Industrial IOT Gateways in Secure and Resilient Cellular · •Introduction • Cisco IR829 ... Cellular0 AUX SIM1-Modem1 Differences in RF connectors between single LTE and dual

Industrial IOT Gateways in Secure and Resilient Cellular and VPN Deployments

Kawal Grover, Technical Marketing Engineer

Pawel Cecot, Customer Support Engineer

LTRIOT-2570

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#LTRIOT-2570


Meet the Team

Pawel CecotCustomer Support Engineer

Kawal Grover Technical Marketing Engineer

• Introduction

• Cisco IR829 Overview

• Cisco IR829 in IoT Deployment Use Cases

• Security and Resiliency of IoT deployments

• Hands-on lab

• IR829 LTE with FlexVPN Lab (physical)

• FlexVPN Lab (virtual)

Agenda

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicLTRIOT-2570

Utility

• Long distance connection

• Harsh environment

• 3G/4G Backhaul

Manufacturing

• Non Stop Operation

• Flexible Layout Change

• Deterministic Control

• Security

Oil & Gas

• Pipeline Monitoring

• Long distance operation

• Extreme weather

• 3G/4G Backhaul

Transportation/Public Safety

• Incident Response

• Traffic/Signal Monitoring

• Passenger WiFi

• Physical Security

• Video Surveillance

Municipality

• Intelligent Traffic System

• Surveillance

• City-wide WiFi

• Lighting/Energy Mgmt

IR829(Single & Dual LTE)

IR809

Extending Intelligence to Operational Networks

Security High Availability FOGRuggedized

IR807

Cisco IOT Gateway Portfolio

7


Cisco Mobile Routers Portfolio

2xLTE

EDGE

COMPUTEWiFiRUGGEDIZED

OPERATIONSGYROSCOPE &

ACCELEROMETER AVAILABILITYLTEGPS

IR 809

60º

-40ºGlobally

IR 829 Dual LTE

60º

-40º

North

America

& Europe

only

IR 829 Single LTE

60º

-40ºGlobally

60º

-40º

U.S and

Europe

onlyIR 807

LTRIOT-2570 8

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 9

WLAN 2.4/5GHz

Dimensions: 7.7”x11”x1.73”

(DxWxH)

Temperature:-40C to +60C

Four 10/100/1000Base-T

30W Shared PoE/PoE+

SFP WAN Port

One RJ-45 RS232 Serial Port

One RJ-45 RS232/RS485 Serial Port

USB Type A port

6-32 VDC Power Input

Ignition Sense

Cellular1 MAIN

WLAN 2.4/5 GHzGPS Cellular1 Aux

Accelerometer

and Gyroscope

Cellular 0 MAIN

Mini USB Console SIM0-Modem0

Cellular0 AUX

SIM1-Modem1

Differences in RF

connectors between

single LTE and dual

LTE models

Available US, Europe, Canada

Cisco IR829 Industrial Integrated Services Routers (Dual LTE)

New

LTRIOT-2570


WLAN 5GHz

Dimensions: 7.7”x11”x1.73”

(DxWxH)

10.55”x11”x1.73”

(DxWxH)


Four 10/100/1000Base-T

30W Shared PoE/PoE+

SFP WAN Port

One RJ-45 RS232 Serial Port

One RJ-45 RS232/RS485 Serial Port

USB Type A port

6-32 VDC Power Input

Ignition Sense

WLAN 2.4 GHz

WLAN 5 GHzGPS WLAN 2.4 GHz

Accelerometer

and Gyroscope

Cellular MAIN

Mini USB Console Dual SIM

Cellular AUX

Available Worldwide

Cisco IR829 Industrial Integrated Services Routers (Single LTE)

LTRIOT-2570


mSATA SSD FRU

100GB / 50GB*

*FCS 1HCY2018. New hardware IR829M as it requires motherboard changes to IR829

Dimensions: 7.7”x11”x1.73” (DxWxH)


mSATA SSD

Endurance:100GB: 33TBW

50GB: 18TBW

New Cisco IR829M: mSATA SSD connector + POEFCS

1HCY2018

LTRIOT-2570 11


Pervasive Security

• Services included area firewall, VPN, which requires no additional hardware or client software.

• Hardware encryption, with greater scale

• Cisco IOS offers multiple VPN alternatives, based on the specific deployment needs. Two of the most commonly deployed for IoT is DMVPN and FlexVPN

IOx, Edge Computing

• Enable remote monitoring and controlling at the edge and improve process efficiency by moving the intelligence to edge rather than cloud.

• Scalable application life cycle management Via Fog director

Ruggedized, Purpose Built, Certified

• Ruggedized for Manufacturing, transportation, utilities, oil and gas, mining and municipality.

• Industrial: EN61131-2,Automotive, and SAEJ1455Military: MIL-STD-810G

Services Rich

• Gyroscope/accelerometer

• Dynamic and static routing

• IPV6 support on Ethernet as well as Cellular

• Ignition Power management

IR829 – More Than Just An Industrial Router

LTRIOT-2570 12

Management


* Kinetic GW Management: Available for Limited Availability

Branch IT Sophistication Level

Lower

Higher

Sc

ale

of

De

plo

ym

en

t

HigherSimplest

Ease of Management: Cloud, On-Prem and On-Device

Cloud Managed

IR829

Kinetic GW

Management*

Cloud

All

CCP Express

On-Device

<20

Units

Virtualized FND

On-prem on Server

ISR4K with UCSE

100-1K

Units

Field Network

Director

Cisco Prime

SNMP MIBs

On-prem infra

1K+Units

LTRIOT-2570 14


Cisco Configuration Professional Express (CCP Express)Onboard Device Management Shipping

IR8xx

Day to Day router management

Interface information and status

Traffic volume

Device information (Hostname, IOS version etc)

Cisco Active Advisor: Lifecycle information of network inventory

VPN: Advance configuration

Day 0 setup includes

Cellular

WAN

LAN

IOx

WiFi

Security

LTRIOT-2570 15


Kinetic GMM – Gateway Monitoring

16


Cisco IoT Gateway

App / Container

Edge Control

Apps, Analytics

and Services

MQTT, AMAP, etc..

Networking

OS

VPN

Gateway

Management

Operations

Center

Cisco Cellular Gateway Deployment Model

Cloud

Management

Platform

Secure

Connections

Cellular

Gateway

Connected

Devices

LTRIOT-2570 17


Kinetic GMM – Zero Touch Deployment

19


Kinetic GMM – Location Tracking

20

Cisco IR829 in IoT Deployment Use Cases


• Two concurrent LTE connections for

WAN redundancy and higher throughput

• Two models to cover the U.S and

EMEA regions:

• IR829-2LTE-EA-BK9 – U.S

• IR829-2LTE-EA-EK9 – EMEA

• Load balancing between

two carriers for better user

experience

• Routing based on signal

strength, technology, etc.

Police Cars /

AmbulancesAsset Management

Connected Mass Transit /

Fleet Management

Cisco IR829 Dual Active LTEPurpose built to withstand shock, vibration, humidity, temperature and dust

LTRIOT-2570 24


Cisco IoT Gateway in ActionPolice Car Use Case for IR829

Police Department in US

Business and Technology DriversProvide data, voice & video connectivity to police

vehicle while driving to incident site (mobile) and at

incident site (remote location) to coordinate response

system. Ability to backhaul recorded video over WiFi

once the police vehicle is back at the police station.

Cisco SolutionThe IR829 was deployed on each police vehicle that

provided highly secure connectivity on the move as

well as in remote locations. The ignition management

system on IR829 allowed the router to be powered on

for 15 minutes using battery even when the engine was

turned off to automatically upload the recorded videos

over WiFi backhaul at the police station.

25


Business and Technology DriversPressure to lower the opex and lower cost of operation

with LTE as compared to wireline triggered the

technology upgrade of ATM machines.

Cisco SolutionCisco Dual LTE IR829 for secure, reliable and

redundant LTE connectivity for financial transactions

and ATM inventory management. LTE WAN saves

70% opex as compared to wireline. Compact, rugged

form factor of Dual LTE IR829 meets space and

environmental constraints for cabinet installations.

Video surveillance and incident reporting uses edge

compute (IOx/Fog).

Cisco IoT Gateway in ActionATM Use Case for Dual LTE IR829

Large Bank in US

26


Business and Technology DriversExisting system to monitor fog encountered frequent

breakdowns resulting in safety concerns for commuters

and employees dispatched to close fog gates.

Cisco SolutionCisco IR829 with IOx fog computing for polling

roadside fog sensors in real-time and automated

response per policy at the edge for faster response

rather than sending all the data to control center.

Secure, reliable LTE connectivity for sending relevant

data to regional traffic center for deep learning of big

data. Paving way to additional use cases – Car as a

Sensor and Wrong Way Detection.

Cisco IoT Gateway in ActionRoadside Infrastructure Monitoring Use Case for IR829

Department of Transportation, US

27


Business and Technology DriversTwo way communication between home and grid for

energy delivery over 28,000 distribution miles. 3000

residential rooftops connect to 410 substations.

Cisco SolutionThe IR809 with IEC 61850-3 & IEEE 1613 compliance

won against GE MDS. Monitoring and managing

cellular signal strength, SMS notifications upon

anomalies way key to winning this account. IR809

provided enterprise-class secure VPN connectivity

over cellular, ruggedized to meet harsh Arizona

summer (120F) and ease of management with Cisco

Prime and APIC-EM.

$7200 in saving per resident.

Cisco IoT Gateway in ActionUtility Use Case for IR809

Electric Company in US

28


Business and Technology DriversWiFi hot spot for bus customers & Serve Dynamic

Media content for targeted Advertising. Generate new

revenue stream for the transportation company.

Cisco SolutionCisco IR829M provides onboard entertainment over

wifi to passengers on the bus. The IOx fog computing

hosts the Wifi Captive portal and Media server

applications. The 100GB Industrial grade mSATA SSD

(field replicable unit) stores large media files such as

movies and advertisements. The passengers can

access Internet on their devices using the Dual LTE

IR829 which support two active LTE WAN access with

different service providers simultaneously.

Cisco IoT Gateway in ActionOnboard Entertainment system and Advertisement

Use Case for Dual LTE IR829M – mSATA SSD (storage) +

IOX (application hosting)

Connect to the

Wi-fi portal

Review terms

and conditions

Gain mobile

internet

connectivity

Access

personalized

media and

content

100GB

mSATA

SSD

IR829M

FCS

1HCY2018

New IR829M hardware for mSATA SSD as it

requires motherboard changes to IR829

LTRIOT-2570 29

Security and Resiliency of IoT Deployments


IR800 Series Security Features

HARDWAREMechanical & Sensors

HARDWAREProcessors & Electronics

SOFTWAREApplications & Resources

Accelerometer

& Gyroscope*

Input Alarm

for Digital Sensors

GPS Asset Tracking

& Geo Fencing

Sim Card

Locking Plate

Trust Anchor Module

(ACT2 Chipset)

Fast Hardware

Based Encryption

Digital Signage

Validation

Code Signage

Application Level

Firewall

Secure Boot

Cisco Process

(CSDL, Vulnerability

Testing, PSIRT,

TALOS Group)

Hosted App

lifecycle security

with Cisco IOX*

* Not available on IR807LTRIOT-2570 31


WAN Security

WAN Security / VPN

• Flex

• DMVPN

• GRE

• IPSEC

• Mobile IP: NEMO &

PMIPv6

• Dynamic routing

Easy Management,

Web UI, Security

Preferences

Easy Scaling,

High Visibility

IR 829 Single LTE

IR 809

IR 829 Dual LTE

ASR 1000

ASR 5500

ASR 9000

IR800 Series Security Features

LTRIOT-2570 32

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 33LTRIOT-2570

FlexVPN Technology Overview

• What is FlexVPN?

• IKEv2 based unified VPN that combines Site-to-Site, Remote-Access, Hub-Spoke

and Spoke-Spoke topologies

• FlexVPN highlights

• Unified CLI

• Leverages common IOS Point-to-Point tunnel interface implementation

• Feature-rich: AAA, config-mode, dynamic routing, IPv6

• Simplified configuration using Smart Defaults

• IKEv2 standard compliant – interoperable with non-Cisco implementations

• Easy to learn, deploy, and manage


FlexVPN and Interfaces

Hub 1

Spoke 1

Tu0

VT1

VT1

VA1 VA2

VA1

Tu0

VT1VA1

Tu0

Hub 2

Tu0

VA3 Remote Access

Hub & Spoke

Dynamic Mesh

Site to Site

Tu

VT

VA

Static Tunnel

Virtual Template

Virtual Access

VT2

34LTRIOT-2570

Spoke 2 Remote

User


IKEv2 Exchanges Overview

IKE_SA authentication

parameters negotiated

IKE_SA_INIT

(2 messages)

IKE Authentication occurs

and one CHILD_SA created

IKE_AUTH + CREATE_CHILD_SA

(2 messages)

[ Second CHILD_SA created ]CREATE_CHILD_SA

(2 messages)

Protected dataA B


Configuration Payload

Initiator Responder

The server responds with the address

HDR,SK {IDr, AUTH,

CP(CFG_REPLY), SAr2, TSi, TSr}

HDR, SK {IDi, AUTH,

CP(CFG_REQUEST), SAi2, TSi, TSr}

The client asks for the address in IKE_AUTH


FlexVPN: IKEv2 Routing

• Route exchange during IKE negotiation is driven from the IKEv2 authorization policy

• This authorization profile is either locally defined or centralized (AAA server)!

• Administrative distance can be modified via route accept any distance <x>

C 192.168.1.0/24 Eth0

C 10.0.0.2 Tunnel0

S 0.0.0.0/0 Dialer0

S 10.0.0.254/32 Tunnel0

S 192.168.0.0/16 Tunnel0Routin

g T

able

C 192.168.100.0/24 Eth0

C 10.0.0.254/32 -> Loopback0

S 0.0.0.0/0 Dialer0

S 192.168.0.0/16 Null0

S 10.0.0.2/32 Tunnel0

S 192.168.1.0/24 Tunnel0

Routin

g T

able

Route Accept?

CFG_SET

CFG_ACK

CFG_REQUEST

CFG_REPLY

Route Accept?

Routes sent to peer are determined by:

interface (‘route set interface’)

access-list (‘route set access-list’)

direct statement (‘route set remote’)

Initiator sends its own routes to the

responder

Initiator Responder

Inbound route filter (by tag or AD) is possible using ‘route accept’

Default is ‘accept any’!

For maximal security, remote routes

can be denied and route addition can

be controlled locally using ‘route set local’

LTRIOT-2570 37

Routing Based Resiliency


1.

39LTRIOT-2570

FlexVPN BackupRouting Based Multi-Hub Resiliency (1)

192.168.100.0/24

2.

Tunnels to

both hubs are

constantly active

Traffic can transit via

either tunnel (active-

standby) or both tunnels

(load-balancing)


1.

40LTRIOT-2570


192.168.100.0/24

2.

Hub 1 fails,

Tunnels go down

(IKEv2 liveness,

hold timer,…)

Traffic goes through

remaining tunnel


1.

40LTRIOT-2570


192.168.100.0/24

2.

Hub 1 fails,

Tunnels go down

(IKEv2 liveness,

hold timer,…)


remaining tunnel


1.

40LTRIOT-2570


192.168.100.0/24

2.

Hub 1 fails,

Tunnels go down

(IKEv2 liveness,

hold timer,…)


remaining tunnel

Non-Routed Backup Mechanisms


1.

44LTRIOT-2570

FlexVPN Backup Peers (1)

192.168.100.0/24

2.

Tunnels are set up

to a primary Hub1

172.16.0.2172.16.0.1


1.

43LTRIOT-2570


192.168.100.0/24

2.172.16.0.1 172.16.0.2

The primary Hub1

fails


1.

43LTRIOT-2570


192.168.100.0/24

2.172.16.0.1 172.16.0.2

New tunnels are set up

to a backup Hub2

The primary Hub1

fails


RADIUS Backup List Attribute

ipsec:ipsec-backup-gateway

47LTRIOT-2570

FlexVPN Backup Peers (3) – Spoke Config.

Also works with Routing Protocol

crypto ikev2 authorization policy default

route set interface

route set access-list 99

aaa authorization network default local

crypto ikev2 profile default

match certificate HUBMAP

identity local fqdn Spoke1.cisco.com

authentication remote rsa-sig

authentication local pre-shared

keyring local

pki trustpoint CA

aaa authorization group cert list default default

dpd 30 2 on-demand

crypto ikev2 client flexvpn default

client connect tunnel 0

peer 1 172.16.1.254

peer 2 172.16.1.253

interface Tunnel0

ip address negotiated

tunnel source FastEthernet0/0

tunnel destination dynamic

tunnel protection ipsec profile default

Destination

managed by

FlexVPN

Detect Hub Failure

To Primary Hub

To Secondary Hub

Powerful Peer Syntaxpeer reactivate

peer <n> <ip>

peer <n> <ip> track <x>

peer <n> <fqdn> [dynamic [ipv6]]

peer <n> <fqdn> [dynamic …] track <x>

Up to 10 backup gateways pushed by config-exchange

Nth source selected only if corresponding track object is up

Switch back


FlexVPN Tunnel Pivot

• Use when different Service Providers are used to connect to remote host

Client Hub

Service Provider 2

GigE0/0

FastE2/0

ICMP-echo IP SLA probe

IPsec Tunnel

Tracker state (Up/Down)

Service Provider 1

LTRIOT-2570 45

track 1 ip sla 1 reachability

crypto ikev2 flexvpn client remote1

peer 10.0.0.1

source 1 interface GigabitEthernet0/0 track 1

source 2 interface FastEthernet2/0


interface Tunnel0


…

tunnel source dynamic


…




Client Hub

Service Provider 2

GigE0/0

FastE2/0


IPsec Tunnel


Service Provider 1

LTRIOT-2570 45



peer 10.0.0.1




interface Tunnel0


…



…




Client Hub

Service Provider 2

GigE0/0

FastE2/0


IPsec Tunnel


Service Provider 1

LTRIOT-2570 45



peer 10.0.0.1




interface Tunnel0


…



…




Client Hub

Service Provider 2

GigE0/0

FastE2/0


IPsec Tunnel


Service Provider 1

LTRIOT-2570 45



peer 10.0.0.1




interface Tunnel0


…



…

IoT Deployment Lab (physical)


IPv4 WAN Connection

LAN Connection

Active IPSEC Tunnel

Standby IPSEC Tunnel

IoT Depolyment Lab Topology

Data Center / Head Router

192.168.101.254/24

Hub-1

Hub-2173.36.209.22/26

192.168.123.123/24

192.168.X.254/24SP

eNodeB

Traffic Flow

LAN Devices

IR829

LTRIOT-2570

192.168.101.1/24

192.168.102.1/24

192.168.102.254/24

173.36.209.21/26

53


IPv4 WAN Connection

LAN Connection

Active IPSEC Tunnel


Non-Mission Critical Application


Hub-1

Hub-2

SP

eNodeB

Traffic Flow

LAN Devices

IR829

192.168.101.254/24

173.36.209.22/26

192.168.123.123/24

192.168.X.254/24

192.168.101.1/24

192.168.102.1/24

192.168.102.254/24

173.36.209.21/26

LTRIOT-2570 48


IPv4 WAN Connection

LAN Connection

Active IPSEC Tunnel




Hub-1

Hub-2

SP

eNodeB

Traffic Flow

LAN Devices

IR829

192.168.101.254/24

173.36.209.22/26

192.168.123.123/24

192.168.X.254/24

192.168.101.1/24

192.168.102.1/24

192.168.102.254/24

173.36.209.21/26

LTRIOT-2570 48


IPv4 WAN Connection

LAN Connection

Active IPSEC Tunnel




Hub-2

SP

eNodeB

Traffic Flow

LAN Devices

IR829

LTRIOT-2570

192.168.101.254/24

173.36.209.22/26

192.168.123.123/24

192.168.X.254/24

192.168.101.1/24

192.168.102.1/24

192.168.102.254/24

173.36.209.21/26

Hub-1

56


Hub-1

IPv4 WAN Connection

LAN Connection

Active IPSEC Tunnel


Mission Critical Application


Hub-2

SP

eNodeB

Traffic Flow

LAN Devices

IR829

LTRIOT-2570

192.168.101.254/24

192.168.123.123/24192.168.101.1/24

192.168.102.1/24

192.168.102.254/24

192.168.X.254/24

173.36.209.22/26

173.36.209.21/26

50


Hub-1

IPv4 WAN Connection

LAN Connection

Active IPSEC Tunnel




Hub-2

SP

eNodeB

Traffic Flow

LAN Devices

IR829

LTRIOT-2570

192.168.101.254/24

192.168.123.123/24192.168.101.1/24

192.168.102.1/24

192.168.102.254/24

192.168.X.254/24

173.36.209.22/26

173.36.209.21/26

50


Hub-1

IPv4 WAN Connection

LAN Connection

Active IPSEC Tunnel




Hub-2

SP

eNodeB

Traffic Flow

LAN Devices

IR829

LTRIOT-2570

192.168.101.254/24

192.168.123.123/24192.168.101.1/24

192.168.102.1/24

192.168.102.254/24

192.168.X.254/24

173.36.209.22/26

173.36.209.21/26

Hub-1

59

FlexVPN Lab (virtual)


Internet

IPv4 WAN Connection

IPv6 WAN Connection

LAN Connection

IPSEC Tunnel

FlexVPN in IoT Lab Topology

Spoke-1

Spoke-2

Hub-2Hub-1

209.1.1.2/24

209.1.2.2/24

172.16.1.0/24

172.16.2.0/24

.2

.1

.1.2

200.1.1.0/24

.2 .3

172.16.0.0/24

.2

.100

209.1.3.2/24

.2

.1172.16.3.0/24

DHCP

Spoke-3

Spk-1-Host

Spk-2-Host

Spk-3-Host

FreeRadius Server

.3

Broadband Backup

LTRIOT-2570 61


Hands-on lab

• Lab access – printed instructions.

• Lab guide

• Desktop

• http://cs.co/LTRIOT-2570

• In IoT Deployment Lab (physical), due to lack of console access, please DO NOT:

• Reload the router.

• Modify the GigabitEthernet1 or Vlan1 configuration.

• Add default/summary routes which can impact the connectivity

• In FlexVPN Lab (virtual) the simulations are already started – skip Step 3.

• 90 min per lab.

62LTRIOT-2570

http://cs.co/LTRIOT-2570


Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#LTRIOT-2570


• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Complete Your Online Session Evaluation

http://ciscolive.com/Online

http://www.ciscolive.com/global/on-demand-library/


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Tech Circle

• Meet the Engineer 1:1 meetings

• Related sessions

65LTRIOT-2570

Thank you

Documents

Industrial IOT Gateways in Secure and Resilient Cellular · •Introduction • Cisco IR829 ... Cellular0 AUX SIM1-Modem1 Differences in RF connectors between single LTE and dual