
Exigo PA/GA System

Network Guideline

Maritime & Energy Applications

TECHNICAL MANUAL A100K12107


Contents

1 Introduction ......................................................................................................... 3
1.1 Document Scope ................................................................................................................... 3
1.2 Publication Log ...................................................................................................................... 3
1.3 Related Documentation ......................................................................................................... 3
1.4 Terminology ........................................................................................................................... 3

2 System Overview................................................................................................. 5

3 Data Network Overview....................................................................................... 7


3.1 General Requirement for Data Networks for Maritime and Offshore Applications................ 7
3.1.1 Maritime Requirements ....................................................................................................................... 7
3.1.2 Offshore Requirements ....................................................................................................................... 9
3.1.3 Security Requirements ........................................................................................................................ 10
3.2 High Level Network View....................................................................................................... 11
3.2.1 Routing to/from Automation & SCADA systems .................................................................................. 13
3.2.2 Routing to/from IT Management .......................................................................................................... 13
3.2.3 Routing to/from External networks and systems.................................................................................. 13
3.3 Layer 2 Network Overview .................................................................................................... 14
3.4 Layer 3 Network Overview .................................................................................................... 15
3.5 Communication with EX Call Panels ..................................................................................... 16
3.6 Networked Systems ............................................................................................................... 16
3.6.1 Call Cases ........................................................................................................................................... 17
3.7 Non Redundant PA System................................................................................................... 18

4 Guideline for Data Network................................................................................. 19


4.1 Layer 3 – Network Configuration ........................................................................................... 19
4.1.1 IP address assignment for Exigo equipment ....................................................................................... 19
4.2 Layer 2 Switch Configuration................................................................................................. 20
4.3 Connection diagram and cable reference list ........................................................................ 20
4.4 General Configuration ........................................................................................................... 21
4.5 Switchports and Profile Configuration ................................................................................... 25
4.6 Flowire Configuration ............................................................................................................. 28
4.7 Router Configuration ............................................................................................................. 31
4.8 NTP Server ............................................................................................................................ 36
4.9 Network Monitoring ................................................................................................................ 37
4.10 Backup & Restore .................................................................................................................. 39

ANNEX Onboard Secure Network ............................................................................... 44


1 Introduction
1.1 Document Scope
This guide describes the network setup of the Vingtor-Stentofon Exigo platform for Energy, Offshore &
Marine Applications.

The Exigo PA/GA system is an advanced IP PA/GA system, capable of delivering critical communication
in demanding environments, and it is certified for the most stringent safety standards for Public
Address and General Alarm.

This guide includes descriptions of network setup, configuration and best practices for critical
communication.

This guide assumes that the reader is familiar with the setup of Exigo, network terms and topology.

1.2 Publication Log


Revision   Date         Author   Status
1.0        12.04.2021   SRN      Draft
1.1        29.04.2021   SRN      Draft
1.2        21.05.2021   SRN      Draft
2.0        31.05.2021   SRN      Final Version

1.3 Related Documentation


Doc. no.      Documentation
A100K11460    Exigo Technical Manual
A100K11510    Exigo System Description
A100K11471    Exigo User Guide for Call Panels
A100K11706    Flowire Guidelines for Exigo
A100K11499    Exigo Ex Call Panels & Turbine Ex Intercoms – Installation & Maintenance
A100K11579    Exigo Alarm Call Panels Mounting Manual
A100K11523    Exigo Ex Call Panels Mounting Manual
ExigoWiki     Articles on https://exigo.zenitel.com

1.4 Terminology
Acronym   Description
AMP       Amplifier
DIP       Display-data over IP, the control protocol used between devices and central equipment.
ESC       Exigo System Controller
GA        General Alarm

A100K12107 Data Network Guideline for Exigo PA/GA System 3


PA/GA     Public Address / General Alarm
ZAP       Zenitel Application Protocol, used for configuration and monitoring.
LAN       Local Area Network
SW        Switch, connects devices by using packet switching to receive and forward data to the destination.
MAC       Media Access Control address.
ACL       Access-control list, a list of permissions associated with a system resource.
STP       Spanning Tree Protocol, a network protocol that builds a loop-free logical topology.
VLAN      Virtual Local Area Network, configured to separate the broadcast domain in a switch.
RIP       Routing Information Protocol, a distance-vector routing protocol.
SNMP      Simple Network Management Protocol, a protocol for collecting and organizing information about
          managed devices on IP networks.



2 System Overview
The Exigo system is specially designed to meet the demands of PA/GA for energy, offshore and
marine installations. The main types of components of the Exigo system connected to the IP network
are:

Equipment Type       Item Number    Item Name      Description
Central Equipment    102 3000 000   ESC1           Exigo System Controller
                     102 3102 200   ENA2200        Exigo Network Amplifier, 2x200W
                     102 3102 400   ENA2400-DC     Exigo Network Amplifier, 2x400W
                     102 3102 410   ENA2400-AC     Exigo Network Amplifier, 2x400W
                     102 3102 100   ENA2100-AC     Exigo Network Amplifier, 2x100W
Network Equipment    100 8080 110   FCDC1          Flowire – Ethernet Converter, DC Voltage
                     100 8080 210   FCDC2          Flowire – Ethernet Converter, DC Voltage
                     100 8080 310   FCDC3          Flowire – Ethernet Converter, DC Voltage
                     102 3697 006   EPIPR-6        Exigo Power Injector, 6 Ports
                     102 3601 008   ENSER-8        Exigo Managed Network Switch, 8 Ports
                     102 3607 008   ESEER-8        Port Expansion Module for ENSER-8
                     222 0012 068   2960+24PC-L    Cisco 2960+24PC-L Ethernet Switch – IEC60945
                     222 0012 150   GLC-SX-MMD     Cisco SFP Transceiver Module, 1000Base-SX
                     222 0012 340   ISR4331-V/K9   Cisco ISR4331-V/K9 Voice Bundle
Call Panels          102 3200 030   ECPIR-P        Exigo Call Panel, PTT Key, For Pluggable Mic
                     102 3200 033   ECPIR-3P       Exigo Call Panel, PTT + 3 Keys, for Pluggable Mic
                     102 3201 008   EAPIR-8        Exigo Alarm Panel, 8 Keys
                     102 3201 201   EAPII-1        Exigo Alarm Call Panel, 1 Key
                     102 3201 206   EAPII-6        Exigo Alarm Call Panel, 6 Keys
                     102 3221 511   EAPFX-1        Exigo Alarm Ex Call Panel, 1 Key
                     102 3221 516   EAPFX-6        Exigo Alarm Ex Call Panel, 6 Keys
                     100 8132 020   TKIE-2         Turbine Kit IP Extended
                     100 8095 201   IP-LCM-A       IP Line Connection Module with Inputs/Outputs
                     100 8131 020   TKIS-2         VoIP Intercom Module for integration with passive speakers

Table 1: Exigo System Components



Figure 1: A-B Exigo System Components



3 Data Network Overview
3.1 General Requirement for Data Networks for Maritime and Offshore Applications
The data network solution for Exigo has to comply with the general PA/GA requirements defined in SOLAS
as well as the specific data network requirements defined by IMO and DNV.

3.1.1 Maritime Requirements

SOLAS has specified the following requirements for PA/GA systems:

▪ Operate 30 minutes after a mains power failure using the ship’s 24 VDC emergency supply
or UPS (230 VAC) with battery backup.
▪ Remain viable and be able to complete calls when part of the network infrastructure is down
▪ Systems providing integrated PA/GA shall provide no single point of failure for broadcasting
PA/GA in cabins and public areas
▪ Always have sufficient bandwidth to provide emergency services
▪ Protected from unauthorized use and interference
▪ Cabling infrastructure shall be approved for marine use

In addition to the general requirements for PA/GA systems, DNV has defined a new class notation for
Cyber Secure. The new class notation includes cyber security requirements for a vessel, intended
to protect the safety of the vessel, crew and passengers.

The class notation considers the critical systems which collectively make up a vessel's functions subject
to cyber security assessments. The following functions are considered:

▪ Functions needed for propulsion and steering
▪ Functions needed for maintaining safety
▪ Functions needed for the vessel's communication and navigation capabilities
▪ Functions needed for the vessel's industrial purposes

It is recommended that network layout and network control should be planned for all new buildings:

Physical layout

It is important to consider the physical location of essential network devices, including servers,
switches, firewalls and cabling.

▪ Always have a clear understanding of the entire network's infrastructure, for instance the
vendor/model, location, and basic configuration.
▪ Control removable physical media like hard drives or USB sticks.
▪ Control physical entry points and monitor everyone who comes and goes into the Data Center
or wherever the network devices are located.
▪ Physical access to critical networks should be protected with physical barriers, e.g. locked
cabinets or locked equipment rooms. The exception is access to VoIP terminals used for
communication networks, where PA access panels may be placed in public areas.
▪ The onboard IT/OT team should have a complete list of everyone who is allowed access, and
privileges should be revoked immediately when no longer necessary.
▪ Create a temporary user and password if support is needed from an external company, and
disable the user/password after the support is done.
▪ A member of your team should always be present if external personnel need to perform
any kind of work on the location.
▪ It is always recommended to install a PC or laptop for management purposes in the rack.

Network management

The network design will need to include an infrastructure for administering the IT and a clear
guideline for IT management.

▪ Only a few trained individuals should have access to network devices, and their activities on the devices
should be authorized and logged.
▪ Use managed switches. These provide key network services such as segmentation,
prioritization, time synchronization, multicast management and security.
▪ The network devices must not have any default manufacturer passwords.
▪ Change the passwords frequently.
▪ Only secure protocols may be used to access network devices for management.
▪ Logs from network devices should be collected, analyzed, and correlated in a central location,
for preventive measures as well as for incident response.

Network segmentation

Onboard networks should accommodate the necessary communication between OT equipment, the
onboard administrative and business tasks (IT networks) and recreational internet access for crew
and/or passengers/visitors. For this reason, onboard networks shall be segmented.

▪ Virtual Local Area Networks (VLANs) to assign separate subnets to critical departments. That way,
attackers will not be able to penetrate them, even if they connect to your local network.
▪ Logical access to the critical networks should be protected by a barrier, either air-gapping or
a firewall router.
o Air Gap: The air gap consists of physically separating the connections of two
networks.
o Firewalls: Firewalls are the most common elements used to carry out segmentation. Their
operation is based on allowing or denying traffic between different networks or
computers based on filtering rules.
▪ IPS sensors for horizontal segmentation. IPS sensors are designed to analyze network
activities that have the potential to damage the security of the network, and allow blocking certain
packets according to predefined rules.

Figure 2: Onboard Networks

For reference see DNV Doc. “Rules for Classification Ships. July 2018 Pt. 6 Ch. 5 Sec. 21”

3.1.2 Offshore Requirements

Chapter 11 of NORSOK T101 “Telecom Systems” outlines specific requirements for the data network
equipment. It is stated that “Critical data networks should be segregated into several networks (e.g.
office data network, technical network and critical/PCSS data network) and integrated as part of the
LAN/WAN infrastructure”.

On the aspect of cyber security, chapter 6 of NORSOK T101 refers to DNVGL-RP-G108, NOG 104,
NEK IEC 27001, and NEK IEC 27002, for the minimum requirements, and in addition outlines some
specific requirements for data networks.



3.1.3 Security Requirements

Cybersecurity risk assessment

Even though the Exigo system is not directly connected to the internet or to remote networks, it is good
practice to do a cybersecurity risk assessment. The objective of the cybersecurity risk assessment
is to reduce cyber risk to acceptable levels for the company and the vessels.

Typical threats and risks to be considered are:

▪ An attacker gets access to the PA/GA system to broadcast misleading information.
▪ An attacker gets access to the system to hinder important broadcasts from going out.
▪ An attacker uses the Exigo system as a gateway to reach other critical systems onboard.

Figure 3: Exigo System

The figure above gives a high-level view of how the Exigo system can be used for doing a risk
assessment. Mitigation of threats is about minimizing the attack surface in order to minimize the likelihood of
successful attacks. You typically minimize the attack surface in the following dimensions:

▪ Physical, e.g. equipment in locked rooms or cabinets.
▪ Logical, e.g. systems are segmented into dedicated networks that are either air-gapped or
protected by firewalls.
▪ Time, e.g. alarm events if someone disconnects a PA panel in a public area, or time-limited
remote access to a PA/GA network.

The objective of risk assessment is establishing a starting point and a strategy for the management
of cyber threats. This evaluation can have common aspects for all ships of a company, but it must
be individualized in each case since it can depend on several factors.



Cyber security assessment is the responsibility of the operator of the vessel or offshore installation.
This document is meant to help and advise. If you need guidance and counseling for carrying out the Risk
Assessment Evaluation on your vessel, please read the following guidelines or contact an
internationally accredited registrar and classification society like DNV:

IMO Guidelines on maritime cyber risk management, MSC-FAL.1/Circ.3
DNV, Maritime cyber security services and solutions

3.2 High Level Network View

Figure 4: High Level Network Topology

Both maritime and offshore rules require the establishment of barriers between main systems to prevent,
mitigate and respond to unintended network issues as well as intentional cyber attacks.
For a PA/GA solution the following main systems must be considered:

▪ PA/GA system
▪ IT management system
▪ Automation / SCADA
▪ Other external systems



Each of the above systems shall be allocated to their own network segment with a router managing
the communication flow between the systems.
Table 2 gives a list of protocols and ports the Exigo system supports, along with a description of use.

Protocol                   Transport  Port         Description
HTTP                       TCP        80           Web interface for configuration of the Exigo system
HTTPS                      TCP        443          Web interface for configuration of the Exigo system with TLS
ZAP-Web                    TCP        8080         Zenitel Application Protocol web interface. Protocol to read a live feed
                                                   of configuration and status.
Device Protocol (DIP) (1)  TCP        50001        Communication between devices and controller
ZAP                        TCP        50004        Zenitel Application Protocol, used for transfer of configuration data
                                                   between the ESC and EMT and devices
Modbus                     TCP        502          Device management for automation/SCADA system
SSH                        TCP        22           For remote access to the controller terminal on the Exigo system
TFTP                       UDP        69           Trivial File Transfer Protocol, used for software updates
NTP                        UDP        123          Network Time Protocol, for clock syncing
SNMP                       UDP        161          Simple Network Management Protocol
SNMP Trap                  UDP        162          Asynchronous notification from agent to manager
SIP                        UDP        5060         Connect to external VoIP networks
VoIP                       UDP (2)    61000-62000  Voice channels for devices

(1) A device in this instance refers to call panels.
(2) Unicast and multicast.

Table 2: Exigo Protocols and Ports

The Exigo system supports two levels of barriers. These are:

▪ The internal firewall in the Exigo system
▪ The router managing the communication flow to other systems

The table below gives recommended settings for the internal firewall and the router.

▪ X: Mandatory protocol
▪ (X): Optional protocol

The second column shows the recommended settings for the internal firewall, while the three last columns show
the recommended settings for the router towards each of the other systems.

Protocol                Internal Firewall   Automation/SCADA   IT-Management   External
HTTP                    X                                      (X)
HTTPS                   (X)                                    (X)
ZAP-Web                 (X)
Device Protocol (DIP)   X
SSH                     (X)                                    (X)
Modbus                  (X)                 (X)
TFTP                    (X)                                    (X)
NTP                     X                                      (X)
SNMP                    (X)                 (X)                (X)
SNMP Trap               (X)                 (X)                (X)
SIP                     X                                                      (X)
VoIP                    X                                                      (X)
ZAP                     X

Table 3: Exigo Recommended Subnet Routing

3.2.1 Routing to/from Automation & SCADA systems

Exigo supports integration into automation systems. This may include:

▪ SNMP
▪ SNMP trap
▪ MODBUS

3.2.2 Routing to/from IT Management

IT management might want more hands-on control of the PA/GA system. This may include:

▪ Sync time (NTP)
▪ Software update (TFTP)
▪ Configure system (HTTP/HTTPS/ZAP)
▪ Monitor system (SNMP/SNMP trap)
▪ Remote access (SSH)

3.2.3 Routing to/from External networks and systems

Exigo can be connected to the following external systems:

▪ PBX systems
▪ Other SIP systems

This will require that the SIP and VoIP ports are enabled in the router between the subnets.
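As an added example (not part of the manual and not a Zenitel tool), the following Python encodes Table 2 and the router columns of Table 3, so the routing recommendations in 3.2.1 to 3.2.3 can be checked against flows seen at the router and rendered as Cisco IOS extended-ACL lines. The segment names, the sample subnets and the sample flows are constructed assumptions for the demonstration.

```python
"""Table 2 (ports) and the router columns of Table 3 (recommended subnet
routing) as data: look up whether a flow between a peer segment and the
PA/GA segment is recommended, flag off-policy flows, and render the rules
as IOS extended-ACL lines. Added example; subnets and flows are constructed."""
import ipaddress

# Table 2: protocol -> (transport, port range)
PORTS = {
    "HTTP": ("tcp", range(80, 81)),
    "HTTPS": ("tcp", range(443, 444)),
    "ZAP-Web": ("tcp", range(8080, 8081)),
    "DIP": ("tcp", range(50001, 50002)),
    "ZAP": ("tcp", range(50004, 50005)),
    "Modbus": ("tcp", range(502, 503)),
    "SSH": ("tcp", range(22, 23)),
    "TFTP": ("udp", range(69, 70)),
    "NTP": ("udp", range(123, 124)),
    "SNMP": ("udp", range(161, 162)),
    "SNMP Trap": ("udp", range(162, 163)),
    "SIP": ("udp", range(5060, 5061)),
    "VoIP": ("udp", range(61000, 62001)),
}

# Table 3, router columns: protocols the router should pass between the
# PA/GA segment and each peer segment (both X and (X) entries are listed).
ROUTER_POLICY = {
    "Automation/SCADA": {"Modbus", "SNMP", "SNMP Trap"},
    "IT-Management": {"HTTP", "HTTPS", "SSH", "TFTP", "NTP", "SNMP", "SNMP Trap"},
    "External": {"SIP", "VoIP"},
}

# Who opens the flow, seen from the PA/GA segment: the peer ("in", default),
# Exigo itself ("out": SNMP traps go agent -> manager) or either side ("both").
INITIATOR = {"SNMP Trap": "out", "SIP": "both", "VoIP": "both"}


def lookup(segment, transport, port):
    """Return the Table 3 protocol that permits this flow, or None."""
    for name in ROUTER_POLICY.get(segment, ()):
        proto, ports = PORTS[name]
        if proto == transport and port in ports:
            return name
    return None


def acl_lines(segment, peer_cidr, paga_cidr):
    """Render the router rules for one peer segment as IOS extended-ACL lines.
    Stateless rules for the initiating direction only; return traffic is left
    to the router's stateful inspection or an 'established' rule."""
    peer = ipaddress.ip_network(peer_cidr)
    paga = ipaddress.ip_network(paga_cidr)
    out = []
    for name in sorted(ROUTER_POLICY[segment]):
        proto, ports = PORTS[name]
        match = (f"range {ports[0]} {ports[-1]}" if len(ports) > 1
                 else f"eq {ports[0]}")
        direction = INITIATOR.get(name, "in")
        if direction in ("in", "both"):   # peer -> Exigo, destination port
            out.append(f"permit {proto} {peer.network_address} {peer.hostmask} "
                       f"{paga.network_address} {paga.hostmask} {match}")
        if direction in ("out", "both"):  # Exigo -> peer, destination port
            out.append(f"permit {proto} {paga.network_address} {paga.hostmask} "
                       f"{peer.network_address} {peer.hostmask} {match}")
    out.append("deny ip any any log")  # log whatever Table 3 does not cover
    return out


def audit_flows(flows):
    """Return the observed flows (segment, transport, dst_port) that Table 3
    does not recommend, e.g. from a router log or a capture summary."""
    return [f for f in flows if lookup(*f) is None]


# Constructed sample: three flows seen at the router, one of them off-policy.
SAMPLE_FLOWS = [
    ("IT-Management", "udp", 123),      # NTP sync: recommended
    ("Automation/SCADA", "tcp", 502),   # Modbus: recommended
    ("Automation/SCADA", "tcp", 22),    # SSH from the SCADA segment: not in Table 3
]

if __name__ == "__main__":
    for line in acl_lines("External", "192.0.2.0/24", "172.32.0.0/16"):
        print(line)
    print("off-policy:", audit_flows(SAMPLE_FLOWS))
```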



3.3 Layer 2 Network Overview

Figure 5: Layer 2 Network Overview for a Exigo A-B System

Figure 5 shows the layer 2 network setup for the Exigo system. The network solution for a single-site
A-B system is a redundant network based on two Cisco switches. The switches are interconnected
directly, and each call panel has a redundant connection to each switch.

The switches use Rapid Spanning Tree Protocol (RSTP) to protect against network loops; redundant
links stay in blocking mode unless there is a failure in the network. In addition to using
a modern and robust protocol, the proposed solution uses a set of additional switch features,
discussed in chapter 4.3, to decrease the risk even further.

The solution provides the required redundancy for the network and for its control plane: there is
no single point of failure in the hardware or software, and the potential negative failure mode
of STP is mitigated by the relevant features.

It is important to note that the call panel only uses one link at a time, because RSTP blocks loops in
the system. Messages from ESC-A to AMP-B need to travel through the redundant links between
the switches, and cannot be passed through the call panel.



3.4 Layer 3 Network Overview

Figure 6: Layer 3 Network Overview

• Public Address
Public address service is initiated by a person using a call panel, and the live speech is sent
to both A and B controller as illustrated in Figure 6.
1. Step 1 Call panels to system controller
a. When call is initiated, the call panel signals to both controllers as DIP data
messages
b. Media is sent to both controllers as RTP/UDP unicast data
2. Step 2 System controller to amplifiers
a. Both controllers accept the RTP/UDP audio stream from the call panel
b. Both controllers then send separate RTP/UDP multicast streams to the
amplifiers of both the A and B system. The A-system stream will have priority
over B-controllers stream.
3. Step 3 Amplifier to speakers
a. The amplifier receives both RTP/UDP streams, from the A controller and the B
controller. By default, the amplifier listens to the A controller's stream, but in
case of an A system failure, the B stream is used instead.
• General Alarm
General Alarm audio will follow the same path as in Figure 6, with the exception of step 1
since the sound is generated in the controller.
1. Step 1 Event to system controller
Different event can trigger an alarm, such as a relay closing, a push button sending
a DIP message to the Exigo system, or a third-party integration causing a software
triggered event. The exact cause of a triggered alarm, and the protocol it propagates
by, depends on the system design.
2. Step 2 System controller to amplifiers
a. The signal (analog, DIP, SIP etc.) for activating the alarm is received by both
controllers
b. Behaves in the same manner as for live speech



3. Step 3 Amplifier to speakers
Behaves in the same manner as for live speech (with parallel wired config)

3.5 Communication with EX Call Panels


For some systems it is convenient to let Ethernet run on the same two wires as power; this
feature is called Flowire. Flowire enables single-pair cables that distribute both power and
data to call panels. In addition, the maximum length of a Cat 6 cable is approximately 100 meters,
while a Flowire system can reach up to the 500 meter range.

Flowire must be used together with Ex panels instead of Ethernet cables with PoE.
Figure 7 shows an example system where Flowire is used in an Ex and industrial system.

Figure 7: Example of Flowire Cabling in Ex & Industrial Zones

The Flowire system has some special requirements for the switch configuration and setup. For a more
technical view of the Flowire system, please refer to A100K11422 "Flowire Configuration Manual"
and A100K11706 "Flowire Guidelines for Exigo".

3.6 Networked Systems


With the use of a SIP trunk it is possible to integrate different Exigo systems.
Up to 8 Exigo systems can be connected in ExigoNet. This allows for very large and distributed
systems.



Figure 8: ExigoNet

In case of ExigoNet, both controllers have a SIP connection to all other controllers in the system.

3.6.1 Call Cases

• Public Address
In the case of live announcement, audio will be sent from the call panel to both controllers on
the same site. The controllers will then distribute the message by SIP to all other controllers,
who in turn will route the audio to the required zones, as illustrated in Figure 8.
1. Step 1 Call panel to system controller
a. When call is initiated, the call panel signals as DIP data messages
b. Media is sent to both controllers on the same network as RTP/UDP unicast
data
2. Step 2 The call panel will have dual data cabling, where one interface is connected
to A-System and the other is connected to B-System (Ref. Figure 5)
a. Both controllers accept the RTP/UDP audio stream from the call panel
b. SIP session is set up between the local controllers and all other controllers on
the ExigoNet
3. Step 3 System controller to amplifiers
a. Receives the SIP RTP/UDP packets
b. Both controllers then send separate RTP/UDP streams to the amplifiers of
both the A and B system. The A-system stream will have priority over the
B-controller's stream.



4. Step 4 Amplifier to speakers
The RTP/UDP stream gets converted to 100V audio signal and distributed to the
speakers.
• General Alarm
In case of an alarm, the input may vary (relay, event etc.). The sound will be generated in the
controllers and distributed in the same way as live speech.
1. Step 1 Event to system controller
As in a single-site A-B system, different events can trigger an alarm. The exact cause
of a triggered alarm, and the protocol it propagates by, depends on the system design.
2. Step 2 System controller to ExigoNet
a. The signal (analog, DIP, SIP etc.) for activating the alarm is received by both
controllers
b. Behaves in the same manner as for live speech
3. Step 3 System controller to amplifiers
Behaves in the same manner as for live speech
4. Step 4 Amplifier to speakers
Behaves in the same manner as for live speech

3.7 Non Redundant PA System


Most vessels will require a redundant A-B system, but a simpler non-redundant solution could be
implemented if there is no strict need for redundancy.
The network configuration examples and guidelines shown in this document also apply to a
non-redundant PA system.



4 Guideline for Data Network

4.1 Layer 3 – Network Configuration

Figure 9: High Level Network Topology

The main parts for the layer 3 configuration are:

1. IP address assignment for Exigo equipment
2. Configuration of internal firewall in Exigo equipment
3. Configuration of router and routing rules

Note! Please see chapter 3.2 “High Level Network View” for information for setting up internal firewall
and router.

4.1.1 IP address assignment for Exigo equipment

The Exigo System Controller (ESC1) must be set up with a static IP address. The other Exigo
equipment supports both dynamic (DHCP) and static address assignment.

It is good practice to keep an overview of the different Exigo IP equipment and the associated IP
addresses. Zenitel has also found it useful to allocate sub-ranges of IP addresses to different equipment
types. This makes analysis of Wireshark traces easier in case network traffic has to be
analysed.



4.2 Layer 2 Switch Configuration
The main parts for the layer 2 switch configuration are:

▪ Connection diagram and cable reference list
▪ General switch configuration
▪ Define switch port profiles
▪ Assign switch ports to profiles

To have type approval it is required that the network switches are bought via Zenitel.

4.3 Connection diagram and cable reference list


The connection diagram and cable reference list define how the ports on the network switches and
the Exigo equipment connect to the cabling infrastructure.

Figure 10: Exigo Cabling Infrastructure

A redundant network needs switches to route traffic and provide proper segregation of systems.
Several methods exist to improve the robustness and stability of a redundant data network.

▪ Rapid Spanning Tree Protocol (RSTP) is a link management protocol, defined in IEEE
802.1D, for bridged networks. RSTP provides path redundancy while preventing undesirable
loops in networks consisting of multiple active paths. RSTP uses the Bridge Protocol Data
Unit (BPDU), a data message, to detect loops in network topologies.

▪ STP Loop Guard – This feature will shut down a local switch-to-switch port if the remote switch
experiences an STP protocol failure, or the link is unidirectional (a common failure in fiber
networks). This feature protects the network from RSTP failing negatively and looping, by
introducing a positive failure mode on established inter-switch links.

▪ Storm Control – This feature is implemented on all ports, limiting the amount of allowed
broadcast/multicast packets, to protect the control plane of the network and the applications
running over the network. This feature protects the network from external sources of errors,
like a failing NIC, failing protocol stacks or processes creating erroneous traffic.

▪ STP Portfast – This feature will prevent STP TCN BPDU flooding when an end-host port flaps,
protecting the control plane of the network from extra processing of unneeded change
notifications.

▪ BPDU Guard – This feature is configured on all ports except inter-switch ports and will shut
down a port if it receives an STP BPDU, typically from mis-cabling. This feature protects
against mis-cabling in case of maintenance or work in cabinets where the equipment is
located.

These features can be configured in the switches and should be considered when designing the
system to ensure security and robustness.

4.4 General Configuration


The switch can be reached via a serial line to the console port. Use a terminal emulator and
configure it with baud rate = 9600; data bits = 8; stop bits = 1; parity = none; flow control = none.

The following picture will be used as an example to illustrate and explain the network configuration
needed for an Exigo A-B System:



Figure 11: Example of Exigo A-B System

IP table for this network setup. This is an example; IP addresses and Fast Ethernet ports (Fa) can
be changed and modified as needed:

Exigo Rack A             SW port                        IP             Subnet
Switch A                 -                              172.32.1.10    /16
Exigo Controller A       Fa0/1                          172.32.1.20    /16
Exigo Amplifier A        Fa0/2                          172.32.1.30    /16
Unused Ports             Fa0/5-Fa0/10, Fa0/12-Fa0/22    -              -
SW A to SW B             Fa0/23                         -              -
SW A to Central SW       Fa0/24                         -              -

Exigo Rack B             SW port                        IP             Subnet
Switch B                 -                              172.32.2.10    /16
Exigo Controller B       Fa0/1                          172.32.2.20    /16
Exigo Amplifier B        Fa0/2                          172.32.2.30    /16
Unused Ports             Fa0/5-Fa0/10, Fa0/12-Fa0/22    -              -
SW A to SW B             Fa0/23                         -              -
SW B to Central SW       Fa0/24                         -              -

Call Panels              SW port                        IP             Subnet
Redundant Panel AB - 1   Fa0/3                          172.32.1.40    /16
Redundant Panel AB - 2   Fa0/11                         172.32.1.101   /16
Non Redundant Panel A    Fa0/4                          172.32.1.50    /16

Central Equipment        SW port                        IP             Subnet
Router                   Fa0/48                         172.32.0.1     /16
Management Computer      -                              10.0.0.60      /24
Central SW               -                              172.32.0.10    /16

Table 4: Example of Equipment and IP list for an A-B system

Once we have a clear idea of the network setup and a list of the desired IPs, we can start configuring
the system.
Table 5 below contains the general switch configuration needed to achieve the functionality and
security requirements for an Exigo A-B system, which are mainly:

▪ Management login: secure passwords, encryption enabled.
▪ VLAN Trunking Protocol (VTP) in transparent mode does not advertise the VLAN configuration
and does not synchronize the VLAN configuration based on received advertisements. It is
very useful in secure data centre environments.
▪ Access Lists or ACLs (called FilterIn in the following examples): This access-list configuration
will block any attempt to start a www, telnet, ftp or ssh session from a switchport. It will allow
ping only from the management PC (10.0.0.60).
▪ Port Security will enable access only for the MAC addresses of known devices. It will block
and shut down a switchport if an unknown device connects to an unauthorized port.
▪ “Parking” VLAN for unused ports: As an example, we have created VLAN 999 without
DHCP, inter-VLAN routing or management. This VLAN is assigned to all the unused LAN
ports on the switch. Unused ports are also administratively shut down.
▪ Spanning Tree (STP) is needed to provide path redundancy while preventing undesirable
loops in the network, but it has absolutely no security built into it and can be exploited in
multiple ways. There are three methods to mitigate the risk on Cisco switches, included in the
configuration example below: disabling Dynamic Trunking Protocol, enabling BPDU Guard
and enabling BPDU Filter.

The configuration marked in red should be changed according to preferences and which switch is
being configured.

General Switch Config Configuration Commands


no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Exigo-SW-A
!
boot-start-marker
boot-end-marker
!
enable secret level 15 Y0urS3cur3P@ssw0rd
!
no aaa new-model
system mtu routing 1500
vtp domain test.exigo
vtp mode transparent
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 1 priority 0
spanning-tree vlan 1 hello-time 1
spanning-tree vlan 1 forward-time 4
!
vlan internal allocation policy ascending
!
template mon
!
vlan 999
name Parking_for_Unused_Ports
!
interface Vlan1
ip address 172.32.1.10 255.255.0.0
no ip proxy-arp
no shutdown
!
interface Vlan999
description Parking_VLAN
no ip address
no ip proxy-arp
shutdown
!
ip default-gateway 172.32.0.1
ip http server
ip http secure-server
!
ip access-list extended FilterIn
remark -Allow only necessary traffic from Exigo equipment
deny tcp any any eq www
deny tcp any any eq telnet
deny tcp any any eq ftp
deny tcp any any eq 22
permit tcp any any
permit udp any any
permit icmp any host 10.0.0.60
permit igmp any host 239.192.0.199
permit igmp any 239.192.1.0 0.0.0.31
permit igmp any 239.192.2.0 0.0.0.31
!
line con 0
exec-timeout 320 0
password Y0urS3cur3P@ssw0rd
line vty 0 4
exec-timeout 320 0
password Y0urS3cur3P@ssw0rd
login
line vty 0 15
login
!
end
Table 5: Switch A – Main Config Example

There are different ways to configure the switches; the config above is just one of multiple choices
available. Note that Table 5 enables both ip http server and ip http secure-server: if the web
interface is needed at all, keep only the HTTPS server (no ip http server) and restrict it to the
management PC with ip http access-class. For example:
Management options:
▪ SSH v2 enabled, Telnet disabled (login local requires a local username/secret account):

Remote Management Config   Configuration Commands

!Generating the RSA key pair requires a hostname (set in Table 5) and a domain name.
!The domain name and the local account are assumed values for this example.
ip domain-name exigo.local
username admin privilege 15 secret Y0urS3cur3P@ssw0rd
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 15
transport input ssh
login local
!

▪ All SSH and Telnet disabled. The only way to connect to the switch is with direct console
access:

Remote Management Config Configuration Commands


line vty 0 4
transport input none
!
line vty 0 15
transport input none

▪ To mitigate brute-force password attacks against the devices, you can configure a maximum
number of failed login attempts after which the local user is locked out, using the command
aaa local authentication attempts max-fail {value}. This command requires aaa new-model
(Table 5 has no aaa new-model), so enable AAA first and verify that console and vty logins
still work before closing the session.

It is also possible to configure an external AAA server (RADIUS or TACACS+) for authentication,
which makes it easy to change, enable or disable account passwords, enforce strong password
policies, and monitor account usage and user access.

Port Security options:


▪ You can define the action taken when a violation occurs on a port with the command
switchport port-security violation {protect | restrict | shutdown}:
o Protect: discards traffic from unknown MAC addresses but keeps the port up. No SNMP trap or
syslog message is sent, so violations go unnoticed.
o Restrict: discards the traffic but keeps the port up. Sends an SNMP trap and a syslog message
and increments the violation counter.
o Shutdown: discards the traffic, puts the port in the err-disabled state and sends an SNMP trap
and a syslog message. The port stays down until an administrator issues shutdown / no shutdown
on it, or errdisable recovery is configured.
▪ You can specify the MAC addresses allowed on the port manually, or let the switch learn them,
using switchport port-security mac-address {value} or switchport port-security mac-address
sticky. Sticky addresses are written into the running configuration, so save the configuration
after the authorised devices have been learned.

4.5 Switchports and Profile Configuration


The different network ports on the switches will need to be specifically configured for the services
and equipment the port shall connect. To do this, you need to define, create and apply different port
profiles on these switchports.
Table 6 shows the central equipment that can be connected to the IP network:

Equipment Type      Item Number    Item Name    Description
Central Equipment   102 3000 000   ESC1         Exigo System Controller
                    102 3102 200   ENA2200      Exigo Network Amplifier, 2x200W
                    102 3102 400   ENA2400-DC   Exigo Network Amplifier, 2x400W
                    102 3102 410   ENA2400-AC   Exigo Network Amplifier, 2x400W
                    102 3102 100   ENA2100-AC   Exigo Network Amplifier, 2x100W

Table 6: Exigo Central Equipment

Table 7 below shows the configuration of the different port profiles used in our A-B network
example when a network component or an Exigo central device is connected to the switches.

It includes the port security and ACL configuration needed on each port, depending on the device
connected to it, to protect the network and prevent unauthorized access. Note that the
ip arp inspection trust and ip dhcp snooping trust lines only have an effect once Dynamic ARP
Inspection and DHCP snooping are enabled globally (they are not in Table 5); a trusted port is
exempt from both checks, so if you enable these features, trust only the inter-switch trunks and
leave the ports towards end devices untrusted.
The configuration marked in red can be changed according to preferences and which port is being
configured.

Port             Device               Comments                      Profile Name

SW A

Fa0/1            Exigo Controller A   SW A port to Controller A     ACCESS_CONTROLLER
  interface FastEthernet0/1
   description Access_Controller
   switchport mode access
   switchport nonegotiate
   switchport port-security violation shutdown
   switchport port-security maximum 2
   switchport port-security mac-address sticky
   switchport port-security
   ip arp inspection trust
   ip access-group FilterIn in
   spanning-tree portfast
   spanning-tree bpduguard enable
   spanning-tree guard root
   ip dhcp snooping trust

Fa0/2            Exigo Amplifier A    SW A port to Amplifier A      ACCESS_AMPLIFIER
  interface FastEthernet0/2
   description Access_Amplifier
   switchport mode access
   switchport nonegotiate
   switchport port-security violation shutdown
   switchport port-security maximum 1
   switchport port-security mac-address sticky
   switchport port-security
   ip arp inspection trust
   ip access-group FilterIn in
   spanning-tree portfast
   spanning-tree bpduguard enable
   spanning-tree guard root
   ip dhcp snooping trust

Fa0/5-Fa0/10     Unused Ports         Unused ports on SW A          ACCESS_PARKING
  interface range FastEthernet0/5-10
   description Access_Parking
   switchport access vlan 999
   switchport mode access
   switchport nonegotiate
   switchport port-security
   storm-control broadcast level 0
   spanning-tree portfast
   spanning-tree bpduguard enable
   spanning-tree guard root
   no cdp enable
   shutdown

Fa0/23, Fa0/24   SW A to SW B,        Between switches              TRUNK_SW
                 SW A to Central SW
  interface range FastEthernet0/23-24
   description Trunk_SW
   switchport mode trunk
   switchport nonegotiate

SW B

Fa0/1            Exigo Controller B   SW B port to Controller B     ACCESS_CONTROLLER
  interface FastEthernet0/1
   description Access_Controller
   switchport mode access
   switchport nonegotiate
   switchport port-security violation shutdown
   switchport port-security maximum 2
   switchport port-security mac-address sticky
   switchport port-security
   ip arp inspection trust
   ip access-group FilterIn in
   spanning-tree portfast
   spanning-tree bpduguard enable
   spanning-tree guard root
   ip dhcp snooping trust

Fa0/2            Exigo Amplifier B    SW B port to Amplifier B      ACCESS_AMPLIFIER
  interface FastEthernet0/2
   description Access_Amplifier
   switchport mode access
   switchport nonegotiate
   switchport port-security violation shutdown
   switchport port-security maximum 1
   switchport port-security mac-address sticky
   switchport port-security
   ip arp inspection trust
   ip access-group FilterIn in
   spanning-tree portfast
   spanning-tree bpduguard enable
   spanning-tree guard root
   ip dhcp snooping trust

Fa0/5-Fa0/10     Unused Ports         Unused ports on SW B          ACCESS_PARKING
  interface range FastEthernet0/5-10
   description Access_Parking
   switchport access vlan 999
   switchport mode access
   switchport nonegotiate
   switchport port-security
   storm-control broadcast level 0
   spanning-tree portfast
   spanning-tree bpduguard enable
   spanning-tree guard root
   no cdp enable
   shutdown

Fa0/23, Fa0/24   SW B to SW A,        Between switches              TRUNK_SW
                 SW B to Central SW
  interface range FastEthernet0/23-24
   description Trunk_SW
   switchport mode trunk
   switchport nonegotiate

Table 7: SW Port Profiles for Central Equipment

Table 8 below lists the call panels that can be connected to the IP network:

Equipment Type   Item Number    Item Name   Description
Call Panels      102 3200 030   ECPIR-P     Exigo Call Panel, PTT Key, For Pluggable Mic
                 102 3200 033   ECPIR-3P    Exigo Call Panel, PTT + 3 Keys, for Pluggable Mic
                 102 3201 008   EAPIR-8     Exigo Alarm Panel, 8 Keys
                 102 3201 201   EAPII-1     Exigo Alarm Call Panel, 1 Key
                 102 3201 206   EAPII-6     Exigo Alarm Call Panel, 6 Keys
                 102 3221 511   EAPFX-1     Exigo Alarm Ex Call Panel, 1 Key
                 102 3221 516   EAPFX-6     Exigo Alarm Ex Call Panel, 6 Keys

Table 8: Exigo Call Panels

Table 9 below shows the configuration of the different port profiles used in our A-B network
example when an Exigo Call Panel is connected to the switches.

It includes the port security and ACL configuration needed on each port, depending on the device
connected to it, to protect the network and prevent unauthorized access.

The configuration marked in red can be changed according to preferences and which port is being
configured.

Port              Call Panels             Comments                        Profile Name

Fa0/11            Redundant Panel A-B     Panels connected to both the    TRUNK_PANEL_AB
(SW A and SW B)                           SW A and SW B systems
  interface FastEthernet0/11
   description Trunk_Panel_AB
   switchport mode trunk
   switchport nonegotiate
   ip arp inspection trust
   ip access-group FilterIn in
   ip dhcp snooping trust

Fa0/4             Non Redundant Panel A   End device connected to only    ACCESS_NON_AB
(SW A or SW B)                            one switch
  interface FastEthernet0/4
   description Access_NON_AB
   switchport mode access
   switchport nonegotiate
   switchport port-security violation shutdown
   switchport port-security maximum 1
   switchport port-security mac-address sticky
   switchport port-security
   ip arp inspection trust
   ip access-group FilterIn in
   spanning-tree portfast
   spanning-tree bpduguard enable
   spanning-tree guard root
   ip dhcp snooping trust

Table 9: SW Port Profiles for Exigo Call Panels

4.6 Flowire Configuration


The Flowire converters FCDC1, FCDC2 and FCDC3 enable Ethernet to run on the same two wires as
power, providing simpler cabling and allowing longer cable runs. The FCDC1 is capable of powering
Ethernet devices attached to it, such as call panels with PoE Mode B. The FCDC2 does not forward
power to its Ethernet port. Flowire can be used to support redundant connections, such as a call
panel connected to both main switches in an A-B system, as shown in Figure 12. This requires a
one-to-one connection to each switch.

Figure 12: Redundant Connections Ex Panel - 2 Flowire Units

Table 10 below shows the configuration of the different port profiles to be used if Flowire units
are connected to our A-B system. It includes the port security and ACL configuration needed on
each port, to protect the network and prevent unauthorized access.
The configuration marked in red can be changed according to preferences and which port is being
configured.

SW ports   Flowire                  Comments                            Profile Name

Fa0/22     Redundant Flowire        Flowire units in redundant          TRUNK_AB_FLOWIRE
                                    configurations, connected to
                                    both the A and B switches
  interface FastEthernet0/22
   description Trunk_AB_Flowire
   switchport mode trunk
   switchport nonegotiate
   ip arp inspection trust
   ip access-group FilterIn in
   ip dhcp snooping trust

Fa0/21     Non Redundant Flowire    Flowire units without a redundant   ACCESS_NON_AB_FLOWIRE
                                    link, connected to only one switch
  interface FastEthernet0/21
   description Access_NON_AB_Flowire
   switchport mode access
   switchport nonegotiate
   switchport port-security violation shutdown
   switchport port-security maximum 5
   switchport port-security mac-address sticky
   switchport port-security
   ip arp inspection trust
   ip access-group FilterIn in
   spanning-tree portfast
   spanning-tree bpduguard enable
   spanning-tree guard root
   ip dhcp snooping trust

Table 10: Port Profiles for Flowire

All Flowire units report two MAC addresses to the switch, so this must be taken into account in
all scenarios using Flowire, especially in the Port Security configuration: the maximum must count
every Flowire unit behind the port, not only the end devices.

▪ For a point-to-point link with Flowire, max addresses = 2 FW x 2 MAC + 1 Call Panel x 1 MAC
= 5 addresses:

Description Configuration Commands


interface FastEthernet0/10
switchport port-security violation shutdown
switchport port-security maximum 5
switchport port-security mac-address sticky
switchport port-security aging time 10
switchport port-security
!

Table 11: Port Security Flowire – Point to Point

▪ If one central Flowire unit serves several Flowire units, each with one Call Panel behind it,
the maximum is (number of Flowire units x 2 MAC) + number of Call Panels. In this case,
4 FW x 2 MAC + 3 Call Panels x 1 MAC = 4 x 2 + 3 = 11 MAC addresses:

Description Configuration Commands


interface FastEthernet0/11
switchport port-security violation shutdown
switchport port-security maximum 11
switchport port-security mac-address sticky
switchport port-security aging time 10
switchport port-security
!

Table 12: Port Security Flowire – Cascade

A more in-depth approach of setup and network configuration is given in A100K11706 “Flowire
Guidelines for Exigo”.

4.7 Router Configuration


Routing is the process of selecting a path for traffic within a network or across multiple
networks. With static routing, a network administrator enters the routes into the routing table
by hand, and the router uses them to forward packets to each destination network. With dynamic
routing protocols, the routing tables are built automatically from the routing information that
the routers exchange with each other, allowing the network to react almost autonomously to link
failures and congestion.

Static routing provides some advantages over dynamic routing, including:

▪ Static routes are not advertised over the network, resulting in better security.
▪ Static routes use less bandwidth than dynamic routing protocols, as routers do not exchange
routes.
▪ No CPU cycles are used to calculate and communicate routes.
▪ The path a static route uses to send data is known.

Static routing has the following disadvantages:

▪ Initial configuration and maintenance is time-consuming.


▪ Configuration can be error-prone, especially in large networks.
▪ Administrator intervention is required to maintain changing route information.
▪ Does not scale well with growing networks; maintenance becomes cumbersome.
▪ Requires complete knowledge of the whole network for proper implementation.

Often an Exigo Call Panel or an Exigo accessory needs to be installed in a different part of the
building or ship, on a different IP network than the Exigo system. To allow communication between
the Exigo system and these end devices or call panels, a router with a proper routing configuration
is needed.
The following examples illustrate an end device connected to the network in different ways. These
are only examples; the configuration and routing protocols will most likely need to be adapted to
your environment and platform.

▪ For example, to reach one or several end devices that belong to the same IP network range and
are installed in a different part of the network than Exigo, the following configuration is needed
if the dynamic routing protocol RIP v2 is chosen. Note that RIP as shown runs unauthenticated on
both interfaces; on a production router, enable RIP MD5 authentication on the interface facing the
RIP neighbour and make the interface without a neighbour passive (passive-interface), or use static
routes as in the next example:

Figure 13: Call Panels - One Router

The configuration marked in red can be changed according to preferences and which port is being
configured.

General Router Config Configuration Commands


interface GigabitEthernet0/0
ip address 172.32.0.1 255.255.0.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
router rip
version 2
network 172.32.0.0
network 192.168.1.0
!
Table 13: Router Config for remote Call Panels

If we need to communicate several end devices belonging to different IP network ranges, and
installed on different part of the network than Exigo, we would need the following configuration:

Figure 14 Call Panels - Several Routers

Table 14 shows the routing configuration needed in Router 1, Router 2 and Router 3, using static
routes. This is an example; routing can be done with several static routes or with different
dynamic routing protocols.
The configuration marked in red can be changed according to preferences and which port is being
configured.

General Router Config Configuration Commands


Router 1 Router1#config t
Router1(config)#ip route 172.16.30.0 255.255.255.0 172.16.20.2
Router1(config)#ip route 172.16.40.0 255.255.255.0 172.16.20.2
Router1(config)#ip route 172.16.50.0 255.255.255.0 172.16.20.2
Router1(config)#exit
Router 2 Router2#config t
Router2(config)#ip route 172.16.10.0 255.255.255.0 s1
Router2(config)#ip route 172.16.50.0 255.255.255.0 s0
Router2(config)#exit
Router 3 Router3#config t
Router3(config)#ip route 0.0.0.0 0.0.0.0 s1
Router3(config)#exit

Table 14: Router Configs for remote Call Panels

The more the Exigo network is opened up and the more access is given to it from other network
segments, the more efficient and precise the security mechanisms must be in order to prevent
unauthorized access or attacks.

Access Control Lists (ACLs) are always a good mechanism to prevent undesired access to the Exigo
network, by setting the rules that filter the network traffic. The following example shows how to
configure the ACLs for remote Exigo system management and to allow call panels on remote networks
to reach the system.

Figure 15: Example of Exigo A-B System

First, in order to simplify the access list, the IP addresses of the different kinds of equipment
are placed in object groups. Note that this example uses its own addressing (for instance, the
controllers are 172.32.1.50 and 172.32.2.50) rather than the addresses of Table 4:

▪ Controllers: IP addresses of the PSC (AMC-IP card) in the Exigo controller(s) in the system.
▪ EquipmentIn: addresses of the equipment on the "inside" (Exigo system network).
▪ MngmtIn: address(es) of the management computer placed on the "inside".
▪ MngmtOut: address(es) of the management computer placed on the "outside" (not directly on the
Exigo broadcast domain).
▪ StationOut: address(es) of Exigo equipment on the "outside".

The configuration marked in red can be changed according to preferences and which port is being
configured.

Object-Group Config Configuration Commands


object-group network Controllers
host 172.32.1.50
host 172.32.2.50
!
object-group network EquipmentIn
172.32.1.0 255.255.255.0
172.32.2.0 255.255.255.0
host 172.32.0.1
host 172.32.0.10
!
object-group network MngmtIn
host 172.32.5.1
!
object-group network MngmtOut
host 10.0.0.60
!
object-group network StationOut
host 10.0.0.180
host 10.0.0.181
!
Table 15:ACLs and Object-Groups Config

Then, we can create the ACLs that will allow only:

▪ Live speech from outside


▪ Alarm/message initiated from outside, sounds on both sides
▪ Alarm/message initiated from inside, sounds on both sides
▪ Save configuration from EMT from outside management PC
▪ Monitor system via EMT 1.5
▪ Upgrade via web from outside management PC
▪ Upgrade via IMT from outside management PC
▪ Upgrade via web from inside management PC (to outside unit)
▪ Upgrade via IMT from inside management PC (to outside unit)
▪ Access Exigo equipment via http from outside management PC
▪ Access Exigo equipment via https from outside management PC
▪ Access Cisco network equipment via telnet from outside management PC
▪ Access Cisco network equipment via ssh from outside management PC
▪ SNMP read of the system from the outside management PC
▪ SNMP traps to the outside management/monitoring PC (or other monitoring system)

The configuration marked in red can be changed according to preferences and which port is being
configured.

ACL Config Configuration Commands


line 1 permit tcp object-group MngmtOut object-group EquipmentIn eq www
line 2 permit tcp object-group StationOut object-group Controllers range 50000 50004
line 3 permit tcp object-group StationOut range 50000 50004 object-group Controllers
line 4 permit tcp object-group MngmtOut object-group Controllers range 50000 50004
line 5 permit udp object-group StationOut object-group EquipmentIn
line 6 permit udp object-group MngmtOut object-group EquipmentIn
line 7 permit tcp object-group StationOut eq www object-group MngmtIn
line 8 permit icmp object-group StationOut object-group EquipmentIn
line 9 permit icmp object-group MngmtOut any
line 10 permit tcp object-group MngmtOut object-group EquipmentIn eq telnet
line 11 permit tcp object-group MngmtOut object-group EquipmentIn eq 22
line 12 permit tcp object-group MngmtOut object-group EquipmentIn eq 443
line 13 permit udp object-group StationOut object-group MngmtIn
line 14 permit icmp object-group StationOut object-group MngmtIn
line 15 !
Table 16: “Router – Out” ACL. Configuration Example

Line#  Description
1      Permit the outside management PC web access to the components in the system (configuration and
       upgrade via IMT)
2      Permit outside equipment normal communication with the controllers (destination ports 50000-50004)
3      Permit outside equipment normal communication with the controllers (source ports 50000-50004)
4      Permit the outside management computer to communicate with the controllers for EMT monitoring
5      Permit TFTP traffic for upgrade of stations. Note that this line permits all UDP from the outside
       stations to the inside equipment, not only TFTP (UDP port 69); narrow it only after verifying
       which UDP ports the stations actually use
6      Permit TFTP traffic for upgrade of stations from the outside management PC (again all UDP, which
       also covers SNMP reads on UDP port 161)
7      Permit the inside management PC to access outside Exigo equipment (return traffic from the outside
       station's web server)
8      Permit PING from remote stations
9      Permit the management PC to ping local stations (any destination, so the management computer can
       ping any device in the network)
10     Permit the management PC telnet access to the Exigo equipment (not necessary for normal operation)
11     Permit the management PC ssh access to the Exigo equipment (not necessary for normal operation)
12     Permit the management PC HTTPS access to the components in the system (configuration and upgrade)
13     Permit an inside management PC to upgrade outside stations via VS-IMT (return traffic)
14     Ping from an outside station to the inside management PC
Table 17: Explanation of lines in ACL

Now the access list called "Router-out" can be applied to the router interface. IOS applies
ip access-group outbound when no direction is given, so the line ip access-group Router-out on
GigabitEthernet0/1 filters traffic leaving the router towards the Exigo network, i.e. traffic
entering the Exigo network from outside; the direction is written explicitly below so that the
intent is clear. Return traffic from the Exigo network towards the outside leaves through
GigabitEthernet0/0 unfiltered, which is why the ACL only needs to describe the outside-to-inside
direction of each flow.
The configuration marked in red shall be changed according to preferences and which port is being
configured:

Interface Config   Configuration Commands

interface GigabitEthernet0/0
ip address 10.0.0.172 255.255.255.0
ip pim sparse-dense-mode
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 172.32.0.1 255.255.0.0
ip access-group Router-out out
ip pim sparse-dense-mode
duplex auto
speed auto
!
Table 18: Apply the ACLs on Interface
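The two access lists on this page, FilterIn (Table 5, applied inbound on the access ports) and
Router-out (Tables 15 to 17), can be checked against concrete flows before they are deployed. The
following Python evaluator is an added example written for this guideline; it is not part of the
original document or of any Zenitel or Cisco tool. It encodes the object groups of Table 15 and both
ACLs as data, applies IOS first-match semantics including the implicit deny at the end, and the
flows in the main block are constructed for the example. It shows, for instance, that lines 5 and 6
of Router-out permit all UDP from the outside stations and management PC and not only TFTP, and
that an outside station cannot reach any inside web interface at all.

```python
"""Added example (our own code, not from the Exigo guideline): a small evaluator
for the two ACLs on this page, FilterIn (Table 5) and Router-out (Tables 15-17),
so that each flow can be checked against the rules before the configuration is
deployed. Object-group addresses are taken from Table 15; the test flows are
constructed for this example. As in IOS, the first matching entry wins and every
ACL ends with an implicit deny."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(text):
    """Build a network from 'a.b.c.d/len'; single hosts are written as /32."""
    return ipaddress.ip_network(text, strict=False)


# Object groups from Table 15 (netmask form converted to prefix length).
GROUPS = {
    "Controllers": [net("172.32.1.50/32"), net("172.32.2.50/32")],
    "EquipmentIn": [net("172.32.1.0/24"), net("172.32.2.0/24"),
                    net("172.32.0.1/32"), net("172.32.0.10/32")],
    "MngmtIn": [net("172.32.5.1/32")],
    "MngmtOut": [net("10.0.0.60/32")],
    "StationOut": [net("10.0.0.180/32"), net("10.0.0.181/32")],
}

# One tuple per ACE: (action, protocol, source, source ports, destination,
# destination ports). Source/destination are an object-group name or a network;
# a port range is (low, high) or None for any port ("eq 22" becomes (22, 22)).
FILTER_IN = [
    ("deny", "tcp", ANY, None, ANY, (80, 80)),      # deny tcp any any eq www
    ("deny", "tcp", ANY, None, ANY, (23, 23)),      # deny tcp any any eq telnet
    ("deny", "tcp", ANY, None, ANY, (21, 21)),      # deny tcp any any eq ftp
    ("deny", "tcp", ANY, None, ANY, (22, 22)),      # deny tcp any any eq 22
    ("permit", "tcp", ANY, None, ANY, None),
    ("permit", "udp", ANY, None, ANY, None),
    ("permit", "icmp", ANY, None, net("10.0.0.60/32"), None),
    ("permit", "igmp", ANY, None, net("239.192.0.199/32"), None),
    ("permit", "igmp", ANY, None, net("239.192.1.0/27"), None),  # wildcard 0.0.0.31
    ("permit", "igmp", ANY, None, net("239.192.2.0/27"), None),
]

ROUTER_OUT = [
    ("permit", "tcp", "MngmtOut", None, "EquipmentIn", (80, 80)),          # line 1
    ("permit", "tcp", "StationOut", None, "Controllers", (50000, 50004)),  # line 2
    ("permit", "tcp", "StationOut", (50000, 50004), "Controllers", None),  # line 3
    ("permit", "tcp", "MngmtOut", None, "Controllers", (50000, 50004)),    # line 4
    ("permit", "udp", "StationOut", None, "EquipmentIn", None),            # line 5
    ("permit", "udp", "MngmtOut", None, "EquipmentIn", None),              # line 6
    ("permit", "tcp", "StationOut", (80, 80), "MngmtIn", None),            # line 7
    ("permit", "icmp", "StationOut", None, "EquipmentIn", None),           # line 8
    ("permit", "icmp", "MngmtOut", None, ANY, None),                       # line 9
    ("permit", "tcp", "MngmtOut", None, "EquipmentIn", (23, 23)),          # line 10
    ("permit", "tcp", "MngmtOut", None, "EquipmentIn", (22, 22)),          # line 11
    ("permit", "tcp", "MngmtOut", None, "EquipmentIn", (443, 443)),        # line 12
    ("permit", "udp", "StationOut", None, "MngmtIn", None),                # line 13
    ("permit", "icmp", "StationOut", None, "MngmtIn", None),               # line 14
]


def _matches_addr(addr, spec):
    networks = GROUPS[spec] if isinstance(spec, str) else [spec]
    return any(addr in n for n in networks)


def _matches_port(port, port_range):
    if port_range is None:
        return True
    return port is not None and port_range[0] <= port <= port_range[1]


def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return (action, line number) of the first matching ACE, or
    ("deny", None) for the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (action, p, sspec, srange, dspec, drange) in enumerate(acl, 1):
        if p != proto:
            continue
        if (_matches_addr(s, sspec) and _matches_addr(d, dspec)
                and _matches_port(sport, srange) and _matches_port(dport, drange)):
            return action, number
    return "deny", None


if __name__ == "__main__":
    # Constructed flows: a controller behind a FilterIn port, and traffic
    # entering the Exigo network through the router interface Gi0/1.
    checks = [
        ("FilterIn", FILTER_IN, "tcp", "172.32.1.20", "10.0.0.60", 40000, 22),
        ("FilterIn", FILTER_IN, "icmp", "172.32.1.20", "172.32.1.30", None, None),
        ("Router-out", ROUTER_OUT, "tcp", "10.0.0.60", "172.32.1.20", 51000, 80),
        ("Router-out", ROUTER_OUT, "tcp", "10.0.0.180", "172.32.1.20", 51000, 80),
        ("Router-out", ROUTER_OUT, "udp", "10.0.0.180", "172.32.1.20", 51000, 5353),
    ]
    for name, acl, proto, src, dst, sport, dport in checks:
        action, line = evaluate(acl, proto, src, dst, sport, dport)
        print(f"{name:10} {proto:4} {src}:{sport} -> {dst}:{dport}: {action} (line {line})")
```

The evaluator is stateless, like the router ACL it models: a flow that needs a permit in the
reverse direction (for example the inside management PC browsing an outside station, lines 7 and
13) has to be tested as the return packet, with the outside address as the source.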

4.8 NTP Server


Accurate and uniform clocks on all network devices are also important: without them, logs from
different devices cannot be correlated during incident handling and log monitoring. You can
configure either an internal or an external NTP server.

In the following example, the external NTP server has IP address 10.1.200.90. The configuration
marked in red shall be changed according to preferences. Note that a key configured with
ntp authentication-key is only enforced once ntp authenticate is enabled; without it the switch
accepts unauthenticated time from any server it is configured to poll:

NTP Config   Configuration Commands
config terminal
!Enable NTP authentication (required for the key below to be enforced) and configure the key
ntp authenticate
ntp authentication-key 42 md5 password1
ntp trusted-key 42
!Example NTP server IP 10.1.200.90, authenticated with key 42
ntp server 10.1.200.90 key 42 prefer
!
Table 19: External NTP Server Config

4.9 Network Monitoring


Many network and IT infrastructure monitoring tools include log correlation and log analysis, and
make it easier to monitor network activity. Tools like Kiwi Syslog or PRTG Network Monitor can also
send e-mail or SMS notifications to the IT network management team when a predefined event has
occurred on the network.

Configure a Cisco Catalyst Switch to send messages to a Syslog Server


Syslog is a standard protocol used to send system log or event messages to a specific server, called
a syslog server. It is primarily used to collect various device logs from several different machines in
a central location for monitoring and review.
The configurable priority levels are:

▪ emergencies
▪ alerts
▪ critical
▪ errors
▪ warnings
▪ notifications
▪ informational (default level)
▪ debugging

In the following example, our external syslog server will have IP address 10.1.200.80. The
configuration marked in red can be changed according to preferences:

Syslog Config Configuration Commands


config terminal
!Enable logging
logging on
!Example, syslog server 10.1.200.80
logging 10.1.200.80
!Limit the messages sent based on priority levels
logging trap warnings
end
Table 20: Syslog Configuration

The Switch will send messages with the specified priority level and above. For example, the level
warnings sends messages with priority levels of warnings, errors, critical, alerts, and emergencies.
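A syslog server that receives the messages enabled in Table 20 still has to decide which of them
matter. The following Python example is added here; it is our own code, not part of the guideline
nor of Kiwi Syslog or PRTG. It parses the IOS %FACILITY-SEVERITY-MNEMONIC message format, drops
what a switch configured with logging trap warnings would not have sent in the first place, maps
the interface in the message back to the Switch A port list of Table 4, and raises an alert for a
port-security violation or for a link going down on a port that carries Exigo equipment or a trunk.
The log lines are constructed for the example, in the standard IOS message format.

```python
"""Added example (our own code, not from the Exigo guideline): triage of the
syslog messages a Catalyst switch configured as in Table 20 would forward, mapped
back to the Switch A port list from Table 4. The log lines are constructed for
this example in the standard IOS %FACILITY-SEVERITY-MNEMONIC format."""
import re
from dataclasses import dataclass
from typing import List, Optional

# IOS severity names in numeric order: index 0 = emergencies ... 7 = debugging.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# Switch A ports that carry Exigo equipment or trunks (Table 4). Parking ports
# are deliberately absent: they are shut down and should never produce events.
SW_A_PORTS = {
    "FastEthernet0/1": "Exigo Controller A",
    "FastEthernet0/2": "Exigo Amplifier A",
    "FastEthernet0/3": "Redundant Panel AB - 1",
    "FastEthernet0/4": "Non Redundant Panel A",
    "FastEthernet0/11": "Redundant Panel AB - 2",
    "FastEthernet0/23": "Trunk to SW B",
    "FastEthernet0/24": "Trunk to Central SW",
}

MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")
IFACE_RE = re.compile(r"\b((?:Fast|Gigabit)Ethernet\d+/\d+)\b")
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")


@dataclass
class Event:
    severity: int
    mnemonic: str
    port: Optional[str]
    device: Optional[str]
    mac: Optional[str]
    text: str


def parse(line: str) -> Optional[Event]:
    """Extract severity, mnemonic, interface and MAC address from one IOS log line."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    iface = IFACE_RE.search(m["text"])
    mac = MAC_RE.search(m["text"])
    port = iface.group(1) if iface else None
    return Event(int(m["sev"]), m["mnemonic"], port, SW_A_PORTS.get(port),
                 mac.group(1) if mac else None, m["text"])


def forwarded(severity: int, trap_level: str = "warnings") -> bool:
    """'logging trap warnings' forwards level 4 and everything more severe (lower numbers)."""
    return severity <= SEVERITY.index(trap_level)


def triage(lines: List[str], trap_level: str = "warnings") -> List[str]:
    """Return alert strings for the events that matter on an Exigo switch: a
    port-security violation on any port, or a link going down on a port that
    carries Exigo equipment or a trunk."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or not forwarded(ev.severity, trap_level):
            continue  # the switch would not have sent this at the configured level
        if ev.mnemonic == "PSECURE_VIOLATION":
            alerts.append(f"PORT-SECURITY {ev.port} ({ev.device or 'unmapped port'}) "
                          f"unknown MAC {ev.mac}")
        elif ev.mnemonic == "UPDOWN" and "to down" in ev.text and ev.device:
            alerts.append(f"LINK-DOWN {ev.port} ({ev.device})")
    return alerts


# Constructed sample, as received from Switch A with log timestamps enabled.
SAMPLE_LOG = [
    "*Mar  1 00:10:01.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23, changed state to down",
    "*Mar  1 00:10:01.101: %LINK-3-UPDOWN: Interface FastEthernet0/23, changed state to down",
    "*Mar  1 00:12:34.567: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/4.",
    "*Mar  1 00:12:35.000: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/4, putting Fa0/4 in err-disable state",
    "*Mar  1 00:15:00.000: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down",
    "*Mar  1 00:16:00.000: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

With logging trap warnings the LINEPROTO-5 and SYS-5 lines are never received, so the link event
is caught from the LINK-3 message instead; if configuration changes (SYS-5-CONFIG_I) should also
reach the server, the trap level has to be raised to notifications.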

Configure a Cisco Catalyst Switch to send traps to a SNMP Server


Simple Network Management Protocol (SNMP) is a standard protocol for collecting and organizing
information about managed devices on IP networks and for modifying that information to change
device behavior.

Several examples of relevant traps:

▪ The "Link Up" and "Link Down" SNMP traps report the operational status of a switch port. When
an Ethernet cable is plugged into a port or removed from it, the SNMP agent on the switch sends the
corresponding "Link Up" or "Link Down" notification to a network management station (SNMP
manager).

The following example shows how to enable link down and link up traps. The configuration marked
in red can be changed according to preferences. The community string "public" is a well-known
default: use a non-default string, restrict it with an access list (or use SNMPv3 with
authentication and privacy), and keep in mind that SNMPv2c traps carry the community string in
clear text:

SNMP - Port Status Config   Configuration Commands
config terminal
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps transceiver all
snmp-server host 10.0.0.61 version 2c public
!
Table 21: SNMP Port Status Traps Config

When a call panel disconnects from the port on a switch, it sends a notification to the SNMP Manager
(IP address 10.0.0.61 in this example), indicating that the Operational status of FastEthernet0/23 is
down as shown in the following screenshot.

Figure 16: Trap message showing Fa0/23 status

▪ Port Security is a layer-two traffic control feature on Cisco Catalyst switches. It allows
individual switch ports to be configured so that only a specified number of source MAC addresses
or hosts may send traffic into the port. The "port-security" SNMP trap reports any port security
violation that occurs on a switch port.

The following example shows how to enable Port Security traps. The switch will send a trap for
every port security violation it detects. The configuration marked in red can be changed according
to preferences:

SNMP - Port Security Configuration Commands


config terminal
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 0
snmp-server host 10.0.0.61 version 2c public
end

Table 22: SNMP Port Security Traps Config

If we disconnect the authorized host from the port FastEthernet0/4 and connect an unknown host,
the port security violation forces the interface into the shutdown state and the switch sends a trap to
inform about this event.

Figure 17: Trap message showing Security issue on Fa0/4

4.10 Backup & Restore


Network backup is one of the most important parts of the network security plan. It is the process
of identifying which network components need to be backed up and copying the configuration data of
all call panels and network nodes in the IT infrastructure to another server or to a network backup
device. This is typically done with network backup software or a network configuration manager,
but it can also be done manually.

Configure Cisco Switch to Backup Config

▪ Set up a TFTP server
▪ Connect to the device, either via console cable or SSH

The configuration marked in red can be changed according to preferences. Note that copy is a
privileged EXEC command: it is entered after enable, not inside config terminal. TFTP is
unauthenticated and unencrypted, and the running configuration contains the (reversible, type 7)
line passwords, so run the TFTP server only on the management network while the copy takes place,
or use copy running-config scp: over SSH where the platform supports it:

Backup Config   Configuration Commands

enable
copy running-config tftp
!Example TFTP Server 10.10.0.1
Address or name of remote host []? 10.10.0.1
Destination filename [Switch-confg]? SW_A_Backup
!!
7400 bytes copied in 0.548 secs (13504 bytes/sec)
Table 23: Cisco Backup Config Example

Restore Config   Configuration Commands

enable
copy tftp running-config
!Example TFTP Server 10.10.0.1
Address or name of remote host []? 10.10.0.1
Source filename []? SW_A_Backup
Destination filename [running-config]? {Enter}
Accessing tftp://10.10.0.1/SW_A_Backup...
Loading SW_A_Backup from 10.10.0.1 (via GigabitEthernet0/0): !
[OK - 7400 bytes]
7400 bytes copied in 0.440 secs (16818 bytes/sec)
!
copy run start
Table 24: Cisco Restore Config Example

Note that copy tftp running-config merges the file into the running configuration: commands that
are present on the switch but absent from the backup are kept. To replace the configuration
completely, copy the file to startup-config and reload the switch instead.
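A backup is only useful if it is compared with what is actually running. The following Python
example is added here and is not part of the guideline; it parses two IOS configurations section
by section and reports which commands disappeared or appeared since the backup was taken. The
baseline and drifted configurations are constructed excerpts of the profiles in Tables 5, 7 and 9,
and the drift it finds (port security and the ACL removed from Fa0/4, a parking port no longer
shut down, telnet re-enabled on the vty lines) is exactly the kind of silent weakening that a
periodic compare against the stored backup catches.

```python
"""Added example (our own code, not from the Exigo guideline): compare a switch
configuration backed up as in Table 23 with the configuration read back later,
section by section, so that removed hardening lines (port security, ACLs,
shutdown on parking ports, SSH-only vty) stand out. Both configurations are
constructed excerpts in IOS running-config format."""
from typing import Dict, List, Set


def parse_ios_config(text: str) -> Dict[str, Set[str]]:
    """Group a running-config into {section: set of child commands}.
    Top-level commands (no leading space) open a section; indented lines belong
    to the section above them; '!' separators and 'end' are ignored."""
    sections: Dict[str, Set[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() in ("!", "end"):
            continue
        if line.startswith(" ") and current is not None:
            sections[current].add(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, set())
    return sections


def config_drift(baseline_text: str, current_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Per section, list commands present in the baseline but missing now
    ('removed') and commands that appeared since the backup ('added')."""
    base, cur = parse_ios_config(baseline_text), parse_ios_config(current_text)
    drift = {}
    for section in sorted(set(base) | set(cur)):
        removed = sorted(base.get(section, set()) - cur.get(section, set()))
        added = sorted(cur.get(section, set()) - base.get(section, set()))
        if removed or added or (section in base) != (section in cur):
            drift[section] = {"removed": removed, "added": added}
    return drift


# Constructed baseline: the Fa0/4, parking-port and vty settings of Tables 5, 7 and 9.
BASELINE = """\
hostname Exigo-SW-A
!
interface FastEthernet0/4
 description Access_NON_AB
 switchport mode access
 switchport nonegotiate
 switchport port-security violation shutdown
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security
 ip access-group FilterIn in
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 description Access_Parking
 switchport access vlan 999
 switchport mode access
 shutdown
!
line vty 0 15
 transport input ssh
 login local
!
end
"""

# Constructed "current" config: port security and the ACL dropped from Fa0/4, a
# parking port brought up, and telnet re-enabled on the vty lines.
DRIFTED = """\
hostname Exigo-SW-A
!
interface FastEthernet0/4
 description Access_NON_AB
 switchport mode access
 switchport nonegotiate
 switchport port-security violation shutdown
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 description Access_Parking
 switchport access vlan 999
 switchport mode access
!
line vty 0 15
 transport input telnet ssh
 login local
!
end
"""

if __name__ == "__main__":
    for section, changes in config_drift(BASELINE, DRIFTED).items():
        for cmd in changes["removed"]:
            print(f"{section}: removed '{cmd}'")
        for cmd in changes["added"]:
            print(f"{section}: added '{cmd}'")
```

Feed it the file saved by copy running-config tftp and the output of a fresh show running-config
and schedule the compare; sticky port-security MAC addresses will show up as "added" lines the
first time a new authorised device is learned, which is expected and a reason to take a new
backup.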

Configure Exigo to Backup Config

The Exigo Management Tool (EMT) is a modern and easy to use configuration tool, which enables
configuration of the system with drag and drop features. Through EMT it is possible to:

▪ Browse to all the projects available


▪ Generate backup of the projects or restore the project
▪ Add zones to the system
▪ Add devices to the system
▪ Assign amplifiers to the system

▪ Get an easy overview of the components used in the system
▪ Change the names of zones
▪ Add functions to control inputs and buttons
▪ Assign priority and destination of actions

The following example shows how to back up or restore a project database to/from the hard disk.

▪ Select Projects

Backup Now
This will back up the project database to the hard disk under: \Documents\Exigo\1.4\Projects\
Restore
This will restore the project database from the hard disk under: \Documents\Exigo\1.4\Projects\

If desired, it is possible to import database files from existing projects, also.


To import files from an existing project:

▪ Select Projects > New

▪ Click the Import from existing Project files tab
▪ Click the right-arrow icon at the bottom of the window

▪ Click Browse to select the files under the directory \Documents\Exigo\Projects\


▪ Click Finish to complete the project file import procedure

To connect to the system controller and to download the project database:

▪ Select Projects > New

▪ Click the Connect and Get tab
▪ Click the right-arrow icon at the bottom of the window

▪ Enter the Project name


▪ Enter the Controller IP Address
▪ Click Finish

The system controller project database will now be downloaded as a new Exigo project file.

ANNEX Onboard Secure Network
The advice and information given in this chapter is intended purely as guidance. It is the responsibility
of the asset owner/asset operator of the vessel to make a cyber security threat analysis and
implement the necessary improvements needed on the network.

Onboard networks have in many cases grown gradually as needs arose, without an overall plan or a
clear infrastructure. Network cells or zones that originally had no communication with each other
have been joined together without much regard for the priorities, requirements and security levels
of each layer and of the processes that depend on it.

In addition, the increasing interconnection of OT and IT systems has not helped orderly growth
either: simple connections have been established wherever an information need arose.

Over the years, the most common configuration errors and bad practices found in a ship's network
are:

▪ No dedicated management interfaces (devices are managed over the same ports and networks that
carry production traffic).
▪ Default passwords.
▪ No isolation between IT and OT networks.
▪ A flat network, without any type of segmentation and/or VLAN segregation that separates the
equipment by level of criticality or functionality.
▪ Poorly configured firewalls.
▪ Direct connection to the Internet, which exposes the onboard network system to unwanted
access and attacks.

With the constant increase in cyber attacks on ships, it is vitally important to secure the onboard
networks and systems. To protect environments where IT (Information Technology) and OT
(Operational Technology) are combined, at least the following good practices at network level
should be applied:

Separate IT and OT Networks

The first step in securing the OT environment is to separate it from the IT network, establishing a
border between them with a perimeter security device. The most common device for this task is the
firewall.

Figure 18: OT and IT Networks

Each environment then has its own topology and shares no network components, such as switches or
routers, with the other. All incoming and outgoing communication between the IT network and the
OT networks therefore passes through a single, controlled connection point and is subject to the
rules configured there.

Network Segmentation
Once the OT and IT environments are separated, the next step is segmentation: subdividing the OT
and IT networks into what are called "zones".

We define a "zone" as a set of devices, applications, services and other assets grouped according
to their functionality, assigned security level, operational function, physical location, network
connection and system access. Zones are created by introducing a perimeter security element or
policy enforcement point, normally a firewall, whose task is to filter all communications to, from
or between the zones. On the one hand this reduces the exposure of each zone; on the other, a
security event in one zone remains confined to that zone.

Remote access paths to the vessel shall be grouped into a separate zone, giving the asset
owner/asset operator full control of any cyber-related access from outside the vessel.

Figure 19: Example of Network Segmentation and Zones

Depending on the criticality of the system or the security level to be achieved, different
strategies and/or tools can be used to carry out segmentation:

▪ Air gap: the two networks are physically separated, with no connection between them.
▪ IPS: blocks specific packets according to predefined rules or signatures.
▪ Virtual networks (VLANs): separate systems and devices into logical networks within the same
physical network. A VLAN by itself is only a logical separation; traffic between VLANs still has
to be filtered by a firewall or ACL on the device that routes between them.
▪ Firewalls: the most common segmentation element. A firewall allows or denies traffic between
different networks based on filtering rules.
▪ Data diodes or unidirectional gateways: unlike a firewall, a data diode has no channel in one
of the two directions. They are used when information should only flow out of a network (for
example monitoring data leaving the OT network) and nothing must be allowed back in, which
protects the integrity and availability of the source network.

Network Management

Any network design will need to include an infrastructure for administering and managing the
network. This may include installing network management software on dedicated workstations and
servers providing file sharing, log and event management, and other services.

On network devices, management communications can be in-band, through the networked data
ports, or out-of-band (OOBM), through dedicated management ports separated from the data ports.
Out-of-band ports have typically been serial console ports, but some recent switches have added
networked OOBM ports.

▪ If the switches on your network have out-of-band networked management ports, use them as the
only point of access for management.
▪ Alternatively, use only the console port for management access and leave the networked ports
for data traffic only.
▪ VLANs can also be used to separate management and data traffic. In this case, enable only one
port for management, with port security/MAC filtering and the other security features properly
configured, and make sure the management VLAN cannot be reached from the data VLANs without
passing through the firewall.
▪ Make sure that the auxiliary port on the switch is disabled.

Authentication, Authorization and Accounting: ideally, network devices are configured to use
802.1X port-based authentication on host-facing access switch ports, and centralized AAA (for
example RADIUS or TACACS+) for local and remote administrative access to the switch, so that each
administrator uses an individual account and every management session is recorded.

Remote Access
A VPN is a service that allows remote access to the ship's internal network and resources by
creating an encrypted tunnel over the Internet.
Most organizations that use VPNs implement a multi-layer defense to protect their network and
assets through a combination of endpoint security measures, user authentication and network
security policy enforcement. The VPN endpoint then becomes the one service exposed to the
Internet: keep it patched, require strong (preferably multi-factor) user authentication, and
terminate it in the separate remote-access zone so that VPN users still pass the firewall before
reaching any IT or OT asset.
Advantages of implementing a VPN:

▪ Secure remote access: encrypted communication is established between the client or the
headquarters network and the vessel's VPN server.
▪ Publishing a single service (the VPN) instead of several that can each be a target for
brute-force attacks (FTP, web logins, etc.).
▪ Access control: knowing at all times who has connected, from where, and what they have done.

Routers and Gateways

For routers and gateways, static routes are considered more secure because there is no chance that
an incorrect or malicious route will be learned by the router through a dynamic routing protocol.
Where dynamic routing cannot be avoided, authenticate the routing protocol and filter the prefixes
accepted from each neighbour.

ACLs, Access Control Lists

An Access Control List is an ordered set of statements that permit or deny specific traffic. It is a
simple way to filter the traffic that passes through a layer 3 network device and is useful for
enforcing certain security policies. The first statement that matches a packet decides its fate,
and on most platforms a packet that matches no statement is dropped by the implicit deny at the
end of the list, so the order of the statements matters.

The benefits of using access lists are as follows:

▪ Access lists save network resources by reducing unnecessary traffic.
▪ Access lists can control access to a network based on source addresses, destination
addresses, or user authentication.
▪ Access lists on a slow link can prevent excess traffic on a network.
▪ Access lists can control which addresses are translated by Network Address Translation.
▪ Access lists reduce the chance of denial-of-service (DoS) attacks.
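As an added example (not code from this manual or from the Exigo product), the following Python script models the segmentation policy of the "Network Segmentation" section together with the ACL semantics described here: IT, OT, management and remote-access zones, an ordered first-match rule list at a single enforcement point, an implicit deny, and a check for rules that are shadowed by an earlier rule, which is one of the ways a firewall ends up "poorly configured". Zone names, address ranges, ports and rules are assumptions chosen for illustration.

```python
"""Zone-based ACL evaluation and policy linting.

Added example; not code from the Zenitel manual or the Exigo product.
Zone names, address ranges, ports and rules below are illustrative
assumptions, not a recommended address plan.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed zone layout (illustrative address ranges).
ZONES = {
    "it":     ip_network("10.10.0.0/16"),   # business / crew network
    "ot":     ip_network("10.20.0.0/16"),   # PA/GA controllers, automation
    "mgmt":   ip_network("10.99.0.0/24"),   # management VLAN, log server, jump host
    "remote": ip_network("10.200.0.0/24"),  # VPN client address pool
}


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src_zone: str            # zone name or "any"
    dst_zone: str            # zone name or "any"
    proto: str               # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    comment: str = ""


# Ordered, first-match policy for the single IT/OT enforcement point.
# Anything that matches no rule is dropped (implicit deny).
POLICY: List[Rule] = [
    Rule("permit", "mgmt",   "ot",   "tcp", 443,  "engineering workstation to controllers"),
    Rule("permit", "mgmt",   "ot",   "tcp", 22,   "switch administration"),
    Rule("permit", "ot",     "mgmt", "udp", 514,  "syslog to central log server"),
    Rule("permit", "ot",     "mgmt", "udp", 123,  "NTP"),
    Rule("permit", "remote", "mgmt", "tcp", 443,  "VPN users reach the jump host only"),
    Rule("deny",   "it",     "ot",   "any", None, "no direct IT to OT traffic"),
    Rule("deny",   "ot",     "it",   "any", None, "no direct OT to IT traffic"),
]

# Illustrative mistake: the appended rule can never match, because the
# broad IT-to-OT deny above it already covers everything it describes.
BAD_POLICY: List[Rule] = POLICY + [Rule("permit", "it", "ot", "tcp", 443, "dead rule")]


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def _covers(rule: Rule, src_zone: str, dst_zone: str, proto: str,
            dst_port: Optional[int]) -> bool:
    """True if the rule matches every flow with these attributes."""
    return (rule.src_zone in ("any", src_zone)
            and rule.dst_zone in ("any", dst_zone)
            and rule.proto in ("any", proto)
            and (rule.dst_port is None or rule.dst_port == dst_port))


def evaluate(policy: List[Rule], src: str, dst: str, proto: str,
             dst_port: Optional[int]) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule) for one flow.

    First match wins, as on a firewall or router ACL. A flow that matches
    nothing, or that involves an address outside every zone, is denied.
    """
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", None
    for i, rule in enumerate(policy):
        if _covers(rule, src_zone, dst_zone, proto, dst_port):
            return rule.action, i
    return "deny", None


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier, at least
    as broad rule already covers every flow they describe."""
    dead = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if _covers(earlier, later.src_zone, later.dst_zone, later.proto, later.dst_port):
                dead.append(i)
                break
    return dead


if __name__ == "__main__":
    for flow in [("10.99.0.10", "10.20.1.5", "tcp", 443),   # mgmt -> ot: permitted
                 ("10.10.5.5", "10.20.1.5", "tcp", 443),    # it -> ot: explicit deny
                 ("10.200.0.7", "10.20.1.5", "tcp", 443)]:  # remote -> ot: implicit deny
        print(flow, evaluate(POLICY, *flow))
    print("shadowed rules in BAD_POLICY:", shadowed_rules(BAD_POLICY))
```

The same first-match logic applies to a firewall policy or a router ACL; the shadowed-rule check is worth running whenever a statement is appended to a long list, because the new statement silently does nothing if a broader one above it already matches.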

Centralized logs
In the event of a security breach, centralized logs play a crucial role:

▪ Collecting information and logs from various sources across the network ecosystem, including
audit, authentication, intrusion detection system (IDS) and intrusion prevention system (IPS)
logs.
▪ Correlating events/logs in real time. A correlation is a relationship defined between two or more
events or operations, generated on the same or on different devices within a time interval, that
is used to detect an action which no single device's log would reveal on its own.
▪ Compressing and archiving the events while protecting them against modification, for example
by hash-chaining or signing the stored records and keeping them on a separate, write-protected
store, so that an attacker who compromises a device cannot erase the evidence.
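As an added example (not code from this manual), the following Python script shows the last two points on a handful of constructed syslog-style lines: it correlates failed logins across several devices to flag a source address that no single device's log would reveal, and hash-chains the archived lines so that any later edit or deletion changes the final digest. The line format ("<ISO timestamp> <host> <process>: <message>"), the host names and the addresses are assumptions for illustration.

```python
"""Central log correlation and tamper-evident archiving.

Added example; not code from the Zenitel manual. The log format, host
names, addresses and thresholds are illustrative assumptions.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Assumed collector line format: "<ISO timestamp> <host> <process>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<proc>[^:]+):\s+(?P<msg>.*)$"
)
# Failed-login messages from a few common daemons, with the source address.
FAILED_RE = re.compile(
    r"(?:Failed password|authentication failure|login failed).*?"
    r"(?:from|rhost=)\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE
)

# Constructed sample lines, as a central collector might receive them.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 sw-ot-01 sshd: Failed password for admin from 10.10.5.23 port 51022 ssh2",
    "2024-03-01T10:00:09 sw-ot-02 sshd: Failed password for admin from 10.10.5.23 port 51030 ssh2",
    "2024-03-01T10:00:15 fw-01 sshd: Failed password for root from 10.10.5.23 port 51041 ssh2",
    "2024-03-01T10:00:40 sw-ot-01 sshd: Accepted password for tech from 10.99.0.10 port 40200 ssh2",
    "2024-03-01T10:03:12 sw-it-03 sshd: Failed password for admin from 10.10.7.8 port 33000 ssh2",
    "2024-03-01T10:30:00 sw-ot-02 sshd: Failed password for admin from 10.10.5.23 port 52000 ssh2",
]


def failed_auth_events(lines: List[str]) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, host, source address) for every failed-login line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: still archived, but cannot be correlated
        f = FAILED_RE.search(m.group("msg"))
        if f:
            yield datetime.fromisoformat(m.group("ts")), m.group("host"), f.group("src")


def correlate(lines: List[str], window: timedelta = timedelta(minutes=5),
              threshold: int = 3, min_hosts: int = 2) -> List[Dict]:
    """Flag a source with >= threshold failures on >= min_hosts devices inside
    one time window. Events are grouped per source, sorted, and scanned with
    a sliding window so failures spread over several devices are counted."""
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, host, src in failed_auth_events(lines):
        by_src[src].append((ts, host))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        i = 0
        while i < len(events):
            start = events[i][0]
            j = i
            while j < len(events) and events[j][0] - start <= window:
                j += 1
            chunk = events[i:j]
            hosts = sorted({h for _, h in chunk})
            if len(chunk) >= threshold and len(hosts) >= min_hosts:
                alerts.append({"src": src, "first": start, "last": chunk[-1][0],
                               "count": len(chunk), "hosts": hosts})
                i = j  # do not report the same burst twice
            else:
                i += 1
    return alerts


def chain_digest(lines: List[str], seed: bytes = b"") -> str:
    """Hash-chain the archived lines: each digest covers the previous digest
    and the current line, so editing, inserting or dropping any line changes
    the final value. Store that final digest apart from the log store."""
    h = seed
    for line in lines:
        h = hashlib.sha256(h + line.encode("utf-8")).digest()
    return h.hex()


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"{a['src']}: {a['count']} failures on {a['hosts']} "
              f"between {a['first']} and {a['last']}")
    print("archive digest:", chain_digest(SAMPLE_LOGS))
```

With the sample lines, the three failures from 10.10.5.23 against two switches and the firewall within fifteen seconds produce one alert, while the single failure from 10.10.7.8 and the isolated one half an hour later do not; each device on its own only saw one or two failed attempts.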

www.zenitel.com
Zenitel Norway AS

The WEEE Directive does not legislate that Zenitel, as a 'producer', shall collect 'end of life'
WEEE. This 'end of life' WEEE should be recycled appropriately by the owner, who should use proper
treatment and recycling measures. It should not be disposed of to landfill.

Many electrical items that we throw away can be repaired or recycled. Recycling items helps to save
our finite natural resources and also reduces the environmental and health risks associated with
sending electrical goods to landfill.

Under the WEEE Regulations, all new electrical goods should now be marked with the crossed-out
wheeled bin symbol shown. Goods are marked with this symbol to show that they were produced after
13th August 2005, and should be disposed of separately from normal household waste so that they
can be recycled.

DOC NO. A100K12107
customer.service@zenitel.com
Zenitel and its subsidiaries assume no responsibility for any errors that may appear in this publication, or for damages arising from the information therein. Vingtor-Stentofon products are developed and
marketed by Zenitel. The company’s Quality Assurance System is certified to meet the requirements in NS-EN ISO 9001. Zenitel reserves the right to modify designs and alter specifications without notice.
ZENITEL PROPRIETARY. This document and its supplementing elements, contain Zenitel or third party information which is proprietary and confidential. Any disclosure, copying, distribution or use is
prohibited, if not otherwise explicitly agreed in writing with Zenitel. Any authorized reproduction, in part or in whole, must include this legend: Zenitel – All rights reserved.
