IOK Implementation

This chapter describes the implementation steps and configurations needed to deploy the end-to-end IOK AMI solution using the recommended reference topology. All configurations in this chapter are aligned with the design recommendations stated previously in Chapter 3, “System Architecture.” Each configuration item is described individually to allow a modular approach to implementation and to illustrate specific data flows and the associated network components.

The following steps describe the necessary installations and configurations required to implement the IOK AMI architecture:


Step 1 Install VMware ESXi 5.5 hypervisor software on the Cisco UCS.

Step 2 Configure UCS as an NTP client using Utilities NTP Time Source.

Step 3 Set up an ECC-based CA server for mesh endpoint authentication.

Step 4 Generate ECC certificates for Smart Meters and the RADIUS server.

Step 5 Install the IOK software package on UCS.

Step 6 Apply licenses to various IOK components, such as CA, RA, and FND.

Step 7 Ensure the necessary licenses such as ipbasek9 and securityk9 are Active and In-Use on CGR.

Step 8 Perform Zero Touch Deployment (ZTD) on CGR.

Step 9 Verify IPSec tunnel is UP between CGR and HER.

Step 10 Verify the status of CGR and HER on FND.

Step 11 Verify the necessary routing and switching features in the topology.

Step 12 Configure and integrate the firewall in the topology based on best practices.

Step 13 Configure and integrate Smart Meters with CGR and IOK HEN.

Step 14 Verify manageability of CGRs and CGEs in FND.

Step 15 Configure and integrate Itron Collection Engine with IOK HEN.


 

Prerequisites for Deploying IOK

Hardware

Table 5-1 shows the minimum requirements for installing the IOK solution on a Cisco UCS server.

 

Table 5-1 Hardware Requirements for IOK Deployment

Hardware | Specification
CPU | Two CPUs with 24 cores total, 12 cores per CPU, each running at 2 GHz
Hard Disk | 850 GB with a minimum of 10,000 rpm
Memory | 72 GB
NIC | Two Gigabit Ethernet ports
Hypervisor | VMware vSphere ESXi 5.0 or later software environment

Software

The following software is required:

  • Itron OpenWay Field Pro
  • Itron OpenWay Shop Manager
  • Itron OpenWay Collection Engine
  • VMware ESXi 5.5
  • Windows Server 2012 R2
  • Windows 7 workstation
  • IOK Software package from CCO

Licensing

The following are the required licenses:

  • IoT-FND license
  • RA License (for ESR5921 platform)
  • Internal CA License (for ESR5921 platform)
  • SecurityK9 License for CGR1K
  • DataK9 License for CGR1K

IPv4 Addressing

 

Table 5-2 IPv4 Addressing

Network | vSwitch | IP Addressing
IOK Operation Network | vSwitch0 | 10.106.224.128/26
IOK Internal Network | vSwitch1 | 192.168.234.0/25
IOK DMZ Network | vSwitch2 | 10.10.10.0/24
Tunnel Loopbacks | N/A | 192.168.150.0/24

IPv6 Addressing

 

Table 5-3 IPv6 Addressing

Network | IPv6 Prefix
Tunnel Loopbacks | 2001:DB8:2:2::/64
IOK Operation Network | 2001:FACE::/64
Mesh Endpoint Network | 2001:DB8:4:4::/64

Certificates

The following certificates are required for IOK install:

  • ECC Root CA certificate in pem/cer file format (base64 encoded)
  • ECC CPAR server certificate in pfx/PKCS12 format

Note RSA certificates are managed by the IOK internal CA; ECC certificates require an external CA.


Refer to ECC Type CA Server Configuration to set up an External CA and obtain the necessary certificates before proceeding to install IOK.

ECC Type CA Server Configuration

Root Certificate Authority (Root CA) Installation

The following prerequisites are required to install a root CA:

  • Set the correct system time and date on the Windows Server 2012 R2 machine on which the root CA will be installed, or enable the Windows Time service to synchronize time with an authoritative time source.
  • For each configuration page mentioned in the following steps, any settings/options that are not mentioned can remain at their default value.
  • For this installation, the server machine configured with Active Directory Certificate Services will be configured with Cryptographic Service Provider (CSP) as ECDSA P256#Microsoft Software Key Storage Provider.
  • In the following procedure to install the root CA, it is assumed that you want to install the Active Directory Certificate Services on a server machine that has successfully joined the Active Directory Domain as a member server.
  • If you want to install the root CA on a server machine that will also serve as a domain controller (DC) of an existing or new Active Directory Domain forest, you will need to promote the member server to be a DC manually.

To install a root CA, complete the following steps:


Step 1 In the Windows 2012 R2 server, choose Start, and then click Server Manager.

If Server Manager is not in the menu items, click Start, click the smart search box, and type server manager.

Step 2 Open Server Manager and under the Manage tab, click Add Roles and Features. Once the Add Roles and Features Wizard appears, click Next.

Step 3 For the installation type, select Role-based or Feature-based installation and click Next.

Step 4 For server selection, choose Select a server from the server pool and click Next.

The server pool contains the existing server on which CA role is being installed.

Step 5 For server roles selection, check Active Directory Certificate Services (ADCS). In the pop-up that appears, click on Add Features required for ADCS and click Next.

Step 6 On the Features page, click Next.

Step 7 On the ADCS page, click Next.

Step 8 On the Select Role Services page, check the following role services and then click Next.

Click on Add Features in the following pop-ups that appear:

  • Certification Authority
  • Certification Authority Web Enrollment
  • Online Responder

Step 9 On the Webserver Role (IIS) page, click Next.

Step 10 On the select Role Services page, click on Web Server and leave the default settings enabled. Click Next.

Step 11 On the Confirmation page, check the Restart the destination server automatically if required option. Click Yes on the pop-up that appears and click on Install. Once the install is completed, click Close.

Step 12 On the Server Manager page, click on the notification that appears regarding Post-deployment Configuration for ADCS.

Step 13 On the Credentials page, specify the Domain Administrator account in the credentials box and click Next.

Step 14 On the Role Services page, verify the roles selected in Step 8 are checked and click Next.

Step 15 On the Setup type page, select Enterprise CA to configure this CA to be a member of a domain and to use Active Directory Services to issue and manage certificates and click Next.


Note You must have a network connection to a domain controller to install an enterprise CA. If the server machine on which you are installing the root CA is a DC, this requirement is automatically fulfilled.


Step 16 On the Specify CA Type page, click Root CA. Click Next.

Step 17 On the Set Up Private Key page, click Create a new private key. Click Next.

Step 18 On the Configure Cryptography for CA page, select the following CSP, key length, and hash algorithm:

  • Choose ECDSA P256#Microsoft Software Key Storage Provider for cryptographic service provider (CSP) to create a CA issuing certificates for mutual authentication between smart meters (CG-Mesh nodes) and FreeRADIUS (AAA server).
  • Choose 256 bit as the key length.
  • Choose SHA256 as the hash algorithm for signing certificates issued by this CA and click Next.

Step 19 On the Specify CA Name page, review the CA Common name and Distinguished name suffix (modify if required) and click Next.

Step 20 On the Set Validity Period page, specify the number of years or months that the root CA certificate is valid. You can choose the default validity period of 5 years or choose a shorter period if security is of prime concern. Click Next.

Step 21 On the CA database page, leave the default settings for Certificate database and database log locations and click Next.

Step 22 On the Confirmation page, review all selected configuration settings. To accept these options, click Configure and wait until the setup process completes.

Once the server role installation is completed, the Installation Results dialog displays.

Step 23 Verify that all desired server role services and features are shown with Configuration succeeded. Click Close to close this dialog.


Certificate Templates Using ECC Algorithm on the CA Server

Before creating certificate templates and issuing client certificates, ensure that certain additional fields are not included in the issued certificates, because they increase the size of the certificate and the network traffic. In some cases, these additional fields cause authentication to fail. Specifically, the client certificates should not include the Authority Information Access (AIA) and CRL Distribution Point (CDP) extensions.


Step 1 On the CA server machine, in the Server Manager tab, click Tools and click Certification Authority which opens the certsrv window.

Step 2 Right-click the CA server installed and select Properties.

Step 3 Inside the CA properties window, click the Extensions tab. Under Select Extension, choose CDP, select the ldap:/// location and uncheck the option to include in the CDP extension of issued certificates. Repeat this step to also remove the AIA extension.

Step 4 Next restart the Certificate Authority service. To do this, right-click the CA server inside the certsrv window and select All Tasks > Stop Service. This action stops the CA service.

Step 5 Now select All Tasks > Start Service to restart the CA service. Finally, close the certsrv window.


 

Smart Meter Certificate Template


Step 1 On the CA server machine, in the Server Manager tab, click Tools and click Certification Authority, which opens the certsrv window.

Step 2 Right-click the CA server installed and select Properties.

Step 3 In the General tab, complete the following steps:

a. Select View Certificate and click the Details tab.

b. Scroll down to see that the Signature algorithm used is SHA256ECDSA. The Public key should be ECC (256 Bits).

c. Once verified, click OK to close both the open windows.

Step 4 Now inside the certsrv window, click the installed CA to expand the tree view. Right-click Certificate Templates in the left tree menu and select Manage, which opens the Certificate Templates Console.

Step 5 Select and duplicate the Computer certificate template within the Certificate Templates Console.

Step 6 Under Compatibility tab settings, in Certification Authority and Certificate recipient select Windows Server 2012 R2 and approve the resulting changes. This is for Windows CA support to ensure that the certificate generated is X.509 version 3 and supports ECC/ECDSA-based keys.

Step 7 On the General tab rename the duplicated certificate template to a more intuitive name, for example, SmartMeter_Template and specify the Validity and Renewal periods as needed.

Step 8 On the Request Handling tab, change Purpose to Signature. Select Yes in the Certificate Templates warning dialog. To allow certificate private key exports in the Request Handling tab, select Allow private key to be exported.

Step 9 On the Cryptography tab for the Provider Category, select Key Storage Provider. For algorithm name, select ECDSA_P256. Minimum key size should be 256. For the Request hash, select SHA256.

Step 10 On the Subject Name tab, choose the Supply in the request option and select Yes in the Certificate Templates warning dialog. This is to enter the Subject Name and Common Name, which can be the EUI64 MAC address string of a smart meter that can be used for additional user authentication against the RADIUS server.

Step 11 On the Security tab for all listed group or user names, ensure that the Enroll and Auto-enroll permissions are check marked.

Step 12 Close the Certificate Templates Console, select the Certificate Templates folder from the certsrv window and complete the following steps:

a. Select New, and then set Certificate Template to Issue.

b. Select the new certificate template, SmartMeter_Template, and then click OK.

The new certificate template should be listed within the Certificate Templates folder in the certsrv window.


 

RADIUS Server Certificate Template

The following steps for generating a certificate used by the RADIUS server are similar to the previous steps used to create the client identity (smart meter) certificate:


Step 1 On the CA server machine, in the Server Manager tab, click Tools and click Certification Authority, which opens the certsrv window.

Step 2 Inside the certsrv window, click the installed CA to expand the tree view. Right-click Certificate Templates in the left tree menu and select Manage, which opens the Certificate Templates Console.

Step 3 Duplicate the Web Server certificate template.

Step 4 Under the Compatibility tab settings, in Certification Authority and Certificate recipient, select Windows Server 2012 R2 and approve the resulting changes. This is for Windows CA support to ensure that the certificate generated is X.509 version 3 and supports ECC/ECDSA-based keys.

Step 5 On the General tab, rename the duplicated certificate template to a more intuitive name, such as RADIUS, and specify the Validity and Renewal periods as needed.

Step 6 On the Request Handling tab, change Purpose to Signature. Select Yes in the Certificate Templates warning dialog. To allow certificate private key exports in the Request Handling tab, select Allow private key to be exported.

Step 7 On the Cryptography tab for the Provider Category, select Key Storage Provider. For algorithm name, select ECDSA_P256. Minimum key size should be 256. For the Request hash, select SHA256.

Step 8 On the Subject Name tab choose Supply in the request option and select Yes in the Certificate Templates warning dialog. This is to enter the Subject Name and Common Name of the RADIUS server.

Step 9 On the Security tab for all listed group or user names, ensure that the Enroll and Auto-enroll permissions are check marked.

Step 10 On the Extensions tab, select Application Policies and click Edit. Remove Client authentication, ensuring only Server Authentication is present. Close the Certificate Templates Console.

Step 11 Finally, enable the RADIUS server certificate by allowing this certificate template to be issued.


 

Generating Smart Meter and RADIUS Server Certificates


Step 1 On the CA server machine, open a cmd console. Type and enter each line as shown below:

certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.20.2
certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.21.7
certutil -setreg policy\DisableExtensionList +2.5.29.32
certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.21.10
certutil -setreg policy\DisableExtensionList +2.5.29.14
certutil -setreg policy\DisableExtensionList +2.5.29.35
 

Step 2 Restart the Certificate Authority Service for the above commands to take effect. These commands eliminate the Certificate Template Name, Certificate Template Information, Certificate Policies, and Application Policies extensions from the certificates.

Step 3 In the Run field or command shell, enter MMC.

Step 4 From the MMC console, select File and then Add/Remove Snap-in.

Step 5 Select Certificates from the left column and click Add to add it to the right column.

Step 6 Select Computer account and click Next.

Step 7 Select Local computer and then click Finish and click OK to close the Add or Remove Snap-ins window.

Step 8 From Console1, complete the following steps:

a. Click the Certificates (Local Computer) label to expand the view and click on the Personal folder.

b. Right-click it and select All Tasks > Request New Certificates.

c. Click Next.

Step 9 On the Certificate Enrollment Policy page, click Next. On the Request Certificates page, select the smart meter and the RADIUS server templates and then click the More information is required to enroll for this certificate. Click here to configure settings link. Repeat this for both of the certificates.

Step 10 In the Certificate Properties window, under the Subject tab for the Subject Name Type, select Common.

  • For the Smart Meter template, use the EUI 64 address of the communications module within the target smart meter.
  • For the RADIUS server template, choose any name, for example, RADIUS.
  • Click Add to move the value to the right column.
  • Click Apply or OK.

Step 11 After the certificate is generated, go back to the certsrv window and the Issued Certificates folder.

Step 12 Double-click the last issued certificates and click Details.

Step 13 Ensure that the Subject field contains the common name entered during the certificate enrollment request.

Step 14 To export the new certificates, re-open the MMC Console and select Certificates (Local Computer), then Personal, and Certificates.

Step 15 In the center pane, right-click the new certificate and then select All Tasks > Export.

Step 16 Select Yes, export the private key. To export the .cer format of the certificate without the private key, do not select the Yes, export the private key option in this step.

Step 17 Select Personal Information Exchange - PKCS #12 (.PFX) as the certificate format. It is important to select Include all certificates in the certification path if possible option to ensure that the CA certificate is included in the export file. Leave the other two selections unchecked.

Step 18 On the next page for security, check the Password box and provide a password for the private key and click Next.

Step 19 Save the certificate file on the local machine and export it securely. Repeat the export steps for both certificates (Smart Meter and RADIUS server).
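
The following check is an added example, not part of the original guide or the IOK package. It verifies that an issued certificate matches the profile configured above: ECC P-256 key, ECDSA with SHA-256 signature, the expected common name, and none of the extensions removed on the CA Extensions tab (AIA, CDP) or through the DisableExtensionList commands (of the six OIDs listed there, 2.5.29.14 and 2.5.29.35 are the Subject Key Identifier and Authority Key Identifier). It assumes the third-party Python cryptography package; the certificates and the EUI-64 string are constructed for the demonstration.

```python
"""Check issued certificates against the lean ECC profile described above."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

ECDSA_WITH_SHA256 = "1.2.840.10045.4.3.2"

# AIA and CDP are removed on the CA Extensions tab; the other six OIDs are the
# ones passed to certutil DisableExtensionList in Step 1.
UNWANTED_EXTENSIONS = {
    "1.3.6.1.5.5.7.1.1": "Authority Information Access",
    "2.5.29.31": "CRL Distribution Points",
    "1.3.6.1.4.1.311.20.2": "Certificate Template Name",
    "1.3.6.1.4.1.311.21.7": "Certificate Template Information",
    "2.5.29.32": "Certificate Policies",
    "1.3.6.1.4.1.311.21.10": "Application Policies",
    "2.5.29.14": "Subject Key Identifier",
    "2.5.29.35": "Authority Key Identifier",
}


def check_profile(cert, expected_cn):
    """Return findings for one certificate; an empty list means it fits."""
    findings = []
    public_key = cert.public_key()
    if not (isinstance(public_key, ec.EllipticCurvePublicKey)
            and public_key.curve.name == "secp256r1"):
        findings.append("public key is not ECC P-256")
    if cert.signature_algorithm_oid.dotted_string != ECDSA_WITH_SHA256:
        findings.append("signature algorithm is not ECDSA with SHA-256")
    common_names = [attr.value for attr in
                    cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if common_names != [expected_cn]:
        findings.append(f"subject CN {common_names} is not {expected_cn!r}")
    for ext in cert.extensions:
        label = UNWANTED_EXTENSIONS.get(ext.oid.dotted_string)
        if label:
            findings.append(f"unwanted extension: {label}")
    return findings


def issue_test_cert(ca_key, subject_cn, subject_key, extensions=()):
    """Issue a throwaway certificate so the check can be exercised offline."""
    start = datetime.datetime(2024, 1, 1)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name(
            [x509.NameAttribute(NameOID.COMMON_NAME, "Constructed ECC Root CA")]))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
    )
    for extension in extensions:
        builder = builder.add_extension(extension, critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def demo():
    """Run the check over three constructed certificates."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    meter_cn = "0200000000000001"  # constructed EUI-64 string, not a real meter
    meter_key = ec.generate_private_key(ec.SECP256R1())
    url = x509.UniformResourceIdentifier("http://ca.example.invalid/root")
    bloated = [
        x509.AuthorityInformationAccess(
            [x509.AccessDescription(AuthorityInformationAccessOID.CA_ISSUERS, url)]),
        x509.CRLDistributionPoints(
            [x509.DistributionPoint([url], None, None, None)]),
        x509.SubjectKeyIdentifier.from_public_key(meter_key.public_key()),
    ]
    p384_key = ec.generate_private_key(ec.SECP384R1())
    return {
        "lean": check_profile(issue_test_cert(ca_key, meter_cn, meter_key), meter_cn),
        "bloated": check_profile(
            issue_test_cert(ca_key, meter_cn, meter_key, bloated), meter_cn),
        "wrong_curve": check_profile(
            issue_test_cert(ca_key, meter_cn, p384_key), meter_cn),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

To check a real export, load the .cer file with x509.load_pem_x509_certificate (or x509.load_der_x509_certificate for a DER file) and pass the result to check_profile together with the expected common name.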


 

IOK Installation

This section describes the step-by-step procedure to install Cisco IOK on a Cisco UCS server. IOK VM components are installed using a Microsoft Windows 7 installer script.

The script creates the VMs, installs the host OS, and deploys and configures the IOK components.

Preparing the UCS

Follow the steps in the sections below to prepare the Cisco UCS for IOK deployment.

Installing Hypervisor ESXi Host

Follow the VMware vSphere 5.5 Documentation to install ESXi hypervisor on Cisco UCS.

Disassociate ESXi Host from vCenter Server

If the ESXi host is managed by vCenter Server, then you need to disassociate it before starting to install the Cisco IOK solution.

The IOK installer script requires complete control of the ESXi host to create VMs, create vSwitch ports, and configure the IOK VMs, so a host that is managed by vCenter must be disassociated from it first.


Note ESXi host can be associated again with vSphere after installing the Cisco IOK package.



Step 1 On the summary pane of the ESXi host, click the Disassociate host from vcenter link, as shown in Figure 5-1.

Figure 5-1 vCenter Control—Disassociate ESXi Host from vCenter

 

Step 2 Verify that ESXi host is disassociated by checking on the Summary pane that the link Disassociate host from vCenter server… is no longer available, as shown in Figure 5-2.

Figure 5-2 vCenter control—Disassociate vCenter

 


 

Configuring the ESXi Host as NTP Server for all IOK VMs

Complete the following steps to configure Cisco UCS server with enterprise NTP source:


Step 1 On the vSphere client application, select the ESXi host IP on the left pane and then select the Configuration tab on right pane, as shown in Figure 5-3. Navigate following the number sequence as marked.

Figure 5-3 Preparing ESXi Host—Setting NTP Source for UCS Server

 

Step 2 Click the Add button, as shown in Figure 5-4.

Figure 5-4 Preparing ESXi Host—Adding New NTP Source

 

Step 3 Enter the NTP source IP address and click the OK button, as shown in Figure 5-5.

Figure 5-5 Preparing ESXi Host—Save NTP Source IP

 

 

Step 4 Verify that the NTP servers are updated, the NTP client is Running, and the Date and Time is synchronized with the enterprise NTP server clock.

Figure 5-6 Preparing ESXi Host—Verify NTP Settings

 


 

Preparing the IOK Configuration XML File

The IOK installer package includes an XML configuration template. Use the template and modify it as required for the deployment environment. The filled-in XML configuration is used as the input file for the IOK installer script.

Table 5-4 explains the XML tags usage.

 

Table 5-4 IOK Configuration Template Information

System
Variables
Description

DMZ network settings

<dmz_interface>

 

Information required for connection to the DMZ network.

<gateway>ip address</gateway>

Enter the gateway address for the Ethernet port on the server (IOK) that connects to the DMZ network.

<netmask>mask address</netmask>

 

Enter the subnet mask address for the DMZ network. The default value is 255.255.255.0.

<dns>ip address</dns>

 

Enter the Domain Name Server (DNS) address for the DMZ network.


Note You may leave this field blank if you do not know the DNS address.


NTP server <ntp_server>

Information required for the NTP server(s). You can define multiple NTP servers.

<server>ip address | server name</server>

Enter either the IP address or name of the NTP server. When you use an NTP server name, the server must have a DNS defined that is accessible to the UCS server.

<version>version</version>

Enter the NTP protocol version. If you do not enter an NTP protocol version, the software assigns the default value of 4 (NTPv4). You can also assign a value of 3 (NTPv3).

RSA certificate

RSA certificate is required for security. You can use either the CA virtual machine or an external server. If you use an external server, you will need to provide the SCEP URL and CA certificate.

<using_external_ca>true | false</using_external_ca>

Enter false if you want to use the CA server virtual machine. Enter true if you want to use an external CA server.

External CA

Information required if you are using an external CA server.

<scep-url>URL</scep-url>

Enter the URL for the CA certificate provided by the customer infrastructure (.cer or .pem). The head-end router (CSR 1000V) and CGR 1000 router require the SCEP to enroll the certificates.

<ca-cert>path</ca-cert>

Enter the path to the NMS certificate in pfx/PKCS12 format.

<nms-cert>password</nms-cert>

Enter the NMS certificate import password for the NMS certificate in pfx/PKCS12 format.

<tps-cert>password</tps-cert>

Enter the TPS certificate import password. It is usually set when you import the pfx certificate.

Internal CA server

Information required if you install a CA server virtual machine.

<ca_ipv4>IPv4 address</ca_ipv4>

Enter the IPv4 address for the CA virtual machine.

<login>admin</login>

Enter admin as username login for the CA virtual machine.

<password>password</password>

(Optional) Password required to turn on privileged commands. You can configure this later.

<enable_secret>password</enable_secret>

(Optional) Enables the newly defined password.

NMS and TPS certificates <certificate>

Security information required for NMS and TPS virtual machines.

<ca_cert>customer CA certificate</ca_cert>

Enter the CA certificate provided by the customer's Certificate Authority infrastructure.

<nms_cert>NMS certificate</nms_cert>

Enter the NMS server certificate in pfx/PKCS12 format.

<nms_cert_password>NMS certificate import password</nms_cert_password>

Enter the certificate password set when you imported the pfx certificate.

<tps_cert>TPS certificate</tps_cert>

Enter the TPS server certificate in pfx/PKCS12 format.

<tps_cert_password>TPS certificate import password</tps_cert_password>

Enter the certificate password set when you imported the pfx certificate.

ECC certificate

<ca_cert>CA certificate</ca_cert>

Enter path for customer-provided ECC Root CA certificate pem/cer file (Base-64 encoded).

<subca_cert>CA certificate</subca_cert>

(Optional) Enter path for customer-provided ECC Sub CA certificate in pem/cer format.

<cpar_cert>CA certificate</cpar_cert>

Enter path for CPAR ECC certificate in pfx/PKCS12 format.

<cpar_cert_password>password</cpar_cert_password>

Import password to protect the private key for CPAR ECC certificate.

Operation IPs

<vm_ip>

Operation IP addresses must be reserved for each of the following virtual machines (NMS, TPS, Oracle, CPAR, Orchestration) installed on the server.

<nms_ipv4>ip address</nms_ipv4>

Enter the NMS operation IPv4 address.

<oracle_ipv4>ip address</oracle_ipv4>

Enter the Oracle operation IPv4 address.

<cpar_ipv4>ip address</cpar_ipv4>

Enter the CPAR operation IPv4 address.

<orch_ipv4>ip address</orch_ipv4>

Enter the Orchestration/Controller operation IPv4 address.

<tps_ipv4>ip address</tps_ipv4>

Enter the TPS operation IPv4 address.

License <license>

Information about NMS and CPAR licenses.

<nms_license>NMS license</nms_license>

(Optional) Enter the file path of the NMS production or evaluation license on the Windows 7 PC where the installer resides.

NMS can support up to 25 end devices without a license.

<cpar_license>CPAR license</cpar_license>

(Mandatory) Enter the file path of the CPAR production or evaluation license on the Windows 7 PC where the installer resides.

Head-end Router <router_csr1000v_her>

Information required for the Head-end router, Cisco CSR 1000V, that connects to both the Public Network (DMZ network) and Private Network (Data Center network). You must define at least one interface to each of the networks.

<datacenter_interface>

<ipv4>ip address</ipv4>

Enter the IPv4 address for the router interface that will connect to the data center network (Private Network).

<ipv6>ip address/prefix</ipv6>

(Optional) Enter the IPv6 address for the router interface that will connect to the Private Network (data center network). Otherwise, leave this field blank.

Example IPv6 address: 2001:1234::1/64.

<dmz_interface>

<ipv4>ip address</ipv4>

Enter the IPv4 address for the router interface that will connect to the Public Network (DMZ).

<ipv6>ip address</ipv6>

(Optional) Enter the IPv6 address for the router interface that will connect to the Public Network (DMZ). Otherwise, leave the field blank.

<loopback_interface>

<ipv4>ip address</ipv4>

Loopback interface reserved for FlexVPN virtual template. All defined FlexVPNs will use this interface for traffic forwarding.

Enter the IPv4 address for the router loopback interface.


Note Interface can also be used by the NMS and data center network for management purposes. IP addresses can be pulled from the IP pool defined in the <ip_management> section.


<netmask>ip address</netmask>

Enter the mask address for the loopback interface. The Default value is 255.255.255.0.

<ipv6>ip address</ipv6>

(Optional) Enter the IPv6 address for the loopback interface. Otherwise, leave the field blank.

Router Login Username <login>

Information about the head-end router login username and secret word.

<password>password</password>

Enter the password for the router login username or leave the field blank and enter it during installation.

<enable_secret>secret</enable_secret>

Enter the router secret word to turn on privileged commands or leave field blank and enter it during installation.

Simple Certificate Enrollment Protocol (SCEP)

Information about the SCEP URL used to authenticate and enroll certificate.

<scep_url>SCEP_URL</scep_url>

Enter the SCEP URL. For example, http://server name or IP/certsrv/mscep/mscep.dll.

Registration Authority <router_esr5921_ra>

Information on the router, Cisco 5921 ESR, that serves as Registration Authority. You must define at least one interface to the Public Network (DMZ network) and one interface to the Private Network (data center network).

<ipv4>ip address</ipv4>

Enter the IP address for the RA router that will connect to the NMS and CA server in the Private Network (data center network).


Note NMS and CA server must be able to reach this router.


<ipv6>ip address</ipv6>

(Optional) Enter the IPv6 address for the router interface that will connect to the Private Network (data center network). Otherwise, leave the field blank.

<ipv4>ip address</ipv4>

Enter the IP address for the RA router that will connect to the Public Network (DMZ).


Note Interface must be reachable by field end devices before the secure tunnel is established.


<ipv6>ip address</ipv6>

(Optional) Enter the IPv6 address for the router interface that will connect to the Public Network (DMZ). Otherwise, leave the field blank.

Router Login Username

<login>

Information about Registration Authority router login username and secret word.

<password>password</password>

Enter the password for the router login username or leave the field blank and enter it during installation.

Router Provision <router_provisions>

(Optional) Only required if the Head-end infrastructure needs to support mesh endpoints. For router only deployment, leave this section unconfigured.

<mesh_provision>

IPv6 address information for NMS and Orchestration virtual machine interfaces in the data center network and in some cases the Service Provider data collection engine (CE).


Note The IPv6 address for the CE is only required when it is not in the same subnet as the NMS virtual machine.



Note Ensure that the IPv6 addresses for NMS, Orchestration and HER virtual machines are in the same subnet.


<nms_ipv6>ipv6 address</nms_ipv6>

IPv6 address for the NMS virtual machine interface in the data center network.

<orch_ipv6>ipv6 address</orch_ipv6>

IPv6 address for service provider data collection engine (CE).


Note Optional configuration if the IPv6 DHCP server for mesh endpoints is configured on CGR 1000.


<ce_ipv6>ipv6 address</ce_ipv6>

IPv6 address for service provider data collection engine (CE).


Note Only required when the IPv6 address for the CE is not in the same subnet as the NMS virtual machine.


<ip_management>

Information on IPv4 pools for field end devices and head-end router loopback interfaces.

<ip_subnet>subnet</ip_subnet>

Define an IPv4 subnet, such as 192.168.100.0.

<ip_netmask>mask address</ip_netmask>

Enter the mask address. The default value is 255.255.255.0.

<ip_start>ip address</ip_start>

Enter the starting IPv4 address within the subnet.

<ip_end>ip address</ip_end>

Enter the ending IPv4 address within the subnet.

Information on IPv6 pools for field end devices and head-end router loopback interfaces.

Interfaces are also a path for communication with NMS.

<ip_prefix>prefix scope</ip_prefix>

Define the prefix scope, such as 2001:cafe:bear::/64.

<ip_start>ip address</ip_start>

Enter the starting IPv6 address within the prefix scope.

<ip_end>ip address</ip_end>

Enter the ending IPv6 address within the prefix scope.

(Optional) Device Import <device_import>

 

You can configure field end device files prior to the software bundle installation so that the installer will automatically import the devices into the NMS database as part of the installation.

The following is the format for listing each imported device file: <device_file>filepath</device_file>.

If you have no device file for import, then leave the tag value empty.
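
An added example, not part of the IOK installer package: a pre-flight check that reads a filled-in configuration file and reports addressing mistakes and secrets left in cleartext before the installer is run. Tag names are taken from Table 5-4 and the operation network from Table 5-2; the <iok_config> root element, the nesting, and every value in the sample are assumptions constructed for illustration.

```python
"""Pre-flight check for a filled-in IOK installer XML before running the installer."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample. Tag names come from Table 5-4; the <iok_config> root and
# the nesting shown here are assumptions, so lookups below go by tag name only.
SAMPLE = """\
<iok_config>
  <ntp_server><server>10.106.224.129</server><version>5</version></ntp_server>
  <vm_ip>
    <nms_ipv4>10.106.224.140</nms_ipv4>
    <oracle_ipv4>10.106.224.141</oracle_ipv4>
    <cpar_ipv4>10.106.224.142</cpar_ipv4>
    <orch_ipv4>10.106.224.142</orch_ipv4>
    <tps_ipv4>10.106.225.10</tps_ipv4>
  </vm_ip>
  <router_csr1000v_her>
    <login><password>constructed-secret</password><enable_secret></enable_secret></login>
  </router_csr1000v_her>
  <ip_management>
    <ip_subnet>192.168.150.0</ip_subnet>
    <ip_netmask>255.255.255.0</ip_netmask>
    <ip_start>192.168.150.10</ip_start>
    <ip_end>192.168.151.20</ip_end>
  </ip_management>
</iok_config>
"""

VM_TAGS = ("nms_ipv4", "oracle_ipv4", "cpar_ipv4", "orch_ipv4", "tps_ipv4")
SECRET_TAGS = ("password", "enable_secret")


def text_of(node, tag):
    """Text of the first <tag> at or below node, or '' when absent or empty."""
    found = next(node.iter(tag), None)
    return (found.text or "").strip() if found is not None else ""


def preflight(xml_text, operation_net="10.106.224.128/26"):
    """Return a list of findings; secret values are never echoed back."""
    root = ET.fromstring(xml_text)
    net = ipaddress.ip_network(operation_net)
    findings, owners = [], {}

    # Every VM needs its own address inside the IOK Operation Network (Table 5-2).
    for tag in VM_TAGS:
        try:
            addr = ipaddress.IPv4Address(text_of(root, tag))
        except ipaddress.AddressValueError:
            findings.append(f"{tag}: missing or not an IPv4 address")
            continue
        if addr not in net:
            findings.append(f"{tag}: {addr} is outside operation network {net}")
        if addr in owners:
            findings.append(f"{tag}: {addr} duplicates {owners[addr]}")
        owners.setdefault(addr, tag)

    # Table 5-4 allows NTP version 3 or 4; a blank value falls back to 4.
    for ntp in root.iter("ntp_server"):
        version = text_of(ntp, "version")
        if version not in ("", "3", "4"):
            findings.append(f"ntp_server: version {version!r} is not 3 or 4")

    # The IPv4 pool boundaries must sit inside the declared subnet, in order.
    for pool in root.iter("ip_management"):
        mask = text_of(pool, "ip_netmask") or "255.255.255.0"
        try:
            subnet = ipaddress.ip_network(f"{text_of(pool, 'ip_subnet')}/{mask}")
            start = ipaddress.IPv4Address(text_of(pool, "ip_start"))
            end = ipaddress.IPv4Address(text_of(pool, "ip_end"))
        except ValueError as exc:
            findings.append(f"ip_management: {exc}")
            continue
        for name, addr in (("ip_start", start), ("ip_end", end)):
            if addr not in subnet:
                findings.append(f"{name}: {addr} is outside pool subnet {subnet}")
        if start > end:
            findings.append("ip_management: ip_start is above ip_end")

    # Router and CA passwords may be left blank and entered during installation.
    for tag in SECRET_TAGS:
        if any((n.text or "").strip() for n in root.iter(tag)):
            findings.append(f"<{tag}> holds a cleartext secret in the file")
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print(finding)
```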

Installing IOK Package

To install the IOK package, complete the following steps:


Step 1 On a Windows 7 PC (where the IOK installer package is available), open the command prompt and navigate to the IOK build folder location.

Step 2 Execute the command cisco_iok_installer.exe, as shown in Figure 5-7.

Figure 5-7 Installing IOK Package—Trigger the Installation

 

Step 3 Wait for the installation to complete, as shown in .

Figure 5-8 Installing IOK Package

 

Step 4 Once the installation is complete, copy the serial number of the RA and CA devices from the installation log, as highlighted in Figure 5-8.

Step 5 Also verify that all the IOK VMs are installed and powered up. This can be verified from the vSphere client, as shown in Figure 5-9.

Figure 5-9 Installing IOK Package—Verifying the Installation

 

Step 6 Verify the network port groups, as described in IPv4 addressing under prerequisite section and as shown in Figure 5-10, Figure 5-11, and Figure 5-12.

Figure 5-10 Installing IOK Package—Verifying IOK Operations Port Group

 

Figure 5-11 Installing IOK Package—Verifying IOK Internal Port Group

 

Figure 5-12 Installing IOK Package—Verifying IOK DMZ Port Group

 

Step 7 Open orchestration using the Orchestration IP. On first login, the server will prompt the user to change the default password, as shown in Figure 5-13.

 

Table 5-5 Orchestration

| Description | Value | Comments |
|---|---|---|
| Orchestration Web GUI | http://<OrchestrationIP> | Orchestration IP is assigned in cisco-iok-installer.xml during installation. |
| Default Username | root | -- |
| Default Password | root123 | -- |

Figure 5-13 Verifying IOK Installation—Changing the Orchestration Web GUI Password

 

Step 8 Follow the same procedure as in Step 6 to change the default FND password. Whenever required, replace Orchestration IP with FND IP.

Step 9 Verify the running status of IOK components in the Orchestration web GUI, as shown in Figure 5-14.

Figure 5-14 Verifying IOK Installation—Process Status on Orchestration GUI

 


 

Licensing

This section describes the step-by-step procedure to install or import a license into Cisco IOK components.

Installing RA License

To install an ESR5921 license for RA, complete the following steps:


Step 1 On the Orchestration web GUI, click the CISCO-IOK-RA component, as shown in Figure 5-15.

Figure 5-15 Installing License for RA—Component Info Screen

 

Step 2 On the right pane, click the Import License button, as shown in Figure 5-16.

Figure 5-16 Installing License for RA—Viewing Existing License

 

Step 3 On the pop-up window, click the Browse button, as shown in Figure 5-17.

Figure 5-17 Installing RA License—Choose the License File

 

Step 4 Once the license file is selected, click the Import button, as shown in Figure 5-18.

Figure 5-18 Installing RA License—Import License File

 

Step 5 While the Orchestration imports the license, it will show the Importing license file… progress bar, as shown in Figure 5-19.

Figure 5-19 Installing RA License—Import in-Progress

 

Step 6 Once the license file import is successful, the Orchestration displays the message shown in Figure 5-20 and reboots the RA to apply the new license.

Figure 5-20 Installing RA License—Import Successful

 

Step 7 The latest license information can be verified in the screen shown in Figure 5-21.

Figure 5-21 Installing RA License—Verifying the License Info

 


 

Installing Internal CA License

Follow the procedure in Installing RA License to install a license for CA.

Installing FND License

Follow the procedure in Installing RA License to install a license for FND.

Installing HER License

Follow the procedure in Installing RA License to install licenses for all HERs.

Verifying License on CGR

Ensure the necessary licenses, such as ipbasek9 and securityk9, are Active and In-Use on the CGR well before ZTD staging is done.

The user needs access to the CGR. Telnet to the CGR and execute the following command to verify the license:

CGR #sh license
Index 1 Feature: ipbasek9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 2 Feature: securityk9
Period left: 3 weeks 0 day
Period Used: 5 weeks 3 days
License Type: EvalRightToUse
License State: Active, In Use
License Count: Non-Counted
License Priority: Low
Index 3 Feature: datak9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
 

To activate securityk9 or datak9 licenses on the CGR, use the following command:

CGR(config)# license boot module cgr1000 technology-package securityk9
CGR(config)# license boot module cgr1000 technology-package datak9
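
The license check above can be scripted before ZTD staging. The following is an added example, not part of the original guide: it parses captured `sh license` output in the format shown above and reports any required feature that is missing, not Active, In Use, or running on a time-limited license. The function names and the 30-day warning threshold are assumptions of this example.

```python
import re

# Sample input: the "sh license" output shown above, embedded so the check runs offline.
SAMPLE = """\
Index 1 Feature: ipbasek9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 2 Feature: securityk9
Period left: 3 weeks 0 day
Period Used: 5 weeks 3 days
License Type: EvalRightToUse
License State: Active, In Use
License Count: Non-Counted
License Priority: Low
Index 3 Feature: datak9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
"""

REQUIRED = ("ipbasek9", "securityk9")  # features the guide requires on the CGR
MIN_DAYS = 30                          # assumed warning threshold, not from the guide


def parse_licenses(text):
    """Return {feature: {field: value}} from 'sh license' output."""
    licenses, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Index\s+\d+\s+Feature:\s*(\S+)", line)
        if m:
            current = licenses.setdefault(m.group(1), {})
            continue
        if current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return licenses


def period_left_days(value):
    """Convert a 'Period left' value to days; None means it never expires."""
    if value.lower().replace(" ", "") == "lifetime":
        return None
    units = {"week": 7, "day": 1}
    # Anything that is not weeks/days (or is unparseable) counts as 0 days,
    # so an unknown value is reported rather than silently accepted.
    return sum(int(n) * units[u]
               for n, u in re.findall(r"(\d+)\s+(week|day)s?", value))


def check_licenses(text, required=REQUIRED, min_days=MIN_DAYS):
    """Return a list of findings; an empty list means the check passed."""
    licenses = parse_licenses(text)
    findings = []
    for feature in required:
        lic = licenses.get(feature)
        if lic is None:
            findings.append(f"{feature}: not present")
            continue
        state = lic.get("License State")
        if state != "Active, In Use":
            findings.append(f"{feature}: state is {state!r}")
        left = period_left_days(lic.get("Period left", ""))
        if left is not None and left < min_days:
            findings.append(
                f"{feature}: {lic.get('License Type')} license expires in {left} days")
    return findings


if __name__ == "__main__":
    for finding in check_licenses(SAMPLE):
        print(finding)
```

On the sample above, the check reports that securityk9 is an EvalRightToUse license with 21 days left, which matters because the FlexVPN tunnel configuration depends on that feature.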

Router ZTD Staging

ZTD for a Single CGR (One at a Time)

Zero Touch Deployment (ZTD) is used to configure the FAR device. A detailed explanation of the ZTD process is available in Zero-Touch Deployment Staging by IOK.


Step 1 On the Orchestration web GUI, click the Router ZTD Staging menu, as shown in Figure 5-22.

Figure 5-22 ZTD Form for a Single FAR Device Configuration

 

Step 2 Fill in the form with the information for your deployment environment and click the ZTD Staging button, as shown in Figure 5-23.

Figure 5-23 Single ZTD Configuration with Configuration Values

 

Step 3 Verify that the CGR added in the above step is visible in FND and shows a status of UP, as shown in Figure 5-24.

Figure 5-24 Single ZTD Configuration—Meter Status in FND

 

Step 4 Click the CGR link and then select the Running Config tab to view the running configuration of the CGR, as shown in Figure 5-25.

Figure 5-25 Single ZTD Configuration with Configuration Values

 

Step 5 The sequence of the events can be viewed as shown in Figure 5-26.

Figure 5-26 Single ZTD Configuration with Configuration Values

 


 

Batch ZTD (Multiple CGRs at a Time)

Batch ZTD staging supports configuring multiple FAR devices. The configuration details are provided in the csv file, which is imported during the Batch ZTD process.


Step 1 On the Orchestration web GUI, click the Router ZTD Staging menu and select the tab Batch ZTD Settings on the router ZTD staging pop-up window, as shown in Figure 5-27.

Figure 5-27 Batch ZTD Windows

 

Step 2 Fill in all of the required CGR details in the Excel file.

Step 3 Browse to the csv file in the local file system, which already has the details of multiple FAR devices.

Step 4 Click the ZTD Staging button to start the Batch ZTD process, as shown in Figure 5-28.

Figure 5-28 Batch ZTD—Success

 

Step 5 On the FND application, verify that all FAR devices included in the csv file in the Batch ZTD process are visible and their status is UP, as shown in Figure 5-29.

Figure 5-29 FAR Device Status in FND

 


 

Routing Configuration

This section covers the routing configuration required for end-to-end communication between CG-Mesh and the IOK AMI Head End Network. The key elements that perform routing for this end-to-end communication are CGR and a cluster of HERs.

In IOK AMI deployments, CGR is initially configured using the Router ZTD Staging process. All additional routing configuration is then pushed to both the CGR and the HER as part of the ZTD process.

Routing is split into the following two sections:

  • WAN Routing—Reachability between CGR and HER is mandatory to initiate ZTD and thus constitutes WAN routing.
  • Overlay Routing—Meter and HER IPv6/IPv4 prefixes are exchanged using OSPFv3 over WAN routing.

The following steps verify the routing configuration provisioned on both the CGR and HER after the ZTD staging process has been completed:


Step 1 Verify the OSPFv3 routing configuration on the CGR and HER (see Table 5-6).

Table 5-6 OSPFv3 Routing Configuration on CGR and HER

CGR

HER

CGR# sh run int loopback0
interface Loopback0
ip address 192.168.150.6 255.255.255.255
ipv6 address 2001:DB8:2:2::149/128
ipv6 mld join-group FF38:40:2001:DB8:4:4:0:1
ipv6 ospf 2 area 10.106.224.182
ipv6 ospf network point-to-point
end
 
CGR# sh run int tunnel 0
interface Tunnel0
description IPsec tunnel to CISCO-IOK-HER
ip unnumbered Loopback0
ipv6 unnumbered Loopback0
ipv6 ospf 2 area 10.106.224.182
ipv6 ospf network point-to-point
tunnel source GigabitEthernet2/1
tunnel destination dynamic
tunnel protection ipsec profile FlexVPN_IPsec_Profile
 
CGR# sh run | sec ipv6 router ospf
ipv6 router ospf 2
redistribute connected
redistribute static

 

HER# sh run int loopback 0
interface Loopback0
ip address 192.168.150.1 255.255.255.0
ipv6 address 2001:DB8:2:2::100/128
ipv6 enable
ipv6 ospf 2 area 10.106.224.182
ipv6 ospf network point-to-point
end

 

 

HER# sh run int virtual-template 1
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
ipv6 unnumbered Loopback0
ipv6 enable
ipv6 ospf 2 area 10.106.224.182
ipv6 ospf network point-to-point
tunnel protection ipsec profile FlexVPN_IPsec_Profile
end
 
HER#sh run | sec ipv6 router ospf
ipv6 router ospf 2
redistribute connected
redistribute static

Note The following static routes are configured on the HER during ZTD to establish communication between the master HER, FND, Orchestrator, and CA.


 
HER#sh run | sec ip route
 
Route to master HER:
ip route 10.106.224.128 255.255.255.128 GigabitEthernet2 10.106.224.185
Route to FND:
ip route 10.106.224.181 255.255.255.255 GigabitEthernet2 10.106.224.185
Route to Orchestrator:
ip route 10.106.224.182 255.255.255.255 GigabitEthernet2 10.106.224.185
Route to CA Server:
ip route 10.106.224.187 255.255.255.255 GigabitEthernet2

 

Step 2 Verify OSPFv3 neighbors and routing information between CGR and HER, as shown in Table 5-7.

Table 5-7 OSPFv3 Neighbors and Routing Information

CGR
HER
CGR# sh ipv6 ospf neighbor
 
OSPFv3 Router with ID (10.10.10.30) (Process ID 2)
Neighbor ID Pri State Dead Time Interface ID Interface
192.168.150.5 0 FULL/ - 00:00:35 13 Tunnel0
 
 
CGR # sh ipv6 route ospf
O 2001:DB8:2:2::100/128 [110/1001]
via FE80::21E:49FF:FED3:DC00, Tunnel0
O 2001:DB8:2:2::101/128 [110/1001]
via FE80::21E:49FF:FED3:DC00, Tunnel0
O 2001:DB8:2:2::102/128 [110/1001]
via FE80::21E:49FF:FED3:DC00, Tunnel0
O 2001:DB8:2:2::103/128 [110/1001]
via FE80::21E:49FF:FED3:DC00, Tunnel0
O 2001:FACE::/64 [110/1001]
via FE80::21E:49FF:FED3:DC00, Tunnel0
OE2 2001:FACE::180/128 [110/20]
via FE80::21E:49FF:FED3:DC00, Tunnel0
OE2 2001:FACE::190/128 [110/20]
via FE80::21E:49FF:FED3:DC00, Tunnel0
OE2 2001:FACE::200/128 [110/20]
via FE80::21E:49FF:FED3:DC00, Tunnel0

 

CGR#sh ip route
S* 0.0.0.0/0 is directly connected, Tunnel0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet2/1
L 10.10.10.30/32 is directly connected, GigabitEthernet2/1
192.168.150.0/32 is subnetted, 2 subnets
S 192.168.150.3 is directly connected, Tunnel0
C 192.168.150.6 is directly connected, Loopback0
HER# sh ospfv3 neighbor
 
OSPFv3 2 address-family ipv6 (router-id 192.168.150.5)
 
Neighbor ID Pri State Dead Time Interface ID Interface
10.10.10.30 0 FULL/ - 00:00:32 23 Virtual-Access1
192.168.150.1 1 FULL/DROTHER 00:00:37 6 GigabitEthernet2
192.168.150.2 1 FULL/DR 00:00:31 6 GigabitEthernet2
192.168.150.3 1 FULL/DROTHER 00:00:38 6 GigabitEthernet2
192.168.150.4 1 FULL/DROTHER 00:00:30 6 GigabitEthernet2
 
HER# sh ipv6 route ospf
O 2001:DB8:2:2::100/128 [110/1]
via FE80::20C:29FF:FE51:69B2, GigabitEthernet2
O 2001:DB8:2:2::101/128 [110/1]
via FE80::20C:29FF:FE3C:44E2, GigabitEthernet2
O 2001:DB8:2:2::102/128 [110/1]
via FE80::20C:29FF:FEAD:E1E8, GigabitEthernet2
O 2001:DB8:2:2::103/128 [110/1]
via FE80::20C:29FF:FEF5:B68E, GigabitEthernet2
OE2 2001:DB8:4:4::/64 [110/20]
via FE80::EA65:49FF:FE5D:2C79, Virtual-Access1
OE2 2001:FACE::180/128 [110/20]
via FE80::20C:29FF:FE51:69B2, GigabitEthernet2
OE2 2001:FACE::190/128 [110/20]
via FE80::20C:29FF:FE51:69B2, GigabitEthernet2
OE2 2001:FACE::200/128 [110/20]
via FE80::20C:29FF:FE51:69B2, GigabitEthernet
 
 
HER#sh ip route
S* 0.0.0.0/0 [240/0] via 10.10.10.1, GigabitEthernet1
10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet1
L 10.10.10.16/32 is directly connected, GigabitEthernet1
C 10.106.224.128/25 is directly connected, GigabitEthernet2
L 10.106.224.176/32 is directly connected, GigabitEthernet2
S 10.106.224.181/32 [1/0] via 10.106.224.185, GigabitEthernet2
S 10.106.224.182/32 [1/0] via 10.106.224.185, GigabitEthernet2
S 10.106.224.187/32 is directly connected, GigabitEthernet2
O E2 10.142.121.0/24 [110/20] via 10.106.224.129, 3d23h, GigabitEthernet2
192.168.150.0/24 is variably subnetted, 7 subnets, 2 masks
C 192.168.150.0/24 is directly connected, Loopback0
O 192.168.150.1/32 [110/2] via 10.106.224.185, 5d23h, GigabitEthernet2
O 192.168.150.2/32 [110/2] via 10.106.224.173, 5d23h, GigabitEthernet2
O 192.168.150.3/32 [110/2] via 10.106.224.174, 5d23h, GigabitEthernet2
O 192.168.150.4/32 [110/2] via 10.106.224.175, 5d23h, GigabitEthernet2
L 192.168.150.5/32 is directly connected, Loopback0
S 192.168.150.6/32 is directly connected, Virtual-Access1
192.168.234.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.234.0/25 is directly connected, GigabitEthernet3
L 192.168.234.15/32 is directly connected, GigabitEthernet3


 

FlexVPN IPSec Tunnel Configuration

This section covers the configuration required to enable secure communications between the CGR in the field and the IOK inside the AMI Headend via the HER.

As the CGR is configured using ZTD in IOK AMI, all the necessary configuration to enable secure communication using IPSec (FlexVPN) tunnels is pushed to both the CGR and HER as part of the ZTD process.

The following steps verify the IKEv2-based FlexVPN configuration provisioned on both the CGR and the HER by the ZTD process.


Step 1 Verify the IKEv2 proposal and policy used in the negotiation of IKE security associations (SA), as shown in Table 5-8.

 

Table 5-8 IKEv2 Proposal and Policy

CGR
HER
CGR# sh run | sec crypto ikev2 proposal
crypto ikev2 proposal FlexVPN_IKEv2_Proposal
encryption aes-cbc-256
integrity sha256
group 14
!
CGR# sh crypto ikev2 proposal
IKEv2 proposal: FlexVPN_IKEv2_Proposal
Encryption : AES-CBC-256
Integrity : SHA256
PRF : SHA256
DH Group : DH_GROUP_2048_MODP/Group 14
 
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
!
!
CGR# sh run | sec crypto ikev2 policy
crypto ikev2 policy FlexVPN_IKEv2_Policy
proposal FlexVPN_IKEv2_Proposal
!
!
CGR # sh crypto ikev2 policy
IKEv2 policy : FlexVPN_IKEv2_Policy
Match fvrf : global
Match address local : any
Proposal : FlexVPN_IKEv2_Proposal
 
IKEv2 policy : default
Match fvrf : any
Match address local : any
Proposal : default
!
HER# sh run | sec crypto ikev2 proposal
crypto ikev2 proposal FlexVPN_IKEv2_Proposal
encryption aes-cbc-256
integrity sha256
group 14
!
HER# sh crypto ikev2 proposal
IKEv2 proposal: FlexVPN_IKEv2_Proposal
Encryption : AES-CBC-256
Integrity : SHA256
PRF : SHA256
DH Group : DH_GROUP_2048_MODP/Group 14
 
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
!
!
HER# sh run | sec crypto ikev2 policy
crypto ikev2 policy FlexVPN_IKEv2_Policy
proposal FlexVPN_IKEv2_Proposal
!
!
HER# sh crypto ikev2 policy
IKEv2 policy : FlexVPN_IKEv2_Policy
Match fvrf : global
Match address local : any
Proposal : FlexVPN_IKEv2_Proposal
 
IKEv2 policy : default
Match fvrf : any
Match address local : any
Proposal : default
!

Step 2 Verify the PKI trustpoint and certificate map used for RSA certificate-based mutual authentication between FlexVPN peers, as shown in Table 5-9.

 

Table 5-9 The pki Trustpoint and Certificate Map

CGR
HER
CGR# sh run | sec crypto pki
 
crypto pki trustpoint LDevID
enrollment mode ra
enrollment profile LDevID
serial-number none
fqdn none
ip-address none
password
fingerprint C3EAEC9A50A2016B4CA1511F639F6ADB74B5B0BC
subject-name serialNumber=PID:CGR1240/K9 SN:JAD192901QE,CN=CGR1000_JAD192901QE
revocation-check none
rsakeypair LDevID 2048
!
crypto pki profile enrollment LDevID
enrollment url http://ra.iok.cisco.com
!
crypto pki certificate map FlexVPN_Cert_Map 1
issuer-name co cn = iok-ca-ios
!
<Output omitted>
HER# sh run | sec crypto pki
 
crypto pki trustpoint LDevID
enrollment retry count 10
enrollment retry period 2
enrollment profile LDevID
serial-number
ip-address none
password
fingerprint 0EF0A2AD7FDBDF91F707DFD9E75A3978B5EC1045
revocation-check none
rsakeypair LDevID
!
crypto pki profile enrollment LDevID
enrollment url http://10.106.224.187
!
crypto pki certificate map FlexVPN_Cert_Map 1
issuer-name co cn = iok-ca-ios
!
!
<Output omitted>

Step 3 Verify the local IKEv2 authorization policy that provides the policy for an authenticated session, as shown in Table 5-10.

 

Table 5-10 Local IKEv2 Authorization Policy

CGR
HER
CGR# sh run | in aaa authorization network
aaa authorization network FlexVPN_Author local
!
CGR# sh run | sec crypto ikev2 authorization policy
crypto ikev2 authorization policy FlexVPN_Author_Policy
route set interface
route set access-list FlexVPN_Client_IPv4_LAN
route set access-list ipv6 FlexVPN_Client_IPv6_LAN
!
CGR# sh run | s (ip|ipv6) access-list
ip access-list standard FlexVPN_Client_IPv4_LAN
permit 192.168.150.6
ipv6 access-list FlexVPN_Client_IPv6_LAN
sequence 20 permit ipv6 host 2001:DB8:2:2::149 any
!
HER# sh run | in aaa authorization network
aaa authorization network FlexVPN_Author local
!
HER# sh run | sec crypto ikev2 authorization policy
crypto ikev2 authorization policy FlexVPN_Author_Policy
route set interface
route set access-list FlexVPN_Client_Default_IPv4_Route
route set access-list ipv6 FlexVPN_Client_Default_IPv6_Route
!
HER# sh run | s (ip|ipv6) access-list
ip access-list standard FlexVPN_Client_Default_IPv4_Route
permit any
!
ipv6 access-list FlexVPN_Client_Default_IPv6_Route
permit ipv6 any any

Step 4 Verify the IKEv2 profile that specifies the local identity and authentication methods and services available to authenticated peers that match the profile, as shown in Table 5-11.

 

Table 5-11 Local Identity and Authentication Methods and Services

CGR
HER
CGR# sh run | sec crypto ikev2 profile
 
crypto ikev2 profile FlexVPN_IKEv2_Profile
match certificate FlexVPN_Cert_Map
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint LDevID
dpd 120 3 periodic
aaa authorization group cert list FlexVPN_Author FlexVPN_Author_Policy
!
CGR# sh crypto ikev2 profile
 
IKEv2 profile: FlexVPN_IKEv2_Profile
Ref Count: 5
Match criteria:
Fvrf: global
Local address/interface: none
Identities: none
Certificate maps: FlexVPN_Cert_Map
Local identity: DN
Remote identity: none
Local authentication method: rsa-sig
Remote authentication method(s): rsa-sig
EAP options: none
Keyring: none
Trustpoint(s): LDevID
Lifetime: 86400 seconds
DPD: interval 120, retry-interval 3, periodic
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
mode auto: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization:
cert: list FlexVPN_Author, username FlexVPN_Author_Policy
AAA user authorization: none
CGR #

 

HER# sh run | sec crypto ikev2 profile
 
crypto ikev2 profile FlexVPN_IKEv2_Profile
match certificate FlexVPN_Cert_Map
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint LDevID
dpd 30 3 periodic
aaa authorization group cert list FlexVPN_Author FlexVPN_Author_Policy
virtual-template 1
!
HER# sh crypto ikev2 profile
IKEv2 profile: FlexVPN_IKEv2_Profile
Ref Count: 4
Match criteria:
Fvrf: global
Local address/interface: none
Identities: none
Certificate maps: FlexVPN_Cert_Map
Local identity: DN
Remote identity: none
Local authentication method: rsa-sig
Remote authentication method(s): rsa-sig
EAP options: none
Keyring: none
Trustpoint(s): LDevID
Lifetime: 86400 seconds
DPD: interval 30, retry-interval 3, periodic
NAT-keepalive: disabled
Ivrf: none
Virtual-template: 1
mode auto: No
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization:
cert: list FlexVPN_Author, username FlexVPN_Author_Policy
AAA user authorization: none
HER #

 

Step 5 Verify the IPSec profile that defines the encryption method to use in the tunnels, as shown in Table 5-12.


Note CGR is the IKEv2 initiator and HER is the IKEv2 responder.


 

Table 5-12 IPSec Profile

CGR
HER
CGR# sh run | s crypto ipsec
 
crypto ipsec transform-set FlexVPN_IPsec_Transform_Set esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile FlexVPN_IPsec_Profile
set transform-set FlexVPN_IPsec_Transform_Set
set pfs group14
set ikev2-profile FlexVPN_IKEv2_Profile
!
 
CGR# sh crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
 
Transform set FlexVPN_IPsec_Transform_Set: { esp-aes esp-sha256-hmac }
will negotiate = { Tunnel, },
 
CGR# sh crypto ipsec profile
IPSEC profile FlexVPN_IPsec_Profile
IKEv2 Profile: FlexVPN_IKEv2_Profile
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group14
Mixed-mode : Disabled
Transform sets={
FlexVPN_IPsec_Transform_Set: { esp-aes esp-sha256-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
 
HER# sh run | s crypto ipsec
 
crypto ipsec transform-set FlexVPN_IPsec_Transform_Set esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile FlexVPN_IPsec_Profile
set transform-set FlexVPN_IPsec_Transform_Set
set pfs group14
set ikev2-profile FlexVPN_IKEv2_Profile
responder-only
!
HER# sh crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
 
Transform set FlexVPN_IPsec_Transform_Set: { esp-aes esp-sha256-hmac }
will negotiate = { Tunnel, },
 
HER# sh crypto ipsec profile
IPSEC profile FlexVPN_IPsec_Profile
IKEv2 Profile: FlexVPN_IKEv2_Profile
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): Y
PFS (Y/N): Y
DH group: group14
Mixed-mode : Disabled
Transform sets={
FlexVPN_IPsec_Transform_Set: { esp-aes esp-sha256-hmac } ,
}
 
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}

Step 6 Verify the tunnel interface configuration on CGR and HER and also the client profile on the CGR, which specifies the peer address and a unique tunnel interface.

The CGR is configured with a Static VTI interface. The tunnel source on the CGR is the WAN facing interface and the destination is the IPv4 address of the HER IKEv2 cluster. The HER is configured with a multi-SA DVTI interface.

The IPv6 GRE tunnel traffic from the CGR is encrypted and carried over the IPv4 tunnels.

OSPFv3 routing protocol is used on both CGR and HER and the tunnel interfaces are defined to be a part of this protocol to advertise the reachability on both sides. Also, the loopback interfaces are configured to be part of the OSPF routing protocol so that reachability is advertised to the other device to bring the tunnel up.

IKEv2 clustering is enabled within the IOK Headend on the HERs to form a cluster of FlexVPN gateways. HSRP and the FlexVPN server are configured on the HER, and the FlexVPN client functionality is configured on the CGR.

 

Table 5-13 IKEv2 Clustering

CGR
HER
CGR# sh run int tunnel0
!
interface Tunnel0
description IPsec tunnel to CISCO-IOK-HER
ip unnumbered Loopback0
ipv6 unnumbered Loopback0
ipv6 ospf 2 area 10.106.224.182
ipv6 ospf network point-to-point
tunnel source GigabitEthernet2/1
tunnel destination dynamic
tunnel protection ipsec profile FlexVPN_IPsec_Profile
!
CGR# sh run | s crypto ikev2 client
crypto ikev2 client flexvpn FlexVPN_Client
peer 1 10.10.10.100
client connect Tunnel0
!
CGR# sh run | s router ospf
ipv6 router ospf 2
redistribute connected
redistribute static
!
CGR# sh run int lo0
interface Loopback0
ip address 192.168.150.6 255.255.255.255
ipv6 address 2001:DB8:2:2::149/128
ipv6 ospf 2 area 10.106.224.182
ipv6 ospf network point-to-point
!
CGR# sh run | in crypto ikev2 redirect client
crypto ikev2 redirect client max-redirects 15
!
CGR# sh run int g2/1
interface GigabitEthernet2/1
no switchport
ip address 10.10.10.10 255.255.255.0
duplex auto
speed auto
ntp broadcast
ipv6 enable
!
 
HER# sh run int Virtual-Template1
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
ipv6 unnumbered Loopback0
ipv6 enable
ipv6 ospf 2 area 10.106.224.182
ipv6 ospf network point-to-point
tunnel protection ipsec profile FlexVPN_IPsec_Profile
!
HER# sh run | s ipv6 router ospf
ipv6 router ospf 2
redistribute connected
redistribute static
!
HER# sh run int lo0
interface Loopback0
ip address 192.168.150.1 255.255.255.0
ipv6 address 2001:DB8:2:2::100/128
ipv6 enable
ipv6 ospf 2 area 10.106.224.182
ipv6 ospf network point-to-point
!
HER# sh run | sec crypto ikev2 cluster
crypto ikev2 cluster
standby-group group1
slave priority 50
slave max-session 300
no shutdown
!
HER# sh run | in crypto ikev2 redirect
crypto ikev2 redirect gateway init
!
HER# sh run int Gi1
interface GigabitEthernet1
ip address 10.10.10.12 255.255.255.0
standby 1 ip 10.10.10.100
standby 1 priority 205
standby 1 preempt
standby 1 name group1
standby 1 track 1 decrement 10
negotiation auto
ipv6 enable
ntp broadcast
!

Step 7 Use the following commands to verify the tunnel status, FlexVPN session on both peers, and clustering statistics on HER:

CGR# sh crypto ikev2 session
CGR# sh crypto ipsec sa
HER# sh crypto ikev2 cluster
HER# sh standby neighbors
HER# sh standby brief
HER# sh standby all
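
The side-by-side comparison in Steps 1 through 5 can be automated. The following is an added example, not part of the original guide: it extracts the IKEv2, IPsec, and trustpoint parameters from the crypto sections of both running configurations, reports any value that differs between the peers or from the values shown in Tables 5-8 through 5-12, and notes trustpoints with `revocation-check none`. The function names are this example's own, and the two embedded configurations are condensed from the tables above.

```python
# Constructed input: crypto sections condensed from Tables 5-8, 5-9, 5-11 and 5-12.
CGR_CFG = """\
crypto ikev2 proposal FlexVPN_IKEv2_Proposal
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto pki trustpoint LDevID
 revocation-check none
 rsakeypair LDevID 2048
crypto ikev2 profile FlexVPN_IKEv2_Profile
 match certificate FlexVPN_Cert_Map
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint LDevID
crypto ipsec transform-set FlexVPN_IPsec_Transform_Set esp-aes esp-sha256-hmac
 mode tunnel
crypto ipsec profile FlexVPN_IPsec_Profile
 set transform-set FlexVPN_IPsec_Transform_Set
 set pfs group14
 set ikev2-profile FlexVPN_IKEv2_Profile
"""
# The HER differs only in the key pair line and the responder-only setting.
HER_CFG = (CGR_CFG.replace("rsakeypair LDevID 2048", "rsakeypair LDevID")
           + " responder-only\n")

# Baseline: the values the guide shows ZTD provisioning on both peers.
BASELINE = {
    "ike_encryption": "aes-cbc-256", "ike_integrity": "sha256",
    "ike_group": "14", "esp_transforms": "esp-aes esp-sha256-hmac",
    "pfs": "group14", "auth_local": "rsa-sig", "auth_remote": "rsa-sig",
}


def sections(cfg):
    """Split config text into {'crypto ...' header: [sub-command lines]}."""
    out, body = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()            # also accepts output pasted without indentation
        if not line or line == "!":
            continue
        if line.startswith("crypto "):
            body = out.setdefault(line, [])
        elif body is not None:
            body.append(line)
    return out


def crypto_params(cfg):
    """Extract the security parameters of one FlexVPN peer (last value wins)."""
    p = {}
    for header, body in sections(cfg).items():
        words = header.split()
        kind = " ".join(words[1:3])   # e.g. "ikev2 proposal"
        if kind == "ipsec transform-set":
            p["esp_transforms"] = " ".join(words[4:])
        for line in body:
            parts = line.split()
            if kind == "ikev2 proposal" and parts[0] in ("encryption", "integrity", "group"):
                p["ike_" + parts[0]] = " ".join(parts[1:])
            elif kind == "ipsec profile" and parts[:2] == ["set", "pfs"]:
                p["pfs"] = parts[2]
            elif kind == "ikev2 profile" and parts[0] == "authentication":
                p["auth_" + parts[1]] = parts[2]
            elif kind == "pki trustpoint" and parts[0] == "revocation-check":
                p["revocation_check"] = " ".join(parts[1:])
    return p


def audit(cgr_cfg, her_cfg):
    """Return findings: drift from the baseline, peer mismatches, review notes."""
    cgr, her = crypto_params(cgr_cfg), crypto_params(her_cfg)
    findings = []
    for key, want in BASELINE.items():
        for name, peer in (("CGR", cgr), ("HER", her)):
            if peer.get(key) != want:
                findings.append(
                    f"DRIFT {name} {key}: {peer.get(key)!r}, guide shows {want!r}")
        if cgr.get(key) != her.get(key):
            findings.append(
                f"MISMATCH {key}: CGR {cgr.get(key)!r} vs HER {her.get(key)!r}")
    for name, peer in (("CGR", cgr), ("HER", her)):
        if peer.get("revocation_check") == "none":
            findings.append(f"NOTE {name} trustpoint: revocation-check none, "
                            "revoked peer certificates are still accepted")
    return findings


if __name__ == "__main__":
    for finding in audit(CGR_CFG, HER_CFG):
        print(finding)
```

With the configurations as shown in the tables, the only findings are the two `revocation-check none` notes; any change to a proposal, transform set, PFS group, or authentication method on one peer is reported as both drift and a mismatch.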


 

ASA Firewall Configuration

As depicted in the solution topology in Figure 4-1, an ASA firewall in transparent mode may be deployed to protect the IOK headend from all the traffic coming in from the FARs. The firewall can be configured to permit traffic during ZTD staging, IPSec traffic between FARs and HERs (over which all further communication happens from the mesh endpoints to IOK headend servers), and deny the rest of the traffic towards the head end network.


Step 1 Configure the ASA firewall to operate in transparent mode with the following command:

ASA(config)# firewall transparent
 

Step 2 Configure a Bridge-group Virtual Interface (BVI) on the firewall with the following commands:

ASA(config)# interface BVI <number>
ASA(config-if)# ip address <IPv4 address> <subnet mask>
ASA(config-if)# ipv6 enable
ASA(config-if)# ipv6 address <IPv6 address/prefix length>
 

For the devices connected in the network on either side of the firewall, the IPv4 and the IPv6 address of their interfaces must be in the same subnet as the BVI interface.

Step 3 Configure the interfaces on the Cisco ASA firewall connected to the trusted network (towards the HEN) and the untrusted network (towards the FAR) and configure the security levels of the interfaces.

The interface connected to the outside network has a security level of 0, making it an untrusted interface, and the interface connected to the inside network has a security-level of 100, making it a trusted interface.

ASA(config)# interface GigabitEthernet <module/slot>
ASA(config-if)# nameif outside
ASA(config-if)# security-level 0
ASA(config-if)# bridge-group <BVI number>
ASA(config)# interface GigabitEthernet <module/slot>
ASA(config-if)# nameif inside
ASA(config-if)# security-level 100
ASA(config-if)# bridge-group <BVI number>
 

In transparent mode, the Cisco ASA firewall blocks traffic from the untrusted interface towards the trusted interface. Based on the traffic coming in towards the IOK head end, specific ports and protocols must be allowed using access lists.

Step 4 Use the ports and protocols in Table 5-14 to provide access to and from the HEN.

 

Table 5-14 Firewall Ports to be Opened

| IOK Component | Protocol | Port | Service | Interface on the ASA | Direction |
|---|---|---|---|---|---|
| RA | TCP | 80 | HTTP for SCEP | Outside | Inbound |
| TPS | TCP | 9120 | HTTPS | Outside | Inbound |
| HER | UDP | 123 | NTP | Outside | Inbound |
| HER | ESP | - | IP protocol 50 | Outside | Inbound |
| HER | UDP | 500 | IKE | Outside | Inbound |

Step 5 Based on Table 5-14, the example below shows the access-list configuration for FlexVPN tunnel formation between CGR and HER. Other types of traffic can be configured similarly.

  • Configure the access-list for both IPv4 and IPv6 traffic:
ASA(config)# access-list <access-list name> extended permit udp <FAR subnet> <HER subnet> eq 500
ASA(config)# access-list <access-list name> extended permit esp <FAR subnet> <HER subnet>
ASA(config)# access-list <access-list name> extended permit icmp any any
 
  • Apply the access list on the interface. The access list above must be applied on the untrusted network (outside) in the inbound direction.
ASA(config)# access-group <access-list name> in interface outside
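
Once the access list has grown beyond the FlexVPN entries, it is worth checking that every permit entry still corresponds to a flow in Table 5-14. The following is an added example, not part of the original guide: it reads extended access-list lines in ASA syntax and flags any permit entry whose protocol and destination port are not in the table (ICMP is accepted because the Step 5 example permits it). The ACL name, the addresses, and the two over-broad entries in the sample are constructed for illustration.

```python
# Flows Table 5-14 lists as inbound on the outside interface.
ALLOWED = {("tcp", 80), ("tcp", 9120), ("udp", 123), ("udp", 500), ("esp", None)}
# The ASA running configuration displays well-known ports by name.
PORT_NAMES = {"www": 80, "ntp": 123, "isakmp": 500}
ADDR_ONE_TOKEN = {"any", "any4", "any6"}
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}

# Constructed sample: the first three entries follow Step 5, the last two do not.
SAMPLE_ACL = """\
access-list OUTSIDE_IN extended permit udp 10.10.10.0 255.255.255.0 host 10.10.10.100 eq isakmp
access-list OUTSIDE_IN extended permit esp 10.10.10.0 255.255.255.0 host 10.10.10.100
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit tcp any any eq 8443
access-list OUTSIDE_IN extended permit ip any any
"""


def skip_addr(tok, i):
    """Return the index just past the address specification starting at tok[i]."""
    if tok[i] in ADDR_ONE_TOKEN or "/" in tok[i]:   # any, or IPv6 prefix/length
        return i + 1
    return i + 2                                    # host X, object X, or network + mask


def skip_port(tok, i):
    """Return (index past an optional port specification, port or None)."""
    if i >= len(tok) or tok[i] not in PORT_OPS:
        return i, None
    end = i + (3 if tok[i] == "range" else 2)
    if tok[i] == "eq":
        name = tok[i + 1]
        return end, PORT_NAMES.get(name, int(name) if name.isdigit() else name)
    return end, " ".join(tok[i:end])                # ranges and inequalities never match


def audit_acl(acl_text, allow_icmp=True):
    """Return one finding per permit entry that is not a Table 5-14 flow."""
    findings = []
    for n, line in enumerate(acl_text.splitlines(), 1):
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        if tok[3] != "permit":
            continue
        proto = tok[4]
        try:
            i = skip_addr(tok, 5)                   # source address
            i, _ = skip_port(tok, i)                # optional source port
            i = skip_addr(tok, i)                   # destination address
            _, dport = skip_port(tok, i)            # optional destination port
        except IndexError:
            findings.append(f"line {n}: could not parse entry")
            continue
        if proto in ("tcp", "udp"):
            key = (proto, dport)
            flow = f"{proto}/{dport if dport is not None else 'any port'}"
        else:
            key, flow = (proto, None), proto
        if key in ALLOWED or (proto == "icmp" and allow_icmp):
            continue
        findings.append(f"line {n}: permit {flow} is not a Table 5-14 flow")
    return findings


if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ACL):
        print(finding)
```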
 


 

CG-Mesh Configuration

This section describes the configurations and implementation steps for the IOK AMI RF Mesh using Itron OpenWay Smart Meters as the Connected Grid endpoints. The configuration includes the required features to be enabled for communications between the Smart Meters, CGR, and various applications in the IOK HEN.

CGR Configuration

The WPAN interface module on the CGR enables communication with the mesh endpoint smart meters.

Communication with the smart meters is possible in two modes—secure and non-secure:

  • In secure mode, IOK’s FreeRadius server authenticates the smart meters. Digital certificates are installed in the meters during manufacturing and are signed by the Utility CA server. After successful authentication from the FreeRadius server, the smart meters obtain an IPv6 address from the IOS DHCPv6 server on CGR.
  • In non-secure mode, the meters do not need certificates and use only the services of the IOS DHCPv6 server to obtain an IPv6 address.

In IOK AMI deployments, CGR is configured using Zero Touch Deployment (ZTD). All necessary configuration for secure communication with the smart meters is pushed to the CGR.

To verify the configuration on the CGR, perform the following steps:


Step 1 Log in to the CGR1K console. Verify that the WPAN module is operational and that the firmware version matches the version on the Smart Meter.

 
CGR#show module
Mod Ports Module-Type Model Status
--- ----- ----------------------------------- ------------------ ----------
1 2 CGR1000 Supervisor Module CGR1240/K9 active
2 7 CGR1000 Onboard Interface Module CGR1000 ok
3 1 Connected Grid Module - 3G Generic CGM-3G-HSPA-G ok
4 1 Connected Grid Module - IEEE 802.15 CGM-WPAN-FSK-NA ok
 
Mod Hw Serial-Num Last reload reason
--- ----- --------------------- ------------------------------------
1 1.0 JAD192701KU
2 N/A NA
3 1.0 JAD192303LV
4 1.0 JAF1622AHJN
 
CGR#show wpan 4/1 hardware version
firmware version: 5.5.80, apps/bridge, master, 1ca0551, Feb 10 2015
 

Step 2 Verify the WPAN interface configuration that was pushed through IOK ZTD.

CGR#sh run int wpan 4/1
Building configuration...
Current configuration : 448 bytes
!
interface Wpan4/1
no ip address
ip broadcast-address 0.0.0.0
no ip route-cache
ieee154 beacon-async min-interval 20 max-interval 120 suppression-coefficient 0
ieee154 panid 100
ieee154 ssid ciscodemo
ieee154 txpower 2
outage-server 2001:FACE::190
authentication host-mode multi-auth
authentication port-control auto
ipv6 address 2001:DB8:4:4::1/64
ipv6 dhcp server iok-dhcpd6 rapid-commit
dot1x pae authenticator
end
 

Step 3 Verify that the SSID is configured appropriately. The SSID on the WPAN interface must match the SSID configured on the Smart Meter.

CGR#sh wpan 4/1 config
module type: RF-WPAN (IEEE 802.15.4e/g RF 900MHz)
ssid: ciscodemo
panid: 100
transmit power: 2
channel: 254
dwell: window 20000 max-dwell 400
beacon async: min-interval 20 max-interval 120 suppression-coefficient 0
security mode: 1
test mode: 0 (test firmware only)
admin_status: up
rpl prefix: 2001:DB8:4:4::1/64
rpl route-poisoning: off
rpl dodag-lifetime: 120
rpl dio-dbl: 0
rpl dio-min: 15
rpl version-incr-time: 60
detach bridge: no
bootloader mode: no
mcast-agent: FF38:40:2001:DB8:4:4:0:1 61624 1153
firmware version: 5.5.80
slave mode: no
 

Step 4 Verify the link neighbors table and ensure the smart meter is shown as an RF neighbor on the WPAN interface.

CGR#sh clock
11:16:44.528 UTC Tue Oct 27 2015
 
CGR#sh wpan 4/1 hardware link-neighbors
eui64 heard etx sent / ack rssif / rssir lqif / lqir
0007810800BFA06B 15 310 1 / 1 - 45 / -46 27 / 18
 
CGR#sh wpan 4/1 link-neighbors table
------------------------- WPAN LINK NEIGHBOR TABLE [4] ----------------
EUI64 RSSIF RSSIR LQIF LQIR FIRST_HEARD LAST_HEARD
0007810800BFA06B -35 -39 19 30 14:58:46 11:16:24
Number of Entries in WPAN LINK NEIGHBOR TABLE: 1

Note Check whether link neighbors were heard recently (within ~15 minutes). Check firmware compatibility between the CGR WPAN module and the Smart Meter. Check the certificates on the Smart Meters.

Note RSSI should be around -85 dBm or stronger. The required minimum for forming an RPL network is -95 dBm. Forward RSSI and reverse RSSI should be similar. Check txpower on the CGR, the antenna, physical distance, etc.

Note ETX is generally closer to 256 in good deployments.


Step 5 Verify IEEE 802.1x is globally enabled and also enabled on the WPAN interface.

CGR#sh run | i dot1x system
dot1x system-auth-control
 
CGR#sh dot1x interface wpan 4/1
Dot1x Info for Wpan4/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_AUTH
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
 

Step 6 Verify the AAA configuration and radius server configuration required to authenticate the smart meters.

CGR#show run aaa group server radius
aaa group server radius iok-aaa
server name aaa_server
 
CGR#show run aaa authentication | include dot1x
aaa authentication dot1x default group iok-aaa
 
CGR#sh run | sec radius server
radius server aaa_server
address ipv4 10.106.224.181 auth-port 1812 acct-port 1813
key 7 0147122863481E317004652E50
 

Step 7 Verify whether IEEE 802.1x authentication was successful.

CGR#sh authentication sessions
Interface MAC Address Method Domain Status Session ID
Wpan4/1 0108.00bf.a06b dot1x DATA Authz Success C0A89603000000000003E432
 
CGR#show dot1x interface wpAN 4/1 details
Dot1x Info for Wpan4/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_AUTH
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
 
Dot1x Authenticator Client List
-------------------------------
EAP Method = (13)
Supplicant = 0108.00bf.a06b
Session ID = C0A89603000000000003E432
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
 
CGR#sh authentication sessions interface wpan 4/1
Interface : Wpan4/1
MAC Address: 0108.00bf.a06b
IP Address : Unknown
User-Name : host/iok-meter
Status : Authz Success
Domain : DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
AAA Policies:
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A89603000000000003E432
Acct Session ID: 0x00000002
Handle: 0xF7000001
 
Runnable methods list:
Method State
dot1x Authc Success
 

Step 8 Verify IPv6 address configuration on WPAN interface and IOS DHCPv6 Server configuration.

The smart meters communicate with the CGR and obtain an IPv6 address from the IOS DHCPv6 server running on the CGR. IOS DHCPv6 server configuration is pushed to the CGR using ZTD. In the IOS DHCPv6 server configuration settings, vendor specific options are configured to include the IPv6 addresses of FND and Itron Collection Engine. These options are passed onto the smart meters.

CGR#sh run int wpan 4/1 | i ipv6
ipv6 address 2001:DB8:4:4::1/64
ipv6 dhcp server iok-dhcpd6 rapid-commit
 
CGR#sh ipv6 dhcp interface wpan 4/1
Wpan4/1 is in server mode
Using pool: iok-dhcpd6
Preference value: 0
Hint from client: ignored
Rapid-Commit: enabled
 
CGR#sh ipv6 dhcp pool
DHCPv6 pool: iok-dhcpd6
Address allocation prefix: 2001:DB8:4:4::/64 valid 172800 preferred 86400 (1 in use, 0 conflicts)
Vendor-specific Information options:
Enterprise-ID: 26484
suboption 1 address 2001:FACE::190
suboption 2 address 2001:FACE::180
Active clients: 1
 

Step 9 Verify RPL tree formation and IPv6 address assignment to the Smart Meter:

CGR#sh wpan 4/1 rpl tree
----------------------------- WPAN RPL TREE FIGURE [5] -----------------------
[2001:DB8:4:4::1] (1)
\--- 2001:DB8:4:4:F042:13C3:5C9C:53F6
 
RPL TREE: Num.DataEntries 1, Num.GraphNodes 2
 
CGR#sh wpan 4/1 rpl etree
----------------------------- WPAN RPL EUI64 TREE [5] --------------------------
 
[0007810800D390A0]
\--(-34)-- 0007810800BFA06B
 
RPL EUI64 TREE: Num.DataEntries 1, Num.GraphNodes 2
 

Step 10 Verify reachability of the smart meter from CGR using ping.

CGR#ping 2001:DB8:4:4:F042:13C3:5C9C:53F6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:4:4:F042:13C3:5C9C:53F6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 248/692/1538 ms
 

Step 11 Execute the following commands on CGR for further debugging and troubleshooting:

debug wpan all
debug dot1x all
debug radius
debug ipv6 dhcp detail
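
The checks from Steps 4 and 7 can be scripted against captured CLI output. The following is an added example, not part of the original guide or of any Cisco tooling: it applies the RSSI and last-heard thresholds from the notes above to the link neighbor table and lists 802.1X sessions that are not in Authz Success. The second data row in each sample table is constructed, and the 10 dB asymmetry limit and the finding labels are assumptions (the guide only says forward and reverse RSSI should be similar).

```python
import re
from datetime import datetime, timedelta

RSSI_TARGET_DBM = -85                # "around -85 dBm or stronger"
RSSI_MINIMUM_DBM = -95               # required minimum for forming the RPL network
MAX_SILENCE = timedelta(minutes=15)  # neighbors should be heard within ~15 minutes
MAX_ASYMMETRY_DB = 10                # ASSUMPTION: the guide only says "similar"

# The first data row of each table is taken from the guide's output;
# the second row is constructed to exercise the failure paths.
SH_CLOCK = "11:16:44.528 UTC Tue Oct 27 2015"
LINK_NEIGHBORS = """\
EUI64 RSSIF RSSIR LQIF LQIR FIRST_HEARD LAST_HEARD
0007810800BFA06B -35 -39 19 30 14:58:46 11:16:24
0007810800AAAA01 -97 -80 10 12 09:00:00 10:40:02
"""
AUTH_SESSIONS = """\
Interface MAC Address Method Domain Status Session ID
Wpan4/1 0108.00bf.a06b dot1x DATA Authz Success C0A89603000000000003E432
Wpan4/1 0108.00aa.aa01 dot1x DATA Authz Failed C0A89603000000000003E433
"""

NEIGHBOR_RE = re.compile(
    r"^([0-9A-F]{16})\s+(-?\d+)\s+(-?\d+)\s+\d+\s+\d+\s+[\d:]{8}\s+([\d:]{8})\s*$")
SESSION_RE = re.compile(
    r"^(\S+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(.+?)\s+([0-9A-F]+)\s*$")


def time_of_day(text):
    """Parse HH:MM:SS (fractional seconds ignored) into a timedelta."""
    t = datetime.strptime(text.split(".")[0], "%H:%M:%S")
    return timedelta(hours=t.hour, minutes=t.minute, seconds=t.second)


def check_neighbors(table, clock_line):
    """Return {eui64: [findings]} for 'sh wpan <slot> link-neighbors table' output."""
    now = time_of_day(clock_line.split()[0])
    findings = {}
    for line in table.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if not m:
            continue  # header, separator or summary line
        eui64, rssif, rssir = m.group(1), int(m.group(2)), int(m.group(3))
        # LAST_HEARD carries no date: a value later than "now" is treated as
        # belonging to the previous day (assumes entries are under 24 h old).
        age = (now - time_of_day(m.group(4))) % timedelta(days=1)
        issues = []
        if age > MAX_SILENCE:
            issues.append("stale")
        weakest = min(rssif, rssir)
        if weakest < RSSI_MINIMUM_DBM:
            issues.append("below-minimum")
        elif weakest < RSSI_TARGET_DBM:
            issues.append("weak")
        if abs(rssif - rssir) > MAX_ASYMMETRY_DB:
            issues.append("asymmetric")
        findings[eui64] = issues
    return findings


def failed_sessions(table):
    """Return (mac, status) for every session that is not 'Authz Success'."""
    failed = []
    for line in table.splitlines():
        m = SESSION_RE.match(line.strip())
        if m and m.group(5) != "Authz Success":
            failed.append((m.group(2), m.group(5)))
    return failed


if __name__ == "__main__":
    for eui64, issues in check_neighbors(LINK_NEIGHBORS, SH_CLOCK).items():
        print(eui64, "OK" if not issues else ", ".join(issues))
    for mac, status in failed_sessions(AUTH_SESSIONS):
        print(mac, status)
```
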
 


 

Itron OpenWay Smart Meter Configuration

In the IOK AMI Solution Validation project, Itron OpenWay Smart Meters have been used as Connected Grid Endpoints (CGEs). This section describes programming the Itron Smart Meters and integrating them with IOK AMI deployments.

In order to enable Itron OpenWay Smart Meters to securely communicate with the CGR’s WPAN interface, perform the following tasks:

a. Download the Register firmware into the Smart Meter.

b. Download the Comm Module firmware into the Smart Meter.

c. Program the Smart Meters with various configuration parameters such as SSID, security certificates, etc.


Step 1 Obtain the compatible Register firmware image based on the Smart Meter Hardware version.

Step 2 Open the Itron OpenWay Shop Manager. Select the Firmware Files tab in the left pane. Click Import under Firmware Options.

Step 3 In the Import Firmware window, select the correct firmware file and import it into the Shop Manager utility.

Step 4 In the Firmware Files window, navigate to OpenWay CENTRON > Hardware 3.1 > Single Phase ITRD > Register. In the right pane, click the check box under the column Active to select the file for downloading into the Smart Meter, as shown in Figure 5-30.

Figure 5-30 Itron OpenWay ShopManager —Import Register Firmware

 

Step 5 Launch the Itron OpenWay Field-Pro utility. Select Generic 1 probe under Options > Optical Probe Selection, as shown in Figure 5-31.

Figure 5-31 Itron OpenWay Field-Pro—Optical Probe Selection

 

Step 6 Select the correct COM port under Options > Communications Port, as shown in Figure 5-32.

Figure 5-32 Itron OpenWay Field-Pro—Communications Port Selection

 

Step 7 Select Options > Maximum Baud Rate > 19200. Press F1 or select Logon, as shown in Figure 5-33.

Figure 5-33 Itron OpenWay Field-Pro—Maximum Baud Rate Selection

 

Step 8 Select Programming Functions > Firmware Load. Under Select a firmware file and press F1 to continue, select the file AMI_HW360_REG_ITRD_005_005_068.bin listed under Register Firmware and click Select Firmware File, as shown in Figure 5-34.

Figure 5-34 Itron OpenWay Field-Pro—Select Register Firmware

 

Step 9 Select Confirm Download or Press F1 to begin downloading firmware, as shown in Figure 5-35.

Figure 5-35 Itron OpenWay Field-Pro—Confirm Download Register Firmware

 

Step 10 Wait for the download process to complete successfully. The Green Color Progress Bar in the lower right corner of the Field-Pro utility window shows the download status.

Step 11 In the Download Completed! page, select Logoff. Wait for a few minutes for the register firmware to be installed and activated on the Smart Meter.

Step 12 Select Logon. In the Meter Summary page, confirm that the Register Firmware Version shows the correct version of firmware loaded, as shown in Figure 5-36.

Figure 5-36 Itron OpenWay Field-Pro—Meter Summary Register Firmware Version

 

Step 13 Check the firmware version of WPAN module on CGR. Log in to the console of CGR1K and execute the following command:

CGR#sh wpan 4/1 hardware version
firmware version: 5.5.80, apps/bridge, master, 1ca0551, Feb 10 2015
 

Step 14 Obtain the Smart Meter Comm Module’s RF Mesh firmware image that is compatible with both the hardware version of the Smart Meter and the firmware version of the WPAN module located on the CGR.

Step 15 Open Itron OpenWay Shop Manager. Select the Firmware Files tab in the left pane.

Step 16 Click Import under Firmware Options. In the Import Firmware window, select the firmware file (cg-mesh-node-ITRDPKG-5.5.80-1ca0551-RELEASE-itron30.bin) and import it into the Shop Manager utility.

Step 17 In the Firmware Files window, navigate to OpenWay CENTRON > Hardware 3.1 > Single Phase ITRD > RF Mesh. In the right pane, click the check box under the column Active to select the file cg-mesh-node-ITRDPKG-5.5.80-1ca0551-RELEASE-itron30.bin for downloading into the Smart Meter, as shown in Figure 5-37.

Figure 5-37 Itron OpenWay Field-Pro—Import RF Mesh Firmware

 

Step 18 Open the Itron OpenWay Field-Pro utility. Press F1 or click Logon.

Step 19 Select Programming Functions > Firmware Load. Under Select a firmware file and press F1 to continue, select the file cg-mesh-node-ITRDPKG-5.5.80-1ca0551-RELEASE-itron30.bin listed under RF Mesh Firmware and click Select Firmware File, as shown in Figure 5-38.

Figure 5-38 Itron OpenWay Field-Pro—Select RF Mesh Firmware

 

Step 20 Select Confirm Download or Press F1 to begin downloading firmware, as shown in Figure 5-39.

Figure 5-39 Itron OpenWay Field-Pro—Confirm Download RF Mesh Firmware

 

Step 21 Wait for the download process to complete successfully. The Green Color Progress Bar in the right corner of the Field-Pro utility window shows the download status.

Step 22 In the Download Completed! page, select Logoff. Wait for a few minutes for the RF Mesh Comm Module firmware to be activated.

Step 23 Select Logon. In the Meter Summary page, confirm that the Comm Module Firmware Version shows the correct version of firmware loaded, as shown in Figure 5-40.

Figure 5-40 Itron OpenWay Field-Pro—Meter Summary RF Mesh Firmware Version

 

Step 24 Prepare the RF Mesh configuration in binary format using CGE Configuration Writer utility.

The Connected Grid Endpoint (CGE) Configuration Writer utility (cfgwriter) is a Java-based utility that takes as input an XML file with the endpoint configuration information and produces a binary (.bin) memory file. This utility may be executed on any host platform with the Java Run Time Environment installed. The endpoint configuration information includes the SSID of the WPAN it must join, the security certificates, etc. The binary configuration file (.bin) is programmed into the Communication Module on the Smart Meter. Refer to Figure 5-41.

Figure 5-41 Configuration Writer Utility—cfgwriter

 

The schema of the XML configuration file is dynamic and may change with each release of the CGE firmware. The documentation packaged with each cfgwriter release ZIP file is the most accurate source of information for the config schema. An example XML file (ciscodemo.xml) is shown below:

========================ciscodemo.xml================================
<DevCfgSchema>
  <Ieee_Cfg>
    <SSID>ciscodemo</SSID>
    <SecurityMode>1</SecurityMode>
    <Ieee8021xAuthIntervalMax>300</Ieee8021xAuthIntervalMax>
    <Ieee8021xAuthIntervalMin>20</Ieee8021xAuthIntervalMin>
    <Ieee802154Mode>1</Ieee802154Mode>
  </Ieee_Cfg>
  <CC1101_Cfg>
    <PATABLE>\xCF\xCF\xCF\xCF\xCF\xCF\xCF\xCF</PATABLE>
  </CC1101_Cfg>
  <Csmp_Cfg>
    <RegIntervalMax>600</RegIntervalMax>
    <RegIntervalMin>30</RegIntervalMin>
    <ReqSignedPost>false</ReqSignedPost>
    <ReqValidCheckPost>false</ReqValidCheckPost>
    <ReqTimeSyncPost>false</ReqTimeSyncPost>
    <ReqSecLocalPost>false</ReqSecLocalPost>
    <ReqSignedResp>false</ReqSignedResp>
    <ReqValidCheckResp>false</ReqValidCheckResp>
    <ReqTimeSyncResp>false</ReqTimeSyncResp>
    <ReqSecLocalResp>false</ReqSecLocalResp>
    <NMS_X509Cert><!-- NMS X.509 certificate data --></NMS_X509Cert>
  </Csmp_Cfg>
</DevCfgSchema>
=========================================================

Step 25 Use the cfgwriter utility to convert the XML file into binary format. Successful execution of the cfgwriter utility with the XML file and Smart Meter certificates as input returns a numeric code of ‘0’ on standard output (stdout).

java -jar cfgwriter-5.5.80.jar -i ITRD -x Meter.pfx -ca CAcert.cer -p keystore -w ciscodemo.xml ciscodemo5580.bin
 

The command line parameters used in the above command are explained in Table 5-15.

Table 5-15 Command Line Parameters

Parameter           Description
-w <config_file>    Write out a self-contained binary config given an input configuration file in XML format.
-i <class>          Generate Itron OpenWay binary file.
-ca <derfile>       CA Certificate (DER encoded) to be installed on the smart meter.
-x <pfxfile>        Smart Meter Certificate and Private Key file in PKCS12 (.pfx) format.
-p <password>       Supplicant Certificate and Key PFX password.


Step 26 To download the RF Mesh configuration file (.bin) to the Smart Meter, open Itron OpenWay Shop Manager. Select the Firmware Files tab in the left pane. Click Import under Firmware Options.

Step 27 In the Import Firmware window, select the firmware file (ciscodemo5580.bin) and import it into the Shop Manager utility.

Step 28 In the Firmware Files window, navigate to OpenWay CENTRON > Hardware 3.1 > Single Phase ITRD > RF Mesh Config. In the right pane, click the check box under the column Active to select the file ciscodemo5580.bin for downloading into the Smart Meter, as shown in Figure 5-42.

Figure 5-42 Itron OpenWay Shop Manager—Import RF Mesh Configuration

 

Step 29 Open the Itron OpenWay Field-Pro utility. Press F1 or click Logon. Select Programming Functions > Firmware Load. Under Select a firmware file and press F1 to continue, select the file ciscodemo5580.bin listed under RF Mesh Configuration and click Select Firmware File, as shown in Figure 5-43.

Figure 5-43 Itron OpenWay Field-Pro—Select RF Mesh Configuration

 

Step 30 Select Confirm Download or Press F1 to begin downloading firmware, as shown in Figure 5-44.

Figure 5-44 Itron OpenWay Field-Pro—Confirm Download RF Mesh Configuration

 

Step 31 Wait for the download process to complete successfully. The Green Color Progress Bar in the right corner of the Field-Pro utility window shows the download status.

Step 32 In the Download Completed! page, select Logoff. Wait a few minutes for the RF Mesh Configuration to be activated.

Step 33 Open Itron OpenWay Field-Pro. Select Logon. In the Meter Summary page, confirm that the Register Firmware Version and Comm Module Firmware Version show the correct versions that were downloaded in the previous steps. Note the ZigBee (HAN) MAC Address for the smart meter, as shown in Figure 5-45.

Figure 5-45 Itron OpenWay Field-Pro—Meter Summary Firmware Versions

 

Step 34 Navigate to Meter Operations > Comm Module Operations > Communication Status. In the Communication Status page, check the IEEE 802.1x Status, as shown in Figure 5-46.

Figure 5-46 Itron OpenWay Field-Pro Communication Status—802.1x Enabled Status

 

Step 35 Wait for a few minutes for the RPL tree formation. Verify the Comm Module IP Address obtained by the Smart Meter in the Meter Summary page.

Figure 5-47 Itron OpenWay Field-Pro—Meter Summary with IPv6 Address
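
Because the meter only joins the mesh when its SSID matches the WPAN interface, the XML from Step 24 is worth checking before Step 25 turns it into a binary. The following is an added example, not part of the original guide or of the cfgwriter package: it confirms the XML is well-formed and compares it with captured `sh wpan 4/1 config` output. Treating the XML `SecurityMode` element and the CGR's `security mode` field as the same setting, and requiring each Min interval to be no larger than its Max, are assumptions; the sample inputs are trimmed copies of the guide's own listings.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the "sh wpan 4/1 config" output shown in the guide.
CGR_WPAN_CONFIG = """\
module type: RF-WPAN (IEEE 802.15.4e/g RF 900MHz)
ssid: ciscodemo
panid: 100
security mode: 1
rpl prefix: 2001:DB8:4:4::1/64
"""

# Trimmed copy of ciscodemo.xml (raw string so \xCF stays literal text).
METER_XML = r"""<DevCfgSchema>
  <Ieee_Cfg>
    <SSID>ciscodemo</SSID>
    <SecurityMode>1</SecurityMode>
    <Ieee8021xAuthIntervalMax>300</Ieee8021xAuthIntervalMax>
    <Ieee8021xAuthIntervalMin>20</Ieee8021xAuthIntervalMin>
  </Ieee_Cfg>
  <CC1101_Cfg>
    <PATABLE>\xCF\xCF\xCF\xCF\xCF\xCF\xCF\xCF</PATABLE>
  </CC1101_Cfg>
  <Csmp_Cfg>
    <RegIntervalMax>600</RegIntervalMax>
    <RegIntervalMin>30</RegIntervalMin>
  </Csmp_Cfg>
</DevCfgSchema>
"""

# XML element -> field name in the CGR output (pairing is an assumption).
MUST_MATCH = (("Ieee_Cfg/SSID", "ssid"),
              ("Ieee_Cfg/SecurityMode", "security mode"))
# (min element, max element) pairs that should be ordered (assumption).
INTERVALS = (("Ieee_Cfg/Ieee8021xAuthIntervalMin", "Ieee_Cfg/Ieee8021xAuthIntervalMax"),
             ("Csmp_Cfg/RegIntervalMin", "Csmp_Cfg/RegIntervalMax"))


def parse_wpan_config(text):
    """Turn 'key: value' lines into a dict, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def preflight(xml_text, wpan_config_text):
    """Return a list of problems; an empty list means the XML passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A mismatched closing tag or truncated element ends up here.
        return [f"XML is not well-formed: {exc}"]
    cgr = parse_wpan_config(wpan_config_text)
    problems = []
    for xml_path, cgr_field in MUST_MATCH:
        meter_value = (root.findtext(xml_path) or "").strip()
        if meter_value != cgr.get(cgr_field):
            problems.append(f"{xml_path} is {meter_value!r} but CGR "
                            f"'{cgr_field}' is {cgr.get(cgr_field)!r}")
    for low_path, high_path in INTERVALS:
        low, high = root.findtext(low_path), root.findtext(high_path)
        if low is not None and high is not None and int(low) > int(high):
            problems.append(f"{low_path} ({low}) exceeds {high_path} ({high})")
    return problems


if __name__ == "__main__":
    for problem in preflight(METER_XML, CGR_WPAN_CONFIG) or ["no problems found"]:
        print(problem)
```
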

 


 

Multicast Configuration

This section describes the configuration required for multicast communication between CGR and IOK AMI head-end systems, such as FND. Multicast communication is primarily used by FND for firmware upgrade of Smart Meters. When the CGR receives IPv6 multicast traffic, it forwards the traffic over the WPAN interface as Layer 2 broadcast. Therefore, there is no IPv6 multicast on CGEs.

Refer to Figure 3-12, which depicts the traffic flow between the AMI IOK head-end systems and the CGR.

In the IOK AMI architecture, IPv6 multicast is deployed using PIM sparse mode and the HER (CSR1000V) as the Rendezvous Point (RP). CGR is configured to join the multicast group and receives the multicast packets from FND.

In IOK AMI deployments, the necessary configuration on the CGR for multicast communication is provisioned using ZTD.

To verify the multicast configuration, complete the following steps:


Step 1 Log in to CGR1K’s console. Verify whether IPv6 multicast routing has been enabled, IPv6 PIM has been configured, and RP address has been configured:

CGR#sh run | i pim
ipv6 multicast pim-passive-enable
ipv6 pim rp-address 2001:FACE::150
 

The IPv6 address 2001:FACE::150 is the address of the CSR1000v (HER).

Step 2 Verify whether the CGR has been configured to join the IPv6 prefix-based multicast group, whose address has the form FF38:40:<IPv6 Prefix of the WPAN interface>:

CGR#sh run int loopback 0
Building configuration...
Current configuration : 218 bytes
!
interface Loopback0
ip address 192.168.150.8 255.255.255.255
ipv6 address 2001:DB8:2:2::139/128
ipv6 mld join-group FF38:40:2001:DB8:4:4:0:1
ipv6 ospf 2 area 10.106.224.182
ipv6 ospf network point-to-point
end
 

Step 3 Verify the IPv6 multicast routing table on the CGR.

CGR#sh ipv6 mroute
Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,
C - Connected, L - Local, I - Received Source Specific Host Report,
P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,
J - Join SPT, Y - Joined MDT-data group,
y - Sending to MDT-data group
g - BGP signal originated, G - BGP Signal received,
N - BGP Shared-Tree Prune received, n - BGP C-Mroute suppressed,
q - BGP Src-Active originated, Q - BGP Src-Active received
E - Extranet
Timers: Uptime/Expires
Interface state: Interface, State
 
(*, FF05::1:3), 03:21:58/never, RP 2001:FACE::150, flags: SCLJ
Incoming interface: Tunnel0
RPF nbr: FE80::21E:49FF:FED3:DC00
Immediate Outgoing interface list:
Wpan4/1, Forward, 03:21:58/never
 
(*, FF38:40:2001:DB8:4:4:0:1), 03:22:31/never, RP 2001:FACE::150, flags: SCLJ
Incoming interface: Tunnel0
RPF nbr: FE80::21E:49FF:FED3:DC00
Immediate Outgoing interface list:
Loopback0, Forward, 03:22:31/never
 
(2001:FACE::20C:29FF:FEE3:BF49, FF38:40:2001:DB8:4:4:0:1), 00:00:36/00:02:53, flags: SJT
Incoming interface: Tunnel0
RPF nbr: FE80::21E:49FF:FED3:DC00
Inherited Outgoing interface list:
Loopback0, Forward, 03:22:31/never
 

Step 4 Log in to the CSR1000V console. Verify whether IPv6 multicast routing has been enabled and IPv6 PIM has been configured.

iok-csr#sh run | i multicast
ipv6 multicast-routing
ipv6 multicast pim-passive-enable
iok-csr#
 

Step 5 Verify the IPv6 multicast routing table on CSR1000V.

iok-csr#sh ipv6 mroute
Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,
C - Connected, L - Local, I - Received Source Specific Host Report,
P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,
J - Join SPT, Y - Joined MDT-data group,
y - Sending to MDT-data group
g - BGP signal originated, G - BGP Signal received,
N - BGP Shared-Tree Prune received, n - BGP C-Mroute suppressed,
q - BGP Src-Active originated, Q - BGP Src-Active received
E - Extranet
Timers: Uptime/Expires
Interface state: Interface, State
 
(*, FF05::1:3), 2d00h/never, RP ::, flags: SPC
Incoming interface: Null
RPF nbr: ::
Immediate Outgoing interface list:
GigabitEthernet2, Null, 2d00h/never
 
(2001:FACE::20C:29FF:FEE3:BF49, FF38:40:2001:DB8:4:4:0:1), 00:00:41/00:02:48, flags: SP
Incoming interface: GigabitEthernet2
RPF nbr: 2001:FACE::20C:29FF:FEE3:BF49
Outgoing interface list: Null
 

Step 6 Log in to FND using SSH. Verify the IPv6 addresses configured on the Eth0 interface:

[root@iok-fnd ~]# ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:face::20c:29ff:fee3:bf49/64 scope global dynamic
valid_lft 2591988sec preferred_lft 604788sec
inet6 2001:face::190/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fee3:bf49/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 fe80::20c:29ff:fee3:bf53/64 scope link
valid_lft forever preferred_lft forever
[root@iok-fnd ~]#
 

Step 7 Ping the IPv6 Multicast Address and confirm reachability.

[root@iok-fnd ~]# ping6 FF38:40:2001:DB8:4:4:0:1
PING FF38:40:2001:DB8:4:4:0:1(ff38:40:2001:db8:4:4:0:1) 56 data bytes
64 bytes from 2001:db8:2:2::149: icmp_seq=6 ttl=63 time=43.3 ms
^C
--- FF38:40:2001:DB8:4:4:0:1 ping statistics ---
8 packets transmitted, 1 received, 87% packet loss, time 7000ms
rtt min/avg/max/mdev = 43.385/43.385/43.385/0.000 ms
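
The group address checked in Step 2 follows the unicast-prefix-based multicast layout of RFC 3306: 0xFF, flags 0x3 (P and T bits), a 4-bit scope, a reserved byte, the prefix length (0x40 = 64), the 64-bit network prefix and a 32-bit group ID. The following is an added example, not part of the original guide: it derives the expected group from the WPAN interface address and confirms that an `ipv6 mld join-group` statement for it exists. The sample configuration is assembled from the guide's running-config excerpts; the scope value 8 and group ID 1 are read off the guide's address, and the function names are hypothetical.

```python
import ipaddress

# Assembled from the running-config excerpts shown in the guide.
RUNNING_CONFIG = """\
interface Loopback0
 ipv6 address 2001:DB8:2:2::139/128
 ipv6 mld join-group FF38:40:2001:DB8:4:4:0:1
!
interface Wpan4/1
 ipv6 address 2001:DB8:4:4::1/64
 ipv6 dhcp server iok-dhcpd6 rapid-commit
"""


def prefix_based_group(wpan_address, group_id=1, scope=0x8):
    """Build the RFC 3306 group address for the prefix of a WPAN interface."""
    net = ipaddress.IPv6Interface(wpan_address).network
    if net.prefixlen > 64:
        raise ValueError("RFC 3306 embeds at most a 64-bit prefix")
    if not 0 <= group_id < 2**32 or not 0 <= scope < 16:
        raise ValueError("group_id must fit 32 bits and scope 4 bits")
    prefix64 = int(net.network_address) >> 64
    value = (0xFF << 120        # multicast
             | 0x3 << 116       # flags: P (prefix-based) and T (transient)
             | scope << 112     # 8 = organization-local
             | net.prefixlen << 96
             | prefix64 << 32
             | group_id)
    return ipaddress.IPv6Address(value)


def decode_group(address):
    """Split a prefix-based multicast address back into its fields."""
    value = int(ipaddress.IPv6Address(address))
    if value >> 120 != 0xFF:
        raise ValueError(f"{address} is not a multicast address")
    plen = (value >> 96) & 0xFF
    prefix64 = (value >> 32) & (2**64 - 1)
    return {
        "flags": (value >> 116) & 0xF,
        "scope": (value >> 112) & 0xF,
        "plen": plen,
        "prefix": ipaddress.IPv6Network((prefix64 << 64, plen), strict=False),
        "group_id": value & 0xFFFFFFFF,
    }


def audit_join_group(config):
    """Return (expected_group, joined) for an IOS running-config excerpt."""
    interface, wpan_address, joined = None, None, []
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "interface" and len(words) > 1:
            interface = words[1]
        elif words[:2] == ["ipv6", "address"] and interface \
                and interface.lower().startswith("wpan"):
            wpan_address = words[2]
        elif words[:3] == ["ipv6", "mld", "join-group"] and len(words) > 3:
            joined.append(ipaddress.IPv6Address(words[3]))
    if wpan_address is None:
        raise ValueError("no IPv6 address found on a WPAN interface")
    expected = prefix_based_group(wpan_address)
    return expected, expected in joined


if __name__ == "__main__":
    expected, joined = audit_join_group(RUNNING_CONFIG)
    print(expected, "joined" if joined else "NOT joined")
    print(decode_group(expected))
```
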
 


 

Firmware Management

Field Network Director (FND) serves as a repository for CGR and CGE firmware images. FND can be used to upgrade the firmware running on groups of devices by loading the firmware image file onto the FND server and then uploading the image to devices in the group. Once uploaded, the firmware image can be installed on the devices directly from FND. IOS upgrades of FAR (CGR1K) devices use unicast communication, while firmware upgrades of a group of CGEs (smart meters) use either unicast or multicast communication.

IOS Upgrade of CGR using FND

FND can be used to upgrade the firmware running on FARs (CGR) by storing the firmware binaries in its database for later transfer to FARs in a firmware group through a CGDM file transfer.

To perform firmware upgrade of FAR using FND, perform the following tasks:


Step 1 Log in to the FND Web GUI.

Step 2 Choose Config > Firmware Update.

Step 3 Click the Groups tab.

Step 4 In the FIRMWARE GROUPS pane, select default-cgr1000.

Step 5 Click Add Group at the top-right of the FIRMWARE GROUPS pane.

Step 6 In the Add Group dialog box, enter the name of the firmware group as IOS-1551T.

Step 7 Click Add. The new group label IOS-1551T appears under the ROUTER device type in the FIRMWARE GROUPS pane, as shown in Figure 5-48.

Figure 5-48 Firmware Groups—Add Group

 

Step 8 In the FIRMWARE GROUPS pane on the left, select default-cgr1000. In the right-hand pane, select the check box of the CGRs on which firmware upgrade will be done and click Change Firmware Group.

Step 9 From the Firmware Group drop-down menu, choose the firmware group IOS-1551T and click Change Firmware Group, as shown in Figure 5-49.

Figure 5-49 Firmware Groups—Change Firmware Group

 

Step 10 In the FIRMWARE GROUPS pane, select IOS-1551T and verify the CGRs selected earlier are now shown as members of the new group, as shown in Figure 5-50.

Figure 5-50 Firmware Groups—New Group Membership

 

Step 11 Choose Config > Firmware Update. Click the Images tab.

Step 12 In the FIRMWARE IMAGES pane, select ROUTER and IOS-CGR as the device type.

Step 13 Click Add Image at the top right of the pane. Click Browse to locate the firmware image to upgrade the CGR. Select the image and click Add File, as shown in Figure 5-51.

Figure 5-51 Upload FAR Firmware Image

 

Step 14 Verify that the newly added FAR firmware image appears in the FIRMWARE IMAGES pane, as shown in Figure 5-52.

Figure 5-52 Verify Uploaded FAR Firmware Image

 

Step 15 To upload the firmware image to the ROUTER firmware group IOS-1551T, click the Groups tab.

Step 16 In the FIRMWARE GROUPS pane, select the firmware group IOS-1551T. Click Upload Image.

Step 17 From the Select Type drop-down menu, choose IOS-CGR. From the Select an Image drop-down menu, choose the FAR firmware image uploaded to FND in earlier steps. Click Upload Image. Refer to Figure 5-53.

Figure 5-53 Upload Image to New Firmware Group

 

Step 18 On the right-hand pane, verify that the Current Action shows Upload Image and the Current Status shows Running. The Activity and Update Progress columns in Figure 5-54 show AWAITING_UPLOAD and 0% respectively.

Figure 5-54 Firmware Update Progress—Awaiting Upload

 

Step 19 Monitor the Activity and Update Progress columns in the right-hand pane. Activity shows as Partially Uploaded and Update Progress column shows the percentage upload completed, as shown in Figure 5-55.

Figure 5-55 Firmware Update Progress—Partially Uploaded

 

Step 20 Confirm the firmware upload is complete by viewing the Activity and Update Progress columns, as shown in Figure 5-56.

Figure 5-56 Firmware Update Progress—Fully Uploaded

 

Step 21 Click on the Install Image option at the top to upgrade the CGR firmware and accept the prompt that appears, as shown in Figure 5-57.

Figure 5-57 Firmware Install Progress—Awaiting Install

 

Step 22 During the firmware update process, notice that the CGR goes down for a reboot with the Reload reason as Firmware Upgrade, as shown in Figure 5-58.

Figure 5-58 Firmware Install Progress—Updating Firmware

 

Step 23 Finally, after the CGR comes back up, verify the software version is upgraded as expected. Notice the last reload reason shows Firmware Upgrade in the show version command output.

CGR#sh version
Cisco IOS Software, cgr1000 Software (cgr1000-UNIVERSALK9-M), Version 15.5(1)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 02-Mar-15 06:33 by prod_rel_team
 
ROM: Bootstrap program is CGR1000
 
CGR uptime is 3 minutes
System returned to ROM by CLI initiated reload at 13:21:52 UTC Mon Nov 2 2015
System image file is "flash:/managed/images/cgr1000-universalk9-mz.SPA.155-1.T1"
Last reload reason: Firmware Upgrade
< Output Omitted>
 


 

Firmware Upgrade of CGEs using FND

FND can also be used for firmware upgrade of a group of CGEs (smart meters). Firmware update actions from FND communicate with the nodes over both multicast and sequential unicast, chosen per PAN and per message. Multicast communication is used when many nodes in the PAN need to be contacted. In general, multicast is used when more than 10% of the nodes in the PAN need the message. Otherwise, unicast communication is used.

To perform firmware upgrade of Itron Smart Meters using FND, perform the following tasks:


Step 1 Log in to FND web GUI.

Step 2 Choose Config > Firmware Update.

Step 3 Click the Groups tab.

Step 4 In the FIRMWARE GROUPS pane, select default-cgmesh.

Step 5 Click Add Group at the top-right of the FIRMWARE GROUPS pane.

Step 6 In the Add Group dialog box, enter the name of the firmware group as NewFirmwareGroup.

Step 7 Click Add. The new group label NewFirmwareGroup appears under the ENDPOINT device type in the FIRMWARE GROUPS pane, as shown in Figure 5-59.

Figure 5-59 Firmware Management—Add Firmware Group

 

Step 8 In the FIRMWARE GROUPS pane, select default-cgmesh. Select the Devices tab.

Step 9 Select the check boxes of the devices to be moved. Click Change Firmware Group.

Step 10 From the Firmware Group drop-down menu, choose the firmware group NewFirmwareGroup.

Step 11 Click Change Firmware Group, as shown in Figure 5-60.

Figure 5-60 Firmware Management—Change Firmware Group

 

Step 12 In the FIRMWARE GROUPS pane, select NewFirmwareGroup. Select the Devices tab. Verify the endpoint devices are shown as members, as shown in Figure 5-61.

Figure 5-61 Firmware Management—Group Members

 

Step 13 Choose Config > Firmware Update. Click the Images tab.

Step 14 In the FIRMWARE IMAGES pane, select ENDPOINT and RF as the device type.

Step 15 Click Add Image. Click Browse to locate the firmware image. Select the image and click Add File, as shown in Figure 5-62.

Figure 5-62 Firmware Management—Add Firmware Image to Endpoint

 

Step 16 Verify that the image appears in the FIRMWARE IMAGES pane, as shown in Figure 5-63.

Figure 5-63 Firmware Management—RF Firmware Images List

 

Step 17 Upload the firmware image to the ENDPOINT firmware group NewFirmwareGroup by clicking the Groups tab.

Step 18 In the FIRMWARE GROUPS pane, select the firmware group NewFirmwareGroup. Click Firmware Management. Click Upload Image.

Step 19 From the Select Type drop-down menu, choose RF. From the Select an Image drop-down menu, choose the firmware image. Click Upload Image. Refer to Figure 5-64.

Figure 5-64 Firmware Management—Upload Image to Firmware Group

 

Step 20 Under Firmware Management, verify the Current Status. The status is shown as Image Loading, as shown in Figure 5-65.

Figure 5-65 Firmware Management—Firmware Upload Status

 

Step 21 Click the Devices tab and monitor the Activity column. The status is shown as Partially Uploaded. The Update Progress column shows the percentage upload completed, as shown in Figure 5-66.

Figure 5-66 Firmware Management—Firmware Upload Activity Progress

 

Step 22 Click the Devices tab and confirm the upload of firmware is complete, as shown in Figure 5-67.

Figure 5-67 Firmware Management—Firmware Upload Completed

 

Step 23 Click Firmware Management. Click the Schedule Install and Reload button. Specify the date and time for the installation of the image and the rebooting of the device. Click Set Reboot Time. Refer to Figure 5-68.

Figure 5-68 Firmware Management—Schedule Install and Reload

 

Step 24 Under Firmware Management, verify the status of Scheduled Reload, as shown in Figure 5-69.

Figure 5-69 Firmware Management—Scheduled Reload Status

 

Step 25 Click Logs. The events under this tab show the status of the firmware upload and whether unicast/multicast is being used for communication with the CG Mesh Endpoints. In this case, unicast communication was used (Multicast=no). Refer to Figure 5-70.

Figure 5-70 Firmware Management—Event Logs

 

In the Logs tab, the Multicast column indicates yes if multicast communication has been used, as shown in Figure 5-71. The Address column shows the multicast group address that was used for this communication.

Figure 5-71 Firmware Management—Multicast Status Logs

 

Step 26 Under the Devices tab, verify that the firmware versions of the CGEs now show the upgraded version, as per the firmware image that was uploaded to them. Refer to Figure 5-72.

Figure 5-72 Firmware Management—Firmware Upgrade Completed

 

Step 27 Open Itron OpenWay Field-Pro. Select Logon. In the Meter Summary page, verify the Comm Module Firmware Version shows the correct version that was downloaded to it using FND, as shown in Figure 5-73.

Figure 5-73 Firmware Management—Itron Smart Meter Comm Module Firmware Version

 


 

IOK Field Network Director

Integration with GIS


Step 1 On the FND web GUI, select Devices > Field Devices > ENDPOINT, as shown in Figure 5-74.

Figure 5-74 FND GIS -Endpoint in GIS

 

Step 2 Verify that on the right pane, all the endpoints are marked on the map.


 

CG-Mesh Node Reachability

Ping CG-Mesh Node


Step 1 On the FND GUI, select Field Device > ENDPOINT, and on the right pane check the endpoint serial number, as shown in Figure 5-75.

Figure 5-75 FND Meter Ping—Select the Endpoint to Ping

 

Step 2 Click the Ping button, as shown in Figure 5-76.

Figure 5-76 FND Meter Ping—Initiate Ping

 

Step 3 Verify the ping was successful, as shown in Figure 5-77.

Figure 5-77 FND Meter Ping—Successful Ping

 

Step 4 Verify the ping output in detail, as shown in Figure 5-78.

Figure 5-78 FND Meter Ping —Ping Output in Detail

 


 

Traceroute to CG-Mesh Node


Step 1 On the FND GUI, select Field Device > ENDPOINT, and on the right pane check the endpoint serial number, as shown in Figure 5-79.

Figure 5-79 FND Meter Ping—Select Endpoint to Trace

 

Step 2 Click the traceroute button, as shown in Figure 5-80.

Figure 5-80 FND Meter Ping—traceroute in Progress

 

Step 3 Verify the traceroute was successful, as shown in Figure 5-81.

Figure 5-81 FND Meter Ping—traceroute in Progress

 


 

IOK Advanced Metering Infrastructure

Itron OpenWay Collection Engine

This section explains the procedure to integrate the Itron OpenWay Collection Engine with IOK.

Integration with IOK

For the Itron Collection Engine to communicate with an IOK deployment, complete the following procedure to integrate the Itron Collection Engine and IOK:


Step 1 Open the command prompt and change to the folder C:\Users\itronee>.

Step 2 Execute the command sqlplus AMI/AMI@Openway to log in to SQL.

Step 3 Execute the command SELECT serialnumber,nativeaddress FROM node.

Step 4 Update the node using the command UPDATE server SET nativeaddress = '[<native IPv6 address>]' WHERE serialnumber in ('MasterRelay', 'CollectionEngine').

Example:

SQL> UPDATE server SET nativeaddress = '[2001:face::180]' WHERE serialnumber in ('MasterRelay', 'CollectionEngine');
 

Step 5 Save the changes using the command COMMIT.

Step 6 Update the preferred IP address for CE using the command UPDATE server SET PREFERREDIPADDRESSC1222 = '<IPv4 address>'.

Example:

SQL> UPDATE server SET PREFERREDIPADDRESSC1222 = '10.106.224.188';
 
Update the preferred IPv6 address for CE using the command UPDATE server SET PREFERREDIPADDRESSC1222_IPV6 = '<IPV6 address>';.
 

Example:

SQL> UPDATE server SET PREFERREDIPADDRESSC1222_IPV6 = '2001:face::180';
 

Step 7 Save the changes using the command COMMIT.

Step 8 Exit the SQL mode using the command quit.
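The address formats in Steps 4 and 6 differ (the native address is a bracketed IPv6 literal, the preferred addresses are not), and the Step 6 updates carry no WHERE clause, so a mistyped value is written to every row before COMMIT. The following pre-flight check is an added example, not part of the Cisco or Itron tooling; the function names build_ce_updates and _parse are hypothetical, and the statements it emits are the ones given in the steps above.

```python
import ipaddress

# Serial numbers named in the page's Step 4 UPDATE.
CE_SERIALS = ("MasterRelay", "CollectionEngine")


def _parse(text, cls, label):
    """Parse text as cls (IPv4Address/IPv6Address); reject unusable values."""
    if "%" in text:
        # Python accepts IPv6 zone IDs ("fe80::1%eth0") with arbitrary
        # characters after '%', so refuse them before building SQL text.
        raise ValueError(label + ": zone IDs are not allowed")
    addr = cls(text)  # raises ValueError (AddressValueError) if malformed
    # Added sanity check (assumption): a server address must be unicast.
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
        raise ValueError(label + ": not a usable unicast address")
    return addr


def build_ce_updates(native_v6, preferred_v4, preferred_v6):
    """Return the Step 4-7 statements, or raise ValueError on a bad address."""
    # Step 4 stores the native address in brackets: '[2001:face::180]'.
    if not (native_v6.startswith("[") and native_v6.endswith("]")):
        raise ValueError("native address must be written as [IPv6]")
    native = _parse(native_v6[1:-1], ipaddress.IPv6Address, "native address")
    # Step 6 stores the preferred addresses without brackets.
    v4 = _parse(preferred_v4, ipaddress.IPv4Address, "preferred IPv4")
    v6 = _parse(preferred_v6, ipaddress.IPv6Address, "preferred IPv6")
    serials = ", ".join("'%s'" % s for s in CE_SERIALS)
    # The canonical str(addr) form is emitted, never the raw input string.
    return [
        "UPDATE server SET nativeaddress = '[%s]' WHERE serialnumber in (%s);"
        % (native, serials),
        "COMMIT;",
        "UPDATE server SET PREFERREDIPADDRESSC1222 = '%s';" % v4,
        "UPDATE server SET PREFERREDIPADDRESSC1222_IPV6 = '%s';" % v6,
        "COMMIT;",
    ]


if __name__ == "__main__":
    # The values below are the ones used in the page's examples.
    for stmt in build_ce_updates("[2001:face::180]", "10.106.224.188",
                                 "2001:face::180"):
        print(stmt)
```

The printed statements can be pasted at the SQL> prompt after the Step 3 SELECT has been reviewed.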


 

Meter Management

Adding Smart Meters to Collection Engine System


Step 1 Open the Itron OpenWay Collection Engine application in a web browser at the URL http://<CE_IP>. Use the default username admin and default password 1234, as shown in Figure 5-82.

Figure 5-82 Adding Meters to CE—Home Screen

 

Step 2 Select Group Management under the Meter Management menu item, as shown in .

Figure 5-83 Adding Meters to CE—Group Management Menu

 

Step 3 Click the Add Endpoint to System link, as shown in Figure 5-84.

Figure 5-84 Adding Meters to CE—Import Endpoints Details

 

Step 4 Click the Browse button and choose the XML file, which contains the endpoints/meter information. The contents of the XML file would be similar to the example shown in Figure 5-85.

Figure 5-85 Adding Meters to CE—XML File Contents for Adding Meters into CE

 

Step 5 Click the Add Endpoints button, as shown in Figure 5-86.

Figure 5-86 Adding Meters to CE—Adding Endpoints Window

 

Step 6 Click the OK button on the pop-up window to confirm adding endpoints to the system, as shown in Figure 5-87.

Figure 5-87 Adding Meters to CE—Confirm Adding Endpoints to System

 

Step 7 Verify that the endpoints were added to the system successfully, as shown in Figure 5-88.

Figure 5-88 Adding Meters to CE—Home Screen

 

In Figure 5-88, out of the four endpoints defined in the XML file, only three are added to the system. The remaining endpoint is excluded because it was added to the system previously.


 

Assigning Endpoints to Group

Endpoints/Smart Meters need to be assigned to a specific group to acquire the configuration from the group.

Launch the Itron OpenWay Collection Engine on a web browser and complete the following procedure to assign endpoints to a group:


Step 1 Select Group Management under the Meter Management menu item, as shown in Figure 5-89.

Figure 5-89 Assign Endpoints to a Group—Group Management Menu

 

Step 2 Click the Assign Endpoint Group Membership link, as shown in Figure 5-90.

Figure 5-90 Assign Endpoints to a Group—Home

 

Step 3 Select the drop-down menu to choose the specific group, as shown in Figure 5-91.

Figure 5-91 Assign Endpoints to a Group—Group Membership Window

 

Step 4 Choose the group where the endpoints need to be assigned, as shown in Figure 5-92.

Figure 5-92 Assign Endpoints to a Group—Group Selection

 

Step 5 Click the Browse button to import the text file that contains the endpoint serial numbers, as shown in Figure 5-93.

Figure 5-93 Itron Assigning Meter to group—Browse Input File

 

Step 6 Click the Add Endpoints button to add the endpoints defined in the text file, as shown in Figure 5-94.

Figure 5-94 Itron Assigning Meter to Group—Choosing the Endpoint Text File

 

Step 7 Confirm by clicking the OK button on the confirmation window, as shown in Figure 5-95.

Figure 5-95 Itron Assigning Meter to Group—Home

 

Step 8 Verify that in the Results pane, the results show as Successful, as shown in Figure 5-96.

Figure 5-96 Itron Assigning Meter to Group—Successful

 


 

Node Ping


Step 1 Click the meter configuration menu item, as shown in Figure 5-97.

Figure 5-97 Itron CE Node Ping—Home Screen

 

Step 2 Click Configuration Management under the Meter Management menu item, as shown in Figure 5-98.

Figure 5-98 Itron CE Node Ping—Meter Configuration List

 

Step 3 Click the meter configuration menu item, as shown in Figure 5-99.

Figure 5-99 Itron CE Node Ping—Configuration List Continued

 

Step 4 Click the meter configuration menu item, as shown in Figure 5-100.

Figure 5-100 Itron CE Node Ping—Meter Details

 

Step 5 Click the Node Ping link, as shown in Figure 5-101.

Figure 5-101 Itron CE Node Ping—Meters Information

 

Step 6 Verify that Node Ping is being processed, as shown in Figure 5-102.

Figure 5-102 Itron CE Node Ping—Node Ping Progress

 

Step 7 Verify the Node Ping was successful, as shown in Figure 5-103.

Figure 5-103 Itron CE Node Ping—Node Ping Successful

 


 

Interactive Read

Interactive read can be used to read the Smart Meter data.


Step 1 Select the Interactive Read function, which is available under the Tools menu item, as shown in Figure 5-104.

Figure 5-104 Itron CE Interactive Read—Interactive Read

 

Step 2 Input the endpoint serial number and click the Find Endpoints button, as shown in Figure 5-105.

Figure 5-105 Itron CE Interactive Read—Search Endpoints

 

Step 3 Choose the endpoint for which the meter data needs to be read, as shown in Figure 5-106.

Figure 5-106 Itron CE Interactive Read—Choose Endpoint

 

Step 4 Click the Read Endpoints button, as shown in Figure 5-107.

Figure 5-107 Itron CE Interactive Read—Read Endpoint

 

Step 5 Click the meter configuration menu item, as shown in Figure 5-108.

Figure 5-108 Itron CE Interactive Read—Meter Data Reading Running

 

Step 6 Verify that Meter/Endpoint data is displayed on the screen, as shown in Figure 5-109.

Figure 5-109 Itron CE Interactive Read—Meter Data Display

 


 

IOK Upgrade


Step 1 On the Orchestration web GUI, click the Upgrade button and browse to the file system to select the upgrade patch for the version installed.

Figure 5-110 Upgrade—Launch Upgrade

 

Step 2 Verify the success message after the upgrade and click the OK button, as shown in Figure 5-111.

Figure 5-111 Upgrade—Upgrade Completed

 

Step 3 Verify that when the upgrade is completed, the Orchestration is logged out. The user needs to log in again with the default credentials, as shown in Figure 5-112.

Figure 5-112 Upgrade—Upgrade Restart

 


 

IOK Backup and Restore

IOK Backup

The IOK Backup feature available in the Orchestration GUI is used to take configuration copies of the current IOK deployment.

Complete the following steps for the backup procedure:


Step 1 From the Orchestration GUI, select the Backup option and confirm the backup, as shown in Figure 5-113.

Figure 5-113 Initiate and Confirm IOK Backup

 

Step 2 Choose OK when the backup is successfully completed, as shown in Figure 5-114.

Figure 5-114 Complete the IOK Backup

 


 

IOK Restore

The IOK Restore feature available in the Orchestration GUI is used to restore the IOK configuration from the backup copies.

Complete the following steps for the restore procedure:


Step 1 From the Orchestration GUI, select Restore and select the backup configuration file to restore, as shown in Figure 5-115.

Figure 5-115 Retrieving the IOK Backup Files

 

Step 2 Choose Restore when the backup file has been retrieved, as shown in Figure 5-116.

Figure 5-116 Choose the IOK Backup Files

 


 

Uninstalling IOK Deployment

This section discusses how to uninstall IOK. The uninstaller script that comes with the IOK package is used to clean up and uninstall the IOK deployment. The script powers off all VMs, deletes them, and cleans up all network interface configurations created during installation.


Step 1 Open the command prompt and go to the folder where the IOK installation files are available.

Step 2 Execute the uninstaller script by using the command cisco_iok_uninstaller.exe.

Step 3 If a configuration XML file is already available with the ESXi host details, such as the ESXi host IP, username, and password, the script will not ask for any further details. Press Y to start the uninstallation process, as shown in .

Figure 5-117 Uninstalling IOK—Using XML Configuration File

 

Step 4 If there is no XML configuration file, the uninstaller script will ask for the ESXi host IP, username, and password. When all the information has been entered on the command line, the uninstaller script will start immediately, as shown in Figure 5-118.

Figure 5-118 Uninstalling IOK—Without XML Configuration File