Industrial Router Configurations

Requirements for configuring IR1101 devices

To successfully configure your IR routers, ensure you meet the following requirements:

Ensure that your IR1101 device has IOx container keys programmed.

  • Run this command:
    Router# show software authenticity keys | i Name
  • In the output, look for lines containing "Product Name: Cisco Services Containers". If the lines are present, the device has IOx container keys programmed.

  • If the lines are missing:

    • Devices shipped before January 2020: Either disable signature verification or upgrade the device.

    • Devices shipped after January 1, 2020: No action is required; the device should have the container keys programmed by default.

  • Do not proceed with SEA installation if the device has no container keys and signature verification is still enabled, as installation will fail with a signature verification error.

Configuring industrial routers

Summary

Configuring industrial routers to communicate with Cisco IoT Operations Dashboard involves several stages. The key components or participants involved in the process are:
  • Administrator: Configures and manages the industrial routers throughout the process.

  • Industrial router: The device that is being prepared and connected to the Cisco IoT Operations Dashboard.

  • Cisco IoT Operations Dashboard: The cloud-based platform used to manage registered devices and confirm successful connectivity.

Workflow

These are the stages of configuring industrial routers to establish a connection with Cisco IoT OD.

  1. Prepare the device: The administrator ensures the device is powered on, connected to the network, and accessible for configuration. For more information, see Prepare the device.

  2. Configure and enable IOx: The administrator enables IOx on the device, preparing it to support IoT application deployment. For more information, see Configure and enable IOx on industrial routers.

  3. Configure the device to connect to Cisco IoT Operations Dashboard: Using IOS commands, the administrator configures the device to communicate with the IoT Operations Dashboard. For more information, see Configure industrial routers to connect to IoT OD.

  4. Verify the configuration on the device: The administrator checks the connection status on the device using IOS commands. For more information, see Verify configuration on the device terminal.

  5. Verify the device status in Cisco IoT Operations Dashboard: The administrator confirms that the device appears as “registered” in the Operations Dashboard. For more information, see Verify the device status on the Operations Dashboard.

Result

The industrial router is securely connected to Cisco IoT Operations Dashboard, ready for remote management.

What’s next

Configure remote sessions to manage OT assets.

Prepare industrial routers

Use this task to prepare your industrial routers before configuring them for SEA.

Get your devices ready for SEA configuration.

Procedure


Step 1

Attach the necessary networking cables.

Step 2

Power up the device.


Your industrial routers are ready for SEA configuration.

Configure and enable IOx on industrial routers

Enable IOx so that containerized applications and services can be deployed and managed on Cisco industrial routers.

IOx provides a container hosting environment on Cisco IOS XE-based industrial routers, allowing you to run edge applications such as Secure Equipment Access (SEA), Cisco Cyber Vision (CCV), and Edge Intelligence (EI). Proper network configuration is required to ensure these applications have connectivity and the necessary IP resources to function effectively.

Before you begin

  • Verify that your industrial router is running a Cisco IOS XE version compatible with IOx.

  • Ensure you have access to the router’s CLI with the necessary administrative privileges.

Procedure


Step 1

Configure the virtual interface, DHCP pool, and NAT rules on the router to enable network connectivity for IOx applications.

  1. Configure the VirtualPortGroup (VPG) interface.

    VirtualPortGroup0 is the virtual interface that connects IOx applications to IOS XE. IOx applications need IP connectivity through VirtualPortGroup0, including assignment of an IP address. An example configuration follows; you can change the IP address to suit your requirements. Enter these configuration commands on the router console in configuration mode.
    ! Example
      conf t    
      interface VirtualPortGroup0
      description IOx Interface
      ip address 192.168.16.1 255.255.255.0
      ip nat inside
      ipv6 enable
      end
  2. Configure the DHCP pool.

    When the IOx applications start, they request an IP address via DHCP, so you need to configure a DHCP pool for them. An example configuration of the IP pool and DNS server follows; you can customize it to suit your requirements. Ensure that the default router IP address is the same as the IP address previously configured for the VirtualPortGroup0 interface.

    ! Example
      conf t
      ip dhcp pool ioxpool
      network 192.168.16.0 255.255.255.0
      default-router 192.168.16.1
      dns-server 192.168.16.1 8.8.8.8 
      end
  3. Configure NAT (Network Address Translation).

    IOx apps use private IP addresses obtained from DHCP, so they need NAT to access the Internet. Add NAT rules for the DHCP pool to enable IOx app traffic to reach the Internet.

    In the example below, assume that the connection to the Internet will be through Cellular 0/1/0. Make sure to change or adjust the interface if it is not Cellular 0/1/0. For example, it could be GigabitEthernet 0/0/0 or Cellular 0/3/0.

    ! Example of a NAT rule for using Cellular0/1/0 as an uplink:
      conf t       
      interface Cellular0/1/0
      ip nat outside
      ip access-list extended NAT_ACL
      10 permit ip 192.168.16.0 0.0.0.255 any
      route-map RM_WAN_ACL2 permit 10
      match ip address NAT_ACL
      match interface Cellular0/1/0
      ip nat inside source route-map RM_WAN_ACL2 interface Cellular0/1/0 overload
      end
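
The rules in Step 1 (the DHCP default router equals the VirtualPortGroup0 address, and the NAT rule is scoped to the DHCP pool) can be checked offline against a saved configuration. This Python check is an added example, not Cisco code; the function names and the joined sample configuration are assumptions, and it reads only the network/wildcard ACL form shown above with a contiguous, non-zero wildcard mask.

```python
import ipaddress
import re

# Constructed sample: the example snippets from Step 1, joined into one config.
SAMPLE = """\
interface VirtualPortGroup0
 ip address 192.168.16.1 255.255.255.0
ip dhcp pool ioxpool
 network 192.168.16.0 255.255.255.0
 default-router 192.168.16.1
ip access-list extended NAT_ACL
 10 permit ip 192.168.16.0 0.0.0.255 any
"""

def parse_iox_addressing(config):
    """Collect the VPG address, DHCP pool, default router and NAT ACL source."""
    found, section = {}, ""
    for line in (raw.strip() for raw in config.splitlines()):
        words = line.split()
        if line.startswith(("interface ", "ip dhcp pool ", "ip access-list ")):
            section = line
        elif section == "interface VirtualPortGroup0" and words[:2] == ["ip", "address"] and len(words) == 4:
            found["vpg"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif section.startswith("ip dhcp pool ") and words[:1] == ["network"] and len(words) == 3:
            found["pool"] = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
        elif section.startswith("ip dhcp pool ") and line.startswith("default-router "):
            found["gateway"] = ipaddress.ip_address(words[1])
        elif section.startswith("ip access-list "):
            m = re.search(r"permit ip ([\d.]+) ([\d.]+) any", line)
            if m:  # ipaddress reads the wildcard mask as a host mask
                found["acl"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    return found

def check_iox_addressing(config):
    """Return findings; an empty list means the three snippets agree."""
    f = parse_iox_addressing(config)
    missing = [k for k in ("vpg", "pool", "gateway", "acl") if k not in f]
    if missing:
        return [f"not found in config: {', '.join(missing)}"]
    findings = []
    if f["gateway"] != f["vpg"].ip:
        findings.append(f"default-router {f['gateway']} is not the VirtualPortGroup0 address {f['vpg'].ip}")
    if f["pool"] != f["vpg"].network:
        findings.append(f"DHCP pool {f['pool']} is not the VirtualPortGroup0 subnet {f['vpg'].network}")
    if not f["pool"].subnet_of(f["acl"]):
        findings.append(f"NAT ACL {f['acl']} does not cover DHCP pool {f['pool']}")
    elif f["acl"] != f["pool"]:
        findings.append(f"NAT ACL {f['acl']} is broader than DHCP pool {f['pool']}")
    return findings
```

An ACL broader than the pool is reported because it would translate traffic from addresses other than the IOx applications.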

Step 2

Enable IOx.

conf t
iox
end

Step 3

Verify that IOx is running correctly by running this command in exec mode:

show iox-service
! Example 1: When IOx is up and running, both the “IOx service (CAF)” and “dockerd” will be running.
Router#sh iox-service
IOx Infrastructure Summary:
---------------------------
IOx service (CAF)         : Running
IOx service (HA)          : Not Supported
IOx service (IOxman)      : Running
IOx service (Sec storage) : Running
Libvirtd 5.5.0            : Running
Dockerd v19.03.13-ce      : Running

IOx services are running on the router.

What to do next

Configure industrial routers to communicate with the Cisco IoT Operations Dashboard.

Configure industrial routers to connect to IoT OD

This task guides you through configuring Industrial Ethernet (IE) devices so that they can securely connect and register with the Cisco IoT Operations Dashboard (IoT OD).

Enable IE devices to connect securely to the Cisco IoT Operations Dashboard (IoT OD).

Before you begin

  • Ensure you have access to the device CLI.

  • Have an appropriate device profile with validated credentials ready on IoT OD.

Procedure


Step 1

Create a privilege 15 user by applying the following configuration. The credentials should match the values configured in the Device Profile on the Cisco IoT Operations Dashboard:

Example:

conf t
username <DEVICE PROFILE USERNAME> privilege 15 algorithm-type scrypt secret <DEVICE PROFILE PASSWORD>
end

Step 2

Configure the authentication-related settings and Web Services Management Agent (WSMA) settings.

conf t 
aaa new-model
aaa authentication login default local
aaa authorization exec default local
ip http server
ip http authentication local
ip http secure-server
wsma agent exec
profile exec
wsma profile listener exec
transport http path /wsma/exec
cgna gzip
end

Step 3

Configure the Intelligent Device Agent (IDA) transport profile: Enable a secure WebSocket connection over TLS to Cisco IoT Operations Dashboard on TCP port 443.

For the US cluster:

  conf t
  ida transport-profile wst
   callhome-url wss://device-us.ciscoiot.com/wst/cgna
   active
  end

For the EU cluster:

  conf t
  ida transport-profile wst
   callhome-url wss://device-eu.ciscoiot.com/wst/cgna
   active
  end

Step 4

Configure the Connected Grid NMS Agent (CGNA) registration profile.

conf t
  cgna profile cg-nms-register
   transport-profile wst
   add-command show version | format flash:/managed/odm/cg-nms.odm
   add-command show inventory | format flash:/managed/odm/cg-nms.odm
   interval 3
   active
   url https://localhost/cgna/ios/registration
   gzip
  end

Note

Once the configuration is done, the device connects to IoT OD and triggers the registration process.

Step 5

(Optional) Enable DNS on the router if it’s not already acquired through the DHCP server.

This is important if the router is configured with a static IP and a static default gateway, and no DNS server is explicitly specified. In this example, we use a Cisco DNS server. You can use any DNS server.

conf t
ip name-server 208.67.222.222
end

The device securely connects to Cisco IoT Operations Dashboard and completes registration.

What to do next

Verify device registration on the IoT Operations Dashboard and optionally on the device's terminal.

Verify configuration on the device terminal

This task helps you confirm that the device’s transport profile is properly configured and able to establish a secure connection with the Cisco IoT Operations Dashboard.

After configuring the device, you must ensure that the device is able to communicate with the Operations Dashboard.

Before you begin

  • Ensure you have access to the device terminal as an administrator or a user with sufficient privileges.

  • Make sure the transport profile has already been configured on the device.

Procedure


Step 1

Run this command to verify the network connectivity:

Example:

Router# show ida transport-profile-state all 
! Verify that IDA status is connected for the "wst" transport profile
 ! Notice the line "IDA Status: Connected" in the show command output below for the "wst" transport profile. 
 Router#sh ida transport-profile-state all
 Transport Profile 1:
 Profile Name: wst
 Activated at: Fri Jun  7 07:26:42 2024
 Reconnect Interval: 30 seconds
 keepalive timer Interval: 50 seconds
 Source interface: [not configured]
 callhome-url: wss://device-us.ciscoiot.com/wst/cgna
 Local TrustPoint: CISCO_IDEVID_SUDI
 Remote TrustPoint: [not configured]
 Execution-url: http://192.168.16.1  
 Proxy-Addr: [not configured]
 IDA Status: Connected
 State: Wait for activation
 Last successful response at Fri Jun  7 08:25:29 2024
 Last failed response:
 Last failed reason:

Step 2

Notice the line "IDA Status: Connected" in the show command output.
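
The check in Steps 1 and 2 can be scripted against captured command output. This Python parser is an added example, not Cisco code; the function names are assumptions, the sample is abridged from the output above, and the expected hosts are the two call-home URLs given in the transport profile step.

```python
from urllib.parse import urlsplit

# Call-home hosts from the US and EU transport-profile examples on this page.
EXPECTED_HOSTS = {"device-us.ciscoiot.com", "device-eu.ciscoiot.com"}

# Constructed sample, abridged from the show output above.
SAMPLE = """\
Transport Profile 1:
 Profile Name: wst
 callhome-url: wss://device-us.ciscoiot.com/wst/cgna
 Local TrustPoint: CISCO_IDEVID_SUDI
 IDA Status: Connected
 Last successful response at Fri Jun  7 08:25:29 2024
 Last failed response:
 Last failed reason:
"""

def parse_ida_profiles(output):
    """Split the show output into one dict of fields per transport profile."""
    profiles = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Transport Profile "):
            profiles.append({})
        elif profiles:
            # Fields are "key: value". Appending a space lets empty values split too,
            # while the "Last successful response at ..." line has no ": " and is skipped.
            key, sep, value = (line + " ").partition(": ")
            if sep:
                profiles[-1][key] = value.strip()
    return profiles

def check_ida_profile(profile, expected_hosts=EXPECTED_HOSTS):
    """Return findings for one profile; an empty list means it matches the page."""
    findings = []
    url = urlsplit(profile.get("callhome-url", ""))
    if url.scheme != "wss":
        findings.append(f"callhome-url scheme is {url.scheme!r}, expected 'wss'")
    if url.hostname not in expected_hosts:
        findings.append(f"callhome-url host {url.hostname!r} is not an expected cluster")
    if profile.get("IDA Status") != "Connected":
        findings.append(f"IDA Status is {profile.get('IDA Status')!r}, expected 'Connected'")
    if profile.get("Last failed reason"):
        findings.append(f"last failure recorded: {profile['Last failed reason']}")
    return findings
```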


What to do next

If the IDA status is connected, proceed with remote session configurations.

Verify the device status on the Operations Dashboard

Confirm that a device has successfully moved from the Staged status to the Registered status in your IoT OD Organization after a registration attempt.

When a device submits a registration request to IoT OD and its configuration is validated, the device automatically moves from Devices > Staged to Devices > Registered. If no registration attempt occurs, the device remains listed as Staged.

Before you begin

  • Ensure you have configured the device to communicate with IoT OD.

  • Verify that the device has attempted registration, if applicable.

Procedure


Step 1

Log in to the IoT Operations Dashboard.

Step 2

From the Services pane, select Application Manager.

Step 3

Click the Devices > Registered tab.


The device you added appears in the Registered tab, indicating successful registration.

What to do next

Configure your industrial routers to enable IOx application deployment.