Release Notes for IoT Field Network Director, Release 4.7.x

These release notes contain the latest information about using the user interface for IoT Field Network Director (FND), Release 4.7 to configure and manage IPv6 mesh endpoints, Cisco 1000 Series Connected Grid Routers (CGR1120 or CGR1240), Cisco 800 Series Integrated Services Routers (C800), Cisco LoRaWAN IXM Gateway, Cisco 500 WPAN Industrial Routers (IR500), Cisco 5921 (ESR5921) Embedded Service Routers, and Cisco 800 Series Industrial Integrated Services Routers (IR807, IR809, and IR829), Cisco Industrial Compute Gateway IC3000, and Cisco 1101 Integrated Services Router.

IoT FND is a software platform that helps to enable a clear separation between communications network management and operational applications such as distribution management systems, outage management systems, and meter data management in utilities. Use the software to manage a multi-service network of routers or a combination of routers and endpoint devices deployed with end-to-end security for your specific use case.

IoT FND is highly secure, scalable, and modular. Its pluggable architecture can enable network connectivity to a multi-vendor ecosystem of legacy and next-generation IoT devices.


Note


The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product.

Cisco IoT FND Documentation

Conventions

This document uses the following conventions.

Conventions Indication
bold

font

Commands and keywords and user-entered text appear in bold font.

italic font

Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.

[ ]

Elements in square brackets are optional.

{x | y | z }

Required alternative keywords are grouped in braces and separated by vertical bars.

[ x | y | z ]

Optional alternative keywords are grouped in brackets and separated by vertical bars.

string

A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.

courier font

Terminal sessions and information the system displays appear in courier font.

< >

Nonprinting characters such as passwords are in angle brackets.

[ ]

Default responses to system prompts are in square brackets.

!, #

An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.


Note


Means reader take note . Notes contain helpful suggestions or references to material not covered in the manual.

Caution


Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.



Warning


IMPORTANT SAFETY INSTRUCTIONS Means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its transaltion in the translated safety warnings that accompanied this device. SAVE THESE INSTRUCTIONS.


About Cisco IoT FND

The IoT Field Network Director (IoT FND) is a software platform that helps to enable a clear separation between communications network management and operational applications such as distribution management systems, outage management systems, and meter data management in utilities.

Through the browser-based interface, use the software to manage a multi-service network of routers or a combination of routers and endpoint devices such as:

  • Cisco 1101 Series Integrated Services Routers (ISRs) with Cisco IOS XE Software combine Internet access, comprehensive security, and wireless services (LTE Advanced 3.0 wireless WAN and 802.11ac wireless LAN) in a single, high-performance device. The Cisco 1101 Series ISRs are well-suited for deployment as Customer Premises Equipment (CPE) in enterprise branch offices, in service provider managed environments as well as smaller form factor and M2M use cases.

  • Cisco 800 Series Industrial Integrated Services Routers (IR800s) are ruggedized small-form factor cellular routers for mobile/vehicle applications. IR829 includes Wi-Fi providing connectivity in non-carpeted IT spaces, industrials, utilities, transportation, infrastructure, industrial M2M application, asset monitoring, Smart Grid, and utility applications. These devices are referred to as FARs in this document and identified by product ID (for example, IR800) on the Field Devices page. You can use IoT FND to manage the following IR800 models: IR809 and IR829.

  • Cisco 800 Series Integrated Services Routers (C800s) are used in most networks as edge routers or gateways to provide WAN connectivity (cellular, satellite over Ethernet, and Wi-Fi) to an end device (energy-distribution automation devices, other verticals such as ATMs, and mobile deployments). These devices are referred to as FARs in this document and identified by product ID (for example, C800 or C819) on the Field Devices page.

  • Cisco 500 Series Wireless Personal Area Network (WPAN) Industrial Routers (IR500) supply RF mesh connectivity to IPv6 and serial Internet of Things (IoT) devices (for example, recloser control, cap bank control, voltage regulator controls, and other remote terminal units).

  • The Cisco Wireless Gateway for LoRaWAN (IXM-LPWA-800, IXM-LPWA-900) can be a standalone product that connects to Ethernet switches or routers or connects to LAN ports of the Cisco 800 Series Industrial Integrated Services Routers. This gateway can be configured as a radio interface of the Cisco Industrial Routers 809 and 829. One or multiple gateways are connected to the LAN port(s) of the IR809 or IR829 via Ethernet or VLANs with encrypted links. Through this configuration, it provides LoRaWAN radio access while the IR809 or IR829 offer backhaul support for Gigabit Ethernet (electrical or fiber), 4G/LTE, or Wi-Fi.

  • Cisco Interface Module for LoRaWAN is an extension module for the industrial routers, Cisco IR809 and IR829, and serves as a carrier-grade gateway for outdoor deployments. The module provides unlicensed low-power wide area (LPWA) wireless connectivity for a range of Internet of Things (IoT) use cases such as asset tracking, water and gas metering, street lighting, smart parking/building/agriculture, and environment monitoring. There are two models supported, which are differentiated by their band support (863-870 MHz ISM or 902-928 MHz ISM). The module is identified by product ID (for example, IXM-LORA-800-H-V2).

  • Cisco 800 Series Access Points are integrated with C800 and IR829 platforms. These access points are referred to as FARs in this document and identified by product ID (for example, AP800).

  • Cisco ASR 1000 Series Aggregation Services Routers (ASRs) and Cisco 4000 Series Integrated Service Routers (ISRs) are referred to as head-end routers or HERs in this document.

  • Cisco IPv6 RF mesh endpoints (smart meters and range extenders).


Note


CGRs, C800, IR800s, IR500s, and other types of mesh endpoint devices can coexist on a network, but cannot be in the same device group or firmware management group. Refer to the following sections in the IoT Field Network Director User Guide for more information: Creating Device Groups, Working with Resilient Mesh Endpoint Firmware Images, and Configuring Firmware Group Settings.

The software features enterprise-class fault, configuration, accounting, performance, and security (FCAPS) functionality, as defined in the OSI Network Management reference model.

Cisco IoT FND Features and Capabilities

  • Configuration Management– Cisco IoT FND facilitates configuration of large numbers of Cisco FAR, HER, gateways, and endpoints. Use Cisco IoT FND to bulk-configure devices by placing them into configuration groups, editing settings in a configuration template, and then pushing the configuration to all devices in the group.

  • Device Management– Cisco IoT FND displays easy-to-read tabular views of extensive information generated by devices, allowing you to monitor your network for errors. Cisco IoT FND provides integrated Geographic Information System (GIS) map-based visualization of FAN devices such as routers and smart meters.

  • Firmware Management – Cisco IoT FND serves as a repository for Cisco CGR, Cisco C800s, Cisco IR800, IR500, and mesh endpoint firmware images. Use Cisco IoT FND to upgrade the firmware on groups of similar devices by loading the firmware image file onto the Cisco IoT FND server, and then uploading the image to the devices in the group. Once uploaded, use IoT FND to install the firmware image directly on the devices.

  • Zero Touch Deployment – Ease of deployment at scale with Zero-Touch Deployment (ZTD) of gateways and routers.

  • Tunnel Provisioning– Protects data exchanged between Cisco ASRs and Cisco CGRs and C800s, and prevents unauthorized access to Cisco CGRs to provide secure communication between devices. Cisco IoT FND can execute CLI commands to provision secure tunnels between Cisco CGRs, Cisco C800s, Cisco IR800s and Cisco ASRs. Use Cisco IoT FND to bulk-configure tunnel provisioning using groups.

  • IPv6 RPL Tree Polling – The IPv6 Routing Protocol for Low-power and Lossy Networks (RPL) finds neighbors and establishes routes using ICMPv6 message exchanges. RPL manages routes based on the relative position of the endpoint to the CGR that is the root of the routing tree. RPL tree polling is available through the mesh nodes and CGR periodic updates. The RPL tree represents the mesh topology, which is useful for troubleshooting. IoT FND maintains a periodically updated snapshot of the RPL tree.

  • Dynamic Multipoint VPN and Flex VPN– For Cisco C800 devices and Cisco IR800 devices, DMVPN and Flex VPN do not require IoT FND to apply device-specific tunnel configuration to the HER during tunnel provisioning. HER tunnel provisioning is only required for site-to-site VPN tunnels.

  • Dual PHY Support – IoT FND can communicate with devices that support Dual PHY (RF and PLC) traffic. IoT FND identifies CGRs running Dual PHY, enables configuration to masters and slaves, and collects metrics from masters. IoT FND also manages security keys for Dual PHY CGRs. On the mesh side, IoT FND identifies Dual PHY nodes using unique hardware IDs, enables configuration pushes and firmware updates, and collects metrics, including RF and PLC traffic ratios.

  • Device Location Tracking – IoT FND displays real-time location and device location history for CGR1000, C800, IR1101, IR8100, and IR800 devices.

  • Diagnostics and Troubleshooting – The IoT FND rule engine infrastructure provides effective monitoring of triage-based troubleshooting. Device troubleshooting runs on-demand device path trace and ping on any CGR, Cisco C800, Cisco IR800, range extender, or meter (mesh endpoints).

  • High Availability – To ensure uninterrupted network management and monitoring, you can deploy the Cisco IoT FND solution in a High Availability (HA) configuration. By using clusters of load-balanced IoT FND servers and primary and standby IoT FND databases, Cisco IoT FND constantly monitors the health of the system, including connectivity within clusters and server resource usage. If a server cluster member or database becomes unavailable or a tunnel fails, another takes its place seamlessly. Additionally, you can add reliability to your IoT FND solution by configuring redundant tunnels between a Cisco CGR and multiple Cisco ASRs.

  • Power Outage Notifications – Cisco Resilient Mesh Endpoints (RMEs) implement a power outage notification service to support timely and efficient reporting of power outages. In the event of a power outage, CGEs perform the necessary functions to conserve energy and notify neighboring nodes of the outage. FARs relay the power outage notification to IoT FND, which then issues push notifications to customers to relate information on the outage.

  • Audit Logging – Logs access information for user activity for audit, regulatory compliance, and Security Event and Incident Management (SEIM) integration. This simplifies management and enhances compliance by integrated monitoring, reporting, and troubleshooting capabilities.

  • North Bound APIs – Eases integration of existing utility applications such as outage management system (OMS), meter data management (MDM), trouble-ticketing systems, and manager-of-managers.

  • Role-Based Access Controls– Integrates with enterprise security policies and role-based access control for AMI network devices.

  • Event and Issue Management– Fault event collection, filtering, and correlation for communication network monitoring. IoT FND supports a variety of fault-event mechanisms for threshold-based rule processing, custom alarm generation, and alarm event processing. Faults display on a color-coded GIS-map view for various endpoints in the utility network. This allows operator-level custom, fault-event generation, processing, and forwarding to various utility applications such as an outage management system. Automatic issue tracking is based on the events collected.

New Features


Note


Do not use an underscore (_) in the FND hostname or OVA template name.

Note


For optimal performance, ensure that the network ping latency between the FND Application Server and Database Server is < 1ms.

The following table lists new platforms and features that are managed in IoT FND 4.7.x.

Feature Description First IoT FND Release Support Related Documentation

Enhanced Tunnel Reprovisioning and DHCP Addresses

The Tunnel Provisioning workflow has been modified so that DHCP addresses are released during decommissioning of the Field Area Router (FAR) device rather than during Tunnel Provisioning.

To improve Tunnel Provisioning, we have introduced a new property: optimizeTunnelProv

By default, tunnel creation and deletion will lock the Head-end Router (HER). However, if the optimizeTunnelProv property is set to ‘true’ either through CSV or cgms.properties, then tunnel creation and deletion will not lock the HER during the operation

Note

 

Configuring the optimizeTunnelProv property in CSV is done at the Device level and configuring cgms.properties is done at the Global level.

This change applies to the management of the followingCisco IOS and Cisco IOS XE Routers:

  • Connected Grid Routers: CGR1120 and CGR1240

  • Cisco Industrial Integrated Services Routers: IR800 (IR807, IR809 and IR829)

  • Cisco 5900 Series Embedded Services Routers(ESR 5900)

  • Cisco SBR (C5921)

This change applies to the management of the followingCisco IOS XE Routers:

  • Cisco IR1101 Integrated Services Routers

4.7.2-8

Cisco IoT Field Network Director User Guide, Release 4.7.x

Support Expired Cisco SUDI Certificate

The expiration date for a limited number of Cisco Secure Unique Device Identifier (SUDI) certificates for a limited number of Internet of Things (IoT) products will expire on:

Date of Manufacture plus 10 years or 2029-05-14, whichever is earlier.

The following Cisco devices are affected by this change:

  • Connected Grid Routers: CGR1120 and CGR1240

  • Cisco IR1101 Integrated Services Router

  • Cisco Industrial Integrated Services Routers: IR807, IR809 and IR829

  • Cisco Wireless Gateway for LoRaWAN: IXM

Note: A previously enrolled device will not be affected by an expired Cisco SUDI certificate.

Devices with expired SUDI certificate will not have any authentication issues with FND from now on.

4.7.1-60

Cisco IoT Field Network Director User Guide, Release 4.7.x

Improved Usability for File Management

You can modify the width of the Open Issues column that displays for a Field Device when two or more open issues exist by selecting the column and moving the cursor to the left to minimize the size of the column.

Additionally, this feature reduces the Open Issues display to a single line of content versus multiple lines and displays three periods (...) to indicate that additional content is available to view by expanding the column to the right.

DEVICES > FIELD DEVICES > Browse Devices > Inventory

4.7.1-60

Cisco IoT Field Network Director User Guide, Release 4.7.x

Device Search Field added to the Device File Management page to Search for a Specific Router

You can perform partial or full search for a router on the Upload File to Routers page using a router name such as:

CGR1120/K9+JAF1641648BBCT

CONFIG > DEVICE FILE MANAGEMENT > Actions

4.7.1-60

Cisco IoT Field Network Director User Guide, Release 4.7.x

Number of Devices that Display on the Upload File to Routers Page Increased to 200

By default, a minimum of ten routers display. You can select up to 200 devices to display.

CONFIG > DEVICE FILE MANAGEMENT > Actions

4.7.1-60

Cisco IoT Field Network Director User Guide, Release 4.7.x

Set Time Range and Page Preferences for Events

On the Events tab for a device, you can define values for Time Range and Page View settings for a device type and apply those same settings to a device of the same type.

DEVICES > FIELD DEVICES > {Router | Switch | Endpoint | Gateway]

4.7.1-60

Cisco IoT Field Network Director User Guide, Release 4.7.x

New Browser Support for FND 4.7.1

Microsoft Edge browser Microsoft EdgeHTML: 88.0.705.68

4.7.1-60

Troubleshooting Page for On Demand Statistics

A new Troubleshooting tab is available for CG-MESH and IR500 endpoint ‘s on the Device Details page.

This new page, allows you to generate the following predefined system reports for the CG-MESH and IR500 endpoints:- All TLVs, Connectivity, General, Registration, and Routing.

DEVICES > FIELD DEVICES > ENDPOINT > Troubleshoot tab

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

Itron Bridge Meter, ITRON30 Support and Management

An Endpoint Operator can now manage Itron Bridge Meters (such as ITRON30) using IoT FND as a cg-mesh device type (METER-CGMESH). This meter was previously run in RFLAN mode. Only Root and Endpoint operators can see and perform the endpoint operations and scheduling for the channel notch feature.

To manage an Itron Bridge Meter in cg-mesh node, an Endpoint Operator (RBAC) must convert the RFLAN meter to a cg-mesh device type and upgrade all CG-mesh firmware to CG-mesh 5.6.x.

After successful registration, the channel notch settings (in the bootstrap config.bin file) should be pushed to all nodes by the Endpoint operator.

Two new properties:

channelNotchMaxAttempts = 20: The maximum attempts to try to send the configuration and schedule info to all the endpoints.

channelNotchSettingEnabled=true. Allows you to enable or disable the channel notch feature.

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

Channel Notch Settings

You can define up to four pairs of Notch Range Start and End Channels in the Channel Notch Settings page:

CONFIG > CHANNEL NOTCH SETTINGS

The above page only appears when the cgmesh.properties has the following setting: channelNotchSettingEnabled=true

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

Channel Notch Configuration page

You can push and schedule the Channel Notch Configuration Settings in the following new page:

CONFIG > CHANNEL NOTCH CONFIG

You can initiate the following two actions for those routers whose endpoints have been successfully updated with the channel notch configuration:

+ button on the router group displays the router name and the corresponding cg-mesh endpoints.

  • Push Channel Notch Config button - When you select the Router group and click the Push Channel Notch Config button, FND initiates a push of the channel notch settings to the endpoints.

  • Schedule Channel Config button - This operation is only allowed for those router config groups that have routers with endpoints that have received a channel notch config successfully. When applicable, the panel allows you to set a schedule channel config date and time for the devices.

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

ITRON30, IR500 and CG-Mesh Device Configuration

On the ENDPOINT > Default-cgmesh page, you can now perform the additional actions at the Push Configuration tab page found in the right-pane:

Select the ‘Push ENDPOINT Re-Enrollment’ option in the drop-down menu on the page, along with the Certificate Re-enrollment Type. Supported certificate re-enrollment options are:

  • Get NMS Cert and NPSA/AAA Cert

  • LDevID Certificate

  • IDevID Certificate

Messages are sent in unicast form.

CONFIG > DEVICE CONFIGURATION > Groups > ENDPOINT > Desired Group (Default-ir500 or Meter) > Push CONFIG

Select ‘Push Endpoint Re-enrollment’

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

Endpoint Re-Enrollment Option for ITRON30 and IR500 Endpoints

You can now re-enroll a certificate for cg-mesh endpoints by selecting the Re-Enrollment tab on the Device info page of the CGMESH and IR500 endpoints.

When you click the Re-enrollment button on the cgmesh or IR500 device details page, it will open a popup window with three options. Select one of the certificates and click Submit.

DEVICES > FIELD DEVICES > Browse Devices > ENDPOINT > METER-CGMESH (left pane)

Newly added endpoint appears on the Device Config page

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

DTLS Relay and Certificate Auto Renew Settings for ITRON30 and IR500 Endpoints

New options are available on the Edit Configuration Template page.

  • You can enable or disable the DTLS Relay Settings.

  • You can enter the Certificate Auto Renew Settings percentage, range of 0 to 100.

CONFIG > DEVICE CONFIGURATION > Groups > ENDPOINT > Default-CGMesh > Edit Configuration Template

CONFIG > DEVICE CONFIGURATION > Groups > ENDPOINT > Default-ir500 > Edit Configuration Template

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

Certificate Information page for Gateway IR500 Endpoints

The following certificate information is reported for IR500 endpoints managed by IoT FND on the Certificate Info page (right-pane):

  • Manufacturer IDevID

  • LDevID

  • NMS Cert

DEVICE > FIELD DEVICES > ENDPOINT > GATEWAY-IR500 Certificate Info

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

New Device Events for Gateway IR500 Endpoints

Name of new events supported:

MAJOR: Authentication Failure

INFO: Authentication Success, CAcert Request, CAcert Response, Email Success, Enroll Request, Enroll Success, SSL Error

DEVICE > FIELD DEVICES > Browse Devices > GATEWAY-IR500 > Events

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

Audit Trail for Re-Enrollment for Gateway-IR500 Endpoints

The following new Operation will be recorded for Re-Enrollment of the Group:

Operation: Re-Enrollment (Get NMS Cert and NPS/AAA Cert)

Status: Initiated

Details: Group default-cg-mesh, Device category: endpoint

ADMIN > SYSTEM MANAGEMENT > AUDIT TRAIL

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

WiSUN Configuration for IR500 and Itron30

Note

 
Note: In Mesh software 6.1, the WiSUN 1.0 protocol is supported for all IR500 platforms. The mesh protocol setting between CG-Mesh or WiSUN 1.0 can only be set in the bootstrap configuration.

Note

 
In Mesh software 6.3, only the WiSUN 1.x protocol will be supported for all mesh endpoints. It will display Wi-SUN 1.0 from mesh 6.3 firmware onward under the Mesh Protocol heading on theDEVICES > FIELD DEVICES > ENDPOINT > Inventory page.

Note

 
The WiSUN settings have been removed from the IR500 Config Group template. CONFIG > DEVICE CONFIGURATION > Default-ir500 > Edit Configuration Template

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

TLS Version Settings for Default-cgmesh Endpoints

The available settings for the TLS version are:

  • 1.2

  • 1.0 and 1.2

  • N/A

CONFIG > DEVICE CONFIGURATION > Groups > Endpoint > default-ir500 > Edit Configuration Template

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

Mesh WiSUN 1.x Power Outage Notifications (PON) and Power Restoration Notifications (PRN) for IR510

This feature is supported on IR510 from Mesh Release 6.2 and onward. IR510 can send the WiSUN Outage and Restoration notification when running in WiSUN mode.

Note

 

IR509, IR529 and IR530 running in WiSUN mode can relay the WiSUN Outage and Restoration notification message but cannot send the message.

OPERATIONS > EVENTS

OPERATIONS > ISSUES

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

Mesh 6.3: Configure Rate Limits for LoWPAN interfaces and IR5xx Ethernet Interfaces and meters (ITRON30, CGREF3) to Defend Against Denial of Service (DoS) Attacks

You can define a Default Access Control List (ACL) Profile for each protocol (UDP, TCP, ICMP) to control the rate of the traffic sent or received. The rate limit is set in kbits/unit. A configuration push will fail if the rate exceeds the configured limit.

CONFIG > DEVICE CONFIGURATION> Config Profiles > ACL Profile > Default ACL Profile

4.7.0-100

Release Notes for Cisco Resilient Mesh,Release 6.3

Interface ACL Settings for Lowpan in the Config Push Template

You can now define an ACL rule in the configuration profile for Lowpan interfaces as well as define rate limits for lowpan interfaces.

CONFIG > DEVICE CONFIGURATION> Config Profiles > ACL Profile > Interface ACL Settings

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

ACL Deny Messages

A new section on the Device Details page for IR510, IR529 and IR530, shows ITRON30 and CGREF3 meters, displays ACL Deny Message Detail for LoWPAN Interfaces.

DEVICES > FIELD DEVICES > ENDPOINT > GATEWAY-IR500

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

Bandwidth Efficient Software Transfer (BEST)

When updating an existing installed software base for IR510, IR530, IR509, IR529 and CGMESH (Itron, CGEREF2, CGEREF3) devices, you have the option to upload only the new FND 4.7 software updates, rather than the full image, by using bspatch and bsdiff version 4.3. The platform image on IR510, IR509, IR530, IR529 and CGMESH (ITRON, CGEREF2, CGEREF3) must be running Mesh 6.3 or greater for this feature to work.

To make use of this feature in the FND 4.7 user interface at the CONFIG > FIRMWARE UPDATE > Firmware Management > Upload Image page of your system, you must enable the feature by checking the Install Patch option on that page before you select the Upload Image button.

CONFIG > FIRMWARE UPDATE

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

Enforcing Wi-SUN Firmware Upgrade Rules

All endpoints in the subnet that are moved to WiSUN mode must have a mesh firmware software version of Mesh 6.3 or greater.

IoT FND 4.7 will not allow a software upgrade to proceed if the mesh firmware software version requirement is not met.

Additionally, you will not be able to downgrade endpoints from a WiSUN firmware version to a non-WiSUN version.

Pop-up messages will appear when an invalid firmware upload or scheduled firmware upload is detected.

Note

 

The NB-API has been enhanced to handle the validation check in both the upload and reload phase.

Note

 

The feature is not applicable to all IR500s.

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

Management of Cisco Wireless Gateway for LoRAWAN (IXM), Release 2.1.0.1

IoT FND now manages the following IXM components:

  • Plug and Play (PNP) support

  • Configuring the Common Packet Forwarder (CPF) during registration

  • Display of CPF properties (Info and Status) in the FND Device Details page

Prerequisite to managing the IXM: Add the following property to cgms.properties and set it to ‘true’ and restart the FND service:

trust-ixm-server-cert=true

Note

 

After you enter the above command, you will need to add the Gateway Bootstrap Configuration template to LoRAWAN in the Tunnel Provisioning Page before triggering PnP on the device.

See Gateway Bootstrap Configuration Template in these release notes.

4.7.0-100

Cisco IoT Field Network Director User Guide, Release 4.7.x

Oracle 19C Support

FND 4.7.0 Oracle OVA will have Oracle19C installed in the virtual machine.

4.7.0-100

Oracle Database 19c

IoT Field Network Director Oracle Upgrade from 18c to 19c

Update LDevID for Greenfield and Brownfield deployment

FND now has tcl scripts, autorenewal_update.tcl, which activates the CLIs, and LDevID-update.tcl, which does file manipulation to update the new certificate information in the before-* config files whenever the LDevID certificate is renewed.

  • In greenfield deployments these scripts are pushed as part of Registration flow.

  • In brownfield deployments, these scripts are pushed during periodic refresh metrics.

Formerly, when a FAR device renewed its LDevID certificate, the before-* config files were not updated with the new certificate information. As a result, if FND rolled back a FAR device because of a new tunnel or device config push, then the FAR device would reload with its previous certificate information which might have been expired at that time and break any communication with FND.

Note

 
By default this feature is enabled. You can manage it through the "enable_ldevid_renewal_tcl" property.

4.7.1-60

LDevID: Auto-Renewal of Certs and Saving Configuration

Figure 1. Enhanced Tunnel Provisioning in FND 4.7.1
Table 1. Description of Steps
Step Activity

1

When the Field Area Router (FAR) reboots, it executes the tunnel-provision-template profile.

2

FAR connects to the Tunnel Provisioning Server (TPS).

3

TPS forwards the request to FND.

4

FND initiates the Tunnel Provisioning workflow including removing any older Head-end Router (HER) tunnel configuration.

5

FND initiates the Tunnel Addition Template and checks if the IP address is in the Database (DB). If the address is not in the DB, FND will contact the DHCP server to get the address which the FAR will use as the FAR endpoint address while creating the Tunnel.

6

The DHCP address is stored on the FND Database.

7

FND will then push the processed Tunnel template to the TPS as config commands.

8

The Tunnel config commands are then pushed to the FAR.

9

FND then pushes the Tunnel Addition template to the Head-end Router (HER)

10

A tunnel is then formed between ASR and the FAR with the IP address generated by the DHCP at the FAR side. Note: With release of the DHCP leases for every tunnel reprovisioning, the address which was bound to the FAR Tunnel gets replaced with a new one. This results in the communication to break between the third-party services such as SCADA and FAR since these services might be using the older IP address to connect to the FAR.

System Requirements

The following table lists the hardware and software versions associated with this release.


Note


For a large scale system, refer the Table 1 and Table 2 for scale requirements.
Component Minimum Hardware Requirement Software Release Requirements

Cisco IoT FND application server (or comparable system that meets the hardware and software requirements)

  • Processor:

    • 2.27 GHz (64-bit)

    • 4 CPUs

  • RAM: 16 GB

  • Disk space: 100 GB

  • Red Hat Enterprise Linux (RHEL) 7.7, 64-bit with all packages installed (software development and web server)

    See Table 2 for suggested application server resource allocation profiles.

    Note

     

    End of Support (EOS) for RHEL 7.5 in April 2020

  • Internet connection

    When you access IoT FND from a client browser, the browser connects to the Internet to download the necessary data files from the GIS maps provider.

  • A license to use SafeNet for mesh endpoint security

    Note

     
    IoT FND software bundle includes required Java version.

Cisco IoT FND TPS proxy

  • Processor:

    • 2.27 GHz (64-bit)

    • 2 CPUs

  • RAM: 4 GB

  • Disk space: 25 GB

  • Red Hat Enterprise Linux 7.7 and above with all packages installed (software development and web server)

  • Internet connection

    Note

     
    IoT FND software bundle includes required Java version.

Database server for IoT FND

Scalable to 25 routers/10,000 endpoints with minimum hardware requirement. See Resource Management Guidelines for additional scale sizes.

  • Processor: 3.33 GHz (64-bit)

  • 2 CPUs

  • RAM: 16 GB

  • Disk space: 100 GB

Note

 
IoT FND 4.7 and above supports the Oracle releases listed below.
  • Oracle Database 19c Enterprise Edition

  • Oracle Database 18c Enterprise Edition (formerly named 12.2c)

  • Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64-bit Production (with Patch 20830993)

    Note

     
    Before installing Oracle, install the Linux packages referenced in “Table 1: Minimum Hardware and Software Requirements for Oracle Install” in the following guide:

    Cisco IoT Field Network Director Installation Guide-Oracle Deployment, Releases 4.3.x, 4.4.x, 4.5.x and 4.6.x

    See Table 1 of these release notes for suggested Oracle Database server resource allocation profiles.

  • Red Hat Enterprise Linux (RHEL) 7.7, 64-bit with all packages installed (software development and web server)

Note

 

End of Support in April 2020 for Red Hat Linux 7.5, 64-bit with all packages installed (software development and web server)

Cisco IoT FND Client

The client must meet the following minimum requirements to connect to the IoT FND application server and view IoT FND. It displays:

  • Windows 10

  • RAM: 8 GB

  • Processor: 2 GHz

  • Resolution: 1024 x 768

Supported browsers:

  • Microsoft EdgeHTML: 42.17134.1098.0

  • Mozilla Firefox: 88 or later

Cisco Prime Network Registrar (used as a DHCP server)

Server must have the following minimum requirements:

  • Free disk space: 146 GB

  • RAM: 4 GB (small network), 8 GB (average network), 16 GB (large network)

  • Hard drives:

    • SATA drives with 7500 RPM drive > 500 leases/second or

    • SAS drives with 15K RPM drive > 1000 leases/second

The following software environment must exist before installing Prime Network Registrar:

  • Operating System: Windows Server 2008

  • Development Kit (JDK) Java SE Runtime Environment (JRE)8.0 (1.8.0_65-b17) or equivalent Java Development Kit (JDK).

  • User interfaces: Web browser (Microsoft Edge 42.17134.1098.0) and command-line interface (CLI)

  • For Prime Network Registrar license, contact your Cisco partner.

Hardware Security Module (HSM)

Luna SA appliance, with client software installed on the IoT FND application servers

Luna SA appliance:

  • Release 7.4 firmware

Note

 
Contact SafeNet to determine if you can run a higher version.
  • Release 7.4 software, plus security patches

Luna SA client software:

  • Release 7.4 software

Software Security Module (SSM)

  • RAM: 8 GB

  • Processor: 2 GHz

  • 2 CPUs

  • Red Hat Enterprise Linux (RHEL) 7.7, 64-bit with all packages installed (software development and web server)


Note


If deploying a IoT FND server cluster, all nodes in the cluster should run on similar hardware. Additionally, all nodes must run the same version of IoT FND.

Supported Device Types in IoT FND

The following device types are supported in the IoT FND:
Device Types Software Release Requirements

FAR

1. Cisco 1101 Series Industrial Integrated Services Routers (IR1101)

Cisco IOS-XE 17.4.1

2. Cisco CGR1000 Series Connected Grid Router (CGR1120 or CGR1240)

Cisco IOS Release 15.9(3)M3b

3. Cisco 5921 (ESR5921) Embedded Service Routers

Cisco IOS Release 15.8(3)M2

4. Cisco 800 Series Industrial Integrated Services Router (IR800)

Cisco IOS Release 15.9(3)M3

5. Cisco 800 Series Integrated Services Router (C800)

Cisco IOS Release 15.8(3)M2

6. Cisco 800 Series Access Points (AP800) are integrated with C800 and IR829 platforms.

  • AP802: ap802-k9w7-tar.153-3.JD.tar

  • AP803: ap1g3-k9w7-tar.153-3.JD.tar

HER

1. Cisco ASR 1001 or 1002 Aggregation Services Router (ASR) serving as a head-end router

Cisco IOS XE Release 16.9.3 for Flex tunnels (IOS)

2. Cisco 4000 Series Integrated Service Router (ISR)

  • Cisco IOS Release 15.4(3)M

  • Cisco IOS Release 15.4(2)T

Note

 
ASRs and ISRs with different releases can coexist on the network.
Compute Gateway

Cisco IC3000 Industrial Compute Gateway

Firmware version —1.4.1

Cisco Resilient Mesh Module and supported endpoints

  • Firmware version 6.4 when communicating with CGR 1000s or Cisco ASRs and the minimum Cisco IOS software versions recommended for these routers in this release notes

  • Firmware version 5.6.42

Cisco RF Mesh endpoints

  • Firmware version 6.4 when communicating with IR500

  • Firmware 5.6.42

Cisco 500 Series Wireless Personal Area Network (WPAN) Industrial Routers (IR500)

  • Cisco IR509 and Cisco IR510, DA Gateway device: Firmware version 6.2.19

  • Cisco IR529 and Cisco IR530 Range Extender: Firmware version 6.2.19

LoRaWAN

Long Range Wide Area Network (LoRaWAN) Interface Module for Cisco 800 Series Industrial Integrated Services Routers (IR800)

LoRa/IXM-LPWA—Firmware version is 2.0.32

Resource Management Guidelines

Virtual machine (VM) configuration workload characterization is important. When using multiple VMs on the same physical host, allocate resources so that individual VMs do not impact the performance of other VMs. For example, to allocate 4 VMs on a 8-CPU host, do not allocate all 8 CPUs to ensure that one (or more) VM does not use all resources.

The following table lists example Oracle database server usage profiles for important resource parameters such as CPU, memory, and disk space.

Table 2. Oracle DB Server Hardware Requirements Example Profiles
Nodes (Routers/Endpoints) CPU(Virtual Cores) Memory(RAM GB) Disk Space (GB)

25/10,000

2

16

100

50/50,000

4

16

200

500/500,000

8

32

500

1,000/1,000,000

12

48

1000

2,000/2,000,000

16

64

1000

6,000/6,000,000

20

96

1000

The following table lists example IoT FND Application server usage profiles for important resource parameters such as CPU, memory, and disk space.

Table 3. Application Server Hardware Requirements Example Profile for Routers and Endpoints
Nodes(Routers/Endpoints) CPU(Virtual Cores) Memory(RAM GB) Disk Space (GB)

25/10,000

2

16

100

50/50,000

4

16

200

500/500,000

4

16

250

1,000/1,000,000

8

16

250

2,000/2,000,000 1

8

16

500

5,000/5,000,000 1

8

16

500

6,000/6,000,000

8

16

500

  1. Clustered installations.


Note


RAID 10 is mandatory for deployments of 2 million endpoints and above.

For Router Only Deployments

Information in the following tables is relevant to Router Only deployments.

Nodes(IR800/LoRa modules) CPU(Virtual Cores) Memory (RAM GB) Disk Space (GB)

10,000/30,000

4

24

100

Nodes(IR800/LoRa modules) CPU(Virtual Cores) Memory(RAM GB) Disk Space (GB)

10,000/30,000

6

32

500

OpenSSH Version

Since IoT FND is supported on a variety of Red Hat Enterprise Linux (RHEL) 5 Update releases, the OpenSSH version that comes with a given release might be an older version with known security holes. Consequently, we recommend ensuring that OpenSSH on the RHEL IoT FND server is up to date. On initial installation, upgrade the OpenSSH package in the IoT FND server to version (7.7).

IoT FND Release 4.x Upgrade Matrix Table

This section provides IoT FND upgrade information based on the current and target releases.

Target Release You Can Upgrade to the Target Release (Left column) from the Following Releases (Right Column)

4.7.2-xx

4.7.1-60

4.7.0-100

4.6.1-61

4.7.1-60

4.7.0-100

4.6.1-61

4.7.0-100

4.6.1-61

4.5.1-11

4.6.1-61

4.5.1-11

4.4.4-9

4.4.3-4

4.4.2-11

4.4.1-10

4.4.0-79

4.5.1-11

4.4.2-11

4.4.1-10

4.4.0-79

4.3.2-7

4.3.1-7

4.3.0-133

4.4.x

4.3.1-7

4.3.0-133

4.2.0-123

4.3.x

4.2.0-123

4.1.1-64.1.0-257

4.2.0-123

4.1.0-257

4.0.0-299


Note


Target Release versions allow upgrades from the two prior major releases and its maintenance releases unless the maintenance release was released after the Target version.

If the current version is not within the two prior versions of the target release, then multiple upgrade hops will be required to get to the target release. Use the table above to plan the upgrade paths.

The system must be upgraded to each intermediate version(s) followed by starting the FND application and allowing it to stabilize. This allows the FND application to perform necessary modifications of databases during startup. The ability to log on to FND is the best indication of completion of these startup modifications.

EXAMPLE:

If your network is running FND 4.4.0-79 and your Target Release is 4.7.0-100, then your best upgrade path would be:

  • Upgrade 4.4.0-79 to 4.6.1-61 and then upgrade to 4.7.0-100

Recommended steps for the multi-hop upgrade noted above are:

  1. Backup FND 4.4.0-79 database.

  2. Perform an upgrade to FND 4.6.1-61 using the upgrade instructions in the Install Guide.

  3. Start FND 4.6.1-61 and login to the FND user interface and perform a quick sanity check.

  4. Stop FND 4.6.1-61 services.

  5. Backup FND 4.6.1-61 database.

  6. Upgrade to FND 4.7.0-100 using the upgrade instructions in the Install Guide.

  7. Start FND 4.7.0-100 and login to the GUI.

Hardware Security Module (HSM) Upgrade Table

For IoT-FND Release 4.6.2 and greater, within the IoT-FND image bundle, there are new sub-folders for the jar and API files: /opt/cgms/safenet/LunaX, so, there is no need to backup the software.


Note


LunaProvider.jar and libLunaAPI files contain the HSM library patch for the defect CSCvs83557.


The table below lists the HSM client versions that are tested and recommended for the corresponding Cisco IoT FND software versions. However, FND application software is backward compatible with HSM client versions. For example, FND version 4.7.1 is compatible with older versions of HSM client such as 5.4, 6.3.

Table 4. HSM Upgrade Table
FND Software Release HSM Client HSM Hardware

4.7.1

10.2

7.4

4.6

7.3 with software patch

7.4

4.5

7.3 with software patch

7.3

4.4

7.3 with software patch

7.0

Gateway Bootstrap Configuration Template

Add the following Gateway Bootstrap Configuration template to LoRAWAN in Tunnel Provisioning Page before triggering PNP on the device.

Enter the following commands:


hostname <hostname>
!crypto ipsec profile primary
   ipaddr <ipaddr> iketime 86000 keytime 86000 aes 256
  subnet <subnet> ip>/24
  exit
ip domain lookup
ip domain name cisco.com
ip host fnd.iot.cisco.com <fnd ip address>
!
interface Fast Ethernet 0/1
  ipaddress dhcp
  exit
!
ip default-gateway <default gateway ip>
!
username <username> password <password>
!
ip ssh authenticaton-retires 3
radio off
ip ssh admin-access
ip ssh port 22
!
ntp server ip <ntp server ip>
ipsec isakmp admin <password> group 19 <password>
ipsec enable
!
igma secure enable
!
igms event destination <FND IP> 5683
!
igma profile iot-fnd-register
  active
  add-command show fpga
  add-command show inventory
  add-command show ip interface FastEthernet 0/1
  add-command show ipsec status info
  add-command show platform status
  add-command show radio
  add-command show version
  interval 2
  url https://fnd.iot.cisco.com:9121/igma/register
  exit
!
igma local-trustpoint sudi

Install Sudi Certificate with 2099 expiry in FND and TPS keystore

Sudi 2099 has to be installed in FND and TPS for compatibility with newer versions of images for devices.

Limitations and Restrictions

Cisco recommends that you review this section before you begin working with IoT FND. These are known limitations, and there is not always a workaround for these issues. Some features might not work as documented, and some features might be affected by recent changes to the software.

Feature

IoT FND Releases

Upgrade Impact

Firmware Upgrade during PnP

4.4 onwards

The PnP work flow supports device upgrade only if the target image version is higher than the running (current) image version.

If the target image runs the same or lower version, then the device upgrade is skipped during the PnP work flow.

External DHCP support for tunnel provisioning

Applicable for all IoT FND releases

External DHCP is not supported for tunnel provisioning in the Postgres-OVA deployment.

Caveats

This section presents open and resolved caveats in this release and information on using the Bug Search Tool to view details on those caveats. Section topics are:

Open Caveats

There are no known Open Caveats.

Resolved Caveats

Caveat Number

Description

CSCvt38501

FND CGMS setup script corrupts RAC setup (SF# 889732)

CSCvv02183

Need to revisit tunnel repro and DHCP addresses release workflows (enhancement) (Resolved in FND 4.7.2)

CSCvv44554

Upgrade status stuck as 35% for a few IR829 during bulk IOS installation with FND instance in GMM

CSCvx41566

FND keeps sending the same outage and restore events repeatedly to outage event subscribes

CSCvx41677

Data import of devices causing CPU and Memory spikes

CSCvw07363

Unable to move devices within domain’s firmware groups

CSCvw27421

FND: Push status shows “ERROR” when [you] do re-enrollment on Itron30

CSCvw27368

ZTD provisioning settings - no verification and cgnms.propoerties check

CSCvw28528

Nullpointer exception when processing IR500 periodic

CSCvy55237

[Fw_upload] FW upgrade for IR1101 failing in 4.7.1 postgres ova (Resolved in FND 4.7.2)

CSCvz18999

Endpoints States Over Time and Router States Over Time Dashboard UI error for non-root users (Resolved in FND 4.7.2)

Accessing the Bug Search Tool

You can use the Bug Search Tool to find information about caveats for this release, including a description of the problems and available workarounds. The Bug Search Tool lists both open and resolved caveats.

To access the Bug Search Tool, you need the following items:

  • Internet connection

  • Web browser

  • Cisco.com user ID and password

To access the Bug Search Tool, use the following URL: https://tools.cisco.com/bugsearch/search

To search using a specific bug ID, use the following URL: https://tools.cisco.com/bugsearch/bug/<BUGID>.

Related Products

In addition to Cisco IoT FND, you can use the following tools to manage the Cisco 1000 Series Connected Grid Routers (CGR1000), the Cisco 800 Series Industrial Integrated Routers (IR800), and the Cisco 500 Series WPAN Industrial Routers (IR500):

Command Line Interface

Use the command line interface (CLI) to configure, manage, and monitor the routers noted above.

Cisco IoT Device Manager

The Cisco IoT Device Manager (IoT-DM or Device Manager) is a Windows-based application for field management of a single router at a time. IoT-DM uses a local Ethernet or WiFi link to connect to the routers noted above.

Related Documentation