/1
(config-if)#ieee154 phy-mode
Supported Phy-Modes:
64:Rate=50 kb/s; Modulation=2FSK; Modulation Index=1.0; FEC=OFF; Channel Spacing=200 kHz
96:Rate=50 kb/s; Modulation=2FSK; Modulation Index=1.0; FEC=ON; Channel Spacing=200 kHz
66:Rate=150 kb/s; Modulation=2FSK; Modulation Index=0.5; FEC=OFF; Channel Spacing=400 kHz
98:Rate=150 kb/s; Modulation=2FSK; Modulation Index=0.5; FEC=ON; Channel Spacing=400 kHz
161:Rate=50 kb/s; Modulation=OFDM; Option=3; MCS=1; Channel Spacing=400 kHz
162:Rate=100 kb/s; Modulation=OFDM; Option=3; MCS=2; Channel Spacing=400 kHz
163:Rate=200 kb/s; Modulation=OFDM; Option=3; MCS=3; Channel Spacing=400 kHz
164:Rate=300 kb/s; Modulation=OFDM; Option=3; MCS=4; Channel Spacing=400 kHz
165:Rate=400 kb/s; Modulation=OFDM; Option=3; MCS=5; Channel Spacing=400 kHz
166:Rate=600 kb/s; Modulation=OFDM; Option=3; MCS=6; Channel Spacing=400 kHz
(config-if)#ieee154 phy-mode 166 165 164 163

Note: Adaptive modulation only supports configuring PHY modes of the same OFDM option, or PHY modes of the same OFDM option plus FSK PHY modes.

The Phy mode change causes the following config changes:
channel to 254;
notch to none;
Use the following command to check PHY mode configuration:
#show wpan 4/1 hardware config

Configuring Group Multicast

Use the following commands to configure group multicast:

Enable MPL:
(config)#fan-mpl domain 0

Check the mcast address reported by node:
#show wpan 4/1 rpl mcast-info domains
#show wpan 4/1 rpl mcast-info groups

Add multicast agent interface (uplink interface):
(config-if)#mcast-agent interface fx/x

Add multicast agent port:
(config-if)#mcast-agent port

Add multicast agent group:
(config-if)#mcast-agent group-join ?
X:X:X:X::X multicast group address

Check multicast agent port, interface, and groups:
#show wpan 4/1 mcast-agent ?
group-join  multicast group address
interface   mcast-interface
ports       Mcast optional ports

Configuring RPL

To determine the available RPL functions, query the rpl command:
Router(config-if)# rpl ?
dag-lifetime       RPL DAG lifetime in minutes
dio-dbl            RPL DIO dbl value
dio-min            RPL DIO min value
route-poisoning    Route poisoning
version-incr-time  Version increment time in minutes

Note: For more information about RPL, refer to "RFC 6550: RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks".

Setting the Minimum Version Increment

To set the minimum time between RPL version increments, use the version-incr-time command:
Router(config-if)# rpl version-incr-time ?
<10-600> Enter a value between 10 and 600
Router (config-if)# rpl version-incr-time 15

For sample configuration, see show wpan config, on page 55.

Setting the DODAG Lifetime Duration

To set the Destination-Oriented Directed Acyclic Graph (DODAG) lifetime duration, use the dag lifetime command. Each node uses the lifetime duration parameter to drive its own operation (such as Destination Advertisement Object (DAO) transmission interval). Also, the CGR uses this lifetime value as the timeout duration for each RPL routing entry.
Router(config-if)# rpl dag-lifetime ?
<60-255> Enter a value between 60 and 255
Router(config-if)# rpl dag-lifetime 120

For sample configuration, see show wpan config, on page 55.

Configuring the DODAG Information Object Parameter

To configure the DODAG Information Object (DIO) parameter per the RPL IETF specification, use the rpl dio-min command.

Caution: This command must only be used by an expert RPL protocol administrator.
Router(config-if)# rpl dio-MIN ?
<14-24> Enter a value between 14 and 24
Router(config-if)# rpl dio-MIN 21

For a sample configuration, see show wpan config, on page 55.

To set the DIO double parameter as per the RPL IETF specification, use the dio-dbl command. DIO double is a doubling factor parameter used by the RPL protocol.

Caution: This command must only be used by an expert RPL protocol administrator.
Router(config-if)# rpl dio-dbl ?
<0-10> Enter a value between 0 and 10
Router(config-if)# rpl dio-dbl 5

For sample configuration, see Sample Router Configuration, on page 62.

Configuring IPv6

To determine the available IPv6 functions, query the ipv6 commands:
Router (config-if)# ipv6 ?

To enable IPv6 on an interface, use:
Router(config-if)# ipv6 enable

Configuring IPv6 DHCP Relay

To configure the IPv6 DHCP relay, use the ipv6 dhcp relay command:
Router (config-if)#ipv6 dhcp relay destination

The IPv6 address of the DHCP server displays as:
interface Wpan3/1
 no ip address
 ip broadcast-address 0.0.0.0
 no ip route-cache
 ieee154 beacon-async min-interval 120 max-interval 900 suppression-coefficient 1
 ieee154 panid 7220
 ieee154 ssid myWPANssid
 rpl dio-dbl 5
 rpl dio-min 21
 rpl route-poisoning
 authentication host-mode multi-auth
 authentication port-control auto
 ipv6 address 2091:1:1:1::/64
 ipv6 enable
 ipv6 dhcp relay destination 2010:A0B0:1001:22::2
 dot1x pae authenticator

See Sample Router Configuration, on page 62.

Configuring Redistribution of RPL in Other Routing Protocols

CGR allows redistribution of the RPL routes including the WPAN prefix as well as the external RPL routes such as MAP-T addresses assigned to DA gateways or prefixes assigned to Application Modules. Before redistributing RPL in OSPFv3, you must configure OSPFv3 on the uplink tunnel interface:
Router (config-if)# router ospfv3 process_id
Router (config-if)# ipv6 ospf process_id area area_id

To redistribute RPL in OSPFv3, use the following route-map and router OSPFv3 commands:
<!--snip--!>
interface Loopback0
 ip address 20.211.0.11 255.255.255.255
 ipv6 address 2001:420:7BF:7E8::B/128
 ipv6 enable
 ipv6 ospf 1 area 1
end
interface Tunnel0
 description IPsec tunnel to SOL-ASR-7
 ip unnumbered Loopback0
 ip pim sparse-mode
 ipv6 unnumbered Loopback0
 ipv6 enable
 ipv6 mld join-group FF38:40:2006:DEAD:BEEF:CAFE:0:1
 ipv6 ospf 1 area 1
 ipv6 ospf mtu-ignore
 tunnel source Dialer1
 tunnel destination dynamic
 tunnel protection ipsec profile FlexVPN_IPsec_Profile
<!--snip--!>
router ospfv3 1
 address-family ipv6 unicast
  redistribute connected route-map WPAN
  router-id 2.0.0.7
 exit-address-family
<!--snip--!>
route-map WPAN permit 10
 match interface Wpan5/1
<!--snip--!>
CGR-JAF1626AQED#show ipv6 ospf neighbor

OSPFv3 Router with ID (2.0.0.7) (Process ID 1)

Neighbor ID     Pri   State      Dead Time   Interface ID   Interface
20.0.0.3        0     FULL/ -    00:00:30    27             Tunnel0
CGR-JAF1626AQED#

Configuring PON RPL

Use the following command to configure PON RPL:
(config-if)#rpl pon ?
dio-dbl   RPL PON DIO dbl value
dio-min   RPL PON DIO min value
instance  Enable RPL PON instance

Configuring the Power Outage Server

You can configure the power outage server with the outage server command. We recommend an IPv6 address or IPv6 resolvable FQDN of a server.

Note: In most cases, the outage server is your IoT FND server.

Router(config-if)# outage-server ?
WORD        IPv6 address resolvable hostname
X:X:X:X::X  IPv6 address (aaaa:bbbb:cccc:dddd:eeee:ffff:gggg:hhhh, aaaa::bbb)

To configure the power outage server, use one of the following outage server commands:
Router (config-if)# outage server 2001:c1::8a43:e1ff:fec3:2aa
Router (config-if)# outage server nms.cisco.com

For sample configuration, see Sample Router Configuration, on page 62.

Configuring QoS

To specify a QoS service policy, use the qos service-policy command. See the Quality of Service Solutions Configuration Guide Library, Cisco IOS Release 15M&T for QoS configuration information.

Configuring Cisco Resilient Mesh Security

RMEs use the IEEE 802.1X protocol, known as Extensible Authentication Protocol over LAN (EAPOL), for authentication.

Configuring Mesh Key

Router (config-if)# mesh-security ?
delete  Delete the session(s)
expire  Force Expire
set     Set parameters

To set the mesh key, use the mesh-security set mesh-key command in privileged mode:
Router# mesh-security set mesh-key interface wpan <slot>/<port> key ?
Hex-string Key - even number (max. 32) of hex digits
Router# mesh-security set mesh-key interface wpan 3/1 key 1234567891234567 <-- Your secret key.

To configure the mesh key lifetime, use the mesh-security mesh-key command in interface configuration mode:

Note: Only call this command if you are an expert mesh-security administrator.

Note: The Mesh-key lifetime value should be less than 120 days (10368000 seconds).

Router(config-if)# mesh-security ?
authentication-timeout     Set authentication timeout
keystore-update-period     Set keystore update period
max-active-authentication  Set number of parallel authentications
max-active-key-exchange    Set number of parallel key exchanges
mesh-key                   Mesh key
Router(config-if)# mesh-security mesh-key lifetime ?
<60-2592000> Key lifetime (in seconds)
or
Router (config-if)# mesh-security mesh-key lifetime 60

Note: Mesh-Security config and keys do not appear in the CGR configuration as shown by show running-config or show startup-config.

Sample Cisco Resilient Mesh Security Configuration

The following example shows what is required for mesh-security:
aaa new-model
aaa group server radius nps-group
 server name nps-radius
aaa authentication enable default none
aaa authentication dot1x default group nps-group
<...snip...>
dot1x system-auth-control
<...snip...>
interface Wpan4/1
 no ip address
 ip broadcast-address 0.0.0.0
 no ip route-cache
 ieee154 beacon-async min-interval 120 max-interval 900 suppression-coefficient 1
 ieee154 panid 7224
 ieee154 ssid migration_far2
 ieee154 txpower -30
 authentication host-mode multi-auth
 authentication port-control auto
 ipv6 address 2092:1:1:1::/64
 ipv6 enable
 ipv6 dhcp relay destination 2010:A0B0:1001:22::2
 dot1x pae authenticator
 mesh-security mesh-key lifetime 259200
end
radius server nps-radius
 address ipv4 <IP address> auth-port 1645 acct-port 1646
 key <RADIUS key>
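A configuration check built from the requirements this guide states (dot1x system-auth-control, an AAA dot1x method list, dot1x pae authenticator, a DHCPv6 relay destination, the CLI value ranges, and the Dual-PHY rules on PAN IDs and route poisoning). It is an added example, not Cisco tooling and not part of the original manual; the function names and both sample configurations are constructed for illustration.

```python
import re

PANID_MAX = 65535                          # "ieee154 panid ?" help text: <0-65535>
LIFETIME_MIN, LIFETIME_MAX = 60, 2592000   # "mesh-key lifetime ?" help text, seconds
REQUIRED_GLOBAL = ("dot1x system-auth-control", "aaa authentication dot1x ")
REQUIRED_WPAN = ("dot1x pae authenticator", "ipv6 dhcp relay destination ")

# Constructed sample, modelled on the guide's Wpan4/1 (master) and Wpan5/1 (slave).
GOOD_CONFIG = """\
aaa new-model
aaa authentication dot1x default group nps-group
dot1x system-auth-control
interface Wpan4/1
 ieee154 panid 7224
 ipv6 dhcp relay destination 2010:A0B0:1001:22::2
 dot1x pae authenticator
 mesh-security mesh-key lifetime 259200
interface Wpan5/1
 ieee154 panid 7215
 slave-mode 4
 ipv6 dhcp relay destination 2010:A0B0:1001:22::2
 dot1x pae authenticator
"""

# Constructed sample containing the mistakes the checks below look for.
WEAK_CONFIG = """\
aaa new-model
interface Wpan4/1
 ieee154 panid 7224
 rpl route-poisoning
 ipv6 dhcp relay destination 2010:A0B0:1001:22::2
 mesh-security mesh-key lifetime 10368000
interface Wpan5/1
 ieee154 panid 7224
 slave-mode 4
 ipv6 dhcp relay destination 2010:A0B0:1001:22::2
 dot1x pae authenticator
"""


def parse(config):
    """Return (global_lines, {slot: [sub-commands]}) for the WPAN interfaces."""
    glob, wpans, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":  # a top-level line closes any interface block
            m = re.fullmatch(r"interface Wpan(\d+)/\d+", line, re.IGNORECASE)
            current = wpans.setdefault(int(m.group(1)), []) if m else None
            if m is None:
                glob.append(line)
        elif current is not None:
            current.append(line.strip())
    return glob, wpans


def arg(lines, prefix):
    """Argument of the first sub-command that starts with prefix, or None."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None


def audit(config):
    """Return findings as strings. Mesh keys are not checked: per the guide they
    never appear in show running-config or show startup-config."""
    glob, wpans = parse(config)
    out = [f"global: {r.strip()} missing" for r in REQUIRED_GLOBAL
           if not any(l.startswith(r) for l in glob)]
    for slot in sorted(wpans):
        lines, tag = wpans[slot], f"Wpan{slot}"
        out += [f"{tag}: {r.strip()} missing" for r in REQUIRED_WPAN
                if not any(l.startswith(r) for l in lines)]
        panid = arg(lines, "ieee154 panid")
        if panid is None or not panid.isdigit() or int(panid) > PANID_MAX:
            out.append(f"{tag}: panid missing or outside 0-{PANID_MAX}")
        life = arg(lines, "mesh-security mesh-key lifetime")
        if life is not None and not (life.isdigit()
                                     and LIFETIME_MIN <= int(life) <= LIFETIME_MAX):
            out.append(f"{tag}: mesh-key lifetime {life} outside "
                       f"{LIFETIME_MIN}-{LIFETIME_MAX} seconds")
        master = arg(lines, "slave-mode")
        mlines = wpans.get(int(master)) if master and master.isdigit() else None
        if master is not None and mlines is None:
            out.append(f"{tag}: slave-mode {master} names a slot with no WPAN interface")
        elif mlines is not None:
            if "rpl route-poisoning" in lines + mlines:
                out.append(f"{tag}: rpl route-poisoning enabled in Dual-PHY pair "
                           f"with Wpan{master}")
            if panid == arg(mlines, "ieee154 panid"):
                out.append(f"{tag}: same PAN ID as master Wpan{master}")
    return out


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(text) or "no findings")
```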
Note: The MTU setting on the AAA server must be set to 800 bytes or lower, because the IEEE 802.1X implementation in RMEs limits the MTU to 800 bytes. RADIUS servers can use auth-port 1812 and acct-port 1813 instead of 1645 and 1646, respectively.

Note: From Release 6.1, the mesh device supports a RADIUS server on TLS 1.2. On TLS 1.2, the supported cipher suites are:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8

Cisco Resilient Mesh Security Troubleshooting

Use the following commands to troubleshoot Cisco Resilient Mesh:
show dot1x all details, on page 38
show mesh-security keys, on page 39
show mesh-security session all, on page 39
show mesh-security interface wpan <slot>/<port>

show dot1x all details

To view the configuration and clients of the Cisco Resilient Mesh 802.1X security configuration, use the show dot1x all details command:

Note: The output for this command shows only new or re-authentications. It will not show nodes that are in the process of warm-starting (and have cached the security credentials).

# show dot1x all details
Sysauthcontrol             Enabled
Dot1x Protocol Version     3

Dot1x Info for Wpan4/1
PAE                        = AUTHENTICATOR
PortControl                = AUTO
ControlDirection           = Both
HostMode                   = MULTI_AUTH
QuietPeriod                = 60
ServerTimeout              = 0
SuppTimeout                = 30
ReAuthMax                  = 2
MaxReq                     = 2
TxPeriod                   = 30

Dot1x Authenticator Client List
EAP Method                 = (13)
Supplicant                 = 0108.003c.2303
Session ID                 = 640000020000001D00288E5C
Auth SM State              = AUTHENTICATED
Auth BEND SM State         = IDLE

EAP Method                 = (13)
Supplicant                 = 0108.003c.2302
Session ID                 = 640000020000001C002854F8
Auth SM State              = AUTHENTICATED
Auth BEND SM State         = IDLE

EAP Method                 = (13)
Supplicant                 = 0108.003c.2304
Session ID                 = 640000020000001B0026A39A
Auth SM State              = AUTHENTICATED
Auth BEND SM State         = IDLE

EAP Method                 = (13)
Supplicant                 = 0108.003c.2300
Session ID                 = 640000020000001A00268108
Auth SM State              = AUTHENTICATED
Auth BEND SM State         = IDLE

EAP Method                 = (13)
Supplicant                 = 0108.003c.2205
Session ID                 = 640000020000001900266D96
Auth SM State              = AUTHENTICATED
Auth BEND SM State         = IDLE

EAP Method                 = (13)
Supplicant                 = 0108.003c.2305
Session ID                 = 64000002000000180026695E
Auth SM State              = AUTHENTICATED
Auth BEND SM State         = IDLE

show mesh-security keys

Note: The output of show mesh-security-keys is the result of the mesh-security set-key configuration.
# show mesh-security keys
Mesh Interface: Wpan3/1
 Master Key Lifetime  : 120 Days 0 Hours 0 Minutes 0 Seconds
 Temporal Key Lifetime: 60 Days 0 Hours 0 Minutes 0 Seconds
 Mesh Key Lifetime    : 30 Days 0 Hours 0 Minutes 0 Seconds
Mesh Interface: Wpan4/1
 Master Key Lifetime  : 120 Days 0 Hours 0 Minutes 0 Seconds
 Temporal Key Lifetime: 60 Days 0 Hours 0 Minutes 0 Seconds
 Mesh Key Lifetime    : 30 Days 0 Hours 0 Minutes 0 Seconds
 Key ID               : 0 *
 Key expiry           : Sat Jun 7 16:29:09 2014
 Time remaining       : 20 Days 0 Hours 53 Minutes 45 Seconds
 Key ID               : 1
 Key expiry           : Mon Jul 7 16:29:09 2014
 Time remaining       : 50 Days 0 Hours 53 Minutes 45 Seconds
Mesh Interface: Wpan5/1
 Master Key Lifetime  : 120 Days 0 Hours 0 Minutes 0 Seconds
 Temporal Key Lifetime: 60 Days 0 Hours 0 Minutes 0 Seconds
 Mesh Key Lifetime    : 30 Days 0 Hours 0 Minutes 0 Seconds
 Key ID               : 0 *
 Key expiry           : Thu Jun 12 12:59:25 2014
 Time remaining       : 24 Days 21 Hours 24 Minutes 1 Seconds
Mesh Interface: Wpan6/1
 Master Key Lifetime  : 120 Days 0 Hours 0 Minutes 0 Seconds
 Temporal Key Lifetime: 60 Days 0 Hours 0 Minutes 0 Seconds
 Mesh Key Lifetime    : 30 Days 0 Hours 0 Minutes 0 Seconds
Router#

show mesh-security session all

To view the Cisco Resilient Mesh security session details, use the show mesh-security session all command:

Note: The output for this command shows only new or re-authentications. It will not show nodes that are in the process of warm-starting (and have cached the security credentials).

Router# show mesh-security session all
MAC Address               State                Mesh Keys
00:07:81:08:00:3C:25:03   Encryption Enabled   11..
00:17:3B:0B:00:21:00:2F   Encryption Enabled   1..
00:07:81:08:00:3C:22:02   Encryption Enabled   11..
00:07:81:08:00:3C:25:02   Encryption Enabled   11..
00:07:81:08:00:3C:22:0A   Encryption Enabled   11..
00:07:81:08:00:3C:22:06   Encryption Enabled   11..
00:07:81:08:00:3C:24:05   Encryption Enabled   ...
00:07:81:08:00:3C:24:08   Encryption Enabled   ...
00:07:81:08:00:3C:23:01   Encryption Enabled   11..

Configuring IPv6 Multicast Agent

You must configure an IPv6 multicast agent to enable multicasting traffic between IoT FND, or the Advanced-Metering Infrastructure
(AMI) application server in a Network Operations Center (NOC), and the Cisco Resilient Mesh network. IPv6-multicasting requires proper configuration on the head-end router (Cisco ASR 1000) as well as on IoT FND and the AMI head-end server.

The following figure shows an IPv6 FAN with a multicast configuration.

Figure 10: Multicast in IPv6 Field-Area Network

The IPv6 multicast configuration has the following characteristics:

- IPv6 Multicast is used between the IoT FND or CE and the Cisco Resilient Mesh endpoints when performing:
  - Software upgrade of the endpoints
  - Demand reset messages
  - Demand response messages (there could be more than one group for this per meter)
  - Targeted pings (group of meters on a given feeder, for example)
  - Group of meters with the same read time/cycle
- Each PAN is a multicast group with the unicast-prefix-based multicast address (RFC 3306)
- The head-end router routes (PIMv6 SSM) all multicast traffic to the unicast-prefix-based multicast address to the CGR (MLDv2)
- CGR multicast agent receives the multicast

The following guide shows an overview of the Multicast operation in an IPv6 FAN:

Figure 11: Multicast Operation

For sample configuration, see Sample Router Configuration, on page 62. For more on dot1x, see show dot1x all details, on page 38.

Forwarding Multicast Traffic

There are two ways to forward multicast traffic to a CGR running Cisco IOS from the head-end:

- Configure the CGR as multicast client where the tunnel is configured with ipv6 mld join-group.
- Enable IPv6 multicast routing on the CGR and configure it as a PIM6 router. This is the preferred method.

Method 1: Configuring MLD on the IPv6 Tunnel Interface

For this method, configure the CGR tunnel interface with MLD as follows:
Router (config)# interface Tunnel100
Router (config-if)# ipv6 mld join-group ff38:40:2001:0db8:beef:cafe:0:1

Method 2: Configuring CGR as PIM6 Router

The preferred method of forwarding multicast traffic to the CGR is to enable ipv6 multicast routing on the CGR and configure it as a PIM6 router. Because the unicast-prefix-based multicast address is still needed for WPAN, you must configure it under loopback0 on the CGR, and configure the CGR to become a PIM-neighbor with the ASR head-end. To configure this method, perform the following steps on the CGR:

Procedure

Step 1 Enable IPv6 multicast-routing:
Example:
Router (config)# ipv6 multicast-routing

Step 2 Configure MLD under the loopback0:
Example:
Router (config-if)# interface loopback 0
Router (config-if)# ipv6 mld join-group ff38:40:2001:0db8:beef:cafe:0:1

Step 3 Configure the IPv6 PIM Rendezvous Point (RP):
Example:
Router (config)# ipv6 pim rp-address 2333::1

Configuring Dual-PHY WPAN

This section describes how to configure the Dual-PHY WPAN feature.

Configuring the Dual-PHY Master-Slave Relationship

Follow this procedure to configure master and slave WPANs on a CGR.

Before you begin

- Do not configure mesh-security keys on the slave WPAN. You must configure mesh-security keys on the master WPAN after the slave WPAN is functionally up.
- Leave the rpl route poisoning configuration of the slave WPAN unchanged.
- If you want a Cisco Resilient Mesh node to dynamically switch a connection or PAN between different WPAN interfaces (for example, a DUAL-PHY node dynamically switching between RF and PLC), the master and slave WPAN must have same SSID. This is an optional configuration. This requirement is so the mesh-side node can see two PHYs as being from the same network (SSID) and can dynamically select either interface. The SSIDs can be different on the WPAN and CGR side.

Note: Configure master-slave WPANs in the following order; otherwise, the master-slave configuration may not work properly.

Procedure

Step 1 Expire all the mesh-security keys on master and slave WPAN slots.
Step 2 Configure both WPANs, slave and master, as if they are two independent WPANs.
Step 3 Ensure that you do not enable rpl route-poisoning on any WPANs.
Step 4 Determine master and slave nodes, and then configure the following on the slave-slot:
Example:
(config)# interface wpan <slave-slot>/1
(config-if)# slave-mode <master-slot>
Step 5 If network mesh security mode is enabled, configure the mesh-security key(s) on the master slot. The same mesh-key on the slave WPAN module are enabled internally. On the CGR side, the mesh-security key is associated only with the master slot. Step 6 Reload only the slave module. To retain the Dual-PHY master-slave relationship, a CGR requires a sequential reload of first slave and then master WPANs in the following cases, even when the configuration remains unchanged:
What to do next After reload of master slot WPAN After reload of slave slot WPAN After reload of the CGR After an image upgrade of the CGR and subsequent mandatory reload Master-Slave WPAN Configuration Example Dual-PHY can have master and slave for PLC and RF WPAN modules. The IPv6 prefix of the master is used for IPv6 addressing of the nodes. Router# show running-config interface wpan 4/1 Building configuration... Current configuration : 471 bytes 43 REVIEWDRAFT-CISCOCONFIDENTIAL
interface Wpan4/1 no ip address ip broadcast-address 0.0.0.0 no ip route-cache ieee154 beacon-async min-interval 120 max-interval 900 suppression-coefficient 1 ieee154 panid 7224 ieee154 ssid migration_far2 ieee154 txpower -30 authentication host-mode multi-auth authentication port-control auto ipv6 address 2092:1:1:1::/64 ipv6 enable ipv6 dhcp relay destination 2010:A0B0:1001:22::2 dot1x pae authenticator mesh-security mesh-key lifetime 259200 end Router# show running-config interface wpan 5/1 Building configuration... Current configuration : 481 bytes
interface Wpan5/1 no ip address ip broadcast-address 0.0.0.0 no ip route-cache ieee154 beacon-async min-interval 120 max-interval 900 suppression-coefficient 1 ieee154 panid 7215 ieee154 ssid plc123 slave-mode 4 rpl dag-lifetime 240 rpl dio-min 21 rpl version-incr-time 240 authentication host-mode multi-auth authentication port-control auto ipv6 address 2091:1:1:1::/64 ipv6 enable ipv6 dhcp relay destination 2010:A0B0:1001:22::2 dot1x pae authenticator end Router#
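The rules in the procedure above (route poisoning off on every WPAN, slave-mode naming a real master slot, matching SSIDs only if dynamic PHY switching is wanted) can be checked against a saved running-config before the slave module is reloaded. The following Python is an added example, not Cisco code; the function names are hypothetical and the sample input is a trimmed, constructed copy of the two stanzas shown above.

```python
import re

# Constructed sample: trimmed copies of the Wpan4/1 and Wpan5/1 stanzas above.
SAMPLE_RUNNING_CONFIG = """\
interface Wpan4/1
 ieee154 panid 7224
 ieee154 ssid migration_far2
 ipv6 address 2092:1:1:1::/64
 dot1x pae authenticator
 mesh-security mesh-key lifetime 259200
!
interface Wpan5/1
 ieee154 panid 7215
 ieee154 ssid plc123
 slave-mode 4
 rpl dag-lifetime 240
 ipv6 address 2091:1:1:1::/64
 dot1x pae authenticator
"""

IFACE_RE = re.compile(r"^interface\s+Wpan(\d+)/1\s*$", re.IGNORECASE)


def parse_wpan_stanzas(config_text):
    """Map WPAN slot number -> list of stripped sub-commands in its stanza."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        header = IFACE_RE.match(raw.strip())
        if header:
            current = stanzas.setdefault(int(header.group(1)), [])
        elif raw[:1].isspace() and raw.strip() and current is not None:
            current.append(raw.strip())      # indented line: belongs to the stanza
        else:
            current = None                   # '!', 'end' or any other top-level line
    return stanzas


def first_value(lines, prefix):
    """Return the text after `prefix` on the first matching line, else None."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:].strip()
    return None


def audit_dual_phy(config_text):
    """Return (severity, message) findings for the Dual-PHY rules on this page."""
    stanzas = parse_wpan_stanzas(config_text)
    findings, slaves = [], {}
    for slot, lines in sorted(stanzas.items()):
        # Step 3: rpl route-poisoning must not be enabled on any WPAN.
        # A "no rpl route-poisoning" line starts with "no" and is not matched.
        if any(line.startswith("rpl route-poisoning") for line in lines):
            findings.append(("error", f"Wpan{slot}/1: rpl route-poisoning is enabled"))
        master = first_value(lines, "slave-mode")
        if master is not None and master.isdigit():
            slaves[slot] = int(master)
    for slot, master in sorted(slaves.items()):
        # Step 4: slave-mode must point at the slot of the other WPAN module.
        if master == slot or master not in stanzas:
            findings.append(("error", f"Wpan{slot}/1: slave-mode {master} does not "
                                      "name another configured WPAN slot"))
            continue
        # Optional per the page: same SSID is needed only for dynamic PHY switching.
        if first_value(stanzas[slot], "ieee154 ssid") != first_value(stanzas[master], "ieee154 ssid"):
            findings.append(("info", f"Wpan{slot}/1 and Wpan{master}/1 use different SSIDs; "
                                     "nodes cannot switch between the two PHYs dynamically"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_dual_phy(SAMPLE_RUNNING_CONFIG):
        print(f"{severity}: {message}")
```

Run against the example configuration, the audit reports only the informational SSID difference between `migration_far2` and `plc123`.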
show commands for Master-Slave WPANs

You can use the following show wpan commands to trace nodes in a Dual-PHY master-slave configuration:

show wpan <master slot>/1 rpl itable: Shows information for the actual slot from which RPL DAOs originated.
show wpan <master slot>/1 rpl stable: Shows slave slot information for the actual slot from which RPL DAOs originated.
show wpan <master slot>/1 rpl stree: Shows the link type (or slave slot information) for each node in the RPL tree.
show wpan <master slot>/1 eap-table: Shows slave slot information for the actual slot from which IEEE802.1x traffic originated.

All configurations and show commands related to the physical layer or the WPAN module hardware remain as is; show wpan <slot>/1 hardware * remains the same, per the actual physical slot.

Router# show wpan 4/1 link-neighbors table
------------------------- WPAN LINK NEIGHBOR TABLE [4] -------------------------
LAST_HEARD EUI64 00078108003C2200 14:08:02 FIRST_HEARD 12:02:18 RSSIR
-78 RSSIF
-70 LQIR 9 LQIF 58 00078108003C2201 00078108003C2202 00078108003C2203 00078108003C2204 00078108003C2205 00078108003C2206 00078108003C2207 00078108003C2209 00078108003C220A Number of Entries in WPAN LINK NEIGHBOR TABLE: 10 Router# show wpan 5/1 link-neighbors table
-------------------------------------------------------------------------------- WPAN LINK NEIGHBOR TABLE [5]
13:05:15 11:51:40 11:51:55 12:02:34 12:02:12 12:02:08 13:04:39 11:58:20 12:13:40 13:53:48 14:06:09 14:07:28 14:01:45 14:06:04 14:08:12 14:03:56 14:02:20 14:07:48 n/a
-72
-73
-71
-74
-73
-72
-73
-74
-75
-74
-76
-75
-77
-74
-70
-77
-75 n/a 35 9 35 18 19 15 45 5 18 64 17 23 16 26 75 36 27
EUI64 RSSIF RSSIR LQIF LQIR MODF MODR TXGAINF TXGAINR TXRESF TXRESR TMF TMR TXCOEFFF TXCOEFFR DPHASE APHASE LOCKF LOCKR LAST_HEARD 000781FE0000012C 000781FE0000012D 0000FFFFFFFF 0000FFFFFFFF 000781FE0000012E 114 114 114 114 114 114 95 0000FFFFFFFF 96 0000FFFFFFFF 114 114 114 114 104 120 101 95 96 104 120 101 3 3 3 3 3 D8PSK D8PSK D8PSK D8PSK D8PSK D8PSK 0 D8PSK 0 D8PSK 0 D8PSK 0 D8PSK 0 0 0 0 0 0 5 5 5 5 5 1 1 1 1 1 1 1 1 1 1 14:05:00 13:55:54 14:08:39 14:07:15 13:59:39 6 6 6 6 6 0000FFFFFFFF 0000FFFFFFFF 000781FE0000012F 000781FE00000130 0000FFFFFFFF 0000FFFFFFFF 0000FFFFFFFF 0000FFFFFFFF 3F 3F 3F 3F 3F NEXTHOP_IP 2092:1:1:1:AAAA:8108:3C:2203 2092:1:1:1:AAAA:8108:3C:2204 2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
2092:1:1:1:AAAA:8108:3C:2206 2092:1:1:1:AAAA:8108:3C:2206 Number of Entries in WPAN LINK NEIGHBOR TABLE: 5 Router#
Router#
Router# show wpan 4/1 rpl table
-------------------------------- WPAN RPL ROUTE TABLE [4] --------------------------------
LAST_HEARD NODE_IPADDR 2092:1:1:1:AAAA:8108:3C:2200 13:47:54 13:45:25 2092:1:1:1:AAAA:8108:3C:2201 13:48:53 2092:1:1:1:AAAA:8108:3C:2202 13:49:42 2092:1:1:1:AAAA:8108:3C:2203 13:44:41 2092:1:1:1:AAAA:8108:3C:2204 2092:1:1:1:AAAA:8108:3C:2205 13:58:26 13:58:15 2092:1:1:1:AAAA:8108:3C:2206 14:01:42 2092:1:1:1:AAAA:8108:3C:2209 13:57:39 2092:1:1:1:AAAA:8108:3C:220A 14:05:12 2092:1:1:1:AAAA:8108:3C:2300 2092:1:1:1:AAAA:8108:3C:2301 13:37:31
<!---snip--!>
2092:1:1:1:AAAA:8108:3C:240A 2092:1:1:1:AAAA:8108:3C:240B 2092:1:1:1:AAAA:81FE:0:12C 2092:1:1:1:AAAA:81FE:0:12D 2092:1:1:1:AAAA:81FE:0:12E 2092:1:1:1:AAAA:81FE:0:12F 2092:1:1:1:AAAA:81FE:0:130 Number of Entries in WPAN RPL ROUTE TABLE: 36 Router#
Router#
Router# show wpan 4/1 rpl itable
----------------------------- WPAN RPL IPROUTE INFO TABLE [4] -----------------------------
NODE_IPADDR 2092:1:1:1:AAAA:8108:3C:2303 2092:1:1:1:AAAA:8108:3C:2301 2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
14:03:54 13:35:32 13:51:17 13:55:54 14:01:06 13:53:45 13:59:39 VERSION NEXTHOP_IP RANK RSSIR RSSIF HOPS 2092:1:1:1:AAAA:8108:3C:2200 PARENTS SSLOT 523 2092:1:1:1:AAAA:8108:3C:2203 2092:1:1:1:AAAA:8108:3C:2201 2092:1:1:1:AAAA:8108:3C:2203
-50
-47
-77
-512
-562
-771 2092:1:1:1:AAAA:8108:3C:2202 2092:1:1:1:AAAA:8108:3C:2203 3 3 3 4 4 4 4 3 4 4 527 333 269 2092:1:1:1::
2092:1:1:1::
6 6 6 6 6 1F 3F 3F 3F 1F ETX_P ETX_L 263 265 0 0 256 256 333 265 2092:1:1:1:AAAA:8108:3C:2300 2092:1:1:1:AAAA:8108:3C:2206 2092:1:1:1:AAAA:8108:3C:2301 2092:1:1:1:AAAA:8108:3C:2206 2092:1:1:1:AAAA:8108:3C:2204 2092:1:1:1:AAAA:8108:3C:2205 2092:1:1:1:AAAA:8108:3C:2206 2092:1:1:1:AAAA:8108:3C:2209 2092:1:1:1:AAAA:8108:3C:220A
-70
-70
-72
-74
-71
-73
-72
-76 116 116 116 116 116
-721
-731
-721
-751
-761
-751
-692
-782 1161 1161 1161 1161 1161
<!---truncated--!>
2092:1:1:1:AAAA:81FE:0:12C 2092:1:1:1:AAAA:81FE:0:12D 2092:1:1:1:AAAA:81FE:0:12E 2092:1:1:1:AAAA:81FE:0:12F 2092:1:1:1:AAAA:81FE:0:130 1 2 3 1 3 3 3 3 1 2 3 3 3 4 4 4 4 4 4 4 4 5 5 5 5 5 290 292 256 366 345 512 512 302 309 331 348 342 4 4 4 4 4 4 4 4 4 4 4 4 2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
2092:1:1:1::
258 258 0 0 0 0 0 0 0 0 0 0 285 287 256 352 345 256 256 291 302 321 336 321 Number of Entries in WPAN RPL IPROUTE INFO TABLE: 36 Router#
Router# show wpan 4/1 rpl stable
------------------------------ WPAN RPL ROUTE SLOT TABLE [4] ------------------------------
NODE_IPADDR                    NEXTHOP_IP                     SSLOT  LAST_HEARD
2092:1:1:1:AAAA:8108:3C:2200   2092:1:1:1:AAAA:8108:3C:2203   4      15:12:29
2092:1:1:1:AAAA:8108:3C:2201   2092:1:1:1:AAAA:8108:3C:2203   4      14:43:10
2092:1:1:1:AAAA:8108:3C:2202   2092:1:1:1::                   4      15:16:55
2092:1:1:1:AAAA:8108:3C:2203   2092:1:1:1::                   4      15:13:21
2092:1:1:1:AAAA:8108:3C:2204   2092:1:1:1::                   4      14:48:37
2092:1:1:1:AAAA:8108:3C:2205   2092:1:1:1::                   4      15:05:00
2092:1:1:1:AAAA:8108:3C:2206   2092:1:1:1::                   4      15:01:05
2092:1:1:1:AAAA:8108:3C:2209   2092:1:1:1::                   4      15:06:11
2092:1:1:1:AAAA:8108:3C:220A   2092:1:1:1::                   4      14:58:23
2092:1:1:1:AAAA:8108:3C:2300   2092:1:1:1:AAAA:8108:3C:2206   4      15:05:55
2092:1:1:1:AAAA:8108:3C:2301   2092:1:1:1:AAAA:8108:3C:2206   4      15:04:19
2092:1:1:1:AAAA:8108:3C:2302   2092:1:1:1:AAAA:8108:3C:2206   4      14:56:48
<!---snip--!>
2092:1:1:1:AAAA:81FE:0:12C     2092:1:1:1::                   5      14:53:32
2092:1:1:1:AAAA:81FE:0:12D     2092:1:1:1::                   5      14:50:57
2092:1:1:1:AAAA:81FE:0:12E     2092:1:1:1::                   5      15:06:24
2092:1:1:1:AAAA:81FE:0:12F     2092:1:1:1::                   5      15:15:45
2092:1:1:1:AAAA:81FE:0:130     2092:1:1:1::                   5      15:03:24
Number of Entries in WPAN RPL ROUTE SLOT TABLE: 36 (external 0) (RF 31) (PLC 5)
Router# show wpan 4/1 rpl stree
----------------------------- WPAN RPL SLOT TREE [4] -----------------------------
[2092:1:1:1::]
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2202
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2203
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2200
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2201
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2204
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2205
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2206
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2300
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2301
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2406
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2408
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2302
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2303
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2407
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:240A
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2304
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2400
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2403
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2404
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2305
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2307
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2402
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2405
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2308
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2309
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:240B
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:230A
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:230B
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2409
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:2209
\--(RF )-- 2092:1:1:1:AAAA:8108:3C:220A
\--(PLC)-- 2092:1:1:1:AAAA:81FE:0:12C
\--(PLC)-- 2092:1:1:1:AAAA:81FE:0:12D
\--(PLC)-- 2092:1:1:1:AAAA:81FE:0:12E
\--(PLC)-- 2092:1:1:1:AAAA:81FE:0:12F
\--(PLC)-- 2092:1:1:1:AAAA:81FE:0:130
RPL SLOT TREE: Num.DataEntries 36, Num.GraphNodes 37 (external 0) (RF 31) (PLC 5)

Removing the Dual-PHY Master-Slave WPAN Configuration

This section describes how to remove the Dual-PHY master-slave relationship on a WPAN.

Before you begin

Use show wpan 5/1 config to verify that the slave module is currently configured as slave.

If the slave WPAN does not already have an IPv6 prefix assigned, assign a new IPv6 prefix while still in slave mode; for example, ipv6 address 2091:1:1:1::/64.

Use show mesh-security keys to verify that the slave module has no mesh-security keys configured. (See detailed CLI output below.)

To remove an existing master-slave relationship between two WPANs, follow this procedure in exactly the sequence shown. The example in this procedure uses WPAN 4/1 as master and WPAN 5/1 as slave.

Procedure

Step 1 From the interface config mode of the slave WPAN, enter no slave-mode <master-slot-number>:

Example:
Router# config t
Router(config)# interface wpan 5/1
Router(config-if)# no slave-mode 4
Router(config-if)# end

Step 2 Reload the slave module by powering off and then powering on:

Router# config t
Router(config)# hw poweroff 5

Wait for WPAN power down messages, and then wait another 60-90 seconds. Then, power up the module:

Router(config)# no hw poweroff 5

Wait for WPAN power on messages, and then wait another 60-90 seconds before proceeding.

Step 3 Add mesh-security keys for the slaves. (The slave module should not have its own mesh-security keys when in the master-slave relationship.)

Router# mesh-security set mesh-key interface wpan 5/1 key 5551
Key ID : 0
Key expiry : Sat Jun 21 12:55:43 2014
Router# mesh-security set mesh-key interface wpan 5/1 key 5552
Key ID : 1
Key expiry : Mon Jul 21 12:55:43 2014

You can add up to four mesh-keys for the WPAN slot.

Step 4 Check the status of the WPAN previously configured as slave using the following commands:

Example:
Router# show run interface wpan 5/1
Router# show wpan 5/1 hardware config
Router# show wpan 5/1 link-neighbor table
Router# show wpan 5/1 rpl table
Router# show wpan 5/1 rpl stable

See Removing Master-Slave Relationship Configuration Example for sample command output.

Removing Master-Slave Relationship Configuration Example

This section shows example output from the commands to remove the master-slave relationship between two CGR WPAN modules. In this example, the master WPAN module is in slot 4, and the slave WPAN module is in slot 5.

Checking Existing Configuration of the Master and Slave Modules

Router# show run interface wpan 4/1
!<<<<<---- #Initially configured as master WPAN
Building configuration...
Current configuration : 471 bytes
interface Wpan4/1
 no ip address
 ip broadcast-address 0.0.0.0
 no ip route-cache
 ieee154 beacon-async min-interval 120 max-interval 900 suppression-coefficient 1
 ieee154 panid 7224
 ieee154 ssid migration_far2
 ieee154 txpower -30
 authentication host-mode multi-auth
 authentication port-control auto
 ipv6 address 2092:1:1:1::/64
 ipv6 enable
 ipv6 dhcp relay destination 2010:A0B0:1001:22::2
 dot1x pae authenticator
 mesh-security mesh-key lifetime 259200
end
Router# show run interface wpan 5/1
!<<<<<---- #Initially configured as slave
Building configuration...
Current configuration : 481 bytes
interface Wpan5/1
 no ip address
 ip broadcast-address 0.0.0.0
 no ip route-cache
 ieee154 beacon-async min-interval 120 max-interval 900 suppression-coefficient 1
 ieee154 panid 7215
 ieee154 ssid plc123
 slave-mode 4
 !<<<<---- #WPAN 5/1 has a master WPAN in slot 4
 rpl dag-lifetime 240
 rpl dio-min 21
 rpl version-incr-time 240
 authentication host-mode multi-auth
 authentication port-control auto
 ipv6 address 2091:1:1:1::/64
 ipv6 enable
 ipv6 dhcp relay destination 2010:A0B0:1001:22::2
 dot1x pae authenticator
end

Check configuration of the slave module where slave mode displays the master-slot number as shown below:

Router# show wpan 5/1 config
module type: PLC-WPAN (IEEE P1901.2 PLC)
ssid: plc123
panid: 7215
transmit power: 32
ref-phase: 1 unlocked (not used)
tonemap: 1 (ceneleca)
phy_params: 000000000FFFFFFFFF
beacon async: min-interval 120 max-interval 900 suppression-coefficient 1
security mode: 1
test mode: 0 (test firmware only)
admin_status: up
rpl prefix: 2091:1:1:1::/64
rpl route-poisoning: off
rpl dodag-lifetime: 240
rpl dio-dbl: 0
rpl dio-min: 21
rpl version-incr-time: 240
detach bridge: no
bootloader mode: no
mcast-agent: FF38:40:2091:1:1:1:0:1 61624 1153
firmware version: 5.5.48
slave mode: 4 (slot 5 is attached to master slot 4)

Removing Slave Mode from Slave WPAN Configuration

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface wpan 5/1
Router(config-if)# no slave-mode 4
!<<<<<---- #Ends slave mode to master-slot 4
Router(config-if)# end
Router#

Reloading the Slave WPAN

Router(config)# hw poweroff 5
Router(config)#
*May 22 12:42:15.511 PST: %CGR1K_SYS-5-MODULE_POWER_DOWN: Module in slot 5 is powered down.
Router(config)#
*May 22 12:42:17.539 PST: %LINK-3-UPDOWN: Interface Wpan5/1, changed state to down
*May 22 12:42:18.539 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Wpan5/1, changed state to down
Router(config)#
Router(config)# no hw poweroff 5
*May 22 12:43:38.763 PST: %CGR1K_SYS-5-MODULE_POWER_UP: Module in slot 5 is powered up.
Router(config)#
*May 22 12:43:56.591 PST: %LINK-3-UPDOWN: Interface Wpan5/1, changed state to up
*May 22 12:43:57.591 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Wpan5/1, changed state to up
Router(config)# end

Adding Mesh-Security keys for WPAN 5/1

Router# mesh-security set mesh-key interface wpan 5/1 key 5551
Key ID : 0
Key expiry : Sat Jun 21 12:55:43 2014
Router# mesh-security set mesh-key interface wpan 5/1 key 5552
Key ID : 1
Key expiry : Mon Jul 21 12:55:43 2014

Note: There can be up to four mesh-security keys configured for a WPAN slot.

Verifying that the WPAN is no Longer Configured as Slave

Router# show run interface wpan 5/1
Building configuration...
Current configuration : 467 bytes
interface Wpan5/1
 no ip address
 ip broadcast-address 0.0.0.0
 no ip route-cache
 ieee154 beacon-async min-interval 120 max-interval 900 suppression-coefficient 1
 ieee154 panid 7215
 ieee154 ssid plc123
 rpl dag-lifetime 240
 rpl dio-min 21
 rpl version-incr-time 240
 authentication host-mode multi-auth
 authentication port-control auto
 ipv6 address 2091:1:1:1::/64
 ipv6 enable
 ipv6 dhcp relay destination 2010:A0B0:1001:22::2
 dot1x pae authenticator
end
Router#
Router# show wpan 5/1 config
module type: PLC-WPAN (IEEE P1901.2 PLC)
ssid: plc123
panid: 7215
transmit power: 32
ref-phase: 1 unlocked (not used)
tonemap: 1 (ceneleca)
phy_params: 000000000FFFFFFFFF
beacon async: min-interval 120 max-interval 900 suppression-coefficient 1
security mode: 1
test mode: 0 (test firmware only)
admin_status: up
rpl prefix: 2091:1:1:1::/64
rpl route-poisoning: off
rpl dodag-lifetime: 240
rpl dio-dbl: 0
rpl dio-min: 21
rpl version-incr-time: 240
detach bridge: no
bootloader mode: no
mcast-agent: FF38:40:2091:1:1:1:0:1 61624 1153
firmware version: 5.5.48
slave mode: no
Router#
Router# show mesh-security keys
Mesh Interface: Wpan4/1
 Master Key Lifetime : 12 Days 0 Hours 0 Minutes 0 Seconds
 Temporal Key Lifetime: 6 Days 0 Hours 0 Minutes 0 Seconds
 Mesh Key Lifetime : 3 Days 0 Hours 0 Minutes 0 Seconds
 Key ID : 0 *
 Key expiry : Sat May 24 11:51:35 2014
 Time remaining : 1 Days 22 Hours 55 Minutes 39 Seconds
 Key ID : 1
 Key expiry : Tue May 27 11:51:35 2014
 Time remaining : 4 Days 22 Hours 55 Minutes 39 Seconds
 Key ID : 2
 Key expiry : Fri May 30 11:51:35 2014
 Time remaining : 7 Days 22 Hours 55 Minutes 39 Seconds
 Key ID : 3
 Key expiry : Mon Jun 2 11:51:35 2014
 Time remaining : 10 Days 22 Hours 55 Minutes 39 Seconds
Mesh Interface: Wpan5/1
 Master Key Lifetime : 120 Days 0 Hours 0 Minutes 0 Seconds
 Temporal Key Lifetime: 60 Days 0 Hours 0 Minutes 0 Seconds
 Mesh Key Lifetime : 30 Days 0 Hours 0 Minutes 0 Seconds
 Key ID : 0 *
 Key expiry : Sat Jun 21 12:55:43 2014
 Time remaining : 29 Days 23 Hours 59 Minutes 47 Seconds
 Key ID : 1
 Key expiry : Mon Jul 21 12:55:43 2014
 Time remaining : 59 Days 23 Hours 59 Minutes 47 Seconds
Router#

Verifying that WPAN 5/1 Forms Own RPL Table

Router# show wpan 5/1 rpl table
-------------------------------- WPAN RPL ROUTE TABLE [5] --------------------------------
NODE_IPADDR                  NEXTHOP_IP     LAST_HEARD
2091:1:1:1:AAAA:81FE:0:12C   2091:1:1:1::   13:42:17
2091:1:1:1:AAAA:81FE:0:12D   2091:1:1:1::   13:40:47
2091:1:1:1:AAAA:81FE:0:12F   2091:1:1:1::   13:41:59
Number of Entries in WPAN RPL ROUTE TABLE: 3

Notice that the RMEs above show IPv6 addresses based on the WPAN 5/1 prefix.

Router# show wpan 5/1 rpl stable
------------------------------ WPAN RPL ROUTE SLOT TABLE [5] ------------------------------
NODE_IPADDR                  NEXTHOP_IP     SSLOT  LAST_HEARD
2091:1:1:1:AAAA:81FE:0:12C   2091:1:1:1::   5      13:42:17
2091:1:1:1:AAAA:81FE:0:12D   2091:1:1:1::   5      13:40:47
2091:1:1:1:AAAA:81FE:0:12F   2091:1:1:1::   5      13:41:59
Number of Entries in WPAN RPL ROUTE SLOT TABLE: 3 (external 0) (RF 0) (PLC 3)

Notice that the RMEs above show slot 5 for the WPAN 5/1.

Verifying the IPv6 Path to WPAN 5/1 Nodes

Router# ping 2091:1:1:1:AAAA:81FE:0:12C
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2091:1:1:1:AAAA:81FE:0:12C, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 256/268/276 ms
Router#
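The removal procedure asks you to confirm with show mesh-security keys that a slave module has no keys of its own, and the same output shows how close each interface is to running out of valid keys. The following Python is an added example, not Cisco code: it parses that output and flags both conditions. The function names and finding codes are hypothetical, the sample is constructed from the values in the output above, and treating the "*" marker as the key currently in use is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, using the key IDs and expiry times shown in the example above.
SAMPLE_KEYS_OUTPUT = """\
Mesh Interface: Wpan4/1
 Mesh Key Lifetime : 3 Days 0 Hours 0 Minutes 0 Seconds
 Key ID : 0 *
 Key expiry : Sat May 24 11:51:35 2014
 Key ID : 1
 Key expiry : Tue May 27 11:51:35 2014
 Key ID : 2
 Key expiry : Fri May 30 11:51:35 2014
 Key ID : 3
 Key expiry : Mon Jun 2 11:51:35 2014
Mesh Interface: Wpan5/1
 Mesh Key Lifetime : 30 Days 0 Hours 0 Minutes 0 Seconds
 Key ID : 0 *
 Key expiry : Sat Jun 21 12:55:43 2014
 Key ID : 1
 Key expiry : Mon Jul 21 12:55:43 2014
"""

IFACE_RE = re.compile(r"^Mesh Interface:\s*(\S+)")
KEY_ID_RE = re.compile(r"^Key ID\s*:\s*(\d+)\s*(\*?)")
EXPIRY_RE = re.compile(r"^Key expiry\s*:\s*\w{3}\s+(.+)$")   # weekday is skipped


def parse_mesh_keys(output):
    """Return {interface: [{'id', 'active', 'expiry'}, ...]} from the CLI text."""
    keys, iface, pending = {}, None, None
    for raw in output.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            iface, pending = m.group(1), None
            keys[iface] = []
            continue
        m = KEY_ID_RE.match(line)
        if m and iface:
            # Assumption: "*" marks the key currently in use.
            pending = {"id": int(m.group(1)), "active": m.group(2) == "*", "expiry": None}
            keys[iface].append(pending)
            continue
        m = EXPIRY_RE.match(line)
        if m and pending is not None:
            stamp = " ".join(m.group(1).split())          # e.g. "Jun 2 11:51:35 2014"
            pending["expiry"] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    return keys


def audit_mesh_keys(output, now, slave_interfaces=(), min_remaining=timedelta(days=1)):
    """Return (interface, code) findings; `now` is the router clock at capture time."""
    findings = []
    for iface, keys in parse_mesh_keys(output).items():
        if iface in slave_interfaces:
            # Per the page: a slave must not carry its own mesh-security keys.
            if keys:
                findings.append((iface, "slave-has-keys"))
            continue
        dated = [k for k in keys if k["expiry"] is not None]
        if not dated:
            findings.append((iface, "no-keys"))
            continue
        if not any(k["active"] for k in keys):
            findings.append((iface, "no-active-key"))
        if any(k["expiry"] <= now for k in dated):
            findings.append((iface, "expired-key"))
        if max(k["expiry"] for k in dated) - now < min_remaining:
            findings.append((iface, "last-key-expiring"))
    return findings


if __name__ == "__main__":
    capture_time = datetime(2014, 5, 22, 12, 55, 56)      # constructed capture time
    print(audit_mesh_keys(SAMPLE_KEYS_OUTPUT, capture_time, slave_interfaces=("Wpan5/1",)))
```

Pass the slave interface name in `slave_interfaces` for the pre-removal check, and omit it once the module runs as an independent WPAN.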
The Cisco Resilient Mesh uses EST over CoAP/DTLS/UDP for certificate enrollment. During the initial bootstrapping process, nodes that have already joined the network (enrolled and authenticated) act as DTLS relays for nodes being bootstrapped.

Configuring DTLS Relay for EST

Use the following command to configure DTLS relay:

CGR#configure terminal
CGR(config)#interface wpan 4/1
CGR(config-if)#dtls-relay ?
  X:X:X:X::X  IPv6 address (aaaa:bbbb:cccc:dddd:eeee:ffff:gggg:hhhh, aaaa::bbb)
CGR(config-if)#dtls-relay 2060:FACD::6 ?
  lifetime      specify session lifetime
  max-sessions  specify maximum number of sessions
  port          destination port

Example

CGR(config-if)#dtls-relay 2060:FACD::6 port 61629 max-sessions 10 lifetime 300

Use the following show command to verify the configuration:

#show wpan 4/1 config
Module Type: RF-WPAN (IEEE 802.15.4e/g RF OFDM)
ssid: 510P1-lzhao3
panid: 925
phy_mode: 149
band-id: 4
transmit power: 15
channel: 254
dwell: window 12400 max-dwell 400
fec: n/a
beacon async: min-interval 15 max-interval 60 suppression-coefficient 1
security mode: 1
test mode: 0 (test firmware only)
admin_status: up
rpl prefix: 2022:AAAA::10/64
rpl route-poisoning: off
rpl dodag-lifetime: 15
rpl dio-dbl: 1
rpl dio-min: 14
rpl version-incr-time: 10
detach bridge: no
bootloader mode: no
mcast-agent: FF38:40:2022:AAAA::1 61624 61628 1153
firmware version: 6.1(6.1.27)
slave mode: no
wisun mode: no
ieee154 beacon ver incr time: 60 seconds
DTLS Relay: 2060:FACD::6 max-sessions 10 lifetime 300

Configuring Wi-SUN Mode

Wi-SUN mode is supported from Cisco Resilient Mesh Release 6.1. To enable Wi-SUN mode, use the following command under interface configuration mode:

(config-if)#wisun-mode

Note: Changing wisun-mode requires module reload. In Wi-SUN mode, storing mode is not supported. In Wi-SUN mode, the mesh key should be reconfigured after changing PANID.

Use the following command to configure wisun ucast dwell, bcast dwell, and bcast interval under WPAN interface:

(config-if)#ieee154 wisun-dwell ucast-dwell-int <125> bcast-dwell-int <125> bcast-int <500>

Note: For Release 6.1 Wi-SUN mode, you need to configure phy mode 66 or 64. For Release 6.2 Wi-SUN mode, you need to configure phy mode 40 or 42. When CGR is in Wi-SUN mode, if there are nodes in the WPAN route table and route poisoning is not enabled, changing PANID will enable temporary RPL poisoning. It will be disabled automatically. The new panid will take effect after 3 DIO messages are sent.

Verifying Connectivity to the CGR

To verify connectivity to the CGR before querying the system, use the ping command in EXEC mode:

Router# ping ?
  WORD      Ping destination address or hostname
  atm       ATM echo
  clns      CLNS echo
  ethernet  Ethernet echo
  ip        IP echo
  ipv6      IPv6 echo
  mpls      MPLS echo
  sna       SNA APING transaction program
  srb       srb echo
  tag       Tag encapsulated IP echo
  <cr>

To discover the routes that packets will actually take when traveling to their destination across an IPv6 network, use the traceroute ipv6 command in EXEC mode.

# traceroute ipv6 [host-name|ip-address]
show Command Examples

Use the following command to view all WPAN show commands:

Router# show wpan 4/1 ?
  config             Configuration information
  data-rate          Data rate during last 1 minute
  eap-table          Recent EAP node table
  hardware           Hardware information
  ieee154            IEEE 802.15.4 related information
  ieeep19012         IEEE P1901.2 related information
  link-neighbors     Layer 3 link neighbor information
  module-type        Module type (RF or PLC)
  oui-table          OUI mapping table for 8-to-6 MAC address translation (EUI64 <-->IEEE MAC)
  outage-server      WPAN outage server
  outage-table       WPAN outage table
  packet-count       Packet counts
  restoration-table  WPAN restoration table
  rpl                RPL related information
  service-state      WPAN service state
  slave-mode         Slave mode

This section covers the following RPL and WPAN show commands:

show wpan config
show wpan hardware
show wpan packet-count
show wpan link-neighbors
show wpan outage
show wpan restoration-table
show wpan rpl

show wpan config
Router# show wpan 4/1 config
module type: RF-WPAN (IEEE 802.15.4e/g RF 900MHz)
ssid: migration_far2 <-- #See Naming the SSID.
panid: 7224 <-- #See Naming Your PAN.
transmit power: -30 <-- #See Configuring Transmit Power.
channel: 254 <-- #Channel hopping setting
dwell: window 20000 max-dwell 400
beacon async: min-interval 120 max-interval 900 suppression-coefficient 1
security mode: 1
test mode: 0 (test firmware only)
admin_status: up
rpl prefix: 2092:1:1:1::/64
rpl route-poisoning: off
rpl dodag-lifetime: 120
rpl dio-dbl: 0
rpl dio-min: 20
rpl version-incr-time: 60
detach bridge: no
bootloader mode: no
mcast-agent: FF38:40:2092:1:1:1:0:1 61624 1153
firmware version: 5.5.48
slave mode: no

show wpan hardware

To view the WPAN configuration that resides on the WPAN hardware, use the show wpan <slot>/1 hardware configuration command:
Router# show wpan 4/1 hardware hwversion
hardware version: Itron OWCM
 Hardware rev : 3.1
 Model name : OWCM
 Hardware ID : RFLAN/3.60/3.80
Router# show wpan 4/1 hardware version
firmware version: 5.5.48, apps/bridge, master, 4b89e37, Apr 4
Router# show wpan 4/1 hardware config
serial number: FF-FF-FF-FF-FF-FF-FF-FF
eui64: 000781080067B074
ssid: migration_far2
panid: 7224
transmit power: -30 (<-txpower_reg 0x12)
channel: 254
channel notch: none
dwell: window 20000 max-dwell 400
beacon async: min-interval 120 max-interval 900 suppression-coefficient 1
security mode: 1
admin_status: up

The output of the command show wpan <slot>/1 hardware key shows mesh-security keys (GTKs) that reside on the WPAN hardware. The show wpan <slot>/1 hardware key output should agree with the output of show mesh-security keys. (See show mesh-security keys.)

The show wpan <slot>/1 hardware link-neighbor command shows the list of recently heard IEEE 802.15.4 link neighbors. These link neighbors are RMEs within a 1-hop transmit range from the CGR and from which the CGR has recently heard IEEE 802.15.4 frames. The list shows only the most recently heard subset from all possible 1-hop neighbors.

Other show wpan hardware options are:

Router# show wpan 4/1 hardware ?
  channel-list      Channel list
  config            Configuration
  debug             Debug information
  global-time       Global time
  hwversion         Hardware version
  key-info          Mesh key information
  leds              LED status
  link-neighbors    Layer 2 link neighbor information
  link-stats        Link statistics
  network-if-stats  Network interface statistics
  security-mode     Security mode (enabled by dot1x)
  test-mode         Test mode (for test firmware only)
  uptime            Uptime
  version           Firmware version

Router# show wpan 4/1 hard key
keyinfo:
 key 0: valid *
 key 1: valid
 key 2: empty
 key 3: empty
 key x: valid

Router# show wpan 4/1 hardware link-neighbors
eui64             etx    heard  sent / ack  rssif / rssir  lqif / lqir
0007810800A909A1  65535  5      0 / 0       n/a / -99      n/a / 41
0007810800CBF246  65535  23     0 / 0       n/a / -86      n/a / 76
0007810800000001  65535  38     0 / 0       n/a / -114     n/a / 127
00078108003C2206  263    59     3 / 3       -71 / -74      36 / 14
00078108003C2202  278    65     0 / 0       -71 / -77      72 / 36
00078108003C2207  258    113    1 / 1       -71 / -76      14 / 18

Router# show wpan 4/1 hardware link-stats ?
  bridge          Link statistics bridge
  brief           Link statistics brief
  ieee154-beacon  Link statistics ieee154 beacon
  ieee154-device  Link statistics ieee154 device
  ieee154-mac     Link statistics ieee154 mac
  lowpan          Link statistics lowpan
  radio           Link statistics radio

Router# show wpan 4/1 hardware link-stats brief
linkstats info:
lowpan
 tx frames: 5244 (1349356 bytes)
 rx frames: 2483 (740228 bytes)
 tx errors: 0
 rx errors: 0
 tx discards: 113
 rx discards: 22
serial
 tx frames: 2340 (250602 bytes)
 rx frames: 1031 (308456 bytes)
 tx errors: 0
 rx errors: 3
 tx discards: 0
 rx discards: 0

show wpan packet-count

Router# show wpan 4/1 packet-count
TOTAL:
incoming: 940 outgoing: 739
(183959
(192452 bytes) bytes)
lowpan:
incoming: 395 outgoing: 79
(81660
(11483 bytes) bytes) dot1x:
incoming: 545 outgoing: 660
(102299
(180969 bytes) bytes)
lowpan.icmp:
outage:
restoration:
incoming: 0 incoming: 0 lowpan.dhcp:
lowpan.csmp:
lowpan.c1222:
incoming: 143 rpl dao: 41 rpl dio: 38 rpl dis: 0 nd ns : 39 outgoing: 40 rpl ra : 0 nd rs : 0 incoming: 179 outgoing: 27 incoming: 73
- mcast: 0
- ucast: 73 outgoing: 1
- mcast: 0
- ucast: 1 incoming: 0
- mcast: 0
- ucast: 0 outgoing: 0
- mcast: 0
- ucast: 0 incoming: 0 outgoing: 0 incoming: 0 outgoing: 0 lowpan.other_udp:
lowpan.tcp:
(0
(0
(16601
(7160
(4125
(0
(2816
(4000
(0
(0
(23850
(6595
(41209
(0
(41209
(52
(0
(52
(0
(0
(0
(0
(0
(0
(0
(0
(0
(0 bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) bytes) lowpan.other_ip:
incoming: 0 outgoing: 11
(0
(836
ucast:
mcast:
bcast:
incoming: 902 outgoing: 728
(179834
(191616 bytes) bytes) incoming: 0 outgoing: 0 incoming: 38 outgoing: 11 incoming: 0 outgoing: 0
(4125
(836
(0
(0
(0
(0 bytes) bytes) bytes) bytes) bytes) bytes)
bridge:
(ios):
incoming: 792 outgoing: 861
(169418
(155858 bytes) bytes)
(hdlc):
incoming: 2131 outgoing: 972
(216892
(306238 bytes) bytes)
udp checksum error:
incoming: 0 bytes)
(0 icmp checksum error:
incoming: 0 tcp checksum error:
incoming: 0
(0
(0 bytes) bytes)
queue overflow:
hdlc queue: 0 hold queue: 0 Router#
show wpan link-neighbors

The command show wpan link-neighbors shows the information about the WPAN link neighbors. These link neighbors are RMEs within a 1-hop transmit range from the CGR that sent at least one IPv6 or IEEE 802.1X packet to the CGR during the last hour.

Router# show wpan 4/1 link-neighbors table
------------------------- WPAN LINK NEIGHBOR TABLE [4] -------------------------
EUI64             FIRST_HEARD  LAST_HEARD  RSSIF  RSSIR  LQIF  LQIR
00078108003C2200  15:09:50     16:38:17    -69    -76    51    7
00078108003C2201  14:46:01     16:39:57    -72    -77    29    14
00078108003C2202  14:51:32     16:51:14    -71    -77    72    21
00078108003C2203  14:49:31     16:45:44    -70    -74    57    10
00078108003C2204  15:09:39     16:49:39    -74    -75    8     14
00078108003C2205  14:45:01     16:35:16    -70    -76    76    15
00078108003C2206  15:09:44     16:50:37    -71    -75    36    20
00078108003C2207  14:46:25     16:37:48    -71    -75    14    16
00078108003C2208  14:52:51     16:44:15    -71    -78    47    7
00078108003C2209  15:13:34     16:51:16    -73    -78    66    15
00078108003C220A  14:51:51     16:49:21    -72    -76    18    14
00078108003C220B  15:09:37     16:47:55    -69    -76    45    9
Number of Entries in WPAN LINK NEIGHBOR TABLE: 12

Router# show wpan 4/1 link-neighbors brief
Number of Entries: 12
Last Reset: 2014:05:18-14:43:33
First Heard: 2014:05:18-14:45:01 00078108003C2205 -76 -70
Last Joined: 2014:05:18-15:13:34 00078108003C2209 -80 -73
Last Heard: 2014:05:18-16:58:54 00078108003C2208 -75 -71

Note: The minimum RSSI to join a mesh network is -95 dBm; a lower RSSIF/RSSIR value will not allow the node to establish connectivity.

show wpan outage

The show wpan <slot>/1 outage table command shows recent power-outage notification (PON) events in the PAN during the past hour.

Route# show wpan 4/1 outage-table
---------------------- WPAN POWER OUTAGE NOTIFICATION TABLE ----------------------
EUI64 00078108003C2200 00078108003C2201 Number of Entries in WPAN RECENT POWER OUTAGE NOTIFICATION (PON) TABLE: 2 SSLOT 12:39:51 12:39:54 1399405190 1399405193 12:39:51 12:39:54 FIRST_HEARD LAST_HEARD TIMESTAMP CNT_B CNT_R 0 0 1 1 4 4

show wpan restoration-table

The show wpan <slot>/1 restoration-table command shows recent power restoration notification (PRN) events in the PAN during the past hour.

Router# show wpan 4/1 restoration-table
---------------------- WPAN POWER RESTORATION NOTIFICATION TABLE ---------------------
EUI64 00078108003C2200 00078108003C2201 Number of Entries in WPAN RECENT PRN TABLE (POWER RESTORATION NOTIFICATION): 2 CNT_B CNT_R FIRST_HEARD LAST_HEARD SSLOT 1399405190 1399405193 1399405290 1399405293 12:54:15 12:53:26 12:53:30 12:52:44 OUTAGE_TIME TIMESTAMP 33 34 3 2 4 4

show wpan rpl

To view the RPL Directed Acyclic Graph (DAG) and its routing table, use the following commands:

Router# show wpan 4/1 rpl ?
  atable             Show RPL routing table with external modules
  atree              Show RPL routing tree figure with external modules
  brief              Show RPL routing table brief information
  config             Show RPL configuration
  dag-lifetime       Show DAG lifetime in minutes
  dio-dbl            Show DIO dbl value
  dio-min            Show DIO minimum value
  etree              Show RPL routing tree figure with EUI64
  hopinfo            Show RPL routing tree hops information
  itable             Show RPL routing table with IP route information
  ptable             Show RPL routing table with parent information
  route-poisoning    Show route poisoning
  stable             Show RPL routing table with actual slot info
  stree              Show RPL routing tree figure with actual slot info
  table              Show RPL routing table
  tree               Show RPL routing tree figure
  version-incr-time  Show version increment time in minutes

Router# show wpan 4/1 rpl table
-------------------------------- WPAN RPL ROUTE TABLE [4] --------------------------------
NODE_IPADDR                   NEXTHOP_IP                    LAST_HEARD
2092:1:1:1:AAAA:8108:3C:2200  2092:1:1:1::                  16:29:40
2092:1:1:1:AAAA:8108:3C:2203  2092:1:1:1::                  16:43:10
2092:1:1:1:AAAA:8108:3C:2205  2092:1:1:1:AAAA:8108:3C:2206  16:47:38
2092:1:1:1:AAAA:8108:3C:2206  2092:1:1:1::                  16:55:09
2092:1:1:1:AAAA:8108:3C:2207  2092:1:1:1::                  16:53:00
2092:1:1:1:AAAA:8108:3C:2208  2092:1:1:1::                  16:43:36
2092:1:1:1:AAAA:8108:3C:2209  2092:1:1:1::                  17:02:49
2092:1:1:1:AAAA:8108:3C:220A  2092:1:1:1::                  16:55:20
2092:1:1:1:AAAA:8108:3C:220B  2092:1:1:1::                  16:58:26
2092:1:1:1:AAAA:8108:3C:2301  2092:1:1:1:AAAA:8108:3C:2206  16:55:35
2092:1:1:1:AAAA:8108:3C:2302  2092:1:1:1:AAAA:8108:3C:2206  16:53:06
2092:1:1:1:AAAA:8108:3C:2304  2092:1:1:1:AAAA:8108:3C:2206  16:42:55
2092:1:1:1:AAAA:8108:3C:2306  2092:1:1:1:AAAA:8108:3C:220A  16:47:15
2092:1:1:1:AAAA:8108:3C:2308  2092:1:1:1:AAAA:8108:3C:2206  16:49:26
2092:1:1:1:AAAA:8108:3C:2309  2092:1:1:1:AAAA:8108:3C:2206  17:00:24
2092:1:1:1:AAAA:8108:3C:2402  2092:1:1:1:AAAA:8108:3C:2304  16:29:54
2092:1:1:1:AAAA:8108:3C:2403  2092:1:1:1:AAAA:8108:3C:2304  16:56:58
2092:1:1:1:AAAA:8108:3C:2404  2092:1:1:1:AAAA:8108:3C:2304  17:02:23
2092:1:1:1:AAAA:8108:3C:2405  2092:1:1:1:AAAA:8108:3C:2304  16:40:57
2092:1:1:1:AAAA:8108:3C:2406  2092:1:1:1:AAAA:8108:3C:2308  17:05:55
2092:1:1:1:AAAA:8108:3C:2407  2092:1:1:1:AAAA:8108:3C:2304  17:03:14
2092:1:1:1:AAAA:8108:3C:2409  2092:1:1:1:AAAA:8108:3C:2304  17:06:08
2092:1:1:1:AAAA:8108:3C:240A  2092:1:1:1:AAAA:8108:3C:2304  16:36:29
2092:1:1:1:AAAA:8108:3C:240B  2092:1:1:1:AAAA:8108:3C:2304  16:56:51
Number of Entries in WPAN RPL ROUTE TABLE: 24
Router# show wpan 4/1 rpl tree
----------------------------- WPAN RPL TREE FIGURE [4] -----------------------------
[2092:1:1:1::] (8/25)
   \--- 2092:1:1:1:AAAA:8108:3C:2200
   \--- 2092:1:1:1:AAAA:8108:3C:2203
   \--- 2092:1:1:1:AAAA:8108:3C:2206 (7/16)
        \--- 2092:1:1:1:AAAA:8108:3C:2201
        \--- 2092:1:1:1:AAAA:8108:3C:2205
        \--- 2092:1:1:1:AAAA:8108:3C:2301
        \--- 2092:1:1:1:AAAA:8108:3C:2302
        \--- 2092:1:1:1:AAAA:8108:3C:2304 (7)
             \--- 2092:1:1:1:AAAA:8108:3C:2403
             \--- 2092:1:1:1:AAAA:8108:3C:2404
             \--- 2092:1:1:1:AAAA:8108:3C:2405
             \--- 2092:1:1:1:AAAA:8108:3C:2407
             \--- 2092:1:1:1:AAAA:8108:3C:2409
             \--- 2092:1:1:1:AAAA:8108:3C:240A
             \--- 2092:1:1:1:AAAA:8108:3C:240B
        \--- 2092:1:1:1:AAAA:8108:3C:2308 (2)
             \--- 2092:1:1:1:AAAA:8108:3C:2402
             \--- 2092:1:1:1:AAAA:8108:3C:2406
        \--- 2092:1:1:1:AAAA:8108:3C:2309
   \--- 2092:1:1:1:AAAA:8108:3C:2207
   \--- 2092:1:1:1:AAAA:8108:3C:2208
   \--- 2092:1:1:1:AAAA:8108:3C:2209
   \--- 2092:1:1:1:AAAA:8108:3C:220A (1)
        \--- 2092:1:1:1:AAAA:8108:3C:2306
   \--- 2092:1:1:1:AAAA:8108:3C:220B
RPL TREE: Num.DataEntries 25, Num.GraphNodes 26
Router# show wpan 4/1 rpl atable
-------------------------------- WPAN RPL ROUTE TABLE [4] --------------------------------
NODE_IPADDR                   NEXTHOP_IP                    LAST_HEARD
2092:1:1:1:AAAA:8108:3C:2200  2092:1:1:1::                  17:12:08
2092:1:1:1:AAAA:8108:3C:2201  2092:1:1:1:AAAA:8108:3C:2206  17:11:59
2092:1:1:1:AAAA:8108:3C:2203  2092:1:1:1::                  16:43:10
2092:1:1:1:AAAA:8108:3C:2205  2092:1:1:1:AAAA:8108:3C:2206  16:47:38
2092:1:1:1:AAAA:8108:3C:2206  2092:1:1:1::                  16:55:09
2092:1:1:1:AAAA:8108:3C:2207  2092:1:1:1::                  16:53:00
2092:1:1:1:AAAA:8108:3C:2208  2092:1:1:1::                  17:11:41
2092:1:1:1:AAAA:8108:3C:2209  2092:1:1:1::                  17:02:49
2092:1:1:1:AAAA:8108:3C:220A  2092:1:1:1::                  16:55:20
2092:1:1:1:AAAA:8108:3C:220B  2092:1:1:1::                  16:58:26
2092:1:1:1:AAAA:8108:3C:2301  2092:1:1:1:AAAA:8108:3C:2206  16:55:35
2092:1:1:1:AAAA:8108:3C:2302  2092:1:1:1:AAAA:8108:3C:2206  16:53:06
2092:1:1:1:AAAA:8108:3C:2304  2092:1:1:1:AAAA:8108:3C:2206  16:42:55
2092:1:1:1:AAAA:8108:3C:2306  2092:1:1:1:AAAA:8108:3C:220A  16:47:15
2092:1:1:1:AAAA:8108:3C:2308  2092:1:1:1:AAAA:8108:3C:2206  16:49:26
2092:1:1:1:AAAA:8108:3C:2309  2092:1:1:1:AAAA:8108:3C:2206  17:00:24
2092:1:1:1:AAAA:8108:3C:2402  2092:1:1:1:AAAA:8108:3C:2308  17:09:36
2092:1:1:1:AAAA:8108:3C:2403  2092:1:1:1:AAAA:8108:3C:2304  16:56:58
2092:1:1:1:AAAA:8108:3C:2404  2092:1:1:1:AAAA:8108:3C:2304  17:02:23
2092:1:1:1:AAAA:8108:3C:2405  2092:1:1:1:AAAA:8108:3C:2304  16:40:57
2092:1:1:1:AAAA:8108:3C:2406  2092:1:1:1:AAAA:8108:3C:2308  17:05:55
2092:1:1:1:AAAA:8108:3C:2407  2092:1:1:1:AAAA:8108:3C:2304  17:03:14
2092:1:1:1:AAAA:8108:3C:2409  2092:1:1:1:AAAA:8108:3C:2304  17:06:08
2092:1:1:1:AAAA:8108:3C:240A  2092:1:1:1:AAAA:8108:3C:2304  17:10:25
2092:1:1:1:AAAA:8108:3C:240B  2092:1:1:1:AAAA:8108:3C:2304  16:56:51
Number of Entries in WPAN RPL ROUTE TABLE: 25 (external 0)
Router# show wpan 4/1 rpl ptable
----------------------------- WPAN RPL PARENT INFO TABLE [4] -----------------------------
NODE_IPADDR NODE_EUI RANK VERSION PRIMARY NEXTHOP_IPADDR 2092:1:1:1:AAAA:8108:3C:2200 NEXTHOP_EUI ETX_P ETX_L RSSIR 00078108003C2200 000781080067B074 0 298 RSSIF 298
-74 LQIR 3
-78 LQIF
7 HOPS PARENTS SSLOT 2092:1:1:1::
7 1 3 00078108003C2206 256 256
-42
-47 67 00078108003C2200 00078108003C2200 00078108003C220A 258 256
-49
-51 58 2092:1:1:1:AAAA:8108:3C:2200 2092:1:1:1:AAAA:8108:3C:2206 2092:1:1:1:AAAA:8108:3C:2200 2092:1:1:1:AAAA:8108:3C:220A 2 2 2 2 3 3 3 3 4 4 4 4 4 4 4 2092:1:1:1:AAAA:8108:3C:2201 2092:1:1:1:AAAA:8108:3C:2206 00078108003C2201
00078108003C2206 256 256
-40
-45 38 2092:1:1:1:AAAA:8108:3C:2201 2092:1:1:1:AAAA:8108:3C:2208 00078108003C2201 00078108003C2208 267 256
-41
-40 67 2092:1:1:1:AAAA:8108:3C:2201 00078108003C2201 000781080067B074 550
-70 2092:1:1:1:AAAA:8108:3C:2203 00078108003C2203 000781080067B074 347
-74 0 0 3
-76 3
-74 2092:1:1:1::
37
12 38 22 1 1 2092:1:1:1::
3 3 3 3 3 3 298 298 512 512 512 360
<-..truncated..->
Router# show wpan 4/1 rpl brief
Number of Entries: 25
Last Reset:  2014:05:18-14:57:10 (reason: configure panid)
First Heard: 2014:05:18-15:25:43 2092:1:1:1:AAAA:8108:3C:220A
Last Joined: 2014:05:18-17:11:59 2092:1:1:1:AAAA:8108:3C:2201
Last Heard:  2014:05:18-17:13:21 2092:1:1:1:AAAA:8108:3C:2405
Router# show wpan 4/1 rpl hopinfo
-------- RPL TREE HOP INFO [4] --------
         NUM_NODES  (REPORTED)
Hop 0:   1          (1)
Hop 1:   8          (8)
Hop 2:   8          (8)
Hop 3:   9          (9)
RPL HOPINFO: # DataEntries 25, # External 0, # GraphNodes 26
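The per-hop counts and the (children/descendants) figures in the tree output can be recomputed from the NODE_IPADDR and NEXTHOP_IP pairs of the atable output, which gives a quick consistency check on a captured table and flags entries whose next hop never leads back to the DAG root. The following Python is an added example, not Cisco code; the whitespace-separated row layout and all function names are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict, deque

# Rows re-typed from the NODE_IPADDR, NEXTHOP_IP and LAST_HEARD values of the
# "show wpan 4/1 rpl atable" output above; the column order is an assumption.
ATABLE = """\
2092:1:1:1:AAAA:8108:3C:2200 2092:1:1:1:: 17:12:08
2092:1:1:1:AAAA:8108:3C:2201 2092:1:1:1:AAAA:8108:3C:2206 17:11:59
2092:1:1:1:AAAA:8108:3C:2203 2092:1:1:1:: 16:43:10
2092:1:1:1:AAAA:8108:3C:2205 2092:1:1:1:AAAA:8108:3C:2206 16:47:38
2092:1:1:1:AAAA:8108:3C:2206 2092:1:1:1:: 16:55:09
2092:1:1:1:AAAA:8108:3C:2207 2092:1:1:1:: 16:53:00
2092:1:1:1:AAAA:8108:3C:2208 2092:1:1:1:: 17:11:41
2092:1:1:1:AAAA:8108:3C:2209 2092:1:1:1:: 17:02:49
2092:1:1:1:AAAA:8108:3C:220A 2092:1:1:1:: 16:55:20
2092:1:1:1:AAAA:8108:3C:220B 2092:1:1:1:: 16:58:26
2092:1:1:1:AAAA:8108:3C:2301 2092:1:1:1:AAAA:8108:3C:2206 16:55:35
2092:1:1:1:AAAA:8108:3C:2302 2092:1:1:1:AAAA:8108:3C:2206 16:53:06
2092:1:1:1:AAAA:8108:3C:2304 2092:1:1:1:AAAA:8108:3C:2206 16:42:55
2092:1:1:1:AAAA:8108:3C:2306 2092:1:1:1:AAAA:8108:3C:220A 16:47:15
2092:1:1:1:AAAA:8108:3C:2308 2092:1:1:1:AAAA:8108:3C:2206 16:49:26
2092:1:1:1:AAAA:8108:3C:2309 2092:1:1:1:AAAA:8108:3C:2206 17:00:24
2092:1:1:1:AAAA:8108:3C:2402 2092:1:1:1:AAAA:8108:3C:2308 17:09:36
2092:1:1:1:AAAA:8108:3C:2403 2092:1:1:1:AAAA:8108:3C:2304 16:56:58
2092:1:1:1:AAAA:8108:3C:2404 2092:1:1:1:AAAA:8108:3C:2304 17:02:23
2092:1:1:1:AAAA:8108:3C:2405 2092:1:1:1:AAAA:8108:3C:2304 16:40:57
2092:1:1:1:AAAA:8108:3C:2406 2092:1:1:1:AAAA:8108:3C:2308 17:05:55
2092:1:1:1:AAAA:8108:3C:2407 2092:1:1:1:AAAA:8108:3C:2304 17:03:14
2092:1:1:1:AAAA:8108:3C:2409 2092:1:1:1:AAAA:8108:3C:2304 17:06:08
2092:1:1:1:AAAA:8108:3C:240A 2092:1:1:1:AAAA:8108:3C:2304 17:10:25
2092:1:1:1:AAAA:8108:3C:240B 2092:1:1:1:AAAA:8108:3C:2304 16:56:51
"""
ROOT = ipaddress.IPv6Address("2092:1:1:1::")  # DAG root shown in the tree figure


def _addr(token):
    """Return token as an IPv6Address, or None for timestamps and other text."""
    try:
        return ipaddress.IPv6Address(token)
    except ValueError:
        return None


def parse_routes(text):
    """Map each node to its next hop; lines without two addresses are skipped."""
    routes = {}
    for line in text.splitlines():
        addrs = [a for a in map(_addr, line.split()) if a is not None]
        if len(addrs) == 2:
            routes[addrs[0]] = addrs[1]
    return routes


def children_of(routes):
    """Invert the node -> next hop map into parent -> [children]."""
    kids = defaultdict(list)
    for node, nexthop in routes.items():
        kids[nexthop].append(node)
    return kids


def hop_counts(routes, root=ROOT):
    """Breadth-first walk from the root: nodes per hop, plus unreachable nodes."""
    kids, depth, queue = children_of(routes), {root: 0}, deque([root])
    while queue:
        cur = queue.popleft()
        for child in kids.get(cur, []):
            if child not in depth:
                depth[child] = depth[cur] + 1
                queue.append(child)
    # A node is unreachable when its parent chain is missing or forms a loop.
    unreachable = sorted(n for n in routes if n not in depth)
    return dict(Counter(depth.values())), unreachable


def subtree(routes, node):
    """(direct children, all descendants), as in the '(7/16)' tree annotation."""
    kids = children_of(routes)
    seen, stack = set(), list(kids.get(node, []))
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(kids.get(cur, []))
    return len(kids.get(node, [])), len(seen)


if __name__ == "__main__":
    table = parse_routes(ATABLE)
    print(hop_counts(table), subtree(table, ROOT))
```
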
Debugging the WPAN Module
To debug the WPAN module, use the debug wpan all command:
# debug wpan all
Sample Router Configuration
Note The dwell attribute indicates the maximum transmission time on a channel to comply with government regulations, most of which limit transmissions on a channel to X ms within Y ms (minimum and maximum duration). The dwell command allows you to set both X and Y. In the U.S., they are typically 400 ms to 20000 ms.
The following example is for a CGR with a basic WPAN configuration:
! Last configuration change at 22:59:13 PST Tue Apr 22 2014 by cisco
version 15.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
hostname Router
boot-start-marker
boot system flash:/cgr1000-universalk9-mz.SSA.154-2.07.CG
boot-end-marker
enable password cisco
aaa new-model
aaa group server radius nps-group
 server name nps-radius
aaa authentication enable default none
aaa authentication dot1x default group nps-group
aaa authorization network FLEX local
aaa session-id common
clock timezone PST -8 0
clock summer-time PST recurring
dot11 ssid ArifNXTSY
 authentication key-management wpa2
no ip domain lookup
ip name-server 171.70.168.183
ip name-server 171.68.226.120
ip cef
ipv6 unicast-routing
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint SG
 enrollment mode ra
 enrollment url http://192.168.193.20:80/certsrv/mscep/mscep.dll
 serial-number
 revocation-check none
 rsakeypair SG 2048
crypto pki profile enrollment SG
 enrollment url http://192.168.193.20/certsrv/mscep/mscep.dll
crypto pki certificate map FlexVPN_CertMap 10
 issuer-name co lab-ca-ca
crypto pki certificate chain SG
 certificate 568DE8A10000000002D3
  quit
 certificate ca 57DDCBEA41D1B0A14540C10330393E2D
  quit
chat-script hspa-R7 "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
chat-script cdma "" "atdt#777" TIMEOUT 60 "CONNECT"
license udi pid CGR1240/K9 sn JAF1723AHFE
license accept end user agreement
license boot cgr1000 technology-package securityk9
license boot cgr1000 technology-package datak9
dot1x system-auth-control
hw-module poweroff 3
hw-module poweroff 5
username cisco password 0 cisco
username admin password 0 Cisco12345
redundancy
crypto ikev2 authorization policy FLEX
 route set interface
 route set access-list 90
 route set access-list ipv6 IPv6_access_list
crypto ikev2 profile default
 match certificate FlexVPN_CertMap
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint SG
 aaa authorization group psk list FLEX FLEX
 aaa authorization group cert list FLEX FLEX
crypto ikev2 dpd 30 5 on-demand
ip ftp username lab
ip ftp password lab123
ip ssh version 2
ip scp server enable
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
 ipv6 address 2081::1/64
 ipv6 enable
interface Tunnel0
 ip address negotiated
 ipv6 address 2002:DEAD:CAFE:C5C0:AAAA:BBBB:CCCC:5/128
 ipv6 enable
 tunnel source GigabitEthernet2/1
 tunnel destination 100.0.0.1
 tunnel protection ipsec profile default
interface Tunnel1
 description IPsec tunnel to CGR1240/K9+JAF1722BJHT
 no ip address
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
interface Dot11Radio2/1
 ssid ArifNXTSY
 suppress ssid
 ip address 192.168.111.111 255.255.255.0
 no mop enabled
 no mop sysid
interface FastEthernet2/3
 no ip address
interface FastEthernet2/4
 no ip address
interface FastEthernet2/5
 no ip address
interface FastEthernet2/6
 no ip address
interface GigabitEthernet2/1
 no switchport
 ip address 100.0.0.2 255.255.255.0
 duplex auto
 speed auto
 ipv6 enable
interface GigabitEthernet2/2
 no switchport
 ip address 172.27.162.22 255.255.255.0
 duplex auto
 speed auto
interface Wpan3/1
 no ip address
interface Wpan4/1
 no ip address
 ip broadcast-address 0.0.0.0
 no ip route-cache
 ieee154 beacon-async min-interval 121 max-interval 601 suppression-coefficient 1
 ieee154 dwell window 20000 max-dwell 401
 ieee154 panid 7221 <-- #See Naming Your PAN, on page 27.
 ieee154 ssid migration_far2 <-- #See Naming the SSID, on page 28.
 ieee154 txpower -30 <-- #See Configuring Transmit Power, on page 28.
 authentication host-mode multi-auth
 authentication port-control auto
 ipv6 address 2091:1:1:1::/64
 ipv6 enable
 ipv6 dhcp relay destination 2010:A0B0:1001:22::2 <-- #See Configuring IPv6 DHCP Relay, on page 34.
 dot1x pae authenticator <-- #WPAN module is a client of dot1x.
 no ip address
 ip broadcast-address 0.0.0.0
 no ip route-cache
 ieee154 beacon-async min-interval 120 max-interval 900 suppression-coefficient 1
 ieee154 panid 7219
 ieee154 ssid plc123
 rpl dag-lifetime 240
 rpl dio-min 21
 rpl version-incr-time 240
 authentication host-mode multi-auth
 authentication port-control auto
 ipv6 address 2092:1:1:1::/64
 ipv6 enable
 ipv6 dhcp relay destination 2010:A0B0:1001:22::2
 dot1x pae authenticator
interface Wpan5/1
 no ip address
interface Wpan6/1
interface Vlan1
 no ip address
interface Async1/1
 no ip address
 encapsulation scada
interface Async1/2
 no ip address
 encapsulation scada
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.27.162.1
ip route 0.0.0.0 0.0.0.0 100.0.0.1
ip route 10.0.0.0 255.0.0.0 172.27.162.1
ip route 172.27.0.0 255.255.0.0 172.27.162.1
ip route 192.168.193.0 255.255.255.0 100.0.0.1
route-map WPAN permit 10
access-list 90 permit 2.2.2.2
radius server nps-radius
 address ipv4 192.168.193.21 auth-port 1645 acct-port 1646
 key Cisco123
ipv6 access-list IPv6_access_list
 permit ipv6 2091:1:1:1::/64 any
 sequence 11 permit ipv6 2092:1:1:1::/64 any
 sequence 40 permit ipv6 any any
control-plane
line con 0
 exec-timeout 0 0
 privilege level 15
line 1/1 1/2
 transport preferred none
 stopbits 1
line 1/3 1/6
 transport preferred none
 transport output none
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password cisco
 login authentication cisco
 transport input all
line vty 5 10
 transport input all
end
Sample CGR and ASR Configuration
This section contains sample configurations for a CGR and an ASR in a Cisco Resilient Mesh network.
Sample CGR Configuration
CGR-JAF1626AQED# show run brief
Building configuration...
Current configuration : 13616 bytes
! Last configuration change at 11:35:03 PDT Fri May 16 2014
version 15.4
service timestamps debug datetime msec
service timestamps log datetime localtime
no service password-encryption
service internal
hostname CGR-JAF1626AQED
boot-start-marker
boot system flash:/cgr1000-universalk9-mz.SSA.154-2.12.CG015
boot-end-marker
no logging console
aaa new-model
aaa group server radius nps-group
 server name nps-radius
aaa authentication dot1x default group nps-group
aaa authorization network FlexVPN_Author local
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
dot11 ssid sol50_wifi
 authentication key-management wpa2
 wpa2-psk ascii encrypted 7 072C285F4D0626544541
ip dhcp pool GOS
 host 192.168.1.1 255.255.255.0
 client-identifier d48c.b5a2.ee4c
no ip domain lookup
ip domain name ipv6lab.com
ip host cenbu-tps1.ipv6lab.com 192.168.193.120
ip host cenbu-nms1.ipv6lab.com 2001:C1::C0A8:C10E
ip inspect WAAS flush-timeout 10
ip cef
ipv6 unicast-routing
ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint LDevID
 enrollment mode ra
 enrollment profile LDevID
 serial-number none
 fqdn none
 ip-address none
 password
 fingerprint F23314787BD98B99AF1FE0B2D338961D125EAE51
 subject-name CN=CGR-JAF1626AQED/serialNumber=PID:CGR1120/K9 SN:JAF1626AQED
 revocation-check none
 rsakeypair LDevID 2048
crypto pki profile enrollment LDevID
 enrollment url http://192.168.100.120/certsrv/mscep/mscep.dll
crypto pki certificate map FlexVPN_Cert_Map 1
 issuer-name co cn = ipv6lab-sol-radius1-ca
crypto pki certificate chain LDevID
 certificate 610380E2000100000120
 certificate ca 2539E6B5CFF2FB894AC90A73EA69A645
chat-script hspa-R7 "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
license udi pid CGR1240/K9 sn JAF1626BKLG
license accept end user agreement
license boot module cgr1000 technology-package securityk9
license boot module cgr1000 technology-package datak9
dot1x system-auth-control
archive
 path flash:/archive/
 maximum 8
username admin privilege 15 password 0 Cisco_123
username cg-nms-administrator privilege 15 password 0 Cisco_123
redundancy
 notification-timer 60000
crypto ikev2 authorization policy FlexVPN_Author_Policy
 route set interface
 route set access-list FlexVPN_Client_IPv4_LAN
 route set access-list ipv6 FlexVPN_Client_IPv6_LAN
crypto ikev2 proposal FlexVPN_IKEv2_Proposal
 encryption aes-cbc-128
 integrity sha1
 group 5
crypto ikev2 policy FLexVPN_IKEv2_Policy
 proposal FlexVPN_IKEv2_Proposal
crypto ikev2 profile FlexVPN_IKEv2_Profile
 match certificate FlexVPN_Cert_Map
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint LDevID
 aaa authorization group cert list FlexVPN_Author FlexVPN_Author_Policy
crypto ikev2 dpd 30 5 on-demand
crypto ikev2 client flexvpn FlexVPN_Client
 peer 1 173.36.248.224
 client connect Tunnel0
controller Cellular 3/1
ip ssh rsa keypair-name CGR-JAF1626AQED
ip ssh version 2
crypto ipsec transform-set AES_128_SHA1 esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile FlexVPN_IPsec_Profile
 set transform-set AES_128_SHA1
 set ikev2-profile FlexVPN_IKEv2_Profile
interface Loopback0
 ip address 20.211.0.11 255.255.255.255
 ipv6 address 2001:420:7BF:7E8::B/128
 ipv6 enable
 ipv6 ospf 1 area 1
interface Tunnel0
 description IPsec tunnel to SOL-ASR-7
 ip unnumbered Loopback0
 ip pim sparse-mode
 ipv6 unnumbered Loopback0
 ipv6 enable
 ipv6 mld join-group FF38:40:2006:DEAD:BEEF:CAFE:0:1
 ipv6 ospf 1 area 1
 ipv6 ospf mtu-ignore
 tunnel source Dialer1
 tunnel destination dynamic
 tunnel protection ipsec profile FlexVPN_IPsec_Profile
interface Tunnel1
 no ip address
interface GigabitEthernet0/1
 ip address 100.0.0.1 255.255.255.0
 duplex auto
 speed auto
interface Dot11Radio2/1
 ssid sol50_wifi
 power local 8
 ip address 192.168.111.254 255.255.255.0
 load-interval 30
 ipv6 enable
 no mop enabled
 no mop sysid
interface FastEthernet2/3
 no switchport
 no ip address
interface FastEthernet2/4
 no switchport
 no ip address
 shutdown
 ipv6 address 2011:DEAD:BEEF:CAFE::2/64
 ipv6 enable
 ipv6 mld join-group FF38:40:2006:DEAD:BEEF:CAFE:0:1
 ipv6 ospf 1 area 1
interface FastEthernet2/5
 no switchport
 ip address 172.27.126.11 255.255.255.128
interface FastEthernet2/6
 no switchport
 ip address 2.4.53.7 255.255.0.0
interface GigabitEthernet2/1
 no switchport
 ip address 1.0.0.11 255.255.255.0
 shutdown
 duplex auto
 speed auto
interface GigabitEthernet2/2
 description SPIRENT-ip address 201.0.0.1 255.255.255.0
 no switchport
 ip address 201.0.0.1 255.255.255.0
 load-interval 30
 duplex auto
 speed auto
interface Wpan5/1
 no ip address
 ip broadcast-address 0.0.0.0
 no ip route-cache
 ieee154 beacon-async min-interval 120 max-interval 900 suppression-coefficient 0
 ieee154 panid 99
 ieee154 ssid migration_soltn
 ieee154 txpower 2
 outage-server cenbu-nms1.ipv6lab.com
 rpl dag-lifetime 60
 rpl dio-min 18
 rpl version-incr-time 120
 authentication host-mode multi-auth
 authentication port-control auto
 ipv6 address 2006:DEAD:BEEF:CAFE::/64
 ipv6 dhcp relay destination 2001:64::C0A8:647D
 ipv6 ospf 1 area 1
 dot1x pae authenticator
 mesh-security max-active-key-exchange 10
 mesh-security max-active-authentication 15
 mesh-security authentication-timeout 45
interface Cellular3/1
 ip address negotiated
 ip virtual-reassembly in
 encapsulation slip
 load-interval 30
 dialer in-band
 dialer pool-member 1
 dialer idle-timeout 0
 no peer default ip address
 async mode interactive
 routing dynamic
interface Vlan1
 no ip address
interface Async1/1
 no ip address
 encapsulation raw-tcp
interface Async1/2
 no ip address
 encapsulation scada
interface Dialer1
 ip address negotiated
 ip virtual-reassembly in
 encapsulation slip
 dialer pool 1
 dialer idle-timeout 0
 dialer string hspa-R7
 dialer persistent
router ospfv3 1
 address-family ipv6 unicast
  redistribute connected route-map WPAN
  router-id 2.0.0.7
 exit-address-family
router ospf 1
 network 1.0.0.0 0.0.0.255 area 1
 network 20.211.0.11 0.0.0.0 area 1
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http secure-ciphersuite aes-128-cbc-sha aes-256-cbc-sha dhe-aes-128-cbc-sha dhe-aes-256-cbc-sha
ip http secure-client-auth
ip http secure-port 8443
ip http secure-trustpoint LDevID
ip http max-connections 2
ip http timeout-policy idle 600 life 86400 requests 3
ip http client connection timeout 5
ip http client connection retry 5
ip http client source-interface Loopback0
ip http client secure-ciphersuite aes-128-cbc-sha aes-256-cbc-sha dhe-aes-128-cbc-sha dhe-aes-256-cbc-sha
ip route 10.28.29.227 255.255.255.255 172.27.126.1
ip route 101.0.0.100 255.255.255.255 192.168.160.1
ip route 101.0.0.101 255.255.255.255 192.168.161.1
ip route 101.0.0.102 255.255.255.255 192.168.162.1
ip route 170.0.0.2 255.255.255.255 192.168.161.1
ip route 171.70.60.115 255.255.255.255 172.27.126.1
ip route 172.27.167.0 255.255.255.128 172.27.126.1
ip route 173.36.248.197 255.255.255.255 Dialer1
ip route 173.36.248.224 255.255.255.255 Dialer1
ip route 173.36.248.225 255.255.255.255 Dialer1
ip route 192.168.100.121 255.255.255.255 192.168.160.1
ip route 192.168.100.168 255.255.255.255 192.168.160.1
ip route 223.255.254.252 255.255.255.255 2.4.0.1
ip access-list standard FlexVPN_Client_IPv4_LAN
 permit 20.211.0.11
dialer-list 1 protocol ip permit
ipv6 pim rp-address 2333::1
route-map WPAN permit 10
 match interface Wpan5/1
snmp-server group cgnms v3 priv
snmp-server group cg-nms-administrator v3 priv
snmp-server ifindex persist
snmp-server trap-source Loopback0
snmp-server enable traps snmp linkdown linkup coldstart
snmp-server enable traps flash removal
snmp-server enable traps flash low-space
snmp-server enable traps cisco-sys heartbeat
snmp-server enable traps auth-framework auth-fail
snmp-server enable traps c3g
snmp-server enable traps envmon status
snmp-server enable traps wpan
snmp-server enable traps aaa_server
snmp-server enable traps entity-ext
snmp-server enable traps fru-ctrl
snmp-server enable traps mempool
snmp-server host 2001:C1::C0A8:C10E version 3 priv cg-nms-administrator
radius server nps-radius
 address ipv4 192.168.100.121 auth-port 1645 acct-port 1646
 key Cisco123
ipv6 access-list FlexVPN_Client_IPv6_LAN
 sequence 20 permit ipv6 host 2001:420:7BF:7E8::B any
control-plane
line con 0
 exec-timeout 0 0
 privilege level 15
line 1/1
 raw-socket tcp server 5001
 transport preferred none
 transport input telnet
 stopbits 1
line 1/2
 transport preferred none
 transport input telnet
 stopbits 1
line 1/3 1/6
 transport preferred none
 transport input all
 transport output all
 stopbits 1
line 3/1
 script dialer hspa-R7
 modem InOut
 no exec
 transport input telnet
 transport output all
 rxspeed 21600000
 txspeed 5760000
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 length 0
 transport input all
 transport output all
ntp server 192.168.100.250
wsma agent exec
 profile exec
 profile cgmsexec
wsma agent config
 profile config
wsma agent filesys
 profile filesys
wsma profile listener exec
 transport https path /wsma/exec
wsma profile listener cgmsexec
 transport http path /cgmsexec
wsma profile listener config
 transport https path /wsma/config
wsma profile listener filesys
 transport https path /wsma/filesys
wsma profile listener cgmslisten
cgna gzip
cgna geo-fence interval 1
cgna geo-fence active
cgna heart-beat interval 15
cgna heart-beat active
cgna profile cg-nms-tunnel
 add-command show hosts | format flash:/managed/odm/cg-nms.odm
 add-command show ipv6 interface | format flash:/managed/odm/cg-nms.odm
 add-command show interfaces | format flash:/managed/odm/cg-nms.odm
 add-command show version | format flash:/managed/odm/cg-nms.odm
 interval 10
 url https://cenbu-tps1.ipv6lab.com:9120/cgna/ios/tunnel
 gzip
cgna profile cg-nms-register
 add-command show hosts | format flash:/managed/odm/cg-nms.odm
 add-command show interfaces | format flash:/managed/odm/cg-nms.odm
 add-command show ipv6 dhcp | format flash:/managed/odm/cg-nms.odm
 add-command show ipv6 interface | format flash:/managed/odm/cg-nms.odm
 add-command show platform gps location | format flash:/managed/odm/cg-nms.odm
 add-command show platform hypervisor | format flash:/managed/odm/cg-nms.odm
 add-command show sd-card password status | format flash:/managed/odm/cg-nms.odm
 add-command show snmp mib ifmib ifindex | format flash:/managed/odm/cg-nms.odm
 add-command show tpm application list | format flash:/managed/odm/cg-nms.odm
 add-command show version | format flash:/managed/odm/cg-nms.odm
 interval 10
 url https://cenbu-nms1.ipv6lab.com:9121/cgna/ios/registration
 gzip
cgna profile cg-nms-periodic
 add-command show version | format flash:/managed/odm/cg-nms.odm
 add-command show environment temperature | format flash:/managed/odm/cg-nms.odm
 add-command show hosts | format flash:/managed/odm/cg-nms.odm
 add-command show interfaces | format flash:/managed/odm/cg-nms.odm
 add-command show ipv6 dhcp | format flash:/managed/odm/cg-nms.odm
 add-command show ipv6 interface | format flash:/managed/odm/cg-nms.odm
 add-command show snmp mib ifmib ifindex | format flash:/managed/odm/cg-nms.odm
 add-command show platform hypervisor | format flash:/managed/odm/cg-nms.odm
 add-command show sd-card password status | format flash:/managed/odm/cg-nms.odm
 add-command show platform gps location | format flash:/managed/odm/cg-nms.odm
 add-command show raw-socket tcp sessions | format flash:/managed/odm/cg-nms.odm
 add-command show raw-socket tcp statistics | format flash:/managed/odm/cg-nms.odm
 add-command show scada tcp | format flash:/managed/odm/cg-nms.odm
 add-command show scada statistics | format flash:/managed/odm/cg-nms.odm
 add-command show tpm application list | format flash:/managed/odm/cg-nms.odm
 add-command show controllers dot16radio 6/1 | format flash:/managed/odm/cg-nms.odm
 add-command show interfaces dot16radio 6/1 association | format flash:/managed/odm/cg-nms.odm
 add-command show wpan 5/1 hardware version | format flash:/managed/odm/cg-nms.odm
 add-command show cellular 3/1 all | format flash:/managed/odm/cg-nms.odm
 interval 5
 url https://cenbu-nms1.ipv6lab.com:9121/cgna/ios/metrics
 gzip
 active
cgna profile cg-nms-rpl
 interval 480
cgna exec-profile cgdm-dashboard-profile
 add-command show inventory | format flash:/managed/odm/cg-dm.odm
 add-command show module | format flash:/managed/odm/cg-dm.odm
 add-command show platform led | format flash:/managed/odm/cg-dm.odm
 add-command show platform led summary | format flash:/managed/odm/cg-dm.odm
 add-command show processes cpu | format flash:/managed/odm/cg-dm.odm
 add-command show memory statistics | format flash:/managed/odm/cg-dm.odm
 interval 10
 exec-count 1
cgna exec-profile cgdm-minidashboard-profile
 add-command show version | format flash:/managed/odm/cg-dm.odm
 add-command show inventory | format flash:/managed/odm/cg-dm.odm
 add-command show environment temperature | format flash:/managed/odm/cg-dm.odm
 add-command dir | format flash:/managed/odm/cg-dm.odm
 add-command show platform hypervisor | format flash:/managed/odm/cg-dm.odm
 interval 10
 exec-count 1
event manager environment ZTD_SCEP_CGNA_Profile cg-nms-tunnel
event manager environment ZTD_SCEP_LDevID_trustpoint_name LDevID
event manager directory user policy "flash:/eem"
event manager policy tm_ztd_scep.tcl type system
event manager policy cg-nms-eem.tcl
end
CGR-JAF1626AQED#
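The sample CGR configurations above contain settings that a field deployment would normally tighten: cleartext passwords and RADIUS key, revocation-check none, exec-timeout 0 0, Telnet-capable lines, and SHA-1 with DH group 5 in the IKEv2 proposal. The following Python is an added example, not part of the Cisco manual, that audits a running-config for those settings and compares the result against a constructed, tightened counterpart; the rule names, the one-command-per-line input layout and the placeholder values in HARDENED are assumptions.

```python
import re

# Excerpt assembled from the two CGR sample configurations above, written one
# command per line with sub-commands indented (assumed input layout).
SAMPLE = """\
no service password-encryption
enable password cisco
aaa authentication enable default none
crypto pki trustpoint SG
 enrollment mode ra
 revocation-check none
username admin password 0 Cisco12345
crypto ikev2 proposal FlexVPN_IKEv2_Proposal
 encryption aes-cbc-128
 integrity sha1
 group 5
radius server nps-radius
 address ipv4 192.168.193.21 auth-port 1645 acct-port 1646
 key Cisco123
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 0 0
 transport input all
"""

# Constructed counterpart with each flagged setting tightened; the <...>
# values are placeholders, not real hashes or keys.
HARDENED = """\
service password-encryption
enable secret 9 <hash>
aaa authentication enable default group nps-group enable
crypto pki trustpoint SG
 enrollment mode ra
 revocation-check crl
username admin privilege 15 secret 9 <hash>
crypto ikev2 proposal FlexVPN_IKEv2_Proposal
 encryption aes-cbc-256
 integrity sha256
 group 19
radius server nps-radius
 address ipv4 192.168.193.21 auth-port 1645 acct-port 1646
 key 6 <encrypted-key>
line con 0
 exec-timeout 10 0
line vty 0 4
 exec-timeout 10 0
 transport input ssh
"""

# (rule id, parent-block regex or None for a global command, command regex, reason)
RULES = [
    ("pw-encryption-off", None, r"no service password-encryption$", "passwords and keys stay in cleartext"),
    ("enable-password", None, r"enable password ", "use 'enable secret', which stores a hash"),
    ("enable-no-auth", None, r"aaa authentication enable default none$", "privileged mode needs no password"),
    ("user-cleartext", None, r"username \S+ (privilege \d+ )?password 0 ", "type 0 local password is cleartext"),
    ("no-revocation", r"crypto pki trustpoint ", r"revocation-check none$", "revoked certificates are still accepted"),
    ("ike-sha1", r"crypto ikev2 proposal ", r"integrity sha1$", "SHA-1 integrity is a legacy choice"),
    ("ike-dh5", r"crypto ikev2 proposal ", r"group 5$", "DH group 5 (1536-bit MODP) is a legacy choice"),
    ("radius-key-cleartext", r"radius server ", r"key (?![67] )\S+$", "shared secret stored in cleartext"),
    ("no-exec-timeout", r"line ", r"exec-timeout 0 0$", "idle sessions never time out"),
    ("telnet-allowed", r"line ", r"transport input .*\b(all|telnet)\b", "line accepts Telnet"),
]


def parse(config):
    """Yield (line_number, parent_block_or_None, command) for each command."""
    parent = None
    for number, raw in enumerate(config.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' comment/separator lines
        if raw[0].isspace():
            yield number, parent, raw.strip()
        else:
            parent = raw.strip()
            yield number, None, parent


def audit(config):
    """Return (line_number, rule_id, command, reason) for every rule that fires."""
    findings = []
    for number, parent, command in parse(config):
        for rule_id, parent_re, command_re, reason in RULES:
            if parent_re is None and parent is not None:
                continue  # global rule, but this is a sub-command
            if parent_re is not None and not (parent and re.match(parent_re, parent)):
                continue  # block rule, but we are not inside that block
            if re.match(command_re, command):
                findings.append((number, rule_id, command, reason))
    return findings


if __name__ == "__main__":
    for number, rule_id, command, reason in audit(SAMPLE):
        print(f"line {number}: [{rule_id}] {command} -- {reason}")
```
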
Sample ASR Configuration
SOL-ASR-7# show run brief
Building configuration...
Current configuration : 5512 bytes
! Last configuration change at 10:38:26 PST Fri May 16 2014 by admin
! NVRAM config last updated at 13:44:36 PST Thu May 15 2014 by admin
version 15.4
service timestamps debug datetime msec
service timestamps log datetime localtime
no platform punt-keepalive disable-kernel-core
hostname SOL-ASR-7
boot-start-marker
boot system flash:asr1000rp1-adventerprisek9.03.11.00.S.154-1.S-std.bin
boot-end-marker
aqm-register-fnf
vrf definition Mgmt-intf
 address-family ipv4
 exit-address-family
 address-family ipv6
 exit-address-family
no logging console
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network FlexVPN_Author local
aaa session-id common
clock timezone PST -8 0
no ip domain lookup
ip domain name ipv6lab.com
ipv6 unicast-routing
ipv6 multicast-routing
subscriber templating
multilink bundle-name authenticated
crypto pki trustpoint LDevID
 enrollment retry count 10
 enrollment retry period 2
 enrollment mode ra
 enrollment profile LDevID
 serial-number
 ip-address none
 password
 fingerprint F23314787BD98B99AF1FE0B2D338961D125EAE51
 revocation-check none
 rsakeypair LDevID
crypto pki profile enrollment LDevID
 enrollment url http://192.168.100.120/certsrv/mscep/mscep.dll
crypto pki certificate map FlexVPN_Cert_Map 1
 issuer-name co cn = ipv6lab-sol-radius1-ca
crypto pki certificate chain LDevID
 certificate 4B8801480001000000FC
 certificate ca 2539E6B5CFF2FB894AC90A73EA69A645
spanning-tree extend system-id
username admin privilege 15 password 0 cisco
redundancy mode none
crypto ikev2 authorization policy FlexVPN_Author_Policy route set interface route set access-list FlexVPN_Client_Default_IPv4_Route route set access-list ipv6 FlexVPN_Client_Default_IPv6_Route 77 REVIEWDRAFT-CISCOCONFIDENTIAL
crypto ikev2 redirect gateway init crypto ikev2 proposal FlexVPN_IKEv2_Proposal encryption aes-cbc-128 integrity sha1 group 5
crypto ikev2 policy FLexVPN_IKEv2_Policy proposal FlexVPN_IKEv2_Proposal
crypto ikev2 profile FlexVPN_IKEv2_Profile match certificate FlexVPN_Cert_Map identity local dn authentication remote rsa-sig authentication local rsa-sig pki trustpoint LDevID aaa authorization group cert list FlexVPN_Author FlexVPN_Author_Policy virtual-template 1
crypto ikev2 cluster port 2000 standby-group group1 slave priority 90 slave max-session 10 no shutdown
cdp run
ip tftp source-interface GigabitEthernet0/0/3 ip ssh version 2
crypto ipsec transform-set AES_128_SHA1 esp-aes esp-sha-hmac mode transport
crypto ipsec profile FlexVPN_IPsec_Profile set transform-set AES_128_SHA1 set ikev2-profile FlexVPN_IKEv2_Profile responder-only
interface Loopback0 ip address 20.0.0.3 255.255.0.0 ipv6 address 2003:20::1/128 ipv6 address 2333::1/64 ipv6 enable ipv6 ospf 1 area 1
interface GigabitEthernet0/0/0 78 REVIEWDRAFT-CISCOCONFIDENTIAL ip address 173.36.248.224 255.255.255.192 negotiation auto cdp enable
interface GigabitEthernet0/0/1 ip address 10.0.2.70 255.255.255.0 ip pim sparse-mode negotiation auto ipv6 address 2001:A02::A00:246/64 ipv6 enable ipv6 ospf 1 area 1 ipv6 ospf mtu-ignore cdp enable
interface GigabitEthernet0/0/2 ip address 11.0.0.70 255.255.255.0 standby 1 ip 11.0.0.100 standby 1 priority 110 standby 1 name group1 negotiation auto ipv6 enable cdp enable
interface GigabitEthernet0/0/3 ip address 11.0.1.70 255.255.255.0 negotiation auto cdp enable
interface GigabitEthernet0/1/0 description WIMAX-BASESTATION ip address 192.10.0.88 255.255.255.0 negotiation auto
interface GigabitEthernet0/1/1 no ip address ip pim sparse-mode negotiation auto ipv6 address 2010:DEAD:BEEF:CAFE::1/64 ipv6 enable ipv6 ospf 1 area 1 ipv6 ospf mtu-ignore
interface GigabitEthernet0/1/2 no ip address ip pim sparse-mode negotiation auto ipv6 address 2011:DEAD:BEEF:CAFE::1/64 ipv6 enable ipv6 ospf 1 area 1 ipv6 ospf mtu-ignore
interface GigabitEthernet0/1/3 no ip address shutdown negotiation auto
interface GigabitEthernet0/1/4 no ip address shutdown negotiation auto
interface GigabitEthernet0 vrf forwarding Mgmt-intf no ip address 79 REVIEWDRAFT-CISCOCONFIDENTIAL shutdown negotiation auto
interface Virtual-Template1 type tunnel description ip pim sparse-mode ip unnumbered Loopback0 ipv6 address autoconfig ipv6 unnumbered Loopback0 ipv6 enable ipv6 ospf 1 area 1 ipv6 ospf mtu-ignore tunnel protection ipsec profile FlexVPN_IPsec_Profile
router ospf 1 redistribute static subnets network 10.0.2.0 0.0.0.255 area 1 network 11.0.0.0 0.0.0.255 area 1 network 11.0.1.0 0.0.0.255 area 1 network 173.36.0.0 0.0.255.255 area 1 network 192.10.0.0 0.0.0.255 area 1
ip forward-protocol nd
no ip http server no ip http secure-server ip route 10.0.0.0 255.255.255.0 173.36.248.193
ip access-list standard FlexVPN_Client_Default_IPv4_Route permit any
ipv6 route 2005:DEAD:BEEF:CAFE::/64 2001:420:7BF:7E8::1 ipv6 route 2006:DEAD:BEEF:CAFE::/64 2001:420:7BF:7E8::B ipv6 local pool IPV6_POOL 2001:10::/64 64 ipv6 pim rp-address 2333::1 ipv6 router ospf 1 redistribute static
ipv6 access-list FlexVPN_Client_Default_IPv6_Route permit ipv6 any any
control-plane
line con 0 exec-timeout 0 0 privilege level 15 stopbits 1 line aux 0 stopbits 1 line vty 0 4 privilege level 15 80 REVIEWDRAFT-CISCOCONFIDENTIAL transport input all transport output all
ntp server 192.168.100.250 netconf max-sessions 16 netconf ssh
end SOL-ASR-7#
Checking and Upgrading the WPAN Firmware Version

This section describes how to check the WPAN hardware and firmware versions and perform firmware upgrades.

Note: WPAN firmware is not upgraded automatically when the CGR is upgraded to a new image integrated with new WPAN firmware.

Minimum Firmware Version

The minimum supported firmware version for FSK WPAN is 5.2.82. The minimum supported firmware version for OFDM WPAN is 5.7.27.

Checking the WPAN Hardware and Firmware Versions

To check the version of the WPAN hardware in slot 4, run the following command:

Router# show wpan 4/1 hardware hwversion
hardware version: Itron OWCM
Hardware rev : 3.1
Hardware ID : RFLAN/3.60/3.80
Model name : OWCM

To check the installed firmware version of the WPAN, run the following command:

Router# show wpan 4/1 hardware version
firmware version: 5.5.48, apps/bridge, master, 4b89e37, Apr 4 2014

If the firmware integrated in the CGR image is later than the one installed on the WPAN, the CGR displays the following message:

Router# show wpan 4/1 hardware version
!NOTE! Current version of WPAN firmware is old. Please upgrade WPAN firmware.
firmware version: 5.2.82, apps/bridge, cg-mesh-5.2.82, c181854, Apr 24 2013

The show wpan <slot>/1 config command also displays the WPAN firmware version:

cgr1000# show wpan 4/1 config
module type: RF-WPAN (IEEE 802.15.4e/g RF 900MHz)
ssid: migration_far2
panid: 7224
transmit power: -34
channel: 254
dwell: window 20000 max-dwell 400
beacon async: min-interval 262 max-interval 1048 suppression-coefficient 1
security mode: 1
test mode: 0 (test firmware only)
admin_status: up
rpl prefix: 2091:1:1:1::/64
rpl route-poisoning: off
rpl dodag-lifetime: 120
rpl dio-dbl: 0
rpl dio-min: 20
rpl version-incr-time: 60
detach bridge: no
bootloader mode: no
mcast-agent: FF38:40:2091:1:1:1:0:1 61624 1153
firmware version: 5.5.48
slave mode: no

Use the install-firmware check command to determine the available WPAN firmware version integrated in the CGR image:

Router# config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface wpan 4/1
Router(config-if)# install-firmware check
WPAN firmware version 5.5.48 is to be installed when executing "install-firmware release"
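The version checks described in this section can be automated over captured CLI text. The following is an added example, not part of the Cisco manual: it parses the "show wpan <slot>/1 hardware version" and "install-firmware check" output shown above and compares the installed version with the stated minimums and with the version bundled in the CGR image. The function names, the status strings and the caller-supplied phy argument are assumptions, and the 5.2.9 sample is constructed.

```python
import re

# Minimum supported WPAN firmware versions as stated in this section.
MIN_FIRMWARE = {"FSK": (5, 2, 82), "OFDM": (5, 7, 27)}

INSTALLED_RE = re.compile(r"^\s*firmware version:\s*(\d+(?:\.\d+)+)", re.MULTILINE)
BUNDLED_RE = re.compile(r"WPAN firmware version (\d+(?:\.\d+)+) is to be installed")
OLD_BANNER = "Current version of WPAN firmware is old"

# Outputs copied from this section.
CURRENT_OUT = ("Router# show wpan 4/1 hardware version\n"
               "firmware version: 5.5.48, apps/bridge, master, 4b89e37, Apr 4 2014\n")
OLD_OUT = ("Router# show wpan 4/1 hardware version\n"
           "!NOTE! Current version of WPAN firmware is old. Please upgrade WPAN firmware.\n"
           "firmware version: 5.2.82, apps/bridge, cg-mesh-5.2.82, c181854, Apr 24 2013\n")
CHECK_OUT = ('WPAN firmware version 5.5.48 is to be installed when executing '
             '"install-firmware release"\n')
# Constructed sample: 5.2.9 sorts after 5.2.82 as a string but is numerically older.
CONSTRUCTED_OUT = "firmware version: 5.2.9, apps/bridge, constructed-sample\n"


def as_tuple(version):
    """'5.2.82' -> (5, 2, 82) so that comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def assess_wpan(version_output, check_output, phy):
    """Classify one WPAN module from captured CLI text.

    version_output: text of 'show wpan <slot>/1 hardware version'
    check_output:   text of 'install-firmware check' (may be empty)
    phy:            'FSK' or 'OFDM', supplied by the caller (assumption)
    """
    minimum = MIN_FIRMWARE[phy.upper()]
    found = INSTALLED_RE.search(version_output)
    if not found:
        # Module powered off, still reloading, or output truncated.
        return {"installed": None, "bundled": None, "status": "unknown"}
    installed = found.group(1)
    bundled_match = BUNDLED_RE.search(check_output)
    bundled = bundled_match.group(1) if bundled_match else None

    if as_tuple(installed) < minimum:
        status = "below-minimum"
    elif bundled and as_tuple(installed) < as_tuple(bundled):
        # The module is not upgraded automatically with the CGR image.
        status = "release-upgrade-available"
    elif OLD_BANNER in version_output:
        status = "release-upgrade-available"
    else:
        status = "ok"
    return {"installed": installed, "bundled": bundled, "status": status}


if __name__ == "__main__":
    for label, out, chk, phy in [
        ("current/FSK", CURRENT_OUT, CHECK_OUT, "FSK"),
        ("current/OFDM", CURRENT_OUT, CHECK_OUT, "OFDM"),
        ("old/FSK", OLD_OUT, CHECK_OUT, "FSK"),
        ("constructed/FSK", CONSTRUCTED_OUT, "", "FSK"),
    ]:
        print(label, assess_wpan(out, chk, phy))
```

A result of "unknown" is expected while a module is powered off or still inside the reload wait described in the upgrade procedure.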
Upgrading WPAN firmware

There are two ways to upgrade the WPAN firmware:

Upgrade from the current firmware (if older) to an integrated WPAN release firmware version.
Upgrade from the current firmware to a WPAN firmware copied to the CGR flash.

Upgrading to the Release Firmware

To upgrade the WPAN module to the firmware version integrated in the CGR image, follow these steps:

Procedure

Step 1 Install the release firmware:

Example:
Router(config-if)# install-firmware release
Firmware upgrade starting. This may take several minutes. Please do not interrupt.
....................
Installed the WPAN 5.0 firmware successfully (94 sec). Please reload the WPAN module in slot 4!!

Step 2 Power down the WPAN module:

Example:
Router# config t
Router(config)# hw poweroff 4

Step 3 Wait for WPAN power-down messages, and then wait another 60-90 seconds. Then, power up the module:

Example:
Router(config)# no hw poweroff 4

Step 4 Wait for WPAN power-up messages, and then wait at least 500 seconds before proceeding with any task on a WPAN under reload. Then, check WPAN status and hardware version:

Example:
Router# show ip interface brief | inc Wpan
Wpan4/1 unassigned YES unset up up
Router# show wpan 4/1 hardware version
firmware version: 5.5.48, apps/bridge, master, 4b89e37, Apr 4 2014

Upgrading to a non-integrated WPAN firmware

You can upgrade to a custom WPAN firmware other than the one integrated in the current CGR image. The appropriate WPAN firmware image must be copied to and available on the CGR flash in the root directory. To upgrade the WPAN to a non-integrated, custom firmware, follow these steps:

Procedure

Step 1 Install the non-integrated firmware:

Example:
Router(config-if)# install-firmware <firmware-filename>
Firmware upgrade starting. This may take several minutes. Please do not interrupt.
....

Step 2 Power down the WPAN module:

Example:
Router# config t
Router(config)# hw poweroff 4

Step 3 Wait for WPAN power-down messages, and then wait another 60-90 seconds. Then, power up the module:

Example:
Router(config)# no hw poweroff 4

Step 4 Wait for WPAN power-up messages, and then wait at least 500 seconds before proceeding with any task on a WPAN under reload. Then, check WPAN status and hardware version:

Example:
Router# show ip interface brief | inc Wpan
Wpan4/1 unassigned YES unset up up
Router# show wpan 4/1 hardware version
firmware version: 5.5.48, apps/bridge, master, 4b89e37, Apr 4 2014

Consult the following resources for related information about the Connected Grid WPAN Module for technical assistance.

Related Documentation

Hardware Overview and Installation
Cisco Connected Grid Module Guides: http://www.cisco.com/go/cgmodules
Cisco CGR 1240 Hardware Installation Guide: http://www.cisco.com/go/cgr1000-docs
Cisco CGR 1120 Hardware Installation Guide: http://www.cisco.com/go/cgr1000-docs
Cisco Field Network Director documentation: https://www.cisco.com/c/en/us/support/cloud-systems-management/iot-field-network-director/tsd-products-support-series-home.html

Supported Cisco Antennas and Accessories
Cisco CGR 1000 and 2000 Series Connected Grid Antennas Guides: http://www.cisco.com/en/US/docs/routers/connectedgrid/antennas/installing/cg_antenna_install_guide.html

Regulatory, Compliance, and Safety Information
Cisco Network Modules and Interface Cards Regulatory Compliance and Safety Information: http://www.cisco.com/en/US/docs/routers/access/interfaces/rcsi/IOHrcsi.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.

This document is to be used in conjunction with the documents listed in Related Documentation.

© 2014-2020 Cisco Systems, Inc. All rights reserved.

Americas Headquarters: Cisco Systems, Inc., San Jose, CA 95134-1706 USA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

© 2020 Cisco and/or its affiliates. All rights reserved.
1 2 3 4 | Modular Approval Letter | Cover Letter(s) | 26.91 KiB | September 15 2020 |
FCC Modular Approval Statement

Federal Communications Commission
7435 Oakland Mills Road
Columbia, MD 21046-1609

Date: 2020-03-31
FCC-ID: LDK-CGMOFDM

TO WHOM IT MAY CONCERN

Pursuant to Paragraphs FCC part 15.212, we herewith declare for our module.

Modular approval requirement | Yes / No |
---|---|
(a) The radio elements must have the radio frequency circuitry shielded. Physical/discrete and tuning capacitors may be located external to the shield but must be on the module assembly. | Yes |
(b) This modular transmitter has buffered input data according to the definition of DA00-1407 and complies with Part 15 requirements under conditions of excessive data rates or over-modulation. | Yes |
(c) The module shall have its own power supply regulation on the module. This is to ensure that the module will comply with the requirements set out in the applicable standard regardless of the design of the power supplying circuitry in the host device which houses the module. | Yes |
(d) The module must contain a permanently attached antenna, or contain a unique antenna connector, and be marketed and operated only with specific antenna(s), per Sections 15.203, 15.204(b), 15.204(c), 15.212(a), 2.929(b); | Yes |
(e) The module shall be tested for compliance with the applicable standard in a stand-alone configuration, i.e. the module must not be located inside another device during testing. | No |
(f) The module must be labelled with its permanently affixed FCC ID label, or use an electronic display (See KDB Publication 784748 about labelling requirements). | Yes |
(g) The module must comply with all specific rules applicable to the transmitter including all the conditions provided in the integration instructions by the grantee; | Yes |
(h) The module shall comply with applicable FCC RF exposure requirements, which are based on the intended use/configurations. | Yes |

Best Regards,
______________________
Name: Adam Walb
Title: MGR. IoT Compliance
frequency | equipment class | purpose | ||
---|---|---|---|---|
1 | 2020-09-15 | 902 ~ 928 | DSS - Part 15 Spread Spectrum Transmitter | Class II Permissive Change |
2 | 902 ~ 928 | DTS - Digital Transmission System | ||
3 | 2018-03-13 | 902 ~ 928 | DTS - Digital Transmission System | Original Equipment |
4 | 902 ~ 928 | DSS - Part 15 Spread Spectrum Transmitter |
app s | Applicant Information | |||||
---|---|---|---|---|---|---|
1 2 3 4 | Effective | 2020-09-15 | ||||
1 2 3 4 | | 2018-03-13 | ||||
1 2 3 4 | Applicant's complete, legal business name | Cisco Systems Inc | ||||
1 2 3 4 | FCC Registration Number (FRN) | 0004968939 | ||||
1 2 3 4 | Physical Address | 125 West Tasman Drive | ||||
1 2 3 4 | | San Jose, CA | ||||
1 2 3 4 | | San Jose, California 95134-1706 | ||||
1 2 3 4 | | United States | ||||
app s | TCB Information | |||||
1 2 3 4 | TCB Application Email Address | f******@cetecom.com | ||||
1 2 3 4 | TCB Scope | A4: UNII devices & low power transmitters using spread spectrum techniques | ||||
app s | FCC ID | |||||
1 2 3 4 | Grantee Code | LDK | ||||
1 2 3 4 | Equipment Product Code | CGMOFDM | ||||
app s | Person at the applicant's address to receive grant or for contact | |||||
1 2 3 4 | Name | L****** C******** | ||||
1 2 3 4 | | G**** T******** | ||||
1 2 3 4 | Title | Manager, Engineering | ||||
1 2 3 4 | Telephone Number | 408-5******** | ||||
1 2 3 4 | | 408-5******** | ||||
1 2 3 4 | Fax Number | 408-5******** | ||||
1 2 3 4 | | 408-5******** | ||||
1 2 3 4 | | L******@cisco.com | ||||
1 2 3 4 | | g******@cisco.com | ||||
app s | Technical Contact | |||||
n/a | ||||||
app s | Non Technical Contact | |||||
n/a | ||||||
app s | Confidentiality (long or short term) | |||||
1 2 3 4 | Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | Yes | ||||
1 2 3 4 | Long-Term Confidentiality Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | No | ||||
1 2 3 4 | Yes | |||||
1 2 3 4 | If so, specify the short-term confidentiality release date (MM/DD/YYYY format) | 09/09/2018 | ||||
if no date is supplied, the release date will be set to 45 calendar days past the date of grant. | ||||||
app s | Cognitive Radio & Software Defined Radio, Class, etc | |||||
1 2 3 4 | Is this application for software defined/cognitive radio authorization? | No | ||||
1 2 3 4 | Equipment Class | DSS - Part 15 Spread Spectrum Transmitter | ||||
1 2 3 4 | DTS - Digital Transmission System | |||||
1 2 3 4 | Description of product as it is marketed: (NOTE: This text will appear below the equipment class on the grant) | Connected Grid WPAN Module for Cisco 1000 Series Connected Grid Router | ||||
1 2 3 4 | Related OET KnowledgeDataBase Inquiry: Is there a KDB inquiry associated with this application? | No | ||||
1 2 3 4 | Modular Equipment Type | Limited Single Modular Approval | ||||
1 2 3 4 | Does not apply | |||||
1 2 3 4 | Purpose / Application is for | Class II Permissive Change | ||||
1 2 3 4 | Original Equipment | |||||
1 2 3 4 | Composite Equipment: Is the equipment in this application a composite device subject to an additional equipment authorization? | Yes | ||||
1 2 3 4 | Related Equipment: Is the equipment in this application part of a system that operates with, or is marketed with, another device that requires an equipment authorization? | No | ||||
1 2 3 4 | Grant Comments | Powers listed are conducted. This device must be installed to provide a separation distance of at least 20 cm from all persons. Installers must be provided with antenna installation and transmitter operating conditions for satisfying RF exposure compliance. This C2PC for limited single modular approval authorizes integration into host products of the grantee under the condition of adherence to the published module integration guidance. | ||||
1 2 3 4 | Powers listed are conducted. This device must be installed to provide a separation distance of at least 20 cm from all persons. Installers must be provided with antenna installation and transmitter operating conditions for satisfying RF exposure compliance. This C2PC for limited single modular approval authorizes integration into host products of the grantee under the condition of adherence to the published module integration guidance. | |||||
1 2 3 4 | Powers listed are conducted. This device must be installed to provide a separation distance of at least 20cm from all persons. Installers must be provided with antenna installation and transmitter operating conditions for satisfying RF exposure compliance. | |||||
1 2 3 4 | Is there an equipment authorization waiver associated with this application? | No | ||||
1 2 3 4 | If there is an equipment authorization waiver associated with this application, has the associated waiver been approved and all information uploaded? | No | ||||
app s | Test Firm Name and Contact Information | |||||
1 2 3 4 | Firm Name | CETECOM Inc. | ||||
1 2 3 4 | | Cisco Systems, Inc. | ||||
1 2 3 4 | Name | K******** L******** | ||||
1 2 3 4 | | G****** T******** | ||||
1 2 3 4 | Telephone Number | 408-5******** | ||||
1 2 3 4 | | 408-5******** | ||||
1 2 3 4 | Fax Number | 408-5******** | ||||
1 2 3 4 | | 40852******** | ||||
1 2 3 4 | | k******@cetecom.com | ||||
1 2 3 4 | | g******@cisco.com | ||||
Equipment Specifications |
---|
Line | Rule Parts | Grant Notes | Lower Frequency | Upper Frequency | Power Output | Tolerance | Emission Designator | Microprocessor Number |
1 | 1 | 15C | 902.00000000 | 928.00000000 | 0.7943000 |
2 | 1 | 15C | 902.00000000 | 928.00000000 | 0.6309000 |
3 | 1 | 15C | 902.00000000 | 928.00000000 | 0.6309000 |
4 | 1 | 15C | 902.00000000 | 928.00000000 | 0.7943000 |
some individual PII (Personally Identifiable Information) available on the public forms may be redacted, original source may include additional details
This product uses the FCC Data API but is not endorsed or certified by the FCC