Curso 5 Capacitación 1921 NEMS

Administrator Guide for
SecureMesh WAN and NEMS

for NEMS version 10
Item Number: DP-1388

Revision: 2.1
Item Name: Document - Administrator Guide for SecureMesh WAN and NEMS
Trilliant Inc.
1100 Island Drive
Redwood City, California 94065
NOTICE: The contents of this document are proprietary and confidential and the property of Trilliant Holdings, Inc., its subsidiaries, affiliats, and/or licensors.
This document is provided subject to the confidentiality obligations set forth in the agreement between your company and Trilliant. The contents may not be
used or disclosed without the express written consent of Trilliant.
Trilliant
Proprietary Notice
Copyright © Trilliant Holdings Inc. 2004 – 2015. All rights reserved.
This document describes products, software and services (“Products”) of Trilliant Holdings Inc.,
its parents, subsidiaries, affiliates and/or its licensors. This document is licensed, not sold.
Except as set out in the License or other written agreement between Trilliant and your company:
(1) the purchase or use of a Product from Trilliant does not convey a license under any patent
rights, copyrights, trademark rights, or any other of the intellectual property rights of Trilliant or
third parties; (2) Trilliant does not assume any responsibility or liability arising out of the use of
this document or any Product it describes; and (3) no part of the document may be disclosed in
any form to any third party.
Trilliant reserves the right to make changes to this document or to any Products it describes at any
time with or without notice.
Use, duplication, or disclosure by the U.S. Government is subject to restrictions of FAR 52.227-
14 (g) (2) (6/87) and FAR 52.227-19 (6/87), or DFAR 252.227-7015 (b) (6/95) and DFAR
227.7202-3 (a).
Trilliant®, SecureMesh®, and UnitySuite® are registered trademarks of Trilliant. Any third-party
name or mark mentioned in this document may be a trademark of its owners.
August 3, 2015
i
Trilliant
ii
Trilliant
iii
Trilliant
Table of Contents
Chapter 1 - About this Guide.......................................................................................................................................1
Audience and Purpose .............................................................................................................................................2
How This Guide Is Organized .................................................................................................................................3
Conventions Used in This Guide .............................................................................................................................4
Text Conventions ..............................................................................................................................................4
Syntax Conventions ..........................................................................................................................................4
Chapter 2 - Installing the OS and NEMS ...................................................................................................................5

Required Hardware and Software............................................................................................................................6
Design Your Simple Network ..................................................................................................................................8
Installing CentOS...................................................................................................................................................10
To install CentOS:...............................................................................................................................10
Installing NEMS ....................................................................................................................................................21
To install NEMS: ................................................................................................................................21
Chapter 3 - Getting Started with NEMS...................................................................................................................35

Example SecureMesh WAN Network Layout .......................................................................................................36
Configuring DHCP ................................................................................................................................................37
Enabling DHCP in NEMS ..................................................................................................................37
Adding a Gateway .................................................................................................................................................43
Gateway Troubleshooting...............................................................................................................................55
Creating Node Profiles...........................................................................................................................................57
Creating an Extender Bridge Profile...............................................................................................................57
Creating a Connector Profile ..........................................................................................................................59
Configuring Data Collection Intervals............................................................................................................61
Adding an Extender Bridge ...................................................................................................................................64
Extenders and Extender Bridges with PSUs...................................................................................................68
Adding a Connector ...............................................................................................................................................71
Adding a Collector.................................................................................................................................................75
Manually adding a Collector ..........................................................................................................................75
Setting up Collector Discovery.......................................................................................................................76
Chapter 4 - The NEMS Interface ..............................................................................................................................79

Using the Trilliant NEMS Interface.......................................................................................................................80
Compatible Browsers......................................................................................................................................80
Logging into NEMS .......................................................................................................................................80
To log into NEMS:..............................................................................................................................80
Changing your NEMS Password ....................................................................................................................83
To change your NEMS password .......................................................................................................83
User Management: Changing Another User’s Password ...............................................................................85
To change a user’s password...............................................................................................................85
To force a user to change password at login .......................................................................................88
Setting your View Preference .........................................................................................................................91
To change your view preference .........................................................................................................91
Using the Display Pane...................................................................................................................................92
Administrator Guide for SecureMesh WAN and NEMS iv

Chapter 1 - Trilliant
Searching in NEMS ........................................................................................................................................94

Global vs Local Searches Example .........................................................................................................94
Perform a Local Search.......................................................................................................................95
Perform a Global Search .....................................................................................................................96
Opening a new tab in NEMS ..........................................................................................................................96
Monitoring Your SecureMesh Devices..................................................................................................................98
Unified View Toolbar Buttons......................................................................................................................100
WAN Network Inventory Graph ...........................................................................................................102
Monitoring Your SecureMesh WAN Devices......................................................................................................105
WAN Tree View............................................................................................................................................106
Displaying the WAN Tree view........................................................................................................106
WAN Flat View.............................................................................................................................................107
Displaying the Flat View ..................................................................................................................107
WAN Node Icons in the Display Pane..........................................................................................................107
WAN View Toolbar Buttons .........................................................................................................................110
Monitoring your NAN Devices ........................................................................................................................... 111
NAN Tree View ............................................................................................................................................112
The Global Collector Devices Window ................................................................................................112
Displaying the Global Collector Devices Window...........................................................................112
The Subnet-Based Window...................................................................................................................113
Displaying the Subnet-Based Window .............................................................................................113
The Collector-Based Window ...............................................................................................................115
Displaying the Collector-Based Window..........................................................................................115
Export from the Tabular Node View ................................................................................................117
NAN Node Icons in the Display Pane ..........................................................................................................124
NAN View Toolbar Buttons .........................................................................................................................126
Chapter 5 - Alarms and Events in NEMS...............................................................................................................129

Alarms and Events Overview ..............................................................................................................................130
Alarms...........................................................................................................................................................130
Alarm Severity.......................................................................................................................................131
Events ...........................................................................................................................................................132
Event Severity .......................................................................................................................................134
Viewing Alarms and Events.................................................................................................................................136
Viewing Alarms ............................................................................................................................................136
The Global Alarms Summary................................................................................................................137
The Tree View.......................................................................................................................................137
The Alarm Details Window...................................................................................................................138
Viewing Events.............................................................................................................................................139
Viewing All Events ...............................................................................................................................140
To see a list of all events:..................................................................................................................140
Viewing Events Related to an Alarm ....................................................................................................141
View an alarm’s related events .........................................................................................................141
Working with Alarms, Performance Thresholds, and Event Monitoring ............................................................143
Alarms...........................................................................................................................................................143
Acknowledging and Clearing Alarms ...................................................................................................143
Acknowledge an alarm......................................................................................................................143
Clear an alarm ...................................................................................................................................145
Deleting Alarms.....................................................................................................................................147
Performance Thresholds ...............................................................................................................................149
v Administrator Guide for SecureMesh WAN and NEMS

Trilliant
Modulation Thresholds..........................................................................................................................149
Create New Modulation Thresholds .................................................................................................150
Edit Existing Modulation Thresholds ...............................................................................................153
Delete an existing Modulation Threshold .........................................................................................155
Modulation and RSSI Thresholds .........................................................................................................156
Create a new Modulation and RSSI Threshold.................................................................................156
Edit an existing Modulation Rate and RSSI Threshold ....................................................................159
Delete a Modulation and RSSI Threshold ........................................................................................161
RSSI Thresholds....................................................................................................................................163
Create a new RSSI Threshold ...........................................................................................................163
Edit an existing RSSI Threshold .......................................................................................................166
Delete an RSSI Threshold.................................................................................................................168
NAN Threshold Monitoring ..................................................................................................................169
Create a new NAN Threshold ...........................................................................................................170
Edit an existing NAN Threshold.......................................................................................................172
Delete a NAN Threshold...................................................................................................................174
Event Monitoring..........................................................................................................................................176
Trap Parsers ...........................................................................................................................................176
Display Trap Parsers .........................................................................................................................176
Create a new Trap Parser ..................................................................................................................178
Edit an existing Trap Parser ..............................................................................................................183
Delete a Trap Parser ..........................................................................................................................187
Northbound Trap Receivers ..................................................................................................................190
Display Northbound Trap Receivers.................................................................................................191
Create a new Northbound Trap Receiver..........................................................................................192
Edit an existing Northbound Trap Receiver......................................................................................195
Delete a Northbound Trap Receiver .................................................................................................196
Email Notification of Alarms ................................................................................................................198
Configure the mail server..................................................................................................................198
Create a new Alarm Mail Notification..............................................................................................200
Edit an existing Alarm Mail Notification..........................................................................................202
Delete an Alarm Mail Notification ...................................................................................................204
Fault-Based Alarms .............................................................................................................................................207
NAN SNMP Traps........................................................................................................................................207
WAN SNMP Traps .......................................................................................................................................212
NEMS-Generated Alarms.............................................................................................................................214
Chapter 6 - Advanced NEMS Topics ......................................................................................................................217

Virtual Local Area Networks (VLANs)...............................................................................................................218
VLANs on WAN devices..............................................................................................................................219
A Typical VLAN Implementation ................................................................................................................220
Planning Your VLAN Implementation.............................................................................................221
Implementing VLANs using the SecureMesh WAN........................................................................221
Configuring a Management VLAN ..................................................................................................222
Defining a Data or Collector VLAN (automatic provisioning) ........................................................223
Adding a Data VLAN to a Node Profile...........................................................................................225
Peer-to-Peer (P2P) Switching .......................................................................................................................228
Adding VPN to Your Network.............................................................................................................................231
VPN Configuration.......................................................................................................................................231
How VPN is Used.........................................................................................................................................231
Administrator Guide for SecureMesh WAN and NEMS vi

Overview of Adding VPN to your Network.................................................................................................232

Configuring a DHCP Tunnel IP range..........................................................................................................233
WAN equipment VPN provisioning .............................................................................................................235
Adding VPN Tunnel IP Addresses to Devices .............................................................................................236
Adding Tunnel IPs During Provisioning...........................................................................................236
Manually Adding VPN Tunnel IP Addresses in Node Maintenance................................................238
Determine the Firmware Version associated with a particular Collector ............................................................240
Changing and Upgrading Firmware on WAN Devices .......................................................................................242
Avoiding Firmware Upgrade Issues .............................................................................................................242
Overview of the Firmware Upgrade Process................................................................................................243
Viewing Current Firmware Packages ...........................................................................................................243
To view device firmware: .................................................................................................................244
Uploading New Firmware to the NEMS Server...........................................................................................246
To upload a new Firmware package to the NEMS server: ...............................................................246
Creating a Software Schedule.......................................................................................................................248
To create a Software Schedule:.........................................................................................................248
Verifying a Software Schedule .....................................................................................................................251
Selecting Firmware in a WAN Device Node Profile ....................................................................................252
To select a device’s firmware: ..........................................................................................................254
Reloading a Device................................................................................................................................258
To Reload a Device:..........................................................................................................................258
Waiting for a Device’s Config Lease Time to Expire...........................................................................259
To set a device’s Config Lease Time Value: ....................................................................................259
Upgrading Firmware using the CLI..............................................................................................................261
Upgrade Procedure (Manual Mode)......................................................................................................261
Swapping Firmware Images .........................................................................................................................262
To Swap Device Firmware Images ...................................................................................................262
Pre-Provisioning Large Numbers of Devices ......................................................................................................265
Creating a Node Maintenance Entry.............................................................................................................265
Changing WAN Device SFTP Password .............................................................................................................270
Default versus Custom SFTP User Name ....................................................................................................270
Changing a single WAN device’s username / password from Node Maintenance.......................................271
To change a single device’s username / password............................................................................272
Changing the WAN device username / passwords using a Node Profile .....................................................273
To change a device class’ password(s) .............................................................................................274
Resetting the device passwords to default ....................................................................................................276
To reset a device’s password(s) ........................................................................................................276
Chapter 7 - The CLI and Troubleshooting .............................................................................................................279

Connecting to the Command Line Interface........................................................................................................280
Connecting Using the Ethernet Port .............................................................................................................280
Connecting using the Ethernet port:..................................................................................................281
Connecting Using the Serial Port .................................................................................................................283
Connecting using the serial port:.......................................................................................................283
Troubleshooting with Basic CLI Commands.......................................................................................................286
Configuring a Device....................................................................................................................................287
Verifying Provisioning Mode................................................................................................................287
show prov node .................................................................................................................................287
Verifying Provisioning Parameters .......................................................................................................288
vii Administrator Guide for SecureMesh WAN and NEMS

Trilliant
show prov IP .....................................................................................................................................288

show freq...........................................................................................................................................289
show netkey.......................................................................................................................................290
Basic Device Configuration ..................................................................................................................290
set netkey...........................................................................................................................................290
set prov auto ......................................................................................................................................291
set prov IP .........................................................................................................................................291
set prov manual .................................................................................................................................293
Resetting a device to factory defaults....................................................................................................293
!!!trilliantfactory!!!............................................................................................................................294
Verifying Device Status ................................................................................................................................294
show link ...........................................................................................................................................294
show link all ......................................................................................................................................295
show prov node .................................................................................................................................295
show dhcp..........................................................................................................................................296
show gps............................................................................................................................................297
show psu............................................................................................................................................297
show collector ...................................................................................................................................298
Monitoring link establishment and the device provisioning process............................................................299
show link all ......................................................................................................................................299
show prov node .................................................................................................................................300
debug on ............................................................................................................................................300
set log link 2 ......................................................................................................................................301
set log prov 2.....................................................................................................................................303
Common Problems and Solutions........................................................................................................................304
Common Software Problems and Solutions .................................................................................................304
Starting and Stopping NEMS services ..................................................................................................304
To start and stop NEMS services:.....................................................................................................304
Cannot access the NEMS ......................................................................................................................306
To check firewall status: ...................................................................................................................306
Common Device Problems and Solutions ....................................................................................................308
Verifying Provisioning Mode................................................................................................................308
show prov node .................................................................................................................................308
Resetting a device to factory defaults....................................................................................................309
!!!trilliantfactory!!!............................................................................................................................309
Device will not come online, “show link” shows the link in 'auth fail' status.......................................310
Device will not come online, “show link” shows the link in 'prov fail' status ......................................310
To determine the cause of prov fail status: .......................................................................................311
Device will not come online, “show link” shows nothing. ...................................................................312
Device rebooted unexpectedly ..............................................................................................................312
show reboot .......................................................................................................................................312
show uptime ......................................................................................................................................312
Appendix A - Optional Settings ...............................................................................................................................315

Changing the Frequency Region and Country Code ...........................................................................................316
Changing the Channel Width...............................................................................................................................318
Changing Channel Width through the CLI...................................................................................................318
Changing Channel Width through NEMS ....................................................................................................319
Device GPS Bypass .............................................................................................................................................321
Configuring a Custom Netkey .............................................................................................................................323
Administrator Guide for SecureMesh WAN and NEMS viii

Advanced Firewall Settings .................................................................................................................................324

To apply advanced firewall settings to CentOS:...............................................................................324
Ports and Protocols for External Firewall Devices.......................................................................................326
Advanced GPS Settings .......................................................................................................................................327
Importing GPS data ......................................................................................................................................328
Manually setting GPS data ...........................................................................................................................329
Setting GPS data from Node Maintenance .......................................................................................329
Setting GPS data from the Tree View...............................................................................................331
ftpimage Command Reference ............................................................................................................................333
ix Administrator Guide for SecureMesh WAN and NEMS

1
About this Guide
This document contains procedures and guidelines to enable you to deploy a basic network.
Topics discussed include installing the server operating system, installing NEMS, and adding
devices to the network.
This chapter explains what's in this guide and how it's organized.
• “Audience and Purpose” on page 2
• “How This Guide Is Organized” on page 3
• “Conventions Used in This Guide” on page 4
Administrator Guide for SecureMesh WAN and NEMS 1

Chapter 1 - About this Guide Trilliant
Audience and Purpose

This guide is intended to enable you to successfully create a basic network. To this end, you
should be familiar with the following:
• Burning ISO disc images and booting from a DVD-ROM or CD-ROM
• Installing operating systems and software
• Basic networking concepts and design
• Firewall configuration
• Connecting hardware using cables (see required cables listed in “Connecting to the Com-
mand Line Interface” on page 280)
• Connecting to and communicating with a device using a terminal client (such as Tera
Term or telnet)
• Using browser-based applications
Note: Trilliant recommends that if you are connecting to an existing network, you work with
your IT department to ensure that the network that you are creating will not conflict
with any other networks at your location.
2 Administrator Guide for SecureMesh WAN and NEMS

Trilliant How This Guide Is Organized
How This Guide Is Organized

This guide is organized as follows:
• “Installing the OS and NEMS” on page 5 describes the required hardware and software
you will need to begin creating a network, how to design your basic network, as well as
how to install both the operating system and NEMS itself.
• “Getting Started with NEMS” on page 35 describes how to discover/provision Trilliant
devices, how to troubleshoot any issues you may have, and how to use the Command Line
Interface to communicate directly with the devices.
• “The NEMS Interface” on page 79 describes the Trilliant hardware and software compo-
nents; the operations, administration, and maintenance tasks that you can perform; and
how to use the Trilliant NEMS application.

Chapter 1 - About this Guide Trilliant
Conventions Used in This Guide

This section describes the text and syntax conventions used in this guide.
Text Conventions
This guide uses the following text conventions:
• Italic is used to introduce new terms.
• Bold is used to indicate what you click in a graphical user interface or type on your key-
board (for example, command names). In examples showing user interaction with the
command-line interface, bold is used to indicate user input. In examples of command out-
put, bold indicates relevant content.
• A monospace font is used for code elements (variable names, data values, function
names, and so forth), command lines, scripts, and source code listings. It is also used to
indicate text to enter in a graphical user interface.
• Italic-monospace is used for replaceable elements and placeholders within code
listings.
Syntax Conventions
This guide uses the following conventions when showing syntax:
• Angle brackets, “<” and “>”, enclose mandatory elements. You must enter these elements.
For example:
ping <IP-address>
• Square brackets, “[” and “]”, enclose optional elements. You can omit these elements. For
example:
show filter [filter-table-number]
Square brackets are also used to show the current value of parameters in the output of
some commands.
• A vertical bar, “|”, separates choices. For example:
show bridge [cache | port]

2
Installing the OS and NEMS
To begin working with NEMS, you must ensure that you have the proper installation environment
available. This chapter discusses gathering and preparing the hardware and software you need for
a basic NEMS deployment:
• “Required Hardware and Software” on page 6
• “Design Your Simple Network” on page 8
• “Installing CentOS” on page 10
• “Installing NEMS” on page 21

Chapter 2 - Installing the OS and NEMS Trilliant
Required Hardware and Software

Gather the following hardware components:
• Two computers:
• One computer to use as communications terminal. OS is unimportant so long as it can
open telnet sessions or SSH sessions and has at least one each of physical Ethernet
AND Serial ports.
Note: You must use a separate computer as the communications terminal, because the comms
terminal is on a specific IP subnet (192.168.0.6–192.168.0.254) that is separate from
the NEMS server machine in order to enable communicating with devices using the
Command Line Interface. The default CLI password is public and the default SSH
credentials are username: trilliant and password: secret.
Note: For networks using VLAN, if the management domain is on a different VLAN than the
data VLAN, you cannot access the 192.168.0.2 address from the local port. Instead, you
can access the CLI by starting a telnet session from a computer on the same data VLAN.
• One computer to use as the NEMS server. Operating system is a 64-bit version
of CentOS or RedHat Enterprise (v 5.5 - v5.11). Must have at least one physical
Ethernet port to connect to a Gateway device, a CD/DVD drive for installing the
operating system, and any brand x86 64bit CPU for small or medium size NEMS
installs (Intel Xeon E5 with four or more cores for large and very large size NEMS
installs).
Note: Installing NEMS on a virtual machine may affect system performance, as virtual
machines typically have lower computation performance and much lower disk
performance than physical systems. For this reason, Trilliant recommends using
dedicated non-virtual hardware.
Table 2.1 lists additional requirements dependent on deployment size.
Table 2.1 System Requirements
Deployment Max WAN Max NAN Recommended Recommended
Size Devices Devices Hardware Database Server
Hardware
Small (Demo) 100 10,000 4GB RAM, 120GB Disk N/A
Medium 300 75,000 8GB RAM, 250GB Disk N/A
Large 900 850,000 16GB RAM, 360GB Disk 32GB RAM, 400GB Disk
Very Large 1500+ 1,000,000+ 24GB RAM, 360GB Disk 48GB RAM, 400GB Disk
Note: Neither the 32-bit versions nor the 64-bit 6.x (and above) versions of CentOS and
RedHat Enterprise are supported.
• One Gateway (+1 POE power supply and 2 RJ45 Ethernet cables)
• One Extender Bridge (+1 POE power supply and 1 RJ45 Ethernet cable)

Trilliant Required Hardware and Software
• One Connector (+1 POE power supply and 2 RJ45 Ethernet cables)
• One RJ45-DB9 (Ethernet to serial) adapter and 1 RJ45 Ethernet cable to connect the
communications terminal to a Gateway or Extender Bridge device
Gather the following software components:
• CentOS or RedHat Enterprise disc images (ISO images) burned to CD or DVD. See
http://wiki.centos.org/Download for links to the CentOS installation files. Visit http://
www.redhat.com for links to RedHat installation files.
Note: There are different installation files for 32-bit and 64-bit processors. Be sure to
download the 64-bit version.
• NEMS Installation files. You can obtain the NEMS installation files from Trilliant Sup-
port:
• NEMS10_Installer.bin
• NEMS10_DBSetup.bin
Note: The NEMS10_DBSetup.bin file is used to create remote databases.
• License.dat
Note: Trilliant NEMS will not install unless the License.dat file is customized for the MAC
address of the computer on which you are installing NEMS. Contact Trilliant Support
for help getting the appropriate files for your installation.
• (Optional) Secure File Transfer Protocol (SFTP) software. NEMS makes use of secure
FTP through SSH during the installation process.

Design Your Simple Network

Before installing anything, begin by designing the network you are going to use. You need the
following:
• Static IP address for the NEMS server
• Static IP address for the Gateway
• DHCP range sufficient for all connected devices
• Static IP address for the Communications Terminal
Note: The communications terminal requires an address in a specific subnet of 192.168.0.6 to
192.168.0.254 in order to be able to communicate with devices via direct Ethernet
connection. Do not use an address outside of this range, or you will not be able to
communicate with the devices using the device’s persistent local IP address
(192.168.0.2).
The following sample network design is sufficient for a deployment that includes a NEMS server,
one Gateway, two Extender Bridges, two Collectors (inside the Extender Bridges), and one
Connector.
Figure 2.1 Basic SecureMesh WAN network design

Trilliant Design Your Simple Network
The range of available DHCP addresses must be sufficient to cover the number of devices that
will require a DHCP-assigned IP address. In the above case, the DHCP range covers 172.16.1.3 to
172.16.1.10.

Installing CentOS
While NEMS can also run on RedHat Enterprise, these instructions cover installing NEMS on
CentOS (the following screenshots are from version 5.9). If you choose to use another version of
CentOS, or use RedHat Enterprise, the installation procedures for supported versions of CentOS
and RHEL may vary slightly.
Note: The computer you use as the server for NEMS must run on a 64-bit version of CentOS
or RedHat Enterprise (v 5.5 - v5.11). Refer to “Required Hardware and Software” on
page 6 for the complete list of requirements.
The following instructions assume that you know how to boot from a disc and do not already have
a version of Linux installed. If a version of Linux is already installed, these steps will erase and
reinstall the OS, and all customizations and packages will be lost.
To install CentOS:
Note: Trilliant recommends that you install NEMS on a dedicated computer with a fresh OS
install. Following these instructions will permanently erase any existing data from the
machine’s drive.
1. Download and burn ISOs for the 64-bit version of CentOS to either CDs or DVDs. See
http://wiki.centos.org/Download for links to the appropriate ISO files.
2. Insert the first disc into the system, and boot from the disc.
Figure 2.2 CentOS Installation splash screen
3. Press [ENTER] to begin installing.

Trilliant Installing CentOS
4. Press the right arrow to highlight Skip, and then press [ENTER]. (See Figure 2.3.)
Note: If your installation media has never been used before, it's a good idea to test it. To test,
highlight OK and press [ENTER]. Once the test is complete, continue to the next step.
Figure 2.3 CentOS media testing screen
5. CentOS displays the installer screen. Click Next to continue. (See Figure 2.4.)
Figure 2.4 The CentOS installer screen

6. On the next screen, select the language to use during installation. Click Next.
7. Select the keyboard language you are using, then click Next.
8. Select Remove all partitions on selected drives and create default layout. Click Next.
(See Figure 2.5.)
Note: Selecting this option will wipe all data off of the drive. Any existing data will be
permanently erased.
Figure 2.5 Selecting partition options
9. CentOS displays a warning that proceeding will remove all existing partitions on the
drive. Click Yes. (See Figure 2.6.)
Figure 2.6 Removing all partitions warning
10. In Network Devices, ensure that Active on Boot for eth0 is checked, then click Edit.
(See Figure 2.7.)

Figure 2.7 Network Devices screen
11. Select an addressing format (IPv4 support is mandatory, and that IPv6 is optional):
• (Mandatory) Enable IPv4 support: Uses IPv4 addressing format. Select Manual
configuration and enter the IP Address for the computer (which you chose earlier in
“Design Your Simple Network” on page 8), and set the Prefix (Netmask) to
255.255.255.0. (See Figure 2.8.)
Figure 2.8 Editing the network interface

Note: You can use a prefix other than 255.255.255.0, as appropriate for your network.
• (Optional) Enable IPv6 support: Uses IPv6 addressing format. Select Manual
configuration and enter the IP Address for the computer, and set the Prefix
(Netmask).
12. Click OK. CentOS returns you to the previous screen.
13. For Hostname, click manually and enter a domain name (for example,
nems.domain.com) in the field. (See Figure 2.9.)
Figure 2.9 Updated Network Devices screen
14. Leave the Miscellaneous Settings fields blank, and click Next.
15. NEMS displays warning screens about the Gateway and Primary DNS fields being
unspecified. Click Continue to dismiss these warnings.
16. Select the time zone you are in and click Next.
Note: You can leave the “System clock uses UTC” setting as is.
17. Enter a password in the Root Password and Confirm fields, then click Next. (See
Figure 2.10.)

Figure 2.10 Creating a Root Password
Note: Make sure you note your password, because it is required to install NEMS.
18. Select a desktop version and click Next. (See Figure 2.11.)
Note: Trilliant recommends selecting Gnome, as this is the version shown during NEMS
installation.
Figure 2.11 Selecting a desktop version
19. Click Next to begin installing CentOS. (See Figure 2.12.)

Figure 2.12 CentOS ready to begin installing
The installer will display several screens while the installation proceeds. When it is fin-
ished, it displays a success screen. (See Figure 2.13.)
Figure 2.13 CentOS Installation complete
20. Click Reboot to finish.

21. After CentOS reboots, it displays a Welcome message. Click Forward to proceed.
CentOS’s default firewall settings will interfere with NEMS operation. Trilliant recom-
mends that you disable the firewall (see Step 22).
Note: To configure the firewall to allow NEMS traffic, see “Advanced Firewall Settings” on
page 324.
22. On the Firewall page, select Disabled and then click Forward (Figure 2.14). Click Yes to
confirm that you want the firewall disabled (Figure 2.15).
Figure 2.14 Setting the firewall options in CentOS
Figure 2.15 Confirming firewall selection
23. On the SELinux page, confirm the default selection of Enforcing, and click Forward.
(See Figure 2.16.)

Figure 2.16 Selecting a Security Enhanced Linux level
24. On the Date and Time page, set the current date and time, then click Forward. (See
Figure 2.17.)
Figure 2.17 Date and time settings
25. On the Create User page, you can add an additional user to your system. If you choose to
add a user, be sure to note their username and password. Click Forward. (See
Figure 2.18.)

Note: To install NEMS you will need to log in as root, so this user account is for only post-
NEMS installation use.
Figure 2.18 Create additional users
26. If your system has a sound card, the Sound Card menu will prompt you to configure the
sound card.

27. On the Additional CDs screen, click Finish. (See Figure 2.19.)
Figure 2.19 Additional CDs screen
CentOS is now installed and ready to use. The next step is Installing NEMS (see page 21).

Trilliant Installing NEMS
Installing NEMS
Note: NEMS will install MySQL and Java, and if there are any conflicting packages (i.e.
Apache) already installed, they will be removed during NEMS installation.
To install NEMS:
1. Obtain license files that are customized for your installation environment.
Note: Trilliant NEMS will not install unless the license files are customized for the MAC
address of the computer on which you are installing NEMS. Contact Trilliant Support
for help getting the appropriate files for your installation.
2. Ensure that you are logged into the server as root.
3. Copy the NEMS installation files into the root home directory ( /root ):
• NEMS10_Installer.bin
• NEMS10_DBSetup.bin
Note: The NEMS10_DBSetup.bin file is used to create remote databases. Refer to supporting
documentation concerning remote databases for more information and procedures.
• License.dat
Note: Filenames are case-sensitive.
4. From the root directory, open a terminal:
• File > Open In Terminal or
• Applications > Accessories > Terminal
5. Type the following command, and press [ENTER]:
sh ./NEMS10_Installer.bin
The NEMS Installer launches.

Figure 2.20 Installing NEMS: Starting the installation process
6. To begin installing NEMS, press 1 then press [ENTER].

7. To continue with the installation, press Y then press [ENTER].
8. Press the space bar to read through the license terms.

Figure 2.21 NEMS license agreement
9. Press Y to agree to the license terms, then press [ENTER].

10. Choose an installation size:
• To configure NEMS for a small-scale installation (up to 100 WAN devices and 10,000
NAN devices), press S then press [ENTER].
• To configure NEMS for a medium-scale installation (up to 300 WAN devices and
75,000 NAN devices), press M then press [ENTER].
• To configure NEMS for a large-scale installation (up to 900 WAN devices and 850,000
NAN devices), press L and then press [ENTER].
• To configure NEMS for a very-large-scale installation (1500+ WAN devices and
1,000,000+ NAN devices), press V and then press [ENTER].
Note: For Large and Very Large installs, consult your Trilliant representative for guidance on
required hardware and advanced NEMS configurations.

Figure 2.22 Selecting a NEMS configuration mode
NEMS presents you with choices about the kind of installation to perform, including the
types of devices NEMS will support, whether or not to use SSL security when accessing
the NEMS interface, and where to install the NEMS database.
11. Press B to support both WAN and NAN devices in NEMS, and then press [ENTER].
12. Press Y to use SSL security in the NEMS web interface, and then press [ENTER].
13. Press L to install the NEMS database locally, and then press [ENTER].

Figure 2.23 Additional NEMS configuration options
14. Press [ENTER] to accept root as the database username.

15. Press [ENTER] to accept no password as the database password.

Figure 2.24 NEMS installation ready to begin
16. To specify the location of the NEMS license files, type /root then press [ENTER].

Figure 2.25 Specifying location of NEMS license files in root home ( /root )
17. Specify that NEMS is not behind NAT. Press N then press [ENTER].
18. Specify that you want to use SFTP to facilitate WAN firmware upgrades. Press Y and then
[ENTER].
Note: For some versions of NEMS and device firmware, SFTP is required. To avoid issues
with WAN firmware upgrades, Trilliant recommends using SFTP. If you selected not to
use SFTP, skip to step 20.

Figure 2.26 Specifying that the server is not behind NAT
19. Specify an SFTP username and password. Trilliant recommends that you accept the
default username (trilliantsftp) and password (public).
20. Press Y to have the system’s DHCP configuration files updated now, then press
[ENTER].
21. Press [ENTER] to accept the default of eth0 for the interface name.

Figure 2.27 Setting eth0 as the default interface
NEMS begins installing on the server. When it is finished, it displays the following:

Figure 2.28 NEMS installation complete
Note the NEMS URL and the default administrator credentials:

• Username: admin
• Password: admin123!
22. Launch a web browser and enter the NEMS URL.
Note: If you get a timeout error, see “Cannot access the NEMS” on page 306 for
troubleshooting instructions.
23. If you use Firefox to access the NEMS, Firefox displays a warning that the connection is
not secure. Click I Understand the Risks and then Add Exception. (See Figure 2.29.)
Note: Other supported browsers may display a similar warning. See “Compatible Browsers”
on page 80 for specifics.

Figure 2.29 Starting NEMS using Firefox for the first time
24. Firefox displays the Add Security Exception screen. Ensure that the check-box next to
Permanently Store Exception is filled, and click Confirm Security Exception.

Figure 2.30 Add Security Exception screen
Note: To prevent this security exception from appearing, work with your Network
Administrator to obtain and install a signed certificate on your NEMS server. There are
several vendors that can provide signed certificates.
25. The browser displays the NEMS login screen. Enter the username and password supplied
during installation (Figure 2.28), and click Sign In.
The default administrator credentials are:
• Username: admin
Note: After logging into NEMS for the first time, you should change the default password. See
“Changing your NEMS Password” on page 83 for more information.

Figure 2.31 NEMS login screen
26. The first time you log in, NEMS asks which view you want to be the default. Select WAN
View and click Save (Figure 2.32).
Figure 2.32 First time logging into NEMS
The NEMS installation process is now complete. Proceed to Chapter 3 “Getting Started
with NEMS” on page 35 to begin configuring NEMS and creating your simple network.
Note: If you have any issues starting NEMS, see “Cannot access the NEMS” on page 306.


3
Getting Started with NEMS
Once NEMS is installed, you’ll need to configure NEMS and add devices. This chapter covers
those tasks:
• “Example SecureMesh WAN Network Layout” on page 36
• “Configuring DHCP” on page 37
• “Adding a Gateway” on page 43
• “Creating Node Profiles” on page 57
• “Adding an Extender Bridge” on page 64
• “Adding a Connector” on page 71
• “Adding a Collector” on page 75

Chapter 3 - Getting Started with NEMS Trilliant
Example SecureMesh WAN Network Layout

Once the server’s OS and NEMS software are installed and running, you can begin connecting
and provisioning devices. Because you will be physically connecting devices and cables to create
a basic network, it is worth taking some time to consider the physical layout of your network.
Figure 3.1 The physical setup of a SecureMesh WAN network including NEMS
The physical space in which you set up your network must be big enough to contain two
computers, at least three physical devices, and all of the cables and POE power supplies necessary
to power the devices. Figure 3.1 illustrates the devices and the cables necessary to connect them
to their power supplies and each other.

Trilliant Configuring DHCP
Configuring DHCP
Most NEMS deployments use DHCP (Dynamic Host Configuration Protocol) to assign IP
addresses to devices on the network. This section describes how to enable and configure DHCP
from within NEMS.
Enabling DHCP in NEMS

1. From the View menu, select DHCP Tree View (Figure 3.2).
Figure 3.2 View menu with DHCP Tree View highlighted
NEMS opens the DHCP Tree View window (Figure 3.3).
Figure 3.3 DHCP Tree View window

2. (Optional) From the tool bar at the top of the DHCP Tree View window, click
Add DHCP Subnet (second icon from the left).
Note: NEMS automatically creates a subnet entry for the subnet where the NEMS is located.
Subnets only needed to be added for devices outside of this NEMS subnet.
NEMS opens the Add Subnet window (Figure 3.4).
Figure 3.4 Add Subnet window
3. Enter a Name for the Subnet.

4. Enter the Subnet IP address.
5. Select a NetMask from the drop-down list.
6. Next to TFTP, click .
NEMS opens the DHCP TFTP Server window (Figure 3.5).

Figure 3.5 DHCP TFTP Server window
7. Click Add .
8. Enter the NEMS IP address and click Save (Figure 3.6).
Figure 3.6 Configured DHCP TFTP Server window
NEMS returns you to the Add Subnet window.

9. Next to Provisioning, click .
NEMS opens the DHCP Provisioning Server window (Figure 3.7).

Figure 3.7 DHCP Provisioning Server window
10. Click Add .

11. Enter the NEMS Provisioning Server IP address and press Save (Figure 3.8).
Figure 3.8 Configured DHCP Provisioning Server window
Optional: If you want to use dynamic assigned IP address for non-Gateway devices, con-
tinue to Step 12, otherwise skip to Step 16. Assigning a DHCP Dynamic Range configures
a “pool” of IP addresses which can be dynamically assigned to devices on an as-needed
basis.
NEMS returns you to the Add Subnet window.
12. Next to Dynamic Range, click .
NEMS opens the DHCP Dynamic Range window (Figure 3.9).

Figure 3.9 DHCP Dynamic Range window
13. Click Add .

14. Enter a starting and ending IP range that does not include NEMS itself or your Gate-
way’s IP (for instance, 10.18.71.12 to 10.18.71.20). (Figure 3.10)
Figure 3.10 Configured DHCP Dynamic Range window
15. Click Save.

NEMS returns you to the Add Subnet window (Figure 3.11).

Figure 3.11 Configured DHCP Subnet window
16. The VPN button enables you to specify the IP address of the VPN router(s). If your net-
work is using VPN, before completing this procedure, refer to “Adding VPN to Your
Network” on page 231.
17. In Routers, enter the NEMS IP address (or the default router, if your SecureMesh WAN
installation is part of a larger network).
Note: In most deployment scenarios there will most likely be routing equipment between the
WAN equipment and the NEMS. In such a scenario you would specify the IP address of
the appropriate router for the subnet (also commonly called the “default gateway”)
rather than the NEMS IP address.
18. Click Save .
19. Click Close .

Trilliant Adding a Gateway
Adding a Gateway
Gateway and Extender device types, including the Extender Bridge, require a GPS signal in order
to function. When possible, for best GPS reception, you should place the devices in a location
where they will have an unobstructed view of the sky. In a lab setting, you can use Derived
Timing to operate without GPS, but Trilliant recommends using GPS whenever possible. See
“Device GPS Bypass” on page 321 for more information.
Before you add your first device, if any of the following is true, STOP:
• You are using US devices but plan to use a different frequency region than FCC High
• You are using non-US devices (for example, a US part number could be 710-06030-08R,
where a non-US part number could be 710-06730-08R).
• Your devices are using something other than the standard 20 MHz channel width
• You plan to use VPN or VLAN in your network
You must address the applicable above issues before continuing:
• To add VLAN to your network, see “Virtual Local Area Networks (VLANs)” on
page 218.
• To add VPN to your network, see “Adding VPN to Your Network” on page 231.
• To change the frequency region and country code of your devices, see “Changing the Fre-
quency Region and Country Code” on page 316. This step is REQUIRED for non-US
devices.
• To change the channel width of your devices, see “Changing the Channel Width” on
page 318.
The next step after configuring DHCP is to add a Gateway Node Profile and then provision the
first Gateway device.
1. From the WAN Provisioning menu, select Node Profile (Figure 3.12).

Figure 3.12 WAN Provisioning menu > Node Profile highlighted
NEMS opens the Provisioning - Node Profile window (Figure 3.13).
Figure 3.13 Provisioning - Node Profile window
2. Click Add .
NEMS opens a window that enables you to create a new Node Profile record
(Figure 3.14).

Figure 3.14 Generic Node Profile window- Creating a new entry for a Gateway
Note: Any field not specifically called out in the instructions below can be left in its default
setting.
3. In the Name field, enter a name for the Node Profile.
Note: No spaces are allowed in this field. Use an underscore ( _ ) in place of spaces.
4. From the NodeType drop-down list, select SM Gateway.
5. In the Domain field, select Create New.
NEMS opens the Domain window (Figure 3.15).

Figure 3.15 Add Domain window to create a new domain for a Gateway
Domains allow you to partition your network into independent sub-networks. Devices
configured for a specific domain will only form links with other devices configured for the
same domain. Non-Gateway devices can be configured for domain “All,” and will be able
to join any domain. A typical network configuration will use a single domain for all
devices.
6. In Domain Name, enter a name.
7. In the Domain# field, enter a number for the domain. This value can be between 1 and
10000.
8. Click Save.
NEMS returns you to the Node Profile window.
9. Set the Frequency Region to FCC High Band.
Note: For users outside of the US, you must use the CLI to configure the country code,
frequency region, and channel width on each Gateway before the devices will be
operable. Devices will not form links until you configure the these items. See “Changing
the Frequency Region and Country Code” on page 316 before continuing.
10. Set the Primary Frequency that the Gateway and all devices that will join through this
Gateway will use.
11. In the Primary Software field, select a software package for the Gateway.
Note: You must select a software package that supports the hardware version of your
Gateway.
12. Select the appropriate Time Zone.
13. Set the Power Mode to Low.
Note: Low power mode will reduce transmit power of the devices, and is appropriate for lab
settings, especially in unshielded environments. If you are in a shielded environment or
the Gateway and other devices will be located outside, you can leave the Power Mode
at Full. The default setting is Full. You can change this setting at any time.

14. Set the Config Lease Time to 60.

Note: This field determines how often, in minutes, the Gateway will check for updates to the
device configuration. If you set this value to 0, the Gateway will only check for
configuration updates at bootup time. You can manually reload the Gateway to apply
configuration changes at any time by right-clicking on the Gateway and selecting
Reload from the context menu.
The Gateway’s Node Profile should now resemble Figure 3.16.
Figure 3.16 Completed Node Profile for a Gateway
15. Click Save.

16. NEMS asks if you want to finish configuring attributes for the Gateway node profile.
Click No.

17. Close the window.

NEMS displays the new Node Profile entry (Figure 3.17).
Figure 3.17 New Gateway Node Profile entry
18. From the WAN Provisioning menu, select Node Maintenance (Figure 3.18).
Figure 3.18 WAN Provisioning menu with Node Maintenance highlighted
NEMS opens the Node Maintenance window (Figure 3.19).

Figure 3.19 Node Maintenance window
19. Click Add .

NEMS opens a new Node Maintenance entry window (Figure 3.20).
Figure 3.20 New Node Maintenance entry window

20. In the MAC Address field, enter the new Gateway’s MAC address.
Note: When entering the MAC address, do not enter any colons, For example, if the MAC
Address is listed as 00:0A:DB:xx:xx:xx, enter 000ADBxxxxxx.
The MAC address is printed on the asset tag on the bottom of the Gateway.
Note: If you cannot read or do not have easy access to the asset tag, you can connect to the
Gateway via the serial console, and determine the device’s MAC address via the “show
version” CLI command (see “Connecting Using the Serial Port” on page 283 for
more information). However, this will require you to power on the Gateway early, which
may change your Gateway provisioning experience.
21. From the Node Type drop-down list, select SM Gateway.
22. From the Node Profile drop-down list, select the Node Profile you just created.
23. Select the appropriate DHCP IP Assignment mode for this device:
• Fixed: The device will use specific IP address in the DHCP subnet range.
• Dynamic: The device will use any available IP address in the subnet range.
Note: This option is not available for Gateway devices. Gateway devices using DHCP must
use a fixed IP address.
• Non-DHCP: The device will not use DHCP, and instead will use a statically assigned
address configured through the CLI.
Note: To avoid IP conflicts, the statically assigned IP address should not be within the
dynamic range selected for the subnet (if any).
24. In the IP Address column, enter the IP address for the Gateway (if you are using Dynamic
IP assignment, you can leave this field blank).
Note: When specifying an IP address, if you are using Dynamic IP assignment and if you
leave the IP address blank, NEMS will select an IP address from the defined dynamic
range. Otherwise, you must enter an IP address.
Note: Leave the Tunnel (inner) IP address empty unless your network is using VPN. Refer to
“Adding VPN to Your Network” on page 231 for instructions on how to provision VPN
inner IP tunnel addresses.
In this below example, the Gateway IP address is: 10.18.71.100 (Figure 3.21).

Figure 3.21 New Gateway’s Node Maintenance entry
25. Click Save .

26. NEMS prompts you to configure the Gateway’s Profile Attributes. Either select Yes to
configure profile attributes (such as Data Collection Intervals), or No to close the window.
27. Power up the physical Gateway device.
28. From the View menu, select Unified Tree View.
The Gateway appears underneath the frequency you selected in the Node Profile. The sta-
tus is “Down” (Figure 3.22).

Figure 3.22 Gateway begins provisioning
Within five minutes, the new Gateway device should have a green icon and a status of
“Up” (Figure 3.23).
Figure 3.23 Successfully provisioned and joined Gateway
Note: The Alarm Severity will be orange, rather than green, which indicates that the GW was
restarted during the provisioning process. Clear the alarm before you continue.
At any point after turning the Gateway on and letting it start provisioning, you can config-
ure the data collection intervals to a shorter period so that you get status, statistics, and
node information sooner.
If the Gateway fails to acquire a green icon and a status of Up, see “Gateway Trouble-
shooting” on page 55.

Figure 3.24 WAN Provisioning menu with Node Profile highlighted
30. Double-click the Gateway entry.

NEMS opens the Node Profile Attributes window for the Gateway.
31. Click the Data Collection tab (Figure 3.25).
Figure 3.25 Node Profile Attributes window - Data Collection tab
32. For Status Poll, click next to the interval.

33. Change the interval to 1 Minute(s) and click Save (Figure 3.26).
Figure 3.26 Setting polling interval

34. Change Statistics Poll to 2 Minute(s) and Node Info to 1 Hour(s).
Figure 3.27 Intervals configured
35. Click Save .

36. NEMS asks if you want to reload associated devices now. Click No, as the changes made
do not require a reload.
Figure 3.28 Reload Confirmation
37. OPTIONAL: When the Gateway is green, you can set the netkey that all devices will use
to connect to the Gateway. Devices will not be able to provision without a netkey that
matches the Gateway’s netkey. For instructions on setting the netkey, see “Configuring a
Custom Netkey” on page 323.
If you do NOT set a new netkey, skip netkey steps for other devices.
While lab environments may use the default netkey, all live environments should use a
unique netkey to increase security.
Note: If you are using advanced options like VLAN, VPN, frequency region, and channel
width, you must set additional parameters. For VLAN, refer to “Virtual Local Area
Networks (VLANs)” on page 218. For VPN, refer to “Adding VPN to Your Network” on
page 231. For channel width, refer to “Changing the Channel Width” on page 318. 
If you are using the VLAN feature, you must provision a management VLAN on the
Gateway (all other devices inherit the management VLAN from the Gateway). Data and
Collector VLAN types are provisioned entirely on the NEMS and do not require any CLI

interaction. See “Virtual Local Area Networks (VLANs)” on page 218 for more
information.
Gateway Troubleshooting
If you have followed the above instructions and your Gateway appears in the tree view but its icon
is not green, try the following:
• The operating system firewall will prevent a Gateway from provisioning. Trilliant recom-
mends that you disable the OS Firewall entirely.
• Ensure that the Firewall on the NEMS server is either disabled or configured to allow
NEMS traffic. See Step 22 (see page 17) of the OS installation instructions for firewall
configuration settings.
• Right-click on the Gateway and select Poll Now (see Figure 3.29). Then click
Refresh .
Figure 3.29 Gateway’s right-click contextual menu with Poll Now command highlighted
• Right-click on the Gateway and select Node Details (see Figure 3.30). Verify that the
MAC address for the Gateway is correct (see Figure 3.31). Check the Last Config
Received Time field to ensure that the device is receiving configuration data.
Figure 3.30 Gateway’s right-click contextual menu with Node Details command highlighted

Figure 3.31 Node Details screen for a Gateway with the MAC Address and Last Config Received time fields
highlighted
• Check to make sure DHCP is being obtained and that the Gateway is receiving a configu-
ration file from NEMS. See “show dhcp” on page 296, “debug on” on page 300, and “set
log prov 2” on page 303. Depending on the error message you receive, you may have to
take additional action. Contact your Trilliant representative for assistance.
• Check to see if the Gateway has a GPS lock.
• In the CLI, if the command prompt indicates “waiting for GPS” it is still waiting to
receive GPS coordinates and will not form any links until GPS is locked.
• Confirm that the Gateway’s GPS mode is Enabled and GPS is locked (see “show gps”
on page 297).
• Confirm that the Gateway is in Auto mode (see “show prov node” on page 295).

Trilliant Creating Node Profiles
Creating Node Profiles

After successfully provisioning a Gateway, the next step is to create Node Profiles for all other
devices that will join your network.
Note: NEMS also allows you to pre-provision WAN devices, which can be very useful in large
scale deployments (rather than auto discovering and provisioning devices on a one-by-
one basis). See “Pre-Provisioning Large Numbers of Devices” on page 265 for more
information.
Creating an Extender Bridge Profile

NEMS opens the Provisioning - Node Profile window. Note the presence of a Gateway
Profile (Figure 3.33).

2. Click Add .
NEMS opens a new Node Profile window.
3. In the Name field, enter a name.
4. In the NodeType field, select SM Extender Bridge.
5. In the Domain field, select a domain.
6. In the Frequency Region field, select FCC High Band.
Note: If you are not in the United States, select a frequency region appropriate for your
location. If this frequency region does not match the Gateway’s frequency region, your
Extender Bridge will not provision successfully.
7. In the Frequency field, select the same frequency that the Gateway is using.
8. In the Primary Software field, select a software package for the Extender Bridge.
Note: You must select a software package that supports the hardware version of your Extender
Bridge.
9. In the Time Zone field, select the appropriate Time Zone.
Note: This field determines how often, in minutes, the Extender Bridge will check for updates
to the device configuration. If you set this value to 0, the Extender Bridge will only
check for configuration updates at bootup time. You can manually reload the Extender
Bridge to apply configuration changes at any time by right-clicking on the Extender
Bridge and selecting Reload from the context menu.
11. Click Save .
12. NEMS prompts you to configure the Profile Attributes. Either select Yes to configure pro-
file attributes (such as Data Collection Intervals), or No to close the window.
Your Extender Bridge node profile should now look similar to Figure 3.34.
Figure 3.34 Completed node profile for an Extender Bridge

13. If your network is using VLAN, you need to add the data and Collector VLANs to the
node profile as well. For instructions, see “Virtual Local Area Networks (VLANs)” on
page 218.
14. (Optional) If your deployment includes Extender devices, repeat this procedure to create
the Extender device Node Profile, being sure to select the appropriate firmware.
Creating a Connector Profile

2. Click Add .
NEMS opens a new Node Profile window.
3. In the Name field, enter a name.

4. In the NodeType field, select SM Connector.

5. In the Domain field, select a domain.
6. In the Frequency Region field, select FCC High Band.
Note: If you are not in the United States, select a frequency region appropriate for your
location. If this frequency region does not match the Gateway’s frequency region, your
Connector will not provision successfully.
7. In the Frequency field, select the same frequency that the Gateway is using.
8. In the Primary Software field, select a software package for the Connector.
Note: You must select a software package that supports the hardware version of your
Connector.
9. In the Time Zone field, select the appropriate Time Zone.
Note: This field determines how often, in minutes, the Connector will check for updates to the
device configuration. If you set this value to 0, the Connector will only check for
configuration updates at bootup time. You can manually reload the Connector to apply
configuration changes at any time by right-clicking on the Connector and selecting
Reload from the context menu.
11. Click Save .
12. NEMS prompts you to configure the Profile Attributes. Either select Yes to configure pro-
file attributes (such as Data Collection Intervals), or No to close the window.
Your completed Connector node profile should look similar to Figure 3.37.
Figure 3.37 Completed node profile for a Connector
13. If your network is using VLAN, you need to add the data VLAN to the node profile as
well. For instructions, see “Virtual Local Area Networks (VLANs)” on page 218.

Configuring Data Collection Intervals

After creating your Extender Bridge and Connector node profiles, configure their data collection
intervals to match those of the Gateway. Shorter data collection intervals will ensure you get
status, statistics, and node information sooner.
2. Double-click the Extender Bridge profile.

NEMS opens the Node Profile window for the Extender Bridge (Figure 3.40).

Figure 3.40 Extender Bridge Node Profile window
3. Click the Data Collection tab (Figure 3.25).
Figure 3.41 Node Profile Attributes window - Data Collection tab

4. For Status Poll, click next to the interval.

5. Change the interval to 1 Minute(s) and click Save (Figure 3.42).
Figure 3.42 Setting polling interval
6. Change Statistics Poll to 2 Minute(s) and Node Info to 1 Hour(s).
Figure 3.43 Intervals configured
7. Click Save .
8. NEMS asks if you want to reload associated devices now. Click No, as the changes made
do not require a reload.
9. Click to close the Node Profile Attributes window.
10. Repeat from Step 2 for all other node profiles.

Adding an Extender Bridge

where they will have an unobstructed view of the sky. In a lab setting, you can use Derived
Timing to operate without GPS, but Trilliant recommends using GPS whenever possible. See
“Device GPS Bypass” on page 321 for more information.
After creating your node profiles, the next step is to add an Extender Bridge.
1. Power on the Extender Bridge.
Note: For the Extender Bridge to successfully connect to the Gateway, it must have the same
Country Code, be in the same Frequency Region, have the same netkey, be on the same
domain (or be configured for all domains), and use the same Channel Width. You can
verify the frequency region with the “show freq” CLI command (see “show freq” on
page 289), can change the frequency region with the “set prov freq” CLI command (see
“Changing the Frequency Region and Country Code” on page 316), and set the
Country Code with the “set prov chanwidth” CLI command (“Changing the Channel
Width” on page 318).
2. If you changed the netkey on the Gateway to something other than the default, continue to
the next step, otherwise skip to Step 8.
3. In the CLI for the Extender Bridge, type set netkey and press [ENTER].
Note: Like the Gateway, the Extender Bridge uses an Ethernet cable with a DB-9 adapter to
communicate with the console. See “Connecting to the Command Line Interface” on
page 280 for more information about using the CLI.
4. Enter the same netkey that you configured on the Gateway, and press [ENTER].
5. Enter the netkey again, and press [ENTER].
6. Type show netkey and press [ENTER].
7. Compare the netkey code to the Gateway’s netkey code. They should be the same. If they
are not, repeat from step 2.
8. Allow the Extender Bridge to attempt to link to the Gateway.
Note: This may take up to an hour. If the Extender Bridge’s primary frequency is set
beforehand to match the frequency used by the Gateway, the Extender Bridge will link
much faster.
Note: If you are using VPN, the Extender Bridge must also have the correct VPN shared
secret in order to establish a VPN tunnel. Refer to “Adding VPN to Your Network” on
page 231 for more information.
In NEMS, the Extender Bridge will appear in the Tree View under “Discovered” (See
Figure 3.44).

Trilliant Adding an Extender Bridge
Figure 3.44 WAN View - Discovered Extender Bridge
9. Right-click on the device and select Provision Node (Figure 3.45).
Figure 3.45 Extender Bridge’s right-click contextual menu with Provision Node command highlighted
NEMS opens the Node window, which enables you to set provisioning parameters for the
Extender Bridge.

Figure 3.46 Node Profile window for discovered device
10. Ensure that the appropriate profile is selected in Node Profile.

11. Ensure that Frequency Region is set to FCC High Band, and that the Frequency listed
matches the Gateway’s frequency (in our example, 5735).
Note: For users outside of the US, you must use the CLI to configure the country code on each
device before the device will be operable. Devices will not form links until you configure
the country code. See “Changing the Frequency Region and Country Code” on
page 316 before continuing.
12. In Shared Network, select a network for the device to join.
13. In Subnet, select the subnet to which the device will belong.
Note: For Extender Bridges, you must define an IP address for both the WAN equipment and
Collector.

Note: If your network is using VPN, refer to “Adding VPN to Your Network” on page 231 for
more information. If your network is NOT using VPN, leave the inner IP address blank.
14. Click Save and then Close .
After closing, NEMS displays the Provision Collector window (Figure 3.47).
Figure 3.47 Provision Collector window
15. From DHCP IP Assignment, select Fixed. Fixed IP assignment is required for non-VPN
deployments.
16. In the IP Address field, enter or select the device’s outer IP address.
17. Leave the Tunnel IP field blank.
Note: If you are using VPN in your network, you can instead select Dynamic for DHCP IP
Assignment, and then specify a Tunnel IP. See “Adding VPN to Your Network” on
page 231 for more information on inner and outer IP addresses.
18. From Shared Network, select the same network as the Extender Bridge.
19. From DHCP Subnet, select the same subnet as the Extender Bridge.
20. Click Provision Collector.
Within about five minutes, the new Extender Bridge device should have a green icon and a
status of “Up.” It should have a Polled IP address within the DHCP range you created, and
be a child node to the Gateway device (Figure 3.48).

Figure 3.48 Successfully joined Extender Bridge
Extenders and Extender Bridges with PSUs

Extenders and Extender Bridges that use a Trilliant SecureMesh 24V Power Service Unit (PSU)
provision the same as those devices that do not have a PSU, and are powered by the included POE
power supply. Once the Extender or Extender Bridge provisions, NEMS detects whether or not a
PSU is present. If a PSU is present, the PSU icon appears next to the device (Figure 3.49).
Figure 3.49 Extender Bridge with PSU
A device with a PSU has a PSU tab available in the Attributes window (Figure 3.50). This tab
provides details about the PSU itself, including its serial number, MAC address, battery status,
and more.

Figure 3.50 PSU tab in a device’s Attributes window
Devices that do not have a PSU have a disabled PSU tab in the Attributes window (Figure 3.51).

Figure 3.51 Attribute window with a disabled PSU tab

Trilliant Adding a Connector
Adding a Connector
After successfully adding an Extender Bridge, the next device to add is a Connector.
1. Power on the Connector.
Note: For the Connector to successfully connect to the Gateway, it must have the same
Country Code, be in the same Frequency Region, have the same netkey, be on the same
domain (or be configured for all domains), and use the same Channel Width. You can
verify the frequency region with the “show freq” CLI command (see “show freq” on
page 289), can change the frequency region with the “set prov freq” CLI command (see
“Changing the Frequency Region and Country Code” on page 316), and set the
Country Code with the “set prov chanwidth” CLI command (“Changing the Channel
Width” on page 318).
2. If you changed the netkey on the Gateway to something other than the default, continue to
the next step, otherwise, skip to Step 8.
3. In the CLI for the Connector, type set netkey and press [ENTER].
4. Enter the same netkey that you configured on the Gateway, and press [ENTER].
5. Enter the netkey again, and press [ENTER].
6. Type show netkey and press [ENTER].
7. Compare the netkey code to the Gateway’s netkey code. They should be the same. If they
are not, repeat from step 2.
8. Allow the Connector to attempt to link to the Gateway.
Note: This may take up to an hour. If the Connector’s primary frequency is set beforehand to
match the frequency used by the Gateway, the Connector will link much faster.
Note: If you are using VPN, the Connector must also have the correct VPN shared secret in
order to establish a VPN tunnel. Refer to “Adding VPN to Your Network” on page 231
for more information. Not having the correct VPN shared secret will not affect the
device discovery process, but will affect the provisioning process and the ability for the
device to form an active link.
In NEMS, the Connector will appear in the WAN View tree under “Discovered” (See
Figure 3.52).

Figure 3.52 WAN View - Discovered devices in the tree view, with a Connector selected
9. Right-click on the device and select Provision Node.

NEMS opens the Node window, which enables you to set provisioning parameters for the
Connector.

Trilliant Adding a Connector
Figure 3.53 Connector’s node window with Connector_Profile already selected
10. Ensure that the appropriate profile is already selected in Node Profile.
11. Ensure that Frequency Region is set to FCC High Band, and that the Frequency listed
matches the Gateway’s frequency (in our example, 5790).
Note: For users outside of the US, you must use the CLI to configure the country code on each
device before the device will be operable. Devices will not form links until you configure
the country code. See “Changing the Frequency Region and Country Code” on
page 316 before continuing.
12. Leave the Connector’s Tunnel IP entry blank if your network does not use VPN. If it does
use VPN, refer to “Adding VPN to Your Network” on page 231 for more information.
13. Click Save .
Within five minutes, the new Connector device should have a green icon and a status of
“Up.” It should have a Polled IP address within the DHCP range you created, and be a
child node to either the Gateway device or the Extender Bridge (Figure 3.54).

Figure 3.54 Successfully joined Connector

Trilliant Adding a Collector
Adding a Collector
When you provision an Extender Bridge, you will provision its associated Collector at the same
time, and do not need to add the Collector again (see Step 14 of “Adding an Extender Bridge” on
page 64 for instructions). However, if you have a standalone Collector (without an associated
Extender Bridge), you will still have to provision the Collector using either the manual method or
automatic discovery.
There are two methods to add Collectors to NEMS. The first is a manual method that requires you
to know the Collector’s IP address. The second method sets up automatic discovery based on an
IP range.
Trilliant recommends enabling an automatic discovery range for all installations to simplify the
Collector provisioning process.
Manually adding a Collector

This method requires that you know the specific IP address that the Collector is using. If you do
not know the IP address, or you are adding multiple Collectors, you should instead set up and use
Collector discovery (see “Setting up Collector Discovery” on page 76).
1. If you are in the WAN View, switch to the NAN View (see “Displaying the Collector-
Based Window” on page 115).
2. In the NAN Tree, right click on Global and select Add Collector.
Figure 3.55 NAN View - Context menu from Global in the NAN Tree with Add Collector highlighted
NEMS opens the Add Collector window.

Figure 3.56 Add Collector window
3. In the IP Address field, enter the Collector’s IP address.

4. Optional: Enter a Name for the Collector.
5. Click Save .
NEMS adds the Collector to a subnet in the NAN Tree based on the Collector’s IP address.
Setting up Collector Discovery

If you do not know the IP address, or you are adding multiple Collectors, NEMS provides
Collector discovery. This method requires DHCP to be configured on your server and within
NEMS (see “Configuring DHCP” on page 37).
1. If necessary, switch to the NAN View (see “Displaying the Collector-Based Window” on
page 115).
2. From the NAN Provisioning menu, select Discovery IP.

Trilliant Adding a Collector
Figure 3.57 NAN Provisioning menu with the Discovery IP Range option highlighted
NEMS opens the Discovery IP Range screen.
Figure 3.58 Discovery IP Range window
3. Click New .
NEMS creates opens the Add - Network Details window (Figure 3.59).
Figure 3.59 Add - Network Details window

4. At the top of the window, select IP Address Range.

5. In Start IP Address, enter the starting IP of your DHCP address range.
6. In End IP Address, enter the ending IP of your DCHP address range.
7. In Recurrence Details, select the following:
• For Recurrence Type, select Day. Keep the default of Every 1 Day(s).
• For Recurrence Start, enter a date.
• For Recurrence End, select Forever.
8. Click Save .
NEMS will discover the Collector within a day of the Extender being active (Figure 3.60).
Figure 3.60 Discovered Collector

4
The NEMS Interface
The NEMS interface contains many different views and buttons. This chapter defines those major
items that you will see and use in NEMS:
• “Using the Trilliant NEMS Interface” on page 80
• “Logging into NEMS” on page 80
• “Changing your NEMS Password” on page 83
• “User Management: Changing Another User’s Password” on page 85
• “Setting your View Preference” on page 91
• “Using the Display Pane” on page 92
• “Searching in NEMS” on page 94
• “Opening a new tab in NEMS” on page 96
• “Monitoring Your SecureMesh Devices” on page 98
• “Unified View Toolbar Buttons” on page 100
• “Monitoring Your SecureMesh WAN Devices” on page 105
• “WAN Tree View” on page 106
• “WAN Flat View” on page 107
• “WAN Node Icons in the Display Pane” on page 107
• “WAN View Toolbar Buttons” on page 110
• “Monitoring your NAN Devices” on page 111
• “NAN Tree View” on page 112
• “NAN Node Icons in the Display Pane” on page 124
• “NAN View Toolbar Buttons” on page 126

Chapter 4 - The NEMS Interface Trilliant
Using the Trilliant NEMS Interface

Trilliant NEMS is accessible through a web browser. This section describes how to log in and
how to use the different search capabilities.
• “Logging into NEMS” on page 80
• “Setting your View Preference” on page 91
• “Using the Display Pane” on page 92
• “Searching in NEMS” on page 94
Compatible Browsers
Trilliant NEMS supports the following browsers and versions:
• Linux:
• Mozilla Firefox 31.5.x (Included with RHEL/CentOS 5.11)
• Windows:
• Mozilla Firefox 35-39
• Mozilla Firefox ESR 31.x
• Google Chrome, 39-44
• Windows Internet Explorer 11*
* Earlier versions of Internet Explorer were not tested with this release and results may
vary.
Note: Trilliant NEMS should work with newer versions of Mozilla Firefox and Google
Chrome as they become available.
Logging into NEMS

To use Trilliant NEMS, you must be able to access the NEMS server with a Web browser. In
addition to the URL, you need a user name and a password.
To log into NEMS:

1. In a Web browser window, enter the NEMS URL provided at the completion of your
installation (for example, https://172.16.1.1).
NEMS displays a login screen (Figure 4.1).

Trilliant Using the Trilliant NEMS Interface
Figure 4.1 NEMS Login Screen
2. Enter your user name and password. The default is:

• User Name: admin
3. Click Sign In.
The first time you log into NEMS, NEMS asks whether you want the WAN, NAN, or Uni-
fied view to be your default view (Figure 4.2). Trilliant recommends selecting the Unified
View as your default.
Figure 4.2 User Preferences window
4. Select WAN View, NAN View or Unified View.

5. Click Save.
NEMS displays your Trilliant network in the view of your choice: WAN View
(Figure 4.3), NAN View (Figure 4.4), or Unified View (Figure 4.5).

Note: Do NOT use the browser’s Back button to return to a previous screen. Use the NEMS
navigation options instead.
Figure 4.3 NEMS WAN View
Figure 4.4 NEMS NAN View

Figure 4.5 NEMS Unified View
Note: After 30 minutes of inactivity, NEMS logs you out of the server.
Changing your NEMS Password

You can change your password at any time. Your password must meet the following security
requirements:
• At least 8 characters
• Mix of upper and lower-case characters
• Alphanumeric
• Must contain at least one special character (~!@#$%^&*_-?)
• Cannot be one of the past three (3) previously-used passwords.
To change your NEMS password

1. From the Administration menu, select Change Password (Figure 4.6).

Figure 4.6 Administration menu with Change Password highlighted
The Reset Your Password window appears (Figure 4.7).
Figure 4.7 Change Password window
2. In the New Password field, enter your new password.

The password must meet the following requirements:
• Alphanumeric
3. Enter your new password again in the Confirm Password field.
4. (Optional) Check the Send mail notifications box to send an email to the registered email
address about this password change.

5. (Optional) Check the Change Password on Re-Login box to require the user to change
the password again when the next login occurs. This effectively marks the password as
expired and therefore requires the user to change the password again when logging in.
6. Click Apply.
User Management: Changing Another User’s Password

The User Management window displays the list of current NEMS users (Figure 4.8).
Figure 4.8 User Management window
From this window, you can select a user and change their password, or force them to change their
password on their next login.
To change a user’s password

1. From the Administration menu, select Access Management > User Management
(Figure 4.9).

Figure 4.9 Administration menu with Access Management > User Management highlighted
The User Management window appears (Figure 4.10).
2. Select the user whose password you want to change, then click Edit .
NEMS opens the Edit User window (Figure 4.11).

Figure 4.11 Edit User window
3. In the New Password field, enter the user’s new password.

The password must meet the following requirements:
• Alphanumeric

Figure 4.12 Edit User window’s Change Password section
4. In the Confirm Password field, re-enter the user’s new password.

5. (Optional) Check the Send mail notification box to send an email to the user’s registered
email account to notify them that their password has been changed.
6. Click Save.
To force a user to change password at login

1. From the Administration menu, select Access Management > User Management
(Figure 4.13).

Figure 4.13 Administration menu with Access Management > User Management highlighted
The User Management window appears (Figure 4.14).
2. Select the user whose password you want to change, then click Edit .
NEMS opens the Edit User window (Figure 4.15).

Figure 4.15 Edit User window
3. In the Personal Information section, check the Password Change on Re-Login box.

Figure 4.16 Edit User window’s Personal Information section
4. Click Save.
Setting your View Preference

The first time you log in, NEMS asks you to set your home page view preference: the WAN view
or NAN view (Figure 4.17). You can change your view preference later using this procedure.
To change your view preference

1. From the Tools menu, select User Preferences.
NEMS shows you what your view is currently set to display.

Figure 4.17 User Preferences window
2. Select either NAN View or WAN View.

3. Click Ok.
Using the Display Pane

The display pane is the viewing area for network components, configuration screens, alarms,
events, reports, and integrated applications (such as Google Earth). The display pane includes
typical user interface features:
• Context-sensitive menus that are accessible by right-click. For example, right click on
any device to display the device menu.
Figure 4.18 NEMS device context-sensitive menu - Gateway example
• Multiple selection of rows using either CRTL-click or SHIFT-click.

Figure 4.19 CRTL-click example
Figure 4.20 SHIFT-click example
• Row sorting using column headings. Click on a column to sort rows by that column’s
contents.
Figure 4.21 Sorting rows by column (NAN view) - Number of Hops example, descending order
• Row filtering using specific search filters (available only in flat views). Select a cate-
gory from the Filter By list (number 1 in image below), an operator from the operator list
(number 2 below; equals, contains, etc.), and enter a value in the text box (number 3
below), then press Enter (Figure 4.22). Only those rows that match your search filter will
display. (To clear the filter, click Reset Filter, number 4 below.)

Figure 4.22 Filter By list
Searching in NEMS
In addition to the display pane’s search filter (see “Using the Display Pane” on page 92), you can
perform two types of searches in NEMS:
• Local: A local search presents results that are limited to just the current screen and view
you are on in NEMS. However, the results you receive depend on what screen and view of
NEMS you are on when you perform the search. So, if you search from the WAN View,
you will not see results from NAN View content, even if there are possible matches.
• Global: A global search opens a new window that searches throughout all of NEMS (not
just the content in your current screen/view).
Note: Searches are case-insensitive. For example, NEMS treats AB123 the same as ab123.
NEMS searches through the following records: node maintenance, node profile, and customer
maintenance (see Table 4.1). Global Search also searches NAN devices by MAC address, Device
ID, and AP Title.
Table 4.1 Record types and search criteria
Record type Search criteria
node maintenance MAC address, host name, IP address,
Tunnel IP address, and node (device) type
node profile Node profile name, node type
customer All customer maintenance fields
maintenance
Global vs Local Searches Example

If you search in for a meter with “6E794” as part of its MAC Address (number 1 in Figure 4.23)
and click Global Search , NEMS returns all results containing that search term (Figure 4.24),
whether or not they are visible in the current view.

Figure 4.23 Searching for a part of device’s MAC Address
Figure 4.24 Global search results showing matching results
However, if you perform the search locally instead (by pressing Enter, see number 1 in
Figure 4.25), NEMS searches only the items in that view for matches. Any matches, if found, are
highlighted in the current view (number 2 in Figure 4.25).
Figure 4.25 Local search showing a matching result
Perform a Local Search

1. In the Search box at the top of the screen, enter your search terms.

2. Press Enter.
Perform a Global Search

1. In the Search box at the top of the screen, enter your search terms.
2. Click Global Search .
Opening a new tab in NEMS

After performing a local or global search, you can choose to open links listed in the search results
in a new browser tab.
1. Perform a global search. See “Searching in NEMS” on page 94.
NEMS lists the search results in a window in the current tab.
Figure 4.26 Search results showing a matching result
2. Click a link to open that link in a new browser tab.

NEMS opens the relevant information in a new tab in your browser (number 1 below).
Depending on the search result you clicked, the information may be displayed in a Collec-
tor Details window (number 2 below). The matching information will be on that screen
(number 3 below).

Figure 4.27 Search results displayed in a new browser tab

Monitoring Your SecureMesh Devices

NEMS’ Unified View shows you all of the WAN and NAN devices in your network in a tree
hierarchy. This view displays the following columns for all devices:
• Alarm Severity
• Topology
• Device ID
• IP Address
• Status
Additionally, for WAN devices, the Unified View also displays the following:
• Downstream Mod/RSSI
• Upstream Mod/RSSI
• Slot Utilization (%)
• Throughput Down/Up (Kbps)
WAN devices are displayed in the display pane grouped by the domains to which they belong. If
you use more than one domain in your deployment, there will be several domains listed. In each
domain, devices are further grouped by the frequency they use to communicate. If you segregate
your devices by frequency, you will see each frequency listed, with the devices using those
frequencies sorted accordingly. In this section, Collector devices are shown as children of the
Extender Bridges to which they belong.
Figure 4.28 Collector devices in the WAN section of the Unified View
Additionally, for NAN devices, the Unified View also displays the following:
• Number of Nodes (using the Downstream Mod / RSSI Column)
• Number of Alive Nodes / Number of Power Down Nodes (using the Upstream Mod /
RSSI Column)
• Number of Not Reporting Nodes (using the Slot Utilization % Column)
• Number of Unconfirmed Power Down Nodes (using the Throughput Down / Up Column)

Trilliant Monitoring Your SecureMesh Devices
In the NAN section of this view, NAN devices are grouped by their device type.
Figure 4.29 NAN devices in the Unified View
The Unified View is comprised of the following components, as labeled in Figure 4.30.
Figure 4.30 NEMS Unified View components
1. Menu Bar—Contains menus of commands that allow you to set global network configu-
ration items, as well as manage the windows in the display pane.
2. Tool Bar—Contains context-sensitive buttons used to view and manage your Trilliant net-
work; for details, see “Unified View Toolbar Buttons” on page 100. The tool bar buttons
are enabled only when they’re applicable to the display pane’s active window.
3. Display Title—Indicates the display pane’s current contents.

4. Display Pane—Shows the selected view of your Trilliant network.

5. Device Alarm Severity—Color-coded indication of the alarm severity for a particular
device. To see alarm details, click the alarm’s color.
6. Search Controls—A text field that enables you to search for specific devices in NEMS.
See “Searching in NEMS” on page 94.
7. Global Alarm Summary—Shows the number of active alarms for four alarm types: crit-
ical, major, minor, and warning.
8. View List—Switches between the Unified, WAN, and NAN views.
9. About and Logout Buttons—The About button displays version/copyright information,
while the Logout button ends your NEMS session and returns you to the login screen.
Unified View Toolbar Buttons

NEMS offers the following buttons on Unified View toolbars (shown in “NEMS Unified View
Toolbar Buttons” on page 101).

Table 4.2 NEMS Unified View Toolbar Buttons

Button Function Description
Add/New Context-sensitive. Creates a new version of the same type of item as is
currently selected.
Save Saves any new or revised items in the current view.
Delete Deletes the currently selected item.
Refresh Refreshes the display pane.
WAN Opens the WAN Network Inventory Graph. For more information about
Network this window and its contents, see “WAN Network Inventory Graph” on
Inventory page 102.
Graph
Global Searches for any text value amongst all devices, profiles, and addresses
Search present in NEMS (case-insensitive). For more information, see
“Searching in NEMS” on page 94.
About Provides version and copyright information about Trilliant NEMS.
Logout Ends your current NEMS session.
Node Color Opens a window that enables you to set the color of a node in the Tabular
Configuration view.
Link Color Opens a window that enables you to set the color of link health types in
Configuration the Show All Paths view.
Export Opens a dialogue that enables you to export data from the current
window.
Edit Opens an editable node attributes window.
Attributes
Alarm Details Opens the Alarm Details window.
Assign Opens a window that enables you to assign resolution responsibility for
Owner one or more alarms to a user.
Column Opens a window that enables you to show/hide and freeze/unfreeze
Properties certain columns in the current display.
Alarm Opens the Trap window, which enables you to configure traps and email,
Forwarding and forward alarms.
Clear Clears the currently selected alarm(s).
Hide Cleared Hides cleared alarms from the current view.

Alarms
Alarm Stats Opens the Alarm Stats window, which presents charts about alarm
statistics in four categories: Severity, Acknowledge, Owner, and Element.
Time periods for alarms covered are configurable from 1 hour to 1 year.
Print Alarms Opens the Print Preview window, from which you can see and print Alarm
details.


Filter Opens the Alarm Filter Manager window, which enables you to create,
save, edit, and delete filters that you can apply to views.
Show Shows the Management Filter pane at the top of windows.
Management
Filter
Hide Hides the Management Filter pane at the top of windows.
Management
Filter
Reset Filter Removes any applied filters from the view.
WAN Network Inventory Graph

The WAN Network Inventory Graph window displays four different types of information about
the devices in your network (Figure 4.31).
Figure 4.31 WAN Network Inventory Graph window

Devices in Network: How many of each of the different types of devices are currently in the
network. Hover over a segment of a graph to see statistics for that particular device type
(Figure 4.32).
Figure 4.32 Devices in Network
Device Status in Network: The number of devices that correlate to each status. Hover over a
segment of a graph to see statistics for that particular device type (Figure 4.33).
Figure 4.33 Device Status in Network
Frequency Usage: The number of devices communicating using a particular frequency. Hover
over a segment of a graph to see statistics for that particular frequency (Figure 4.34).

Figure 4.34 Frequency Usage
Firmware Usage: The number of devices using a particular firmware version. Hover over a
segment of a graph to see statistics for that particular firmware version (Figure 4.35).
Figure 4.35 Firmware Usage

Trilliant Monitoring Your SecureMesh WAN Devices
Monitoring Your SecureMesh WAN Devices

The WAN View shows all of your WAN devices including the WAN component of Extender
Bridge devices. This view displays devices grouped by the domains and frequencies to which they
belong. This view is comprised of the following components, as labeled in Figure 4.36.
Figure 4.36 NEMS WAN View components
work; for details, see “WAN View Toolbar Buttons” on page 110. The tool bar buttons are
enabled only when they’re applicable to the display pane’s active window.
4. Display Pane—Shows the selected view of your Trilliant network.

There are two views within the WAN View: The WAN Tree View (see page 106) and the WAN
Flat View (see page 107). The WAN View defaults to showing the WAN Tree View. Both the tree
and flat views display information about the WAN devices within your network.
WAN Tree View

A SecureMesh WAN deployment may include thousands of devices. The WAN Tree View groups
by domain, frequency, and topology, which you can then drill-down into to see individual devices.
Both the WAN and NAN have tree views, though they are organized differently (the NAN Tree
View groups devices based on their IP addresses). In the WAN view, the tree view is displayed in
the Display Pane, and shows a topology of your network (see Figure 4.37).
Figure 4.37 WAN tree view hierarchy
Displaying the WAN Tree view

In the WAN view, the tree view is the default view. If you have switched to another view, follow
this step to return to the tree view:
• From the View menu, click WAN Tree View .

Note: The WAN Flat View is available as a “pop-up” window from all major views (Unified
View, WAN View, and NAN View), and does not require you to leave the current view or
close any existing windows

WAN Flat View

In NEMS, a “flat” view presents information about your network in a tabular format. The flat
view enables you to filter, sort, and analyze your network information with regards to device
composition, rather than topology. For instance, you could filter the flat view to show you all
devices by which domain they belong to, their node type, their status, etc.
Figure 4.38 WAN Flat View
Displaying the Flat View

Follow this step to go to the flat view:
• From the View menu, click WAN Flat View .
WAN Node Icons in the Display Pane

You can quickly determine a node’s device type and state from the icon. An abbreviated MAC
address is also included next to the icon for device identification purposes.
In Figure 4.39, three callouts identify the following:
• The lettering on the icon identifies the type of device. Callout 1 points at a Gateway
device, while callout 3 points at an Extender Bridge.
• The color of the icon represents the device’s state: callout 1 is green, which indicates a
device that is in the Up status; callout 3 is blue, which indicates a device that has been Dis-
covered, but has not yet been provisioned.
• The shortened MAC Address of a device: callout 2 points at the Gateway device’s MAC
address. Every device in NEMS (discovered or not) has a MAC address.

Figure 4.39 WAN Node Icons
Table 4.3, “WAN Node Icons,” on page 109, defines all icons shown in WAN View.

Table 4.3 WAN Node Icons

Icon SecureMesh Device
SecureMesh Gateway
SecureMesh Extender
SecureMesh Extender Bridge
SecureMesh Connector
SecureMesh PSU
Shown with Extender and Extender Bridge devices that also have a PSU. For example, the
following is an Extender Bridge with a PSU:
Manual Mode
This icon will appear next to any device that is currently in manual mode. Devices without this
icon are currently in auto mode.
Table 4.4 WAN Device Node Icon Colors
Color Status Example Description
green Up Node is managed, reachable, and responding. For PSUs,
the battery is connected.
orange Agent Down Node is managed and reachable, but not responding to
SNMP requests (the SNMP agent is down)
red Down Node is managed but unreachable. For PSUs, the battery is
disconnected.
blue Discovered Node is discovered (via the SecureMesh Gateway), but not
managed. The device may be active (provisioned and
communicating with the Gateway, but not managed by
NEMS) or inactive (device is up but not provisioned).
purple Status Node is managed, reachable, and responding, however,
Awaited or Status Awaited is a transitory state (such as when polling
Status is enabled after being disabled).
Unknown
For a node that is non-managed, non-reachable, or non-
responsive devices, the state is Status Unknown.
gray Polling Device polling has been disabled through NEMS.
Disabled
Note: Icon color is separate from Alarm color/severity.a

a.There are two exceptions to this rule. The Down and Agent Down node icon colors will always match the
severity of the Alarms to which they are bound. By default, they are configured to be Critical (red) and Ma-
jor (orange), respectively. If you change Agent Down’s SNMP alarm severity to be Minor (yellow), the icon
color will also be yellow. Likewise, if you change the Down status’ ICMP alarm severity to be Warning
(blue), its icon color will also be blue.
WAN View Toolbar Buttons

NEMS offers the following buttons on the WAN View Toolbars.
Table 4.5 NEMS WAN View Toolbars Buttons
currently selected.
Inventory page 102.
Graph
Edit Opens an editable node attributes window.

Attributes

Trilliant Monitoring your NAN Devices
Monitoring your NAN Devices

The NAN View shows all of your NAN devices including:
• the NAN component of Extender Bridge devices (i.e., Collectors)
• stand alone Collector devices, such as the COLL-31xx series
• other NAN devices, such as repeaters, meters, and RACs
This view displays Collector devices grouped by the subnets to which they belong, and other
NAN devices within the Tabular Node View of the associated Collector.
This view is comprised of the following components, as shown in Figure 4.40.
Figure 4.40 NEMS NAN View
work; for details, see “NAN View Toolbar Buttons” on page 126. The tool bar buttons are
enabled only when they’re applicable to the display pane’s active window.
4. Display Pane—Shows the selected view of your Trilliant network. This pane lists all the
NAN devices in your network, organized by IP subnet.

NAN Tree View

As shown in Figure 4.41, the NAN Tree View is organized by subnet (1) and then Collectors (2)
(Figure 4.41).
Figure 4.41 NAN Tree View
In the NAN View, you can filter, sort, and analyze your NAN network with regards to subnet
composition and device associations. For instance, you could filter all Collectors in a particular
subnet by their status, number of associated nodes, and so on.
The Global Collector Devices Window
Displaying the Global Collector Devices Window

• At the top of the tree, double-click the keyword Global. (See number 1 in Figure 4.42)
Figure 4.42 Global keyword in the NAN View
NEMS opens the Global Collector Devices window, which contains all Collectors in
NEMS (Figure 4.43).

Figure 4.43 Global Collector Devices window
The Subnet-Based Window
Displaying the Subnet-Based Window

• Double-click a subnet address. For example, in Figure 4.44, the display pane shows the
selected subnet of 166.130.47.0.
The Subnet-Based Window displays information about the Collectors of that subnet in four tabs,
as shown in Figure 4.44.
Figure 4.44 Subnet-based window
1. Tabular View—Lists the provisioned Collectors in the subnet, as well as useful statistics
related to those Collectors, such as Collector Status and # of Nodes (the number of devices
associated with that Collector).

2. Collector Stats—Lists statistics on a per-Collector basis, which can help determine the
health of the Collectors, as well as the NAN on which the Collectors reside
3. WAN IF Stats—Lists statistics about the WAN backhaul on a per-Collector basis
4. Inventory—Lists the number of associated devices per Collector, as well as types of asso-
ciated devices.
Some of the most common ways to use the Subnet-Based Window include:
Get an overview of the health of the Collectors in a subnet.

On the Tabular View tab, a Collector Status of Alive means that the Collector is communicating
normally with NEMS. Other possible statuses include:
• Power Down: the device has powered down and should resume communication when it
powers back on
• Not Responding: the device is not responding for an unknown reason
• Unconfirmed Power Down: NEMS believes that the device is powered down, but did not
receive notification that the power-down was intended, and cannot communicate with the
device to determine the reason for the power-down.
View aggregate communication information for Collectors in a subnet.

The Collector Stats tab includes communication statistics on a per-Collector basis. This can help
you determine the health of individual Collectors, as well as the NAN on which those Collectors
reside. For instance, the NAN Avg Round Trip Time field displays the average latency for
communication between the Collector and its associated NAN devices. If a single Collector takes
an unusually long period to send and/or receive responses, then this may indicate a localized issue
with the NAN for this Collector (for example, there may be unusually high network load). But if
multiple Collectors report similarly high average round trip times, it may indicate an issue
affecting all NAN devices, in which case more investigation is warranted.
View the overall health of the subnet in context of the wider WAN.
The WAN IF Stats tab includes statistics that can indicate how healthy the WAN (e.g., cellular
WAN) is. Reports of irregular bytes transferred (high or low), excessive connection attempts, and
so on can indicate cellular service level agreement (SLAs) issues, or even security issues.
View the list of devices associated with the Collectors in a subnet.

The Inventory tab provides a count of all NAN devices associated with each Collector in a subnet.
This view enables you to see which Collectors are most or least heavily linked to other devices,
and can help you determine whether you should make changes to your network design to better
spread load at the device level.

The Collector-Based Window

The Collector-Based Window enables you to filter within the Collector, such as by the type of
device associated with the Collector, or by the devices that make the highest number of hops to
reach the Collector (see Figure 4.45).
Displaying the Collector-Based Window

• Double-click a Collector icon. For example, in Figure 4.45, the window shows the
devices associated with the selected Collector NDUA0000042.
The Collector-Based Window displays information relevant to that specific Collector, as shown in
Figure 4.45.
Figure 4.45 NAN Tree View - Collector-Based Window
1. Collector Details—Lists details about the Collector, including general information (like
its name, MAC address, etc.), topology, location details, and SNMP information.
2. Tabular Node View—Lists the devices associated with the Collector and their status.
This tab provides at-a-glance information about each device, including device status, node
type, and success rate.
3. Node Stats—Lists connectivity statistics about the devices associated with the Collector.
4. Alarm Details—Lists alarms associated with the Collector and associated devices.
Alarms are color-coded and ranked, with the most serious alarms appearing at the top of
the list.
5. Component Details—Lists firmware information about the device (both Collector and
radio firmware versions)
6. Inventory—Lists the number of associated devices, as well as types (meters and repeat-
ers).
7. Statistics—Lists numerical statistics about the Collector, including outage counts, number
of bytes sent and received, failure and success percentages, etc.

Some of the most common ways to use the Collector-Based View include:
Identify which NAN devices associated with a Collector are not performing well.
On the Tabular View, the Status column (see number 1 in Figure 4.46) shows the current status of
each device associated with the selected Collector. If the status is “Not Reporting” then the
Collector cannot communicate with the device, which may need investigation. # of Hops (number
2) indicates how many hops a device has to make before it gets back to a Collector, so an
abnormally high value in this column could indicate problems with one or more of the devices it
normally hops through. Finally, the Last Activity date (number 3), if it doesn’t show a date that
matches the other devices, could indicate a communication issue.
Figure 4.46 Collector View: Performance indicators in the Tabular View
View the paths a NAN device uses to get back to a Collector.

The Node Paths window provides information about every path that a NAN device can use to
connect to a Collector.
• In the Tabular Node View, right-click on a meter and select Show All Paths (Figure 4.47).

Figure 4.47 NAN Tabular Node View: Selecting Show All Paths for a meter
This opens the Node Paths window (Figure 4.48).
Figure 4.48 Node Paths window
Export data from the Tabular Node View

You may need to export the data shown in the Tabular View. You can export everything shown on
the tab, or filter the data first, then export just the filtered data. Exportable formats are CSV, PDF,
XLS, XLSX, XML, or HTML.
Export from the Tabular Node View

1. If you want to export a filtered list, filter the contents of the Tabular Node View (see
“Using the Display Pane” on page 92 for information on filtering using column headings).

Figure 4.49 Tabular Node View: Filtered to show only Basic Meters
2. Click Export . The Configure Export Parameters window opens.
Figure 4.50 Configure Export Parameters window
3. From File Type, select the type of file to save the exported data as: CSV, PDF, XLS,
XLSX, XML, or HTML.
4. From Column Configuration, select an option:
• Visible Column
• All Columns
5. From Export Type, select an option:
• Whole Data
• Selected Data
• Current View
6. (Optional) Fill the Use Current Filter check box to export only data that matches your
current filter.

7. Click Apply to generate the export file in the format you selected. The Download Files
window opens.
Figure 4.51 Download Files window
8. Click the Download Exported File link. Your browser opens a window that enables you
to open or save the file.
Alarm Details: Identify the alarms associated with a Collector.

On the Alarm Details tab, alarms are ranked by severity (with the most severe at the top), and then
the number of events related to that alarm (with the highest number of related events listed first).
Each alarm listing is associated with a particular alarm type, for instance, a RAM failure (major
severity) or System Reboot (warning severity). All alarms associated with a particular Collector
are listed on this tab, from Critical (red) to Info (gray). For more information about Alarms, see
“Alarms and Events in NEMS” on page 129.
Figure 4.52 Alarm Details tab
Node Stats: Identify which Collectors and associated devices are experiencing
connectivity issues.
The Node Stats tab displays the count of particular communication events between a Collector
and associated node (for instance, a smart meter). Numbers that are noticeably low or high for a
particular kind of communication event could indicate a problem that may need further
investigation.

Figure 4.53 Node Stats tab
Component Details: Determine the Firmware of the components in the Collector

The Component Details tab lists the firmware versions currently being used by the Collector and
its radio.
Figure 4.54 Component Details tab
Inventory: Determine the identity and configuration of a Collector and the number
of NAN devices associated with the Collector.
The Inventory tab lists the number of devices that are associated with a Collector, a count for each
type of device, and some key configuration and identifiers for the Collector.

Figure 4.55 Inventory tab
View performance statistics for the Collector

You can view aggregate statistics for the Collector. Available data includes the number of outage
notifications, how many resets occurred, many types of data frame statistics, etc.

Figure 4.56 Statistics tab
Obtain more information about a particular device associated with a Collector.

If you want more information about a particular device associated with a Collector, you can
access the device’s Node Details window, which provides three tabs of information (general
device physical and topology information, performance statistics, and internal component
information).
• From the Collector’s Tabular View, right-click on a device and select Node Details
(Figure 4.57).

Figure 4.57 Node Details highlighted in right-click menu

Figure 4.58 Node Details window
NAN Node Icons in the Display Pane

You can quickly determine a node’s device type and state from the icon. Table 4.6, “NAN View
Icons,” on page 125, defines all icons shown in the NAN View.

Table 4.6 NAN View Icons

Icon Device
SecureMesh Extender’s Collector
SecureMesh NAN Collector 3100
Meter*
Thermostat*
Remote Appliance Controller
In-Home Display
Repeater
* Icon is used for more than one device type (for

example, RCS and Energate meters). The node’s
device type displays next to the node name in both
the tabular view and in Node Details.
As of the release date of this document, NEMS supports the device classes listed in Table 4.7.
Table 4.7 NAN Device Classes
Device Class
SecureMesh Repeater ND06
Basic Electric Meter ND04
Thermostat (RCS) ND08
RAC ND09
DDX Meter w/ Disconnect ND10
Basic Electric Meter w/ Disconnect ND12
DLMS/COSEM Meter ND14
ELONET II Protocol Meter ND16
DataCollector for ANSI Meter Array ND17
Thermostat (Energate) EG01
IHD AZ01
You can quickly determine a node’s state from the icon color, as shown in Table 4.8.

Table 4.8 NAN Collector Node Icon Colors

Color Status Example Description
green Up A green device is managed, reachable, and responding to
NEMS.
orange Agent Down An outlined orange device is managed and reachable, but
not responding to SNMP requests (the SNMP agent is
down).
An orange device (no outline) is pingable but has no SNMP

response.
red Down An outlined red device is managed by NEMS but currently
unreachable.
A red device (no outline) has been configured within NEMS,

but has not ever communicated with NEMS (possibly
because the device has not yet been discovered, or may
not exist yet in the field).
Note: Icon color is separate from Alarm color/severity.
NAN View Toolbar Buttons

NEMS offers the following buttons on the NAN View toolbars.

Table 4.9 NEMS NAN View Toolbars Buttons

currently selected.
Inventory page 102.
Graph
Node Color Opens a window that enables you to set the color of a node in the Tabular
Configuration view.
Link Color Opens a window that enables you to set the color of link health types in
Configuration the Show All Paths view.
Export Opens a dialogue that enables you to export data from the current
window.
Alarm Details Opens the Alarm Details window.
Assign Opens a window that enables you to assign resolution responsibility for
Owner one or more alarms to a user.
Column Opens a window that enables you to show/hide and freeze/unfreeze
Properties certain columns in the current display.
Alarm Opens the Trap window, which enables you to configure traps and email,
Forwarding and forward alarms.
Clear Clears the currently selected alarm(s).
Hide Cleared Hides cleared alarms from the current view.

Alarms
Alarm Stats Opens the Alarm Stats window, which presents charts about alarm
statistics in four categories: Severity, Acknowledge, Owner, and Element.
Time periods for alarms covered are configurable from 1 hour to 1 year.
Print Alarms Opens the Print Preview window, from which you can see and print Alarm
details.
Filter Opens the Alarm Filter Manager window, which enables you to create,
save, edit, and delete filters that you can apply to views.


Show Shows the Management Filter pane at the top of windows.
Management
Filter
Hide Hides the Management Filter pane at the top of windows.
Management
Filter
Reset Filter Removes any applied filters from the view.

5
Alarms and Events in

NEMS
The Alarms and Events features in NEMS are designed to monitor for, respond to, and alert you to
certain things that happen within your network. This chapter defines those alarms and events that
you will see and deal with in NEMS:
• “Alarms and Events Overview” on page 130
• “Alarms” on page 130
• “Events” on page 132
• “Viewing Alarms and Events” on page 136
• “Viewing Alarms” on page 136
• “Viewing Events” on page 139
• “Viewing Events Related to an Alarm” on page 141
• “Working with Alarms, Performance Thresholds, and Event Monitoring” on page 143
• “Alarms” on page 143
• “Acknowledging and Clearing Alarms” on page 143
• “Deleting Alarms” on page 147
• “Performance Thresholds” on page 149
• “Modulation Thresholds” on page 149
• “Modulation and RSSI Thresholds” on page 156
• “RSSI Thresholds” on page 163
• “NAN Threshold Monitoring” on page 169
• “Event Monitoring” on page 176
• “Trap Parsers” on page 176
• “Northbound Trap Receivers” on page 190
• “Email Notification of Alarms” on page 198

Chapter 5 - Alarms and Events in NEMS Trilliant
Alarms and Events Overview

NEMS has sophisticated event monitoring capabilities that help you monitor the health of the
network and devices. When an event occurs, NEMS responds by assigning a severity to the event
and creating an alarm (or associating the event with an existing alarm), which is also color-coded
according to the severity of the event. NEMS can generate events and alarms reactively (in
response to SNMP traps coming directly from a device) or pro-actively (based on NEMS polling
a device or discovering that a value has crossed a user-generated threshold).
This section explains how NEMS monitors for events and generates alarms, and how to see events
and alarms in the NEMS interface. Refer to “Working with Alarms, Performance Thresholds, and
Event Monitoring” on page 143 for information on how to acknowledge, clear, and delete alarms,
and how to customize event monitoring.
Alarms
NEMS generates alarms based on thresholds (described below) and events (described in “Events”
on page 132).
You can configure thresholds to monitor for when a value on a device (that is communicating and
operating normally) meets or exceeds a certain level. For example, if you enable and define a
threshold for WAN device modulation rates, when NEMS detects a value that triggers the
threshold, NEMS creates an event accordingly and updates the UI (Figure 5.1). NEMS
additionally associates this event with an existing alarm (Figure 5.2), or uses it as the basis for a
new alarm. See “Performance Thresholds” on page 149 for more information on creating, editing,
and deleting thresholds. New NEMS installations include default WAN threshold values that must
be enabled before use, and can be customized to meet the needs of your particular deployment.
NAN thresholds must be defined before use.

Trilliant Alarms and Events Overview
Figure 5.1 WAN View - Modulation threshold values for a Connector device
Figure 5.2 Modulation threshold alarm details
Alarm Severity
An alarm can be associated with one or more events and are categorized by severity:
• Info: alarms that are generated by routine operations. These alarms are informational only
and require no further action, and are color-coded gray.
• Cleared: alarms that have been acknowledged (and then cleared) by a NEMS operator.
These alarms require no further action and are color-coded green.

• Indeterminate: alarms that may or may not be an issue, but do not meet enough criteria to
be labeled as a more serious alarm type. These alarms should be investigated if associated
with a particular trouble-shooting exercise, and are color-coded gray.
• Warning: alarms that may indicate an issue that merits investigation, especially if associ-
ated with a particular trouble-shooting exercise. These alarms are color-coded blue.
• Minor: alarms that indicate abnormal or unexpected behavior by the associated device(s),
but which are not preventing the device(s) from successfully communicating with NEMS.
These alarms should be investigated and resolved in a timely manner, and are color-coded
yellow.
• Major: alarms that indicate severely abnormal or unexpected behavior by the associated
device(s), and which may be preventing the device(s) from successfully communicating
with NEMS. These alarms should be investigated and resolved as soon as possible, and
are color-coded orange.
• Critical: alarms that are severe enough to prevent the device(s) from communicating with
NEMS, or which indicate severely abnormal behavior for the device(s). These alarms
should be investigated immediately, and are color-coded red.
To meet the needs of your organization, the severity of most alarms are operator-configurable via
node profile, trap parser, and threshold configuration. For example, while a WAN Gateway outage
may be considered Critical, a Connector used for field surveys (and therefore frequently offline)
may be configured to raise only a Warning alarm for a Down status.
Events
Events are a time-stamped record of when certain defined conditions are met. Events can trigger
from NEMS detecting a condition, or receiving a trap from a device that informs NEMS of a
condition that the device detected. By default, events are organized by the time at which they
occur, with the most recent event listed first.

Figure 5.3 Event Log Details window
NEMS monitors for two types of events:

• Device Polling Tasks: The NEMS server periodically polls every Trilliant WAN and
NAN network device to retrieve data and monitor for thresholds, and can therefore also
report if a device is down or unreachable. If NEMS detects a polling event, it generates an
event according to the type of issue. NEMS then either creates a new alarm for the event,
or associates the event with an existing alarm.
Figure 5.4 Device unreachable event example
• SNMP Traps: Unlike polling-based events, SNMP traps are generated by the device
experiencing the event, such as a WarmStart trap, which the device reports when a reboot
(warmstart) event has occurred. When NEMS receives an SNMP trap, depending on the

trap type, it then can create a new alarm for the event, associate the event with an existing
alarm, or simply update the NEMS display. See “Viewing Events” on page 139.
Figure 5.5 WarmStart trap example
While NEMS includes many preconfigured trap parsers, you can also customize and cre-
ate additional trap parser definitions.
Event Severity
NEMS categorizes events by severity:
• Info: events that are records of routine actions. These events require no further action and
are color-coded gray.
• Cleared: events that have been acknowledged (and then cleared) by a NEMS operator.
These events require no further action and are color-coded green.
• Indeterminate: events that may or may not be an issue, but do not meet enough criteria to
be labeled as a more serious event type. These events should be investigated if associated
with a particular trouble-shooting exercise, and are color-coded gray.
• Warning: events that may indicate an issue that merits investigation, especially if associ-
ated with a particular trouble-shooting exercise. These events are color-coded blue.
• Minor: events that indicate abnormal or unexpected behavior by the associated device,
but which are not preventing the device from successfully communicating with NEMS.
These events should be investigated and resolved in a timely manner, and are color-coded
yellow.

• Major: events that indicate severely abnormal or unexpected behavior by the associated
device, and which may be preventing the device from successfully communicating with
NEMS. These events should be investigated and resolved as soon as possible, and are
color-coded orange.
• Critical: events that are severe enough to prevent the device from communicating with
NEMS, or which indicate severely abnormal behavior for the device. These events should
be investigated immediately, and are color-coded red.

Viewing Alarms and Events

NEMS offers many ways to view and filter alarms and events. Some methods are available
globally, while others are accessible only from certain views.
Viewing Alarms
Alarms are visible in a number of places in the NEMS interface, as shown in the figures below:
• The Global Alarms Summary: (1) in Figure 5.6
• Tree View: (2) in Figure 5.6
Note: The Tree View is available for all major views: Unified View, WAN View, and NAN View.
Refer to Chapter 4 “The NEMS Interface” on page 79 for more information about the
different views available in NEMS.
• The Alarms Window, accessed via the Fault menu: (3) in Figure 5.6
Figure 5.6 Unified View - Alarms locations

Trilliant Viewing Alarms and Events
The Global Alarms Summary

This bar is visible at the top of the NEMS interface in all views, and shows the number of active
alarms for four alarm severities: critical, major, minor, and warning (Figure 5.7).
Figure 5.7 Global Alarms Summary bar
Clicking one of the colors in this bar opens a window showing all alarms of that type (Figure 5.8).
Note: While the Global Alarms Summary in the Unified View tracks all alarms, the Global
Alarms Summary in the WAN View tracks only WAN device alarms. Likewise, the Global
Alarms Summary in the NAN View tracks only NAN device alarms.
Figure 5.8 Alarm Details window: All major alarms
The Tree View

Alarms associated with a single WAN device are shown in the Alarm Severity column of Tree
View on the left side of the window (Figure 5.9).

Figure 5.9 WAN View: Alarms in the Alarm Severity Column of the Tree View
Double-clicking on a device’s alarm severity flag (number 1 in Figure 5.9) opens the Alarm
Details window. This window shows all alarms associated with that device (denoted by Source IP
address), with the most recent alarm on top (Figure 5.10).
Figure 5.10 Alarm Details window
The Alarm Details Window

This window displays a list of all alarms, regardless of severity, and is visible in all views. Alarms
are grouped first by severity, and then by date and time. An alarm’s timestamp is determined by
the timestamp of the most recent event associated with the alarm. Each alarm shows only the most
recent timestamp of the most recent event.

• From the Fault menu, click Alarms > View Alarms (Figure 5.11).
Figure 5.11 Fault menu with Alarms > View Alarms highlighted
NEMS displays the Alarm Details window (Figure 5.12).
Viewing Events
Events often provide illumination into issues affecting device and network performance. This
section discusses the following:
• “Viewing All Events” on page 140
• “Viewing Events Related to an Alarm” on page 141

Viewing All Events

You can see all events that NEMS is aware of in the Event Log Details window. This can be useful
for sorting by event type, searching for a specific Event Log ID, searching by source IP address,
or sorting by event severity.
To see a list of all events:

1. From Fault menu, select Events > View Events.
Figure 5.13 Fault menu with Events > View Events highlighted
NEMS displays the Event Log Details window.
Figure 5.14 Event Log Details window
2. Double-click an event to display its Event Logs - View window.

Figure 5.15 Event Logs - View window
Viewing Events Related to an Alarm

Because an alarm can be associated with more than one event, you may need to view those events
in order to gain a more granular understanding of what is causing the alarm.
View an alarm’s related events

1. Double-click an alarm from one of the following views:
• Global Alarm Summary: Double click on a severity number to open the Alarm Sum-
mary Details window showing alarms of the severity you clicked. Double click an
alarm on this screen to open the Alarm Details window.
• Fault menu > Alarms > View Alarms: Select this option to open the Alarm Details win-
dow.
• Tree View: Double click an alarm in the Alarm Severity column on this screen to open
the Alarm Summary Details window, which shows all alarms associated with a particu-
lar device. Double click an alarm on this screen to open the Alarm Details window.
2. In the Alarm Details window, double-click an alarm (number 1 in Figure 5.16). This opens
the Alarm Details tab (number 2 in Figure 5.16).
3. Click the Event Details tab (number 3 in Figure 5.16).

The Event Details tab (Figure 5.17) lists all events that are associated with a particular
alarm.
Figure 5.17 Event Details tab

Trilliant Working with Alarms, Performance Thresholds, and Event Monitoring
Working with Alarms, Performance Thresholds, and

Event Monitoring
This section covers how to acknowledge, clear, and delete alarms, and how to customize alarms,
thresholds, and event monitoring.
Alarms
Beyond simply viewing alarms, there are two main ways to monitor and interact with alarms in
NEMS:
• “Acknowledging and Clearing Alarms”: You must first acknowledge and then clear an
alarm before you can delete it.
• “Deleting Alarms”: Alarms may be deleted if the Alarm is no longer relevant and the his-
tory of the Alarm is no longer needed.
Acknowledging and Clearing Alarms

Before you can clear an alarm, you must first acknowledge it. Acknowledging an alarm indicates
to NEMS that you are aware of the issue causing the alarm. Subsequently clearing an alarm
indicates to NEMS that you have resolved the issue causing the alarm, or that the issue requires no
further action.
Note: When working in the Alarms window, the following procedures are the same in both the
WAN View and the NAN View.
Acknowledge an alarm
Note: Acknowledging an alarm is permanent and cannot be undone.
1. From the Fault menu, select Alarms > View Alarms (Figure 5.18).

NEMS opens the Alarm Details window (Figure 5.19).
2. (Optional) Using the columns on this window, search or filter for the alarm you wish to
acknowledge.
3. Right-click on the alarm and select Acknowledge (Figure 5.20).

Figure 5.20 Acknowledging an alarm
In the Ack Status column, NEMS marks the Alarm as acknowledged (Y) (Figure 5.21).
Figure 5.21 Alarm marked as acknowledged in Ack Status column
Clear an alarm
Note: You must acknowledge an alarm before you can clear it. An acknowledged alarm is
marked Y in the Ack Status column (see Figure 5.21).

Note: Clearing an alarm is permanent and cannot be undone.

clear.
3. Right-click on the alarm (1) and select Clear (2) (Figure 5.24).

Figure 5.24 Clearing an acknowledged alarm
In the Severity column, NEMS marks the Alarm as CLEARED, and changes the Severity
color to green (Figure 5.25).
Figure 5.25 Cleared alarm: Alarm severity has changed to Green and Cleared
Deleting Alarms
Note: Deleting an alarm is permanent and cannot be undone.

delete.
3. Click on the alarm to highlight it (1) and select Delete (2) (Figure 5.28).

Figure 5.28 Deleting a cleared alarm
NEMS deletes the alarm.
Performance Thresholds
To manage the health of the network, NEMS collects data from all network devices known to the
NEMS that are communicable and operating normally. While NEMS comes pre-configured to
respond to and monitor for many events, you can also create custom thresholds to notify you
when a monitored information type meets or exceeds a certain value.
New NEMS installations include default WAN threshold values that must be enabled before use,
and can be customized to meet the needs of your particular deployment. NAN thresholds must be
defined before use.
NEMS tracks three types of thresholds applicable to WAN devices (and the WAN portion of the
Extender Bridge):
• “Modulation Thresholds” on page 149
• “Modulation and RSSI Thresholds” on page 156
• “RSSI Thresholds” on page 163
The NAN View tracks thresholds applicable to Collectors, Nodes, and WAN IF. See “NAN
Threshold Monitoring” on page 169.
Modulation Thresholds
If you enable and define a threshold for device modulation rates, when NEMS detects a value that
triggers the threshold, NEMS creates an event accordingly and updates the UI (Figure 5.29).
NEMS additionally associates this event with an existing alarm (Figure 5.30), or uses it as the
basis for a new alarm.

Figure 5.29 Modulation threshold values for a Gateway device
Figure 5.30 Modulation threshold alarm details
Create New Modulation Thresholds

1. From Fault menu, select Configure WAN Thresholds, and then Modulation
(Figure 5.31).

WA
Figure 5.31 Fault menu with Configure WAN Thresholds > Modulation highlighted
NEMS opens the Modulation Threshold window (Figure 5.32).
Figure 5.32 Modulation Threshold window
2. Click New .
NEMS adds a new line to the window (Figure 5.33).

Figure 5.33 New Modulation Threshold entry
In the above example, the new threshold is applying to all devices with a modulation rate
less than 9, and will raise an alarm of Indeterminate severity. You should create thresholds
that achieve your objective using the fields described below.
3. In Field Type, select one of the following:
• All: This threshold applies to all devices, regardless of which domain it is on, the node
profile it uses, or its specific node ID.
• Domain: This threshold applies to only devices that are members of the domain speci-
fied in the Field Value column.
• Node Profile: This threshold applies to only devices using the Node Profile specified
in the Field Value column.
• Node: This threshold applies to only the device with the Node ID specified in the Field
Value column.
4. If you selected anything but All in the previous step, specify the Field Value, as appropri-
ate.
5. Select an Operator:
• less than or equal to: <=
• less than: <
6. Select the Modulation Value at which the threshold is triggered.
7. Select the Alarm Severity to associate with this threshold.
8. Click Save .
NEMS saves the new Modulation Threshold entry (Figure 5.34).

Figure 5.34 Saved new Modulation Rate Threshold
9. Repeat from step 2 as necessary for all alarm levels and field types that you want associ-
ated with a modulation rate threshold.
Edit Existing Modulation Thresholds

1. From the Fault menu, select Configure WAN Thresholds, and then Modulation
(Figure 5.35).
WA
Figure 5.35 Fault menu with Configure WAN Thresholds > Modulation highlighted

2. Double-click an existing threshold entry to make it editable (Figure 5.37).
Figure 5.37 Editable Modulation Threshold entry
3. Make changes to any of the fields, as necessary.

4. Click Save .
NEMS updates the Modulation Threshold window to display the updated value(s)
(Figure 5.38).
Figure 5.38 Updated Modulation Threshold entry

Delete an existing Modulation Threshold

Deleting a Modulation Threshold is permanent. If you delete a threshold by mistake, you must
recreate the threshold.
1. From the Fault menu, select Configure WAN Thresholds > Modulation (Figure 5.39).
WA
Figure 5.39 WAN View - Fault menu with Configure Thresholds and Modulation highlighted
2. Click to highlight an existing threshold (Figure 5.41).

Figure 5.41 Highlighted modulation threshold (to delete)
3. Click Delete .
NEMS deletes the modulation threshold entry.
Modulation and RSSI Thresholds
Create a new Modulation and RSSI Threshold

1. From the Fault menu, select Configure WAN Thresholds > Modulation and RSSI
(Figure 5.42).

WA
Figure 5.42 Fault menu with Configure WAN Thresholds > Modulation and RSSI highlighted
NEMS opens the Modulation and RSSI Threshold window (Figure 5.43).
Figure 5.43 Modulation and RSSI Threshold window
2. Click New .

Figure 5.44 New Modulation and RSSI Threshold entry

Value column.
ate.
• less than: <
6. Select the RSSI Value at which the threshold is triggered.
• less than: <
8. Select the Modulation Value at which the threshold is triggered.
10. Click Save .
NEMS saves the new Modulation and RSSI Threshold entry (Figure 5.45).

Figure 5.45 Saved new Modulation Rate and RSSI Threshold
ated with a modulation rate and RSSI threshold (Figure 5.46).
Figure 5.46 A full set of saved Modulation Rate and RSSI thresholds
Edit an existing Modulation Rate and RSSI Threshold

(Figure 5.47).

WA

Figure 5.49 Editable Modulation and RSSI Threshold entry

4. Click Save .
NEMS updates the Modulation Threshold window to display the updated value(s)
(Figure 5.50).
Figure 5.50 Updated Modulation and RSSI Threshold entry
Delete a Modulation and RSSI Threshold

Deleting a Modulation and RSSI Threshold is permanent. If you delete a threshold by mistake,
you must recreate the threshold.
(Figure 5.51).

WA

Figure 5.53 Highlighted modulation and RSSI threshold (to delete)
3. Click Delete .
NEMS deletes the Modulation and RSSI Threshold entry.
RSSI Thresholds
Create a new RSSI Threshold

1. From the Fault menu, select Configure WAN Thresholds > RSSI (Figure 5.54).

Figure 5.54 Fault menu with Configure WAN Thresholds > RSSI highlighted
NEMS opens the RSSI Threshold window (Figure 5.55).
Figure 5.55 RSSI Threshold window
2. Click New .

Figure 5.56 New RSSI Threshold entry

Value column.
ate.
• less than: <
6. Select the RSSI Value at which the threshold is triggered.
8. Click Save .
NEMS saves the new RSSI Threshold entry (Figure 5.57).

Figure 5.57 Saved new RSSI Threshold
ated with an RSSI threshold.
Edit an existing RSSI Threshold


Figure 5.60 Editable RSSI Threshold entry

4. Click Save .
NEMS updates the RSSI Threshold window to display the updated value(s) (Figure 5.50).

Figure 5.61 Updated RSSI Threshold entry
Delete an RSSI Threshold

Deleting an RSSI Threshold is permanent. If you delete an RSSI threshold by mistake, you must
recreate the threshold.

Figure 5.64 Highlighted RSSI threshold (to delete)
3. Click Delete .
NEMS deletes the RSSI Threshold entry.
NAN Threshold Monitoring

You can set thresholds to monitor for dozens of different NAN-specific metrics, including
Collector outage notifications, node transmission success rates, WAN IF active connections, and
more.

Figure 5.65 NAN Thresholds
Create a new NAN Threshold

1. From the Fault menu, select Configure NAN Threshold.
Figure 5.66 Fault menu with Configure NAN Thresholds highlighted
NEMS opens the Threshold window (Figure 5.67).

Figure 5.67 NAN Threshold window
2. Click New .
Figure 5.68 Creating a NAN Threshold - new line added to window
3. From Node Type, select one of the following:

• Collector
• Node
• WAN IF
4. From Filter Type, select one of the following:
• Device ID
• IP Address
• MAC Address
• All
5. In the Filter Value field, enter the corresponding value for the filter type you selected.
6. Select the Metric for which you want to set a threshold. The metrics listed change
depending on the node type you selected.
7. From Operator, select one of the following:

• Less than or equal to: < =

• Less than: <
• Greater than or equal to: = >
• Greater than: >
8. In the Value field, enter the value that determines the threshold.
9. From Alarm Severity, select the severity of alarm to generate when NEMS detects a
value that meets this threshold.
10. (Optional) Enter a Message to display with the threshold.
11. Click Save .
NEMS updates the Threshold window to display the new entry (Figure 5.69).
Figure 5.69 New NAN Threshold entry
Edit an existing NAN Threshold



Figure 5.72 Editable NAN Threshold entry

4. Click Save .
NEMS updates the Threshold window to display the updated value(s) (Figure 5.73).
Figure 5.73 Updated NAN Threshold entry
Delete a NAN Threshold



Figure 5.76 Highlighted threshold (to delete)
3. Click Delete .
NEMS deletes the Threshold entry.
Event Monitoring
NEMS provides three methods of event monitoring:
• “Trap Parsers” on page 176
• “Northbound Trap Receivers” on page 190
• “Email Notification of Alarms” on page 198
Trap Parsers
Trap Parsers interpret the SNMP traps sent by devices to NEMS. These traps report occurrences
at the device level, which are the basis for events, and in turn, alarms.
Trap Parsers are available in all views. NEMS comes with trap parsers already configured, so you
should only need to add traps to support non-standard equipment for this version of NEMS.
However, you may wish to edit the default trap parsers to define the alarm severity appropriate for
your needs.
Display Trap Parsers

1. From the Fault menu, select Trap Parsers (Figure 5.77).

Figure 5.77 Fault menu with Trap Parsers highlighted
NEMS displays the Fault - Trap Parsers window (Figure 5.78).

Figure 5.78 Fault - Trap Parsers window
Create a new Trap Parser



Figure 5.80 WAN View: Fault - Trap Parsers window
2. Click New .
NEMS opens the Add Trap Parser Details window (Figure 5.81).

Figure 5.81 Add Trap Parser Details window
3. Select a Version.
4. Enter the OID (object ID) to associate with this trap parser.
5. Select a Generic Type of trap parser.
6. Click Next.
The Add Trap Parser Details window updates (Figure 5.82).

Figure 5.82 Adding more Trap Parser details
7. Enter a Name.
8. Enter a Source for this trap parser. The default value is $source.
9. Enter the Category for this trap parser.
10. Select a Severity for the alarm associated with this trap parser.
11. Enter the Message to display with this trap parser.
12. If appropriate, enter the Remedy to display for this trap parser.
13. Click Finish.
NEMS displays the new Trap Parser entry (Figure 5.83).

Figure 5.83 Saved new trap parser entry
Edit an existing Trap Parser



Figure 5.85 Trap Parsers window
2. Highlight an entry, then click Edit Trap Parser .

The Edit Trap Parser Details window for that entry opens (Figure 5.86).

Figure 5.86 Editing a Trap Parser entry
3. Make any changes, as necessary, to the following fields:

• The OID (object ID) to associate with this trap parser (SNMP dotted decimal notation
that is used to identify the specific trap for the NEMS trap processor).
• The Generic Type of the trap parser.
4. Click Next.
5. The Edit Trap Parser Details window updates (Figure 5.87).

Figure 5.87 Edit Trap Parser Details window
6. Make any changes, as necessary, to the following fields:

• The Name is the name of the trap processor / parser.
• The Source for this trap parser. The default value is $source (the node that generated
the trap).
• The Category for this trap parser. Categories can be used as selection criteria when for-
warding events to an SNMP trap receiver.
• The Severity for the alarm associated with this trap parser.
• The Message to display in NEMS for the specific trap.
• The Remedy is the action that the user should take when the specific trap has been
received.
7. Click Finish.
Delete a Trap Parser

Deleting a trap parser is permanent and cannot be undone. Be sure you are deleting the correct
trap parser, and that you really want to delete the trap parser. If you delete the trap parser and later
want to restore it, you will have to manually recreate it.


Figure 5.89 WAN View: Fault - Trap Parsers window
2. Click an entry to highlight it (Figure 5.90).

Figure 5.90 Highlighting a trap parser to delete
3. Click Delete .
4. NEMS asks you to confirm that you want to delete the selected record (Figure 5.91). Click
Ok.
Figure 5.91 Trap Parser delete confirmation
NEMS deletes the Trap Parser.
Northbound Trap Receivers

Northbound Trap Receivers can be defined to forward events, alarms, and SNMP traps to another
network management system.

Display Northbound Trap Receivers

1. From the Fault menu, select Northbound Trap Receivers (Figure 5.92).
Figure 5.92 Fault menu with Northbound Trap Receivers highlighted
NEMS displays the Northbound Trap Receivers window (Figure 5.93).

Figure 5.93 Northbound Trap Receivers window
Create a new Northbound Trap Receiver


NEMS displays the Fault - Northbound Trap Receivers window (Figure 5.95).

2. Click New .
NEMS opens the Create New SNMP Listener window.
Figure 5.96 Create New SNMP Listener window
3. Select an IP Version: IPv4 or IPv6

4. Enter the IP Address to which to forward SNMP traps.
5. Enter the Port that will receive the forwarded traps.
6. Click OK.
NEMS adds the entry to the Northbound Trap Receivers window (Figure 5.97).
Figure 5.97 Updated Northbound Trap Receivers window
7. Click to highlight the new entry.

8. In the Associate Filter list on the right side of the window, select one or more filters to
associate with the trap destination.
9. Click OK.
Edit an existing Northbound Trap Receiver

NEMS displays the Fault - Northbound Trap Receivers window (Figure 5.99).

2. Select an entry, then click Edit .

NEMS opens the Edit SNMP Listener window (Figure 5.100).
Figure 5.100 Edit SNMP Listener window
3. Edit the entry as necessary, then click Save .
Delete a Northbound Trap Receiver


NEMS displays the Northbound Trap Receivers window (Figure 5.102).

2. Click to highlight the entry you want to delete.

3. Click Delete .
4. NEMS asks you to confirm that you want to delete the selected record (Figure 5.103).
Click Yes.
Figure 5.103 Northbound Trap Receivers: Delete confirmation
NEMS deletes the Northbound Trap Receiver.
Email Notification of Alarms

You can set up alarm mail notifications that only forward alarms of specific severities, or specific
devices, or a combination of the two. In order to use this functionality, you must first:
1. Configure the mail server (See “Configure the mail server” on page 198.)
2. Configure the Alarm Mail Notifications for WAN and NAN devices (See “Create a new
Alarm Mail Notification” on page 200.)
Configure the mail server

1. From the Fault menu, select Mail Server Configuration (Figure 5.104).

Figure 5.104 Fault menu with Mail Server Configuration highlighted
NEMS opens the Mail Server Configuration window (Figure 5.105).
Figure 5.105 WAN View: Mail Server Configuration window
2. In Primary SMTP Host Name, enter your email server name.

3. (Optional) In Secondary SMTP Host Name, enter the secondary email server name.
4. In SMTP Port, enter the SMTP port number of the email server.
5. (Optional) In SMTP User enter the username for the mail server.
6. (Optional) In SMTP Password, enter the password for the mail server.
7. (Optional) In SMTP Confirm Password, enter the password for the server again.

8. In Sender Name, enter the name to use in the email.

9. In Sender Mail ID, enter the email address that will be used to send the email.
10. Click Save.
Create a new Alarm Mail Notification

Before beginning, determine whether you are creating a notification for a WAN device or NAN
device. WAN device alarm mail notifications must be created from the WAN View, while NAN
device alarm mail notifications must be created from the NAN View.
1. Make sure you are in the correct view for the device type for which you want to create
alarm mail notifications: WAN View, or NAN View.
Note: You cannot create alarm mail notifications for WAN devices from the NAN View, or vice
versa.
2. From the Fault menu, select Configure > Alarm Mail Notification (Figure 5.106).
Figure 5.106 Fault menu with Alarm Mail Notification highlighted
NEMS displays the Alarm Mail Notification window (Figure 5.107).

Figure 5.107 Alarm Mail Notifications window
3. Click New .
NEMS opens the Create New Email Listener window (Figure 5.108).
Figure 5.108 Create New Email Listener window
4. Enter or select the following:

• Email: The email address to which alarm mails will be sent.
• Details: Comments about the filter.
5. Click OK.
NEMS adds the listener to the Alarm Mail Notification window (Figure 5.109).

Figure 5.109 Updated Alarm Mail Notification window
6. Click to highlight the new alarm mail notification entry.

7. In the Associate Filters section of the window, select the alarm categories to associate
with the entry.
8. Click OK.
Edit an existing Alarm Mail Notification

1. From the Fault menu, select Alarm Mail Notification (Figure 5.110).

NEMS displays the Alarm Mail Notification window (Figure 5.111).
Figure 5.111 Alarm Mail Notification window
2. Click an entry to highlight it, then click Edit .

Figure 5.112 Edit Email Listener window
3. Edit the entry, as necessary.

4. Click OK.
5. In the Associate Filters section of the window, select the alarm categories to associate
with the entry.
6. Click OK.
Delete an Alarm Mail Notification

WAN device alarm mail notifications must be deleted from the WAN View, while NAN device
alarm mail notifications must be deleted from the NAN View.
1. Make sure you are in the correct view for the device type for which you want to delete an
alarm mail notification: WAN View, or NAN View.
Note: You cannot delete alarm mail notifications for WAN devices from the NAN View, or vice
versa.
2. From the Fault menu, select Alarm Mail Notification (Figure 5.113).

NEMS displays the Fault - Alarm Mail Notification window (Figure 5.114).
Figure 5.114 Alarm Mail Notification window
3. Click an entry to highlight it, then click Delete .

4. Click Delete .

5. NEMS asks you to confirm that you want to delete the selected record (Figure 5.115).
Click Yes.
Figure 5.115 Email Listener Delete confirmation
NEMS deletes the Alarm Mail Notification entry.

Trilliant Fault-Based Alarms
Fault-Based Alarms
The following sections provide details about alarms generated by SNMP Traps (from devices)
and NEMS.
NAN SNMP Traps

Collectors send two types of traps: Inventory (see Table 5.1 on page 208) and Statistics (see
Table 5.2 on page 210).

Table 5.1 Inventory Traps

S. Alarm Category OID Severity Alarm Message
Num
1 Network exceeds MaxAssociated .1.3.6.1.4.1.25612 Major Network has exceeded
90% of its limit NodesExceeded .2.0.1 90% of its limit for the
collector $source
2 Reboot caused Cold Start .1.3.6.1.4.1.25612 Warning System Reboot: Caused
by Power up .2.0.2 by power up in the
collector $source
3 Reboot initiated Warm Start .1.3.6.1.4.1.25612 Warning System Reboot: initiated
by Command .2.0.3 by command in the
collector $source
4 Reboot caused OS Exception .1.3.6.1.4.1.25612 Major System Reboot: caused
by a fatal .2.0.4 by fatal exception in the
exception collector $source
5 Network Network .1.3.6.1.4.1.25612 Info Network configuration
configuration Configuration .2.0.5 updated: One of the
updated Updated network attributes (panId,
networkName,
macAddress, channel) has
been changed in the
collector $source
6 Collector is alive Collector Present .1.3.6.1.4.1.25612 Clear Collector $source is alive
.2.0.6
7 Configuration lost CollectorConfig .1.3.6.1.4.1.25612 Warning Configuration recovered
and recovered Recovered .2.0.7 from backup for the
collector $source
8 Collector reset its CollectorNAN .1.3.6.1.4.1.25612 Warning NAN Radio reset: on
NAN Radio after radioReset .2.0.8 collector $source
waiting for an
abnormal period
without receiving
traffic
9 Problem while NvramFailure nvramFailure Major RAM failure: Problem
accessing non- while accessing non-
volatile memory volatile memory in the
of the collector collector $source
10 Node’s test mode TestMode testMode Info Test mode status is
status is inactive Canceled Canceled inactivated in the collector
$source
11 Node’s test mode TestMode testMode Info Tests mode status is
status is active Activated Activated activated in the collector
$source
12 Collector’s ClockSyncStatus clock Minor ClockSyncStatus is
clockSyncStatus Synchronization unsynchronized in the
is set to Lost collector $source
unsynchronized


Num
13 Collector’s ClockSyncStatus clock Clear ClockSyncStatus is
clockSyncStatus Synchronization synchronized in the
is set to Established collector $source
synchronized
14 Collector’s BatteryStatus batteryPresent Clear Battery status changed to
batteryStatus is present in the collector
set to present $source
15 Battery needs BatteryStatus batteryNeed Major Battery needs
maintenance Maintenance maintenance: Battery
status is either missing or
low in the collector
$source
16 Node alive Node Status nodeAlive Clear Node Alive:
Node%.1.3.6.1.4.1.25612.
6.1.4.0% is either
associated with the
collector or
communication
reestablished with the
collector $source
17 Node is in power Node Status nodeInPower Major Power outage in node
down state Down %.1.3.6.1.4.1.25612.6.1.4.
0% - Trap from $source
18 Node stopped Node Status nodeNot Major Node%.1.3.6.1.4.1.25612.
communicating Responding 6.1.4.0% is not
communicating with the
collector $source
19 Unconfirmed Node Status unconfirmed Major Node%.1.3.6.1.4.1.25612.
power down PowerDown 6.1.4.0% is most likely to
be in power down state -
Trap from collector
$source
20 Battery Charger Charger Bad chargerBad Minor Battery Charger stop
stop working in Temperature Temperature working in collector
collector $source due to
temperature outside its
operating range
21 Unit Tamper is Tamper Detected Tamper Detected Major Unit Tamper is detected
detected from from $source
collector

Table 5.2 Statistics Traps

S. Alarm Category OID Severit Alarm Message
Num y
1 Keepalive Keepalive .1.3.6.1.4.1.25612 Major Keepalive success rate of
success rate for SuccessRateToo .2.7.0.1 the Node
the node is low Low %.1.3.6.1.4.1.25612.6.1.4.
0% is under the
MIN_KEEP_ALIVE_SUC
CESS_RATE threshold -
Trap from collector
$source
2 Transmission Transmission 1.3.6.1.4.1.25612. Major Node transmission Failure
Failure Rate of FailureRate Too 7.0.2 rate exceeds
the node is high High MAX_TRS_FAILURE_RA
TE threshold. Either Data
Frame failure rate or
Routed frame failure rate
of the node associated
with
%.1.3.6.1.4.1.25612.6.1.4.
0% exceeded
MAX_TRS_FAILURE_RA
TE threshold - Trap from
collector $source
3 Node Traffic is Traffic Too High .1.3.6.1.4.1.25612 Major Number of data frames of
high .7.0.3 the node
%.1.3.6.1.4.1.25612.6.1.4.
0% exceed the
MAX_TRAFFIC_INITIATE
D threshold - trap from
collector $source
4 Channel Access ChannelAccess .1.3.6.1.4.1.25612 Major Number of CCA failures of
Failure Rate of FailureRate Too .7.0.4 the node
the node is high High %.1.3.6.1.4.1.25612.6.1.4.
0% exceed
MAX_CHANNEL_ACCES
S_FAILURE threshold -
trap from collector $source

S. Alarm Category OID Severit Alarm Message

Num y
5 MCU Reset Rate MCUResetRate .1.3.6.1.4.1.25612 Major Number of reset exceeded
of the node is Too High .7.0.5 MAX_MCU_RESET
high threshold, Number of
resets of the node
%.1.3.6.1.4.1.25612.6.1.4.
0% exceed
MAX_MCU_RESET
threshold - trap from
collector $source
6 NAN interface NANTraffic Too .1.3.6.1.4.1.25612 Major Number of frames sent
traffic is high High .7.0.6 and received on the NAN
interface exceeded
MAX_NAN_TRAFFIC
threshold. Number of
frames sent and received
on the NAN interface
exceeded
MAX_NAN_TRAFFIC
threshold - trap from
collector $source

WAN SNMP Traps

Table 5.3 WAN SNMP Traps
Num
1 Device Rebooted Reboot .1.3.6.1.4.1.15319 Major Reboot Trap received from
.5.0.1 the device $source with
reason code $reason
2 Gateway ChangeMeshGw .1.3.6.1.4.1.15319 Minor ChangeMeshGw trap from
changed .5.0.2 $source
3 Modulation Modulation .1.3.6.1.4.1.15319 Intermediat ModulationChangeDown
Changed Change Down .5.0.3 e trap from $source
4 Modulation Modulation .1.3.6.1.4.1.15319 Intermediat ModulationChangeUp trap
Changed Change Up .5.0.4 e from $source
5 Link removed Link Down .1.3.6.1.4.1.15319 Major LinkDown trap from
.5.0.5 $source
6 Formed Link Link Up .1.3.6.1.4.1.15319 Clear LinkUp trap from $source
.5.0.6
7 Maximum Node MaxRegistered .1.3.6.1.4.1.15319 Major MaxRegisteredNodesExc
count exceeded NodesExceeded .5.0.7 eeded trap from $source
8 Radar Detected RadarDetected .1.3.6.1.4.1.15319 Major RadarDetected trap from
.5.0.8 $source
9 Reboot caused ColdStart .1.3.6.1.4.1.15319 Major ColdStart trap received
by power up .5.0.9 from the device $source
with $reason
10 Reboot initiated Warm Start .1.3.6.1.4.1.15319 Major WarmStart trap received
by command .5.0.10 from device $source with
$reason
11 Invalid Software Invalid Software .1.3.6.1.4.1.15319 Minor InvalidSoftwareSchedule
Schedule Schedule .5.0.11 trap from $source
12 SysTime is UnSynchronized .1.3.6.1.4.1.15319 Minor UnsynchronizedSysTime
unsynchro SysTime .5.0.12 trap from $source
13 IP Conflict b/w IPConflict .1.3.6.1.4.1.15319 Minor TrapIPConflict trap from
devices present .5.0.13 $source
in the same
network
14 GPS unavailable GpsUnavailable .1.3.6.1.4.1.15319 Major GpsUnavailable trap from
.5.0.14 $source
15 Same channel SameChannel .1.3.6.1.4.1.15319 Minor SameChannelDetected
detected Detected .5.0.15 trap from $source
16 Formed active- NonPreferred .1.3.6.1.4.1.15319 Minor $source forms active-path
path link with Parent .5.0.16 link with non-preferred
non-preferred parent
parenta
17 Backhaul is in Backhaul Down .1.3.6.1.4.1.15319 Major Backhaul from $source is
down stateb .5.0.17 dropped


Num
18 Backhaul is in up Backhaul Up .1.3.6.1.4.1.15319 Clear Backhaul from $source is
statec .5.0.18 in up state
19 Node Reload Node Reload .1.3.6.1.4.1.15319 Clear Node with ID
initiated .5.0.19 %.1.3.6.1.4.1.15319.1.1.1.
0% gets reloaded
20 Node Reloaded Node Reload .1.3.6.1.4.1.15319 Clear Reload success for node
with applied .5.0.20 %.1.3.6.1.4.1.15319.1.1.1.
configuration 0% with status
%.1.3.6.1.4.1.15319.1.1.2
5.0%
21 Failed to apply Node Reload .1.3.6.1.4.1.15319 Major Error in trap configuration
configuration .5.0.21 for node
%.1.3.6.1.4.1.15319.1.1.1.
0%
22 PSU Power PSU .1.3.6.1.4.1.15319 Critical PSU for node
down .5.0.22 %.1.3.6.1.4.1.15319.1.1.1.
0% reports AC power
outage
23 PSU Power up PSU .1.3.6.1.4.1.15319 Cleared PSU for node
.5.0.23 %.1.3.6.1.4.1.15319.1.1.1.
0% reports AC power
restored
24 PSU Battery PSU .1.3.6.1.4.1.15319 Major Battery state is changed to
state change .5.0.24 %.1.3.6.1.4.1.15319.1.9.6.
0% at
%.1.3.6.1.4.1.15319.1.2.4.
0% for node
%.1.3.6.1.4.1.15319.1.1.1.
0%
25 PSU Battery PSU .1.3.6.1.4.1.15319 Critical PSU for node
charge low .5.0.25 %.1.3.6.1.4.1.15319.1.1.1.
0% reports battery charge
level low
26 PSU need PSU .1.3.6.1.4.1.15319 Major PSU for node
maintenance .5.0.26 %.1.3.6.1.4.1.15319.1.1.1.
0% needs maintenance
27 Tamper Detected PSU .1.3.6.1.4.1.15319 Major PSU for node
.5.0.27 %.1.3.6.1.4.1.15319.1.1.1.
0% has a tamper alarm
28 Lost PSU .1.3.6.1.4.1.15319 Critical PSU for node
communication .5.0.28 %.1.3.6.1.4.1.15319.1.1.1.
with PSU 0% lost communications
a.Specific to non-gateway devices
b.Specific to Gateway devices only
c.Specific to Gateway devices only

NEMS-Generated Alarms
Table 5.4 NEMS-Generated Alarms
S. Alarm Status Severity Alarm Message
Num
1 Device not Down Critical Device is not reachable
reachable
2 Device reachable Agent Down Major SNMP Agent is down / SNMP Version
(ping) but SNMP is not supported
connection is not
working
3 Data Collection Agent Down Major Data collection of
(Failure) $DatacollectionStats failed for device
$source due to Request timed out
4 Device reachable Upa Clear Device is reachable
5 Data Collection b Clear Data collection of
(successful) $DatacollectionStats successful for
device $source

S. Alarm Status Severity Alarm Message

Num
6 Threshold (NAN) User Num Bytes Tx value is higher than
configured expected for device (*ipaddress)
severity
Num Bytes Tx value is lower than
expected for device (*ipaddress)
Num Bytes Tx value is normal for
device (*ipaddress)
(same for Num Bytes Rx, Num
Connections Rx, Num Connections
Tx, Num Connections Rx Active, Num
Connections Inactivity, Num
Connections Too Long, and WAN
RSSI)
7 Threshold (WAN) User RSSI Level for device (*MAC) has
configured reached the configured threshold limit
severity (*threshold value).
RSSI Level for device (*MAC) is
normal
Modulation rate for device (*MAC)
has reached the configured threshold
limit (*threshold value) Mbps.
Modulation rate for device (*MAC) is
normal.
Modulation rate (*Mod value from
device) Mbps for device (*MAC) is
lower than expected (*Mod threshold
value) Mbps for the given signal
strength (*RSSI threshold value).
Modulation rate for the device (*MAC)
is normal.
a.This status also clears any of the alarms raised for the device.
b.Clears specific data collection alarms.


6
Advanced NEMS Topics
NEMS offers many advanced features that require planning and preparation before implementing
in your network. This chapter covers some of those items.
• “Virtual Local Area Networks (VLANs)” on page 218
• “Adding VPN to Your Network” on page 231
• “Determine the Firmware Version associated with a particular Collector” on page 240
• “Changing and Upgrading Firmware on WAN Devices” on page 242
• “Pre-Provisioning Large Numbers of Devices” on page 265
• “Changing WAN Device SFTP Password” on page 270

Chapter 6 - Advanced NEMS Topics Trilliant
Virtual Local Area Networks (VLANs)

Virtual Local Area Networks (VLANs) in the SecureMesh WAN are used to separate network
traffic by creating “virtual” broadcast domains. The benefits of implementing one or more
VLANs include increased security, network segmentation, and to provide an independent logical
topology from the rest of the network.
Before implementing VLANs, you must ensure the following:
• You have analyzed your network and know how many VLANs your network requires.
• You have the necessary switching equipment. Implementation of VLANs will require at
least one 802.1q capable Ethernet switch or router to properly segment traffic on the net-
work. Depending on how your network is organized, you may need multiple switches.
• You are, or have access to, a network administrator who is aware of the configuration
requirements of VLANs.
• You have appropriate access to reconfigure all network equipment connecting the NEMS
and the SecureMesh WAN.
• (Recommended) You have Serial access to the SecureMesh Gateway(s).
The SecureMesh WAN uses VLANs to separate the three different types of traffic that may flow
to or through a SecureMesh Gateway:
• Management: Any traffic to or from the IP address of a SecureMesh WAN device (Gate-
way, Extender, Extender Bridge, or Connector), such as SNMP polling of a device, DHCP
transactions by a device, and configuration and software downloads to a device.
• Collector: Any traffic to or from the IP address of a Collector, such as SNMP polling of a
device, DHCP transactions by a device, and configuration and software downloads to a
device.
• Data: Any traffic directed toward an end-user (thereby only passing through a device),
such as a computer or DA device connected to the Ethernet port of an Extender or Con-
nector.
The SecureMesh WAN can have only one management VLAN for each Gateway and its
associated children. The Management VLAN is only configured on the Gateway1; other devices
automatically inherit the Management VLAN setting from the Gateway to which they are
connected. Because the Management VLAN is used to facilitate communication between WAN
Devices and the NEMS, this VLAN can only be configured using the Command Line Interface
(see “Configuring a Management VLAN” on page 222).
The Collector and Data VLANs may configured on a per-profile, (or via CLI, on a per-device)
basis, and therefore may be configured for a single device, a group of devices, or the entire
1. Management VLAN configuration is only configured on the Gateway in order to simplify network management. Because there
can be no communication between devices and the NEMS without a properly configured VLAN, limiting the scope to Gate-
ways means that you only have to (re)configure those devices instead of every WAN device in the deployment.

Trilliant Virtual Local Area Networks (VLANs)
network. Collector, Data, and Management VLAN configuration are independent, and the use of
one does not mandate the use of any other.
When assigning VLANs, the Management, Collector, and Data VLANs may be configured
independently to any VLAN ID, 1-4094, or Untagged. Within the SecureMesh WAN, Untagged
traffic is handled independently from VLAN tagged traffic, and both can be transported
simultaneously.
Note: Trilliant does not recommend using VLAN ID 1 as the Management, Data, or Collector
VLAN, as most Cisco switches define this VLAN as the “native VLAN” used to carry
untagged traffic. However, be aware that this setting can be changed, such that a
different VLAN ID is used as the native VLAN, although this is uncommon. Networking
equipment from other vendors may have a similar restriction, or restrictions specific to
that vendor’s equipment. Refer to the documentation for your specific switches and
routers for details.
IMPORTANT: When a non-Gateway WAN device is provisioned with a data VLAN, all
Ethernet frames received by the device will be tagged with the Data VLAN ID. Likewise, all
traffic exiting device's Ethernet port will have the VLAN tags removed. As a result, it will no
longer be possible to access the device's Management interfaces (CLI and Web Interface) using
the local Ethernet port, using either the assigned IP address, or the reserved 192.168.0.2 IP
address. Manual management configuration must instead be handled over the air or using serial
port, as appropriate.
VLANs on WAN devices

VLANs on the SecureMesh Gateway
The SecureMesh WAN Gateway's Ethernet port is a VLAN trunk port. Both tagged and untagged
frames can be accepted by the Gateway's Ethernet port. Both tagged and untagged frames may be
sent from the Gateway's Ethernet port, depending on the configuration of the Gateway and its
attached WAN devices, as well as the configuration of Ethernet-connected devices attached to the
WAN. The Gateway does not modify the VLAN tags as frames enter and exit.
No configuration is required to enable VLAN support on the Gateway. Out of the box, both
tagged and untagged traffic are supported. Optional configuration includes the Management
VLAN ID, which must be configured using the CLI, and peer-to-peer communication, which may
be configured using the NEMS. See “Configuring a Management VLAN” on page 222.
VLANs on the SecureMesh Extender
The SecureMesh Extender's Ethernet port may be used as a trunk port, or a VLAN access port.
When used as a trunk port, both tagged and untagged frames will be accepted, and all packets will
be transmitted and received as-is, with no modification to the frames, and no check of the VLAN
ID within the frames. This is the default configuration, which is also used for deployments
without VLAN.

By assigning a Data VLAN, the Extender's Ethernet port becomes a VLAN access port. All
frames received by the Extender's Ethernet port are tagged with the configured VLAN ID. All
frames sent by the Extender to Ethernet attached device(s) have the VLAN tag stripped before
sending, and are therefore sent untagged. If VLAN tagged frames are received, only frames with
the Data VLAN id are allowed, frames tagged with other VLAN IDs will be dropped.
The Extender's Data VLAN configuration affects only frames to and from the device's local
Ethernet port. Frames sent or received on behalf of other WAN devices within the mesh are not
modified.
VLANs on the SecureMesh Connector
The SecureMesh Connector's VLAN capabilities are the same as the Extender.
VLANs on the SecureMesh Extender Bridge
The SecureMesh Extender Bridge supports the same capabilities as the Extender, with the
addition of an independent Collector VLAN setting.
The Collector VLAN defines the VLAN ID that will be used for the Collector component of the
Extender Bridge. All frames originating from the Collector will be tagged with this VLAN ID,
and all frames destined for the Collector must also be tagged with this VLAN ID. As with other
settings, the Collector VLAN can be a specific VLAN ID, 1-4094, or Untagged.
A Typical VLAN Implementation
Figure 6.1 VLAN Implementation Overview

Planning Your VLAN Implementation

Before configuring VLAN on any devices, it is important to plan your implementation carefully.
Review the diagram above and determine the following:
1. Select Management VLAN ID(s).
• Determine the Management VLAN ID.
• Will the same Management VLAN ID be used for all Gateways on the network? (Typi-
cally, Yes.)
2. Select Collector VLAN ID(s) (if the deployment includes Extender Bridge devices)
• Determine the Collector VLAN ID.
• Will the same Collector VLAN ID be used for all Extender Bridge devices on the net-
work? (Typically, Yes.)
3. Select Data VLAN ID(s)
• Determine a Data VLAN ID, or a range of VLAN IDs.
• Will all devices utilize the same Data VLAN ID? (Typically, No. It is common to use a
different Data VLAN id for each application, to segregate and “partition” unrelated
applications.)
• Is there a need to trunk VLANs through the SecureMesh WAN? If so, these devices
must NOT be assigned a data VLAN.
Implementing VLANs using the SecureMesh WAN

After planning, implementation must be completed in a coordinated manner. Trilliant
recommends the following order of events:
Note: During initial implementation of the Management VLAN, the NEMS, WAN devices, and
the network infrastructure (switches and routers) may not be on the same VLAN ID, and
as a result, IP communication may not be possible. Therefore we recommend you use a
Serial interface when configuring the Gateway, as well as any necessary switches and
routers.
1. Implement the Management VLAN.
• Configure network infrastructure (switches and routers):
> Identify the port used to connect to the NEMS, and the port used to connect to the
Gateway.
> Configure the port used to connect to the Gateway as a VLAN trunk port, and allow
all VLAN IDs that will be used on the WAN.
> Configure the port used to connect to the NEMS as a VLAN access port on the Man-
agement VLAN ID.

Note: If your network includes multiple switches and/or routers between the Gateway and the
NEMS, all of these devices must be configured appropriately to allow VLAN
communication.
• Enable the Management VLAN.
> See “Configuring a Management VLAN” on page 222.
> Verify communication between the NEMS and your WAN devices by issuing a “poll
now” command via the device’s right-click menu.
2. Implement the Data and Collector VLANs.
• Configure network infrastructure (switches and routers).
• Enable the Management VLAN.
> Identify the Node Profile(s) for the device(s) to be configured.
> See “Adding a Data VLAN to a Node Profile” on page 225.
> Reload the device(s).
> Verify Data VLAN configuration via CLI or by operational verification specific to
your Data application.
Configuring a Management VLAN

This procedure requires you to have access to the Gateway’s Command Line Interface. See
“Connecting to the Command Line Interface” on page 280 for instructions.
1. At the prompt, enter the following: set prov vlan
2. Select a VLAN action: m
3. Enter the management VLAN ID (0 - 4096): X
Note: Enter the management VLAN ID that you have chosen for your VLAN design. Table 6.1
shows an example VLAN ID of 10.
4. Select a VLAN action: e
5. Select a VLAN action: q

Table 6.1 Configuring a management VLAN

000ADB1213E4> set prov vlan
-> Select VLAN action: quit, enable, disable, modify, p2p <q|e|d|m|p> : m
-> Enter management VLAN ID (0-4096) [0]: 10

VLAN ID changed: 10
-> Select VLAN action: quit, enable, disable, modify, p2p <q|e|d|m|p> : e
VLAN setting changed: enable
-> Select VLAN action: quit, enable, disable, modify, p2p <q|e|d|m|p> : q
6. Verify the setting by entering the following: show prov vlan

The CLI should show something similar to Table 6.2.
Table 6.2 Confirming a VLAN setting
000ADB1213E4> show prov vlan
Management: Enabled VLAN ID: 2

P2P (Peer 2 Peer) Enabled VLANs:
-------------------------------
None
7. Reboot the Gateway to activate the changes by using the following command: reboot
Upon startup, the Gateway will begin using the configured VLAN ID.
Defining a Data or Collector VLAN (automatic provisioning)

Data and Collector VLANs are created from the WAN Provisioning menu, and are applicable to
all non-Gateway devices. This procedure enables you to define a name for your VLAN and assign
a specific VLAN ID to the name. After you create the VLAN entry, you must assign it to one or
more Node Profiles (see “Adding a Data VLAN to a Node Profile” on page 225).
1. From the WAN Provisioning menu, select VLAN (Figure 6.2).

Figure 6.2 WAN Provisioning menu with VLAN selected
NEMS opens the Provisioning - VLAN window (Figure 6.3).
Figure 6.3 Provisioning - VLAN screen
2. Click New .
NEMS opens the Add VLAN window (Figure 6.4).

Figure 6.4 Add VLAN window
3. Enter the Name for the VLAN.

4. Enter the VLAN Tag. This tag is equivalent to the VLAN ID.
5. (Optional) Enter a comment about this entry.
6. Click Save.
NEMS saves the entry (Figure 6.5).
Figure 6.5 Saved new VLAN entry
Adding a Data VLAN to a Node Profile

IMPORTANT: When a non-Gateway WAN device is provisioned with a data VLAN, all
Ethernet frames received by the device will be tagged with the Data VLAN ID. Likewise, all
traffic exiting device's Ethernet port will have the VLAN tags removed. As a result, it will no
longer be possible to access the device's Management interfaces (CLI and Web Interface) using
the local Ethernet port, using either the assigned IP address, or the reserved 192.168.0.2 IP

address. Manual management configuration must instead be handled over the air or using serial
port, as appropriate.
Note: Extender Bridges have two VLAN tabs (Collector VLAN and Data). The Collector
VLAN tab is where you assign the VLAN for the Collector portion of the Extender
Bridge. The Data VLAN tab is used to define the Data VLAN used for the device’s
Ethernet port.
Figure 6.6 WAN View: Provisioning menu with Node Profile highlighted
Figure 6.7 Provisioning - Node Profile screen

2. Double-click a node profile to open its Attributes window (Figure 6.8).
Figure 6.8 Node Profile Attributes window
3. Click the VLAN tab.

Figure 6.9 shows the VLAN tab for all devices except the Extender Bridge. Figure 6.10
shows the VLAN tab for an Extender-bridge.

Figure 6.9 Node Profile window with VLAN and Data tabs selected
Figure 6.10 Extender Bridge’s Node Profile window with VLAN and Collector VLAN tabs selected
4. For an Extender Bridge device (all other device types, skip to step 5), on the Collector
VLAN tab, select a VLAN for Collector data. On the Data tab, select a VLAN for data.
5. On the Data tab, select a data VLAN option.
6. Click Save .
Peer-to-Peer (P2P) Switching

By default, regardless of destination, all traffic from WAN devices will be sent to the Gateway,
and then forwarded from the Ethernet port of the Gateway. Traffic will not be switched between
WAN devices. This behavior improves efficiency by limiting unneeded network traffic, and
enhances security by allowing the network operator to control exactly which traffic can flow can
control traffic between end devices. SecureMesh WAN defines traffic between end devices as

“Peer-to-Peer” (or P2P). When desired, P2P communication can be allowed by configuration on a
per-Gateway and per-VLAN basis. Thus, when using VLAN to segment network traffic, P2P
switching can be enabled only for the specific application and VLAN ID that requires P2P
communication.
P2P configuration on the Gateway allows the Gateway to switch traffic between connected child
devices, including Ethernet connected devices. Thus, the Gateway only passes traffic to the
network switch if it doesn’t have the requested MAC address in its network. This also allows
devices to communicate with each other, even if the Gateway loses its connection to the larger
WAN. This feature uses a VLAN ID to identify specific traffic for which P2P communications is
enabled.
Note: Peer-to-Peer only needs to be configured on the Gateway.
NEMS opens the Node Profile window (Figure 6.12).

Figure 6.12 Node Profile screen
2. Double-click a Gateway Node Profile to open its Attributes window.

3. Select the VLAN tab (1), then the Peer-to-Peer tab (2) (Figure 6.13).
Figure 6.13 Peer-to-Peer tab on the VLAN tab of a GW Node Profile Attributes window
4. Fill the check box of the VLAN to be made Peer-to-Peer.

5. Click Save .

Trilliant Adding VPN to Your Network
Adding VPN to Your Network

Trilliant SecureMesh WAN supports IPsec VPN functionality, which allows each WAN device to
establish a tunnel to a VPN router at the head-end of the network, and provides end-to-end
security for device management. Extender Bridge devices also support an additional IPsec tunnel
for the integrated SecureMesh Collector, providing end-to-end security for all NAN traffic.
External data traffic from Ethernet connected devices, such as DA devices, will not be
encapsulated within the tunnel. However, external devices that are VPN-capable can establish
their own tunnels, which will be transported over the SecureMesh WAN.
VPN Configuration
Some basic configuration is required to support IPsec VPN. Some VPN parameters can be
provided by the DHCP server (facilitating device roaming, and simplifying management), or can
be configured locally using the CLI. Other parameters, such as the VPN shared secret, can only be
configured on the CLI.
The configuration options required to support VPN are:
• A DHCP-provided or locally-configured outer IP address that is used to communicate
with the VPN router.
• A DHCP-provided or locally-configured inner (VPN tunnel) IP address that is used for all
communication to/from the device once the tunnel is established.
• DHCP-provided or locally-configured VPN router IP address(es), including primary and
secondary VPN routers
• A locally configured VPN shared secret that is used for mutual authentication of the VPN
router and client.
How VPN is Used

Once configured, SecureMesh WAN devices will utilize VPN as follows:
Note: This example assumes DHCP is being used.
A device, upon establishing a link with another WAN device (or in the case of a Gateway, upon
power up), will use DHCP to obtain an IP address. In addition to typical parameters, the DHCP
offer will include options for an inner (tunnel) IP address, and one or more VPN router addresses.
Using those addresses, the WAN device will (prior to provisioning) attempt to establish a tunnel
with the primary VPN router. Communication between the WAN device and the VPN router
utilizes the outer IP address. Once the VPN shared secret configured on the WAN device and the
VPN router is verified, the VPN tunnel will be established. From this point on, any and all
communications to or from the WAN device will use the inner IP address, secured within the VPN
tunnel, and provisioning will proceed as usual.

Note: While VPN is in use, NEMS will exclusively utilize the inner IP address for device
management.
Devices will continuously monitor the VPN tunnel status, and will automatically re-establish the
tunnel as necessary. In any case where the primary VPN router is unreachable, the WAN device
will attempt to establish a tunnel with the secondary VPN router, if one is configured. The
configured routers are treated as primary and backup (fail-over), rather than load balancing, and
therefore the primary VPN router is always utilized when available.
Overview of Adding VPN to your Network

Note: The following assumes you are using DHCP, as this is the most common configuration.
Note: While you can add VPN to your network at any time, Trilliant recommends doing so
during or immediately after NEMS installation, BEFORE you provision any devices.
Doing so will enable you to define inner and outer VPN IP addresses as devices are
provisioned. Adding VPN after initial deployment requires editing the properties of
every existing device to add Tunnel IP information, which can be time-consuming.
There are multiple steps to adding VPN to your network:
1. You must have a VPN router set up on your network.
Note: This guide does not include instructions on how to configure physical router equipment.
Contact Trilliant Services to select, purchase, and install a VPN router on your network.
The VPN router will typically be located within a secure area of the head-end of the net-
work, which provides end-to-end security from the VPN router to the SecureMesh WAN
devices.
When planning IP address assignment and routing, be aware of the following:
• The WAN devices will communicate with the VPN router using the device's outer IP
address.
• The WAN devices will communicate with the NEMS, and the rest of the secure area of
the network, using the device's inner (tunnel) IP address (via the VPN router).
• The VPN router will need to implement a specific rule or exception to allow DHCP
traffic to flow from the device's outer IP address to the NEMS, as normally communi-
cation is not possible between these two subnets. On Cisco routers, this is achieved via
use of the “ip helper-address” configuration directive.
2. You should configure an inner IP address range within NEMS.
NEMS should be configured to assign addresses from a range of DHCP inner IP
addresses. This simplifies management of tunnel (inner) IP addresses by allowing NEMS

to track IP address assignment. When provisioning devices, NEMS will suggest the next
available IP address automatically.
The tunnel (inner) IP address will be used for all device communication when the VPN
tunnel is established. As such, this IP address range must be able to communicate with the
NEMS server. See “Configuring a DHCP Tunnel IP range” on page 233.
3. You must decide on a VPN shared secret.
A VPN shared secret is a pass phrase that all devices must share in order to use VPN to
connect, provision, and communicate. The VPN shared secret on the devices MUST match
the VPN shared secret on the VPN router.
The VPN shared secret must be a minimum of 16 characters (maximum of 64), and must
not contain any special characters. Once entered, the shared secret is displayed as a code
that is 12 characters long in the format of letters and numbers. Thus, the operator can ver-
ify that the code is correct, however, the actual shared secret will not be revealed. For
example:
Example VPN shared secret: Trilliant Networks, Inc.
Example vpnss code: a1:1d:78:eb:37:e8
4. You must set the shared secret in the CLI on every device that will be secured by VPN.
To set the VPN shared secret, access the CLI following the instructions in “Connecting to
the Command Line Interface” on page 280. Then use the set prov vpnss command
to define the shared secret (see “WAN equipment VPN provisioning” on page 235).
5. During device provisioning, you must add a Tunnel IP address to every device that will
use VPN.
This is done on the Node Maintenance screen. See “Adding VPN Tunnel IP Addresses to
Devices” on page 236.
Note: You can configure VPN on devices post-provisioning, but you must do so to each device
one-by-one through Node Maintenance.
Configuring a DHCP Tunnel IP range

1. From the Tools menu select DHCP Tunnel IP Range (Figure 6.14).

Figure 6.14 Tools menu with DHCP Tunnel IP Range highlighted
NEMS opens the DHCP Tunnel IP Range window (Figure 6.15).
Figure 6.15 DHCP Tunnel IP Range window
2. Click New .

Figure 6.16 New line in the DHCP Tunnel IP Range
3. Enter a Name for the range.

4. Enter the Starting IP Address.
5. Enter the Ending IP Address.
6. Click Save .
NEMS saves the range (Figure 6.17).
Figure 6.17 Saved DHCP Tunnel IP Range entry
WAN equipment VPN provisioning

The following commands need to be used to set the VPN shared secret to match the shared secret
provisioned on the VPN router.

Table 6.3 set prov vpnss example

000ADB010101> set prov vpnss
-> Enter VPN shared secret : <shared secret>
-> Re-enter VPN shared secret : <shared secret>
Table 6.4 show prov vpnss example

000ADB010101> show prov vpnss
Shared Secret Key : 47:df:62:17:2f:9
Adding VPN Tunnel IP Addresses to Devices

You can add VPN Tunnel IPs either during the provisioning process, or manually via Node
Maintenance afterwards.
Adding Tunnel IPs During Provisioning

During the discovery-based provisioning process, the Node window is where you apply a node
profile to an Extender Bridge or Connector device (Figure 6.18).

Figure 6.18 Node window
1. Double-click an entry in the Node window to make it editable.

2. In the Tunnel IP field, enter the device’s VPN Tunnel IP Address.
3. Continue provisioning as appropriate for your device. For a Collector that is provisioned
at the same time as its associated Extender Bridge, you will also see this screen.

Figure 6.19 Provision Collector screen
4. For DHCP IP Assignment, select Dynamic.

5. For Tunnel IP, either enter the inner VPN Tunnel IP Address, or click the ellipsis and
select one from the displayed list.
6. Continue provisioning as appropriate.
Manually Adding VPN Tunnel IP Addresses in Node Maintenance

If you manually provision devices by creating Node Maintenance entries (instead of provisioning
using the discovery-based method), you must add the VPN Tunnel IP Address to each device
entry.
1. Open the Node Maintenance window.
2. Double-click an entry to open it.

Figure 6.21 Node Maintenance
3. In the Tunnel IP field, either enter the inner VPN Tunnel IP Address, or click the button
in the Choose Tunnel IP column and select one from the displayed list.
4. Click Save .

Determine the Firmware Version associated with a

particular Collector
The firmware version of a Collector determines how a Collector operates and interacts with both
NEMS and its associated devices. If a Collector is not behaving well or as expected, checking the
firmware version it is using may help.
1. In the Unified View or the NAN View, right-click on a Collector and select Collector
Details (Figure 6.22).
Figure 6.22 Collector Details highlighted in right-click menu
2. This opens the Collector Details window. Select the Components tab to view the firmware
version of the Collector (Figure 6.23).

Trilliant Determine the Firmware Version associated with a particular Collector
Figure 6.23 Collector Details window - viewing the Component firmware version

Changing and Upgrading Firmware on WAN Devices

This section explains how to change and upgrade firmware on WAN devices. In some cases,
performance and protocol improvements included in new firmware releases may not be
backwards-compatible, therefore you should upgrade all devices on the Trilliant network
simultaneously. This section describes the process to ensure that all devices are upgraded
simultaneously, which minimizes the possibility of leaving devices “stranded” (running
incompatible firmware). These instructions can be adapted to upgrade a single Gateway and
associated children, rather than the entire network, by proper assignment of devices to Node
Profiles, and modification of only the appropriate Node Profiles
Note: Firmware upgrades cause devices to reboot, which results in a temporary network
outage.
To perform firmware changes/upgrades on WAN devices, the devices must already exist in
NEMS and be provisioned and responding normally.
Note: Firmware changes to NAN devices use separate software. Contact Trilliant Support for
assistance performing firmware changes on NAN devices.
Before you upgrade or change device firmware, you must:
• permission to add files to /var/ftp/pub/images/ on the NEMS server
Note: When performing firmware upgrades on devices in manual mode using the Command
Line Interface, the firmware directory you specify is pub/images/, not the full
directory listed above.
• have access to an FTP or SFTP tool to transfer the firmware files to the NEMS server
• have access to all necessary firmware files
Avoiding Firmware Upgrade Issues

The two most common mistakes made when upgrading firmware are:
• Firmware is activated in some devices before all devices have loaded the new firmware.
• Both the primary and backup software in a node profile is set to the new firmware.
Although the firmware will only upgrade one image at a time, and includes many safe-
guards to avoid potential issues, the prior firmware image should always be assigned as
the backup firmware, which ensures that the previous “known good” image remains avail-
able for rollback.
• Primary software in a Node Profile is correctly defined to the new firmware, but the
backup software is not defined as the previous firmware version. As with the previous
point, the last “known good” image should be retained as backup.

Trilliant Changing and Upgrading Firmware on WAN Devices
Because NEMS offers to automatically reload associated devices every time you save a node
profile, and devices may request a new configuration file at any time due to link establishment or
the configuration lease timer, it is possible to initiate a firmware upgrade before you are ready. To
avoid doing so, Trilliant recommends that you follow one of two upgrade paths:
1. Use a Software Activation Schedule for each Node Profile to be upgraded. See “Creating a
Software Schedule” on page 248.
2. Set the new firmware image as the Backup Software in the node profile. Once all devices
have downloaded the new firmware image as backup software, use the Swap Software
button to initiate the firmware upgrade. See “Swapping Firmware Images” on page 262.
Overview of the Firmware Upgrade Process

There are many possible paths to perform a firmware upgrade. This section provides an overview
of the recommended processes.
1. Determine current firmware version(s)
2. Transfer new firmware files to the NEMS server.
3. (Option A) Scheduled upgrade (recommended)
• a. Create a Software Schedule
• b. Verify Software Schedule
• c. Update Node Profile(s)
• d. Reload devices (or) if devices have a configuration lease timer preconfigured, wait
for reloads to occur automatically.
4. (Option B) On-demand upgrade
• a. Assign new firmware as the Backup Software
• b. Reload devices
• c. Confirm firmware download status
• d. Swap Primary and Backup Software
• e. Reload devices
Viewing Current Firmware Packages

The Provisioning - Node Profile window shows the firmware packages currently associated with
WAN devices in NEMS (Figure 6.24).

Figure 6.24 WAN View - Node Profile listing devices and firmware packages
Two columns display the firmware packages to which the device has access: Primary Software
(what the device is currently using), and Backup Software (what the device will use if the
primary software is unavailable).
To view device firmware:


NEMS displays the Provisioning - Node Profile window.

2. Locate and click on the device (to highlight the row) whose firmware you want to inspect.
3. Locate the Primary Software and Backup Software columns. The entries in these col-
umns list the currently active and backup firmware packages that the device is using
(Figure 6.26).
Figure 6.26 Primary Software and Backup Software columns list a device’s current firmware

Uploading New Firmware to the NEMS Server

When you receive a new firmware package for a device, you must first add it to the NEMS server
in order to make it available for use by WAN devices. To do so, you must have:
• permission to add files to the /pub/images directory on the NEMS server
• access to an FTP or SFTP tool to transfer the firmware files to the NEMS server
• locally saved copies of all necessary firmware files
Note: For new installations of NEMS, the latest firmware packages may already be installed
on the NEMS server. In such cases, this process may not be necessary; check to make
sure that the firmware package you need is not already present on the server.
To upload a new Firmware package to the NEMS server:

Note: This procedure uses FileZilla as the SFTP program to transfer the firmware files to the
NEMS server. If you use a different FTP or SFTP program, the instructions for the
SFTP portion may no longer be accurate.
1. Open the FTP or SFTP program and connect to the NEMS server.
2. Enter the Host Name (for example, sftp://10.18.0.43), Username (root), and Password,
then press Enter (or click Quickconnect) (Figure 6.27).
Figure 6.27 Connecting through FTP to the NEMS Server
The ftp program connects to the server and displays the root directory (Figure 6.28).

Figure 6.28 Connected to the NEMS server
3. In the local site portion of the window, navigate to the location of the firmware files.
4. In the remote site portion of the window, navigate to /pub/images.
5. Drag the firmware files from the local site to /pub/images.
6. After the firmware files finish transferring, in NEMS, refresh the Node Profile screen to
ensure that the new firmware files are present.
The firmware files are available in NEMS for use by WAN devices in the Node Profile
Details window (Figure 6.29).

Figure 6.29 Firmware images available to devices on the Node Profile Details window
Creating a Software Schedule

A Software Schedule is designed to ensure that the firmware update happens at a known and
optimal time (rather than during a heavy traffic period). Because the firmware is loaded onto the
device before it is applied, the Software Schedule enables you to control when the new firmware
takes effect.
Note: The Software Schedule feature requires that your devices use the Network Time
Protocol (NTP).
Trilliant recommends scheduling the upgrade at least 24 hours in the future, to ensure ample time
for all devices to successfully complete the firmware download prior to the scheduled upgrade
time.
While this procedure is optional, if you do make a Software Schedule to aid your firmware
management process, you must create the schedule and assign it to the applicable node profile
BEFORE you select a new firmware package in the node profile.
To create a Software Schedule:

1. From the WAN Provisioning menu, select Software Schedule (Figure 6.30).

Figure 6.30 WAN Provisioning Menu with Software Schedule highlighted
NEMS opens the Provisioning - Software Schedule window (Figure 6.31).
Figure 6.31 Provisioning - Software Schedule screen
2. Click New .
NEMS opens the Add Schedule window (Figure 6.32).

Figure 6.32 Add Schedule window
3. Enter a Name for the schedule.

4. Click the ellipsis button next to the Node Profile field to open the Node Profile List
window (Figure 6.33).
Figure 6.33 Node Profile List window
5. Select one or more updated node profiles to be sent using this schedule, then click Ok.
6. Select the Schedule Date for the change.
Note: The Software Schedule feature and device firmware do not account for Daylight
Savings Time adjustments. All scheduling should be performed assuming standard time,
for example, in most areas one (1) hour must be subtracted from the selected time.
Device date/time can be verified with the show date CLI command.
7. Select a Status for the change:
• Active: The schedule is active and will be honored during upcoming firmware changes.
• Inactive: The schedule is not active and will be ignored. The device will behave as
though there is no schedule defined.
8. (Optional) Enter a Comment about this schedule.

9. Click Save .
NEMS saves the schedule and updates the Provisioning - Software Schedule window to
show the saved schedule (Figure 6.34).
Figure 6.34 Saved new Software Schedule
Now that the software schedule is defined and associated with the profile, you can update
the selected Node Profile(s) to use the new firmware packages, and reload the associated
devices. When using a software schedule, the new firmware package should be assigned
as the Primary Software, and the previous working firmware image should be assigned as
the Backup Software. When devices which are reloaded, they will download any new
firmware packages, but will wait to reboot and activate the new firmware until the targeted
date and time.
You can choose to reload devices when changing the profile (to trigger an immediate
download), or if you utilize a configuration lease timer, you can wait for the timer to
expire for devices to reload automatically. Trilliant recommends using a configuration
lease timer, as this will allow firmware downloads to occur at distributed intervals, rather
than having all devices attempt to download firmware concurrently. However, you must
ensure that the lease timer for all devices will expire prior to the scheduled time for the
software schedule. For example, if your configuration lease timer is 24 hours, you should
schedule your upgrade at least 25 hours in the future.
Verifying a Software Schedule

Once a Software Schedule has been defined, and the device has been reloaded, you can confirm
the schedule is selected for a device using the Device's CLI. You may choose to verify the
schedule by manually issuing a reload for a single device, before reloading all devices on the
Profile.
1. Telnet or SSH to the device.
2. Use the show config sw command to verify schedule status (Table 6.5).

Table 6.5 show config sw example

000ADB010101> show config sw
Primary : SMGateway_2.3.1.bin
Backup : SMGateway_2.3.0.bin
Software schedule : SUN JAN 03 01:00:00 2015
Software schedule valid : true
Note: The Software Schedule feature requires that your devices use the Network Time
Protocol (NTP). Device date and time can be confirmed using the 'show date' CLI
command.
Selecting Firmware in a WAN Device Node Profile

Device firmware is defined during creation of a Node Profile. To change the firmware associated
with a Node Profile (for example, to facilitate a firmware upgrade), you can edit the Node Profile.
After you save new firmware configuration, you must also tell the device when to download the
configuration file using one of two options:
• Reloading a Device: This option is best for downloading the configuration file immedi-
ately. See “Reloading a Device” on page 258.
• Waiting for a Config Lease Time to Expire: This option is best when there is a defined
Config Lease Time setting, but downloading the configuration file has no other timing
restraints. See “Waiting for a Device’s Config Lease Time to Expire” on page 259.
When the device receives the new configuration, behavior will depend on the current firmware
available on the device, and the configuration of the Software Schedule (if any). The possible
scenarios are as follows:
1. No change.
No action is taken.
2. Primary and Backup Software have been swapped. (Recommended)
• In this case, the device already has the correct firmware images; however, the Primary
Software becomes the backup and the Backup Software becomes the primary.
• If there is a valid software schedule defined, the device will take no action until the
schedule date and time. At the scheduled date and time, the device will continue to the
next step.
• If there is no valid software schedule defined, or the schedule date and time has been
reached, the device will change the active firmware image bank and reboot.
• Upon completion of the process, both the Primary Software and the Backup Software
are Accepted (known good) firmware.
3. Backup Software image has changed to a new image. (Recommended)

• In this case, the device has the correct Primary Software, and only the Backup Software
image has changed.
• Regardless of software schedule, the device will immediately begin a FTP or SFTP
transfer to download the new Backup Software.
• Upon completion of the transfer, no action will be taken as the device already has the
correct Primary Software
• Upon completion of the process, the Primary Software is Accepted, and the Backup
Software is Trial.
4. Primary Software has changed to the previous Backup Software, and the Backup Software
has changed to a new image.
• In this case, the device has the correct Primary Software already downloaded, but the
Backup Software image has changed.
• If there is a valid software schedule defined, the device will take no action until the
schedule date and time. At the scheduled date and time, the device will continue to the
next step.
• If there is no valid software schedule defined, or the schedule date and time has been
reached, the device will change the active firmware image bank and reboot.
• Upon successful reconnect, the device will begin a FTP or SFTP transfer to download
the new Backup Software. This firmware image will replace the current Backup Soft-
ware (which is the previous Primary Software).
• Upon completion of the transfer, no additional action is taken.
Software is Trial.
5. Primary Software image has changed to a new image. (Not recommended)
• In this case, the device has the correct Backup Software, but the Primary Software
image has changed.
transfer to download the new Primary Software. This firmware image will replace the
previous Backup Software.
• Upon completion of the transfer, if there is a valid software schedule defined, the
device will take no action until the schedule date and time. At the scheduled date and
time, the device will continue to the next step.
• Upon completion of the transfer, if there is no valid software schedule defined, or the
schedule date and time has been reached, the device will change the active firmware
image bank and reboot using the new Primary Software image.

Software is Trial.
6. Both primary and backup firmware images have changed to new images. (Not recom-
mended)
• In this case, the device does not have either of the firmware images defined in the Pro-
file.
transfer to download the new Primary Software. This firmware image will replace the
previous backup firmware.
• Upon completion of the transfer, if there is a valid software schedule defined, the
device will take no action until the schedule date and time. At the scheduled date and
time, the device will continue to the next step.
• Upon completion of the transfer, if there is no valid software schedule defined, or the
schedule date and time has been reached, the device will change the active firmware
image bank and reboot using the new Primary Software image.
Software is Trial.
Note: Downloading firmware to a device does not necessarily mean that the device will use
the newly downloaded firmware right away. New firmware can be scheduled to take
effect at a specific time (see “Creating a Software Schedule” on page 248), or can also
be set as Backup Software, which must be manually swapped to Primary Software (see
“Swapping Firmware Images” on page 262). For more information about avoiding
issues when applying upgraded firmware to your devices, see “Avoiding Firmware
Upgrade Issues” on page 242.
To select a device’s firmware:

Note: To make the device apply the new firmware selected in this procedure, you must set a
software schedule, wait for the device’s Config Lease Time to expire (if configured with
one), manually swap the firmware images (if the new firmware is set as the backup
image), or command the device to Reload.

Figure 6.35 Provisioning menu: Node Profile option
2. Double-click on a profile open the attributes window (Figure 6.37).

Figure 6.37 Editable Node Profile entry
3. In the Primary Software column, select a firmware image name from the drop-down list
(Figure 6.38).
In a Firmware Upgrade scenario, Trilliant recommends that the primary software be set to
the currently used firmware image (not the upgraded firmware image).

Figure 6.38 Selecting a primary software image name
4. If necessary, in the Backup Software column, select a firmware image name from the
drop-down list (Figure 6.39).
In a Firmware Upgrade scenario, Trilliant recommends that the backup software be set to
the upgraded firmware image (you can swap the images later once all images have been
downloaded).
Figure 6.39 Selecting a backup software image name
5. Click Save .
6. NEMS offers to automatically reload associated devices.
• To make the devices download and/or apply the new firmware, click Yes.
• To wait for the device’s Config Lease Time to expire, click No. For more details, see
“Waiting for a Device’s Config Lease Time to Expire” on page 259.

Reloading a Device
Every time you save a node profile or a node maintenance entry, NEMS offers to automatically
reload all associated devices (you can accept or decline this offer). However, you can manually
reload a device without making changes to its node profile or node maintenance entry.
Reloading a device causes the device to apply firmware changes immediately. Reloading is not
required if you are using a lease time to trigger the reload, or if you accepted the offer to
automatically reload all associated devices when saving a node profile or node maintenance entry.
To Reload a Device:
1. From the WAN View Tree View, right click on the device whose firmware you want to
upgrade by reloading its node profile (Figure 6.40).
Figure 6.40 Right-click menu on a WAN device with Reload highlighted
2. From the menu that appears, select Reload.

NEMS sends a command to the device to immediately reload its Node Profile, and
refreshes the display.
This causes all changes in the Node Profile, including new Firmware choices, to take
effect immediately.

Waiting for a Device’s Config Lease Time to Expire

When you know that a device has a defined Config Lease Time value that is not 0 (for example,
60 minutes), you can wait for the device to query for new profile settings (including new firmware
packages). When the Config Lease Time value is reached, the device will download and apply
new settings. This option is best if the new firmware choice doesn’t need to be applied
immediately, or at any particular time, as well as when using a scheduled software upgrade.
Note: If the Config Lease Time value is set to 0, the device will not automatically check for
new profile changes. If you plan to use this option, make sure that the Config Lease
Time value is set to something other than 0.
Profile changes (configurations) are automatically loaded every time a WAN device forms a new
link, and (optionally) when a change is made to a node profile or node maintenance entry. This
feature is most useful when, after changing a node profile or node maintenance entry, you decline
NEMS’ offer to reload all associated devices.
To set a device’s Config Lease Time Value:


Figure 6.42 WAN View: Node Profile screen
2. Scroll to the right until you see the Config Lease Time column (Figure 6.43).
Figure 6.43 Node Profile: Config Lease Time column
3. Double-click on a node profile line to open the Node Profile Attributes window.
4. Enter a new Config Lease Time value (Figure 6.44).
Figure 6.44 Entering a new Config Lease Time value
5. Click Save .


• To make the devices download and/or apply the new firmware, click Yes. This is espe-
cially important when the device previously had a Config Lease Time value of 0,
which means it wouldn’t check for node profile changes on its own.
Upgrading Firmware using the CLI

WAN Firmware upgrades are typically managed through NEMS, but you can also make use of
each device’s CLI as part of the process for devices in Manual Mode.
Note: Devices that are in manual mode are shown in NEMS with a Manual Mode icon next
to their device icon in the tree view.
Upgrade Procedure (Manual Mode)

This section describes the procedure for upgrading nodes that are configured in “manual”
provisioning mode. If you use “auto” mode, follow “Overview of the Firmware Upgrade Process”
on page 243 instead.
1. Use the ftpimage CLI command to download the new firmware into all devices’
backup partition (including Connectors). See “ftpimage Command Reference” on
page 333 for command details.
2. Verify the downloads were successful using the show version CLI command. Make
note of which partition the image is on, and make sure that you specify this partition in the
next step; see step 6 of “ftpimage Command Reference” on page 334 for details about the
show version command.
3. Once all devices have the new firmware as the backup image, use the set activeim-
age and reboot commands to initiate the switch to new firmware. See step 10 of
“ftpimage Command Reference” on page 335 for details on specifying which partition to
start from.
IMPORTANT: Some firmware releases may not be fully backward compatible. To
ensure a successful upgrade, reboots should occur in the proper sequence, starting from
the outer edge of the network and working back toward the Gateway. For example,
Connectors should be rebooted first, followed by Extenders and Extender Bridges, and
finally the Gateways. This ensures that no device is left stranded on an older release.
4. Monitor devices as they re-establish links.

5. If for any reason it is necessary to revert to the previous firmware release, use the show
version command to see if the load is listed as unbootable. If the load is unbootable,
repeat step 1.
6. Otherwise, return to step 3. Ensure that you follow the same “outside-in” procedure when
switching to an earlier firmware release.
Swapping Firmware Images

If you need to swap firmware images for a device type (for instance, as a method of upgrading
firmware), you can do so from the Node Profile window.
To Swap Device Firmware Images


2. Double-click on a profile open the attributes window (Figure 6.37).
Figure 6.47 Editable Node Profile entry
3. In the Software section, check to make sure that Backup Software shows the upgraded
firmware image.

4. Click Swap Software.

NEMS swaps the primary and backup software field contents (Figure 6.48).
Figure 6.48 Swapped primary and backup software contents
5. Click Save .
• To make the devices apply the new primary software, click Yes.

Trilliant Pre-Provisioning Large Numbers of Devices
Pre-Provisioning Large Numbers of Devices

If you are provisioning large numbers of WAN devices, you may want to pre-provision them in
Node Maintenance, rather than using device discovery to provision devices one-by-one. Pre-
provisioned nodes will show up in the WAN Mesh Backhaul View automatically with red icons.
When a pre-provisioned device is installed in the field and it contacts the provisioning server, it
will receive the device type settings specified in its device type’s Node Profile, as well as the
specific settings for that device defined in its Node Maintenance entry. Assuming there are no
errors or issues downloading this information, the device will automatically provision and its icon
will turn green in the WAN Mesh Backhaul View.
Pre-provisioning entails working in both node profile and node maintenance to set up devices in
advance. You need to set up:
• A node profile for every type of device you want to pre-provision. See “Creating Node
Profiles” on page 57 for instructions.
• A node maintenance entry for every actual device you want to pre-provision. See “Creat-
ing a Node Maintenance Entry” on page 265 for instructions.
Creating a Node Maintenance Entry

1. From the WAN Provisioning menu, select Node Maintenance (Figure 6.49).

Figure 6.49 WAN Provisioning menu with Node Maintenance highlighted
NEMS opens the Node Maintenance window (Figure 6.50).
2. Click Add .
NEMS opens a new Node Maintenance entry window (Figure 6.51).

Figure 6.51 New Node Maintenance entry window
3. In the MAC Address field, enter the new device’s MAC address.
Note: When entering the MAC address, do not enter any colons, For example, if the MAC
Address is listed as 00:0A:DB:xx:xx:xx, enter 000ADBxxxxxx.
The MAC address is printed on the asset tag on the bottom of the device.
Note: If you cannot read or do not have easy access to the asset tag, you can connect to the
device via the serial console, and determine the device’s MAC address via the “show
version” CLI command (see “Connecting Using the Serial Port” on page 283 for
more information).
4. From the Node Type drop-down list, select the appropriate node type.
5. From the Node Profile drop-down list, select the Node Profile to use.
6. Select the appropriate DHCP IP Assignment mode for this device:

• Fixed: The device will use specific IP address in the DHCP subnet range.
• Dynamic: The device will use any available IP address in the subnet range.
Note: This option is not available for Gateway devices. Gateway devices using DHCP must
use a fixed IP address.
• Non-DHCP: The device will not use DHCP, and instead will use a statically assigned
address configured through the CLI.
Note: To avoid IP conflicts, the statically assigned IP address should not be within the
dynamic range selected for the subnet (if any).
7. In the IP Address column, enter the IP address for the device (if you are using Dynamic
IP assignment, you can leave this field blank).
Note: When specifying an IP address, if you are using Dynamic IP assignment and if you
leave the IP address blank, NEMS will select an IP address from the defined dynamic
range. Otherwise, you must enter an IP address.
Note: Leave the Tunnel (inner) IP address empty unless your network is using VPN. Refer to
“Adding VPN to Your Network” on page 231 for instructions on how to provision VPN
inner IP tunnel addresses.
In the below example of a Gateway Node Maintenance entry, the Gateway’s IP address is:
10.18.71.100 (Figure 6.52).

Figure 6.52 A Gateway’s Node Maintenance entry
8. Click Save .
9. NEMS prompts you to configure the device’s Profile Attributes. Either select Yes to con-
figure profile attributes (such as Data Collection Intervals), or No to close the window.

Changing WAN Device SFTP Password

You can change WAN devices’ SFTP password in NEMS. The SFTP user account and password
are typically set up during NEMS installation
• For more information about how SSH and SFTP usernames appear in NEMS, see “Default
versus Custom SFTP User Name” on page 270.
• To change a single device’s SSH and/or SFTP password(s), see “Changing a single WAN
device’s username / password from Node Maintenance” on page 271.
• To change the SSH and/or SFTP password(s) for all devices that use a certain Node Pro-
file, see “Changing the WAN device username / passwords using a Node Profile” on
page 273.
• To change the SSH and/or SFTP password(s) back to the default (the credentials specified
during NEMS installation), see “Resetting the device passwords to default” on page 276.
Default versus Custom SFTP User Name

When you install NEMS, you have the option to accept the default username and password
combination for SFTP, or to specify a new combination.
If a device’s user name shows up as “Default” (see number 1 in Figure 6.53) in NEMS, then the
user name is the default suggested during installation. The default SFTP user name is
“trilliantsftp”.
If a device’s user name shows up as anything other than Default (see number 2 in Figure 6.53),
then the user name and password for was customized during installation. The user name is as
shown.
Figure 6.53 Default and custom device usernames
If you change the username and/or password in a Node Maintenance entry such that it no longer
matches what is defined in the device type’s Node Profile, the mismatched username and/or
password will display in bold blue text (see Figure 6.54).

Trilliant Changing WAN Device SFTP Password
Figure 6.54 Node Maintenance entry with customized usernames and passwords that do not match the Node
Profile
Changing a single WAN device’s username / password from Node

Maintenance
Note: If you decide to change the SFTP user name and password after installing NEMS, you
must create an account in Linux with that user name and password, or update the
password for any existing account; NEMS will not do it for you. Further, if you change
the password for an SFTP username in Linux, you must also change the password in
NEMS.
You can change a single WAN device’s username and/or password from its Node Maintenance
record, under the Device Management heading.
This procedure is to change the username and/or password only for this specific device. To
change them for all devices of this type, see “Changing the WAN device username / passwords
using a Node Profile” on page 273.

Figure 6.55 Connector device Node Maintenance window
To change a single device’s username / password

1. Open the Node Maintenance window.
2. Double-click an entry.
NEMS opens the device’s Node Maintenance window (Figure 6.57).

Figure 6.57 Connector’s Node Maintenance window
3. In the Device Management section, adjust either/both of the following, as necessary:

• SFTP User Name: This changes the SFTP username used. Enter the new username.
Ensure that an SFTP account with the new username (and associated password) exists
in Linux (NEMS will not do this for you).
• SFTP Password: This changes the SFTP password on the device. Enter the new pass-
word in both SFTP Password and Re-enter SFTP Password fields. Ensure that the
account to which this password belongs is also updated in Linux.
Note: If you change the username and/or password in a Node Maintenance entry such that it
no longer matches what is defined in the device type’s Node Profile, the mismatched
username and/or password will display in bold blue text.
4. Click Save .
Changing the WAN device username / passwords using a Node Profile

Note: If you decide to change the SFTP user name and password after installing NEMS, you
must create an account in Linux with that user name and password, or update the
password for any existing account; NEMS will not do it for you. Further, if you change
the password for an SFTP username in Linux, you must also change the password in
NEMS.
You can change the username and/or password for multiple WAN devices of the same class using
the Node Profile window, under the Device Management heading.

This procedure is for all devices using this Node Profile. To make change for a single WAN
device, see “Changing a single WAN device’s username / password from Node Maintenance” on
page 271.
Figure 6.58 Connector device Node Profile
To change a device class’ password(s)


2. Double-click an entry to open its details window (Figure 6.61).

Figure 6.61 Gateway’s Node Details window with the Provisioning > Node Maintenance > General tab shown
3. In the Device Management section, adjust either/both of the following, as necessary:

• SFTP User Name: This changes the SFTP username used. Enter the new username.
Ensure that an SFTP account with the new username (and associated password) exists
in Linux (NEMS will not do this for you).
• SFTP Password: This changes the SFTP password on the device. Enter the new pass-
word in both SFTP Password and Re-enter SFTP Password fields. Ensure that the
account to which this password belongs is also updated in Linux.
4. Click Save .
Resetting the device passwords to default

The default password matches the password set during NEMS installation. If you change the
password to something other than the default, you can return it to the default password.
To reset a device’s password(s)

1. Depending on if you are resetting the password for one device or all devices using a par-
ticular Node Profile, follow the instructions in either:
• “Changing a single WAN device’s username / password from Node Maintenance” on
page 271: Stop at step 2.
• “Changing the WAN device username / passwords using a Node Profile” on page 273:
Stop at step 3.
2. Clear the Password and Re-Enter Password fields.

3. Click Save .


7
The CLI and

Troubleshooting
This chapter covers how to access the Trilliant Command Line Interface, and troubleshooting
topics for any issues you may encounter with provisioning/discovering devices in NEMS:
• “Connecting to the Command Line Interface” on page 280
• “Troubleshooting with Basic CLI Commands” on page 286
• “Common Problems and Solutions” on page 304
• “Common Software Problems and Solutions” on page 304
• “Common Device Problems and Solutions” on page 308

Chapter 7 - The CLI and Troubleshooting Trilliant
Connecting to the Command Line Interface

The command-line interface is a text-based interactive application built into all Trilliant
SecureMesh WAN devices. It enables you to manually provision a device, monitor and manage a
device, and perform real-time logging.
There are multiple methods you can use to access a device’s CLI (Command Line Interface):
• Telnet or SSH to the device over Ethernet: Use an Ethernet cable to connect the com-
munications terminal, the power injector, and the device
• Telnet or SSH to the device over the wireless mesh: Use a system on the Gateway side
of the network to reach the device (only possible if the device is fully online)
• Connect to the device via RS-232 serial Console: Use an RJ45 Ethernet cable, with the
included RJ45-DB9 adapter, to connect the serial port on a computer to a Gateway,
Extender, or Extender Bridge’s console port
Note: For Ethernet access, Trilliant recommends that you use a separate machine as the
communications terminal on a specific IP subnet (192.168.0.6–192.168.0.254), which
will allow you to communicate with the device using a fixed IP address (192.168.0.2)
independent from any DHCP-assigned or configured IP address.
Note: For networks using VLAN, if the Management VLAN is on a different VLAN ID than the
Data VLAN, you cannot access the 192.168.0.2 address from the local Ethernet port.
Instead, you can access the CLI by starting a telnet or SSH session from a computer on
the same Management VLAN, over the wireless mesh, or by using the Serial interface.
Whichever method you use, the CLI commands are the same (though some commands are device-
specific). This section covers some common CLI commands and how you can use them to
monitor provisioning and operating activities.
Note: For a complete listing of all CLI commands, use the following commands: “help”
“show prov help” and “set prov help”.
Connecting Using the Ethernet Port

This method uses an Ethernet cable to connect the communications terminal, the power injector,
and the device. This section assumes you will use the device's default IP address for
communication, which allows you to use the same IP address for any device, independent from
any DHCP-assigned or configured IP address. However, the same procedure can be used to
connect to the DHCP-assigned or configured IP address, as long as your communications terminal
is on the correct subnet.

Trilliant Connecting to the Command Line Interface
Connecting using the Ethernet port:

1. The computer you are using as a terminal must have an assigned IP address in the range
from 192.168.0.6 to 192.168.0.254, with a subnet mask of 255.255.255.0.
Note: All devices except Gateways retain their default IP address of 192.168.0.2 for CLI-
purposes, even after being assigned a new IP address during provisioning. However,
once you provision a Gateway device, you must use its new IP address or the Serial
interface to connect to the CLI.
2. Connect the computer to the POE power injector using an Ethernet crossover cable for
Gateway or Extender devices, or an Ethernet straight-through (standard) cable for Con-
nector devices, and the device to the POE power injector using the Ethernet straight-
through (standard) cable, as shown in Figure 7.1. The crossover cable is required for Gate-
way and Extender devices as they are designed to attach to an Ethernet switch, rather than
connecting directly to a computer.
Note: If your computer has Gigabit Ethernet, you do not need to use a crossover cable, and
can instead use a regular Ethernet cable, as Gigabit Ethernet includes automatic MDI/
MDIX (auto-crossover) capability.
Note: If you are connecting to a SecureMesh Connector, you do not need to use a crossover
cable, and can instead use a regular Ethernet cable, as the SecureMesh Connector
includes automatic MDI/MDIX (auto-crossover) capability

Figure 7.1 Connecting using the Ethernet port
3. Start a Telnet or SSH session.

Note: How you accomplish this depends on the operating system of the machine you are using
as the communications terminal and the communications software available on that
machine. Most versions of Windows include a telnet client, which you can access via the
command prompt (for example, enter the command “telnet 192.168.0.2”.)
4. From the Telnet or SSH session, connect to the device’s IP address, for example, the per-
sistent default IP address of 192.168.0.2.
5. For SSH sessions only, you must complete SSH authentication. The default username is
trilliant and the default SSH password is secret.

6. At the login prompt, enter the device’s password and then press [ENTER]. The default
password is public.
The CLI is now ready for commands. See “Troubleshooting with Basic CLI Commands”
on page 286 for more information.
Connecting Using the Serial Port

This method uses an RJ45 Ethernet cable, with the included RJ45-DB9 adapter, to connect the
serial port on a computer to a Gateway, Extender, or Extender Bridge’s console port.
Note: Trilliant Connector devices do not have a serial console port. Use the Ethernet
connection method for those devices instead.
Connecting using the serial port:

1. Connect the computer to the device, as shown in Figure 7.2.

Figure 7.2 Connecting using the serial port
2. Start a communication session by selecting the COM port you used to physically connect
the computer to the device, using the following serial communication settings:
• 38400 bps
• 8 data bits
• no parity
• one stop bit
• no flow control

Note: How you accomplish this depends on the operating system of the machine you are using
as the communications terminal and the communications software available on that
machine.
3. Enter the device’s password and then press [ENTER]. The default password is public.
The CLI is now ready for commands. See “Troubleshooting with Basic CLI Commands”
on page 286 for more information.

Troubleshooting with Basic CLI Commands

In most cases provisioning devices doesn’t require you to use the CLI. However, the following
commands are most likely to help you resolve or refine the cause of any issues you may
encounter. They are organized by the stage at which they are likely to be most useful. For details
on all CLI commands, use the following commands: “help” “help show prov” and “help
set prov ”.
Note: For a complete listing of all CLI commands, use the following commands: “help”
“help show prov” and “help set prov”.
Configuring a Device
• Verifying Provisioning Mode: “show prov node” on page 287
• Verifying Provisioning Parameters:
• “show prov IP” on page 288
• “show freq” on page 289
• “show netkey” on page 290
• Basic Device Configuration:
• “set netkey” on page 290
• “set prov auto” on page 291
• “set prov IP” on page 291
• “set prov manual” on page 293
• Resetting a Device to Factory Defaults: “!!!trilliantfactory!!!” on page 294
Verifying Device Status
• “show link” on page 294
• “show link all” on page 295
• “show prov node” on page 295
• “show dhcp” on page 296
• “show gps” on page 297
Monitoring and Troubleshooting
• Monitoring link establishment and the device provisioning process:
• “show link all” on page 299
• “show prov node” on page 300
• “debug on” on page 300
• “set log link 2” on page 301
• “set log prov 2” on page 303
• Common problems and solutions

Trilliant Troubleshooting with Basic CLI Commands
• “Device will not come online, “show link” shows the link in 'auth fail' status” on
page 310
• “Device will not come online, “show link” shows the link in 'prov fail' status” on
page 310
• “Device rebooted unexpectedly” on page 312
Configuring a Device
There are a number of CLI commands that are useful during device configuration. The
configuration mode (auto or manual) and specific provisioning parameters determine how
provisioning will occur. You can also reset a device to its factory defaults in order to reset any
customizations that may have been made (though this isn’t necessary for new devices, as they are
already using factory defaults).
Verifying Provisioning Mode

The provisioning mode that a device is in will affect how the device provisions. For automatic
provisioning with the Trilliant NEMS, the device should be in auto mode (see “set prov auto” on
page 291).
Use show prov node to see what mode the device is currently in.
show prov node

This command shows a shorter subset of information of the show prov command.

Table 7.1 show prov node example (manual mode)

000ADB16E714> show prov node
Provisioning state : manual
Domain : 12
Power mode : Quarter power (-6db)
Radar detection : Disable
Preferred parent : 00:00:00:00:00:00
Preferred gateway : 00:00:00:00:00:00
Auto save : Disabled
Table 7.2 show prov node example (auto mode)

Provisioning state : auto
Domain : 10
Power mode : Low power
Verifying Provisioning Parameters

Double-checking a device’s provisioning parameters will often help you troubleshoot a
provisioning issue.
show prov IP
Use this command to display the default IP address of the device, as well as its DHCP state. This
command is useful for ensuring that DHCP is enabled on the device.
Note: To enable or disable DHCP, use the set prov ip (see page 291) command.
Expected Result:
For most networks, the DHCP state of a properly-functioning and provisionable/discoverable
device is Enabled (which is also the default state).
Because all devices except Gateways retain their default IP address, the most pertinent line in
Table 7.3 is the DHCP state. Enabled means that the device is able to receive an IP address from
NEMS.

Table 7.3 show prov IP example

000ADB16E714> show prov ip
DHCP State : Enabled
show freq
Use this command to see which frequency a device is currently using. If a device is taking longer
than you expect to provision, it could be because the device is still cycling through its available
frequencies and is looking for the proper provisioning frequency.
Expected Result:
In response to this command, the device will list the following frequency information:
• Current country code: the country code configured for this device. The configured coun-
try code restricts the available frequency regions.
• Flash frequency region setting: the frequency region it was originally programmed to
use. The frequency region defines the available frequencies, transmit power, and radar
detection mode.
• Current frequency region setting: the frequency region it has been assigned to use. In
most cases, this will match the flash frequency region setting.
• Current valid frequencies: the frequencies that are available within the current frequency
region
• Current frequency: the frequency that it is currently using
• Current allowed frequencies: the frequencies it is allowed to connect on, which is deter-
mined by CLI or NEMS configuration. The factory default is to allow all frequencies, but
once a device obtains configuration from NEMS, only the primary frequency is allowed
(unless the profile attributes have been edited to allow other frequencies).
• Dwell time (minutes): How long it will spend searching the primary frequency before
checking other frequencies for a connection
• Channel width: Channel width determines the amount of bandwidth that is used for oper-
ations. The channel width must match on all WAN devices in order for them to communi-
cate.

Table 7.4 show freq example

000ADB16E714> show freq
Current country code : US (USA)

Flash frequency region setting : FCC-HI - FCC High Band 5735-5760 42dBm EIRP
Current frequency region setting : FCC-HI - FCC High Band 5735-5760 42dBm EIRP
Current valid frequencies : 5735 5740 5745 5750 5755 5760
Current frequency : 5755
Current allowed frequencies : 5735 5740 5745 5750 5755 5760
Dwell time (minutes) : 1
Channel width : 20 MHz
show netkey
Use this command to see a device’s netkey code. Netkeys are a shared key used for mutual
authentication of devices. If your network uses netkeys, use this command to verify that the
netkey on your Gateway and other devices match. If the netkeys do not match, devices will not be
able to link. See “set netkey” on page 290 for details on how to set the netkey on a device.
Expected Result:
After submitting this command, the device will display the netkey code it is currently using. This
code should match the netkey code on the Gateway that the device is using to provision.
Table 7.5 show netkey example
000ADB1213E4> show netkey
43:17:30:9f:30:af
The factory default netkey for all SecureMesh WAN devices is “Trilliant Networks, Inc.” which
has a code of 43:17:30:9f:30:af. If a different key is displayed, the netkey has been
changed
Basic Device Configuration

Changing a device’s configuration may resolve an issue with device provisioning and/or
operation. The following are the most commonly used commands.
set netkey
Use this command to set a device’s netkey to a custom value. Netkeys are a shared key used for
mutual authentication of devices. The netkey should always be set to a non-default value for
production networks.
Expected Result:

After entering the command, the device will ask you to enter a new netkey, and again to confirm it
(Table 7.6). If the two entries match, the new netkey is saved. To see the new netkey code (not the
netkey itself), use the show netkey command (see “show netkey” on page 290).
Table 7.6 set netkey example
000ADB1213E4> set netkey
-> Enter network key: ********
-> Re-enter network key: ********
Successfully set network key.
set prov auto

If the device is in a manual provisioning mode, use set prov auto to change it to the
automatic provisioning mode.
Expected Result:
After entering the command, the CLI will respond that the device is now in auto mode, with
DHCP enabled.
Table 7.7 set prov auto example
000ADB1213E4> set prov auto
Changed provisioning state to auto. DHCP enabled.
set prov IP
This command allows granular control of a device’s IP-related provisioning parameters.
Expected Result:
After entering the command, the CLI will ask you to specify the device’s IP-related provisioning
parameters, beginning with whether or not to enable DHCP. How you answer determines
questions that follow.

Table 7.8 set prov IP example (disabling DHCP, auto mode)

000ADB1213E4> set prov ip
-> Use DHCP to obtain IP <y|n> [y]: n
DHCP disabled.
-> Enter IP address [192.168.168.10]:

IP address not changed: 192.168.168.10
-> Enter subnet mask [255.255.255.0]:

Subnet mask not changed: 255.255.255.0
-> Enter default gateway [192.168.168.2]:

Default gateway not changed: 192.168.168.2
-> Enter primary FTP server address [192.168.4.2]:

Primary server address not changed: 192.168.4.2
-> Enter secondary FTP server address [0.0.0.0]:

Secondary FTP server address not changed: 0.0.0.0
-> Enter primary Provisioning server address [192.168.4.2]:

Primary Provisioning server address not changed: 192.168.4.2
-> Enter secondary Provisioning server address [0.0.0.0]:

Secondary Provisioning server address not changed: 0.0.0.0
-> Enter VPN inner IP address [0.0.0.0]:

VPN inner IP address not changed: 0.0.0.0
-> Enter primary VPN server address [0.0.0.0]:

Primary VPN server address not changed: 0.0.0.0
-> Enter secondary VPN server address [0.0.0.0]:

Secondary VPN server address not changed: 0.0.0.0
Table 7.9 set prov IP example (disabling DHCP, manual mode)

-> Use DHCP to obtain IP <y|n> [n]: n
DHCP disabled.
-> Enter IP address [192.168.168.12]:


-> Enter VPN inner IP address [0.0.0.0]:

VPN inner IP address not changed: 0.0.0.0
-> Enter primary VPN server address [0.0.0.0]:

Primary VPN server address not changed: 0.0.0.0
-> Enter secondary VPN server address [0.0.0.0]:

Secondary VPN server address not changed: 0.0.0.0

Table 7.10 set prov IP example (enabling DHCP)

-> Use DHCP to obtain IP <y|n> [n]: y
DHCP enabled.
set prov manual

If you want to configure a device locally, rather than controlling configuration from the NEMS,
you can change the provisioning mode to manual. This will also prompt you to set the device’s
primary frequency, whether or not it should use DHCP, and set other IP-related parameters.
Note: Putting a device in manual provisioning mode will result in the device ignoring any
configuration you set through NEMS (though you can still use NEMS to monitor the
device). The device will ONLY use local “set prov xxxx” configuration settings.
Table 7.11 set prov manual example
000ADB1213E4> set prov manual
Changed provisioning state to manual.
-> Enter primary frequency [5735]:
-> Use DHCP to obtain IP <y|n> [n]:

DHCP state not changed.
-> Enter IP address [192.168.168.10]:



Resetting a device to factory defaults

You can also reset a device to its factory defaults in order to reset any customizations that have
been made (though this isn't necessary for new devices, as they are already using factory
defaults).
Note: Resetting a device to factory defaults does not downgrade firmware.
Note: Resetting a device to the factory default will clear all settings, including the netkey. If
you are using a custom netkey, you will have to set it again. See “set netkey” on
page 290.
Note: For Connector devices, you can reset to factory defaults by pressing the Reset button on
the device.

!!!trilliantfactory!!!
Use this command to reset the device to its factory settings.
Note: If the firmware on the device has already been updated to a newer version, resetting the
device to factory settings will NOT downgrade the firmware.
Expected Result:
At the device’s password prompt, rather than entering the password, enter
!!!trilliantfactory!!! and press [ENTER]. The device will respond asking if you
want to proceed with resetting the device. Press Y and then [ENTER] (Table 7.12). The device
will then reset and restart.
Table 7.12 !!!trilliantfactory!!! example
Welcome to Trilliant, Inc.
Copyright (C) 2010 Trilliant, Inc. All Rights Reserved.
Password: !!!trilliantfactory!!!
-> Resetting to factory defaults. Proceed? yes, no <y | n>: y
Note: This example shows the command, but the CLI obscures all entries into the password
field, and will show on the screen as **********************.
Verifying Device Status

The following commands are useful for determining a device’s current status.
show link
Use this command to see what links, if any, a device has formed during the link establishment
process.
Expected Result:
The three most pertinent results of this command are the MAC address and Node Type of the
node(s) to which the device is linked, and the type of link (state) that has been formed. In Table
7.13, the Extender Bridge is linked to a SecureMesh Gateway, and has currently formed a pre-
authorization link. This means that provisioning is in progress (or is being attempted). The signal
strength, modulation rate, and antenna combination are also shown.

Table 7.13 show link example

000ADB16E714> show link
MAC Address NType State LRSSI RRSSI LTxMod RTxMod LAnt RAnt
----------------- -------- -------- -------- -------- -------- -------- -------- --------
00:0a:db:12:13:e4 smgw pre-auth 51 0 54 54 1 1
show link all

Use this command to reveal inactive links, which are devices that have been heard but for which
there is no active or standby link. Inactive links are hidden to improve readability in the standard
“show link” output.
Expected Result:
This will show the same information as the show link command, but with the addition of
inactive devices.
Table 7.14 show link all example
000ADB16E4B3> show link all
----------------- -------- -------- -------- -------- -------- -------- -------- --------
00:0a:db:da:01:03 gw inactive 62 56 6 54 0 0
show prov node



Domain : 12

Domain : 10
show dhcp
Use this command to display the device’s current DHCP settings. This command is useful for
monitoring provisioning progress.
Expected Result:
A device that has DHCP enabled, but not yet assigned by NEMS will show a result of “No DHCP
lease options” similar to Table 7.17.
Table 7.17 show dhcp example (dhcp enabled but not assigned)
000ADB16E714> show dhcp
No DHCP lease options
A device that has DHCP enabled and assigned will show a result similar to Table 7.18.
Table 7.18 show dhcp example (dhcp enabled and assigned)
000ADB16E714> show dhcp
IP address : 172.16.1.6
Subnet mask : 255.255.255.0
Default gateway : 172.16.1.1
Lease duration : 172800 seconds
Lease rebinding : 64800 sec
Lease remaining : 86386 sec
DHCP server : 172.16.1.1
FTP server : 172.16.1.1, 0.0.0.0
HTTP server : 172.16.1.1, 0.0.0.0
Hostname :
Note: To verify that DHCP is enabled, use the show prov ip command (see page 288).

show gps
Use this command to verify that GPS is enabled and locked on a Gateway. If a Gateway cannot
obtain a GPS lock, it will not be able to provision, or form any wireless links. By default,
Extender and Extender Bridge devices also require a GPS lock in order to form wireless links.
Note: If you are in an environment where the device cannot get a GPS signal, see “Device
GPS Bypass” on page 321.
Expected Result:
The Gateway should show that GPS is both enabled and locked.
Table 7.19 show gps example
000ADB16E714> show gps
GPS timing is enabled. Node will use GPS module for timing
Active GPS : Copernicus (38400 bps)

Latitude : 37.536707 degrees
Longitude : -122.256021
Altitude : -10.795897
Hardware GPS Satellite Signal to Noise

---------------------------------------
Is GPS locked: Yes
Number of Satellites: 12
show psu
Use this command to verify the status of an Extender or Extender Bridge’s PSU.
Note: Not all Extender or Extender Bridge devices include a PSU.
Expected Result:
The PSU, if present, should show that the PSU’s ID, serial number, MAC address, battery status,
firmware information, and build information.

Table 7.20 show psu example

ExtBRPSU> show psu
PSU Information
---------------
Last acquisition time: THU APR 09 12:47:28 2015
Unique ID: 36570343314E3931D80534FF
Serial Number: NDFC0000278
MAC Address: 00:14:77:07:a2:36
Battery Status: charging
Firmware Information
model: PSU-1024-Generic
version: 1.2.3.13297
Build type
type: release
trace: none
CCS: standard/-/auto test
control options: 27V
show collector
Use this command to verify the status of a Collector device.
Expected Result:
The Collector should show its serial number, MAC address, image version, last response time,
whether or not a PSU is present, and other information.

Table 7.21 show collector example

000ADB16E714> show collector
Collector Information
---------------
Serial no. : NDHA0001501
Ethernet MAC Address : 00:14:77:16:E9:3D
Image Version : 4.251
Last heartbeat response : 21 seconds ago
Rebooted by watchdog : 0 times
Device uptime : 0 days, 3 hours, 51 minutes, 36 seconds
Last reboot reason : Firmware Upgrade Reboot
DHCP state : DHCP
IP Address : 192.1687.150
Inner IP Address : 0.0.0.0
Netmask : 255.255.255.0
Default Gateway : 192.168.7.6
VPN Server Primary : 0.0.0.0
VPN Server Secondary : 0.0.0.0
Lease Duration Remaining : 1 days, 20 hours, 9 minutes
VPN State : Disabled
PSU Information
---------------
PSU is not present.
Monitoring link establishment and the device provisioning process

If a device is having issues with link establishment or the provisioning process, these commands
can help you narrow down the problem.
show link all

Use this command to reveal what links, if any, a device has formed during the provisioning
process. This command also reveals inactive links, which are devices that have been heard but for
which there is no active or standby link.
Expected Result:
The three most pertinent results of this command are the MAC address and Node Type of the
node(s) to which the device is linked, and the type of link (state) that has been formed. In Table
7.22, the device is linked to a SecureMesh Gateway, and has currently formed a pre-authorization
link, which means that provisioning has started through that link. There is also an inactive link to
an Extender Bridge listed.

Table 7.22 show link all example

000ADB16E4B3> show link all
----------------- -------- -------- -------- -------- -------- -------- -------- --------
00:0a:db:12:13:e4 smgw pre-auth 51 0 54 54 1 1
00:0a:db:da:01:03 extbr inactive 62 56 6 54 0 0
show prov node

Domain : 12

Domain : 10
debug on
This command enables debug logging on the device, and will help you gather information to aid
in troubleshooting issues or behavior. When connected to the CLI via telnet or SSH, you must set
“debug on” in order to see any debug logging using the commands below. When connected to
the CLI via serial, debug mode is always enabled.

Table 7.25 debug on example

000ADB16E714> debug on
Debug logging enabled.
set log link 2

This command sets the logging of links to level 2, which means that the CLI will show messages
as wireless links are discovered and activated.

Table 7.26 set log link 2 example

000ADB16E714> set log link 2
Log level changed: link at 2
Table 7.27 example failed link output (due to failed provisioning)

0x119ec8 (spLinkMgr): TS: 00:00:08:14
0x119ec8 (spLinkMgr): spLinkMgr.c:9315 (SP_LINK_COMPONENT_ID#2) createLink ..da:01:03, type 1
0x119ec8 (spLinkMgr): TS: 00:00:08:47
0x119ec8 (spLinkMgr): spLinkMgr.c:7777 (SP_LINK_COMPONENT_ID#2) State change for peer =
..da:01:03
old state = LINK_INACTIVE, new state = LINK_HELLO_CHILD
0x119ec8 (spLinkMgr): TS: 00:00:08:47
0x119ec8 (spLinkMgr): spLinkMgr.c:6966 (SP_LINK_COMPONENT_ID#2)
link changed to unoptimized state while not in discovery!
0x119ec8 (spLinkMgr): TS: 00:00:08:47
..da:01:03
old state = LINK_HELLO_CHILD, new state = LINK_UNOPTIMIZED
0x119ec8 (spLinkMgr): TS: 00:00:09:16
..da:01:03
old state = LINK_UNOPTIMIZED, new state = LINK_PREAUTH
0x732320 (spProvisionAgent): TS: 00:00:09:28
0x732320 (spProvisionAgent): spHttpSocketConn.cpp:377 (SP_PROVISION_AGENT_COMPONENT_ID#2)
TCP-IP socket connection to (0xc0a8a8b6) failed.
0x732320 (spProvisionAgent): spProvisionAgent.cpp:4491 (SP_PROVISION_AGENT_COMPONENT_ID#1)
Fail to load config file. Sleeping for 4 secs...
Failed to handle init prov message.
0x732320 (spProvisionAgent): spLinkMgr.c:18067 (SP_LINK_COMPONENT_ID#2)
Result = 0x2, DomainId = 0, freqlist = NULL
0x732320 (spProvisionAgent): spLinkMgr.c:7777 (SP_LINK_COMPONENT_ID#2) State change for peer
= ..da:01:03
old state = LINK_PREAUTH, new state = LINK_PROV_FAILED

set log prov 2

This commands sets the logging of provisioning messages to level 2, which means that the CLI
will show messages as provisioning occurs.
Table 7.28 set log prov 2 example
000ADB16E714> set log prov 2
Log level changed: prov at 2
Table 7.29 example successful provisioning output

000ADBDA0103> 0x733328 (spProvisionAgent): TS: 00:00:02:22
0x733328 (spProvisionAgent): spLinkMgr.c:19686 (SP_LINK_COMPONENT_ID#2) Invalid
power level specified (0), setting to default.
0x733328 (spProvisionAgent): spProvisionAgent.cpp:4834
(SP_PROVISION_AGENT_COMPONENT_ID#2) Finish checking software versions.
0x733328 (spProvisionAgent): spProvisionAgent.cpp:8650
(SP_PROVISION_AGENT_COMPONENT_ID#2) reload region = 1, flash region = 1
0x1176f8 (spLinkMgr): TS: 00:00:02:22
0x1176f8 (spLinkMgr): spLinkMgr.c:4710 (SP_LINK_COMPONENT_ID#2)
Delete existing links due to DomainID change!!!!
0x5d8e8 (spSystem): TS: 15825:11:24:59
0x5d8e8 (spSystem): spProvisionAgent.cpp:10910 (SP_PROVISION_AGENT_COMPONENT_ID#2)
Clock set successful.

Common Problems and Solutions

There are a few common problems that you may encounter when attempting to access the NEMS
(“Common Software Problems and Solutions” on page 304) or provision a device (“Common
Device Problems and Solutions” on page 308). This section covers those issues and how to
resolve them.
Common Software Problems and Solutions

The two most common reasons you may have trouble accessing the NEMS are:
• One or more NEMS service is stopped. See “Starting and Stopping NEMS services” on
page 304.
• The firewall is enabled. See “Cannot access the NEMS” on page 306.
Starting and Stopping NEMS services

If you cannot access the NEMS, it could be because a NEMS service is stopped. Check to see if
any services are stopped (Step 1), determine why they are stopped (Step 2), then restart them as
necessary (Step 6).
To start and stop NEMS services:

1. Check to make sure NEMS services are running. In a terminal window on the server, as
the root user, enter the following command: trilliant_check.

Trilliant Common Problems and Solutions
Table 7.30 All services running example

[root@softnems ~]# trilliant_check
Trilliant NEMS server [ Processes status ]
vsftpd (pid 3515) is running...

dhcpd (pid 4268) is running...
nems server (java, PID 3691 ) is running
MySQL (pid 3552) is running
Table 7.31 Some services stopped example

[root@softnems ~]# trilliant_check
Trilliant NEMS server [ Processes status ]
vsftpd (pid 3515) is running...

dhcpd is stopped
nems server (java) is stopped
MySQL (pid 3552) is running
2. If any of the services are not running (see Table 7.30), enter the following commands:
• cd /var/log/trilliant
• cat service.log
If your results are similar to Table 7.31, your server’s MAC address may not match the
address in the license files.
Table 7.32 Incorrect license example
[root@softnems ~]# cd /var/log/trilliant/
[root@softnems trilliant]# cat service.log
License Verification Started
Invalid Licensing Information
NEMS Server Shutting down...
3. Obtain the correct MAC address by entering the ifconfig command (Table 7.32). Send
the listed HWaddr to Trilliant Support to obtain updated license files.

Table 7.33 ifconfig example

[root@softnems trilliant]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:72:53:A1

inet addr:172.17.100.236 Bcast:172.17.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe72:53a1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1414122 errors:0 dropped:0 overruns:0 frame:0
TX packets:201249 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:469777294 (448.0 MiB) TX bytes:17382005 (16.5 MiB)
lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:69402 errors:0 dropped:0 overruns:0 frame:0
TX packets:69402 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:49033627 (46.7 MiB) TX bytes:49033627 (46.7 MiB)
4. When you get the updated license files, transfer the license files to the server’s /root
directory.
5. In a terminal window from the /root directory, enter the following commands:
Table 7.34 Copy updated license files
[root@softnems ~]# cp License.dat /opt/product/TrilliantNetworks/NEMS/server/ems/conf/License.dat
6. Restart the services by entering the following command: trilliant_start nems.

7. Wait 30 seconds for NEMS to start.
8. Verify the server status by entering the following command: trilliant_check.
You should now be able to access your NEMS in a web browser.
Cannot access the NEMS

Another common reason you may not be able to access the NEMS is if the firewall is enabled, but
is not configured with the appropriate rules to allow access.
To check firewall status:

1. Check to make sure that the server firewall is disabled by entering service iptables
status in a terminal window on the server:

Table 7.35 Firewall is disabled example 1

[root@softnems ~]# service iptables status
Firewall is stopped.
Table 7.36 Firewall is disabled example 2

Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCPET)

Chain OUTPUT (policy ACCEPT)
Table 7.37 Firewall is enabled example

Table: filter
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED, ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
state NEW tcp multiport dports 5901:5903,
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 6001:6003
7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCPET)

1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)

2. If the result is like Table 7.35, try checking to see if any NEMS services are stopped
(“Starting and Stopping NEMS services” on page 304). Otherwise, disable the firewall by
entering the following command: service iptables stop
Table 7.38 Disabling the firewall example
[root@softnems ~]# service iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]

Firewall is stopped.
Note: The command “service iptables stop” will only temporarily shut off the
firewall (it will return after a reboot). If you wish to permanently disable the firewall,
use the command “chkconfig iptables off”.

Common Device Problems and Solutions

There are several common problems related to NEMS and devices:
• A device is in the wrong provisioning mode
• A device has previously been provisioned/configured, and needs to be reset to factory
defaults
• A device has the wrong netkey and can’t connect to a Gateway
• A device can’t provision
• A device isn’t coming online
• A device is rebooting unexpectedly
One of the most common problems occurs when you try to reuse a device that has been previously
configured for use. In such a case, the device may be in a different provisioning mode (See
“Verifying Provisioning Mode” on page 308), or using a different netkey, and need to be reset to
factory defaults (See “Resetting a device to factory defaults” on page 309).
Note: If the firmware on a device has already been updated to a newer version, resetting the
Verifying Provisioning Mode

The provisioning mode that a device is in will affect how the device provisions. For automatic
provisioning with the Trilliant NEMS, the device should be in auto mode (see “set prov auto” on
page 291).
Use show prov node to see what mode the device is currently in.
show prov node



Domain : 12

Domain : 10
Resetting a device to factory defaults

defaults).
Note: Resetting a device to the factory default will clear all settings, including the netkey. If
you are using a custom netkey, you will have to set it again. See “set netkey” on
page 290.
the device.
!!!trilliantfactory!!!
Use this command to reset the device to its factory settings.
Note: If the firmware on the device has already been updated to a newer version, resetting the
Expected Result:
At the device’s password prompt, rather than entering the password, enter
!!!trilliantfactory!!! and press [ENTER]. The device will respond asking if you
want to proceed with resetting the device. Press Y and then [ENTER] (Table 7.41). The device
will then reset and restart.

Table 7.41 !!!trilliantfactory!!! example

Welcome to Trilliant, Inc.
Copyright (C) 2010 Trilliant, Inc. All Rights Reserved.
Password: !!!trilliantfactory!!!
-> Resetting to factory defaults. Proceed? yes, no <y | n>: y
Note: This example shows the command, but the CLI obscures all entries into the password
field, and will show on the screen as **********************.
defaults).
Note: Resetting a device to the factory default will clear the netkey. If you are using a custom
netkey, you will have to set it again. See “set netkey” on page 290.
the device.
Device will not come online, “show link” shows the link in 'auth fail' status
This status means that device authorization has failed, typically because the netkeys on the
devices don’t match. A netkey is a shared secret that all devices must share in order to securely
connect, provision, and communicate. All Trilliant SecureMesh WAN devices come with a
default netkey already programmed (see below); if you do not change to a custom netkey, all new
devices will still be able to successfully use the default netkey. However, if you are using a device
that has had its netkey changed, or is not new, try resetting it to the default netkey:
Default Trilliant netkey: Trilliant Networks, Inc.
Default Trilliant netkey code: 43:17:30:9f:30:af
Note: The netkey is case sensitive and must include spaces and punctuation as shown.
• Use the CLI command show netkey (see “show netkey” on page 290) to verify that the
netkeys of the failing device and the Gateway match.
• Use the CLI command set netkey (see “set netkey” on page 290) to change the netkey
on a device.
Device will not come online, “show link” shows the link in 'prov fail' status
Device provisioning has failed. This indicates the device has either failed to obtain an IP address
with DHCP, or failed to successfully obtain a configuration file from the NEMS. Try the
following to determine the cause of the prov fail status:

To determine the cause of prov fail status:

1. Enable logging (see “debug on” on page 300, “set log link 2” on page 301, and “set log
prov 2” on page 303) and look for specific failure messages:
• DHCP fails due to no DHCP response:
Fail DHCP negotiation. Retrying...
Fail DHCP negotiation. Retrying...
• DHCP failure due to incorrect/missing information:

Missing TFTP server option from IP 192.168.168.2.
Missing TFTP server option from IP 192.168.168.2.
• Provisioning failure due to inaccessible NEMS or device not entered into

node maintenance
or
• Once you determine the source of the failure, you can fix the issue.
2. Verify DHCP configuration as described in “Configuring DHCP” on page 37.
3. Inspect the device’s node maintenance entry. From the NEMS WAN View, click Provi-
sioning > Node Maintenance. Confirm the following:
• the device’s MAC address is correct
• the device is using the correct node profile
• the DHCP IP Assignment is set to Dynamic
4. Verify that the device’s node profile is correctly configured:
• For Extender Bridges, see “Creating an Extender Bridge Profile” on page 57
• For Connectors, see “Creating a Connector Profile” on page 59

5. If you do not see any log output after enabling set log prov 2, enter the command
show logevents search with the keyword “prov”.
Device will not come online, “show link” shows nothing.

If a device will not come online, and the show link command shows no results:
• use the show freq command to verify the device’s frequency configuration: “show
freq” on page 289
• Verify that the Gateway is online (“Gateway Troubleshooting” on page 55) and has no
issues preventing the device from provisioning through it.
Device rebooted unexpectedly

If a device rebooted unexpectedly, use the show reboot command to display the log of why
the device most recently rebooted.
show reboot
Use the show reboot command to determine why a device most recently rebooted.
Expected Result:
After entering this command, the CLI will display the reason and how long the device was “up”
before rebooting.
Table 7.42 show reboot example
000ADBDA0103> show reboot
Reboot reason: CLI Reboot
Previous Up Time: 1 day 20:15:11
show uptime
Use the show uptime command to determine how long a device has been running since its last
reboot.
Expected Result:
After entering this command, the CLI will display how long the device has been “up” since
rebooting.

Table 7.43 show uptime example

000ADBDA0103> show uptime
18 days 20:47:30


A
Optional Settings
This appendix covers optional settings and parameters for setting up a network using NEMS:
• “Changing the Frequency Region and Country Code” on page 316
• “Changing the Channel Width” on page 318
• “Device GPS Bypass” on page 321
• “Configuring a Custom Netkey” on page 323
• “Advanced Firewall Settings” on page 324
• “Advanced GPS Settings” on page 327
• “ftpimage Command Reference” on page 333

Chapter A - Trilliant
Changing the Frequency Region and Country Code

To configure the country code, first gain access to the CLI following the instructions in section
“Connecting to the Command Line Interface” on page 280. Then use the set prov freq
command using option c (see Table A.1) to set your country code. Reboot the device once
finished.
This procedure is required for international (non-US) devices and optional for US devices.
Note: The list of available countries will vary by location. See the document DP-1309
SecureMesh WAN Frequency Region Selection for more information.
1. Gain access to the CLI following the instructions in “Connecting to the Command Line
Interface” on page 280.
2. Use the set prov freq command (Table A.1).
3. Reboot the device to activate the new configuration.
Table A.1 set prov freq example
Password: ******
Login successful
Country code required - Use ‘set prov freq’ to configure> set prov freq
21 available frequencies are the following:

5735 5740 5745 5750 5755 5760 5765 5770 5775
5780 5785 5790 5795 5800 5805 5810 5815 5820
5825 5830 5835
-> Select a Frequency action: quit, allow, country code, deny, list, primary,
region <q|a|c|d|l|p|r>: c
Available country codes:

ANGUILA : AI
ARGENTINA : AR
DOMINICA : DM
DOMINICAN REPUBLIC : DO
GRENADA : GD
JAMAICA : JM
ST KITTS AND NEVIS : KN
CAYMEN ISLANDS : KY
ST LUCIA : LC
MONTSERRAT : MS
MEXICO : MX
MALAYSIA : MY
NICARAGUA : NI
PANAMA : PA
ST VINCENT AND THE GRENADINES : VC
VIETNAM : VN
-> Enter two-letter country code [??]: JM

1) ISM27-HI - ISM27 High Band 5735-5815 36dBm EIRP
2) ISM-LOWMID - ISM Lower Mid Band 5260-5320 30dBm EIRP
-> Enter a number for the frequency region or press Enter to quit: 2
continued on next page...

Trilliant Changing the Frequency Region and Country Code
Table A.2 set prov freq example (continued)

The previous primary frequency (0) is not valid for this region.
13 available frequencies are the following:
5260 5265 5270 5275 5280 5285 5290 5295 5300 5305
5310 5315 5320
-> Please enter a new primary frequency or press ENTER to quit: 5260
Please make sure to reboot for the new frequency region settings to take effect.
-> Select a Frequency action: quit, allow, country code, deny, list, primary,
region <q|a|c|d|l|p|r>: q
Country code required - Use ‘set prof freq’ to configure> reboot

Rebooting...

Changing the Channel Width

The Channel Width value must match on all WAN devices, otherwise they will not be able to link
to each other. This value can be set in the CLI of each device (“Changing Channel Width through
the CLI” on page 318), or in the NEMS interface (“Changing Channel Width through NEMS” on
page 319).
Channel Width determines the amount of bandwidth that is used for radio communications. The
10Mhz channel width also reduces available throughput, and increases latency, compared to the
20Mhz channel width.
When changing the channel width of a device, be aware that this change will cause the device to
reboot to switch to the new setting. Once changed, the device will no longer be able to form links
with devices using the previous channel width. Therefore, it is critical that all devices are
changed concurrently, and in a manner that does not cut off access to other devices. For this
reason, Trilliant recommends that you do not use the automatic reload option to apply this
configuration change. Instead, reconfigure all appropriate Node Profiles without issuing reloads,
and then manually reload each device (using either the CLI or the WAN Tree view), starting from
the leaf nodes (Connectors) and working back toward the Gateway (so that the Gateway is the last
device changed). If devices are loaded out-of-order, this may leave one or more devices unable to
connect to the WAN, and require a site visit to reconfigure the device using local Serial or
Ethernet access.
Changing Channel Width through the CLI

To configure the Channel Width value through the CLI, first gain access to the CLI following the
instructions in section “Connecting to the Command Line Interface” on page 280. Then use the
set prov chanwidth command to set your channel width value.
2. Use the set prov chanwidth command (Table A.3).
3. Reboot the device.
Table A.3 show prov chanwidth example
000ADB010101> show prov chanwidth
Table A.4 set prov chanwidth example

000ADB010101> set prov chanwidth
-> Enter channel width <10/20>: 10

Trilliant Changing the Channel Width
Changing Channel Width through NEMS

In NEMS, you configure the Channel Width value through Node Profiles.
1. From the WAN Provisioning menu, select Node Profile.
NEMS opens the Node Profile window.
Figure A.1 Node Profile window
2. Double-click to open the appropriate Node Profile.

3. In the Frequency section, from the Channel Width drop-down, select the appropriate
value:
• Full (20 MHz)
• Half (10 MHz)
Figure A.2 Node Profile details window, Frequency section
4. Click Save .
NEMS displays a warning that saving your changes will cause the devices to reboot in
order to apply the new value(s).
Figure A.3 Save change warning

5. Click Save to proceed with the changes and reboots.

Trilliant Device GPS Bypass
Device GPS Bypass

where they will have an unobstructed view of the sky. Extender device types also support derived-
timing mode, which allows them to operate without a GPS signal. Connector devices always
utilized derived-timing mode and do not include a GPS receiver.
To enable derived timing mode:
2. Use the set prov gps command using option t to enable derived timing operation
(Table A.5).
3. Reboot the device.
Table A.5 set prov gps example (non-gateway)
000ADB010101> set prov gps
-> Select user GPS action: quit, coordinates, timing, auto-gps <q|c|t|a>: t
GPS timing is enabled. Node is using GPS Timing.
-> Select GPS timing action: quit, enable, disable <q|e|d>: d
GPS timing is disabled. Node will use Derived Timing (GPS-less mode).
You must reboot for this change to take effect.
-> Select GPS timing action: quit, enable, disable <q|e|d>: q
-> Select user GPS action: quit, coordinates, timing, auto-gps <q|c|t|a>: q
000ADB010101>
For configuration and indoor demo purposes, Gateway devices can also be configured for
operation without a GPS signal (see Table A.6).
Note: However, network performance and latency may be negatively impacted. For best
performance, Trilliant recommends that Gateway devices should always use GPS
timing.
Table A.6 set prov gps example (gateway)
000ADB010102> set prov gps
-> Select user GPS action: quit, coordinates, timing, auto-gps <q|c|t|a>: t
GPS timing is enabled. Node is using GPS Timing.
-> Select GPS timing action: quit, enable, disable <q|e|d>: d
continued on next page...

Table A.7 set prov gps example (gateway) (continued)

WARNING!! This node is a Gateway. For proper network operation, the Gateway must
operate in GPS timing mode. This setting should be used for testing purposes only.
-> Do you want to continue? <y|n> [n]: y
GPS timing is disabled. Node will use Derived Timing (GPS-less mode).
You must reboot for this change to take effect.
-> Select GPS timing action: quit, enable, disable <q|e|d>: q
-> Select user GPS action: quit, coordinates, timing, auto-gps <q|c|t|a>: q
000ADB010102>

Trilliant Configuring a Custom Netkey
Configuring a Custom Netkey

A netkey is a shared secret that all devices must share in order to securely connect, provision, and
communicate. All Trilliant SecureMesh WAN devices come with a default netkey already
programmed into them (see below); if you do not change to a custom netkey, all new devices will
still be able to successfully use the default netkey.
If you change the netkey on a Gateway, other devices will not be able to link to and provision
from that Gateway unless they share the Gateway’s netkey.
Default Trilliant netkey: Trilliant Networks, Inc.
Default Trilliant netkey code: 43:17:30:9f:30:af
Note: The netkey is case sensitive and must include spaces and punctuation as shown.
• Use the CLI command show netkey (see “show netkey” on page 290) to verify that the
netkeys of the failing device and the Gateway match.
• Use the CLI command set netkey (see “set netkey” on page 290) to change the netkey
on a device.

Advanced Firewall Settings

While Trilliant recommends disabling the OS firewall entirely, if you are required to use a
firewall, the below settings will enable NEMS to operate.
Note: These instructions apply to CentOS 5.9. The instructions for accessing firewall settings
in the OS you are using may differ.
To apply advanced firewall settings to CentOS:

1. From the CentOS desktop, click System > Administration > Security Level & Firewall.
CentOS opens the Security Level Configuration window (Figure A.4).
Figure A.4 CentOS Security Level Configuration window
2. For Firewall, select Enabled.

3. In the Trusted Sources window, click the following items:
• FTP
• SSH (optional but recommended for management)
• Secure WWW (HTTPS) (if installing NEMS with https) or WWW (HTTP) (if
installing NEMS without https)

Trilliant Advanced Firewall Settings
4. Next to the Other Ports window, click Add.

CentOS opens the Add Port window (Figure A.5).
Figure A.5 Add Port window - TCP setting
5. In Port(s), enter 8000. This setting allows devices to obtain configuration files.
6. In Protocol, select tcp.
7. Click OK.
8. Next to the Other Ports window, click Add.
CentOS opens the Add Port window (Figure A.6).
Figure A.6 Add Port window - UDP setting
9. In Port(s), enter 162. This setting allows SNMP traps.

10. In Protocol, select udp.
11. Click OK.
12. In the Security Level Configuration window, click OK.

Ports and Protocols for External Firewall Devices

The following table provides port and protocol information that will allow you to configure
external firewall devices appropriately to work with NEMS.
Table A.8 Ports and Protocols for External Firewall Devices
Transport Source Host Destination UDP Traffic
Port Number Protocol Name Host Name Flow Purpose
21 TCP WAN NEMS bidirectional FTP firmware upgrades,
control connection
22 TCP Network/NOC NEMS bidirectional SSH for server shell
access
22 TCP Network/NOC WAN bidirectional SSH for device CLI
access
23 TCP Network/NOC WAN bidirectional Telnet for device CLI
access
67, 68 UDP WAN NEMS bidirectional DCHP
80 TCP Network/NOC NEMS bidirectional HTTP for NEMS UI
access
123 UDP WAN NTP Server bidirectional NTP time sync
161 UDP NEMS WAN bidirectional SNMP polling
162 UDP WAN NEMS unidirectional SNMP traps
443 TCP Network/NOC NEMS bidirectional HTTPS for NEMS UI
access
8000 TCP WAN NEMS bidirectional HTTP for device configu-
ration
dynamic TCP WAN NEMS bidirectional FTP firmware upgrades,
data connection
ping ICMP NEMS WAN bidirectional PING

Trilliant Advanced GPS Settings
Advanced GPS Settings

Gateways and extender bridges have GPS functionality built into them, and unless they are
prevented from acquiring GPS coordinates (due to location or having GPS disabled), will acquire
GPS location data without manual intervention.
WAN Connectors, NAN Collectors, and other NAN devices do not include a GPS receiver, but
may be configured with location coordinates through a CVS import process or individually
through the Device Details screen or Node Maintenance entry. Supplying coordinates for these
devices will enable correct positioning within the Map View useful for mapping events like power
outages, troubleshooting network performance, and so on.
Figure A.7 Sample Map View of devices showing location and RSSI strength between nodes
In Figure A.7, the Map View shows how a variety of devices (B, C, D, and E) connect to the
Collector (A). The green lines show that the links between each of these devices is of good
quality, and also demonstrate how many hops a device has between itself and the Collector.
Devices C and E each have two hops to get back to the Collector (A), while devices D and B have
only one hop.
Without GPS coordinates for the Collector and other devices, the above Map View would not be
possible.

Importing GPS data

GPS Data Import is most suited for updating GPS coordinates for many devices at once. If you
need to update a single or small number of devices, use “Manually setting GPS data” on page 329
instead.
Note: Using the import feature to edit the GPS data for a device changes its GPS mode to
Manual. A device in manual GPS mode will no longer automatically change its GPS
data based on new information received from associated devices or from internal GPS
reception.
All GPS data import files must:
be saved in comma-delimited CSV format
•
• contain either WAN devices or NAN devices (not both)
• contain the following columns (headers are shown here for illustration only):
Table A.9 GPS data import file format for a NAN end-point
Node ID or Street
MAC address Latitude Longitude Elevation Address City State Country Zipcode
NDKC0006529 43.83072 -79.48267 0 20 Floral Concord ON CA L4K 4R 1
Parkway
When creating an import file for WAN devices, use MAC Addresses. For NAN devices,
use Node IDs.
1. From the Tools menu, select GPS Data Import.
Figure A.8 Tools menu with GPS Data Import highlighted
NEMS opens the GPS Data Import window.

Figure A.9 GPS Data Import window
2. Click Browse.
3. Navigate to the location of the file and select it.
Figure A.10 GPS Data Import window with selected data file
4. Click Load.
5. NEMS loads the file and edits the GPS data for the given devices.
Note: Using the import feature to edit the GPS data for a device changes its GPS mode to
Manual. A device in manual GPS mode will no longer automatically change its GPS
data based on new information received from associated devices or from internal GPS
reception.
Manually setting GPS data

Manually setting GPS data is best suited for single or small numbers of devices. If you need to
edit the GPS data of more than a few devices, use “Importing GPS data” on page 328 instead.
Setting GPS data from Node Maintenance

1. From the WAN Provisioning menu, select Node Maintenance.
NEMS opens the Node Maintenance screen.

Figure A.11 WAN View - Node Maintenance screen
2. Double-click a device to open the device’s Node Attributes window (Figure A.12).
Figure A.12 WAN - A device’s Node Attributes window
3. In the GPS Coordinates field, select Manual.

4. Enter the device’s GPS coordinates into the Latitude (degrees), Longitude (degrees),
and Altitude (meters) fields.

5. Click Save .
Setting GPS data from the Tree View

1. For a Collector device: right-click on the Collector in its subnet and select Collector
Details.
or
For a WAN device: right-click on the device and select Node Details, then click the Pro-
visioning tab.
NEMS opens either the Collector Details or Node Details window, depending on the
device type.
Figure A.13 A Collector device’s Node Details window
2. In the Location Details section, in the GPS Coordinates field, select Manual.

3. Enter the device’s GPS coordinates into the Latitude (degrees), Longitude (degrees),
and Altitude (meters) fields.
4. Click Save .

Trilliant ftpimage Command Reference
ftpimage Command Reference

This section describes the procedure for using the CLI’s “ftpimage” command. You can use
this command to manually initiate a firmware download using FTP or Secure FTP (SFTP). NEMS
is configured to perform software downloads using SFTP.
This command requires:
• An available active FTP or SFTP server. When performing an over-the-air upgrade, you
can use any FTP or SFTP server that is reachable from the Trilliant device. When upgrad-
ing a device that is unable to link to the Trilliant network, the FTP/SFTP server must be
attached to the device's local Ethernet port, and the FTP/SFTP server must be on the same
subnet as the Trilliant device, or on the default IP subnet 192.168.0.x.
• A computer with an IP address and netmask that can connect to the device. For more
information on connecting locally to devices, see “Connecting to the Command Line
• Access to the device’s CLI. For more information about using the CLI, see “Trouble-
shooting with Basic CLI Commands” on page 286.
1. Download the updated firmware and place it on your FTP/SFTP server (see “Uploading
New Firmware to the NEMS Server” on page 246) in the following FTP/SFTP directory:
pub/images/. Be sure to set proper file and directory permissions, allowing read
access.
2. Prior to upgrading the Trilliant device, verify proper operation of the FTP/SFTP server by
connecting with a standard FTP/SFTP client and performing a test download. For exam-
ple, in Windows or Unix, you can open a command prompt/terminal and issue the ftp
192.168.0.5 command. This will start the FTP client and connect to the FTP server at
192.168.0.5. You can then log in as 'anonymous' with any password. Test FTP server func-
tionality with the dir and get filename.bin commands.
3. Telnet to the Trilliant device on the default IP address, 192.168.0.2.
4. Test IP connectivity to the FTP/SFTP server using the ping command:
> ping 192.168.0.5
PING 192.168.0.5: 56 data bytes
64 bytes from 192.168.0.5: icmp_seq=0. time=16. Ms
64 bytes from 192.168.0.5: icmp_seq=1. time=0. Ms
----192.168.0.5 PING Statistics----
2 packets transmitted, 2 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/8/16
5. Prior to performing any ftpimage commands, Trilliant recommends that you enable
debugging so that the FTP/SFTP process can be monitored in real time:
> set log all 1
Log level changed: all at 1
> set log prov 2
Log level changed: prov at 2

> set log ftp 2

Log level changed: ftp at 2
> debug on
Debug logging enabled.
6. Use the show version sw command to determine the current active and backup
image:
> show version sw
Active Software Image : B
Image A Name : SMConn.2.2.0.bin
Image A MD5 : 8b:49:9f:99:1c:9f:52:c0:fd:43:59:26:ff:9b:6a:ff
Image A State : Accepted
Image A Counter : 1000
Image B Name : SMConn.2.2.0.bin
Image B MD5 : 8b:49:9f:99:1c:9f:52:c0:fd:43:59:26:ff:9b:6a:ff
Image B State : Accepted
Image B Counter : 1000
7. Use the ftpimage command to initiate the firmware download to the backup (non-
active) partition:
> ftpimage
-> Enter FTP server IP address: 192.168.0.5
-> Enter FTP server login [anonymous]:
-> Enter FTP server password:
-> Enter directory: pub/images/
-> Enter filename: SMConn.2.3.0.bin
-> Enter destination partition <A|B>: a
FTP server IP address: 192.168.0.5
FTP server login: anonymous
Directory: pub/images/
Filename: SMConn.2.3.0.bin
Destination partition: A
-> Are these settings correct? no, yes <n|y>: y
0x883240 (spCliTelnet): spProvisionAgent.cpp:3298 (SP_PROVISION_AGENT_COMPO-
NENT_ID#2)
Initiating FTP download.
NENT_ID#3)
Trying to connect to IP address 192.168.0.5.
NENT_ID#3) Login successful. Downloading file name SMConn.1.2.bin.
0x883240 (spCliTelnet): 4194304
NENT_ID#3)
FTP Successfully completed in 1 Minutes 0 Seconds
FTP successful.
8. Use the show version command to verify the image was successfully downloaded.
Specifically, check for a nonzero MD5:
> show version sw
Active Software Image : B
Image A Name : SMConn.2.3.0.bin
Image A MD5 : 35:9a:b0:9b:8e:95:e5:af:00:66:27:f3:0d:6c:65:1f

Trilliant ftpimage Command Reference
Image A State : Trial

Image A Counter : 10
Image B Name : SMConn.2.2.0.bin
Image B MD5 : 8b:49:9f:99:1c:9f:52:c0:fd:43:59:26:ff:9b:6a:ff
Image B State : Accepted
Image B Counter : 1000
9. If the image did not download successfully; repeat steps 7 and 8.

10. When appropriate, use the set activeimage command to change the active image.
For example, if the new image is image A:
> set activeimage a
Active image set to A.
The next time the node boots, it will use the new image.


Curso 5 Capacitación 1921 NEMS

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Curso 5 Capacitación 1921 NEMS

Uploaded by

Copyright:

Available Formats

Administrator Guide for

SecureMesh WAN and NEMS

Item Number: DP-1388

Chapter 2 - Installing the OS and NEMS ...................................................................................................................5

Chapter 3 - Getting Started with NEMS...................................................................................................................35

Chapter 4 - The NEMS Interface ..............................................................................................................................79

Administrator Guide for SecureMesh WAN and NEMS iv

Searching in NEMS ........................................................................................................................................94

Chapter 5 - Alarms and Events in NEMS...............................................................................................................129

v Administrator Guide for SecureMesh WAN and NEMS

Chapter 6 - Advanced NEMS Topics ......................................................................................................................217

Administrator Guide for SecureMesh WAN and NEMS vi

Overview of Adding VPN to your Network.................................................................................................232

Chapter 7 - The CLI and Troubleshooting .............................................................................................................279

vii Administrator Guide for SecureMesh WAN and NEMS

show prov IP .....................................................................................................................................288

Appendix A - Optional Settings ...............................................................................................................................315

Administrator Guide for SecureMesh WAN and NEMS viii

Advanced Firewall Settings .................................................................................................................................324

ix Administrator Guide for SecureMesh WAN and NEMS

About this Guide

Administrator Guide for SecureMesh WAN and NEMS 1

Audience and Purpose

2 Administrator Guide for SecureMesh WAN and NEMS

How This Guide Is Organized

Administrator Guide for SecureMesh WAN and NEMS 3

Conventions Used in This Guide

4 Administrator Guide for SecureMesh WAN and NEMS

Installing the OS and NEMS

Administrator Guide for SecureMesh WAN and NEMS 5

Required Hardware and Software

6 Administrator Guide for SecureMesh WAN and NEMS

Administrator Guide for SecureMesh WAN and NEMS 7

Design Your Simple Network

Figure 2.1 Basic SecureMesh WAN network design

8 Administrator Guide for SecureMesh WAN and NEMS

Administrator Guide for SecureMesh WAN and NEMS 9

Figure 2.2 CentOS Installation splash screen

3. Press [ENTER] to begin installing.

10 Administrator Guide for SecureMesh WAN and NEMS

Figure 2.3 CentOS media testing screen

Figure 2.4 The CentOS installer screen

Administrator Guide for SecureMesh WAN and NEMS 11

Figure 2.5 Selecting partition options

Figure 2.6 Removing all partitions warning

12 Administrator Guide for SecureMesh WAN and NEMS

Figure 2.7 Network Devices screen

Figure 2.8 Editing the network interface

Administrator Guide for SecureMesh WAN and NEMS 13

Figure 2.9 Updated Network Devices screen

14 Administrator Guide for SecureMesh WAN and NEMS

Figure 2.10 Creating a Root Password

Figure 2.11 Selecting a desktop version

19. Click Next to begin installing CentOS. (See Figure 2.12.)

Administrator Guide for SecureMesh WAN and NEMS 15

Figure 2.12 CentOS ready to begin installing

Figure 2.13 CentOS Installation complete

20. Click Reboot to finish.

16 Administrator Guide for SecureMesh WAN and NEMS

Figure 2.14 Setting the firewall options in CentOS

Figure 2.15 Confirming firewall selection

Administrator Guide for SecureMesh WAN and NEMS 17

Figure 2.16 Selecting a Security Enhanced Linux level

Figure 2.17 Date and time settings