
ManualCollection GRS1040 HiOS-2A-07000 en


Hirschmann Automation and Control GmbH

GRS1040 HiOS-2A Rel. 07000

Reference Manuals
Graphical User Interface
Command Line Interface

User Manual
Configuration
Reference Manual
Graphical User Interface
HiOS-2A GRS1040 (Greyhound Switch)

RM GUI HiOS-2A GRS1040 Technical support


Release 7.0 11/2017 https://hirschmann-support.belden.eu.com
The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that
these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may
be freely used by anyone.

© 2017 Hirschmann Automation and Control GmbH

Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into
any electronic medium or machine scannable form is not permitted, either in whole or in part. An exception is the preparation
of a backup copy of the software for your own use.

The performance features described here are binding only if they have been expressly agreed when the contract was made.
This document was produced by Hirschmann Automation and Control GmbH according to the best of the company's
knowledge. Hirschmann reserves the right to change the contents of this document without prior notice. Hirschmann can give
no guarantee in respect of the correctness or accuracy of the information in this document.

Hirschmann can accept no responsibility for damages, resulting from the use of the network components or the associated
operating software. In addition, we refer to the conditions of use specified in the license contract.

You can get the latest version of this manual on the Internet at the Hirschmann product site (www.hirschmann.com).

Hirschmann Automation and Control GmbH


Stuttgarter Str. 45-51
72654 Neckartenzlingen
Germany

Rel. 7.0 - 11/2017 – 10.01.2018


Contents


Safety instructions 9

About this Manual 11

Key 13

Notes on the graphical user interface 15

1 Basic Settings 19
1.1 System 20
1.2 Modules 24
1.3 Network 26
1.4 Out of Band 29
1.5 Software 31
1.6 Load/Save 33
1.7 External Memory 42
1.8 Port 44
Configuration 45
Statistics 49
Utilization 51
1.9 Power over Ethernet 52
1.9.1 PoE Global 53
1.9.2 PoE Port 55
1.10 Restart 57

2 Time 59
2.1 Basic Settings 60
Global 61
Daylight saving time 62
2.2 SNTP 65
2.2.1 SNTP Client 66
2.2.2 SNTP Server 69
2.3 PTP 71
2.3.1 PTP Global 72
2.3.2 PTP Boundary Clock 74
2.3.2.1 PTP Boundary Clock Global 75
2.3.2.2 PTP Boundary Clock Port 78
2.3.3 PTP Transparent Clock 81
2.3.3.1 PTP Transparent Clock Global 82
2.3.3.2 PTP Transparent Clock Port 85

3 Device Security 87


3.1 User Management 88


3.2 Authentication List 92
3.3 LDAP 95
3.3.1 LDAP Configuration 96
3.3.2 LDAP Role Mapping 100
3.4 Management Access 102
3.4.1 Server 103
Information 104
SNMP 106
Telnet 108
SSH 109
HTTP 112
HTTPS 113
3.4.2 IP Access Restriction 116
3.4.3 Web 119
3.4.4 Command Line Interface 120
Global 121
Login banner 122
3.4.5 SNMPv1/v2 Community 123
3.5 Pre-login Banner 124

4 Network Security 125


4.1 Network Security Overview 126
4.2 Port Security 127
Wizard : Port security 130
4.3 802.1X Port Authentication 132
4.3.1 802.1X Global 133
4.3.2 802.1X Port Configuration 135
4.3.3 802.1X Port Clients 139
4.3.4 802.1X EAPOL Port Statistics 140
4.3.5 802.1X Port Authentication History 141
4.3.6 802.1X Integrated Authentication Server 143
4.4 RADIUS 144
4.4.1 RADIUS Global 145
4.4.2 RADIUS Authentication Server 146
4.4.3 RADIUS Accounting Server 148
4.4.4 RADIUS Authentication Statistics 149
4.4.5 RADIUS Accounting Statistics 150
4.5 DoS 151
4.5.1 DoS Global 152
4.6 DHCP Snooping 155
4.6.1 DHCP Snooping Global 156


4.6.2 DHCP Snooping Configuration 158


Port 159
VLAN ID 161
4.6.3 DHCP Snooping Statistics 162
4.6.4 DHCP Snooping Bindings 163
4.7 IP Source Guard 165
4.7.1 IP Source Guard Port 166
4.7.2 IP Source Guard Bindings 167
4.8 Dynamic ARP Inspection 168
4.8.1 Dynamic ARP Inspection Global 169
4.8.2 Dynamic ARP Inspection Configuration 170
Port 171
VLAN ID 172
4.8.3 Dynamic ARP Inspection ARP Rules 173
4.8.4 Dynamic ARP Inspection Statistics 174
4.9 ACL 175
4.9.1 ACL IPv4 Rule 176
4.9.2 ACL MAC Rule 182
4.9.3 ACL Assignment 186
4.9.4 ACL Time Profile 188

5 Switching 191
5.1 Switching Global 192
5.2 Rate Limiter 194
5.3 Filter for MAC Addresses 196
5.4 IGMP Snooping 198
5.4.1 IGMP Snooping Global 199
5.4.2 IGMP Snooping Configuration 200
VLAN ID 201
Port 202
5.4.3 IGMP Snooping Enhancements 204
Wizard : Selection VLAN/Port 206
5.4.4 IGMP Snooping Querier 207
5.4.5 IGMP Snooping Multicasts 209
5.5 MRP-IEEE 210
5.5.1 MRP-IEEE Configuration 211
5.5.2 MRP-IEEE Multiple MAC Registration Protocol 212
Configuration 213
Service requirement 215
Statistics 216
5.5.3 MRP-IEEE Multiple VLAN Registration Protocol 217
Configuration 218


Statistics 220
5.6 GARP 221
5.6.1 GMRP 222
5.6.2 GVRP 224
5.7 QoS/Priority 225
5.7.1 QoS/Priority Global 226
5.7.2 QoS/Priority Port Configuration 227
5.7.3 802.1D/p Mapping 228
5.7.4 IP DSCP Mapping 229
5.7.5 Queue Management 231
5.7.6 DiffServ 233
5.7.6.1 DiffServ Overview 234
5.7.6.2 DiffServ Global 235
5.7.6.3 DiffServ Class 236
5.7.6.4 DiffServ Policy 241
5.7.6.5 DiffServ Assignment 247
5.8 VLAN 249
5.8.1 VLAN Global 250
5.8.2 VLAN Configuration 251
5.8.3 VLAN Port 253
5.8.4 VLAN Voice 254
5.8.5 MAC Based VLAN 256
5.8.6 Subnet Based VLAN 257
5.8.7 Protocol Based VLAN 258
5.9 L2-Redundancy 259
5.9.1 MRP 260
5.9.2 HIPER Ring 263
5.9.3 Spanning Tree 265
5.9.3.1 Spanning Tree Global 266
5.9.3.2 Spanning Tree MSTP 271
5.9.3.3 Spanning Tree Port 274
CIST 275
Guards 278
MSTI <MSTI > 280
5.9.4 Link Aggregation 282
5.9.5 Link Backup 288
5.9.6 FuseNet ™ 290
5.9.6.1 Sub Ring 291
5.9.6.2 Ring/Network Coupling 294
5.9.6.3 Redundant Coupling Protocol 300

6 Diagnostics 303


6.1 Status Configuration 304


6.1.1 Device Status 305
Global 306
Port 309
Status 310
6.1.2 Security Status 311
Global 312
Port 316
Status 317
6.1.3 Signal Contact 318
6.1.3.1 Signal Contact 1 / Signal Contact 2 319
Global 320
Port 323
Status 324
6.1.4 MAC Notification 325
6.1.5 Alarms (Traps) 327
6.2 System 328
6.2.1 System Information 329
6.2.2 Hardware State 330
6.2.3 Configuration Check 331
6.2.4 IP Address Conflict Detection 333
6.2.5 ARP 336
6.2.6 Selftest 337
6.3 Email Notification 339
6.3.1 Email Notification Global 340
6.3.2 Email Notification Recipients 343
6.3.3 Email Notification Mail Server 344
6.4 Syslog 346
6.5 Ports 349
6.5.1 SFP 350
6.5.2 TP cable diagnosis 351
6.5.3 Port Monitor 353
Global 353
Auto-disable 356
Link flap 357
CRC/Fragments 358
Overload detection 359
Link speed/Duplex mode detection 361
6.5.4 Auto-Disable 363
Port 363
Status 365
6.5.5 Port Mirroring 366


6.6 LLDP 370


6.6.1 LLDP Configuration 371
6.6.2 LLDP Topology Discovery 374
LLDP 375
LLDP-MED 376
6.7 SFlow 377
6.7.1 SFlow Configuration 378
Global 379
Sampler 380
Poller 381
6.7.2 SFlow Receiver 382
6.8 Report 383
6.8.1 Report Global 384
6.8.2 Persistent Logging 388
6.8.3 System Log 390
6.8.4 Audit Trail 391

7 Advanced 393
7.1 DHCP L2 Relay 394
7.1.1 DHCP L2 Relay Configuration 395
Interface 396
VLAN ID 397
7.1.2 DHCP L2 Relay Statistics 398
7.2 DHCP Server 399
7.2.1 DHCP Server Global 400
7.2.2 DHCP Server Pool 401
7.2.3 DHCP Server Lease Table 404
7.3 DNS 405
7.3.1 DNS Client 406
7.3.1.1 DNS Client Global 407
7.3.1.2 DNS Client Current 408
7.3.1.3 DNS Client Static 409
7.3.1.4 DNS Client Static Hosts 411
7.4 Industrial Protocols 412
7.4.1 IEC61850-MMS 413
7.4.2 Modbus TCP 415
7.4.3 PROFINET 417
7.4.4 EtherNet/IP 419

A Index 421

B Further support 423

C Readers’ Comments 424


Safety instructions

WARNING
UNCONTROLLED MACHINE ACTIONS
To avoid uncontrolled machine actions caused by data loss, configure all the data transmission
devices individually.
Before you start any machine which is controlled via data transmission, be sure to complete the
configuration of all data transmission devices.

Failure to follow these instructions can result in death, serious injury, or equipment damage.


About this Manual

The “Installation” user manual contains a device description, safety instructions, a description of the
display, and the other information that you need to install the device.

The “Configuration” user manual contains the information you need to start operating the device. It takes
you step by step from the first startup operation through to the basic settings for operation in your
environment.

The “Graphical User Interface” reference manual contains detailed information on using the graphical
user interface to operate the individual functions of the device.

The “Command Line Interface” reference manual contains detailed information on using the Command
Line Interface to operate the individual functions of the device.

The Industrial HiVision Network Management software provides you with additional options for smooth
configuration and monitoring:
 Auto-topology discovery
 Browser interface
 Client/server structure
 Event handling
 Event log
 Simultaneous configuration of multiple devices
 Graphical user interface with network layout
 SNMP/OPC gateway


Key

The designations used in this manual have the following meanings:


 List
 Work step
 Subheading
Link Cross-reference with link
Note: A note emphasizes an important fact or draws your attention to a dependency.
Courier ASCII representation in the graphical user interface


Notes on the graphical user interface

The graphical user interface of the device is divided as follows:


 Navigation area
 Dialog area
 Buttons

Navigation area

The Navigation area is located on the left side of the graphical user interface.
The Navigation area contains the following elements:
 Toolbar
 Filter
 Menu
You have the option of collapsing the entire Navigation area, for example when displaying the graphical
user interface on small screens. To collapse or expand, you click the small arrow at the top of the
navigation area.

 Toolbar
The toolbar at the top of the navigation area contains several buttons.
– When you position the mouse pointer over a button, a tooltip displays further information.
– If the connection to the device is lost, the toolbar is grayed out.

Button Meaning
The device automatically refreshes the toolbar information every 5 seconds.
Clicking the button refreshes the toolbar manually.
When you position the mouse pointer over the button, a tooltip displays the following information:
 User:
Name of the logged in user
 Device name:
Name of the device
Clicking the button opens the Device Security > User Management dialog.
When you position the mouse pointer over the button, a tooltip displays the summary of the
Diagnostics > System > Configuration Check dialog.
Clicking the button opens the Diagnostics > System > Configuration Check dialog.
Clicking the button logs out the current user and displays the login page.

Displays the remaining time in seconds until the device automatically logs out an inactive user.
Clicking the button opens the Device Security > Management Access > Web dialog. There you
can specify the timeout.

This button is visible if the configuration profile in the volatile memory (RAM ) differs from the
"Selected" configuration profile in the non-volatile memory (NVM ). Otherwise, the button is hidden.
Clicking the button opens the Basic Settings > Load/Save dialog.
By right-clicking the button you can save the current settings in the non-volatile memory (NVM ).
When you position the mouse pointer over the button, a tooltip displays the following information:
 Device Status: This section displays a compressed view of the Device status frame in
the Basic Settings > System dialog. The section displays the alarm that is currently active
and whose occurrence was recorded first.
 Security Status: This section displays a compressed view of the Security status
frame in the Basic Settings > System dialog. The section displays the alarm that is currently
active and whose occurrence was recorded first.
 Boot Parameter: If you permanently save changes to the settings and at least one boot
parameter differs from the configuration profile used during the last restart, then this section
displays a note.
The following settings cause the boot parameters to change:
– Basic Settings > External Memory dialog, Software auto update parameter
– Basic Settings > External Memory dialog, Config priority parameter
– Device Security > Management Access > Server dialog, SNMP tab, UDP port
parameter
– Diagnostics > System > Selftest dialog, RAM test parameter
– Diagnostics > System > Selftest dialog, SysMon1 is available parameter
– Diagnostics > System > Selftest dialog, Load default config on error parameter
Clicking the button opens the Diagnostics > Status Configuration > Device Status dialog.

 Filter
The filter enables you to reduce the number of menu items in the menu. When filtering, the menu
displays only menu items matching the search string entered in the filter field.

 Menu
The menu displays the menu items.
You have the option of filtering the menu items. See section “Filter”.
To display the corresponding dialog in the dialog area, you click the desired menu item. If the
selected menu item is a node containing sub-items, then the node expands or collapses while
clicking. The dialog area keeps the previously displayed dialog.
You have the option of expanding or collapsing every node in the menu at the same time. When you
right-click anywhere in the menu, a context menu displays the following entries:
 Expand
Expands every node in the menu at the same time. The menu displays the menu items for every
level.
 Collapse
Collapses every node in the menu at the same time. The menu displays the top level menu items.


Dialog area

The Dialog area is located on the right side of the graphical user interface. When you click a menu item
in the Navigation area, the Dialog area displays the corresponding dialog.

 Updating the display


If a dialog remains opened for a longer time, then the values in the device have possibly changed in
the meantime.

 To update the display in the dialog, click the button. Unsaved information in the dialog is lost.

 Saving the settings

 To transfer the changed settings to the volatile memory (RAM ) of the device, click the button.
 To keep the changed settings, even after restarting the device, proceed as follows:
 Open the Basic Settings > Load/Save dialog.
 In the table, highlight the desired configuration profile.
 If in the Selected column the checkbox is unmarked, click the button and then the Select
item.
 Click the button and then the Save item.

Note: Unintentional changes to the settings may terminate the connection between your PC and the
device. To keep the device accessible, enable the Undo configuration modifications function
in the Basic Settings > Load/Save dialog, before changing any settings. Using the function, the
device continuously checks whether it can still be reached from the IP address of the user’s PC. If
the connection is lost, the device loads the configuration profile saved in the non-volatile memory
(NVM ) after the specified time. Afterwards, the device can be accessed again.

 Working with tables


The dialogs display numerous settings in table form.
When you modify a table cell, the table cell displays a red mark in its top-left corner. The red mark
indicates that your modifications have not yet been transferred to the volatile memory (RAM) of the device.
You have the option of customizing the look of the tables to fit your needs. When you position the
mouse pointer over a column header, the column header displays a drop-down list button. When you
click this button, the drop-down list displays the following entries:
 Sort ascending
Sorts the table entries in ascending order based on the entries of the selected column.
You recognize sorted table entries by an arrow in the column header.
 Sort descending
Sorts the table entries in descending order based on the entries of the selected column.
You recognize sorted table entries by an arrow in the column header.


 Columns
Displays or hides columns.
You recognize hidden columns by an unmarked checkbox in the drop-down list.
 Filters
The table only displays the entries whose content matches the specified filter criteria of the
selected column.
You recognize filtered table entries by an emphasized column header.

You have the option of selecting multiple table entries simultaneously and subsequently applying an
action to them. This is useful when you are going to remove multiple table entries at the same time.
 Select several consecutive table entries:
 Click the first desired table entry to highlight it.
 Press and hold the <SHIFT> key.
 Click the last desired table entry to highlight every desired table entry.
 Select multiple individual table entries:
 Click the first desired table entry to highlight it.
 Press and hold the <CTRL> key.
 Click the next desired table entry to highlight it.
Repeat until every desired table entry is highlighted.

Buttons

Here you find the description of the standard buttons. The special dialog-specific buttons are described
in the corresponding dialog help text.

Button Meaning
Transfers the changes to the volatile memory (RAM ) of the device and applies them to the device.
To save the changes in the non-volatile memory, proceed as follows:
 Open the Basic Settings > Load/Save dialog.
 In the table, highlight the desired configuration profile.
 If in the Selected column the checkbox is unmarked, click the button and then the
Select item.
 Click the button and then the Save item.
Updates the fields with the values that are saved in the volatile memory (RAM ) of the device.

Adds a new table entry.

Removes the highlighted table entry.

Opens the online help.


1 Basic Settings

The menu contains the following dialogs:


 System
 Modules
 Network
 Out of Band
 Software
 Load/Save
 External Memory
 Port
 Power over Ethernet
 Restart


1.1 System

In this dialog, you monitor individual operating statuses.

 Device status
The fields in this frame display the device status and inform you about alarms that have occurred.
When an alarm currently exists, the frame is highlighted.
You specify the parameters that the device monitors in the Diagnostics > Status
Configuration > Device Status dialog.
Parameters Meaning
Alarm counter Displays the number of currently existing alarms.
The icon is visible if there is at least one currently existing alarm.
When you position the mouse pointer over the icon, a tooltip displays the cause of the currently
existing alarms and the time at which the device triggered the alarm.
The device triggers an alarm if a monitored parameter differs from the desired status. The
Diagnostics > Status Configuration > Device Status dialog, Status tab displays an
overview of the alarms.

Note: The device reports an alarm if you connect one power supply unit exclusively for the supply
voltage to a device with a redundant power supply unit. To avoid this alarm, you deactivate the
monitoring of the missing power supply units in the Diagnostics > Status Configuration >
Device Status dialog.

 Security status
The fields in this frame display the security status and inform you about alarms that have occurred.
When an alarm currently exists, the frame is highlighted.
You specify the parameters that the device monitors in the Diagnostics > Status
Configuration > Security Status dialog.
Parameters Meaning
Alarm counter Displays the number of currently existing alarms.
The icon is visible if there is at least one currently existing alarm.
When you position the mouse pointer over the icon, a tooltip displays the cause of the currently
existing alarms and the time at which the device triggered the alarm.
The device triggers an alarm if a monitored parameter differs from the desired status. The
Diagnostics > Status Configuration > Security Status dialog, Status tab displays an
overview of the alarms.


 Signal contact status


The fields in this frame display the signal contact status and inform you about alarms that have
occurred. When an alarm currently exists, the frame is highlighted.
You specify the parameters that the device monitors in the Diagnostics > Status
Configuration > Signal Contact > Signal Contact 1/Signal Contact 2 dialog.
Parameters Meaning
Alarm counter Displays the number of currently existing alarms.
The icon is visible if there is at least one currently existing alarm.
When you position the mouse pointer over the icon, a tooltip displays the cause of the currently
existing alarms and the time at which the device triggered the alarm.
The device triggers an alarm if a monitored parameter differs from the desired status. The
Diagnostics > Status Configuration > Signal Contact > Signal Contact 1/Signal
Contact 2 dialog, Status tab displays an overview of the alarms.

 System data
The fields in this frame display operating data and information on the location of the device.

Parameters Meaning
System name Specifies the name by which the device is known in the network.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
The following characters are allowed:
– 0..9
– a..z
– A..Z
– !#$%&'()*+,-./:;<=>?@[\]^_`{}~
– <device name>-<MAC address> (default setting)
When creating HTTPS X.509 certificates, the application generating the certificate uses the
specified value as the domain name and common name.
The following functions use the specified value as a host name or FQDN (Fully Qualified Domain
Name). For compatibility, it is recommended to use only lowercase letters, since not every system
compares the case in the FQDN. Verify that this name is unique in the whole network.
 DHCP client
 Syslog
 IEC61850-MMS
 PROFINET

Note: For compatibility in PROFINET environments, specify the PROFINET device name. In
PROFINET the name is limited to a maximum of 240 characters. Do not begin the name with a
number. Programs read the device name using SNMP and PROFINET DCP.
Location Specifies the location of the device.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Contact person Specifies the contact person for this device.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Device type Displays the product name of the basic device.

Power supply 1, Power supply 2 Displays the status of the power supply unit on the relevant voltage supply connection.
Possible values:
 present
 defective
 notInstalled
 unknown
When you position the mouse pointer over the field, a tooltip displays the serial number and the
product code of the power supply.
Uptime Displays the time that has elapsed since this device was last restarted.
Possible values:
 Time in the format day(s), ...h ...m ...s
Temperature [°C] Displays the current temperature in the device in °C.
You activate the monitoring of the temperature thresholds in the Diagnostics > Status
Configuration > Device Status dialog.
Upper temp. limit [°C] Specifies the upper temperature threshold in °C.
The “Installation” user manual contains detailed information about setting the temperature
thresholds.
Possible values:
 -99..99 (integer)
If the temperature in the device exceeds this value, the device generates an alarm.
Lower temp. limit [°C] Specifies the lower temperature threshold in °C.
The “Installation” user manual contains detailed information about setting the temperature
thresholds.
Possible values:
 -99..99 (integer)
If the temperature in the device falls below this value, the device generates an alarm.
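
The System name rules from the table above (allowed characters, the 255-character limit, the lowercase recommendation for FQDN use, the PROFINET limits and the uniqueness requirement) written as a check to run over a planned device inventory. This is an added example, not part of the Hirschmann manual; the function names and the sample device names are constructed for illustration.

```python
import string

# Characters the manual lists as allowed in the "System name" field.
ALLOWED_CHARS = set(
    string.digits + string.ascii_letters + "!#$%&'()*+,-./:;<=>?@[\\]^_`{}~"
)
MAX_LEN = 255           # manual: 0..255 characters
PROFINET_MAX_LEN = 240  # manual: PROFINET limits the name to 240 characters


def check_system_name(name, profinet=False):
    """Check one proposed System name; return (errors, warnings)."""
    errors, warnings = [], []

    if len(name) > MAX_LEN:
        errors.append(f"length {len(name)} exceeds {MAX_LEN} characters")

    illegal = sorted({c for c in name if c not in ALLOWED_CHARS})
    if illegal:
        errors.append("characters outside the allowed set: "
                      + ", ".join(repr(c) for c in illegal))

    # The value is reused as host name / FQDN (DHCP client, Syslog,
    # IEC61850-MMS, PROFINET), so the manual recommends lowercase only.
    if any(c in string.ascii_uppercase for c in name):
        warnings.append("contains uppercase letters; lowercase is recommended")

    if profinet:
        if len(name) > PROFINET_MAX_LEN:
            errors.append(f"length {len(name)} exceeds the PROFINET limit "
                          f"of {PROFINET_MAX_LEN} characters")
        if name and name[0] in string.digits:
            errors.append("PROFINET device name must not begin with a number")

    return errors, warnings


def find_case_collisions(names):
    """Group names that are identical once case is ignored.

    The manual asks for a name that is unique in the whole network and
    notes that not every system compares case in the FQDN, so "SW-A" and
    "sw-a" are treated as the same name here.
    """
    groups = {}
    for name in names:
        groups.setdefault(name.lower(), []).append(name)
    return {key: members for key, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    # Constructed inventory: (planned system name, used in a PROFINET network?)
    planned = [
        ("grs1040-ring-a", False),
        ("GRS1040 Core", False),
        ("1st-switch", True),
        ("SW-A", False),
        ("sw-a", False),
    ]
    for name, profinet in planned:
        errors, warnings = check_system_name(name, profinet)
        print(f"{name!r}: errors={errors} warnings={warnings}")
    print("collisions:", find_case_collisions(n for n, _ in planned))
```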

 LED status
This frame displays the states of the device status LEDs at the time of the last update. The
“Installation” user manual contains detailed information about the device status LEDs.

Parameters Color Meaning


Status There is currently no device status alarm. The device status is OK.

There is currently at least one device status alarm. Therefore, see the Device status
frame above.
Power Device variant with 2 power supply units:
Only one supply voltage is active.
Device variant with 1 power supply unit:
The supply voltage is active.
Device variant with 2 power supply units:
Both supply voltages are active.
RM The device is operating neither as an MRP ring manager nor as a DLR supervisor.

Loss of redundancy reserve.


The device is operating as an MRP ring manager.
Redundancy reserve is available.
The device is operating as an MRP ring manager.



ACA No external memory connected.

The external memory is connected, but not ready for operation.

The external memory is connected and ready for operation.

 Port status
This frame displays a simplified view of the ports of the device at the time of the last update.
The icons represent the status of the individual ports. In some situations, the following icons interfere
with one another. When you position the mouse pointer over the appropriate port icon, a tooltip
displays detailed information about the port state.

Parameters Status Meaning


<Port number> The port is inactive.
The port does not send or receive any data.
The port is inactive.
The cable is connected. Active link.
The port is active.
No cable connected or no active link.
The port is active.
The cable is connected. Connection okay. Active link. Full-duplex mode
The half-duplex mode is enabled.
Verify the settings in the Basic Settings > Ports dialog, Configuration tab.
The port is in a blocking state due to a redundancy function.

The port operates as a router interface.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


1.2 Modules

The device offers you the possibility of inserting or removing the modules during operation (hot plug).
To deny network access, disable a slot. On a disabled slot, a module is recognized and port
configuration is possible. However, the module establishes no network connections as long as the slot is
disabled.

Instruction to install a module


Perform the following steps:
 Plug the module in the slot.
The device automatically configures the module with the default settings, and detects the module
parameters.

 Click the button to update the graphical user interface.


The Module status column displays the value physical for the installed module.
 In the table, highlight the installed module.
 To allow network access through the slot, activate the slot:
Unmark the Active checkbox.

 To temporarily save the changes, click the button.

Instruction to remove a module


Removing a module from a slot helps to deny network access using an empty slot.
Perform the following steps:
 Remove the module from the slot.

 Click the button to update the graphical user interface.


The Module status column displays the value configurable for the removed module.
 In the table, highlight the removed module.

 Click the button and then the Remove module item.


The Module status column displays the value remove for the removed module. Additionally, the
Type column and some other columns display the value n/a.
The marked Active checkbox indicates that the slot is still active.
 To deny further network access through the unused slot, deactivate the slot:
Unmark the Active checkbox.

 To temporarily save the changes, click the button.


As long as the Module status column displays the value configurable, you can configure the module
and save its preferences.
 If you replace the module with an identical module, then the device applies the settings to the new
module immediately.
 If you replace the module with a different type of module, then the device applies the factory settings
to the new module.
 If you plug a module in an empty slot, then the device configures the module with its default
settings. If the slot is inactive, then it remains inactive until you mark the checkbox in the Active
column. With the port default settings loaded on the module, access to the network is possible.

 Table

Parameters Meaning
Module Displays the number of the slot to which the entry refers.
Active Activates/deactivates the slot.
Possible values:
 marked (default setting)
The slot is active. The device recognizes a module installed in this slot.
 unmarked
The slot is inactive.
Type Displays the type of module installed in the slot.
A value of n/a indicates that the slot is empty.
Description Specifies a short description of the installed module.
Version Displays the module version.
Ports Displays how many ports are available on the module.
Serial number Displays the serial number of the module.
A value of n/a indicates that the slot is empty.
Module status Displays the status of the slot.
Possible values:
 physical
Indicates that a module is present and active in the slot.
 configurable
Indicates that the slot is empty and available for configuration.
 remove
Indicates that the slot is empty and deactivated.
 fix
Indicates that the module cannot be removed.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Remove module Removes the module from the table.


1.3 Network

This dialog allows you to specify the IP, VLAN and HiDiscovery settings required for the access to the
device management through the network.

 Management interface
This frame allows you to specify the following settings:
 The source from which the device management receives its IP parameters
 VLAN in which the management can be accessed

Parameters Meaning
IP address assignment Specifies the source from which the device receives its IP parameters after starting:
Possible values:
 Local
The device uses the IP parameters from the internal memory. You specify the settings for this
in the IP parameter frame.
 BOOTP
The device receives its IP parameters from a BOOTP or DHCP server.
The server evaluates the MAC address of the device, then assigns the IP parameters.
 DHCP (default setting)
The device receives its IP parameters from a DHCP server.
The server evaluates the MAC address, the DHCP name, or other parameters of the device,
then assigns the IP parameters.
If the server also provides the addresses of DNS servers, the device displays these addresses
in the Advanced > DNS > Cache > Current dialog.

Note: If there is no response from the BOOTP or DHCP server, the device sets the IP address to
0.0.0.0 and makes another attempt to obtain a valid IP address.
VLAN ID Specifies the VLAN in which the device management is accessible through the network. The
device management is accessible through ports that are members of this VLAN.
Possible values:
 1..4042 (default setting: 1)
The prerequisite is that the VLAN is already configured. See the Switching > VLAN >
Configuration dialog.

When you click the button after changing the value, the Information window opens. Select
the port, over which you connect to the device in the future. After clicking the Ok button, the new
management VLAN settings are assigned to the port.
– After that the port is a member of the VLAN and transmits the data packets without a VLAN tag
(untagged). See the Switching > VLAN > Configuration dialog.
– The device assigns the port VLAN ID of the management VLAN to the port. See the
Switching > VLAN > Port dialog.
After a short time the device is reachable over the new port in the new management VLAN.
MAC address Displays the MAC address of the device. The device management is accessible via the network
using the MAC address.


 BOOTP/DHCP

Parameters Meaning
Client ID Displays the DHCP client ID that the device sends to the BOOTP or DHCP server. If the server is
configured accordingly, it reserves an IP address for this DHCP client ID. Therefore, the device
receives the same IP from the server every time it requests it.
The DHCP client ID that the device sends is the device name specified in the System name field
in the Basic Settings > System dialog.

 HiDiscovery protocol v1/v2


This frame allows you to specify settings for the access to the device using the HiDiscovery protocol.
On a PC, the HiDiscovery software displays the Hirschmann devices that can be accessed in the
network on which the HiDiscovery function is enabled. You can access these devices even if they
have invalid or no IP parameters assigned. The HiDiscovery software allows you to assign or change
the IP parameters in the device.

Parameters Meaning
Operation Enables/disables the HiDiscovery function on the device.
Possible values:
 On (default setting)
HiDiscovery is enabled.
You can use the HiDiscovery software to access the device from your PC.
 Off
HiDiscovery is disabled.
Access Enables/disables the write access to the device using HiDiscovery.
Possible values:
 readWrite (default setting)
The HiDiscovery software is given write access to the device.
With this setting you can change the IP parameters in the device.
 readOnly
The HiDiscovery software is given read-only access to the device.
With this setting you can view the IP parameters in the device.
Recommendation: Change the setting to readOnly only after you have put the device into
operation.
Signal Activates/deactivates the flashing of the port LEDs as does the function of the same name in the
HiDiscovery software. The function allows you to identify the device in the field.
Possible values:
 marked
The flashing of the port LEDs is active.
The port LEDs flash until you disable the function again.
 unmarked (default setting)
The flashing of the port LEDs is inactive.

Note: With the HiDiscovery software you access the device only through ports that are members of the
same VLAN as the device management. You specify which VLAN a certain port is
assigned to in the Switching > VLAN > Configuration dialog.


 IP parameter
This frame allows you to assign the IP parameters manually. These fields can be edited if you have
selected the Local radio button in the Management interface frame, IP address assignment
option list.

Parameters Meaning
IP address Specifies the IP address under which the device management can be accessed through the
network.
Possible values:
 Valid IPv4 address
Netmask Specifies the netmask.
The netmask identifies the network prefix and the host address of the device in the IP address.
Possible values:
 Valid IPv4 netmask
Gateway address Specifies the IP address of a router through which the device accesses other devices outside its
own network.
Possible values:
 Valid IPv4 address

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


1.4 Out of Band

This dialog allows you to specify the IP address, subnet mask and the IP address assignment method
for accessing the device management through the Out of Band management port.
The Out of Band management port allows you to manage the device and upload configurations using the
following protocols:
 SNMP
 SSH
 Telnet
 FTP
 SCP
 Web Browser

 Operation

Parameters Meaning
Operation Enables/disables the Out of Band management port.
Possible values:
 On (default setting)
The management port is enabled.
 Off
The management port is disabled.

 Management interface

Parameters Meaning
IP address assignment Specifies the source from which the device receives its IP parameters after starting.
Possible values:
 Local (default setting)
The device uses the IP parameters from the internal memory.
You specify the settings for this in the IP parameter frame.
 DHCP
The device receives its IP parameters from a DHCP server.
The server evaluates the MAC address, the DHCP name, or other parameters of the device,
then assigns the IP parameters.
If the server also provides the addresses of DNS servers, the device displays these addresses
in the Advanced > DNS > Client > Current dialog.

Note: If there is no response from the DHCP server, the device sets the IP address to 0.0.0.0
and makes another attempt to obtain a valid IP address.
MAC address Displays the MAC address of the Out of Band port on the device. This MAC address is different
from the network management MAC address.
Status Displays the status of the Out of Band port.


 IP parameter

Parameters Meaning
IP address Specifies the IP address under which the device management can be accessed using the Out of
Band management port.
Possible values:
 Valid IPv4 address
(default setting: 192.168.1.1)
Netmask Specifies the netmask. The netmask identifies the network prefix and the host address of the
device in the IP address.

Note: Verify that the subnet of the Out of Band management port is different from the subnets of the
management port and of any router interface.
Possible values:
 Valid IPv4 netmask
(default setting: 255.255.255.0)
Gateway address Specifies the IP address of a router through which the device accesses other devices outside its
own network.
Possible values:
 Valid IPv4 address
(default setting: 0.0.0.0)
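
The check that the note above asks for, as an added example that is not part of the original manual: it derives each interface's subnet from its IP address and netmask and reports every subnet that overlaps the subnet of the Out of Band port. The interface names and all addresses other than the documented Out of Band default are constructed.

```python
import ipaddress


def subnet_of(ip, netmask):
    """Return the IPv4 network for ip/netmask.

    The netmask is checked bit by bit, because Python's ipaddress module
    also accepts host masks such as 0.0.0.255, which are not netmasks.
    """
    addr = int(ipaddress.IPv4Address(ip))
    mask = int(ipaddress.IPv4Address(netmask))
    host_bits = ~mask & 0xFFFFFFFF
    # A valid netmask has a host part of the form 0...01...1,
    # so host_bits + 1 must be a power of two (or 2**32).
    if host_bits & (host_bits + 1):
        raise ValueError(f"{netmask} is not a valid IPv4 netmask")
    prefix = 32 - host_bits.bit_length()
    return ipaddress.IPv4Network((addr & mask, prefix))


def oob_conflicts(oob, others):
    """Return [(interface name, subnet)] for subnets overlapping the OOB subnet.

    oob    -- (ip, netmask) of the Out of Band management port
    others -- {name: (ip, netmask)} for the management port and router interfaces
    """
    oob_net = subnet_of(*oob)
    conflicts = []
    for name, (ip, netmask) in others.items():
        net = subnet_of(ip, netmask)
        if oob_net.overlaps(net):
            conflicts.append((name, str(net)))
    return conflicts


if __name__ == "__main__":
    # Out of Band default from the table above; the other entries are constructed.
    oob = ("192.168.1.1", "255.255.255.0")
    others = {
        "management": ("10.0.0.5", "255.255.0.0"),
        "router 1/1": ("192.168.0.1", "255.255.254.0"),
        "router 1/2": ("192.168.2.1", "255.255.255.0"),
    }
    for name, net in oob_conflicts(oob, others):
        print(f"{name}: subnet {net} overlaps the Out of Band subnet")
```

In the sample, router 1/1 uses a different netmask than the Out of Band port and still conflicts, because 192.168.0.0/23 contains 192.168.1.0/24. Comparing netmasks alone does not find this case.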

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


1.5 Software

This dialog allows you to update the device software and display information about the device software.
You also have the option to restore a backup of the device software saved in the device.

Note: Before updating the device software, follow the version-specific notes in the Readme text file.

 Version

Parameters Meaning
Stored version Displays the version number and creation date of the device software stored in the flash memory.
The device loads the device software during the next restart.
Running version Displays the version number and creation date of the device software that the device loaded
during the last restart and is currently running.
Backup version Displays the version number and creation date of the device software saved as a backup in the
flash memory. The device copied this device software into the backup memory during the last
software update or after you clicked the Restore button.
Restore Restores the device software saved as a backup. In the process, the device changes the Stored
version and the Backup version of the device software.
Upon restart, the device loads the Stored version.
Bootcode Displays the version number and creation date of the boot code.

 Software update

Parameters Meaning
URL Specifies the path and the file name of the image file with which you update the device software.
The device gives you the following options for updating the device software:
 Software update from the PC
If the file is located on your PC or on a network drive, drag and drop the file in the area.
Alternatively click in the area to select the file.
 Software update from an FTP server
If the file is located on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
 Software update from a TFTP server
If the file is located on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
 Software update from an SCP or SFTP server
If the file is located on an SCP or SFTP server, specify the URL for the file in one of the
following forms:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you
enter the User name and Password to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start Updates the device software.
The device installs the selected file in the flash memory, replacing the previously saved device
software. Upon restart, the device loads the installed device software.
The device copies the existing software into the backup memory.
To remain logged in to the device during the software update, move the mouse pointer
occasionally. Alternatively, specify a sufficiently high value in the Device Security >
Management Access > Web dialog, field Web interface session timeout [min] before the
software update.


Alternatively, the device allows you to update the device software by right-clicking in the table if the
image file is located in the external memory.

 Table

Parameters Meaning
File location Displays the storage location of the device software.
Possible values:
 ram
Volatile memory of the device
 flash
Non-volatile memory (NVM) of the device
 sd-card
External SD memory (ACA31)
 usb
External USB memory (ACA22)
Index Displays the index of the device software.
For the device software in the flash memory, the index has the following meaning:
 1
Upon restart, the device loads this device software.
 2
The device copied this device software into the backup area during the last software update.
File name Displays the device-internal file name of the device software.
Firmware Displays the version number and creation date of the device software.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


1.6 Load/Save

This dialog allows you to save the device settings permanently in a configuration profile.
The device can hold several configuration profiles. When you activate an alternative configuration
profile, you change to other device settings. You have the option of exporting the configuration profiles
to your PC or to a server. You also have the option of importing the configuration profiles from your PC
or from a server to the device.
In the default setting, the device saves the configuration profiles unencrypted. When you enter a
password in the Configuration encryption frame, the device saves both the current and the future
configuration profiles in an encrypted format.
Unintentional changes to the settings may terminate the connection between your PC and the device.
To keep the device accessible, enable the Undo configuration modifications function before
changing any settings. If the connection is lost, the device loads the configuration profile saved in the
non-volatile memory (NVM) after the specified time.

 External memory

Parameters Meaning
Selected external memory Specifies the external memory that the device uses for file operations. On this external memory,
the device stores, for example, copies of the device configuration.
Possible values:
 sd
External SD memory (ACA31)
 usb
External USB memory (ACA22)
Status Displays the operating state of the selected external memory.
Possible values:
 notPresent
No external memory connected.
 removed
Someone has removed the external memory from the device during operation.
 ok
The external memory is connected and ready for operation.
 outOfMemory
The memory space is occupied on the external memory.
 genericErr
The device has detected an error.


 Configuration encryption

Parameters Meaning
Active Displays whether the configuration encryption is active/inactive on the device.
Possible values:
 marked
The configuration encryption is active.
The device loads a configuration profile from the non-volatile memory (NVM) if it is encrypted
and the password matches the password stored in the device.
 unmarked
The configuration encryption is inactive.
The device loads a configuration profile from the non-volatile memory (NVM) solely if it is
unencrypted.
If in the Basic Settings > External Memory dialog, the Config priority column has the
value first or second and the configuration profile is unencrypted, the Security status frame
in the Basic Settings > System dialog displays an alarm.
In the Diagnostics > Status Configuration > Security Status dialog, Global tab,
Monitor column you specify whether the device monitors the Load unencrypted config from
external memory parameter.
Set password Opens the Set password window that helps you to enter the password needed for the
configuration profile encryption. Encrypting the configuration profiles makes unauthorized access
more difficult.
 When you are changing an existing password, enter the existing password in the Old
password field. To display the password in plain text instead of ***** (asterisks), mark the
Display content checkbox.
 In the New password field, enter the password.
To display the password in plain text instead of ***** (asterisks), mark the Display content
checkbox.
 Mark the Save configuration afterwards checkbox to use encryption also for the Selected
configuration profile in the non-volatile memory (NVM) and in the external memory.

Note: Use this function solely if a maximum of 1 configuration profile is stored in the non-volatile
memory (NVM) of the device. Before creating additional configuration profiles, decide for or against
permanently activated configuration encryption in the device. Save additional configuration
profiles either unencrypted or encrypted with the same password.
If you are replacing a device with an encrypted configuration profile, for example due to a defect,
you proceed as follows:
 Restart the new device and assign the IP parameters.
 Open the Basic Settings > Load/Save dialog on the new device.
 Encrypt the configuration profile in the new device. See above. Enter the same password you
used in the defective device.
 Install the external memory from the defective device in the new device.
 Restart the new device.
When it is restarted, the device loads the configuration profile with the settings of the defective
device from the external memory. The device copies the settings into the volatile memory
(RAM) and into the non-volatile memory (NVM).

Note: The prerequisite for loading a configuration profile from the external memory is that in the
Basic Settings > External Memory dialog the Config priority column displays the value
first or second. This value is set as the default setting.
Delete Opens the Delete window which helps you to cancel the configuration encryption in the device.
 In the Old password field, enter the existing password.
To display the password in plain text instead of ***** (asterisks), mark the Display content
checkbox.
 Mark the Save configuration afterwards checkbox to remove the encryption also for the
Selected configuration profile in the non-volatile memory (NVM) and in the external memory.

Note: If you keep additional encrypted configuration profiles in the memory, the device prevents
you from activating or designating these configuration profiles as "Selected".


 Information

Parameters Meaning
NVM in sync with running config Displays whether the configuration profile in the volatile memory (RAM) and the "Selected"
configuration profile in the non-volatile memory (NVM) are the same.
Possible values:
 marked
The configuration profiles are the same.
 unmarked
The configuration profiles differ.
External memory in sync with NVM Displays whether the "Selected" configuration profile in the external memory and the "Selected"
configuration profile in the non-volatile memory (NVM) are the same.
Possible values:
 marked
The configuration profiles are the same.
 unmarked
The configuration profiles differ.
Possible causes:
– No external memory is connected to the device.
– In the Basic Settings > External Memory dialog, the Backup config when saving
function is disabled.

 Backup config on a remote server when saving

Parameters Meaning
Operation Enables/disables the Backup config on a remote server when saving function.
Possible values:
 Enabled
The Backup config on a remote server when saving function is enabled.
When you save the configuration profile in the non-volatile memory (NVM), the device
automatically backs up the configuration profile on the remote server specified in the URL field.
 Disabled (default setting)
The Backup config on a remote server when saving function is disabled.
URL Specifies path and file name of the backed up configuration profile on the remote server.
Possible values:
 Alphanumeric ASCII character string with 0..128 characters
Example: tftp://192.9.200.1/cfg/config.xml
The device supports the following wildcards:
– %d
System date in the format YYYY-mm-dd
– %t
System time in the format HH_MM_SS
– %i
IP address of the device
– %m
MAC address of the device in the format AA-BB-CC-DD-EE-FF
– %p
Product name of the device

Set credentials Opens the Credentials window which helps you to enter the credentials needed to authenticate
on the remote server.
 In the User name field, enter the user name.
To display the user name in plain text instead of ***** (asterisks), mark the Display content
checkbox.
Possible values:
– Alphanumeric ASCII character string with 1..32 characters
 In the Password field, enter the password.
To display the password in plain text instead of ***** (asterisks), mark the Display content
checkbox.
Possible values:
 Alphanumeric ASCII character string with 6..64 characters
The following characters are allowed:
a..z
A..Z
0..9
#$%&'()*+,-./:;<=>?@_`
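
An added example, not part of the original manual: it expands the wildcards of a backup URL template in the formats listed above, reviews the result, and checks credentials against the limits given for the Credentials window. It assumes the backup URL accepts the same ftp, tftp, scp and sftp forms that the manual lists for software updates; the device values in the sample are constructed.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

MAX_URL_LEN = 128  # URL field: ASCII string with 0..128 characters
# Assumption: the backup URL accepts the schemes documented for software updates.
UNENCRYPTED_SCHEMES = {"ftp", "tftp"}
ENCRYPTED_SCHEMES = {"scp", "sftp"}
# Password rule from the Credentials window: 6..64 of the listed characters.
PASSWORD_RE = re.compile(r"[A-Za-z0-9#$%&'()*+,\-./:;<=>?@_`]{6,64}")


def expand_wildcards(template, now, ip, mac, product):
    """Expand %d %t %i %m %p in the formats the manual gives."""
    values = {
        "d": now.strftime("%Y-%m-%d"),          # YYYY-mm-dd
        "t": now.strftime("%H_%M_%S"),          # HH_MM_SS
        "i": ip,
        "m": mac.replace(":", "-").upper(),     # AA-BB-CC-DD-EE-FF
        "p": product,
    }
    return re.sub(r"%([dtimp])", lambda m: values[m.group(1)], template)


def review_backup_url(template, now, ip, mac, product):
    """Return (expanded URL, findings) for a backup URL template."""
    findings = []
    if len(template) > MAX_URL_LEN or not template.isascii():
        findings.append("field: not an ASCII string of 0..128 characters")
    url = expand_wildcards(template, now, ip, mac, product)
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in UNENCRYPTED_SCHEMES:
        findings.append(f"transport: {scheme} is an unencrypted transport")
    elif scheme not in ENCRYPTED_SCHEMES:
        findings.append(f"transport: scheme {scheme!r} is not a documented form")
    if parts.password is not None:
        findings.append("credentials: password embedded in the URL field")
    if not re.search(r"%[dt]", template):
        findings.append("naming: no %d or %t, every save reuses one file name")
    if not re.search(r"%[im]", template):
        findings.append("naming: no %i or %m, devices sharing the URL collide")
    return url, findings


def review_credentials(user, password):
    """Check a user name and password against the documented limits."""
    findings = []
    if not (user.isascii() and 1 <= len(user) <= 32):
        findings.append("user name: need 1..32 ASCII characters")
    if not PASSWORD_RE.fullmatch(password):
        findings.append("password: need 6..64 characters from the allowed set")
    return findings


if __name__ == "__main__":
    # Constructed device values for the demonstration.
    device = dict(now=datetime(2017, 11, 3, 14, 5, 9), ip="192.168.1.1",
                  mac="00:11:22:aa:bb:cc", product="GRS1040")
    for template in ("tftp://192.9.200.1/cfg/config.xml",
                     "sftp://192.9.200.1/cfg/%p_%m_%d_%t.xml"):
        url, findings = review_backup_url(template, **device)
        print(url)
        for finding in findings:
            print("  -", finding)
```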

 Undo configuration modifications

Parameters Meaning
Operation Enables/disables the Undo configuration modifications function. Using the function, the
device continuously checks whether it can still be reached from the IP address of the user’s PC.
If the connection is lost, after a specified time period the device loads the “Selected” configuration
profile from the non-volatile memory (NVM). Afterwards, the device can be accessed again.
Possible values:
 On
The function is enabled.
– You specify the time period between the loss of the connection and the loading of the
configuration profile in the field Timeout [s] to recover after connection loss.
– If the non-volatile memory (NVM) contains multiple configuration profiles, the device loads
the configuration profile designated as “Selected”.
 Off (default setting)
The function is disabled.
Disable the function again before you close the graphical user interface. You thus prevent the
device from restoring the configuration profile designated as “Selected”.

Note: Before you enable the function, save the settings in the configuration profile. Current
changes that are saved temporarily are therefore maintained in the device.
Timeout [s] to recover after connection loss Specifies the time in seconds after which the device loads the “Selected”
configuration profile from the non-volatile memory (NVM) if the connection is lost.
Possible values:
 30..600 (default setting: 600)
Specify a sufficiently large value. Take into account the time when you are viewing the dialogs of
the graphical user interface without changing or updating them.
Watchdog IP address Displays the IP address of the PC on which you have enabled the function.
Possible values:
 IPv4 address (default setting: 0.0.0.0)


 Table

Parameters Meaning
Storage type Displays the storage location of the configuration profile.
Possible values:
 RAM (volatile memory of the device)
In the volatile memory, the device stores the settings for the current operation.
 NVM (non-volatile memory of the device)
From the non-volatile memory, the device loads the “Selected” configuration profile during a
restart or when applying the function Undo configuration modifications.
The non-volatile memory provides space for multiple configuration profiles, depending on the
number of settings saved in the configuration profile. The device manages a maximum of 20
configuration profiles in the non-volatile memory.
You can load a configuration profile into the volatile memory (RAM):
 In the table, highlight the configuration profile.
 Click the button and then the Activate item.
 ENVM (external memory)
On the external memory, the device saves a backup copy of the “Selected” configuration
profile.
The prerequisite is that in the Basic Settings > External Memory dialog you mark the
Backup config when saving checkbox.
Profile name Displays the name of the configuration profile.
Possible values:
 running-config
Name of the configuration profile in the volatile memory (RAM).
 config
Name of the factory setting configuration profile in the non-volatile memory (NVM).
 User-defined name
The device allows you to save a configuration profile with a user-specified name by highlighting
an existing configuration profile in the table, clicking the button and then the Save As...
item.
To export the configuration profile as an XML file on your PC, click the link. Then you select the
storage location and specify the file name.
To save the file on a remote server, click the button and then the Export... item.
Modification date (UTC) Displays the time (UTC) at which a user last saved the configuration profile.
Selected Displays whether the configuration profile is designated as “Selected”.
Possible values:
 marked
The configuration profile is designated as “Selected”.
– The device loads the configuration profile into the volatile memory (RAM) during a restart or
when applying the function Undo configuration modifications.
– When you click the button, the device saves the temporarily saved settings in this
configuration profile.
 unmarked
Another configuration profile is designated as “Selected”.
To designate another configuration profile as “Selected”, you highlight the desired configuration
profile in the table, click the button and then the Activate item.
Encrypted Displays whether the configuration profile is encrypted.
Possible values:
 marked
The configuration profile is encrypted.
 unmarked
The configuration profile is unencrypted.
You activate/deactivate the encryption of the configuration profile in the Configuration
encryption frame.

Encryption verified Displays whether the password of the encrypted configuration profile matches the password
stored in the device.
Possible values:
 marked
The passwords match. The device is able to decrypt the configuration profile.
 unmarked
The passwords are different. The device is unable to decrypt the configuration profile.
Software version Displays the version number of the device software that the device ran when it saved the
configuration profile.
Fingerprint Displays the checksum saved in the configuration profile.
The device calculates the checksum when saving the settings and inserts it into the configuration
profile.
Fingerprint verified Displays whether the checksum saved in the configuration profile is valid.
The device calculates the checksum of the configuration profile marked as “Selected” and
compares it with the checksum saved in this configuration profile.
Possible values:
 marked
The calculated and the saved checksum match.
The saved settings are consistent.
 unmarked
The following applies to the configuration profile marked as “Selected”:
The calculated and the saved checksum are different.
The configuration profile contains modified settings.
Possible causes:
– The file is damaged.
– The file system on the external memory is inconsistent.
– A user has exported the configuration profile and changed the XML file outside the device.
For the other configuration profiles the device has not calculated the checksum.
The device verifies the checksum correctly only if the configuration profile has been saved before
as follows:
– on an identical device
– with the same software version, which the device is running
– with a lower or the same level of the device software
such as OS-SwLevel-2A or OS-SwLevel-3S on a device which runs OS-SwLevel-3S

Note: This function identifies changes to the settings in the configuration profile. The function does
not provide protection against operating the device with modified settings.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Removes the configuration profile highlighted in the table from the non-volatile memory (NVM) or
from the external memory.
If the configuration profile is designated as "Selected", the device prevents you from removing the
configuration profile.
Transfers the settings from the volatile memory (RAM) into the configuration profile designated as
“Selected” in the non-volatile memory (NVM).
If in the Basic Settings > External Memory dialog the checkbox in the Backup config when
saving column is marked, the device generates a copy of the configuration profile on the external
memory.

Displays a sub menu with the following items.

Save As... Copies the configuration profile highlighted in the table and saves it with a user-specified name in
the non-volatile memory (NVM). The device designates the new configuration profile as “Selected”.

Note: Before creating additional configuration profiles, decide for or against permanently activated
configuration encryption in the device. Save additional configuration profiles either unencrypted or
encrypted with the same password.
If in the Basic Settings > External Memory dialog the checkbox in the Backup config when
saving column is marked, the device designates the configuration profile of the same name on
the external memory as “Selected”.
Activate Loads the settings of the configuration profile highlighted in the table to the volatile memory (RAM).
 The device terminates the connection to the graphical user interface.
 Reload the graphical user interface.
 Log in again.
 The device immediately uses the settings of the configuration profile on the fly.
Enable the Undo configuration modifications function before you activate another
configuration profile. If the connection is lost afterwards, the device loads the last configuration
profile designated as “Selected” from the non-volatile memory (NVM). The device can then be
accessed again.
If the configuration encryption is inactive, the device loads the configuration profile if it is
unencrypted. If the configuration encryption is active, the device loads the configuration profile if
it is encrypted and the password matches the password stored in the device.
When you activate an older configuration profile, the device takes over the settings of the functions
contained in this software version. The device sets the values of new functions to their default
value.
Select Designates the configuration profile highlighted in the table as “Selected”. In the Selected
column, the checkbox is then marked.
The device loads the settings of this configuration profile to the volatile memory (RAM) during a
restart or when applying the function Undo configuration modifications.
 Designate an unencrypted configuration profile only as “Selected” when the configuration
encryption in the device is disabled.
 Designate an encrypted configuration profile only as “Selected” when the following
prerequisites are fulfilled:
– The configuration encryption in the device is enabled.
– The password of the configuration profile matches the password saved in the device.
Otherwise, the device is unable to load and encrypt the settings in the configuration profile the next
time it restarts. For this case you specify in the Diagnostics > System > Selftest dialog
whether the device starts with the default settings or terminates the restart and stops.

Note: You only mark the configuration profiles saved in the non-volatile memory (NVM).
If in the Basic Settings > External Memory dialog the checkbox in the Backup config when
saving column is marked, the device designates the configuration profile of the same name on
the external memory as “Selected”.

Import... Opens the Import... window to import a configuration profile.
The prerequisite is that you have exported the configuration profile using the Export... button
or using the link in the Profile name column.
 In the Select source drop-down list, select from where the device imports the configuration
profile.
 PC/URL
The device imports the configuration profile from the local PC or from a remote server.
 External memory
The device imports the configuration profile from the selected external memory. See the
External memory frame.
 If PC/URL is selected above, then in the Import profile from PC/URL frame you specify the
configuration profile file to be imported.
– Import from the PC
If the file is located on your PC or on a network drive, drag and drop the file in the area.
Alternatively click in the area to select the file.
– Import from an FTP server
If the file is located on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
– Import from a TFTP server
If the file is located on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
– Import from an SCP or SFTP server
If the file is located on an SCP or SFTP server, specify the URL for the file in one of the
following forms:
scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you
enter User name and Password to log on to the server.
scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
 If External memory is selected above, then in the Import profile from external memory
frame you specify the configuration profile file to be imported.
In the Profile name drop-down list, select the name of the configuration profile to be
imported.
 In the Destination frame you specify where the device saves the imported configuration
profile.
In the Profile name field you specify the name under which the device saves the
configuration profile.
In the Storage type field you specify the storage location for the configuration profile. The
prerequisite is that in the Select source drop-down list you have selected the value PC/URL.
 RAM
The device saves the configuration profile in the volatile memory (RAM) of the device. This
replaces the running-config, and the device uses the settings of the imported configuration
profile immediately. The device terminates the connection to the graphical user interface.
Reload the graphical user interface and log in again.
 NVM
The device saves the configuration profile in the non-volatile memory (NVM) of the device.
When you import a configuration profile, the device takes over the settings as follows:
– If the configuration profile was exported on the same device or on an identically equipped
device of the same type:
The device takes over the settings completely.
If the device uses modules, also read the help text of the Basic Settings > Modules dialog.
– If the configuration profile was exported on another device:
The device takes over the settings which it can interpret based on its hardware equipment and
software level.
The remaining settings the device takes over from its running-config configuration profile.
Regarding configuration profile encryption, also read the help text of the Configuration
encryption frame. The device imports a configuration profile under the following conditions:
– The configuration encryption of the device is inactive. The configuration profile is unencrypted.
– The configuration encryption of the device is active. The configuration profile is encrypted with
the same password that the device currently uses.

Export... Exports the configuration profile highlighted in the table and saves it as an XML file on a remote
server.
To save the file on your PC, click the link in the Profile name column to select the storage
location and specify the file name.
The device gives you the following options for exporting a configuration profile:
 Export to an FTP server
To save the file on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
 Export to a TFTP server
To save the file on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
 Export to an SCP or SFTP server
To save the file on an SCP or SFTP server, specify the URL for the file in one of the following
forms:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Ok button, the device displays the Credentials window. There you
enter User name and Password to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Back to factory... Resets the settings in the device to the default values.
 The device deletes the saved configuration profiles from the volatile memory (RAM) and from
the non-volatile memory (NVM).
 The device deletes the HTTPS certificate used by the web server in the device.
 The device deletes the DSA/RSA key (Host Key) used by the SSH server in the device.
 If an external memory is connected, the device deletes the configuration profiles saved on the
external memory.
 After a brief period, the device reboots and loads the default values.
Back to default Deletes the current operating (running config) settings from the volatile memory (RAM).
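
The URL forms listed for Import... and Export... differ in what they expose on the network: FTP and TFTP transfer the profile unencrypted (FTP also the password from the URL), while SCP and SFTP run over SSH. The following Python sketch is an added example, not Hirschmann code; it checks a URL against those forms, reports findings and redacts the password for logs. Function names, finding labels and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Transport properties of the URL schemes the Import/Export dialogs accept.
# These are general protocol facts, not statements about device internals.
SCHEMES = {
    "ftp":  {"encrypted": False, "login": True},
    "tftp": {"encrypted": False, "login": False},
    "scp":  {"encrypted": True,  "login": True},
    "sftp": {"encrypted": True,  "login": True},
}


def review_transfer_url(url):
    """Return (redacted_url, findings) for one configuration-profile URL."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in SCHEMES:
        raise ValueError(f"scheme {scheme!r} is not one of {sorted(SCHEMES)}")
    if not parts.hostname or not parts.path.strip("/"):
        raise ValueError("URL needs a server address and a file name")

    findings = []
    if not SCHEMES[scheme]["encrypted"]:
        findings.append("cleartext-transport")
    if not SCHEMES[scheme]["login"]:
        findings.append("no-server-login")
    if parts.password is not None:
        findings.append("password-in-url")
        if not SCHEMES[scheme]["encrypted"]:
            findings.append("password-sent-in-cleartext")

    # Rebuild the URL without the secret so it can go into tickets and logs.
    userinfo = ""
    if parts.username:
        userinfo = parts.username + (":***" if parts.password is not None else "") + "@"
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    return f"{scheme}://{userinfo}{host}{parts.path}", findings


def audit(urls):
    """Map each redacted URL to its findings; rejected entries are listed by position."""
    report = {}
    for index, url in enumerate(urls, 1):
        try:
            redacted, findings = review_transfer_url(url)
        except ValueError as exc:
            # Never echo a rejected string: it may still contain a password.
            redacted, findings = f"<rejected #{index}>", [f"rejected: {exc}"]
        report[redacted] = findings
    return report


# Constructed sample URLs (documentation address range 192.0.2.0/24).
SAMPLE_URLS = [
    "ftp://backup:Secret1@192.0.2.10:21/grs-profile.xml",
    "tftp://192.0.2.10/configs/grs-profile.xml",
    "sftp://192.0.2.10/configs/grs-profile.xml",
    "scp://backup:Secret1@192.0.2.10/configs/grs-profile.xml",
]

if __name__ == "__main__":
    for redacted, findings in audit(SAMPLE_URLS).items():
        print(redacted, "->", findings or ["ok"])
```

The scp:// or sftp:// form without <user>:<password> yields no findings, because the device then asks for the credentials in the Credentials window instead of taking them from the URL.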

Basic Settings > External Memory

1.7 External Memory

This dialog allows you to activate functions that the device automatically executes in combination with
the external memory. The dialog also displays the operating state and identifying characteristics of the
external memory.

 Table

Parameters Meaning
Type Displays the type of the external memory.
Possible values:
 sd
External SD memory (ACA31)
 usb
External USB memory (ACA22)
Status Displays the operating state of the external memory.
Possible values:
 notPresent
No external memory connected.
 removed
Someone has removed the external memory from the device during operation.
 ok
The external memory is connected and ready for operation.
 outOfMemory
The memory space is occupied on the external memory.
 genericErr
The device has detected an error.
Writable Displays whether the device has write access to the external memory.
Possible values:
 marked
The device has write access to the external memory.
 unmarked
The device has read-only access to the external memory. Possibly the write protection is
activated on the external memory.
Software auto update Activates/deactivates the automatic device software update during the restart.
Possible values:
 marked (default setting)
The automatic device software update during the restart is activated. The device updates the
device software when the following files are located in the external memory:
– the image file of the device software
– a text file "startup.txt" with the content autoUpdate=<image_file_name>.bin
 unmarked
The automatic device software update during the restart is deactivated.

SSH key auto upload Activates/deactivates the loading of the DSA/RSA key from an external memory upon restart.
Possible values:
 marked (default setting)
The loading of the DSA/RSA key is activated.
During a restart, the device loads the DSA/RSA key from the external memory when the
following files are located on the external memory:
– SSH RSA key file
– SSH DSA key file
– a text file “startup.txt” with the content
autoUpdateRSA=<filename_of_the_SSH_RSA_key>
autoUpdateDSA=<filename_of_the_SSH_DSA_key>
The device displays messages on the system console of the V.24 interface.
 unmarked
The loading of the DSA/RSA key is deactivated.

Note: When loading the DSA/RSA key from the external memory (ENVM), the device overwrites
the existing keys in the non-volatile memory (NVM).
Config priority Specifies the memory from which the device loads the configuration profile upon reboot.
Possible values:
 disable
The device loads the configuration profile from the non-volatile memory (NVM).
 first, second
The device loads the configuration profile from the external memory designated as first. If
the device does not find a configuration profile there, it loads the configuration profile from the
external memory designated as second, and so on.
If the device does not find a configuration profile on the external memory, it loads the
configuration profile from the non-volatile memory (NVM).

Note: When loading the configuration profile from the external memory (ENVM), the device
overwrites the settings of the Selected configuration profile in the non-volatile memory (NVM).
If the Config priority column has the value first or second and the configuration profile is
unencrypted, the Security status frame in the Basic Settings > System dialog displays an
alarm.
In the Diagnostics > Status Configuration > Security Status dialog, Global tab,
Monitor column you specify whether the device monitors the Load unencrypted config from
external memory parameter.
Backup config when saving Activates/deactivates creating a copy of the configuration profile on the external memory.
Possible values:
 marked (default setting)
Creating a copy is activated. If you click in the Basic Settings > Load/Save dialog the Save
button, the device generates a copy of the configuration profile on the active external memory.
 unmarked
Creating a copy is deactivated. The device does not generate a copy of the configuration
profile.
Manufacturer ID Displays the name of the memory manufacturer.
Revision Displays the revision number specified by the memory manufacturer.
Version Displays the version number specified by the memory manufacturer.
Name Displays the product name specified by the memory manufacturer.
Serial number Displays the serial number specified by the memory manufacturer.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
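
With the default settings, a startup.txt on the external memory makes the device update its software and overwrite its SSH keys in the NVM at the next restart. The following Python sketch is an added example, not Hirschmann code; it reads a startup.txt and a file listing of a medium and reports what the conditions in the table above would let the device load. The one-pair-per-line layout, the exact key spelling, the verdict labels and the sample file names are assumptions made for illustration.

```python
# Keys the manual names for startup.txt, and which dialog setting gates each.
AUTO_KEYS = {
    "autoUpdate":    ("device software image", "software_auto_update"),
    "autoUpdateRSA": ("SSH RSA key",           "ssh_key_auto_upload"),
    "autoUpdateDSA": ("SSH DSA key",           "ssh_key_auto_upload"),
}


def parse_startup_txt(text):
    """Split startup.txt into recognised key=value entries and everything else.

    Assumption: one key=value pair per line, keys spelled exactly as in the manual.
    """
    entries, unrecognised = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if sep and key in AUTO_KEYS and value:
            entries[key] = value
        else:
            # Anything else needs a human look before the medium is plugged in.
            unrecognised.append((lineno, line))
    return entries, unrecognised


def restart_actions(startup_text, files_on_medium,
                    software_auto_update=True, ssh_key_auto_upload=True):
    """List what a restart would load from the medium.

    Both settings default to True because the manual gives "marked" as the
    default for Software auto update and SSH key auto upload.
    """
    settings = {"software_auto_update": software_auto_update,
                "ssh_key_auto_upload": ssh_key_auto_upload}
    present = set(files_on_medium)
    entries, unrecognised = parse_startup_txt(startup_text)
    actions = []
    for key, filename in entries.items():
        what, gate = AUTO_KEYS[key]
        if not settings[gate]:
            verdict = "setting-unmarked"
        elif filename not in present:
            verdict = "file-missing"
        else:
            verdict = "loads-on-restart"
        actions.append({
            "key": key, "file": filename, "what": what, "verdict": verdict,
            # Per the note in the table, loaded SSH keys replace those in the NVM.
            "overwrites_nvm_keys": verdict == "loads-on-restart" and key != "autoUpdate",
        })
    return actions, unrecognised


# Constructed sample: file names are placeholders, not real image or key names.
SAMPLE_STARTUP_TXT = """\
autoUpdate=image-constructed.bin
autoUpdateRSA=rsa-constructed.key
autoupdatedsa=dsa-constructed.key
"""
SAMPLE_FILES = ["startup.txt", "image-constructed.bin", "rsa-constructed.key"]

if __name__ == "__main__":
    actions, unrecognised = restart_actions(SAMPLE_STARTUP_TXT, SAMPLE_FILES)
    for action in actions:
        print(action)
    print("review manually:", unrecognised)
```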

Basic Settings > Port

1.8 Port

This dialog allows you to specify settings for the individual ports. The dialog also displays the operating
mode, connection status, bit rate and duplex mode for every port.

The dialog contains the following tabs:


 [Configuration]
 [Statistics]
 [Utilization]

[Configuration]

 Table

Parameters Meaning
Port Displays the port number.
Name Name of the port.
Possible values:
 Alphanumeric ASCII character string with 0..64 characters
The following characters are allowed:
– <space>
– 0..9
– a..z
– A..Z
– !#$%&'()*+,-./:;<=>?@[\]^_`{}~
Port on Activates/deactivates the port.
Possible values:
 marked (default setting)
The port is active.
 unmarked
The port is inactive. The port does not send or receive any data.
State Displays whether the port is currently physically enabled or disabled.
Possible values:
 marked
The port is physically enabled.
 unmarked
The port is physically disabled.
If the Port on function is active, the Auto-Disable function has disabled the port.
You specify the settings of the Auto-Disable function in the Diagnostics > Ports > Auto-
Disable dialog.
Power state (port off) Specifies whether the port is physically switched on or off when you deactivate the port with the
Port on function.
Possible values:
 marked
The port remains physically enabled. A connected device receives an active link.
 unmarked (default setting)
The port is physically disabled.
Auto power down Specifies how the port behaves when no cable is connected.
Possible values:
 no-power-save (default setting)
The port remains activated.
 auto-power-down
The port changes to the energy-saving mode.
 unsupported
The port does not support this function and remains activated.

Automatic configuration Activates/deactivates the automatic selection of the operating mode for the port.
Possible values:
 marked (default setting)
The automatic selection of the operating mode is active.
The port negotiates the operating mode independently using autonegotiation and detects the
devices connected to the TP port automatically (Auto Cable Crossing). This setting has priority
over the manual setting of the port.
It takes several seconds until the port has set the operating mode.
 unmarked
The automatic selection of the operating mode is inactive.
The port operates with the values you specify in the Manual configuration column and in
the Manual cable crossing (Auto. conf. off) column.
 Grayed-out display
No automatic selection of the operating mode.
Manual configuration Specifies the operating mode of the ports when the Automatic configuration function is
disabled.
Possible values:
 10 Mbit/s HDX
Half duplex connection
 10 Mbit/s FDX
Full duplex connection
 100 Mbit/s HDX
Half duplex connection
 100 Mbit/s FDX
Full duplex connection
 1000 Mbit/s FDX
Full duplex connection
 2500 Mbit/s FDX
Full duplex connection

Note: The operating modes of the port actually available depend on the device configuration and
the media module used.
Link/Current settings Displays the operating mode which the port currently uses.
Possible values:
 –
No cable connected, no link.
 10 Mbit/s HDX
Half duplex connection
 10 Mbit/s FDX
Full duplex connection
 100 Mbit/s HDX
Half duplex connection
 100 Mbit/s FDX
Full duplex connection
 1000 Mbit/s FDX
Full duplex connection
 2500 Mbit/s FDX
Full duplex connection

Note: The operating modes of the port actually available depend on the device configuration and
the media module used.

Manual cable crossing (Auto. conf. off) Specifies the devices connected to a TP port.
The prerequisite is that the Automatic configuration function is disabled.
Possible values:
 mdi
The device interchanges the send- and receive-line pairs on the port.
 mdix (default setting on TP ports)
The device prevents the interchange of the send- and receive-line pairs on the port.
 auto-mdix
The device detects the send and receive line pairs of the connected device and automatically
adapts to them.
Example: When you connect an end device with a crossed cable, the device automatically
resets the port from mdix to mdi.
 unsupported (default setting on optical ports or TP-SFP ports)
The port does not support this function.
Flow control Activates/deactivates the flow control on the port.
Possible values:
 marked (default setting)
The Flow control on the port is active.
The sending and evaluating of pause packets (full-duplex operation) or collisions (half-duplex
operation) is activated on the port.
 To enable the flow control in the device, also activate the Flow control function in the
Switching > Global dialog.
 Activate the flow control also on the port of the device that is connected to this port.
On an uplink port, activating the flow control can possibly cause undesired sending breaks in
the higher-level network segment (“wandering backpressure”).
 unmarked
The Flow control on the port is inactive.
When you are using a redundancy function, you deactivate the flow control on the participating
ports. If the flow control and the redundancy function are active at the same time, there is a risk
that the redundancy function will not operate as intended.
Send trap (Link up/down) Activates/deactivates the sending of SNMP traps when the device detects changes in the link
up/down status for this port.
Possible values:
 marked (default setting)
The sending of SNMP traps is active.
The device sends an SNMP trap when it detects a link up/down status change.
 unmarked
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
MTU Specifies the maximum allowed size of Ethernet packets on the port in bytes.
Possible values:
 1518..12288 (default setting: 1518)
With the setting 1518, the port transmits the Ethernet packets up to the following size:
– 1518 bytes without VLAN tag
(1514 bytes + 4 bytes CRC)
– 1522 bytes with VLAN tag
(1518 bytes + 4 bytes CRC)
This setting allows you to increase the size of the Ethernet packets for specific applications. The
following list contains possible applications:
 If you use the device in the transfer network with double VLAN tagging, you may require an
MTU that is larger by 4 bytes.
On other interfaces, you specify the maximum permissible size of the Ethernet packets as follows:
– Link Aggregation interfaces
Switching > L2-Redundancy > Link Aggregation dialog, MTU column

Signal Activates/deactivates the port LED flashing. This function allows you to identify the port in the field.
Possible values:
 marked
The flashing of the port LED is active.
The port LED flashes until you disable the function again.
 unmarked (default setting)
The flashing of the port LED is inactive.
Link monitoring Activates/deactivates the Link monitoring function on the interface.
Use the Link monitoring function for end devices that do not support Far End Fault Indication
(FEFI) on optical links.
Possible values:
 marked
The Link monitoring function is active.
If the device recognizes an established link, the port LED illuminates. When the device
recognizes that a link has been lost, the port LED extinguishes.
 unmarked (default setting)
The Link monitoring function is inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Clear port statistics Resets the counter for the port statistics to 0.

[Statistics]
This tab displays the following overview per port:

 Number of data packets/bytes received on the device


– Received packets
– Received octets
– Received unicast packets
– Received multicast packets
– Received broadcast packets

 Number of data packets/bytes sent from the device


– Transmitted packets
– Transmitted octets
– Transmitted unicast packets
– Transmitted multicast packets
– Transmitted broadcast packets

 Number of errors detected by the device


– Received fragments
– Detected CRC errors
– Detected collisions

 Number of data packets per size category received on and sent from the device
– Packets 64 bytes
– Packets 65 to 127 bytes
– Packets 128 to 255 bytes
– Packets 256 to 511 bytes
– Packets 512 to 1023 bytes
– Packets 1024 to 1518 bytes

 Number of data packets discarded by the device


– Received discards
– Transmitted discards
To sort the table by a specific criterion click the header of the corresponding column.
For example, to sort the table based on the number of received bytes in ascending order, click the
header of the Received octets column once. To sort in descending order, click the header again.
To reset the counter for the port statistics in the table to 0, proceed as follows:
 In the Basic Settings > Port dialog, click the button and then the Clear port statistics
item.
or
 In the Basic Settings > Restart dialog, click the Clear port statistics button.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Clear port statistics Resets the counter for the port statistics to 0.

[Utilization]
This tab displays the utilization (network load) for the individual ports.

 Table

Parameters Meaning
Port Displays the port number.
Utilization [%] Displays the current utilization in percent in relation to the time interval specified in the Control
interval [s] column.
The utilization is the relationship of the received data quantity to the maximum possible data
quantity at the currently configured data rate.
Lower threshold [%] Specifies a lower threshold for the utilization. If the utilization of the port falls below this value, the
Alarm column displays an alarm.
Possible values:
 0.00..100.00 (default setting: 0.00)
The value 0 deactivates the lower threshold.
Upper threshold [%] Specifies an upper threshold for the utilization. If the utilization of the port exceeds this value, the
Alarm column displays an alarm.
Possible values:
 0.00..100.00 (default setting: 0.00)
The value 0 deactivates the upper threshold.
Control interval [s] Specifies the interval in seconds.
Possible values:
 1..3600 (default setting: 30)
Alarm Displays the utilization alarm status.
Possible values:
 marked
The utilization of the port is below the value specified in the Lower threshold [%] column or
above the value specified in the Upper threshold [%] column. The device sends an SNMP
trap.
 unmarked
The utilization of the port is above the value specified in the Lower threshold [%] column
and below the value specified in the Upper threshold [%] column.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Clear port statistics Resets the counter for the port statistics to 0.

Basic Settings > Power over Ethernet

1.9 Power over Ethernet

In Power over Ethernet (PoE), the Power Source Equipment (PSE) supplies current to powered devices
(PD) such as IP phones through the twisted pair cable.
The product code and the PoE-specific labeling on the PSE device housing indicate whether your
device supports Power over Ethernet. The PoE ports of the device support Power over Ethernet
according to IEEE 802.3at.
The system provides an internal maximum power budget for the ports. The ports reserve power
according to the detected class of a connected powered device. The real delivered power is equal to or
less than the reserved power.
You manage the power output with the Priority parameter. When the sum of the power required by
the connected devices exceeds the power available, the device turns off power supplied to the ports
according to the configured priority, starting with the ports configured with low priority. When several
ports have a low priority, the device turns off power starting with the higher numbered ports.
The menu contains the following dialogs:
 PoE Global
 PoE Port

Basic Settings > Power over Ethernet > Global

1.9.1 PoE Global

Based on the settings specified in this dialog, the device provides power to the end-user devices. If the
power consumption reaches the user-specified threshold, the device sends an SNMP trap.

 Operation

Parameters Meaning
Operation Enables/disables the Power over Ethernet function.
Possible values:
 On (default setting)
The Power over Ethernet function is enabled.
 Off
The Power over Ethernet function is disabled.

 Configuration

Parameters Meaning
Send trap Activates/deactivates the sending of SNMP traps.
The device sends an SNMP trap when the power consumption exceeds the user-specified
threshold.
Possible values:
 marked (default setting)
The device sends SNMP traps.
 unmarked
The device does not send any SNMP traps.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Threshold [%] Specifies the threshold value for the power consumption in percent.
The device measures the total output power and sends an SNMP trap, if the power output exceeds
this threshold.
Possible values:
 0..99 (default setting: 90)

 System power

Parameters Meaning
Budget [W] Displays the sum of the power available for the global budget.
Reserved [W] Displays the global reserved power. The device reserves power according to the detected classes
of connected powered devices. Reserved power is equal to or less than the actual delivered
power.
Delivered [W] Displays the actual power delivered to the modules.

 Table

Parameters Meaning
Module Device module to which the table entries relate.
Configured power budget [W] Specifies the power of the modules for the distribution at the ports.
Possible values:
 0..n (default setting: n)
Here, n corresponds to the value in the Max. power budget [W] column.
Max. power budget [W] Displays the maximum power available for this module.
Reserved power [W] Displays the power reserved for the module according to the detected classes of the connected
powered devices.
Delivered power [W] Displays the actual power delivered to powered devices connected to this port.
Power source Displays the power sourcing equipment for the device.
Possible values:
 internal
Internal power source
 external
External power source
Threshold [%] Specifies the threshold value for the power consumption of the module in percent. The device
measures the total output power and sends an SNMP trap, if the power output exceeds this
threshold.
Possible values:
 0..99 (default setting: 90)
Send trap Activates/deactivates the sending of SNMP traps when the device detects that the power
consumption exceeds the threshold value.
Possible values:
 marked
The sending of SNMP traps is active.
The device sends an SNMP trap when the power consumption of the module exceeds the
user-defined threshold.
 unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Basic Settings > Power over Ethernet > Port

1.9.2 PoE Port

When power consumption is higher than deliverable power, then the device turns off power to the
powered devices (PD) according to the priority levels and port numbers. Should the PDs connected
require more power than the device provides, then the device deactivates the Power over Ethernet
function on the ports. The device disables the Power over Ethernet function on the ports with the
lowest priority first. If multiple ports have the same priority, the device first disables the Power over
Ethernet function on the ports with the higher port number. The device also turns off power to powered
devices (PD) for a specified time period.

 Table

Parameters Meaning
Port Displays the port number.
PoE enable Activates/deactivates the PoE power provided to the port.
When the function is activated or deactivated, the device logs an event in the log file (System Log).
Possible values:
 marked (default setting)
Providing PoE power to the port is active.
 unmarked
Providing PoE power to the port is inactive.
Fast startup Activates/deactivates the Power over Ethernet Fast Startup function on the port.
The prerequisite is that the checkbox in the PoE enable column is marked.
Possible values:
 marked
The fast start up function is active. The device sends power to the powered devices (PD)
immediately after turning the power to the device on.
 unmarked (default setting)
The fast start up function is inactive. The device sends power to the powered devices (PD)
after loading its own configuration.
Priority Specifies the port priority.
To prevent current overloads, the device disables ports with low priority first. To keep the
device from disabling the ports that supply important devices, specify a high priority for these ports.
Possible values:
 critical
 high
 low (default setting)
Status Displays the status of the port Powered Device (PD) detection.
Possible values:
 disabled
The device is in the DISABLED state and is not delivering power to the powered devices.
 deliveringPower
The device identified the class of the connected PD and is in the POWER ON state.
 fault
The device is in the TEST ERROR state.
 otherFault
The device is in the IDLE state.
 searching
The device is in a state other than the listed states.
 test
The device is in the TEST MODE.

Detected class Displays the power class of the powered device connected to the port.
Possible values:
 Class 0
 Class 1
 Class 2
 Class 3
 Class 4
Class 0, Class 1, Class 2, Class 3, Class 4 Activates/deactivates the current of the classes 0 to 4 on the port.
Possible values:
 marked (default setting)
 unmarked
Consumption [W] Displays the current power consumption of the port in watts.
Possible values:
 0,0..30,0
Power limit [W] Specifies the maximum power in watts that the port outputs.
This function allows you to distribute the power budget available among the PoE ports as required.
For example, for a connected device not providing a “Power Class”, the port reserves a fixed
amount of 15.4 W (class 0) even if the device requires less power. The surplus power is not
available to any other port.
By specifying the power limit, you reduce the reserved power to the actual requirement of the
connected device. The unused power is available to other ports.
If the exact power consumption of the connected powered device is unknown, then the device
displays the value in the Max. consumption [W] column. The power limit must be greater than
the value in the Max. consumption [W] column.
If the maximum observed power is greater than the set power limit, the device sees the power limit
as invalid. In this case, the device uses the PoE class for the calculation.
Possible values:
 0,0..30,0 (default setting: 0)
Max. consumption [W] Displays the maximum power in watts that the device has consumed so far.
You reset the value when you disable PoE on the port or terminate the connection to the
connected device.
Name Specifies the name of the port.
Specify the name of your choice.
Possible values:
 Alphanumeric ASCII character string with 0..32 characters
Auto-shutdown power Activates/deactivates the Auto-shutdown power function according to the settings.
Possible values:
 marked
 unmarked (default setting)
Disable power at [hh:mm] Specifies the time at which the device disables the power for the port upon activation of the
Auto-shutdown power function.
Possible values:
 00:00..23:59 (default setting: 00:00)
Re-enable power at [hh:mm] Specifies the time at which the device enables the power for the port upon activation of the
Auto-shutdown power function.
Possible values:
 00:00..23:59 (default setting: 00:00)

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
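
The power-shedding order described in sections 1.9 and 1.9.2, together with the Power limit [W] rule, can be checked offline before assigning priorities. The following Python model is an added example, not Hirschmann code and not the device algorithm itself; it applies the stated rules (lowest priority first, then the higher port number) to a constructed port list. Only the 15.4 W figure for class 0 is from this manual; the other class values are the IEEE 802.3at PSE allocations, and treating a power limit of 0 as "no limit configured" is an assumption.

```python
from dataclasses import dataclass

# Reserved power per detected class in watts. Class 0 = 15.4 W is stated in the
# manual; classes 1 to 4 are the IEEE 802.3at PSE values (assumption for this model).
CLASS_WATTS = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4, 4: 30.0}
PRIORITY_RANK = {"low": 0, "high": 1, "critical": 2}


@dataclass
class PoEPort:
    number: int
    priority: str = "low"          # default setting per the manual
    detected_class: int = 0
    power_limit: float = 0.0       # 0 is taken to mean "no limit configured"
    max_consumption: float = 0.0   # highest draw observed so far

    def reserved_watts(self):
        """Power the port reserves from the budget.

        A configured limit replaces the class value unless the observed
        maximum exceeds it; then the limit is invalid and the class applies.
        """
        if self.power_limit > 0 and self.max_consumption <= self.power_limit:
            return self.power_limit
        return CLASS_WATTS[self.detected_class]


def shed_ports(ports, budget_watts):
    """Return (ports switched off in order, reserved watts that remain)."""
    total = sum(p.reserved_watts() for p in ports)
    # Lowest priority first; within one priority the higher port number first.
    order = sorted(ports, key=lambda p: (PRIORITY_RANK[p.priority], -p.number))
    shed = []
    for port in order:
        if total <= budget_watts + 1e-9:
            break
        total -= port.reserved_watts()
        shed.append(port.number)
    return shed, round(total, 1)


# Constructed sample: five ports, port numbers simplified to integers.
SAMPLE_PORTS = [
    PoEPort(1, "critical", detected_class=4),
    PoEPort(2, "high", detected_class=3),
    PoEPort(3, "low", detected_class=0),
    PoEPort(4, "low", detected_class=0, power_limit=5.0, max_consumption=3.2),
    PoEPort(5, "low", detected_class=2, power_limit=4.0, max_consumption=6.1),
]

if __name__ == "__main__":
    for budget in (100.0, 62.0, 60.0):
        shed, remaining = shed_ports(SAMPLE_PORTS, budget)
        print(f"budget {budget:5.1f} W -> off: {shed}, still reserved: {remaining} W")
```

Port 4 shows the effect of a valid power limit (5.0 W reserved instead of 15.4 W), while port 5 falls back to its class value because its observed maximum exceeds the limit.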

Basic Settings > Restart

1.10 Restart

This dialog allows you to restart the device, reset port counters and address tables, and delete log files.

 Restart

Parameters Meaning
Restart in Displays the remaining time until the device restarts.
To update the display of the remaining time, click the button.
Cancel Aborts a delayed restart.
Cold start... Opens the Restart dialog to initiate an immediate or delayed restart of the device.
If the configuration profile in the volatile memory (RAM) and the "Selected" configuration profile in
the non-volatile memory (NVM) differ, the device displays the Warning dialog.
 To permanently save the changes, click the Yes button in the Warning dialog.
 To discard the changes, click No in the Warning dialog.
 In the Restart in field you specify the delay time for the delayed restart.
Possible values:
– 00:00:00..596:31:23 (default setting: 00:00:00)
When the delay time has elapsed, the device restarts and goes through the following phases:
 The device performs a RAM test if this function is activated in the Diagnostics > System >
Selftest dialog.
 The device starts the device software that the Stored version field displays in the Basic
Settings > Software dialog.
 The device loads the settings from the "Selected" configuration profile. See the Basic
Settings > Load/Save dialog.

Note: During the restart, the device does not transfer any data. During this time, the device cannot
be accessed by the graphical user interface or other management systems.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Reset MAC address table Removes from the forwarding table the MAC addresses that have the value learned
in the Status column of the Switching > Filter for MAC Addresses dialog.
Reset ARP table Removes the dynamically set up addresses from the ARP table.
See the Diagnostics > System > ARP dialog.
Clear port statistics Resets the counter for the port statistics to 0.
See the Basic Settings > Port dialog, Statistics tab.
Reset IGMP snooping data Removes the IGMP Snooping entries and resets the counter in the Information frame to 0.
See the Switching > IGMP Snooping > Global dialog.
Delete log file Removes the logged events from the log file.
See the Diagnostics > Report > System Log dialog.
Delete persistent log file Removes the log files from the external memory.
See the Diagnostics > Report > Persistent Logging dialog.
Clear email notification statistics Resets the counters in the Information frame to 0.
See the Diagnostics > Email Notification > Global dialog.

2 Time

The menu contains the following dialogs:


 Basic Settings
 SNTP
 PTP

2.1 Basic Settings

The device is equipped with a buffered hardware clock. This clock maintains the correct time if the power
supply fails or you disconnect the device from the power supply. After the device is started, the current
time is available to you, for example for log entries.
The hardware clock bridges a power supply downtime of 3 hours. The prerequisite is that the power
supply of the device has been connected continually for at least 5 minutes beforehand.
In this dialog, you specify time-related settings independently of the time synchronization protocol
specified.

The dialog contains the following tabs:


 [Global ]
 [Daylight saving time ]

[Global ]
In this tab, you specify the system time in the device and the time zone.

 Configuration

Parameters Meaning
System time (UTC) Displays the current date and time with reference to Universal Time Coordinated (UTC).
Set time from PC The device uses the time on the PC as the system time.
System time Displays the current date and time with reference to the local time: System time = System time
(UTC) + Local offset [min] + Daylight saving time
Time source Displays the time source from which the device gets the time information.
The device automatically selects the available time source with the greatest accuracy.
Possible values:
 local
System clock of the device.
 sntp
The SNTP client is activated and the device is synchronized by an SNTP server.
 ptp
PTP is activated and the clock of the device is synchronized with a PTP master clock.
Local offset [min] Specifies the difference between the local time and System time (UTC) in minutes: Local
offset [min] = System time − System time (UTC)
Possible values:
 -780..840 (default setting: 60)

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[Daylight saving time ]


In this tab, you activate the automatic daylight saving time function. You specify the beginning and the
end of summertime using a pre-defined profile, or you specify these settings individually. During
summertime, the device puts the local time forward by 1 hour.

 Operation

Parameters Meaning
Daylight saving time Enables/disables the Daylight saving time mode.
Possible values:
 On
The Daylight saving time mode is enabled.
The device automatically changes between summertime and wintertime.
 Off (default setting)
The Daylight saving time mode is disabled.
The times at which the device changes between summertime and wintertime are specified in the
Summertime begin and Summertime end frames.
Profile... Displays the Profile... dialog. There you select a pre-defined profile for the beginning and the
end of summertime. This profile overwrites the settings in the Summertime begin and
Summertime end frames.

 Summertime begin
In the first 3 fields you specify the day for the beginning of summertime, and in the last field the time.
The device switches to summertime when the time in the System time field reaches the value
entered here.

Parameters Meaning
Week Specifies the week in the current month.
Possible values:
 none (default setting)
 first
 second
 third
 fourth
 last
Day Specifies the day of the week.
Possible values:
 none (default setting)
 Sunday
 Monday
 Tuesday
 Wednesday
 Thursday
 Friday
 Saturday

Month Specifies the month.
Possible values:
 none (default setting)
 January
 February
 March
 April
 May
 June
 July
 August
 September
 October
 November
 December
System time Specifies the time.
Possible values:
 <HH:MM> (default setting: 00:00)

 Summertime end
In the first 3 fields you specify the day for the end of summertime, and in the last field the time.
The device switches to wintertime when the time in the System time field reaches the value entered
here.

Parameters Meaning
Week Specifies the week in the current month.
Possible values:
 none (default setting)
 first
 second
 third
 fourth
 last
Day Specifies the day of the week.
Possible values:
 none (default setting)
 Sunday
 Monday
 Tuesday
 Wednesday
 Thursday
 Friday
 Saturday

Month Specifies the month.
Possible values:
 none (default setting)
 January
 February
 March
 April
 May
 June
 July
 August
 September
 October
 November
 December
System time Specifies the time.
Possible values:
 <HH:MM> (default setting: 00:00)

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

2.2 SNTP

The Simple Network Time Protocol (SNTP) is a procedure described in RFC 4330 for time
synchronization in the network.
The device allows you to synchronize the system time in the device as an SNTP client. As the SNTP
server, the device makes the time information available to other devices.
The menu contains the following dialogs:
 SNTP Client
 SNTP Server

2.2.1 SNTP Client

In this dialog, you specify the settings with which the device operates as an SNTP client.
As an SNTP client the device obtains the time information from both SNTP servers and NTP servers
and synchronizes the local clock with the time of the time server.

 Operation

Parameters Meaning
Operation Enables/disables the SNTP Client function of the device.
Possible values:
 On
The SNTP Client function is enabled.
The device operates as an SNTP client.
 Off (default setting)
The SNTP Client function is disabled.

 Configuration

Parameters Meaning
Mode Specifies whether the device actively requests the time information from an SNTP server known
and configured in the network (Unicast mode) or passively waits for the time information from a
random SNTP server (Broadcast mode).
Possible values:
 unicast (default setting)
The device takes the time information from the configured SNTP server exclusively. The
device sends Unicast requests to the SNTP server and evaluates its responses.
 broadcast
The device obtains the time information from one or more SNTP or NTP servers. The device
evaluates the Broadcasts or Multicasts from these servers exclusively.
Request interval [s] Specifies the interval in seconds at which the device requests time information from the SNTP
server.
Possible values:
 5..3600 (default setting: 30)
Broadcast recv timeout [s] Specifies the time in seconds a client in broadcast client mode waits before
changing the value in the field from syncToRemoteServer to notSynchronized when the client receives no
broadcast packets.
Possible values:
 128..2048 (default setting: 320)
Disable client after successful sync Activates/deactivates the disabling of the SNTP client after the
device has successfully synchronized the time.
Possible values:
 marked
The disabling of the SNTP client is active.
The device deactivates the SNTP client after successful time synchronization.
 unmarked (default setting)
The disabling of the SNTP client is inactive.
The SNTP client remains active after successful time synchronization.

 State

Parameters Meaning
State Displays the status of the SNTP client.
Possible values:
 disabled
The SNTP client is disabled.
 notSynchronized
The SNTP client is not synchronized with any SNTP or NTP server.
 synchronizedToRemoteServer
The SNTP client is synchronized with an SNTP or NTP server.

 Table
In the table you specify the settings for up to 4 SNTP servers.

Parameters Meaning
Index Displays the index number to which the table entry relates.
Possible values:
 1..4
The device automatically assigns this number.
When you delete a table entry, this leaves a gap in the numbering. When you create a new table
entry, the device fills the first gap.
After starting, the device sends requests to the SNTP server configured in the first table entry. If
the server does not reply, the device sends its requests to the SNTP server configured in the next
table entry.
If none of the configured SNTP servers responds in the meantime, the SNTP client loses its
synchronization. The device cyclically sends requests to each SNTP server until a server delivers
a valid time. The device synchronizes itself with this SNTP server, even if the other servers can
be reached again later.
Name Specifies the name of the SNTP server.
Possible values:
 Alphanumeric ASCII character string with 1..32 characters
Address Specifies the IP address of the SNTP server.
Possible values:
 Valid IPv4 address or Hostname (default setting: 0.0.0.0)
Destination UDP port Specifies the UDP Port on which the SNTP server expects the time information.
Possible values:
 1..65535 (default setting: 123)
Exception: Port 2222 is reserved for internal functions.

Status Displays the connection status between the SNTP client and the SNTP server.
Possible values:
 success
The device has successfully synchronized the time with the SNTP server.
 badDateEncoded
The time information received contains protocol errors - synchronization failed.
 other
– The value 0.0.0.0 is entered for the IP address of the SNTP server - synchronization
failed.
or
– The SNTP client is using a different SNTP server.
 requestTimedOut
The device has not received a reply from the SNTP server - synchronization failed.
 serverKissOfDeath
The SNTP server is overloaded. The device is requested to synchronize itself with another
SNTP server. If no other SNTP server is available, the device asks at intervals longer than the
setting in the Request interval [s] field, whether the server is still overloaded.
 serverUnsychronized
The SNTP server is not synchronized with either a local or an external reference clock -
synchronization failed.
 versionNotSupported
The SNTP versions on the client and the server are incompatible with each other -
synchronization failed.
Active Activates/deactivates the connection to the SNTP server.
Possible values:
 marked
The connection to the SNTP server is activated.
The SNTP client has access to the SNTP server.
 unmarked (default setting)
The connection to the SNTP server is deactivated.
The SNTP client has no access to the SNTP server.
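
The following Python sketch is an added example, not part of the manual or the device software. It shows how an SNTP client can arrive at the Status values listed above by applying the RFC 4330 sanity checks to a reply, and how the table is walked in index order until a server delivers a valid time. The mapping of checks to status names, the accepted versions, the kiss codes treated as refusals and all sample packets and addresses are assumptions constructed for illustration.

```python
import struct
from typing import Dict, Optional, Tuple

NTP_UNIX_DELTA = 2_208_988_800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
ACCEPTED_VERSIONS = (3, 4)       # assumption: versions this illustrative client accepts
REFUSAL_CODES = ("DENY", "RSTR", "RATE")  # kiss codes that tell a client to back off


def build_request(tx_seconds: int, tx_fraction: int = 0) -> bytes:
    """48-byte SNTP client request: LI=0, VN=4, Mode=3, only Transmit Timestamp set."""
    first = (0 << 6) | (4 << 3) | 3
    return struct.pack("!B3x11I", first, *([0] * 9), tx_seconds, tx_fraction)


def build_reply(request: bytes, *, li: int = 0, vn: int = 4, mode: int = 4,
                stratum: int = 2, ref_id: bytes = b"\xc0\x00\x02\x01",
                tx_seconds: int = 3_721_000_000,
                originate: Optional[bytes] = None) -> bytes:
    """Constructed server reply used as sample input (not captured traffic)."""
    header = struct.pack("!BBbb", (li << 6) | (vn << 3) | mode, stratum, 6, -20)
    roots = struct.pack("!II4s", 0, 0, ref_id)       # root delay, dispersion, ref ID
    stamp = struct.pack("!II", tx_seconds, 0)
    echoed = request[40:48] if originate is None else originate
    # Layout: header, roots, Reference, Originate, Receive, Transmit timestamps
    return header + roots + stamp + echoed + stamp + stamp


def classify_reply(reply: Optional[bytes], request: bytes) -> Tuple[str, object]:
    """Return (status, detail) using the status names from the table above."""
    if reply is None:
        return "requestTimedOut", None
    if len(reply) < 48:
        return "badDateEncoded", "short packet"
    li, vn, mode = reply[0] >> 6, (reply[0] >> 3) & 0x7, reply[0] & 0x7
    stratum = reply[1]
    if vn not in ACCEPTED_VERSIONS:
        return "versionNotSupported", vn
    if mode != 4:                                    # 4 = server (unicast reply)
        return "badDateEncoded", "unexpected mode"
    if stratum == 0:                                 # reference ID carries a kiss code
        code = reply[12:16].decode("ascii", "replace")
        if code in REFUSAL_CODES:
            return "serverKissOfDeath", code
        return "serverUnsychronized", code
    if li == 3:                                      # leap indicator 3 = clock not set
        return "serverUnsychronized", None
    if reply[24:32] != request[40:48]:               # Originate must echo our Transmit
        return "badDateEncoded", "originate mismatch"
    tx_seconds, _ = struct.unpack("!II", reply[40:48])
    if tx_seconds == 0:
        return "badDateEncoded", "zero transmit timestamp"
    return "success", tx_seconds - NTP_UNIX_DELTA    # Unix seconds, UTC


def poll_table(table: Dict[int, Tuple[str, bool]], request: bytes,
               replies: Dict[str, bytes]) -> Tuple[Optional[int], Dict[int, str]]:
    """Walk active entries in index order; stop at the first server with a valid time."""
    statuses: Dict[int, str] = {}
    for index in sorted(table):
        address, active = table[index]
        if not active:
            continue
        if address == "0.0.0.0":                     # unconfigured entry
            statuses[index] = "other"
            continue
        statuses[index], _ = classify_reply(replies.get(address), request)
        if statuses[index] == "success":
            return index, statuses
    return None, statuses


if __name__ == "__main__":
    req = build_request(3_720_999_999)
    table = {1: ("0.0.0.0", True), 2: ("192.0.2.10", True), 3: ("192.0.2.11", True)}
    print(poll_table(table, req, {"192.0.2.11": build_reply(req)}))
```

The originate-timestamp comparison is the check that ties a reply to the request the client actually sent; a reply that fails it is rejected even when every other field looks valid.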

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

2.2.2 SNTP Server

In this dialog, you specify the settings with which the device operates as an SNTP server.
The SNTP server provides the Universal Time Coordinated (UTC) without considering local time
differences.
If the setting is appropriate, the SNTP server operates in the broadcast mode: In broadcast mode, the
SNTP server automatically sends broadcast messages or multicast messages according to the
broadcast send interval.

 Operation

Parameters Meaning
Operation Enables/disables the SNTP Server function of the device.
Possible values:
 On
The SNTP Server function is enabled.
The device operates as an SNTP server.
 Off (default setting)
The SNTP Server function is disabled.
Note the setting in the Disable server at local time source checkbox in the Configuration
frame.

 Configuration

Parameters Meaning
UDP port Specifies the number of the UDP port on which the SNTP server of the device receives requests
from other clients.
Possible values:
 1..65535 (default setting: 123)
Exception: Port 2222 is reserved for internal functions.
Broadcast admin mode Activates/deactivates the Broadcast mode:
 marked
The SNTP server replies to requests from SNTP clients in Unicast mode and also sends SNTP
packets in Broadcast mode as Broadcasts or Multicasts.
 unmarked (default setting)
The SNTP server replies to requests from SNTP clients in the Unicast mode.
Broadcast destination address Specifies the IP address to which the SNTP server of the device sends
the SNTP packets in Broadcast mode.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Broadcast and Multicast addresses are permitted.
Broadcast UDP port Specifies the number of the UDP port on which the SNTP server sends the SNTP
packets in Broadcast mode.
Possible values:
 1..65535 (default setting: 123)
Exception: Port 2222 is reserved for internal functions.

Broadcast VLAN ID Specifies the ID of the VLAN in which the SNTP server of the device sends the SNTP packets in
Broadcast mode.
Possible values:
 0
The SNTP server sends the SNTP packets in the same VLAN in which the management
access to the device is possible. See the Basic Settings > Network dialog.
 1..4042 (default setting: 1)
Broadcast send interval [s] Specifies the time interval at which the SNTP server of the device sends
SNTP broadcast packets.
Possible values:
 64..1024 (default setting: 128)
Disable server at local time source Activates/deactivates the disabling of the SNTP Broadcast server
when the device is synchronized to the local clock.
Possible values:
 marked
The disabling of the SNTP Broadcast server is active.
The device disables the SNTP Broadcast server when the device is synchronized to the local
clock. The SNTP server continues to reply to requests from SNTP clients. In the SNTP packet,
the SNTP server informs the clients that it is synchronized locally.
 unmarked (default setting)
The disabling of the SNTP Broadcast server is inactive.
The SNTP Broadcast server remains active when the device is synchronized to the local clock.

 State

Parameters Meaning
State Displays the state of the SNTP server.
Possible values:
 disabled
The SNTP server is disabled.
 notSynchronized
The SNTP server is not synchronized with either a local or an external reference clock.
 syncToLocal
The SNTP server is synchronized with the hardware clock of the device.
 syncToRefclock
The SNTP server is synchronized with an external reference clock, for example PTP.
 syncToRemoteServer
The SNTP server is synchronized with an SNTP server that is higher than the device in a
cascade.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

2.3 PTP

The menu contains the following dialogs:


 PTP Global
 PTP Boundary Clock
 PTP Transparent Clock

2.3.1 PTP Global

The Precision Time Protocol (PTP) is a procedure described in the IEEE 1588-2008 standard that
supplies the devices in the network with a precise time. The procedure enables the clocks in the network
to be synchronized to a degree of precision of just a few 100 ns. The protocol uses Multicast
communication, so the load on the network due to the PTP synchronization messages is negligible.
PTP is significantly more accurate than SNTP. If SNTP and PTP are enabled in the device at the same
time, then PTP has priority.
Using the “Best Master Clock” algorithm, the devices determine the devices in the network with the most
accurate time which are to be used as a reference time source (Grandmaster). Subsequently the
participating devices synchronize themselves with this reference time source.
If you want to transport PTP time accurately through your network, use devices with PTP hardware
support exclusively on the transport paths.
The protocol differentiates between the following clocks:
 Boundary Clock (BC)
This clock has any number of PTP ports and operates as both PTP master and PTP slave. In its
respective network segment, the clock operates as an Ordinary Clock.
– As PTP slave, the clock synchronizes itself with a PTP master that is higher than the device in the
cascade.
– As PTP master, the clock forwards the time information via the network to PTP slaves that are
higher than the device in the cascade.
 Transparent Clock (TC)
This clock has any number of PTP ports. In contrast to the Boundary Clock, this clock corrects the
time information before forwarding it, without synchronizing itself.
In this dialog, you specify basic settings for PTP.

 Operation IEEE1588/PTP

Parameters Meaning
Operation IEEE1588/PTP Enables/disables the PTP function.
Possible values:
 On
The PTP function is enabled.
The device synchronizes its clock with PTP.
If SNTP is enabled in the device at the same time, PTP has priority.
 Off (default setting)
The PTP function is disabled.
The device transmits the PTP synchronization messages without any correction at every port.

 Configuration IEEE1588/PTP

Parameters Meaning
PTP mode Specifies the PTP version and mode of the local clock.
Possible values:
 v2-transparent-clock (default setting)
 v2-boundary-clock

Sync lower bound [ns] Specifies the lower threshold value in nanoseconds for the path difference
between the local clock and the reference time source (Grandmaster). If the path difference falls
below this value one time, then the local clock is classed as synchronized.
Possible values:
 0..999999999 (default setting: 30)
Sync upper bound [ns] Specifies the upper threshold in nanoseconds for the path difference between
the local clock and the reference time source (Grandmaster). If the path difference exceeds this
value one time, then the local clock is classed as unsynchronized.
Possible values:
 31..1000000000 (default setting: 5000)
PTP management Activates/deactivates the PTP management defined in the PTP standard.
Possible values:
 marked
PTP management is activated.
 unmarked (default setting)
PTP management is deactivated.

 Status

Parameters Meaning
Is synchronized Displays whether the local clock is synchronized with the reference clock (Grandmaster).
The local clock is synchronized when the path difference between the local clock and the
reference clock (Grandmaster) falls below the synchronization lower threshold one time. This
status is kept until the path difference exceeds the synchronization upper threshold one time.
You specify the synchronization thresholds in the Configuration IEEE1588/PTP frame.
Max. offset absolute [ns] Displays the maximum path difference in nanoseconds that has occurred since
the local clock was synchronized with the reference clock (Grandmaster).
PTP time Displays the date and time for the PTP time scale when the local clock is synchronized with the
reference clock (Grandmaster). Format: Month Day, Year hh:mm:ss AM/PM

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

2.3.2 PTP Boundary Clock

With this menu you can configure the Boundary Clock mode for the local clock.
The menu contains the following dialogs:
 PTP Boundary Clock Global
 PTP Boundary Clock Port

2.3.2.1 PTP Boundary Clock Global

In this dialog, you enter general, cross-port settings for the Boundary Clock mode for the local clock.
The Boundary Clock (BC) operates according to PTP version 2 (IEEE 1588-2008).
The settings are effective when the local clock operates as the Boundary Clock (BC). To do this, select
the value v2-boundary-clock in the PTP mode field of the Time > PTP > Global dialog.

 Operation IEEE1588/PTPv2 BC

Parameters Meaning
Priority 1 Specifies priority 1 for the port.
Possible values:
 0..255 (default setting: 128)
The “Best Master Clock” algorithm first evaluates priority 1 of the participating devices in order to
determine the reference time source (Grandmaster).
The lower you set this value, the more probable it is that the device becomes the reference time
source (Grandmaster). See the Grandmaster frame.
Priority 2 Specifies priority 2 for the port.
Possible values:
 0..255 (default setting: 128)
The “Best Master Clock” algorithm evaluates priority 2 of the participating devices if the previously
evaluated criteria are the same for multiple devices.
The lower you set this value, the more probable it is that the device becomes the reference time
source (Grandmaster). See the Grandmaster frame.
Domain number Assigns the device to a PTP domain.
Possible values:
 0..255 (default setting: 0)
The device transmits time information from and to devices in the same domain exclusively.

 Status IEEE1588/PTPv2 BC

Parameters Meaning
Two step Displays that the clock is operating in Two-Step mode.
Steps removed Displays the number of communication paths passed through between the local clock of the
device and the reference clock (Grandmaster).
For a PTP slave, the value 1 means that the clock is connected with the reference time source
(Grandmaster) directly via 1 communication path.
Offset to master [ns] Displays the measured difference (offset) between the local clock and the
reference clock (Grandmaster) in nanoseconds. The PTP slave calculates the difference from the time
information received.
In Two-Step mode the time information consists of 2 PTP synchronization messages each, which
the PTP master sends cyclically:
 The first synchronization message (sync message) contains an estimated value for the exact
sending time of the message.
 The second synchronization message (follow-up message) contains the exact sending time of
the first message.
The PTP slave uses the two PTP synchronization messages to calculate the difference (offset)
from the master and corrects its clock by this difference. Here the PTP slave also considers the
Delay to master [ns] .

Delay to master [ns] Displays the delay when transmitting the PTP synchronization messages from the PTP master to
the PTP slave in nanoseconds.
The PTP slave sends a “Delay Request” packet to the PTP master and thus determines the exact
sending time of the packet. When it receives the packet, the PTP master generates a time stamp
and sends this in a “Delay Response” packet back to the PTP slave. The PTP slave uses the two
packets to calculate the delay, and considers this starting from the next offset measurement.
The prerequisite is that the delay mechanism value of the slave ports is specified as e2e .
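
The following Python sketch is an added example, not part of the manual or the device software. It carries the Offset to master and Delay to master descriptions through with the standard IEEE 1588 delay request-response arithmetic, shows how unequal path delays in the two directions distort the computed offset, and applies the Sync lower bound / Sync upper bound hysteresis from the Time > PTP > Global dialog. All timestamps are constructed, and resetting the maximum offset each time the clock becomes synchronized is an assumed reading of "since the local clock was synchronized".

```python
from dataclasses import dataclass
from typing import List, Tuple


def simulate_exchange(t1_ns: int, slave_ahead_ns: int, delay_ms_ns: int,
                      delay_sm_ns: int, turnaround_ns: int = 10_000
                      ) -> Tuple[int, int, int, int]:
    """Constructed timestamps for one sync/follow-up plus delay request/response cycle.

    t1: master sends the sync message (exact value arrives in the follow-up message)
    t2: slave receives the sync message, read from the slave clock
    t3: slave sends the Delay Request, read from the slave clock
    t4: master receives the Delay Request (returned in the Delay Response)
    """
    t2 = t1_ns + delay_ms_ns + slave_ahead_ns
    t3 = t2 + turnaround_ns
    t4 = (t3 - slave_ahead_ns) + delay_sm_ns
    return t1_ns, t2, t3, t4


def delay_to_master_ns(t1: int, t2: int, t3: int, t4: int) -> int:
    """Mean path delay: half of the two measured one-way intervals added together."""
    return ((t2 - t1) + (t4 - t3)) // 2


def offset_to_master_ns(t1: int, t2: int, delay_ns: int) -> int:
    """Slave minus master: what is left of (t2 - t1) after removing the path delay."""
    return (t2 - t1) - delay_ns


def measure(t1_ns: int, slave_ahead_ns: int, delay_ms_ns: int,
            delay_sm_ns: int) -> Tuple[int, int]:
    """Return (computed offset, computed delay) for one simulated exchange."""
    t1, t2, t3, t4 = simulate_exchange(t1_ns, slave_ahead_ns, delay_ms_ns, delay_sm_ns)
    delay = delay_to_master_ns(t1, t2, t3, t4)
    return offset_to_master_ns(t1, t2, delay), delay


@dataclass
class SyncMonitor:
    """Hysteresis between the two thresholds (defaults taken from the manual)."""
    lower_ns: int = 30
    upper_ns: int = 5000
    synchronized: bool = False
    max_offset_abs_ns: int = 0

    def update(self, offset_ns: int) -> bool:
        magnitude = abs(offset_ns)
        if not self.synchronized and magnitude < self.lower_ns:
            self.synchronized = True
            self.max_offset_abs_ns = 0       # assumption: restart the maximum here
        elif self.synchronized and magnitude > self.upper_ns:
            self.synchronized = False
        if self.synchronized:
            self.max_offset_abs_ns = max(self.max_offset_abs_ns, magnitude)
        return self.synchronized


def run_series(offsets_ns: List[int]) -> Tuple[List[bool], int]:
    """Feed a series of offsets through the monitor; return states and final maximum."""
    monitor = SyncMonitor()
    states = [monitor.update(offset) for offset in offsets_ns]
    return states, monitor.max_offset_abs_ns


if __name__ == "__main__":
    # Symmetric path: the 150 ns clock error is recovered exactly.
    print(measure(1_000_000, 150, 800, 800))
    # 1000 ns towards the slave, 600 ns back: the result is off by (1000 - 600) / 2.
    print(measure(1_000_000, 150, 1000, 600))
    print(run_series([4000, 900, 25, -200, 4800, 5200, 40, -10]))
```

The second call shows why asymmetrical paths need a correction: the arithmetic cannot tell a longer master-to-slave path from a clock error, so half of the difference between the two directions appears as offset.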

 Grandmaster
This frame displays the criteria that the “Best Master Clock” algorithm evaluates when determining the
reference clock (Grandmaster).
The algorithm first evaluates priority 1 of the participating devices. The device with the smallest value
for priority 1 becomes the reference time source (Grandmaster). If the value is the same for multiple
devices, the algorithm takes the next criterion, and if this is also the same, it takes the next criterion after
this one. If every value is the same for multiple devices, the smallest value in the Clock identity field
decides which device becomes the reference time source (Grandmaster).
The device allows you to influence which device in the network becomes the reference clock
(Grandmaster). To do this, you go to the Operation IEEE1588/PTPv2 BC frame and modify the value
in the Priority 1 field or the Priority 2 field.

Parameters Meaning
Priority 1 Displays priority 1 for the device that is currently the reference time source (Grandmaster).
Clock class Class of the reference clock (Grandmaster).
Parameter for the Best Master Clock algorithm.
Clock accuracy Estimated accuracy of the reference clock (Grandmaster).
Parameter for the Best Master Clock algorithm.
Clock variance Variance of the reference clock, also known as the “offset scaled log variance”.
Parameter for the Best Master Clock algorithm.
Priority 2 Displays priority 2 for the device that is currently the reference time source (Grandmaster).

 Local time properties

Parameters Meaning
Time source Specifies the time source from which the local clock gets its time information.
Possible values:
 atomicClock
 gps
 terrestrialRadio
 ptp
 ntp
 handSet
 other
 internalOscillator (default setting)
UTC offset [s] Specifies the difference between the PTP time scale and the UTC.
See the PTP timescale checkbox.
Possible values:
 -32768..32767

Note: The default setting is the value valid on the creation date of the device software.
You can find further information in the "Bulletin C" of the Earth Rotation and Reference Systems
Service (IERS): http://www.iers.org/IERS/EN/Publications/Bulletins/bulletins.html

UTC offset valid Specifies whether the value specified in the UTC offset [s] field is correct.
Possible values:
 marked
 unmarked (default setting)
Time traceable Displays whether the device gets the time from a primary UTC reference, for example from an
NTP server.
Possible values:
 marked
 unmarked
Frequency traceable Displays whether the device gets the frequency from a primary UTC reference, for
example from an NTP server.
Possible values:
 marked
 unmarked
PTP timescale Displays whether the device uses the PTP time scale.
Possible values:
 marked
 unmarked
According to IEEE 1588, the PTP time scale is the TAI atomic time started on 01.01.1970.
In contrast to UTC, TAI does not use leap seconds.
On 01.01.2011, the difference between TAI and UTC was +34 seconds.

 Identities

Parameters Meaning
Clock identity Displays the device’s own identification number (UUID).
Parent port identity Displays the port identification number (UUID) of the directly superior master device.
Grandmaster identity Displays the identification number (UUID) of the reference clock device.

The device displays the identities as byte sequences in hexadecimal notation.


The identification numbers (UUID) are made up as follows:
 The device identification number consists of the MAC address of the device, with the values ff and
fe added between byte 3 and byte 4.
 The port UUID consists of the device identification number followed by a 16-bit port ID.
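
The following Python sketch is an added example, not part of the manual or the device software. It builds the clock and port identities as described above and applies the evaluation order from the Grandmaster frame (priority 1, clock class, clock accuracy, clock variance, priority 2, then clock identity) to an inventory, so that you can check whether the device you intend as Grandmaster wins with the configured values. The device names, MAC addresses and dataset values are constructed, the big-endian port ID is an assumption, and the topology-dependent parts of the "Best Master Clock" algorithm are not modeled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Evaluation order as listed in the Grandmaster frame; the smaller value wins.
FIELDS = ("priority1", "clock_class", "clock_accuracy", "clock_variance",
          "priority2", "clock_identity")


def clock_identity_from_mac(mac: str) -> bytes:
    """MAC address with ff and fe added between byte 3 and byte 4."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address has exactly 6 bytes")
    return raw[:3] + b"\xff\xfe" + raw[3:]


def port_identity(clock_identity: bytes, port_id: int) -> bytes:
    """Clock identity followed by a 16-bit port ID (big-endian is an assumption)."""
    if not 0 <= port_id <= 0xFFFF:
        raise ValueError("port ID must fit into 16 bits")
    return clock_identity + port_id.to_bytes(2, "big")


@dataclass(frozen=True)
class ClockDataset:
    name: str              # hypothetical inventory label, not a PTP field
    priority1: int
    clock_class: int
    clock_accuracy: int
    clock_variance: int
    priority2: int
    clock_identity: bytes

    def rank(self) -> tuple:
        return tuple(getattr(self, field) for field in FIELDS)


def deciding_field(a: ClockDataset, b: ClockDataset) -> Optional[str]:
    """First criterion in evaluation order on which the two datasets differ."""
    for field in FIELDS:
        if getattr(a, field) != getattr(b, field):
            return field
    return None


def audit_election(clocks: List[ClockDataset],
                   intended: str) -> Tuple[bool, str, Optional[str]]:
    """Return (intended device wins?, winner, criterion that beat the runner-up)."""
    ranked = sorted(clocks, key=ClockDataset.rank)
    winner, runner_up = ranked[0], ranked[1]
    return winner.name == intended, winner.name, deciding_field(winner, runner_up)


def sample_inventory() -> List[ClockDataset]:
    """Constructed sample: one reference clock and two switches with default values."""
    return [
        ClockDataset("gm-a", 128, 6, 0x21, 0x4E5D, 128,
                     clock_identity_from_mac("00:00:5E:00:53:01")),
        ClockDataset("sw-b", 128, 248, 0xFE, 0xFFFF, 128,
                     clock_identity_from_mac("00:00:5E:00:53:02")),
        ClockDataset("sw-c", 128, 248, 0xFE, 0xFFFF, 128,
                     clock_identity_from_mac("00:00:5E:00:53:03")),
    ]


if __name__ == "__main__":
    identity = clock_identity_from_mac("00:00:5E:00:53:01")
    print(identity.hex(), port_identity(identity, 3).hex())
    print(audit_election(sample_inventory(), "gm-a"))
```

Because priority 1 is evaluated first, a single device left at a lower Priority 1 value than the intended reference clock takes over as Grandmaster regardless of clock class or accuracy, which is what the first element of the result flags.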

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

2.3.2.2 PTP Boundary Clock Port

In this dialog, you specify the Boundary Clock (BC) settings on each individual port.
The settings are effective when the local clock operates as the Boundary Clock (BC). To do this, select
the value v2-boundary-clock in the PTP mode field of the Time > PTP > Global dialog.

 Table

Parameters Meaning
Port Displays the port number.
PTP enable Activates/deactivates PTP synchronization message transmission on the port.
Possible values:
 marked (default setting)
The transmission is activated. The port sends and receives PTP synchronization messages.
 unmarked
The transmission is deactivated. The port blocks PTP synchronization messages.
PTP status Displays the current status of the port.
Possible values:
 initializing
Initialization phase
 faulty
Faulty mode: error in the PTP protocol.
 disabled
PTP is disabled on the port.
 listening
Device port is waiting for PTP synchronization messages.
 pre-master
PTP pre-master mode
 master
PTP master mode
 passive
PTP passive mode
 uncalibrated
PTP uncalibrated mode
 slave
PTP slave mode
Sync interval Specifies the interval in seconds at which the port transmits PTP synchronization messages.
Possible values:
 0.25
 0.5
 1 (default setting)
 2

Delay mechanism Specifies the mechanism with which the device measures the delay for transmitting the PTP
synchronization messages.
Possible values:
 disabled
The measurement of the delay for the PTP synchronization messages for the connected PTP
devices is inactive.
 e2e (default setting)
End-to-end: As the PTP slave, the port measures the delay for the PTP synchronization
messages to the PTP master.
The device displays the measured value in the Time > PTP > Boundary Clock > Global
dialog.
 p2p
Peer-to-peer: The device measures the delay for the PTP synchronization messages for the
connected PTP devices, provided that these devices support P2P.
This mechanism saves the device from having to determine the delay again in the case of a
reconfiguration.
P2P delay Displays the measured Peer-to-Peer delay for the PTP synchronization messages.
The prerequisite is that you select the value p2p in the Delay mechanism column.
P2P delay interval [s] Specifies the interval in seconds at which the port measures the Peer-to-Peer delay.
The prerequisite is that you have specified the value p2p on this port and on the port of the remote
terminal.
Possible values:
 1 (default setting)
 2
 4
 8
 16
 32
Network protocol Specifies which protocol the port uses to transmit the PTP synchronization messages.
Possible values:
 IEEE 802.3 (default setting)
 UDP/IPv4
Announce interval [s] Specifies the interval in seconds at which the port transmits messages for the
PTP topology discovery.
Assign the same value to every device of a PTP domain.
Possible values:
 1
 2 (default setting)
 4
 8
 16
Announce timeout Specifies the number of announce intervals.
Example:
For the default setting (Announce interval [s] = 2 and Announce timeout = 3), the timeout is
3 x 2 s = 6 s.
Possible values:
 2..10 (default setting: 3)
Assign the same value to every device of a PTP domain.
E2E delay interval [s] Displays the interval in seconds at which the port measures the End-to-End delay:
 If the port is operating as the PTP master, the device assigns the port the value 8.
 If the port is operating as the PTP slave, the value is specified by the PTP master connected
to the port.

V1 hardware compatibility Specifies whether the port adjusts the length of the PTP synchronization messages when you
have set the value udpIpv4 in the Network protocol column.
It is possible that other devices in the network expect the PTP synchronization messages to be
the same length as PTPv1 messages.
Possible values:
 auto (default setting)
The device automatically detects whether other devices in the network expect the PTP
synchronization messages to be the same length as PTPv1 messages. If this is the case, the
device extends the length of the PTP synchronization messages before transmitting them.
 on
The device extends the length of the PTP synchronization messages before transmitting them.
 off
The device transmits PTP synchronization messages without changing the length.
Asymmetry Corrects the measured delay value corrupted by asymmetrical transmission paths.
Possible values:
 -2000000000..2000000000 (default setting: 0)
The value represents the delay symmetry in nanoseconds.
A measured delay value of x ns corresponds to an asymmetry of x·2 ns.
The value is positive if the delay from the PTP master to the PTP slave is longer than in the
opposite direction.
VLAN Specifies the VLAN ID with which the device marks the PTP synchronization messages on this
port.
Possible values:
 none (default setting)
The device transmits PTP synchronization messages without a VLAN tag.
 0..4042
You specify VLANs that you have already set up in the device from the list.
Verify that the port is a member of the VLAN.
See the Switching > VLAN > Configuration dialog.
VLAN priority Specifies the priority with which the device transmits the PTP synchronization messages marked
with a VLAN ID (Layer 2, IEEE 802.1D).
Possible values:
 0..7 (default setting: 4)
If you have specified the value none in the VLAN column, the device ignores the VLAN priority.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Time > PTP > Transparent Clock

2.3.3 PTP Transparent Clock

With this menu you can configure the Transparent Clock mode for the local clock.
The menu contains the following dialogs:
 PTP Transparent Clock Global
 PTP Transparent Clock Port

Time > PTP > Transparent Clock > Global

2.3.3.1 PTP Transparent Clock Global

In this dialog, you enter general, cross-port settings for the Transparent Clock mode for the local clock.
The Transparent Clock (TC) operates according to PTP version 2 (IEEE 1588-2008).
The settings are effective when the local clock operates as the Transparent Clock (TC). For this, you
select the value v2-transparent-clock in the PTP mode field of the Time > PTP > Global dialog.

 Operation IEEE1588/PTPv2 TC

Parameters Meaning
Delay mechanism Specifies the mechanism with which the device measures the delay for transmitting the PTP
synchronization messages.
Possible values:
 e2e (default setting)
As the PTP slave, the port measures the delay for the PTP synchronization messages to the
PTP master.
The device displays the measured value in the Time > PTP > Transparent Clock > Global
dialog.
 p2p
The device measures the delay for the PTP synchronization messages for every connected
PTP device, provided that the device supports P2P.
This mechanism saves the device from having to determine the delay again in the case of a
reconfiguration.
If you specify this value, the value IEEE 802.3 is exclusively available in the Network
protocol field.
 e2e-optimized
Like e2e , with the following special characteristics:
– The device transmits the delay requests of the PTP slaves solely to the PTP master, even
though these requests are multicast messages. The device thus spares the other devices
from unnecessary multicast requests.
– If the master-slave topology changes, the device relearns the port for the PTP master as
soon as it receives a synchronization message from another PTP master.
– If the device does not know a PTP master, it transmits delay requests to the ports.
 disabled
The delay measuring is disabled on the port. The device discards messages for the delay
measuring.
Primary domain Assigns the device to a PTP domain.
Possible values:
 0..255 (default setting: 0)
The device transmits time information from and to devices in the same domain exclusively.
Network protocol Specifies which protocol the port uses to transmit the PTP synchronization messages.
Possible values:
 ieee8023 (default setting)
 udpIpv4
Multi domain mode Activates/deactivates the PTP synchronization message correction in every PTP domain.
Possible values:
 marked
The device corrects PTP synchronization messages in every PTP domain.
 unmarked (default setting)
The device corrects PTP synchronization messages in the primary PTP domain exclusively.
See the Primary domain field.

VLAN ID Specifies the VLAN ID with which the device marks the PTP synchronization messages on this
port.
Possible values:
 none (default setting)
The device transmits PTP synchronization messages without a VLAN tag.
 0..4042
You specify VLANs that you have already set up in the device from the list.
VLAN priority Specifies the priority with which the device transmits the PTP synchronization messages marked
with a VLAN ID (Layer 2, IEEE 802.1D).
Possible values:
 0..7 (default setting: 4)
If you have specified the value none in the VLAN ID field, the device ignores the specified value.

 Local synchronization

Parameters Meaning
Syntonize Activates/deactivates the frequency synchronization of the Transparent Clock with the PTP
master.
Possible values:
 marked (default setting)
The frequency synchronization is active.
The device synchronizes the frequency.
 unmarked
The frequency synchronization is inactive.
The frequency remains constant.
Synchronize local clock Activates/deactivates the synchronization of the local system time.
Possible values:
 marked
The synchronization is active.
The device synchronizes the local system time with the time received via PTP. The
prerequisite is that the Syntonize checkbox is marked.
 unmarked (default setting)
The synchronization is inactive.
The local system time remains constant.
Current master Displays the port identification number (UUID) of the master device to which the device
synchronizes its frequency.
If the value contains zeros exclusively, this is because:
 The Syntonize function is disabled.
or
 The device cannot find a PTP master.
Offset to master [ns] Displays the measured difference (offset) between the local clock and the PTP master in
nanoseconds. The device calculates the difference from the time information received.
The prerequisite is that the Synchronize local clock function is enabled.
Delay to master [ns] Displays the delay when transmitting the PTP synchronization messages from the PTP master to
the PTP slave in nanoseconds.
Prerequisite:
 The Synchronize local clock function is enabled.
 In the Delay mechanism field, the value e2e is selected.

 Status IEEE1588/PTPv2 TC

Parameters Meaning
Clock identity Displays the device’s own identification number (UUID).
The device displays the identities as byte sequences in hexadecimal notation.
The device identification number consists of the MAC address of the device, with the values ff
and fe added between byte 3 and byte 4.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Time > PTP > Transparent Clock > Port

2.3.3.2 PTP Transparent Clock Port

In this dialog, you specify the Transparent Clock (TC) settings on each individual port.
The settings are effective when the local clock operates as the Transparent Clock (TC). For this, you
select the value v2-transparent-clock in the PTP mode field of the Time > PTP > Global dialog.

 Table

Parameters Meaning
Port Displays the port number.
PTP enable Activates/deactivates the transmitting of PTP synchronization messages on the port.
Possible values:
 marked (default setting)
The transmitting is active.
The port sends and receives PTP synchronization messages.
 unmarked
The transmitting is inactive.
The port blocks PTP synchronization messages.
P2P delay interval [s] Specifies the interval in seconds at which the port measures the Peer-to-Peer delay.
The prerequisite is that you specify the value p2p on this port and on the port of the remote
terminal. See the Delay mechanism option list in the Time > PTP > Transparent Clock >
Global dialog.
Possible values:
 1 (default setting)
 2
 4
 8
 16
 32
P2P delay Displays the measured Peer-to-Peer delay for the PTP synchronization messages.
The prerequisite is that you select the radio button p2p in the Delay mechanism option list. See
the Delay mechanism field in the Time > PTP > Transparent Clock > Global dialog.
Asymmetry Corrects the measured delay value corrupted by asymmetrical transmission paths.
Possible values:
 -2000000000..2000000000 (default setting: 0)
The value represents the delay symmetry in nanoseconds.
A measured delay value of x ns corresponds to an asymmetry of x·2 ns.
The value is positive if the delay from the PTP master to the PTP slave is longer than in the
opposite direction.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

3 Device Security

The menu contains the following dialogs:


 User Management
 Authentication List
 LDAP
 Management Access
 Pre-login Banner

Device Security > User Management

3.1 User Management

The device allows users to access its management exclusively when they log in with valid login data.
In this dialog you manage the users of the local user management. You also specify the following
settings here:
 Settings for the login
 Settings for saving the passwords
 Specify policy for valid passwords
You specify the methods that the device uses for the authentication in the Device Security >
Authentication List dialog.

 Configuration
This frame allows you to specify settings for the login.

Parameters Meaning
Login attempts Number of login attempts possible.
Possible values:
 0..5 (default setting: 0)
If the user makes one more unsuccessful login attempt, the device locks access for the user.
Only users with the administrator authorization can remove the lock.
The value 0 deactivates the lock. The user has unlimited attempts to log in.
Min. password length The device accepts the password if it contains at least the number of characters specified here.
The device checks the password according to this setting, regardless of the setting for the Policy
check checkbox.
Possible values:
 1..64 (default setting: 6)

 Password policy
This frame allows you to specify the policy for valid passwords. The device checks every new
password and password change according to this policy.
The settings affect the Password column. The prerequisite is that you mark the checkbox in the
Policy check column.
Parameters Meaning
Upper-case characters (min.) The device accepts the password if it contains at least as many upper-case letters as specified
here.
Possible values:
 0..16 (default setting: 1)
The value 0 deactivates this setting.
Lower-case characters (min.) The device accepts the password if it contains at least as many lower-case letters as specified
here.
Possible values:
 0..16 (default setting: 1)
The value 0 deactivates this setting.

Digits (min.) The device accepts the password if it contains at least as many numbers as specified here.
Possible values:
 0..16 (default setting: 1)
The value 0 deactivates this setting.
Special characters (min.) The device accepts the password if it contains at least as many special characters as specified
here.
Possible values:
 0..16 (default setting: 1)
The value 0 deactivates this setting.

 Table
Every user requires an active user account to gain management access to the device. The table
allows you to set up and manage user accounts.
To change settings, click the desired parameter in the table and modify the value.

Parameters Meaning
User name Displays the name of the user account.
To create a new user account, click the button.
Active Activates/deactivates the user account.
Possible values:
 marked
The user account is active. The device accepts the login of a user with this user name.
 unmarked (default setting)
The user account is inactive. The device rejects the login of a user with this user name.
When one user account exists with the administrator access role, this user account is always
active.
Password Displays ***** (asterisks) instead of the password with which the user logs in. To change the
password, click the relevant field.
Possible values:
 Alphanumeric ASCII character string with 6..64 characters
The following characters are allowed:
– a..z
– A..Z
– 0..9
– #$%&'()*+,-./:;<=>?@_`
The minimum length of the password is specified in the Configuration frame. The device
differentiates between upper and lower case.
If the checkbox in the Policy check column is marked, the device checks the password
according to the policy specified in the Password policy frame.
The device always checks the minimum length of the password, even if the checkbox in the
Policy check column is unmarked.

Role Specifies the user role that regulates the access of the user to the individual functions of the
device.
Possible values:
 unauthorized
The user is blocked, and the device rejects the user log on.
Assign this value to temporarily lock the user account. If an error occurs when another role is
being assigned, the device assigns this role to the user account.
 guest (default setting)
The user is authorized to monitor the device.
 auditor
The user is authorized to monitor the device and to save the log file in the Diagnostics >
Report > Audit Trail dialog.
 operator
The user is authorized to monitor the device and to change the settings – with the exception
of security settings for device access.
 administrator
The user is authorized to monitor the device and to change the settings.
The device assigns the Service Type transferred in the response of a RADIUS server as follows
to a user role:
– Administrative-User: administrator
– Login-User: operator
– NAS-Prompt-User: guest
User locked Unlocks the user account.
Possible values:
 marked
The user account is locked. The user has no management access to the device.
The device automatically locks a user if the user makes too many unsuccessful log in attempts.
 unmarked (grayed out) (default setting)
The user account is unlocked. The user has management access to the device.
Policy check Activates/deactivates the password check.
Possible values:
 marked
The password check is activated.
When you set up or change the password, the device checks the password according to the
policy specified in the Password policy frame.
 unmarked (default setting)
The password check is deactivated.
SNMP auth type Specifies the authentication protocol that the device applies for user access via SNMPv3.
Possible values:
 hmacmd5 (default value)
For this user account, the device uses protocol HMACMD5.
 hmacsha
For this user account, the device uses protocol HMACSHA.
SNMP encryption type Specifies the encryption protocol that the device applies for user access via SNMPv3.
Possible values:
 none
No encryption
 des (default value)
DES encryption
 aesCfb128
AES128 encryption
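
The password rules described in this dialog, as an added Python example that is not part of the manual or of the device software: it checks a candidate password against the allowed character set, the always-enforced minimum length, and the Password policy counts that apply only when Policy check is marked. The class and function names are assumptions, and the sample passwords are constructed.

```python
import string
from dataclasses import dataclass

# Special characters the manual lists as allowed in the Password column.
SPECIALS = "#$%&'()*+,-./:;<=>?@_`"
ALLOWED = set(string.ascii_letters + string.digits + SPECIALS)
MAX_LENGTH = 64  # upper bound of the documented 6..64 range


@dataclass(frozen=True)
class PasswordPolicy:
    """Settings of the Configuration and Password policy frames (documented defaults)."""
    min_length: int = 6    # Min. password length
    min_upper: int = 1     # Upper-case characters (min.)
    min_lower: int = 1     # Lower-case characters (min.)
    min_digits: int = 1    # Digits (min.)
    min_special: int = 1   # Special characters (min.)


def check_password(password, policy=PasswordPolicy(), policy_check=False):
    """Return the list of violations; an empty list means the password passes."""
    problems = []

    illegal = sorted({c for c in password if c not in ALLOWED})
    if illegal:
        problems.append("characters not allowed: " + " ".join(map(repr, illegal)))
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # The minimum length applies whether or not Policy check is marked.
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")

    if policy_check:
        classes = [
            ("upper-case", string.ascii_uppercase, policy.min_upper),
            ("lower-case", string.ascii_lowercase, policy.min_lower),
            ("digit", string.digits, policy.min_digits),
            ("special", SPECIALS, policy.min_special),
        ]
        for name, members, minimum in classes:
            count = sum(c in members for c in password)
            if count < minimum:  # a minimum of 0 deactivates the class check
                problems.append(f"{name} characters: {count} of {minimum} required")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any device.
    samples = [("abcdef", False), ("abcdef", True),
               ("Summer2024!", True), ("Gr1d#Relay", True)]
    for candidate, checked in samples:
        print(candidate, checked, check_password(candidate, policy_check=checked))
```

With Policy check unmarked, a six-letter lower-case password passes, which is the default state of a new account. The exclamation mark is not in the documented character list, so it is reported as a disallowed character and does not count as a special character.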

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.
 In the User name field, you specify the name of the user account.
Possible values:
– Alphanumeric ASCII character string with 1..32 characters

Device Security > Authentication List

3.2 Authentication List

In this dialog you manage the authentication lists. In an authentication list you specify which method the
device uses for the authentication. You also have the option to assign pre-defined applications to the
authentication lists.
The device allows users to access its management exclusively when they log in with valid login data.
The device authenticates the users using the following methods:
 User management of the device
 LDAP
 RADIUS
With the port-based access control according to IEEE 802.1X, the device allows connected end devices
to access the network if they log in with valid login data. The device authenticates the end devices using
the following methods:
 RADIUS
 IAS (Integrated Authentication Server)
In the default setting the following authentication lists are available:
 defaultDot1x8021AuthList
 defaultLoginAuthList
 defaultV24AuthList

 Table

Parameters Meaning
Name Displays the name of the list.
To create a new list, click the button.

Possible values:
 Alphanumeric ASCII character string with 1..32 characters

Policy 1 to Policy 5 Specifies the authentication policy that the device uses for access using the application specified
in the Dedicated applications column.
The device gives you the option of a fall-back solution. For this, you specify another policy in each
of the policy fields. Depending on the order of the values entered in each policy, if the
authentication with the specified policy is unsuccessful, the device can use the next policy.
Possible values:
 local (default setting)
The device authenticates the users by using the local user management. See the Device
Security > User Management dialog.
You cannot assign this value to the authentication list defaultDot1x8021AuthList.
 radius
The device authenticates the users with a RADIUS server in the network. You specify the
RADIUS server in the Network Security > RADIUS > Authentication Server dialog.
 reject
The device accepts or rejects the authentication depending on which policy you try first. The
following list contains authentication scenarios:
– If the first policy in the authentication list is local and the device accepts the credentials
of the user, then it logs the user in without attempting the other policies.
– If the first policy in the authentication list is local and the device denies the credentials of
the user, then it attempts to log the user in using the other policies in the order specified.
– If the first policy in the authentication list is radius or ldap and the device rejects a login,
then the login is immediately rejected without attempting to log in the user using another
policy.
If there is no response from the RADIUS or LDAP server, the device attempts to
authenticate the user with the next policy.
– If the first policy in the authentication list is reject, then the device immediately rejects
the user login without attempting another policy.
– Verify that the authentication list defaultV24AuthList contains at least one policy
different from reject.
 ias
The device authenticates the end devices logging in via 802.1X with the integrated
authentication server (IAS). The integrated authentication server manages the log in data in a
separate database. See the Network Security > 802.1X Port Authentication >
Integrated Authentication Server dialog.
You can only assign this value to the authentication list defaultDot1x8021AuthList.
 ldap
The device authenticates the users with authentication data and access role saved in a central
location. You specify the Active Directory server that the device uses in the Network
Security > LDAP > Configuration dialog.
Dedicated applications Displays the dedicated applications. When users access the device with the relevant application,
the device uses the specified policies for the authentication.

To allocate another application to the list or remove the allocation, click the button and then
the Allocate applications item. Allocate one application solely to one list.
Active Activates/deactivates the list.
Possible values:
 marked
The list is activated. The device uses the policies in this list when users access the device with
the relevant application.
 unmarked (default setting)
The list is deactivated.

Note: If the table does not contain a list, the management access is possible using CLI through the
V.24 interface of the device exclusively. In this case, the device authenticates the user by using the
local user management. See the Device Security > User Management dialog.
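
The fall-back behavior of the policies, as an added Python example that is not part of the manual or of the device software: it walks an authentication list for one login attempt and reports which back ends were consulted. The manual states the scenarios for the first policy; applying the same rule at every position, treating an exhausted list as a rejected login, and all names and outcomes used here are assumptions.

```python
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"            # credentials accepted
    REJECT = "reject"            # credentials denied by local DB or by the server
    NO_RESPONSE = "no response"  # RADIUS/LDAP server did not answer


SERVER_POLICIES = {"radius", "ldap"}
KNOWN_POLICIES = SERVER_POLICIES | {"local", "reject"}


def evaluate_auth_list(policies, results):
    """Walk the policies in order and return (granted, consulted, decided_by).

    policies: values of Policy 1 to Policy 5, e.g. ["radius", "local", "reject"]
    results:  constructed outcome of each back end for one login attempt
    """
    consulted = []
    for policy in policies:
        if policy not in KNOWN_POLICIES:
            raise ValueError(f"policy not modelled here: {policy}")
        if policy == "reject":
            return False, consulted, "reject"
        consulted.append(policy)
        result = results[policy]
        if result is Result.ACCEPT:
            return True, consulted, policy
        if policy in SERVER_POLICIES and result is Result.REJECT:
            # An explicit reject from the server ends the login attempt.
            return False, consulted, policy
        # local denied the credentials, or the server was silent: next policy.
    return False, consulted, None  # list exhausted (assumed to mean: no login)


def reach_conditions(policies):
    """For each policy, list what must happen before the device gets that far."""
    reached, conditions = [], []
    for policy in policies:
        reached.append((policy, list(conditions)))
        if policy == "reject":
            break  # nothing after reject is ever consulted
        conditions.append(f"{policy} denies" if policy == "local"
                          else f"{policy} gives no response")
    return reached


if __name__ == "__main__":
    auth_list = ["radius", "local", "reject"]  # constructed example list
    for outcome in (Result.REJECT, Result.NO_RESPONSE):
        print(outcome.value, "->",
              evaluate_auth_list(auth_list, {"radius": outcome, "local": Result.ACCEPT}))
    for policy, needs in reach_conditions(auth_list):
        print(policy, "is consulted when:", needs or "always")
```

In a list that starts with radius, the local user management decides the login whenever the server gives no response, so local accounts in such a list need the same password policy and lock settings as accounts used for direct local login.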

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Allocate applications Opens the Allocate applications window.
 The left field displays the applications that can be allocated to the highlighted list.
 The right field displays the applications that are allocated to the highlighted list.
 Buttons:
Moves every entry to the right field.
Moves the highlighted entries from the left field to the right field.
Moves the highlighted entries from the right field to the left field.
Moves every entry to the left field.

Do not move the entry WebInterface to the left field. Otherwise, the connection to the device is
lost after you click the Ok button.

Device Security > LDAP

3.3 LDAP

The Lightweight Directory Access Protocol (LDAP) allows you to authenticate and authorize the users
at a central point in the network. A widely used directory service accessible through LDAP is Active
Directory®.
The device forwards the login data of the user to the authentication server using the LDAP protocol.
The authentication server decides whether the login data is valid and transfers the user’s authorizations
to the device.
Upon successful log on, the device saves the log on data temporarily in the cache. This speeds up the
log on process when users log on again. In this case, no complex LDAP search operation is necessary.
The menu contains the following dialogs:
 LDAP Configuration
 LDAP Role Mapping

Device Security > LDAP > Configuration

3.3.1 LDAP Configuration

This dialog allows you to specify up to 4 authentication servers. An authentication server authenticates
and authorizes the users when the device forwards the login data to the server.
The device sends the log on data to the first authentication server. If no response comes from this
server, the device contacts the next server in the table.

 Operation

Parameters Meaning
Operation Enables/disables the LDAP client.
The device uses the LDAP client if, in the Device Security > Authentication List dialog, you
specify the value ldap in 1 of the rows Policy 1 to Policy 5. Prior to this, specify in the Device
Security > LDAP > Role Mapping dialog at least 1 mapping for the role administrator. This
provides you access to the device as administrator after logging on through LDAP.
Possible values:
 On
The LDAP client is enabled.
 Off (default setting)
The LDAP client is disabled.

 Configuration

Parameters Meaning
Client cache timeout [min] Specifies for how many minutes after successfully logging on the logon data of a user remain valid.
When a user logs on again within this time, no complex LDAP search operation is necessary. The
logon process is much faster.
Possible values:
 1..1440 (default setting: 10)
Bind user Specifies the user ID in the form of the “Distinguished Name” (DN) with which the device logs on
to the LDAP server.
This information is necessary if the LDAP server requires a user ID in the form of the
“Distinguished Name” (DN) for the log on. In Active Directory environments, this information is
unnecessary.
The device logs on to the LDAP server with the user ID to find the “Distinguished Name” (DN) for
the users logging on. The device conducts the search according to the settings in the fields Base
DN and User name attribute .
Possible values:
 Alphanumeric ASCII character string with 0..64 characters
Bind user password Specifies the password which the device uses together with the user ID specified in the Bind user
field when logging on to the LDAP server.
Possible values:
 Alphanumeric ASCII character string with 0..64 characters
Base DN Specifies the starting point for the search in the directory tree in the form of the “Distinguished
Name” (DN).
Possible values:
 Alphanumeric ASCII character string with 0..255 characters

User name attribute Specifies the LDAP attribute which contains a biunique user name. Afterwards, the user uses the
user name contained in this attribute to log on.
Often the LDAP attributes userPrincipalName, mail, sAMAccountName and uid contain a unique
user name.
The device adds the character string specified in the Default domain field to the user name
under the following conditions:
– The user name contained in the attribute does not contain the @ character.
– In the Default domain field, a domain name is specified.
Possible values:
 Alphanumeric ASCII character string with 0..64 characters
(default setting: userPrincipalName)
Default domain Specifies the character string which the device adds to the user name of users logging on if the user
name does not contain the @ character.
Possible values:
 Alphanumeric ASCII character string with 0..64 characters

 CA certificate

Parameters Meaning
URL Specifies the path and file name of the certificate.
The device accepts certificates with the following properties:
– X.509 format
– .PEM file name extension
– Base64-coded, enclosed by
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
For security reasons, we recommend always using a certificate which is signed by a certification
authority.
The device gives you the following options for copying the certificate to the device:
 Import from the PC
If the certificate is located on your PC or on a network drive, drag and drop the certificate in the
area. Alternatively click in the area to select the certificate.
 Import from an FTP server
If the certificate is on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<path>/<file name>
 Import from a TFTP server
If the certificate is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
 Import from an SCP or SFTP server
If the certificate is on an SCP or SFTP server, you specify the URL for the file in the following
form:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you
enter User name and Password , to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start Copies the certificate specified in the URL field to the device.

 Table

Parameters Meaning
Index Displays the index number to which the table entry relates.

Description Specifies the description.
If you wish, you describe the authentication server here or note additional information.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Address Specifies the IP address or the DNS name of the server.
Possible values:
 IPv4 address (default setting: 0.0.0.0)
 DNS name in the format <domain>.<tld> or <host>.<domain>.<tld>
 _ldap._tcp.<domain>.<tld>
Using this DNS name, the device queries the LDAP server list (SRV Resource Record) from
the DNS server.
Use a DNS name if a value other than none is specified in the Connection security row and
the certificate contains only DNS names of the server. Enable the Client function in the
Advanced > DNS > Client > Global dialog.
Destination TCP port Specifies the TCP port on which the server expects the requests.
If you have specified the value _ldap._tcp.domain.tld in the Address column, the device
ignores this value.
Possible values:
 0..65535 (default setting: 389)
Exception: Port 2222 is reserved for internal functions.
Frequently used TCP-Ports:
– LDAP: 389
– LDAP over SSL: 636
– Active Directory Global Catalogue: 3268
– Active Directory Global Catalogue SSL: 3269
Connection security Specifies the protocol which encrypts the communication between the device and the
authentication server.
Possible values:
 none
No encryption.
The device establishes an LDAP connection to the server and transmits the communication
including the passwords in clear text.
 ssl
Encryption with SSL.
The device establishes a TLS connection to the server and tunnels the LDAP communication
over it.
 startTLS (default setting)
Encryption with startTLS extension.
The device establishes an LDAP connection to the server and encrypts the communication.
The prerequisite for encrypted communication is that the device uses the correct time. If the
certificate contains only the DNS names, you specify the DNS name of the server in the Address
row. Enable the Client function in the Advanced > DNS > Client > Global dialog.
If the certificate contains the IP address of the server in the “Subject Alternative Name” field, the
device is able to verify the identity of the server without the DNS configuration.
Server status Displays the connection status and the authentication with the authentication server.
Possible values:
 ok
The server is reachable.
If in the Connection security row a value other than none is specified, the device has
verified the certificate of the server.
 unreachable
Server is unreachable.
 other
The device has not established a connection to the server yet.

Active Activates/deactivates the use of the server.
Possible values:
 marked
The device uses the server.
 unmarked (default setting)
The device does not use the server.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Flush cache Removes the cached log on data of the successfully logged on users.

Device Security > LDAP > Role Mapping

3.3.2 LDAP Role Mapping

This dialog allows you to create up to 64 mappings to assign a role to users.


In the table, you specify whether the device assigns a role to the user based on an attribute with a
specific value or based on the group membership.
 The device searches for the attribute and the attribute value within the user object.
 By evaluating the “Distinguished Name” (DN) contained in the member attributes, the device checks
the group membership.
When a user logs on, the device searches for the following information on the LDAP server:
 In the related user object, the device searches for attributes specified in the mappings.
 In the group objects of the groups specified in the mappings, the device searches for the member
attributes.
On this basis, the device checks any mapping.
– Does the user object contain the required attribute?
or
– Is the user a member of the group?
If the device does not find a match, the user does not get access to the device.
If the device finds more than 1 mapping that applies to a user, the setting in the Matching policy field
decides. The user either obtains the role with the more extensive authorizations or the 1st role in the
table that applies.

 Configuration

Parameters Meaning
Matching policy Specifies which role the device applies if more than 1 mapping applies to a user.
Possible values:
 highest (default setting)
The device applies the role with more extensive authorizations.
 first
Of the mappings that apply to the user, the device applies the role from the one with the lowest value in the Index column.

 Table

Parameters Meaning
Index Displays the index number to which the table entry relates.

Role Specifies the user role that regulates the access of the user to the individual functions of the
device.
Possible values:
 unauthorized
The user is blocked, and the device rejects the user log on.
Assign this value to temporarily lock the user account. If an error occurs when another role is
being assigned, the device assigns this role to the user account.
 guest (default setting)
The user is authorized to monitor the device.
 auditor
The user is authorized to monitor the device and to save the log file in the Diagnostics >
Report > Audit Trail dialog.
 operator
The user is authorized to monitor the device and to change the settings – with the exception
of security settings for device access.
 administrator
The user is authorized to monitor the device and to change the settings.
Type Specifies whether a group or an attribute with an attribute value is set in the Parameter column.
Possible values:
 attribute (default setting)
The Parameter column contains an attribute with an attribute value.
 group
The Parameter column contains the “Distinguished Name” (DN) of a group.
Parameter Specifies a group or an attribute with an attribute value, depending on the setting in the Type
column.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
The device differentiates between upper and lower case.
– If in the Type column the value attribute is specified, you specify the attribute in the form
of Attribute_name=Attribute_value.
Example: l=Germany
– If in the Type column the value group is specified, you specify the “Distinguished Name”
(DN) of a group.
Example: CN=admin-users,OU=Groups,DC=example,DC=com
Active Activates/deactivates the role mapping.
Possible values:
 marked (default setting)
The role mapping is active.
 unmarked
The role mapping is inactive.
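
The decision logic described in this dialog, modelled offline as an added example (not Hirschmann code and not part of the original manual). The ranking in ROLE_RANK, the Mapping and User classes, the employeeType attribute and all sample entries are assumptions constructed for illustration; under them, an unauthorized mapping meant to lock an account only takes effect with the policy first and the lock entry at the lowest index.

```python
from dataclasses import dataclass

# Assumption: ranking from least to most extensive authorizations, in the
# order in which the Role column lists its values.
ROLE_RANK = {"unauthorized": 0, "guest": 1, "auditor": 2,
             "operator": 3, "administrator": 4}


@dataclass
class Mapping:
    index: int            # Index column, 1..64
    role: str             # Role column
    type: str             # Type column: "attribute" or "group"
    parameter: str        # Parameter column
    active: bool = True   # Active column


@dataclass
class User:
    dn: str               # Distinguished Name of the user object
    attrs: dict           # attribute name -> list of values


def mapping_applies(m, user, group_members):
    """True if an active mapping matches the user (case-sensitive comparison)."""
    if not m.active:
        return False
    if m.type == "attribute":
        # Parameter has the form Attribute_name=Attribute_value.
        name, sep, value = m.parameter.partition("=")
        return bool(sep) and value in user.attrs.get(name, [])
    if m.type == "group":
        # Parameter is the group DN; membership is checked via member DNs.
        return user.dn in group_members.get(m.parameter, [])
    return False


def resolve_role(mappings, policy, user, group_members):
    """Return the role the user obtains, or None when no mapping applies."""
    hits = sorted((m for m in mappings
                   if mapping_applies(m, user, group_members)),
                  key=lambda m: m.index)
    if not hits:
        return None                      # no match: no access to the device
    if policy == "first":
        return hits[0].role
    if policy == "highest":
        return max(hits, key=lambda m: ROLE_RANK[m.role]).role
    raise ValueError(f"unknown matching policy: {policy!r}")


def overridden_locks(mappings, policy, users, group_members):
    """DNs of users who match an 'unauthorized' mapping yet obtain another role."""
    found = []
    for u in users:
        locked = any(m.role == "unauthorized"
                     and mapping_applies(m, u, group_members)
                     for m in mappings)
        if locked and resolve_role(mappings, policy, u, group_members) != "unauthorized":
            found.append(u.dn)
    return found


# Constructed sample data (not taken from a real directory).
ADMIN_GROUP = "CN=admin-users,OU=Groups,DC=example,DC=com"
ALICE = User("CN=alice,OU=People,DC=example,DC=com",
             {"l": ["Germany"], "employeeType": ["suspended"]})
BOB = User("CN=bob,OU=People,DC=example,DC=com", {"l": ["germany"]})
GROUPS = {ADMIN_GROUP: [ALICE.dn]}
MAPPINGS = [
    Mapping(1, "guest", "attribute", "l=Germany"),
    Mapping(2, "administrator", "group", ADMIN_GROUP),
    Mapping(3, "unauthorized", "attribute", "employeeType=suspended"),
]
# The same mappings with the lock entry moved to the lowest index.
LOCK_FIRST = [
    Mapping(1, "unauthorized", "attribute", "employeeType=suspended"),
    Mapping(2, "guest", "attribute", "l=Germany"),
    Mapping(3, "administrator", "group", ADMIN_GROUP),
]

if __name__ == "__main__":
    for table_name, table in (("MAPPINGS", MAPPINGS), ("LOCK_FIRST", LOCK_FIRST)):
        for policy in ("highest", "first"):
            role = resolve_role(table, policy, ALICE, GROUPS)
            bypass = overridden_locks(table, policy, [ALICE, BOB], GROUPS)
            print(f"{table_name:10} {policy:8} alice={role} overridden={bypass}")
```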

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.
 In the Index field, you specify the index number.
Possible values:
– 1..64

Device Security > Management Access

3.4 Management Access

The menu contains the following dialogs:


 Server
 IP Access Restriction
 Web
 Command Line Interface
 SNMPv1/v2 Community

Device Security > Management Access > Server

3.4.1 Server

This dialog allows you to set up the server services which enable users or applications to access the
management of the device.

The dialog contains the following tabs:


 [Information ]
 [SNMP ]
 [Telnet ]
 [SSH ]
 [HTTP ]
 [HTTPS ]

[Information ]
This tab displays as an overview which server services are enabled.

 Table

Parameters Meaning
SNMPv1 Displays whether the server service which allows access to the device using SNMP version 1 is
active or inactive. See the SNMP tab.
Possible values:
 marked
Server service is active.
 unmarked
Server service is inactive.
SNMPv2 Displays whether the server service which allows access to the device using SNMP version 2 is
active or inactive. See the SNMP tab.
Possible values:
 marked
Server service is active.
 unmarked
Server service is inactive.
SNMPv3 Displays whether the server service which allows access to the device using SNMP version 3 is
active or inactive. See the SNMP tab.
Possible values:
 marked
Server service is active.
 unmarked
Server service is inactive.
Telnet server Displays whether the server service which allows access to the device using Telnet is active or
inactive. See the Telnet tab.
Possible values:
 marked
Server service is active.
 unmarked
Server service is inactive.
SSH server Displays whether the server service which allows access to the device using Secure Shell is active
or inactive. See the SSH tab.
Possible values:
 marked
Server service is active.
 unmarked
Server service is inactive.
HTTP server Displays whether the server service which allows access to the device using the Graphical User
Interface through HTTP is active or inactive. See the HTTP tab.
Possible values:
 marked
Server service is active.
 unmarked
Server service is inactive.
HTTPS server Displays whether the server service which allows access to the device using the Graphical User
Interface through HTTPS is active or inactive. See the HTTP tab.
Possible values:
 marked
Server service is active.
 unmarked
Server service is inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[SNMP ]
This tab allows you to specify settings for the SNMP agent of the device and to enable/disable access
to the device with different SNMP versions.
The SNMP agent enables management access to the device with SNMP-based applications.

 Configuration

Parameters Meaning
SNMPv1 Activates/deactivates the access to the device with SNMP version 1.
Possible values:
 marked (default setting)
Access is activated.
 unmarked
Access is deactivated.
You specify the community names in the Device Security > Management Access > SNMPv1/
v2 Community dialog.
SNMPv2 Activates/deactivates the access to the device with SNMP version 2.
Possible values:
 marked (default setting)
Access is activated.
 unmarked
Access is deactivated.
You specify the community names in the Device Security > Management Access > SNMPv1/
v2 Community dialog.
SNMPv3 Activates/deactivates the access to the device with SNMP version 3.
Possible values:
 marked (default setting)
Access is activated.
 unmarked
Access is deactivated.
Network management systems like Industrial HiVision use this protocol to communicate with the
device.
UDP port Specifies the number of the UDP port on which the SNMP agent receives requests from clients.
Possible values:
 1..65535 (default setting: 161)
Exception: Port 2222 is reserved for internal functions.
To enable the SNMP agent to use the new port after a change, you proceed as follows:
 Click the button.
 Select in the Basic Settings > Load/Save dialog the active configuration profile.
 Click the button and then the Save item.
 Restart the device.
SNMPover802 Activates/deactivates the access to the device through SNMP over IEEE-802.
Possible values:
 marked
Access is activated.
 unmarked (default setting)
Access is deactivated.
The HiDiscovery software uses SNMP over IEEE-802 to access devices without an IP address.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[Telnet ]
This tab allows you to enable/disable the Telnet server in the device and specify its settings.
The Telnet server enables management access to the device remotely through the Command Line
Interface. Telnet connections are unencrypted.

 Operation

Parameters Meaning
Operation Enables/disables the Telnet server.
Possible values:
 On (default setting)
The Telnet server is enabled.
The management access to the device is possible through the Command Line Interface using
an unencrypted Telnet connection.
 Off
The Telnet server is disabled.

Note: If the SSH server is disabled and you also disable Telnet, the access to the Command Line
Interface is only possible through the V.24 interface of the device.

 Configuration

Parameters Meaning
TCP port Specifies the number of the TCP port on which the device receives Telnet requests from clients.
Possible values:
 1..65535 (default setting: 23)
Exception: Port 2222 is reserved for internal functions.
The server restarts automatically after the port is changed. Existing connections remain in place.
Connections Displays how many Telnet connections are currently established to the device.
Connections (max.) Specifies the maximum number of Telnet connections to the device that can be set up
simultaneously.
Possible values:
 1..5 (default setting: 5)
Session timeout [min] Specifies the timeout in minutes. After the device has been inactive for this time it ends the session
for the user logged on.
A change in the value takes effect the next time a user logs on to the device.
Possible values:
 0
Deactivates the function. The connection remains established in the case of inactivity.
 1..160 (default setting: 5)

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[SSH ]
This tab allows you to enable/disable the SSH server in the device and specify its settings required for
SSH. The server works with SSH version 2.
The SSH server enables management access to the device remotely through the Command Line
Interface. SSH connections are encrypted.
The SSH server identifies itself to the clients using its public RSA or DSA key. When first setting up the
connection, the client program displays the fingerprint of this key to the user. The fingerprint contains a
hexadecimal number sequence that is easy to check. When you make this number sequence available
to the users via a reliable channel, they have the option to compare both fingerprints. If the number
sequences match, the client is connected to the correct server.
The device allows you to create the private and public keys (host keys) required for RSA and DSA
directly on the device. Otherwise you have the option to copy your own keys to the device in PEM format.
As an alternative, the device allows you to load the DSA/RSA key (host key) from an external memory
upon restart. You activate this function in the Basic Settings > External Memory dialog, SSH key
auto upload column.

 Operation

Parameters Meaning
Operation Enables/disables the SSH server.
Possible values:
 On (default setting)
The SSH server is enabled.
The management access to the device is possible through the Command Line Interface using
an encrypted SSH connection.
The server can be started only if an RSA or DSA signature is present on the device.
 Off
The SSH server is disabled.
When you disable the SSH server, the existing connections remain established. However, the
device prevents new connections from being set up.

Note: If the Telnet server is disabled and you also disable SSH, the access to the Command Line
Interface is only possible through the V.24 interface of the device.

 Configuration

Parameters Meaning
TCP port Specifies the number of the TCP port on which the device receives SSH requests from clients.
Possible values:
 1..65535 (default setting: 22)
Exception: Port 2222 is reserved for internal functions.
The server restarts automatically after the port is changed. Existing connections remain in place.
Sessions Displays how many SSH connections are currently established to the device.
Sessions (max.) Specifies the maximum number of SSH connections to the device that can be set up
simultaneously.
Possible values:
 1..5 (default setting: 5)

Session timeout [min] Specifies the timeout in minutes. After the user logged on has been inactive for this time, the device ends
the connection.
A change in the value takes effect the next time a user logs on to the device.
Possible values:
 0
Deactivates the function. The connection remains established in the case of inactivity.
 1..160 (default setting: 5)

 Fingerprint
The fingerprint is an easy-to-verify string that uniquely identifies the RSA or DSA host key of the SSH
server.

Parameters Meaning
DSA Fingerprint of the public DSA host key of the server.
RSA Fingerprint of the public RSA host key of the server.

After importing a new RSA or DSA host key, the device continues to display the existing fingerprint
until you restart the server.

 Signature

Parameters Meaning
DSA present Displays whether a DSA host key is present on the device.
Possible values:
 marked
A key is present.
 unmarked
No key is present.
RSA present Displays whether an RSA host key is present on the device.
Possible values:
 marked
A key is present.
 unmarked
No key is present.
Create Generates a host key on the device. The prerequisite is that the SSH server is disabled.
Length of the key created:
 2048 bit (RSA)
 1024 bit (DSA)
To get the server to use the generated host key, you enable the server.
Alternatively, you have the option to copy your own key to the device in PEM format. See the Key
import frame.
Delete Removes the host key from the device. The prerequisite is that the SSH server is disabled.

Oper status Displays whether the device currently generates a host key.
It is possible that another user triggered this action.
Possible values:
 dsa
The device currently generates a DSA host key.
 rsa
The device currently generates an RSA host key.
 both
The device currently generates a DSA and an RSA host key at the same time.
 none
The device does not generate a host key.

 Key import

Parameters Meaning
URL Specifies the path and file name of your own DSA/RSA host key.
The device accepts the DSA/RSA key if it has the following key length:
– 2048 bit (RSA)
– 1024 bit (DSA)
The device gives you the following options for copying the key to the device:
 Import from the PC
If the host key is located on your PC or on a network drive, drag and drop the file that contains
the key in the area. Alternatively click in the area to select the file.
 Import from an FTP server
If the key is on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
 Import from a TFTP server
If the key is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
 Import from an SCP or SFTP server
If the key is on an SCP or SFTP server, you specify the URL for the file in the following form:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you
enter User name and Password to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start Copies the key specified in the URL field to the device.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[HTTP ]
This tab allows you to enable/disable the HTTP protocol for the web server and specify the settings
required for HTTP.
The web server provides the graphical user interface via an unencrypted HTTP connection. For security
reasons, disable the HTTP protocol and use the HTTPS protocol instead.
The device supports up to 10 simultaneous connections using HTTP or HTTPS.

Note: If you change the settings in this tab and click the button, the device ends the session and
disconnects every opened connection. To continue working with the graphical user interface, log in
again.

 Operation

Parameters Meaning
Operation Enables/disables the HTTP protocol for the web server.
Possible values:
 On (default setting)
The HTTP protocol is enabled.
The management access to the device is possible through an unencrypted HTTP connection.
If the HTTPS protocol is also enabled, the device automatically redirects the request for an HTTP
connection to an encrypted HTTPS connection.
 Off
The HTTP protocol is disabled.
If the HTTPS protocol is enabled, the management access to the device is possible through an
encrypted HTTPS connection.

Note: If the HTTP and HTTPS protocols are disabled, you can enable the HTTP protocol using the
CLI command http server to get to the graphical user interface.

 Configuration

Parameters Meaning
TCP port Specifies the number of the TCP port on which the web server receives HTTP requests from
clients.
Possible values:
 1..65535 (default setting: 80)
Exception: Port 2222 is reserved for internal functions.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[HTTPS ]
This tab allows you to enable/disable the HTTPS protocol for the web server and specify the settings
required for HTTPS.
The web server provides the graphical user interface via an encrypted HTTP connection.
A digital certificate is required for the encryption of the HTTP connection. The device allows you to
create this certificate yourself or to load an existing certificate onto the device.
The device supports up to 10 simultaneous connections using HTTP or HTTPS.

Note: If you change the settings in this tab and click the button, the device ends the session and
disconnects every opened connection. To continue working with the graphical user interface, log in
again.

 Operation

Parameters Meaning
Operation Enables/disables the HTTPS protocol for the web server.
Possible values:
 On (default setting)
The HTTPS protocol is enabled.
The management access to the device is possible through an encrypted HTTPS connection.
If there is no digital certificate present, the device generates a digital certificate before it
enables the HTTPS protocol.
 Off
The HTTPS protocol is disabled.
If the HTTP protocol is enabled, the management access to the device is possible through an
unencrypted HTTP connection.

Note: If the HTTP and HTTPS protocols are disabled, you can enable the HTTPS protocol using the
CLI command https server to get to the graphical user interface.

 Configuration

Parameters Meaning
TCP port Specifies the number of the TCP port on which the web server receives HTTPS requests from
clients.
Possible values:
 1..65535 (default setting: 443)
Exception: Port 2222 is reserved for internal functions.

 Fingerprint
The fingerprint is an easily verified hexadecimal number sequence that uniquely identifies the digital
certificate of the HTTPS server.
After importing a new digital certificate, the device displays the current fingerprint until you restart the
server.

Parameters Meaning
Fingerprint type Specifies which fingerprint the Fingerprint field displays.
Possible values:
 sha1
The Fingerprint field displays the SHA1 fingerprint of the certificate.
 sha256
The Fingerprint field displays the SHA256 fingerprint of the certificate.
Fingerprint Character sequence of the digital certificate used by the server.

When you change the settings in the Fingerprint type field, click afterwards the button
and then the button to update the display.
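
One way to compare the value in the Fingerprint field with a certificate file you hold, as an added example that is not part of the original manual. Function names and the sample data are assumptions; the two "certificates" are constructed placeholder bytes wrapped in PEM armour, since a fingerprint is only a hash over the decoded bytes. The identify() helper covers the case described above in which the device still shows the earlier fingerprint after an import until the server restarts.

```python
import base64
import hashlib
import hmac
import re

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
HEX_LENGTH = {"sha1": 40, "sha256": 64}   # Fingerprint type -> hex digits


def pem_to_der(pem_text):
    """Decode the CERTIFICATE block; a PRIVATE KEY block in the file is ignored."""
    m = PEM_CERT_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_to_pem(der):
    """Wrap bytes in certificate PEM armour (used for the constructed samples)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def fingerprint(der, fp_type):
    """Lower-case hex fingerprint for fp_type 'sha1' or 'sha256'."""
    if fp_type not in HEX_LENGTH:
        raise ValueError(f"unsupported fingerprint type: {fp_type!r}")
    return hashlib.new(fp_type, der).hexdigest()


def normalize(displayed):
    """Drop separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    hexstr = re.sub(r"[\s:.-]", "", displayed).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError("fingerprint is not a hexadecimal sequence")
    return hexstr


def verify(pem_text, displayed, fp_type):
    """Return (ok, reason) for a displayed fingerprint against a PEM file."""
    want = normalize(displayed)
    if len(want) != HEX_LENGTH.get(fp_type, -1):
        # Catches a truncated value or the wrong Fingerprint type setting.
        return False, "fingerprint length does not fit type"
    got = fingerprint(pem_to_der(pem_text), fp_type)
    if hmac.compare_digest(got, want):
        return True, "match"
    return False, "mismatch"


def identify(displayed, fp_type, candidates):
    """Labels of the candidate PEM files whose fingerprint equals the displayed one."""
    return [label for label, pem in candidates.items()
            if verify(pem, displayed, fp_type)[0]]


# Constructed placeholder bytes, not real X.509 certificates.
DER_PREVIOUS = b"constructed placeholder standing in for the previous certificate"
DER_IMPORTED = b"constructed placeholder standing in for the imported certificate"
PEM_PREVIOUS = der_to_pem(DER_PREVIOUS)
PEM_IMPORTED = der_to_pem(DER_IMPORTED)
CANDIDATES = {"previous": PEM_PREVIOUS, "imported": PEM_IMPORTED}

if __name__ == "__main__":
    # Value as it might be copied from the Fingerprint field (constructed).
    raw = fingerprint(DER_PREVIOUS, "sha256")
    shown = ":".join(raw[i:i + 2] for i in range(0, len(raw), 2)).upper()
    print(verify(PEM_IMPORTED, shown, "sha256"))    # imported file vs. display
    print(identify(shown, "sha256", CANDIDATES))    # which file the display fits
```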

 Certificate

Parameters Meaning
Present Displays whether the digital certificate is present on the device.
Possible values:
 marked
The certificate is present.
 unmarked
The certificate has been removed.
Create Generates a digital certificate on the device.
Until it is restarted, the web server uses the previous certificate.
To get the web server to use the newly generated certificate, restart the web server. Restarting
the web server is possible solely through the Command Line Interface (CLI).
Alternatively, you have the option of copying your own certificate to the device. See the
Certificate import frame.
Delete Deletes the digital certificate.
Until it is restarted, the web server uses the previous certificate.
Oper status Displays whether the device currently generates or deletes a digital certificate.
It is possible that another user has triggered the action.
Possible values:
 none
The device currently does not generate or delete a certificate.
 delete
The device currently deletes a certificate.
 generate
The device currently generates a certificate.

Note: When loading the graphical user interface, the web browser displays a warning if the device
uses a certificate that is not signed by a certification authority. To continue, add an exception rule for
the certificate in the web browser.

 Certificate import

Parameters Meaning
URL Specifies the path and file name of the certificate.
The device accepts certificates with the following properties:
– X.509 format
– .PEM file name extension
– Base64-coded, enclosed by
• -----BEGIN PRIVATE KEY-----
and
-----END PRIVATE KEY-----
as well as
• -----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
– RSA key with 2048 bit length
The device gives you the following options for copying the certificate to the device:
 Import from the PC
If the certificate is located on your PC or on a network drive, drag and drop the certificate in the
area. Alternatively click in the area to select the certificate.
 Import from an FTP server
If the certificate is on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<path>/<file name>
 Import from a TFTP server
If the certificate is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
 Import from an SCP or SFTP server
If the certificate is on an SCP or SFTP server, you specify the URL for the file in the following
form:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you
enter User name and Password to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start Copies the certificate specified in the URL field to the device.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Device Security > Management Access > IP Access Restriction

3.4.2 IP Access Restriction

This dialog enables you to restrict the management access to the device to specific IP address ranges
and selected IP-based applications.
 If the function is disabled, the management access to the device is possible from any IP address and
using every application.
 If the function is enabled, the access is restricted. You have management access under the following
conditions exclusively:
– At least one table entry is activated.
and
– You are accessing the device with a permitted application from a permitted IP address range.

 Operation

Parameters Meaning
Operation Enables/disables the IP Access Restriction function.
Possible values:
 On
The IP Access Restriction function is enabled.
The management access to the device is restricted.
 Off (default setting)
The IP Access Restriction function is disabled.

Note: Before you enable the function, verify that at least one active entry in the table allows you
access. Otherwise, the connection to the device terminates when you change the settings. The
management access to the device is then possible exclusively using the CLI through the V.24 interface.

 Table
You have the option of defining up to 16 table entries and activating them separately.

Parameters Meaning
Index Displays the index number to which the table entry relates.
When you delete a table entry, this leaves a gap in the numbering. When you create a new table
entry, the device fills the first gap.
Possible values:
 1..16
Address Specifies the IP address of the network from which you allow the management access to the
device. You specify the network range in the Netmask column.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Netmask Specifies the range of the network specified in the Address column.
Possible values:
 Valid netmask (default setting: 0.0.0.0)
HTTP Activates/deactivates the HTTP access.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.

HTTPS Activates/deactivates the HTTPS access.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
SNMP Activates/deactivates the SNMP access.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
Telnet Activates/deactivates the Telnet access.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
SSH Activates/deactivates the SSH access.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
IEC61850-MMS Activates/deactivates the access to the MMS server.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
Modbus TCP Activates/deactivates the access to the Modbus TCP server.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
EtherNet/IP Activates/deactivates the access to the EtherNet/IP server.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
PROFINET Activates/deactivates the access to the PROFINET server.
Possible values:
 marked (default setting)
Access is activated for the adjacent IP address range.
 unmarked
Access is deactivated.
Active Activates/deactivates the table entry.
Possible values:
 marked (default setting)
Table entry is activated. The device restricts the management access to the adjacent IP
address range and the selected IP-based applications.
 unmarked
Table entry is deactivated.
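
A pre-flight check for the note in the Operation frame of this dialog, as an added example that is not part of the original manual: it evaluates a copy of the table for a given management station before Operation is set to On. The Entry class, the function names and the sample addresses are assumptions; the evaluation follows the rule stated in this dialog (an active entry, a permitted application, a permitted IP address range).

```python
import ipaddress
from dataclasses import dataclass

# Application columns of the table.
APPLICATIONS = ("HTTP", "HTTPS", "SNMP", "Telnet", "SSH", "IEC61850-MMS",
                "Modbus TCP", "EtherNet/IP", "PROFINET")
# Services this manual describes as unencrypted.
UNENCRYPTED = {"HTTP", "Telnet"}


@dataclass
class Entry:
    index: int                                 # Index column, 1..16
    address: str = "0.0.0.0"                   # default setting
    netmask: str = "0.0.0.0"                   # default setting
    apps: frozenset = frozenset(APPLICATIONS)  # default: every column marked
    active: bool = True                        # default setting

    def network(self):
        """Address and Netmask columns as one IPv4 network object."""
        return ipaddress.ip_network(f"{self.address}/{self.netmask}",
                                    strict=False)


def permitting_entries(entries, src_ip, app):
    """Index numbers of the active entries that allow app from src_ip."""
    ip = ipaddress.ip_address(src_ip)
    return [e.index for e in entries
            if e.active and app in e.apps and ip in e.network()]


def is_permitted(operation_on, entries, src_ip, app):
    """Access decision: unrestricted while the function is Off."""
    if not operation_on:
        return True
    return bool(permitting_entries(entries, src_ip, app))


def preflight(entries, admin_ip, admin_app):
    """Findings to resolve before switching Operation to On."""
    findings = []
    if not permitting_entries(entries, admin_ip, admin_app):
        findings.append(
            f"lockout: no active entry permits {admin_app} from {admin_ip}")
    for e in entries:
        if not e.active:
            continue
        if e.network().prefixlen == 0:
            findings.append(
                f"entry {e.index}: netmask 0.0.0.0 permits every IPv4 address")
        plain = sorted(UNENCRYPTED & e.apps)
        if plain:
            findings.append(
                f"entry {e.index}: permits unencrypted {', '.join(plain)}")
    return findings


# Constructed sample tables.
DEFAULT_TABLE = [Entry(1)]                      # one entry, all defaults
HARDENED = [Entry(1, "10.0.1.0", "255.255.255.0",
                  frozenset({"HTTPS", "SSH"}))]

if __name__ == "__main__":
    for name, table in (("default", DEFAULT_TABLE), ("hardened", HARDENED)):
        print(name, preflight(table, "10.0.1.20", "HTTPS"))
    # A station outside the permitted range would lose its session.
    print(preflight(HARDENED, "10.0.2.20", "HTTPS"))
```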

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Device Security > Management Access > Web

3.4.3 Web

In this dialog, you specify settings for the graphical user interface.

 Configuration

Parameters Meaning
Web interface session timeout [min] Specifies the timeout in minutes. After the device has been inactive for this time it ends the session
for the user logged on.
Possible values:
 0..160 (default setting: 5)
The value 0 deactivates the function, and the user remains logged on when inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Device Security > Management Access > CLI

3.4.4 Command Line Interface

In this dialog, you specify settings for the Command Line Interface (CLI). You find detailed information
about the Command Line Interface in the “Command Line Interface” reference manual.

The dialog contains the following tabs:


 [Global ]
 [Login banner ]

[Global ]
This tab allows you to change the CLI prompt and to specify the automatic closing of sessions through
the V.24 interface when they have been inactive.

 Configuration

Parameters Meaning
Login prompt Specifies the character string that the device displays in the Command Line Interface (CLI) at the
start of every command line.
Possible values:
 Alphanumeric ASCII character string with 0..128 characters
(0x20..0x7E) including space characters
Wildcards
– %d date
– %i IP address
– %m MAC address
– %p product name
– %t time
Default setting: ((GRS))
Changes to this setting are immediately effective in the active CLI session.
V.24 timeout [min] Specifies the time in minutes after which the device automatically closes the session of a logged
on user in the Command Line Interface via the V.24 interface when it has been inactive.
Possible values:
 0..160 (default setting: 5)
The value 0 deactivates the function, and the user remains logged on when inactive.
A change in the value takes effect the next time a user logs on to the device.
For Telnet and SSH, you specify the timeout in the Device Security > Management Access >
Server dialog.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[Login banner ]
In this tab, you replace the CLI start screen with your own text.
In the default setting, the CLI start screen displays information about the device, such as the software
version and the device settings. With the function in this tab, you deactivate this information and replace
it with an individually specified text.
To display your own text in the CLI and in the graphical user interface before the login, you use the
Device Security > Pre-login Banner dialog.

 Operation

Parameters Meaning
Operation Enables/disables the Login banner function.
Possible values:
 On
The Login banner function is enabled.
The device displays the text information specified in the Banner text field to the users that
log in to the device using the Command Line Interface (CLI).
 Off (default setting)
The Login banner function is disabled.
The CLI start screen displays information about the device. The text information in the Banner
text field is kept.

 Banner text

Parameters Meaning
Banner text Specifies the character string that the device displays in the Command Line Interface at the start
of every session.
Possible values:
 Alphanumeric ASCII character string with 0..1024 characters
(0x20..0x7E) including space characters
 <Tab>
 <Line break>
Remaining Displays how many characters are still remaining in the Banner text field for the text information.
characters
Possible values:
 1024..0

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Device Security > Management Access > SNMPv1/v2 Community

3.4.5 SNMPv1/v2 Community

In this dialog, you specify the community name for SNMPv1/v2 applications.
Applications send requests via SNMPv1/v2 with a community name in the SNMP data packet header.
Depending on the community name, the application gets read authorization or read and write
authorization for the device.
You activate the access to the device via SNMPv1/v2 in the Device Security > Management
Access > Server dialog.

Table

Parameters Meaning
Community Displays the authorization for SNMPv1/v2 applications to the device:
• Write
For requests with the community name entered, the application receives read and write
authorization for the device.
• Read
For requests with the community name entered, the application receives read authorization for
the device.
Name Specifies the community name for the adjacent authorization.
Possible values:
• Alphanumeric ASCII character string with 0..32 characters
private (default setting for read and write authorizations)
public (default setting for read authorization)

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Device Security > Pre-login Banner

3.5 Pre-login Banner

This dialog allows you to display a greeting or information text to users before they log in to the device.
The users see this text in the login dialog of the graphical user interface (GUI) and of the Command Line
Interface (CLI). Users logging in with SSH see the text - regardless of the client used - before or during
the login.
To display the text in the Command Line Interface (CLI) exclusively, use the settings in the Device
Security > Management Access > CLI dialog.

Operation

Parameters Meaning
Operation Enables/disables the Pre-login Banner function.
Using the Pre-login Banner function, the device displays a greeting or information text in the
login dialog of the Graphical User Interface and of the Command Line Interface.
Possible values:
• On
The Pre-login Banner function is enabled.
The device displays the text specified in the Banner text field in the login dialog.
• Off (default setting)
The Pre-login Banner function is disabled.
The device does not display a text in the login dialog. If you entered a text in the Banner text
field, this text is saved on the device.

Banner text

Parameters Meaning
Banner text Specifies the greeting or information text that the device displays in the Login dialog of the
graphical user interface (GUI) and of the Command Line Interface (CLI).
Possible values:
• Alphanumeric ASCII character string with 0..512 characters
(0x20..0x7E) including space characters
• <Tab>
• <Line break>
Remaining characters Displays how many characters are still remaining in the Banner text field.
Possible values:
• 512..0

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

4 Network Security

The menu contains the following dialogs:


• Network Security Overview
• Port Security
• 802.1X Port Authentication
• RADIUS
• DoS
• DHCP Snooping
• IP Source Guard
• Dynamic ARP Inspection
• ACL

Network Security > Overview

4.1 Network Security Overview

This dialog displays the network security rules used in the device.

Parameter

Parameters Meaning
Port/VLAN Specifies whether the device displays VLAN- and/or port-based rules.
Possible values:
• All (default setting)
The device displays the VLAN- and port-based rules specified by you.
• Port: <Port Number>
The device displays port-based rules for a specific port. This selection is available if you have
specified one or more rules for this port.
• VLAN: <VLAN ID>
The device displays VLAN-based rules for a specific VLAN. This selection is available if you
have specified one or more rules for this VLAN.
ACL Displays the ACL rules in the overview.
You edit Access Control Lists in the Network Security > ACL dialog.
All Marks the adjacent checkboxes. The device displays the related rules in the overview.
None Unmarks the adjacent checkboxes. The device does not display any rules in the overview.

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Network Security > Port Security

4.2 Port Security

The device allows you to transmit only data packets from desired senders on a port. When this
function is enabled, the device checks the VLAN ID and MAC address of the sender before it transmits
a data packet. The device discards data packets from other senders and logs this event. If the
Auto-Disable function is activated, the device disables the port. This restriction makes MAC Spoofing
attacks more difficult. The Auto-Disable function enables the relevant port again automatically when
the parameters are no longer being exceeded.
In this dialog a Wizard window helps you to connect the ports with one or more desired sources. In the
device these addresses are known as Static entries (/). To view the specified static addresses,
highlight the relevant port and click the button.
To keep the setup process as simple as possible, the device allows you to record the desired senders
automatically. The device “learns” the senders by evaluating the received data packets. In the device
these addresses are known as Dynamic entries. When a user-defined upper limit has been reached
(Dynamic limit), the device stops the “learning” on the relevant port and transmits exclusively the data
packets of the senders already recorded. When you adjust the upper limit to the number of expected
senders, you thus make MAC Flooding attacks more difficult.

Note: With the automatic recording of the Dynamic entries, the device always discards the 1st data
packet from unknown senders. Using this 1st data packet, the device checks whether the upper limit
has been reached. The device records the sender until the upper limit is reached. Afterwards, the device
transmits data packets that it receives on the relevant port from this sender.

Operation

Parameters Meaning
Operation Enables/disables the Port Security function.
Possible values:
• On
The Port Security function is enabled.
The device checks the VLAN ID and MAC address of the source before it transmits a data
packet.
The device transmits a received data packet only if its source is desired on the relevant port.
Also activate the checking of the source on the relevant ports.
• Off (default setting)
The Port Security function is disabled.
The device transmits every received data packet without checking the source.

Configuration

Parameters Meaning
Auto-disable Activates/deactivates the Auto-Disable function for Port Security.
Possible values:
• marked
The Auto-Disable function for Port Security is active.
Also mark the checkbox in the Auto-disable column for the relevant ports.
• unmarked (default setting)
The Auto-Disable function for Port Security is inactive.

Table

Parameters Meaning
Port Displays the port number.
Active Activates/deactivates the checking of the source on the port.
Possible values:
• marked
The device checks every data packet received on the port and transmits it if its source is
desired. Also enable the function in the Operation frame.
• unmarked (default setting)
The device transmits every data packet received on the port without checking the source.

Note: If you are operating the device as an active subscriber within an MRP ring, we recommend
you unmark the checkbox.
Auto-disable Activates/deactivates the Auto-Disable function for the parameters that the Port Security
function is monitoring on the port.
Possible values:
• marked (default setting)
The Auto-Disable function is active on the port.
The prerequisite is that you mark the checkbox Auto-disable in the Configuration frame.
– The device disables the port if the port registers undesired source MAC addresses or more
source MAC addresses than specified in the Dynamic limit column. The “Link status”
LED for the port flashes 3× per period.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently
disabled due to the parameters being exceeded.
– The Auto-Disable function reactivates the port automatically. For this you go to the
Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the
relevant port in the Reset timer [s] column.
• unmarked
The Auto-Disable function on the port is inactive.
Send trap Activates/deactivates the sending of SNMP traps when the device discards data packets from an
undesired sender on the port.
Possible values:
• marked
The device sends an SNMP trap when it discards data packets from an undesired sender on
the port.
• unmarked (default setting)
The sending of SNMP traps is deactivated.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Trap interval [s] Specifies the delay time in seconds that the device waits after sending an SNMP trap before
sending the next SNMP trap.
Possible values:
• 0..3600 (default setting: 0)
The value 0 deactivates the delay time.
Dynamic limit Specifies the upper limit for the number of automatically registered sources (Dynamic entries).
When the upper limit has been reached, the device stops “learning” on this port.
Adjust the value to the number of expected sources.
If the port registers more senders than specified here, the Auto-Disable function disables the
port. The prerequisite is that you mark the checkbox in the Auto-disable column and the
Auto-disable checkbox in the Configuration frame.
Possible values:
• 0
Deactivates the automatic registering of sources on this port.
• 1..600 (default setting: 600)

Static limit Specifies the upper limit for the number of sources connected to the port (Static entries (/)).
The Wizard window helps you to connect the port with one or more desired sources.
Possible values:
• 0..64 (default setting: 64)
The value 0 prevents you from connecting a source with the port.
Dynamic entries Displays the number of senders that the device has automatically determined.
See the Wizard window, Dynamic entries field.
Static entries Displays the number of senders that are linked with the port.
See the Wizard window, Static entries (/) field.
Last violating VLAN ID/MAC Displays the VLAN ID and MAC address of an undesired sender whose data packets
the device last discarded on this port.
Sent traps Displays the number of discarded data packets on this port that caused the device to send an
SNMP trap.
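
The following Python model is an added example, not code from this manual or from Hirschmann. It replays a constructed sequence of frames against one port to show how the Operation setting, the Active and Auto-disable checkboxes, and the Dynamic limit described above combine. The class, field and verdict names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurityModel:
    """Simplified model of one port. Field names are hypothetical; the
    defaults are the default settings stated in the tables above."""
    operation_on: bool = False          # Operation frame (default: Off)
    global_auto_disable: bool = False   # Configuration frame (default: unmarked)
    active: bool = False                # Active column (default: unmarked)
    auto_disable: bool = True           # Auto-disable column (default: marked)
    dynamic_limit: int = 600            # Dynamic limit column
    static_limit: int = 64              # Static limit column
    static_entries: list = field(default_factory=list)
    dynamic_entries: list = field(default_factory=list)
    port_disabled: bool = False
    last_violation: tuple = None        # Last violating VLAN ID/MAC

    def receive(self, vlan_id, mac):
        """Return the verdict for one frame received from (vlan_id, mac)."""
        source = (vlan_id, mac.lower())
        if self.port_disabled:
            return "dropped: port disabled"
        # The source is checked only if the function is On AND the port is Active.
        if not (self.operation_on and self.active):
            return "forwarded: source not checked"
        if source in self.static_entries or source in self.dynamic_entries:
            return "forwarded"
        # Unknown sender: the 1st packet is always discarded. It is used to
        # test the limit; the sender is recorded while there is room.
        if len(self.dynamic_entries) < self.dynamic_limit:
            self.dynamic_entries.append(source)
            return "dropped: 1st packet, sender learned"
        self.last_violation = source
        # Auto-Disable needs the global checkbox AND the port checkbox.
        if self.global_auto_disable and self.auto_disable:
            self.port_disabled = True
            return "dropped: violation, port disabled"
        return "dropped: violation"

    def adopt_all_dynamic(self):
        """Move dynamic entries to the static list, foremost (ascending)
        entries first, until Static limit is reached. Returns the count moved."""
        ordered = sorted(self.dynamic_entries)
        room = max(self.static_limit - len(self.static_entries), 0)
        self.static_entries.extend(ordered[:room])
        self.dynamic_entries = ordered[room:]
        return min(room, len(ordered))


def replay(port, frames):
    """Feed (vlan_id, mac) pairs to the port and collect the verdicts."""
    return [port.receive(vlan_id, mac) for vlan_id, mac in frames]


# Constructed sample traffic: two expected senders, then a third one.
FRAMES = [
    (1, "00:11:22:33:44:55"),
    (1, "00:11:22:33:44:55"),
    (1, "00:11:22:33:44:66"),
    (1, "00:11:22:33:44:77"),
    (1, "00:11:22:33:44:55"),
]

if __name__ == "__main__":
    port = PortSecurityModel(operation_on=True, active=True,
                             global_auto_disable=True, dynamic_limit=2)
    for frame, verdict in zip(FRAMES, replay(port, FRAMES)):
        print(frame, "->", verdict)
```

With the default settings alone (Operation Off, Active unmarked) the model forwards every frame unchecked, and the marked Auto-disable checkbox in the port row has no effect until the checkbox in the Configuration frame is marked as well.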

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Wizard dialog.
In the Wizard dialog you assign the permitted MAC addresses to a port.

[Wizard: Port security]

Select port
The Wizard window helps you to connect the ports with one or more desired sources.

Parameters Meaning
Port Specifies the port that you assign to the sender in the next step.

Addresses
The Wizard window helps you to connect the ports with one or more desired sources. When you
have specified the settings, click the Finish button.

After closing the Wizard window, click the button to save your settings.

Parameters Meaning
VLAN ID Specifies the VLAN ID of the desired source.
Possible values:
• 1..4042
To transfer the VLAN ID and the MAC address to the Static entries (/) field, click the Add
button.
MAC address Specifies the MAC address of the desired source.
Possible values:
• Valid Unicast MAC address
Specify the value in one of the following formats:
– without a separator, for example 001122334455
– separated by spaces, for example 00 11 22 33 44 55
– separated by colons, for example 00:11:22:33:44:55
– separated by hyphens, for example 00-11-22-33-44-55
– separated by points, for example 00.11.22.33.44.55
– separated by points after every 4th character, for example 0011.2233.4455
To transfer the VLAN ID and the MAC address to the Static entries (/) field, click the Add
button.
Add Transfers the values specified in the VLAN ID and MAC address fields to the Static entries (/) field.
Static entries (/) Displays the VLAN ID and MAC address of desired senders connected to the port.
The device uses this field to display the number of senders connected to the port and the upper
limit. You specify the upper limit for the number of entries in the table, Static limit field.

Note: You cannot assign a MAC address that you assign to this port to any other port.
Remove Removes the entries highlighted in the Static entries (/) field.
Moves the entries highlighted in the Dynamic entries field to the Static entries (/) field.

Moves every entry from the Dynamic entries field to the Static entries (/) field.
If the Dynamic entries field contains more entries than are allowed in the Static entries (/) field,
the device moves the foremost entries until the upper limit is reached.

Dynamic entries Displays in ascending order the VLAN ID and MAC address of the senders automatically recorded
on this port. The device transmits data packets from these senders when it receives the data
packets on this port.
You specify the upper limit for the number of entries in the table, Dynamic limit field.

The and buttons allow you to transfer entries from this field into the Static entries (/) field.
In this way, you connect the relevant senders with the port.

Note: The device saves the sources connected with the port until you deactivate the checking of the
source on the relevant port or in the Operation frame.

Network Security > 802.1X Port Authentication

4.3 802.1X Port Authentication

With the port-based access control according to IEEE 802.1X, the device monitors the access to the
network from connected end devices. The device (authenticator) allows an end device (supplicant) to
access the network if it logs in with valid login data. The authenticator and the end devices communicate
via the EAPoL (Extensible Authentication Protocol over LANs) authentication protocol.
The device supports the following methods to authenticate end devices:
• radius
A RADIUS server in the network authenticates the end devices.
• ias
The Integrated Authentication Server (IAS) implemented in the device authenticates the end devices.
Compared to RADIUS, the IAS provides only basic functions.
The menu contains the following dialogs:
• 802.1X Global
• 802.1X Port Configuration
• 802.1X Port Clients
• 802.1X EAPOL Port Statistics
• 802.1X Port Authentication History
• 802.1X Integrated Authentication Server

Network Security > 802.1X Port Authentication > Global

4.3.1 802.1X Global

This dialog allows you to specify basic settings for the port-based access control.

Operation

Parameters Meaning
Operation Enables/disables the 802.1X Port Authentication function.
Possible values:
• On
The 802.1X Port Authentication function is enabled.
The device checks the access to the network from connected end devices.
The port-based access control is enabled.
• Off (default setting)
The 802.1X Port Authentication function is disabled.
The port-based access control is disabled.

Configuration

Parameters Meaning
VLAN assignment Activates/deactivates the assigning of the relevant port to a VLAN. This function allows you to
provide selected services to the connected end device in this VLAN.
Possible values:
• marked
The assigning is active.
If the end device successfully authenticates itself, the device assigns to the relevant port the
VLAN ID transferred by the RADIUS authentication server.
• unmarked (default setting)
The assigning is inactive.
The relevant port is assigned to the VLAN specified in the Network Security > 802.1X Port
Authentication > Port Configuration dialog, Assigned VLAN ID row.
Dynamic VLAN creation Activates/deactivates the automatic creation of the VLAN assigned by the RADIUS
authentication server if the VLAN does not exist.
Possible values:
• marked
The automatic VLAN creation is active.
The device creates the VLAN if it does not exist.
• unmarked (default setting)
The automatic VLAN creation is inactive.
If the assigned VLAN does not exist, the port remains assigned to the original VLAN.
Monitor mode Activates/deactivates the monitor mode.
Possible values:
• marked
The monitor mode is active.
The device monitors the authentication and helps with diagnosing detected errors. If an end
device has not logged in successfully, the device gives the end device access to the network.
• unmarked (default setting)
The monitor mode is inactive.

MAC authentication bypass format options

Parameters Meaning
Group size Specifies the size of the MAC address groups. The device splits the MAC address for
authentication into groups. The size of the groups is specified in half bytes, each of which is
represented as 1 character.
Possible values:
• 1
The device splits the MAC address into 12 groups of 1 character.
Example: A:A:B:B:C:C:D:D:E:E:F:F
• 2
The device splits the MAC address into 6 groups of 2 characters.
Example: AA:BB:CC:DD:EE:FF
• 4
The device splits the MAC address into 3 groups of 4 characters.
Example: AABB:CCDD:EEFF
• 12 (default setting)
The device formats the MAC address as 1 group of 12 characters.
Example: AABBCCDDEEFF
Group separator Specifies the character which separates the groups.
Possible values:
• -
dash
• :
colon
• .
dot
Upper or lower case Specifies whether the device formats the authentication data in lowercase or uppercase letters.
Possible values:
• lower-case
• upper-case
Password Specifies the optional password for the clients which use the authentication bypass.
Possible values:
• Alphanumeric ASCII character string with 0..64 characters
After you enter the password, the field displays ***** (asterisks) instead of the password.
• <empty>
The device uses the username of the client also as the password.
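
The following Python helper is an added example, not code from this manual or from Hirschmann. It parses the six MAC address notations listed for the Port Security wizard and renders each address with the Group size, Group separator and case options described above, so that the user entries on the authentication server can be prepared to match. It assumes that the formatted MAC address is the user name the device sends and that a notation uses one separator throughout; the function names and the sample inventory are constructed.

```python
import re

# The six notations listed for the MAC address field of the Port Security wizard.
_PLAIN = re.compile(r"[0-9a-f]{12}")                       # 001122334455
_PAIRS = re.compile(                                       # 00:11:.. 00-11-.. 00.11.. 00 11 ..
    r"[0-9a-f]{2}([ :.\-])[0-9a-f]{2}(?:\1[0-9a-f]{2}){4}")
_QUADS = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")  # 0011.2233.4455


def parse_mac(text):
    """Return the 12 lower-case hex digits of a unicast MAC address.

    Raises ValueError for any other notation and for group addresses.
    Assumption: the same separator is used throughout one address.
    """
    candidate = text.strip().lower()
    if not any(p.fullmatch(candidate) for p in (_PLAIN, _PAIRS, _QUADS)):
        raise ValueError(f"not one of the six listed MAC formats: {text!r}")
    digits = re.sub(r"[ :.\-]", "", candidate)
    # Bit 0 of the first octet set means multicast or broadcast.
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"not a unicast address: {text!r}")
    return digits


def mab_username(mac, group_size, separator, upper_case):
    """Format a MAC address with the MAC authentication bypass format options."""
    if group_size not in (1, 2, 4, 12):
        raise ValueError("Group size must be 1, 2, 4 or 12")
    if separator not in ("-", ":", "."):
        raise ValueError("Group separator must be '-', ':' or '.'")
    digits = parse_mac(mac)
    groups = [digits[i:i + group_size] for i in range(0, 12, group_size)]
    name = separator.join(groups)   # a single group of 12 has no separator
    return name.upper() if upper_case else name


def mab_credentials(inventory, group_size, separator, upper_case, password=""):
    """Build {mac_digits: (user_name, password)} for an inventory list.

    An empty password means the user name is also used as the password,
    as described for the Password field. Entries that do not parse are
    returned in a second list together with the reason.
    """
    accepted, rejected = {}, []
    for entry in inventory:
        try:
            digits = parse_mac(entry)
        except ValueError as err:
            rejected.append((entry, str(err)))
            continue
        user = mab_username(digits, group_size, separator, upper_case)
        accepted[digits] = (user, password or user)
    return accepted, rejected


# Constructed inventory with mixed notations and three unusable entries.
INVENTORY = [
    "00:11:22:33:44:55",
    "0011.2233.4466",
    "00-11-22-33-44-77",
    "01:00:5e:00:00:01",   # multicast, not a valid end device address
    "00:11:22:33:44",      # too short
    "00:11-22:33:44:55",   # mixed separators
]

if __name__ == "__main__":
    ok, bad = mab_credentials(INVENTORY, group_size=12, separator="-", upper_case=False)
    for user, secret in ok.values():
        print(user, secret)
    for entry, reason in bad:
        print("rejected:", reason)
```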

Information

Parameters Meaning
Monitor mode clients Displays to how many end devices the device gave network access even though they did
not log in successfully.
The prerequisite is that you activate the Monitor mode function. See the Configuration frame.
Non monitor mode clients Displays the number of end devices to which the device gave network access after
successful login.
Policy 1 Displays the method that the device currently uses to authenticate the end devices using
IEEE 802.1X.
You specify the method used in the Device Security > Authentication List dialog.
• To authenticate the end devices through a RADIUS server, you assign the radius policy to
the 8021x list.
• To authenticate the end devices through the Integrated Authentication Server (IAS), you assign
the ias policy to the 8021x list.

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Network Security > 802.1X Port Authentication > Port Configuration

4.3.2 802.1X Port Configuration

This dialog allows you to specify the access settings for every port.
If multiple end devices are connected to a port, the device allows you to authenticate these individually
(multi-client authentication). In this case, the device allows logged in end devices to access the network.
In contrast, the device blocks access for unauthenticated end devices, or for end devices whose
authentication has elapsed.

Table

Parameters Meaning
Port Displays the port number.
Port initialization Activates/deactivates the port initialization in order to activate the access control on the port or
reset it to its initial state. Use this function exclusively for ports in which the Port control column
contains the value auto.
Possible values:
• marked
The port initialization is active.
When the initialization is complete, the device changes the value to unmarked again.
• unmarked (default setting)
The port initialization is inactive.
The device keeps the current port status.
Port reauthentication Activates/deactivates the one-time reauthentication request.
Use this function exclusively for ports in which the Port control column contains the value auto.
The device also allows you to periodically request the end device to log in again. See the Periodic
reauthentication column.
Possible values:
• marked
The one-time reauthentication request is active.
The device requests the end device to log in again. Afterwards, the device changes the value
to unmarked again.
• unmarked (default setting)
The one-time reauthentication request is inactive.
The device keeps the end device logged in.
Authentication activity Displays the current status of the Authenticator (Authenticator PAE state).
Possible values:
• initialize
• disconnected
• connecting
• authenticating
• authenticated
• aborting
• held
• forceAuth
• forceUnauth
Backend authentication state Displays the current status of the connection to the authentication server
(Backend Authentication state).
Possible values:
• request
• response
• success
• fail
• timeout
• idle
• initialize

Authentication state Displays the current status of the authentication on the port (Controlled Port Status).
Possible values:
• authorized
The end device is logged in successfully.
• unauthorized
The end device is not logged in.
Users (max.) Specifies the upper limit for the number of end devices that the device authenticates on this port
at the same time. This upper limit applies exclusively to ports in which the Port control column
contains the value multiClient.
Possible values:
• 1..16 (default setting: 16)
Port control Specifies how the device grants access to the network (Port control mode).
Possible values:
• forceUnauthorized
The device blocks the access to the network. You use this setting if an end device is connected
to the port that does not receive access to the network.
• auto
The device grants access to the network if the end device has logged in successfully. You use
this setting if an end device is connected to the port that logs in at the authenticator.
If other end devices are connected through the same port, they get access to the network
without additional authentication.
• forceAuthorized (default setting)
The device grants access to the network. You use this setting if an end device is connected to
the port that receives access to the network without logging in.
• multiClient
The device grants access to the network if the end device logs in successfully.
If the end device does not send any EAPoL data packets, the device grants or denies access
to the network individually depending on the MAC address of the end device. See the MAC
authorized bypass column.
You use this setting if multiple end devices are connected to the port.
Quiet period [s] Specifies the time period in seconds in which the authenticator does not accept any more logins
from the end device after an unsuccessful login attempt (Quiet period [s]).
Possible values:
• 0..65535 (default setting: 60)
Transmit period [s] Specifies the period in seconds after which the authenticator requests the end device to log in
again. After this waiting period, the device sends an EAP request/identity data packet to the end
device.
Possible values:
• 1..65535 (default setting: 30)
Supplicant timeout period [s] Specifies the period in seconds for which the authenticator waits for the login of
the end device.
Possible values:
• 1..65535 (default setting: 30)
Server timeout [s] Specifies the period in seconds for which the authenticator waits for the response from the
authentication server (RADIUS or IAS).
Possible values:
• 1..65535 (default setting: 30)
Requests (max.) Specifies how many times the authenticator requests the end device to log in until the time
specified in the Supplicant timeout period [s] column has elapsed. The device sends an
EAP request/identity data packet to the end device as often as specified here.
Possible values:
• 0..10 (default setting: 2)

Assigned VLAN ID Displays the ID of the VLAN that the authenticator assigned to the port. This value applies
exclusively to ports in which the Port control column contains the value auto.
Possible values:
• 0..4042 (default setting: 0)
You find the VLAN ID that the authenticator assigned to the ports in the Network Security >
802.1X Port Authentication > Port Clients dialog.
For ports in which the Port control column contains the value multiClient, the device assigns
the VLAN tag based on the MAC address of the end device when it receives data packets without
a VLAN tag.
Assignment reason Displays the cause for the assignment of the VLAN ID. This value applies exclusively to ports in
which the Port control column contains the value auto.
Possible values:
• notAssigned (default setting)
• radius
• guestVlan
• unauthenticatedVlan
You find the VLAN ID that the authenticator assigned to the ports in the Network Security >
802.1X Port Authentication > Port Clients dialog.
Reauthentication period [s] Specifies the period in seconds after which the authenticator periodically requests
the end device to log in again.
Possible values:
• 1..65535 (default setting: 3600)
Periodic reauthentication Activates/deactivates periodic reauthentication requests.
Possible values:
• marked
The periodic reauthentication requests are active.
The device periodically requests the end device to log in again. You specify this time period in
the Reauthentication period [s] column.
This setting becomes ineffective if the authenticator has assigned the end device the ID of a
Voice, Unauthenticated or Guest VLAN.
• unmarked (default setting)
The periodic reauthentication requests are inactive.
The device keeps the end device logged in.
Guest VLAN ID Specifies the ID of the VLAN that the authenticator assigns to the port if the end device does not
log in during the time period specified in the Guest VLAN period column. This value applies
exclusively to ports in which the Port control column contains the value auto.
This function allows you to grant end devices without 802.1X support access to selected services
in the network.
Possible values:
• 0 (default setting)
The authenticator does not assign a guest VLAN to the port.
When you enable the MAC-based authentication in the MAC authorized bypass column,
the device automatically sets the value to 0.
• 1..4042

Note: Assign to the port a VLAN set up statically in the device.

Guest VLAN period Specifies the period in seconds for which the authenticator waits for EAPOL data packets after the
end device is connected. If this period elapses, the authenticator grants the end device access to
the network and assigns the port to the guest VLAN specified in the Guest VLAN ID column.
Possible values:
• 1..300 (default setting: 90)

Unauthenticated VLAN ID Specifies the ID of the VLAN that the authenticator assigns to the port if the end device
does not log in successfully. This value applies exclusively to ports in which the Port control column
contains the value auto.
This function allows you to grant end devices without valid login data access to selected services
in the network.
Possible values:
• 0..4042 (default setting: 0)
The effect of the value 0 is that the authenticator does not assign an Unauthenticated VLAN to the
port.

Note: Assign to the port a VLAN set up statically in the device.

MAC authorized bypass Activates/deactivates the MAC-based authentication.
This function allows you to authenticate end devices without 802.1X support on the basis of their
MAC address.
Possible values:
• marked
The MAC-based authentication is active.
The authenticator uses the MAC-based authentication before it assigns a guest VLAN ID to
the port. The device sends the MAC address of the end device to the RADIUS authentication
server. The device assigns the port to the corresponding VLAN as if the authentication had
been performed through 802.1X directly.
• unmarked (default setting)
The MAC-based authentication is inactive.
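
The following Python check is an added example, not code from this manual or from Hirschmann. It walks a constructed set of 802.1X settings and lists every setting that, according to the descriptions in the Global and Port Configuration dialogs above, lets an end device onto the network without a successful 802.1X login. The dictionary keys are hypothetical names that mirror the dialog fields, and the sample values are constructed.

```python
# Hypothetical keys mirroring the dialog fields; values are the stated defaults.
DEFAULT_GLOBAL = {"operation": False, "monitor_mode": False, "mab_password": ""}
DEFAULT_PORT = {
    "port_control": "forceAuthorized",
    "guest_vlan_id": 0,
    "unauthenticated_vlan_id": 0,
    "mac_authorized_bypass": False,
    "periodic_reauthentication": False,
}
PORT_CONTROL_VALUES = ("forceUnauthorized", "auto", "forceAuthorized", "multiClient")


def dot1x_findings(global_cfg, ports):
    """Return a list of (scope, message) tuples, one per setting that admits
    end devices without a successful 802.1X login or keeps them logged in."""
    cfg = {**DEFAULT_GLOBAL, **global_cfg}
    findings = []
    if not cfg["operation"]:
        # With the function Off, no per-port setting is enforced.
        findings.append(("global", "802.1X Port Authentication is Off: "
                                   "port-based access control is disabled"))
        return findings
    if cfg["monitor_mode"]:
        findings.append(("global", "Monitor mode is active: end devices that "
                                   "did not log in successfully still get access"))
    for name in sorted(ports):
        port = {**DEFAULT_PORT, **ports[name]}
        control = port["port_control"]
        if control not in PORT_CONTROL_VALUES:
            raise ValueError(f"{name}: unknown Port control value {control!r}")
        if control == "forceUnauthorized":
            continue  # access is blocked on this port
        if control == "forceAuthorized":
            findings.append((name, "forceAuthorized: end devices get access "
                                   "without logging in"))
            continue
        if control == "auto":
            findings.append((name, "auto: other end devices connected through "
                                   "the port get access without additional "
                                   "authentication"))
            # Guest and Unauthenticated VLAN apply exclusively to auto ports.
            guest = port["guest_vlan_id"]
            unauth = port["unauthenticated_vlan_id"]
            if guest:
                findings.append((name, f"Guest VLAN ID {guest}: end devices that "
                                       "do not log in are placed in this VLAN"))
            if unauth:
                findings.append((name, f"Unauthenticated VLAN ID {unauth}: end "
                                       "devices whose login fails are placed in "
                                       "this VLAN"))
        if port["mac_authorized_bypass"]:
            findings.append((name, "MAC authorized bypass: end devices are "
                                   "authenticated by their MAC address"))
            if not cfg["mab_password"]:
                findings.append((name, "bypass password is empty: the user name "
                                       "of the client is also the password"))
        if not port["periodic_reauthentication"]:
            findings.append((name, "Periodic reauthentication is unmarked: the "
                                   "device keeps the end device logged in"))
    return findings


# Constructed sample settings for four ports.
SAMPLE_GLOBAL = {"operation": True}
SAMPLE_PORTS = {
    "1/1": {},  # untouched port, default forceAuthorized
    "1/2": {"port_control": "auto", "guest_vlan_id": 20,
            "periodic_reauthentication": True},
    "1/3": {"port_control": "multiClient", "mac_authorized_bypass": True},
    "1/4": {"port_control": "forceUnauthorized"},
}

if __name__ == "__main__":
    for scope, message in dot1x_findings(SAMPLE_GLOBAL, SAMPLE_PORTS):
        print(f"{scope}: {message}")
```

Enabling the function globally is not sufficient on its own: a port left at the default Port control value forceAuthorized still grants access without a login.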

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Network Security > 802.1X Port Authentication > Port Clients

4.3.3 802.1X Port Clients

This dialog displays information on the connected end devices.

Table

Parameters Meaning
Port Displays the port number.
User name Displays the user name with which the end device logged in.
MAC address Displays the MAC address of the end device.
Filter ID Displays the name of the filter list that the RADIUS authentication server assigned to the end
device after successful authentication.
The authentication server transfers the filter ID attributes in the Access Accept data packet.
Assigned VLAN ID Displays the VLAN ID that the authenticator assigned to the port after the successful
authentication of the end device.
If for the port in the Network Security > 802.1X Port Authentication > Port
Configuration dialog, Port control column the value multiClient is specified: The device
assigns the VLAN tag based on the MAC address of the end device when it receives data packets
without a VLAN tag.
Assignment reason Displays the reason for the assignment of the VLAN.
Possible values:
• default
• radius
• unauthenticatedVlan
• guestVlan
• monitorVlan
• invalid
The field displays a valid value only as long as the client is authenticated.
Session timeout Displays the remaining time in seconds until the login of the end device expires. This value applies
solely if for the port in the Network Security > 802.1X Port Authentication > Port
Configuration dialog, Port control column the value auto or multiClient is specified.
The authentication server assigns the timeout period to the device through RADIUS. The value 0
means that the authentication server has not assigned a timeout.
Termination action Displays the action performed by the device when the login has elapsed.
Possible values:
• default
• reauthenticate

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Network Security > 802.1X Port Authentication > Statistics

4.3.4 802.1X EAPOL Port Statistics

This dialog displays which EAPOL data packets the end device has sent and received for the authentication of the end devices.

Table

Parameters and their meaning:
Port: Displays the port number.
Received packets: Displays the total number of EAPOL data packets that the device received on the port.
Transmitted packets: Displays the total number of EAPOL data packets that the device sent on the port.
Start packets: Displays the number of EAPOL start data packets that the device received on the port.
Logoff packets: Displays the number of EAPOL logoff data packets that the device received on the port.
Response/ID packets: Displays the number of EAP response/identity data packets that the device received on the port.
Response packets: Displays the number of valid EAP response data packets that the device received on the port (without EAP response/identity data packets).
Request/ID packets: Displays the number of EAP request/identity data packets that the device received on the port.
Request packets: Displays the number of valid EAP request data packets that the device received on the port (without EAP request/identity data packets).
Invalid packets: Displays the number of EAPOL data packets with an unknown frame type that the device received on the port.
Received error packets: Displays the number of EAPOL data packets with an invalid packet body length field that the device received on the port.
Packet version: Displays the protocol version number of the EAPOL data packet that the device last received on the port.
Source of last received packet: Displays the sender MAC address of the EAPOL data packet that the device last received on the port.
  The value 00:00:00:00:00:00 means that the port has not received any EAPOL data packets yet.

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Network Security > 802.1X Port Authentication > Port Authentication History

4.3.5 802.1X Port Authentication History

The device registers the authentication process of the end devices that are connected to its ports. This dialog displays the information recorded during the authentication.

Table

Parameters and their meaning:
Port: Displays the port number.
Authentification time stamp: Displays the time at which the authenticator authenticated the end device.
Result age: Displays since when this entry has been entered in the table.
MAC address: Displays the MAC address of the end device.
VLAN ID: Displays the ID of the VLAN that was assigned to the end device before the login.
Authentication status: Displays the status of the authentication on the port.
  Possible values:
  • success
    The authentication was successful.
  • failure
    The authentication failed.
Access status: Displays whether the device grants the end device access to the network.
  Possible values:
  • granted
    The device grants the end device access to the network.
  • denied
    The device denies the end device access to the network.
Assigned VLAN ID: Displays the ID of the VLAN that the authenticator assigned to the port.
Assignment type: Displays the type of the VLAN that the authenticator assigned to the port.
  Possible values:
  • default
  • radius
  • unauthenticatedVlan
  • guestVlan
  • monitorVlan
  • notAssigned
Assignment reason: Displays the reason for the assignment of the VLAN ID and the VLAN type.

802.1X Port Authentication History

Parameters and their meaning:
Port: Simplifies the table and displays solely the entries relating to the port selected here. This makes it easier for you to record the table and sort it as you desire.
  Possible values:
  • all
    The table displays the entries for every port.
  • <Port number>
    The table displays the entries that apply to the port selected here.

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Network Security > 802.1X Port Authentication > Integrated Authentication Server

4.3.6 802.1X Integrated Authentication Server

The Integrated Authentication Server (IAS) allows you to authenticate end devices using IEEE 802.1X. Compared to RADIUS, the IAS has a very limited range of functions. The authentication is based solely on the user name and the password.
In this dialog you manage the login data of the end devices. The device allows you to set up a maximum of 100 sets of login data.
To authenticate the end devices through the Integrated Authentication Server, you assign the ias policy to the 8021x list in the Device Security > Authentication List dialog.

Table

Parameters and their meaning:
User name: Displays the user name of the end device.
  To create a new user, click the button.
Password: Specifies the password with which the user authenticates.
  Possible values:
  • Alphanumeric ASCII character string with 0..64 characters
    The device differentiates between upper and lower case.
Active: Activates/deactivates the login data.
  Possible values:
  • marked
    The login data is active. An end device has the option of logging in through 802.1X using this login data.
  • unmarked (default setting)
    The login data is inactive.

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button and its meaning:
Opens the Create window to add a new entry to the table.
  In the User name field, you specify the user name of the end device.

Network Security > RADIUS

4.4 RADIUS

With its factory settings, the device authenticates users based on the local user management. However, as the size of a network increases, it becomes more difficult to keep the login data of the users consistent across the devices.
RADIUS (Remote Authentication Dial-In User Service) allows you to authenticate and authorize the users at a central point in the network. A RADIUS server performs the following tasks here:
• Authentication
  The authentication server authenticates the users when the RADIUS client at the access point forwards the users’ login data to the server.
• Authorization
  The authentication server authorizes logged in users for selected services by assigning various parameters for the relevant end device to the RADIUS client at the access point.
• Accounting
  The accounting server records the traffic data that has occurred during the port authentication according to IEEE 802.1X. This enables you to subsequently determine which services the users have used, and to what extent.
The device operates in the role of the RADIUS client if you assign the radius policy to an application in the Device Security > Authentication List dialog. The device forwards the users’ login data to the primary authentication server. The authentication server decides whether the login data is valid and transfers the user’s authorizations to the device.
The device assigns the Service Type transferred in the response of a RADIUS server as follows to a user role existing in the device:
– Administrative-User: administrator
– Login-User: operator
– NAS-Prompt-User: guest
The device also allows you to authenticate end devices with IEEE 802.1X through an authentication server. To do this, you assign the radius policy to the 8021x list in the Device Security > Authentication List dialog.
The menu contains the following dialogs:
• RADIUS Global
• RADIUS Authentication Server
• RADIUS Accounting Server
• RADIUS Authentication Statistics
• RADIUS Accounting Statistics

Network Security > RADIUS > Global

4.4.1 RADIUS Global

This dialog allows you to specify basic settings for RADIUS.

RADIUS configuration

Parameters and their meaning:
Retransmits (max.): Specifies how many times the device retransmits an unanswered request to the authentication server before the device sends the request to an alternative authentication server.
  Possible values:
  • 1..15 (default setting: 4)
Timeout [s]: Specifies how many seconds the device waits for a response after a request to an authentication server before it retransmits the request.
  Possible values:
  • 1..30 (default setting: 5)
Accounting: Activates/deactivates the accounting.
  Possible values:
  • marked
    Accounting is active.
    The device sends the traffic data to an accounting server specified in the Network Security > RADIUS > Accounting Server dialog.
  • unmarked (default setting)
    Accounting is inactive.
NAS IP address (attribute 4): Specifies the IP address that the device transfers to the authentication server as attribute 4. Specify the IP address of the device or another available address.
  Possible values:
  • Valid IPv4 address (default setting: 0.0.0.0)
  In many cases, there is a firewall between the device and the authentication server. The Network Address Translation (NAT) in the firewall changes the original IP address, and the authentication server receives the translated IP address of the device.
  The device transfers the IP address in this field unchanged across the Network Address Translation (NAT).

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button and its meaning:
Displays a sub menu with the following items.

Reset: Deletes the statistics in the Network Security > RADIUS > Authentication Statistics dialog and in the Network Security > RADIUS > Accounting Statistics dialog.

Network Security > RADIUS > Authentication Server

4.4.2 RADIUS Authentication Server

This dialog allows you to specify up to 8 authentication servers. An authentication server authenticates and authorizes the users when the device forwards the login data to the server.
The device sends the login data to the specified primary authentication server. If the server does not respond, the device contacts the specified authentication server that is highest in the table. If no response comes from this server either, the device contacts the next server in the table.

Table

Parameters and their meaning:
Index: Displays the index number to which the table entry relates.
Name: Displays the name of the server.
  To change the value, click the relevant field.
  Possible values:
  • Alphanumeric ASCII character string with 1..32 characters (default setting: Default-RADIUS-Server)
Address: Specifies the IP address of the server.
  Possible values:
  • Valid IPv4 address
Destination UDP port: Specifies the number of the UDP port on which the server receives requests.
  Possible values:
  • 0..65535 (default setting: 1812)
    Exception: Port 2222 is reserved for internal functions.
Secret: Displays ****** (asterisks) when you specify a password with which the device logs in to the server.
  To change the password, click the relevant field.
  Possible values:
  • Alphanumeric ASCII character string with 1..64 characters
  You get the password from the administrator of the authentication server.
Primary server: Specifies the authentication server as primary or secondary.
  Possible values:
  • marked
    The server is specified as the primary authentication server. The device sends the login data for authenticating the users to this authentication server.
    If you activate multiple servers, the device specifies the last server activated as the primary authentication server.
  • unmarked (default setting)
    The server is the secondary authentication server. The device sends the login data to the secondary authentication server if it does not receive a response from the primary authentication server.
Active: Activates/deactivates the connection to the server.
  The device uses the server if you specify the value radius in one of the rows Policy 1 to Policy 5 in the Device Security > Authentication List dialog.
  Possible values:
  • marked (default setting)
    The connection is active. The device sends the login data for authenticating the users to this server if the preconditions named above are fulfilled.
  • unmarked
    The connection is inactive. The device does not send any login data to this server.

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button and its meaning:
Opens the Create window to add a new entry to the table.
  • In the Index field, you specify the index number.
  • In the Address field, you specify the IP address of the server.

Network Security > RADIUS > Accounting Server

4.4.3 RADIUS Accounting Server

This dialog allows you to specify up to 8 accounting servers. An accounting server records the traffic data that has occurred during the port authentication according to IEEE 802.1X. The prerequisite is that you activate the Accounting function in the Network Security > RADIUS > Global menu.
The device sends the traffic data to the first accounting server that can be reached. If it does not respond, the device contacts the next server in the table.

Table

Parameters and their meaning:
Index: Displays the index number to which the table entry relates.
  Possible values:
  • 1..8
Name: Displays the name of the server.
  To change the value, click the relevant field.
  Possible values:
  • Alphanumeric ASCII character string with 1..32 characters (default setting: Default-RADIUS-Server)
Address: Specifies the IP address of the server.
  Possible values:
  • Valid IPv4 address
Destination UDP port: Specifies the number of the UDP port on which the server receives requests.
  Possible values:
  • 0..65535 (default setting: 1813)
    Exception: Port 2222 is reserved for internal functions.
Secret: Displays ****** (asterisks) when you specify a password with which the device logs in to the server.
  To change the password, click the relevant field.
  Possible values:
  • Alphanumeric ASCII character string with 1..16 characters
  You get the password from the administrator of the authentication server.
Active: Activates/deactivates the connection to the server.
  Possible values:
  • marked (default setting)
    The connection is active. The device sends traffic data to this server if the preconditions named above are fulfilled.
  • unmarked
    The connection is inactive. The device does not send any traffic data to this server.

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button and its meaning:
Opens the Create window to add a new entry to the table.
  • In the Index field, you specify the index number.
  • In the Address field, you specify the IP address of the server.

Network Security > RADIUS > Authentication Statistics

4.4.4 RADIUS Authentication Statistics

This dialog displays information about the communication between the device and the authentication server. The table displays the information for each server in a separate row.
To delete the statistics, click the Clear RADIUS statistics? button in the Network Security > RADIUS > Global dialog.

Table

Parameters and their meaning:
Name: Displays the name of the server.
Address: Displays the IP address of the server.
Round trip time: Displays the time interval in hundredths of a second between the last response received from the server (Access Reply/Access Challenge) and the corresponding data packet sent (Access Request).
Access requests: Displays the number of access data packets that the device sent to the server. This value does not take repetitions into account.
Retransmitted access-request packets: Displays the number of access data packets that the device retransmitted to the server.
Access accepts: Displays the number of access accept data packets that the device received from the server.
Access rejects: Displays the number of access reject data packets that the device received from the server.
Access challenges: Displays the number of access challenge data packets that the device received from the server.
Malformed access responses: Displays the number of malformed access response data packets that the device received from the server (including data packets with an invalid length).
Bad authenticators: Displays the number of access response data packets with an invalid authenticator that the device received from the server.
Pending requests: Displays the number of access request data packets that the device sent to the server and for which it has not yet received a response from the server.
Timeouts: Displays how many times no response from the server was received before the specified waiting time elapsed.
Unknown types: Displays the number of data packets with an unknown data type that the device received from the server on the authentication port.
Packets dropped: Displays the number of data packets that the device received from the server on the authentication port and then discarded.

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
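
The Service Type mapping from section 4.4 and the response counters in the table above, as an added Python example (not code from this manual or from the device firmware). It validates a server reply the way RFC 2865 defines the Length field and the Response Authenticator; assigning unmatched identifiers to "Packets dropped", and all function names and sample values, are assumptions.

```python
import hashlib
import hmac
import struct

# Reply codes valid on the authentication port -> counter name in the statistics table
COUNTER_BY_CODE = {2: "Access accepts", 3: "Access rejects", 11: "Access challenges"}
# Service-Type (attribute 6) values from RFC 2865 -> user role named in section 4.4
ROLE_BY_SERVICE_TYPE = {6: "administrator", 1: "operator", 7: "guest"}


def parse_attributes(blob):
    """Split the attribute area into (type, value) pairs; None if a length is inconsistent."""
    attrs, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            return None
        a_type, a_len = blob[pos], blob[pos + 1]
        if a_len < 2 or pos + a_len > len(blob):
            return None
        attrs.append((a_type, blob[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def classify_reply(data, request_id, request_auth, secret):
    """Return (counter name, user role or None) for one datagram from the server."""
    if len(data) < 20:
        return "Malformed access responses", None
    code, ident, length = struct.unpack_from("!BBH", data)
    if not 20 <= length <= 4096 or length > len(data):
        return "Malformed access responses", None
    data = data[:length]  # octets beyond the Length field are padding
    attrs = parse_attributes(data[20:])
    if attrs is None:
        return "Malformed access responses", None
    if code not in COUNTER_BY_CODE:
        return "Unknown types", None
    if ident != request_id:
        return "Packets dropped", None  # assumption: unmatched replies are counted here
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(data[:4] + request_auth + data[20:] + secret).digest()
    if not hmac.compare_digest(expected, data[4:20]):
        return "Bad authenticators", None
    role = None
    if code == 2:  # only an Access-Accept carries the authorization
        for a_type, value in attrs:
            if a_type == 6 and len(value) == 4:
                role = ROLE_BY_SERVICE_TYPE.get(struct.unpack("!I", value)[0])
    return COUNTER_BY_CODE[code], role


def build_reply(code, ident, request_auth, attrs, secret):
    """Construct a sample reply the way a server computes the Response Authenticator."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


# Constructed sample values, not taken from a real deployment
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
ADMIN_ACCEPT = build_reply(2, 42, REQUEST_AUTH, struct.pack("!BBI", 6, 6, 6), SECRET)

if __name__ == "__main__":
    print(classify_reply(ADMIN_ACCEPT, 42, REQUEST_AUTH, SECRET))
    print(classify_reply(ADMIN_ACCEPT, 42, REQUEST_AUTH, b"wrong-secret"))
```

A steadily rising "Bad authenticators" counter usually points to a shared-secret mismatch between the device and the server, or to replies that did not originate from the configured server.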

Network Security > RADIUS > Accounting Statistics

4.4.5 RADIUS Accounting Statistics

This dialog displays information about the communication between the device and the accounting server. The table displays the information for each server in a separate row.
To delete the statistics, click the Clear RADIUS statistics? button in the Network Security > RADIUS > Global dialog.

Table

Parameters and their meaning:
Name: Displays the name of the server.
Address: Displays the IP address of the server.
Round trip time: Displays the time interval in hundredths of a second between the last response received from the server (Accounting Response) and the corresponding data packet sent (Accounting Request).
Accounting-request packets: Displays the number of accounting request data packets that the device sent to the server. This value does not take repetitions into account.
Retransmitted accounting-request packets: Displays the number of accounting request data packets that the device retransmitted to the server.
Received packets: Displays the number of accounting response data packets that the device received from the server.
Malformed packets: Displays the number of malformed accounting response data packets that the device received from the server (including data packets with an invalid length).
Bad authenticators: Displays the number of accounting response data packets with an invalid authenticator that the device received from the server.
Pending requests: Displays the number of accounting request data packets that the device sent to the server and for which it has not yet received a response from the server.
Timeouts: Displays how many times no response from the server was received before the specified waiting time elapsed.
Unknown types: Displays the number of data packets with an unknown data type that the device received from the server on the accounting port.
Packets dropped: Displays the number of data packets that the device received from the server on the accounting port and then discarded.

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Network Security > DoS

4.5 DoS

Denial of Service (DoS) is a cyber-attack that aims to bring down specific services or devices. In this menu you can set up several filters to protect the device from DoS attacks.
The menu contains the following dialogs:
• DoS Global

Network Security > DoS > Global

4.5.1 DoS Global

In this dialog, you specify the DoS settings for the TCP/UDP, IP and ICMP protocols.

TCP/UDP
A scanner uses port scans to prepare network attacks. The scanner uses different techniques to determine running devices and open ports. This frame allows you to activate filters for specific scanning techniques.
The device supports the detection of the following scan types:
• Null scans
• Xmas scans
• SYN/FIN scans
• TCP Offset attacks
• TCP SYN attacks
• L4 Port attacks
• Minimal Header scans

Parameters and their meaning:
Null Scan filter: Activates/deactivates the Null Scan filter.
  The Null Scan filter detects incoming data packets with no TCP flags set and discards them.
  Possible values:
  • marked
    The filter is active.
  • unmarked (default setting)
    The filter is inactive.
Xmas filter: Activates/deactivates the Xmas filter.
  The Xmas filter detects incoming data packets with the TCP flags FIN, URG and PUSH set simultaneously and discards them.
  Possible values:
  • marked
    The filter is active.
  • unmarked (default setting)
    The filter is inactive.
SYN/FIN filter: Activates/deactivates the SYN/FIN filter.
  The SYN/FIN filter detects incoming data packets with the TCP flags SYN and FIN set simultaneously and discards them.
  Possible values:
  • marked
    The filter is active.
  • unmarked (default setting)
    The filter is inactive.
TCP Offset protection: Activates/deactivates the TCP Offset protection.
  The TCP Offset protection detects incoming TCP data packets whose fragment offset field of the IP header is equal to 1 and discards them.
  The TCP Offset protection accepts UDP and ICMP packets whose fragment offset field of the IP header is equal to 1.
  Possible values:
  • marked
    The protection is active.
  • unmarked (default setting)
    The protection is inactive.
TCP SYN protection: Activates/deactivates the TCP SYN protection.
  The TCP SYN protection detects incoming data packets with the TCP flag SYN set and a L4 source port <1024 and discards them.
  Possible values:
  • marked
    The protection is active.
  • unmarked (default setting)
    The protection is inactive.
L4 Port protection: Activates/deactivates the L4 Port protection.
  The L4 Port protection detects incoming TCP and UDP data packets whose source port number and destination port number are identical and discards them.
  Possible values:
  • marked
    The protection is active.
  • unmarked (default setting)
    The protection is inactive.
Min. Header Size filter: Activates/deactivates the Minimal Header filter.
  The Minimal Header filter detects incoming data packets whose IP payload length in the IP header less the outer IP header size is smaller than the minimum TCP header size. If this is the first fragment that the device detects, the device discards the data packet.
  Possible values:
  • marked
    The filter is active.
  • unmarked (default setting)
    The filter is inactive.
Min. TCP header size: Displays the minimum size of a valid TCP header.

IP
This frame allows you to activate or deactivate the Land Attack filter. With the land attack method, the attacking station sends data packets whose source and destination addresses are identical to those of the recipient. When you activate this filter, the device detects data packets with identical source and destination addresses and discards these.

Parameters and their meaning:
Land Attack filter: Activates/deactivates the Land Attack filter.
  The Land Attack filter detects incoming IP data packets whose source and destination IP address are identical and discards them.
  Possible values:
  • marked
    The filter is active.
  • unmarked (default setting)
    The filter is inactive.

ICMP
This dialog provides you with filter options for the following ICMP parameters:
• Fragmented data packets
• ICMP packets from a specific size upwards
• Broadcast pings

Parameters and their meaning:
Filter fragmented packets: Activates/deactivates the filter for fragmented ICMP packets.
  The filter detects fragmented ICMP packets and discards them.
  Possible values:
  • marked
    The filter is active.
  • unmarked (default setting)
    The filter is inactive.
Filter by packet size: Activates/deactivates the filter for incoming ICMP packets.
  The filter detects ICMP packets whose size exceeds the packet size specified in the Allowed packet size [byte] field and discards them.
  Possible values:
  • marked
    The filter is active.
  • unmarked (default setting)
    The filter is inactive.
Allowed packet size [byte]: Specifies the maximum allowed payload size of ICMP packets in bytes.
  Mark the Filter by packet size checkbox if you want the device to discard incoming data packets whose size exceeds the maximum allowed size for ICMP packets.
  Possible values:
  • 0..1472 (default setting: 512)
Drop broadcast ping: Activates/deactivates the filter for Broadcast Pings. Broadcast Pings are a known indicator of Smurf Attacks.
  Possible values:
  • marked
    The filter is active.
    The device detects Broadcast Pings and drops them.
  • unmarked (default setting)
    The filter is inactive.

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
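
The filter conditions of this dialog expressed as one classifier, as an added Python example (not code from this manual or from the device firmware) that is useful for checking captured traffic against the filters before enabling them. Assumptions: a minimum TCP header size of 20 bytes, ICMP payload measured after the 8-byte ICMP header, a broadcast ping defined as an echo request to a listed broadcast address, the Minimal Header check applied to TCP only, and all function names.

```python
import struct
from ipaddress import IPv4Address

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20
XMAS = FIN | URG | PSH
MIN_TCP_HEADER = 20  # assumption: TCP header without options; the dialog shows the device's value


def matching_filters(pkt, icmp_max_payload=512, broadcast_addrs=("255.255.255.255",)):
    """Return the DoS Global filters (named as in the dialog) that match one IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack_from("!HHH", pkt, 2)
    more_fragments, frag_offset = bool(frag & 0x2000), frag & 0x1FFF
    proto = pkt[9]
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    l4 = pkt[ihl:total_len]
    hits = []

    if src == dst:
        hits.append("Land Attack filter")

    if proto == 6:  # TCP
        if frag_offset == 1:
            hits.append("TCP Offset protection")
        if frag_offset == 0 and total_len - ihl < MIN_TCP_HEADER:
            hits.append("Min. Header Size filter")
        if frag_offset == 0 and len(l4) >= 14:  # ports and flags byte are present
            sport, dport = struct.unpack_from("!HH", l4)
            flags = l4[13] & 0x3F  # the six classic TCP flags
            if flags == 0:
                hits.append("Null Scan filter")
            if flags & XMAS == XMAS:
                hits.append("Xmas filter")
            if flags & (SYN | FIN) == (SYN | FIN):
                hits.append("SYN/FIN filter")
            if flags & SYN and sport < 1024:
                hits.append("TCP SYN protection")
            if sport == dport:
                hits.append("L4 Port protection")
    elif proto == 17 and frag_offset == 0 and len(l4) >= 4:  # UDP
        sport, dport = struct.unpack_from("!HH", l4)
        if sport == dport:
            hits.append("L4 Port protection")
    elif proto == 1:  # ICMP
        if more_fragments or frag_offset:
            hits.append("Filter fragmented packets")
        if frag_offset == 0 and len(l4) >= 8:
            if total_len - ihl - 8 > icmp_max_payload:
                hits.append("Filter by packet size")
            if l4[0] == 8 and str(dst) in broadcast_addrs:  # type 8 = echo request
                hits.append("Drop broadcast ping")
    return hits


def ipv4(proto, src, dst, payload, frag=0):
    """Build a constructed IPv4 packet for the checks (checksum left at 0, never sent)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                         proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def tcp(sport, dport, flags):
    """Build a constructed 20-byte TCP header with the given ports and flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


if __name__ == "__main__":
    a, b = "192.0.2.10", "192.0.2.20"  # documentation addresses, constructed samples
    print(matching_filters(ipv4(6, a, b, tcp(40000, 80, 0))))
    print(matching_filters(ipv4(6, a, b, tcp(123, 123, SYN))))
```

Note that the TCP SYN protection and L4 Port protection conditions also match some legitimate traffic, for example a service that uses the same source and destination port, so count the matches on real traffic first.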

Network Security > DHCP Snooping

4.6 DHCP Snooping

DHCP Snooping is a function that supports the network security. DHCP Snooping monitors DHCP packets between the DHCP client and the DHCP server and acts like a firewall between the unsecured hosts and the secured DHCP servers.
In this dialog, you configure and monitor the following device properties:
• Validate DHCP packets from untrusted sources and filter out invalid packets.
• Limit DHCP data traffic from trusted and untrusted sources.
• Set up and update the DHCP Snooping binding database. This database contains the MAC address, IP address, VLAN and port of DHCP clients at untrusted ports.
• Validate follow-up requests from untrusted hosts on the basis of the DHCP Snooping binding database.
You can activate DHCP Snooping globally and for a specific VLAN. You specify the security status (trusted or untrusted) on individual ports. Verify that the DHCP service can be reached via trusted ports. For DHCP Snooping you typically configure the user/client ports as untrusted and the uplink ports as trusted.
The menu contains the following dialogs:
• DHCP Snooping Global
• DHCP Snooping Configuration
• DHCP Snooping Statistics
• DHCP Snooping Bindings

Network Security > DHCP Snooping > Global

4.6.1 DHCP Snooping Global

This dialog allows you to configure the global DHCP Snooping parameters for your device:
• Activate/deactivate DHCP Snooping globally.
• Activate/deactivate Auto-Disable globally.
• Enable/disable the checking of the source MAC address.
• Configure the name, storage location and storing interval for the binding database.

Operation

Parameters and their meaning:
Operation: Enables/disables the DHCP Snooping function globally.
  Possible values:
  • On
  • Off (default setting)

Configuration

Parameters and their meaning:
Verify MAC: Activates/deactivates the source MAC address verification in the Ethernet packet.
  Possible values:
  • marked
    The source MAC address verification is active.
    The device compares the source MAC address with the MAC address of the client in the received DHCP packet.
  • unmarked (default setting)
    The source MAC address verification is inactive.
Auto-disable: Activates/deactivates the Auto-Disable function for DHCP Snooping.
  Possible values:
  • marked
    The Auto-Disable function for DHCP Snooping is active.
    Also mark the checkbox in the Auto-disable column on the Port tab in the Network Security > DHCP Snooping > Configuration dialog for the relevant ports.
  • unmarked (default setting)
    The Auto-Disable function for DHCP Snooping is inactive.

Binding database

Parameters and their meaning:
Remote file name: Specifies the name of the file in which the device saves the DHCP Snooping binding database.

  Note:
  The device saves solely dynamic bindings in the persistent binding database. The device saves static bindings in the configuration profile.
Remote IP address: Specifies the remote IP address under which the device saves the persistent DHCP Snooping binding database. With the value 0.0.0.0 the device saves the binding database locally.
  Possible values:
  • Valid IPv4 address
  • 0.0.0.0 (default setting)
    The device saves the DHCP Snooping binding database locally.
Store interval [s]: Specifies the time delay in seconds after which the device saves the DHCP Snooping binding database when it determines a change in the database.
  Possible values:
  • 15..86400 (default setting: 300)

Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Network Security > DHCP Snooping > Configuration

4.6.2 DHCP Snooping Configuration

This dialog allows you to configure DHCP Snooping for individual ports and for individual VLANs.

The dialog contains the following tabs:
• [Port]
• [VLAN ID]

[Port ]
In this tab, you configure the DHCP Snooping function for individual ports.
 Configure a port as trusted/untrusted.
 Activate/deactivate the logging of invalid packets for individual ports.
 Limit the number of DHCP packets.
 Deactivate a port automatically if the DHCP data traffic exceeds the specified limit.

 Table

Parameters Meaning
Port Displays the port number.
Trust Activates/deactivates the security status (trusted, untrusted) of the port.
When this function is active, the port is configured as trusted. Typically, you have connected the
trusted port to a DHCP server.
When this function is inactive, the port is configured as untrusted.
Possible values:
 marked
The port is specified as trusted. DHCP Snooping forwards permissible client packets through
trusted ports.
 unmarked (default setting)
The port is configured as untrusted. On untrusted ports, the device compares the receiver port
with the client port in the binding database.
Log Activates/deactivates the logging of invalid packets that the device determines on this port.
Possible values:
 marked
The logging of invalid packets is active.
 unmarked (default setting)
The logging of invalid packets is inactive.
Rate limit Specifies the maximum number of DHCP packets per burst interval for this port. If the number of
incoming DHCP packets is currently exceeding the specified limit in a burst interval, the device
discards the additional incoming DHCP packets.
The value -1 deactivates the limitation.
Possible values:
 -1 (default setting)
Deactivates the limitation of the number of DHCP packets per burst interval on this port.
 0..150 packets per interval
Limits the maximum number of DHCP packets per burst interval on this port.
You specify the burst interval in the Burst interval column.
When you activate the auto-disable function, the device also disables the port. You find the auto-
disable function in the Auto-disable column.
Burst interval Specifies the length of the burst interval in seconds on this port. The burst interval is relevant for
the rate limiting function.
You specify the maximum number of DHCP packets per burst interval in the Rate limit column.
Possible values:
 1..15 (default setting: 1)

Auto-disable Activates/deactivates the Auto-Disable function for the parameters that the DHCP Snooping
function is monitoring on the port.
Possible values:
 marked (default setting)
The Auto-Disable function is active on the port.
The prerequisite is that in the Network Security > DHCP Snooping > Global dialog the
Auto-disable checkbox in the Configuration frame is marked.
– The device disables the port if the port receives in the time specified in the Burst
interval column more DHCP packets than is specified in the Rate limit field. The “Link
status” LED for the port flashes 3× per period.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently
disabled due to the parameters being exceeded.
– The Auto-Disable function reactivates the port automatically. For this you go to the
Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the
relevant port in the Reset timer [s] column.
 unmarked
The Auto-Disable function on the port is inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[VLAN ID ]
In this tab, you configure the DHCP Snooping function for individual VLANs.

 Table

Parameters Meaning
VLAN ID Displays the VLAN ID to which the table entry relates.
Active Activates/deactivates the DHCP Snooping function in this VLAN.
The DHCP Snooping function forwards valid DHCP client messages to the trusted ports in VLANs
without the Routing function.
Possible values:
 marked
The DHCP Snooping function is active in this VLAN.
 unmarked (default setting)
The DHCP Snooping function is inactive in this VLAN.
The device forwards DHCP packets according to the switching settings without monitoring the
packets. The binding database remains unchanged.

Note: To enable DHCP Snooping for a port, enable the DHCP Snooping function globally in the
Network Security > DHCP Snooping > Global dialog. Verify that you assigned the port to a
VLAN in which DHCP Snooping is enabled.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Network Security > DHCP Snooping > Statistics

4.6.3 DHCP Snooping Statistics

With DHCP Snooping, the device logs detected errors and generates statistics. In this dialog, you
monitor the DHCP Snooping statistics for each port.
The device logs the following:
 Errors detected when validating the MAC address of the DHCP client
 DHCP client messages with a detected incorrect port
 DHCP server messages to untrusted ports

 Table

Parameters Meaning
Port Displays the port number.
MAC verify failures Displays the number of discrepancies between the MAC address of the DHCP client in the
‘chaddr’ field of the DHCP data packet and the source address in the Ethernet packet.
Invalid client Displays the number of incoming DHCP client messages received on the port for which the device
messages expects the client on another port according to the DHCP Snooping binding database.
Invalid server Displays the number of DHCP server messages the device received on the untrusted port.
messages

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset Resets the entire table.
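
The three counters in this dialog correspond to three distinct checks. The following sketch is an added example, not code from the manual or from HiOS; it classifies constructed DHCP frames against a constructed binding database. The port names, MAC addresses, the set of DHCP message types and the order of the checks are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Assumed grouping of DHCP message types into client and server messages.
CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class DhcpFrame:
    port: str       # ingress port
    vlan: int
    eth_src: str    # source address of the Ethernet packet
    chaddr: str     # client MAC address in the 'chaddr' field
    msg_type: str


@dataclass
class DhcpSnooper:
    trusted_ports: set
    snooping_vlans: set   # VLANs in which DHCP Snooping is active
    bindings: dict        # (vlan, client MAC) -> port the client is bound to
    stats: dict = field(default_factory=dict)   # port -> Counter

    def _drop(self, port, counter):
        self.stats.setdefault(port, Counter())[counter] += 1
        return "drop: " + counter

    def inspect(self, f):
        # Inactive VLAN: packets pass unmonitored. Trusted port: forwarded.
        if f.vlan not in self.snooping_vlans or f.port in self.trusted_ports:
            return "forward"
        # Server messages have no business arriving on an untrusted port.
        if f.msg_type in SERVER_MSGS:
            return self._drop(f.port, "Invalid server messages")
        # 'chaddr' must equal the Ethernet source address.
        if f.eth_src != f.chaddr:
            return self._drop(f.port, "MAC verify failures")
        # The binding database expects this client on another port.
        expected = self.bindings.get((f.vlan, f.chaddr))
        if expected is not None and expected != f.port:
            return self._drop(f.port, "Invalid client messages")
        return "forward"


def run_sample():
    """Run six constructed frames through the checks."""
    client, server = "00:10:00:00:00:0a", "00:10:00:00:00:01"
    snooper = DhcpSnooper(
        trusted_ports={"1/1"},
        snooping_vlans={10},
        bindings={(10, client): "1/3"},
    )
    frames = [
        DhcpFrame("1/1", 10, server, client, "ACK"),        # server behind trusted port
        DhcpFrame("1/5", 10, "00:10:00:00:00:99", client, "OFFER"),
        DhcpFrame("1/6", 10, "00:10:00:00:00:66", "00:10:00:00:00:67", "DISCOVER"),
        DhcpFrame("1/7", 10, client, client, "RELEASE"),    # client is bound to 1/3
        DhcpFrame("1/3", 10, client, client, "REQUEST"),
        DhcpFrame("1/5", 30, "00:10:00:00:00:99", client, "OFFER"),  # VLAN 30 not monitored
    ]
    return [snooper.inspect(f) for f in frames], snooper.stats
```

A rising Invalid server messages counter on an access port is the one to alert on first, because it indicates a DHCP server answering from behind an untrusted port.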

Network Security > DHCP Snooping > Bindings

4.6.4 DHCP Snooping Bindings

DHCP Snooping uses DHCP messages to set up and update the binding database.
 Static bindings
The device allows you to enter up to 1,024 static DHCP Snooping bindings in the database.
 Dynamic bindings
The dynamic binding database contains data for clients on untrusted ports exclusively.
This menu allows you to specify the settings for static and dynamic bindings.
 Set up new static bindings and set them to active/inactive.
 Display, activate/deactivate or delete static bindings that have been set up.

 Table

Parameters Meaning
MAC address Specifies the MAC address in the table entry that you bind to an IP address and VLAN ID.
Possible values:
 Valid Unicast MAC address
Specify the value in one of the following formats:
– without a separator, for example 001122334455
– separated by spaces, for example 00 11 22 33 44 55
– separated by colons, for example 00:11:22:33:44:55
– separated by hyphens, for example 00-11-22-33-44-55
– separated by points, for example 00.11.22.33.44.55
– separated by points after every 4th character, for example 0011.2233.4455
IP address Specifies the IP address for the static DHCP Snooping binding.
Possible values:
 Valid Unicast IPv4 address smaller than 224.x.x.x and outside the range 127.0.0.0/8
(default setting: 0.0.0.0)
VLAN ID Specifies the ID of the VLAN to which the table entry applies.
Possible values:
 <ID of the VLANs that are set up>
Port Specifies the port for the static DHCP Snooping binding.
Possible values:
 Available ports
Remaining binding Displays the remaining time for the dynamic DHCP Snooping binding.
time
Active Activates/deactivates the specified static DHCP Snooping binding.
Possible values:
 marked
The static DHCP Snooping binding is active.
 unmarked (default setting)
The static DHCP Snooping binding is inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.
In the MAC address field, you specify the MAC address which you bind to an IP address and a
VLAN ID.
Removes the highlighted table entry.
The prerequisite is that the checkbox in the Active column is unmarked.
Also, the device removes the dynamic bindings of this port created with the IP Source Guard
function.
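
When static bindings are prepared outside the GUI, for example in a spreadsheet, it helps to check them against the value rules of the table above before entering them. The following validator is an added example, not part of the manual or of HiOS. The row layout, the port names and the duplicate check on MAC address plus VLAN ID are assumptions; the accepted MAC notations, the IP address range and the limit of 1,024 entries come from this section.

```python
import ipaddress
import re

MAX_STATIC_BINDINGS = 1024  # limit stated in this section

# The notations listed for the MAC address column.
_MAC_FORMS = (
    re.compile(r"[0-9a-f]{12}"),                                       # 001122334455
    re.compile(r"[0-9a-f]{2}([ :.-])[0-9a-f]{2}(?:\1[0-9a-f]{2}){4}"),  # one separator throughout
    re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"),              # 0011.2233.4455
)


def normalize_mac(text):
    """Return the MAC as aa:bb:cc:dd:ee:ff or raise ValueError."""
    s = text.strip().lower()
    if not any(form.fullmatch(s) for form in _MAC_FORMS):
        raise ValueError(f"unsupported MAC notation: {text!r}")
    digits = re.sub(r"[ :.-]", "", s)
    if int(digits[:2], 16) & 1:   # group bit set: multicast or broadcast
        raise ValueError(f"not a unicast MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_ip(text):
    """Accept IPv4 addresses below 224.x.x.x and outside 127.0.0.0/8."""
    ip = ipaddress.IPv4Address(text)   # malformed input raises ValueError
    first_octet = int(ip) >> 24
    if first_octet >= 224 or first_octet == 127:
        raise ValueError(f"address not allowed for a binding: {text}")
    return str(ip)


def validate_bindings(rows, vlans, ports):
    """rows: (mac, ip, vlan, port) tuples. Returns (accepted, rejected)."""
    accepted, rejected, seen = [], [], set()
    for row in rows:
        mac_text, ip_text, vlan, port = row
        try:
            mac, ip = normalize_mac(mac_text), check_ip(ip_text)
            if vlan not in vlans:
                raise ValueError(f"VLAN {vlan} is not set up")
            if port not in ports:
                raise ValueError(f"port {port} is not available")
            if (mac, vlan) in seen:   # assumed uniqueness key
                raise ValueError(f"duplicate binding for {mac} in VLAN {vlan}")
            if len(accepted) >= MAX_STATIC_BINDINGS:
                raise ValueError("static binding table is full")
        except ValueError as exc:
            rejected.append((row, str(exc)))
            continue
        seen.add((mac, vlan))
        accepted.append((mac, ip, vlan, port))
    return accepted, rejected


SAMPLE_ROWS = [  # constructed input
    ("001122334455", "10.0.10.5", 10, "1/3"),
    ("00-11-22-33-44-56", "10.0.10.6", 10, "1/4"),
    ("0011.2233.4457", "10.0.20.7", 20, "1/5"),
    ("00 11 22 33 44 55", "10.0.10.8", 10, "1/6"),    # same MAC and VLAN as row 1
    ("01:00:5e:00:00:01", "10.0.10.9", 10, "1/3"),    # multicast MAC
    ("00:11-22:33-44:58", "10.0.10.10", 10, "1/3"),   # mixed separators
    ("00:11:22:33:44:59", "224.0.0.5", 10, "1/3"),    # multicast IP
    ("00:11:22:33:44:5a", "127.0.0.1", 10, "1/3"),    # loopback
    ("00:11:22:33:44:5b", "10.0.30.2", 30, "1/3"),    # VLAN not set up
]


def run_sample():
    return validate_bindings(SAMPLE_ROWS, vlans={10, 20},
                             ports={"1/3", "1/4", "1/5", "1/6"})
```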

Network Security > IP Source Guard

4.7 IP Source Guard

IP Source Guard (IPSG) is a function that supports the network security. The function filters IP data
packets based on the source ID (source IP address or source MAC address) of the subscriber. IPSG
supports you in protecting the network against attacks through IP/MAC address spoofing.

IPSG and DHCP Snooping


IP Source Guard operates in combination with the port DHCP Snooping function.
DHCP Snooping discards IP data packets on untrusted ports, except DHCP messages. When the device
receives DHCP responses and the DHCP Snooping binding database is set up, the device creates a
VLAN Access Control List (VACL) for each port containing the source IDs of the subscribers.
You configure the parameters of the DHCP Snooping function for individual ports and individual VLANs
in the Network Security > DHCP Snooping > Configuration dialog.

IPSG and port security


IP Source Guard cooperates with the Port Security function. See the Network Security > Port
Security dialog. Upon request, IPSG informs the Port Security function whether a MAC
address belongs to a valid binding.
 If you have deactivated IPSG on the ingress port, IPSG designates the data packet to be valid.
 If you have activated IPSG on the ingress port, IPSG checks the MAC address using the bindings
database. If the MAC address is entered in the bindings database, IPSG designates the data packet
to be valid, and otherwise invalid.
The Port Security function takes over the subsequent processing of invalid data packets. You specify
the settings of the Port Security function in the Network Security > Port Security dialog.

Note: In order for the device to check the IP address and the MAC address of the data packets received
on the port, enable the Verify MAC function.
In order for the device to check the VLAN ID and the MAC address of the source before forwarding the
data packet, additionally enable the Port Security function. See the Network Security > Port
Security dialog.
The menu contains the following dialogs:
 IP Source Guard Port
 IP Source Guard Bindings

Network Security > IP Source Guard > Port

4.7.1 IP Source Guard Port

This dialog allows you to display and configure the following device properties for each port:
 Include/exclude source MAC addresses for the filtering
 Activate/deactivate the IPSG function

 Table

Parameters Meaning
Port Displays the port number.
Verify MAC Activates/deactivates the filtering based on the source MAC address if the IPSG function is active.
The device executes this filtering in addition to the filtering based on the source IP address.
Possible values:
 marked
Filtering based on the source MAC address is active.
To activate the function, mark the Active checkbox.
 unmarked (default setting)
Filtering based on the source MAC address is inactive.
To deactivate the function, also unmark the Active checkbox.
Active Activates/deactivates the IPSG function on the port.
Possible values:
 marked
The IPSG function is active.
You also enable the DHCP Snooping function in the Network Security > DHCP Snooping >
Global dialog.
 unmarked (default setting)
The IPSG function is inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Network Security > IP Source Guard > Bindings

4.7.2 IP Source Guard Bindings

This dialog displays static and dynamic IP Source Guard bindings.


 The device learns dynamic bindings through DHCP Snooping. See the Network Security > DHCP
Snooping > Configuration dialog.
 Static bindings are IP Source Guard bindings manually set up by the user. The dialog allows you to
edit static bindings.

 Table

Parameters Meaning
MAC address Displays the MAC address of the binding.
IP address Displays the IP address of the binding.
VLAN ID Displays the VLAN ID of the binding.
Port Displays the number of the port of the binding.
Hardware status Displays the hardware status of the binding.
The device applies the binding to the hardware solely if the settings are correct. Before the device
applies the static IPSG binding to the hardware, it checks the following prerequisites:
– The Active checkbox is marked.
– The IPSG function on the port is active, in the Network Security > IP Source Guard >
Port dialog the Active checkbox is marked.
Possible values:
 marked
The binding is active, the device applies the binding to the hardware.
 unmarked
The binding is inactive.
Active Activates/deactivates the specified static IPSG binding between the specified MAC address and
the specified IP address, for the specified VLAN on the specified port.
Possible values:
 marked
The static IPSG binding is active.
 unmarked (default setting)
The static IPSG binding is inactive.

Note: To make the static binding effective, activate the IPSG function on the corresponding port.
In the Network Security > IP Source Guard > Port dialog, mark the Active checkbox.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.
 In the MAC address field, you specify the MAC address for the static binding.
 In the IP address field, you specify the IP address for the static binding.
 In the VLAN ID field, you specify the VLAN ID.
 In the Port field, you specify the ID of the VLAN.
Removes the highlighted table entry.
The prerequisite is that the checkbox in the Active column is unmarked.

Network Security > Dynamic ARP Inspection

4.8 Dynamic ARP Inspection

Dynamic ARP Inspection is a function that supports the network security. This function analyzes ARP
packets, logs them, and discards invalid and hostile ARP packets.
The Dynamic ARP Inspection function helps prevent a range of man-in-the-middle attacks. With this
kind of attack, a hostile station listens in on the data traffic from other subscribers by encroaching on the
ARP cache of its unsuspecting neighbors. The hostile station sends ARP requests and ARP responses
and enters the IP address of another subscriber for its own MAC address in the IP-to-MAC address
relationship (binding).
Using the following measures, the Dynamic ARP Inspection function helps ensure that the device
forwards valid ARP requests and ARP responses exclusively.
 Listening in on ARP requests and ARP responses on untrusted ports.
 Verifying that the determined packets have a valid IP to MAC address relationship (binding) before
the device updates the local ARP cache and before the device forwards the packets to the related
destination address.
 Discarding invalid ARP packets.
The device allows you to specify up to 100 active ARP ACLs (access lists). You can activate up to 20
rules for each ARP ACL.
The menu contains the following dialogs:
 Dynamic ARP Inspection Global
 Dynamic ARP Inspection Configuration
 Dynamic ARP Inspection ARP Rules
 Dynamic ARP Inspection Statistics

Network Security > Dynamic ARP Inspection > Global

4.8.1 Dynamic ARP Inspection Global

 Configuration

Parameters Meaning
Verify source MAC Activates/deactivates the source MAC address verification. The device executes the check in both
ARP requests and ARP responses.
Possible values:
 marked
The source MAC address verification is active.
The device checks the source MAC address of the received ARP packets.
– The device transmits ARP packets with a valid source MAC address to the related
destination address and updates the local ARP cache.
– The device discards ARP packets with an invalid source MAC address.
 unmarked (default setting)
The source MAC address verification is inactive.
Verify destination Activates/deactivates the destination MAC address verification. The device executes the check in
MAC ARP responses.
Possible values:
 marked
The destination MAC address verification is active.
The device checks the destination MAC address of the incoming ARP packets.
– The device transmits ARP packets with a valid destination MAC address to the related
destination address and updates the local ARP cache.
– The device discards ARP packets with an invalid destination MAC address.
 unmarked (default setting)
The checking of the destination MAC address of the incoming ARP packets is inactive.
Verify IP address Activates/deactivates the IP address verification.
In ARP requests, the device checks the source IP address. In ARP responses, the device checks
the destination and source IP address.
The device designates the following IP addresses as invalid:
– 0.0.0.0
– Broadcast addresses 255.255.255.255
– Multicast addresses 224.0.0.0/4 (Class D)
– Class E addresses 240.0.0.0/4 (reserved for subsequent purposes)
– Loopback addresses in the range 127.0.0.0/8.
Possible values:
 marked
The IP address verification is active.
The device checks the IP address of the incoming ARP packets. The device transmits ARP
packets with a valid IP address to the related destination address and updates the local ARP
cache. The device discards ARP packets with an invalid IP address.
 unmarked (default setting)
The IP address verification is inactive.
Auto-disable Activates/deactivates the Auto-Disable function for Dynamic ARP Inspection.
Possible values:
 marked
The Auto-Disable function for Dynamic ARP Inspection is active.
Also mark the checkbox in the Port column on the Auto-disable tab in the Network
Security > Dynamic ARP Inspection > Configuration dialog for the relevant ports.
 unmarked (default setting)
The Auto-Disable function for Dynamic ARP Inspection is inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Network Security > Dynamic ARP Inspection > Configuration

4.8.2 Dynamic ARP Inspection Configuration

The dialog contains the following tabs:


 [Port ]
 [VLAN ID ]

[Port ]

 Table

Parameters Meaning
Port Displays the port number.
Trust Activates/deactivates the monitoring of ARP packets on untrusted ports.
Possible values:
 marked
Monitoring is active.
The device monitors ARP packets on untrusted ports.
The device immediately forwards ARP packets on trusted ports.
 unmarked (default setting)
Monitoring is inactive.
Rate limit Specifies the maximum number of ARP packets per interval on this port. If the rate of incoming
ARP packets is currently exceeding the specified limit in a burst interval, the device discards the
additional incoming ARP packets. You specify the burst interval in the Burst interval column.
Optionally, the device also deactivates the port if you activate the auto-disable function. You
enable/disable the Auto-Disable function in the Auto-disable column.
Possible values:
 -1 (default setting)
Deactivates the limitation of the number of ARP packets per burst interval on this port.
 0..300 packets per interval
Limits the maximum number of ARP packets per burst interval on this port.
Burst interval Specifies the length of the burst interval in seconds on this port. The burst interval is relevant for
the rate limiting function.
You specify the maximum number of ARP packets per burst interval in the Rate limit column.
Possible values:
 1..15 (default setting: 1)
Auto-disable Activates/deactivates the Auto-Disable function for the parameters that the Dynamic ARP
Inspection function is monitoring on the port.
Possible values:
 marked (default setting)
The Auto-Disable function is active on the port.
The prerequisite is that in the Network Security > Dynamic ARP Inspection > Global
dialog the Auto-disable checkbox in the Configuration frame is marked.
– The device disables the port if the port receives in the time specified in the Burst
interval column more ARP packets than is specified in the Rate limit field. The “Link
status” LED for the port flashes 3× per period.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently
disabled due to the parameters being exceeded.
– The Auto-Disable function reactivates the port automatically. For this you go to the
Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the
relevant port in the Reset timer [s] column.
 unmarked
The Auto-Disable function on the port is inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[VLAN ID ]

 Table

Parameters Meaning
VLAN ID Displays the VLAN ID to which the table entry relates.
Log Activates/deactivates the logging of invalid ARP packets that the device determines in this VLAN.
The device treats an ARP packet as invalid if it detects an error when checking the IP, source MAC
or destination MAC address, or when checking the IP-to-MAC address relationship (binding).
Possible values:
 marked
The logging of invalid packets is active.
The device registers invalid ARP packets.
 unmarked (default setting)
The logging of invalid packets is inactive.
Binding check Activates/deactivates the checking of incoming ARP packets that the device receives on untrusted
ports and on VLANs for which the Dynamic ARP Inspection function is active. For these ARP
packets the device checks the ARP ACL and the DHCP Snooping relationship (bindings).
Possible values:
 marked (default setting)
The binding check of ARP packets is active.
 unmarked
The binding check of ARP packets is inactive.
ACL strict Activates/deactivates the strict checking of incoming ARP packets based on the ARP ACL rules
specified.
Possible values:
 marked
The strict checking is active.
The device checks the incoming ARP packets based on the ARP ACL rule specified in the ARP
ACL column.
 unmarked (default setting)
The strict checking is inactive.
The device checks the incoming ARP packets based on the ARP ACL rule specified in the ARP
ACL column and subsequently on the entries in the DHCP Snooping database.
ARP ACL Specifies the ARP ACL that the device uses.
Possible values:
 <rule name>
You specify the rules in the Network Security > Dynamic ARP Inspection > ARP Rules
dialog.
Active Activates/deactivates the Dynamic ARP Inspection function in this VLAN.
Possible values:
 marked
The Dynamic ARP Inspection function is active in this VLAN.
 unmarked (default setting)
The Dynamic ARP Inspection function is inactive in this VLAN.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Network Security > Dynamic ARP Inspection > ARP Rules

4.8.3 Dynamic ARP Inspection ARP Rules

This dialog allows you to specify rules for checking and filtering ARP packets.

 Table

Parameters Meaning
Name Displays the name of the ARP rule.
Source IP address Specifies the source address of the IP data packets to which the device applies the rule.
Possible values:
 Valid IPv4 address
The device applies the rule to IP data packets with the specified source address.
Source MAC Specifies the source address of the MAC data packets to which the device applies the rule.
address
Possible values:
 Valid MAC address
The device applies the rule to MAC data packets with the specified source address.
Active Activates/deactivates the rule.
Possible values:
 marked (default setting)
The rule is active.
 unmarked
The rule is inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.
 In the Name field, you specify the name of the ARP rule.
 In the Source IP address field, you specify the source IP address of the ARP rule.
 In the Source MAC address field, you specify the source MAC address of the ARP rule.

Network Security > Dynamic ARP Inspection > Statistics

4.8.4 Dynamic ARP Inspection Statistics

This window displays the number of discarded and forwarded ARP packets in an overview.

 Table

Parameters Meaning
VLAN ID Displays the VLAN ID to which the table entry relates.
Packets forwarded Displays the number of ARP packets that the device forwards after checking them using the
Dynamic ARP Inspection function.
Packets dropped Displays the number of ARP packets that the device discards after checking them using the
Dynamic ARP Inspection function.
DHCP drops Displays the number of ARP packets that the device discards after checking the DHCP Snooping
relationship (binding).
DHCP permits Displays the number of ARP packets that the device forwards after checking the DHCP Snooping
relationship (binding).
ACL drops Displays the number of ARP packets that the device discards after checking them using the ARP
ACL rules.
ACL permits Displays the number of ARP packets that the device forwards after checking them using the ARP
ACL rules.
Bad source MAC Displays the number of ARP packets that the device discards after the Dynamic ARP Inspection
function detected an error in the source MAC address.
Bad destination Displays the number of ARP packets that the device discards after the Dynamic ARP Inspection
MAC function detected an error in the destination MAC address.
Invalid IP address Displays the number of ARP packets that the device discards after the Dynamic ARP Inspection
function detected an error in the IP address.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset Resets the entire table.
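
To read these counters, it helps to see which check produces which one. The following model is an added example, not code from the manual or from HiOS; it runs constructed ARP frames through the checks described in sections 4.8.1 and 4.8.2 and fills counters named after the columns above. Assumptions: the source MAC check compares the Ethernet source with the ARP sender MAC, the destination MAC check compares the Ethernet destination with the ARP target MAC, the address checks run before the binding check, and a DHCP Snooping binding matches on VLAN, IP address, MAC address and port.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Addresses that "Verify IP address" designates as invalid (section 4.8.1).
INVALID_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/32", "255.255.255.255/32", "224.0.0.0/4", "240.0.0.0/4", "127.0.0.0/8")]


def ip_is_invalid(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INVALID_NETS)


@dataclass(frozen=True)
class ArpFrame:
    vlan: int
    port: str
    eth_src: str
    eth_dst: str
    op: str           # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class VlanPolicy:     # one row of the [VLAN ID] tab with Active marked
    arp_acl: set = field(default_factory=set)   # active rules as (source IP, source MAC)
    acl_strict: bool = False
    binding_check: bool = True


@dataclass
class Inspector:
    trusted_ports: set
    policies: dict        # vlan -> VlanPolicy
    dhcp_bindings: dict   # (vlan, ip) -> (mac, port)
    verify_src_mac: bool = True
    verify_dst_mac: bool = True
    verify_ip: bool = True
    stats: dict = field(default_factory=dict)   # vlan -> Counter

    def _done(self, vlan, forwarded, reason=None):
        counters = self.stats.setdefault(vlan, Counter())
        if reason:
            counters[reason] += 1
        counters["Packets forwarded" if forwarded else "Packets dropped"] += 1
        return forwarded

    def inspect(self, f):
        policy = self.policies.get(f.vlan)
        if policy is None or f.port in self.trusted_ports:
            return True   # function inactive in this VLAN, or trusted port
        if self.verify_src_mac and f.eth_src != f.sender_mac:
            return self._done(f.vlan, False, "Bad source MAC")
        if self.verify_dst_mac and f.op == "reply" and f.eth_dst != f.target_mac:
            return self._done(f.vlan, False, "Bad destination MAC")
        if self.verify_ip:
            # Requests: source IP only. Responses: source and destination IP.
            ips = [f.sender_ip] + ([f.target_ip] if f.op == "reply" else [])
            if any(ip_is_invalid(ip) for ip in ips):
                return self._done(f.vlan, False, "Invalid IP address")
        if not policy.binding_check:
            return self._done(f.vlan, True)
        if (f.sender_ip, f.sender_mac) in policy.arp_acl:
            return self._done(f.vlan, True, "ACL permits")
        if policy.arp_acl and policy.acl_strict:
            return self._done(f.vlan, False, "ACL drops")   # strict: no DHCP fallback
        if self.dhcp_bindings.get((f.vlan, f.sender_ip)) == (f.sender_mac, f.port):
            return self._done(f.vlan, True, "DHCP permits")
        return self._done(f.vlan, False, "DHCP drops")


# Constructed addresses: gateway, two hosts, one unknown station.
GW, A, B, X = ("00:10:00:00:00:01", "00:10:00:00:00:0a",
               "00:10:00:00:00:0b", "00:10:00:00:00:66")
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def run_sample():
    dai = Inspector(
        trusted_ports={"1/1"},
        policies={10: VlanPolicy(arp_acl={("10.0.10.1", GW)}),
                  20: VlanPolicy(arp_acl={("10.0.20.1", GW)}, acl_strict=True)},
        dhcp_bindings={(10, "10.0.10.5"): (A, "1/3"), (20, "10.0.20.7"): (B, "1/8")},
    )
    frames = [
        ArpFrame(10, "1/3", A, GW, "reply", A, "10.0.10.5", GW, "10.0.10.1"),
        # Unknown station claims the gateway IP with its own MAC.
        ArpFrame(10, "1/4", X, A, "reply", X, "10.0.10.1", A, "10.0.10.5"),
        ArpFrame(10, "1/5", GW, A, "reply", GW, "10.0.10.1", A, "10.0.10.5"),
        # Ethernet source differs from the ARP sender MAC.
        ArpFrame(10, "1/4", X, BCAST, "request", A, "10.0.10.5", ZERO, "10.0.10.1"),
        # Sender IP 0.0.0.0, the shape of an RFC 5227 address probe.
        ArpFrame(10, "1/6", B, BCAST, "request", B, "0.0.0.0", ZERO, "10.0.10.9"),
        # Valid DHCP binding, but VLAN 20 is strict and the ACL has no rule for it.
        ArpFrame(20, "1/8", B, BCAST, "request", B, "10.0.20.7", ZERO, "10.0.20.1"),
    ]
    return [dai.inspect(f) for f in frames], dai.stats
```

The last frame shows the operational cost of ACL strict: a client with a valid DHCP Snooping binding is still dropped unless an ARP rule covers it.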

Network Security > ACL

4.9 ACL

In this menu, you specify the settings for the Access Control Lists (ACL). Access Control Lists contain
rules which the device applies successively to the data stream on its ports or VLANs.
If a data packet complies with the criteria of one or more rules, the device applies the action specified
in the first rule applying to the data stream. The device ignores the rules following. Possible actions
include:
 permit : The device transmits the data packet to a port or to a VLAN.
If desired, the device transmits a copy of the data packets to a further port.
 deny : The device drops the data packet.
In the default setting, the device forwards every data packet. Once you assign an Access Control List
to an interface or VLAN, this behavior changes. At the end of an Access Control List, the device
enters an implicit Deny-All rule. Consequently, the device discards data packets that do not meet
any of the rules. If you want a different behavior, add a "permit" rule at the end of your Access Control
Lists.
Proceed as follows to set up Access Control Lists and rules:
 If you wish, create a time profile. See the Network Security > ACL > Time Profile dialog. The
device applies Access Control Lists with a time profile at specified times instead of permanently.
 Create a rule and specify the rule settings. See the Network Security > ACL > IPv4 Rule dialog,
or the Network Security > ACL > MAC Rule dialog.
 Assign the Access Control List to the Ports and VLANs of the device. See the Network Security >
ACL > Assignment dialog.
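
Before assigning an Access Control List to a port, it is worth checking offline which rule decides a given packet and where the implicit Deny-All rule takes effect. The following evaluator is an added example, not code from the manual or from HiOS. It implements first-match processing by Index and the address notations that the IPv4 Rule dialog accepts (? wildcard and inverse bit mask). The rule and packet structures and the way a port operator is written as a prefix, such as <1024, are assumptions.

```python
import ipaddress
from dataclasses import dataclass


def addr_matches(pattern, addr):
    """Match an IPv4 address against '?.?.?.?', 'a.b.c.d' or 'a.b.c.d/inverse mask'."""
    if "/" in pattern:
        base, inverse = (int(ipaddress.IPv4Address(p)) for p in pattern.split("/"))
        care = ~inverse & 0xFFFFFFFF   # bits set in the inverse mask are ignored
        return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)
    return all(p == "?" or int(p) == int(a)
               for p, a in zip(pattern.split("."), addr.split(".")))


def port_matches(spec, port):
    """Match a port against a number or an operator form: <n, >n, !=n."""
    for op in ("!=", "<", ">"):
        if spec.startswith(op):
            n = int(spec[len(op):])
            return {"!=": port != n, "<": port < n, ">": port > n}[op]
    return port == int(spec)


@dataclass(frozen=True)
class Rule:
    index: int
    action: str               # "permit" or "deny"
    src: str = "?.?.?.?"
    dst: str = "?.?.?.?"
    protocol: str = "any"
    dst_port: str = "any"     # evaluated only for tcp and udp
    active: bool = True

    def matches(self, pkt):
        if not (addr_matches(self.src, pkt["src"]) and addr_matches(self.dst, pkt["dst"])):
            return False
        if self.protocol not in ("any", pkt["proto"]):
            return False
        if self.dst_port == "any":
            return True
        return pkt["proto"] in ("tcp", "udp") and port_matches(self.dst_port, pkt["dport"])


def evaluate(rules, pkt):
    """Return (action, index of the deciding rule); index None means implicit Deny-All."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.active and rule.matches(pkt):
            return rule.action, rule.index   # rules following are ignored
    return "deny", None


# Constructed Access Control List. Operator forms apply to inbound assignments only.
SAMPLE_ACL = [
    Rule(1, "deny", src="192.?.?.32"),
    Rule(2, "permit", src="192.168.1.1/0.0.0.127", protocol="tcp", dst_port="443"),
    Rule(3, "permit", src="192.168.1.1/0.0.0.127", protocol="udp", dst_port="<1024"),
]


def pkt(src, proto, dport, dst="10.0.0.10"):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


def run_sample():
    packets = [
        pkt("192.168.1.32", "tcp", 443),    # rule 2 would permit, rule 1 comes first
        pkt("192.168.1.20", "tcp", 443),
        pkt("192.168.1.200", "tcp", 443),   # outside the masked range
        pkt("192.168.1.20", "udp", 53),
        pkt("192.168.1.20", "udp", 5353),
    ]
    return [evaluate(SAMPLE_ACL, p) for p in packets]
```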
The menu contains the following dialogs:
 ACL IPv4 Rule
 ACL MAC Rule
 ACL Assignment
 ACL Time Profile

Network Security > ACL > IPv4 Rule

4.9.1 ACL IPv4 Rule

In this dialog, you specify the rules that the device applies to the IP data packets.
An Access Control List (group) contains one or more rules. The device applies the rules of an Access
Control List successively, beginning with the rule with the lowest value in the Index column.
The device allows you to filter according to the following criteria:
 Source or destination IP address of a data packet
 Type of the transmitting protocol
 Source or destination port of a data packet
 Classification according to DSCP
 Classification according to ToS

 Table

Parameters Meaning
Group name Displays the name of the Access Control List. The Access Control List contains the rules.
Index Displays the number of the rule within the Access Control List.
If the Access Control List contains multiple rules, the device processes the rule with the lowest
value first.
Active Activates/deactivates the Access Control List or the rule within an Access Control List.
Possible values (for an Access Control List):
 marked (default setting)
The Access Control List is active. The device applies the associated active rules to the data
stream.
 unmarked
The Access Control List is inactive.
Possible values (for rules within an Access Control List):
 marked (default setting)
The rule is active. The device applies the rule to the data stream if the associated Access
Control List is also active.
 unmarked
The rule is inactive.
Match every packet Specifies to which IP data packets the device applies the rule.
Possible values:
 marked (default setting)
The device applies the rule to every IP data packet.
 unmarked
The device applies the rule to IP data packets depending on the value in the following fields:
– Source IP address , Destination IP address , Protocol
– DSCP , TOS priority , TOS mask
– ICMP type , ICMP code
– IGMP type
– Established
– Packet fragmented
– TCP flag

Source IP address Specifies the source address of the IP data packets to which the device applies the rule.
Possible values:
 ?.?.?.? (default setting)
The device applies the rule to IP data packets with any source address.
 Valid IPv4 address
The device applies the rule to IP data packets with the specified source address.
You use the ? character as a wild card.
Example 192.?.?.32: The device applies the rule to IP data packets whose source address
begins with 192. and ends with .32.
 Valid IPv4 address/bit mask
The device applies the rule to IP data packets with the specified source address. The inverse
bit mask allows you to specify the address range with bit-level accuracy.
Example 192.168.1.1/0.0.0.127: The device applies the rule to IP data packets with a
source address in the range from 192.168.1.0 to ….127.
Destination IP Specifies the destination address of the IP data packets to which the device applies the rule.
address
Possible values:
 ?.?.?.? (default setting)
The device applies the rule to IP data packets with any destination address.
 Valid IPv4 address
The device applies the rule to IP data packets with the specified destination address.
You use the ? character as a wild card.
Example 192.?.?.32: The device applies the rule to IP data packets whose source address
begins with 192. and ends with .32.
 Valid IPv4 address/bit mask
The device applies the rule to IP data packets with the specified destination address. The
inverse bit mask allows you to specify the address range with bit-level accuracy.
Example 192.168.1.1/0.0.0.127: The device applies the rule to IP data packets with a
destination address in the range from 192.168.1.0 to ….127.
Protocol Specifies the protocol type of the IP data packets to which the device applies the rule.
Possible values:
 any (default setting)
The device applies the rule to every IP data packet without considering the protocol type.
 icmp
 igmp
 ip-in-ip
 tcp
 udp
 ip
Source TCP/UDP Specifies the source port of the IP data packets to which the device applies the rule. The
port prerequisite is that you specify in the Protocol column the value TCP or UDP.
Possible values:
 any (default setting)
The device applies the rule to every IP data packet without considering the source port.
 1..65535
The device applies the rule solely to IP data packets containing the specified source port.
To specify a port range, you can use one of the following operators:
– <
Range below the specified port number
– >
Range above the specified port number
– !=
Entire port range except the specified port
These operators are allowed only in rules which the device applies to the received data
packets. See the Network Security > ACL > Assignment dialog: Direction column =
inbound.

Destination TCP/ Specifies the destination port of the IP data packets to which the device applies the rule. The
UDP port prerequisite is that you specify in the Protocol column the value TCP or UDP.
Possible values:
 any (default setting)
The device applies the rule to every IP data packet without considering the destination port.
 1..65535
The device applies the rule exclusively to IP data packets containing the specified destination
port.
To specify a port range, you can use one of the following operators:
– <
Range below the specified port number
– >
Range above the specified port number
– !=
Entire port range except the specified port
These operators are allowed only in rules which the device applies to the received data
packets. See the Network Security > ACL > Assignment dialog: Direction column =
inbound.
DSCP Specifies the Differentiated Service Code Point (DSCP value) in the header of the IP data packets
to which the device applies the rule.
Possible values:
 – (default setting)
The device applies the rule to every IP data packet without considering the DSCP value.
 0..63
The device applies the rule solely to IP data packets containing the specified DSCP value.
TOS priority Specifies the IP precedence (ToS value) in the header of the IP data packets to which the device
applies the rule.
Possible values:
 any (default setting)
The device applies the rule to every IP data packet without considering the ToS value.
 0..7
The device applies the rule solely to IP data packets containing the specified ToS value.
TOS mask Specifies the bit mask for the ToS value in the header of the IP data packets to which the device
applies the rule. The prerequisite is that you specify in the TOS priority column a ToS value.
Possible values:
 any (default setting)
The device applies the rule to IP data packets and considers the ToS value completely.
 1..1f
The device applies the rule to IP data packets and considers the bits of the ToS value specified
in the bit mask.
ICMP type Specifies the ICMP type in the TCP header of the IP data packets to which the device applies the
rule.
Possible values:
 -1 (default setting)
ICMP type matching is inactive.
 0..255
The device applies the rule to every IP data packet and considers the specified ICMP type.
ICMP code Specifies the ICMP code in the TCP header of the IP data packets to which the device applies the
rule. The prerequisite is that, in the ICMP type field, you specify an ICMP value.
Possible values:
 -1 (default setting)
ICMP code matching is inactive.
 0..255
The device applies the rule to every IP data packet and considers the specified ICMP code.

IGMP type Specifies the IGMP type in the TCP header of the IP data packets to which the device applies the
rule.
Possible values:
 0 (default setting)
IGMP type matching is inactive.
 1..255
The device applies the rule to every IP data packet and considers the specified IGMP type.
Established Activates/deactivates applying the ACL rule to TCP data packets which have either the RST bit
or the ACK bit set in the TCP header.
Possible values:
 marked
The device applies the rule to every IP data packet in which the RST bit or the ACK bit is set
in the TCP header.
 unmarked (default setting)
Matching is inactive.
Packet fragmented Activates/deactivates applying the ACL rule to fragmented packets.
Possible values:
 marked
The device applies the ACL rule to fragmented packets.
 unmarked (default setting)
Matching is inactive.
TCP flag Specifies the TCP flag and mask value.
The device allows you to enter multiple values, by separating the values with a comma.
Specify the flags as either + or -.
Possible values:
 - (default setting)
TCP flag matching is inactive.
 -
When you use this value in combination with the following flags, the device considers packets
in which the flag is not set.
 +
When you use this value in combination with the following flags, the device considers packets
in which the flag is set.
 fin
Indicates that the sending device has finished its transmission.
 syn
Indicates that the Synchronize sequence numbers are significant. Only the first packet sent
from each end device has this flag set.
 rst
Indicates a reset on the link.
 psh
Indicates the push function, in which a device asks to push the buffered data to the receiving
application.
 ack
Indicates that the Acknowledgment field is significant. Every packet, after the initial syn packet
sent by the client, has this flag set.
 urg
Indicates that the Urgent pointer field is significant.
Action Specifies how the device handles received IP data packets when it applies the rule.
Possible values:
 permit (default setting)
The device transmits the IP data packets.
 deny
The device drops the IP data packets.

Redirection port Specifies the port on which the device transmits the IP data packets. The prerequisite is that you
specify in the Action column the value permit.
Possible values:
 – (default setting)
The Redirection port function is disabled.
 <Port number>
The device transmits the IP data packets on the specified port.
The device does not provide the option of mirroring IP data packets across VLAN boundaries.
Mirror port Specifies the port on which the device transmits a copy of the IP data packets. The prerequisite is
that you specify in the Action column the value permit.
Possible values:
 – (default setting)
The Mirror port function is disabled.
 <Port number>
The device transmits a copy of the IP data packets on the specified port.
The device does not provide the option of mirroring IP data packets across VLAN boundaries.
Assigned queue ID Specifies the priority queue to which the device assigns the IP data packets.
Possible values:
 0..7 (default setting: 0)
Log Activates/deactivates the logging in the log file. See the Diagnostics > Report > System Log
dialog.
Possible values:
 marked
Logging is activated.
The prerequisite is that you assign the Access Control List in the Network Security > ACL >
Assignment dialog to a VLAN or port.
The device registers in the log file, in an interval of 30 s, how many times it applied the deny
rule to IP data packets.
 unmarked (default setting)
Logging is deactivated.
The device allows you to activate this function for up to 128 deny rules.
Time profile Specifies whether the device applies the rule permanently or time-controlled.
Possible values:
 <empty> (default setting)
The device applies the rule permanently.
 [Time Profile]
The device applies the rule solely at the times specified in the time profile. You edit the time
profile in the Network Security > ACL > Time Profile dialog.
Rate limit Specifies the limit for the data transfer rate for the port specified in the Redirection port column.
The limit applies to the sum of the data sent and received.
This function limits the data stream on the port or in the VLAN.
Possible values:
 0 (default setting)
No limitation of the data transfer rate.
 1..4294967295
When the data transfer rate on the port exceeds the value specified, the device discards
surplus IP data packets. The prerequisite is that you specify in the Burst size column a value
>0. You specify the measurement unit of the limit in the Unit column.
Unit Specifies the measurement unit for the data transfer rate specified in the Rate limit column.
Possible values:
 kbps (default setting)
kByte per second
 pps
Data packet per second

Burst size Specifies the limit in KByte for the data volume during temporary bursts.
Possible values:
 0 (default setting)
No limitation of the data volume.
 1..128
If during temporary bursts on the port the data volume exceeds the value specified, the device
discards surplus MAC data packets. The prerequisite is that you specify in the Rate limit
column a value >0.
Recommendation:
 If the bandwidth is known:
Burst size = bandwidth x allowed duration of a burst / 8.
 If the bandwidth is unknown:
Burst size = 10 x MTU (Maximum Transmission Unit) of the port.
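
The Established and TCP flag criteria described above both reduce to a mask-and-compare on the flags byte of the TCP header. The following is an added example, not code from the manual or from HiOS; the "+syn,-ack" spelling of the field value and the sample packets are assumptions constructed for illustration. Both checks look only at the header bits of the individual packet.

```python
# Bit positions of the flags in the TCP header flags byte.
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}


def parse_tcp_flag_field(text):
    """Turn a value such as '+syn,-ack' into (mask, value).

    mask  = flags the rule looks at
    value = state those flags must have ('+' set, '-' not set)
    The exact spelling of the field value is an assumption of this example.
    """
    text = text.strip()
    if text in ("", "-"):                 # default setting: matching inactive
        return 0, 0
    mask = value = 0
    for item in text.split(","):
        item = item.strip().lower()
        sign, name = item[:1], item[1:]
        if sign not in ("+", "-") or name not in TCP_FLAG_BITS:
            raise ValueError("unknown TCP flag entry: %r" % item)
        bit = TCP_FLAG_BITS[name]
        if mask & bit:
            raise ValueError("flag listed twice: %s" % name)
        mask |= bit
        if sign == "+":
            value |= bit
    return mask, value


def tcp_flag_rule_matches(text, flags):
    """True if the flags byte satisfies every '+' and '-' entry of the field."""
    mask, value = parse_tcp_flag_field(text)
    return (flags & mask) == value        # mask 0 (inactive) matches everything


def established_matches(flags):
    """'Established' as described: the RST bit or the ACK bit is set."""
    return bool(flags & (TCP_FLAG_BITS["rst"] | TCP_FLAG_BITS["ack"]))


# Constructed sample: flags bytes of the packets of one short TCP session.
SAMPLE_PACKETS = [
    ("client SYN", 0x02),
    ("server SYN+ACK", 0x12),
    ("client ACK", 0x10),
    ("data PSH+ACK", 0x18),
    ("FIN+ACK", 0x11),
    ("RST", 0x04),
]


def classify(packets, flag_field):
    """Return (name, TCP flag rule hit, Established hit) for each packet."""
    return [(name,
             tcp_flag_rule_matches(flag_field, flags),
             established_matches(flags))
            for name, flags in packets]


if __name__ == "__main__":
    for row in classify(SAMPLE_PACKETS, "+syn,-ack"):
        print("%-15s tcp-flag=%-5s established=%s" % row)
```

Only the opening SYN satisfies "+syn,-ack", and every later packet of the session satisfies Established, which is why the two criteria are typically used as a pair in inbound rules.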

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.
 In the Group name field, you specify the name of the Access Control List to which the rule
belongs.
 In the Index field, you specify the number of the rule within the Access Control List. If the
Access Control List contains multiple rules, the device processes the rule with the lowest value
first.
Displays a sub menu with the following items.

Network Security > ACL > MAC Rule

4.9.2 ACL MAC Rule

In this dialog, you specify the rules that the device applies to the MAC data packets.
An Access Control List (group) contains one or more rules. The device applies the rules of an Access
Control List successively, beginning with the rule with the lowest value in the Index column.
The device allows you to filter according to the following criteria:
 Source or destination MAC address of a data packet
 Type of the transmitting protocol
 Membership of a specific VLAN
 Service class of a data packet

 Table

Parameters Meaning
Group name Displays the name of the Access Control List. The Access Control List contains the rules.
Index Displays the number of the rule within the Access Control List.
If the Access Control List contains multiple rules, the device processes the rule with the lowest
value first.
Active Activates/deactivates the Access Control List or the rule within an Access Control List.
Possible values (for an Access Control List):
 marked (default setting)
The Access Control List is active. The device applies the associated active rules to the data
stream.
 unmarked
The Access Control List is inactive.
Possible values (for rules within an Access Control List):
 marked (default setting)
The rule is active. The device applies the rule to the data stream if the associated Access
Control List is also active.
 unmarked
The rule is inactive.
Match every packet Specifies to which MAC data packets the device applies the rule.
Possible values:
 marked (default setting)
The device applies the rule to every MAC data packet.
The device ignores the value in the fields Source MAC address, Destination MAC address,
Ethertype, Ethertype custom value, VLAN ID, and COS.
 unmarked
The device applies the rule to MAC data packets depending on the value in the fields Source
MAC address, Destination MAC address, Ethertype, Ethertype custom value, VLAN
ID, and COS.

Source MAC address Specifies the source address of the MAC data packets to which the device applies the rule.
Possible values:
 ??:??:??:??:??:?? (default setting)
The device applies the rule to MAC data packets with any source address.
 Valid MAC address
The device applies the rule to MAC data packets with the specified source address.
You use the ? character as a wild card.
Example 00:11:??:??:??:??: The device applies the rule to MAC data packets whose source
address begins with 00:11.
 Valid MAC address/bit mask
The device applies the rule to MAC data packets with the specified source address. The bit
mask allows you to specify the address range with bit-level accuracy.
Example 00:11:22:33:44:54/FF:FF:FF:FF:FF:FC: The device applies the rule to MAC data
packets with a source address in the range from 00:11:22:33:44:54 to …:57.
Destination MAC address Specifies the destination address of the MAC data packets to which the device applies the rule.
Possible values:
 ??:??:??:??:??:?? (default setting)
The device applies the rule to MAC data packets with any destination address.
 Valid MAC address
The device applies the rule to MAC data packets with the specified destination address.
You use the ? character as a wild card.
Example 00:11:??:??:??:??: The device applies the rule to MAC data packets whose
destination address begins with 00:11.
 Valid MAC address/bit mask
The device applies the rule to MAC data packets with the specified source address. The bit
mask allows you to specify the address range with bit-level accuracy.
Example 00:11:22:33:44:54/FF:FF:FF:FF:FF:FC: The device applies the rule to MAC data
packets with a destination address in the range from 00:11:22:33:44:54 to …:57.
Ethertype Specifies the Ethertype keyword of the MAC data packets to which the device applies the rule.
Possible values:
 custom (default setting)
The device applies the value specified in the Ethertype custom value column.
 appletalk
 arp
 ibmsna
 ipv4
 ipv6
 ipxold
 mplsmcast
 mplsucast
 netbios
 novell
 rarp
 pppoe
Ethertype custom value Specifies the Ethertype value of the MAC data packets to which the device applies the rule. The
prerequisite is that in the Ethertype column the value custom is specified.
Possible values:
 any (default setting)
The device applies the rule to every MAC data packet without considering the Ethertype value.
 600..ffff
The device applies the rule exclusively to MAC data packets containing the Ethertype value
specified here.
VLAN ID Specifies the VLAN ID of the MAC data packets to which the device applies the rule.
Possible values:
 0 (default setting)
The device applies the rule to every MAC data packet without considering the VLAN ID.
 1..4042

COS Specifies the Class of Service (COS) value of the MAC data packets to which the device applies
the rule.
Possible values:
 0..7
 any (default setting)
The device applies the rule to every MAC data packet without considering the Class of Service
value.

Note: For data packets without a VLAN tag, the device uses the port priority instead of the COS
value.
Action Specifies how the device handles received MAC data packets when it applies the rule.
Possible values:
 permit (default setting)
The device transmits the MAC data packets.
 deny
The device discards the MAC data packets.
Redirection port Specifies the port on which the device transmits the MAC data packets. The prerequisite is that in
the Action column the value permit is specified.
Possible values:
 – (default setting)
The Redirection port function is disabled.
 <Port number>
The device transmits the MAC data packets on the specified port.
The device does not provide the option of mirroring IP data packets across VLAN boundaries.
Mirror port Specifies the port on which the device transmits a copy of the MAC data packets. The prerequisite
is that in the Action column the value permit is specified.
Possible values:
 – (default setting)
The Mirror port function is disabled.
 <Port number>
The device transmits a copy of the MAC data packets on the specified port.
The device does not provide the option of mirroring IP data packets across VLAN boundaries.
Assigned queue ID Specifies the ID of the priority queue on which the device transmits the MAC data packets.
Possible values:
 0..7 (default setting: 0)
Log Activates/deactivates the logging in the log file. See the Diagnostics > Report > System Log
dialog.
Possible values:
 marked
Logging is activated.
The prerequisite is that you assign the Access Control List in the Network Security > ACL >
Assignment dialog to a VLAN or port.
The device registers in the log file, in an interval of 30 s, how many times it applied the deny
rule to MAC data packets.
 unmarked (default setting)
Logging is deactivated.
The device allows you to activate this function for up to 128 deny rules.
Time profile Specifies whether the device applies the rule permanently or time-controlled.
Possible values:
 <empty> (default setting)
The device applies the rule permanently.
 [Time Profile]
The device applies the rule solely at the times specified in the time profile. You edit the time
profile in the Network Security > ACL > Time Profile dialog.

Rate limit Specifies the limit for the data transfer rate for the port specified in the Redirection port column.
The limit applies to the sum of the data sent and received.
This function limits the data stream on the port or in the VLAN.
Possible values:
 0 (default setting)
No limitation of the data transfer rate.
 1..4294967295
When the data transfer rate on the port exceeds the value specified, the device discards
surplus MAC data packets. The prerequisite is that you specify in the Burst size column a
value >0. You specify the measurement unit of the limit in the Unit column.
Unit Specifies the unit of measurement for the data transfer rate specified in the Rate limit column.
Possible values:
 kbps (default setting)
kByte per second
 pps
Data packet per second
Burst size Specifies the limit in KByte for the data volume during temporary bursts.
Possible values:
 0 (default setting)
No limitation of the data volume.
 1..128
If during temporary bursts on the port the data volume exceeds the value specified, the device
discards surplus MAC data packets. The prerequisite is that you specify in the Rate limit
column a value >0.
Recommendation:
 If the bandwidth is known:
Burst size = bandwidth x allowed duration of a burst / 8.
 If the bandwidth is unknown:
Burst size = 10 x MTU (Maximum Transmission Unit) of the port.
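
The address examples in the IPv4 Rule and MAC Rule tables use masks of opposite polarity: the IPv4 inverse bit mask marks the bits the device ignores, while the MAC bit mask marks the bits the device compares. The following added example (not code from the manual or from HiOS) evaluates both notations and the ? wild card; treating each ? as one don't-care hexadecimal digit is an assumption, and the test addresses are constructed.

```python
import ipaddress


def _split_ipv4_rule(rule):
    base, inverse = (int(ipaddress.IPv4Address(p)) for p in rule.split("/"))
    return base, inverse


def ipv4_rule_matches(rule, address):
    """IPv4 rule 'address/inverse mask': a 1-bit in the mask is ignored."""
    base, inverse = _split_ipv4_rule(rule)
    care = ~inverse & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == (base & care)


def ipv4_rule_range(rule):
    """First and last matched address for a contiguous inverse mask."""
    base, inverse = _split_ipv4_rule(rule)
    if inverse & (inverse + 1):
        # e.g. 0.0.0.5 selects scattered addresses, not one range
        raise ValueError("inverse mask is not contiguous")
    first = base & ~inverse & 0xFFFFFFFF
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(first | inverse)))


def parse_mac_rule(rule):
    """Return (value, care) for 'MAC', 'MAC with ?' or 'MAC/bit mask'.

    Only the bits set in care take part in the comparison.
    """
    address, _, mask = rule.partition("/")
    digits = address.replace(":", "")
    if len(digits) != 12:
        raise ValueError("expected six octets: " + rule)
    value = care = 0
    for digit in digits:
        value, care = value << 4, care << 4
        if digit != "?":              # '?' leaves these four bits don't-care
            value |= int(digit, 16)
            care |= 0xF
    if mask:                          # bit mask: a 1-bit is compared
        care &= int(mask.replace(":", ""), 16)
    return value & care, care


def mac_rule_matches(rule, mac):
    value, care = parse_mac_rule(rule)
    return (int(mac.replace(":", ""), 16) & care) == value


def mac_rule_size(rule):
    """Number of MAC addresses the rule covers."""
    _, care = parse_mac_rule(rule)
    return 1 << (48 - bin(care).count("1"))


if __name__ == "__main__":
    ip_rule = "192.168.1.1/0.0.0.127"
    mac_rule = "00:11:22:33:44:54/FF:FF:FF:FF:FF:FC"
    print(ip_rule, "covers", ipv4_rule_range(ip_rule))
    print(mac_rule, "covers", mac_rule_size(mac_rule), "addresses")
    # Constructed test addresses just inside and just outside the MAC rule.
    for mac in ("00:11:22:33:44:53", "00:11:22:33:44:57", "00:11:22:33:44:58"):
        print(" ", mac, mac_rule_matches(mac_rule, mac))
```

Entering a mask with the wrong polarity produces a rule that is accepted but covers a very different address set, so checking the covered range before assigning the list is worthwhile.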

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.
 In the Group name field, you specify the name of the Access Control List to which the rule
belongs.
 In the Index field, you specify the number of the rule within the Access Control List. If the
Access Control List contains multiple rules, the device processes the rule with the lowest value
first.
Displays a sub menu with the following items.

Network Security > ACL > Assignment

4.9.3 ACL Assignment

This dialog allows you to assign one or more Access Control Lists to the ports and VLANs of the device.
By assigning a priority you specify the processing sequence, provided you assign one or more Access
Control Lists to a port or VLAN.
The device applies rules successively, namely in the sequence specified by the rule index. You specify
the priority of a group in the Priority column. The lower the number, the higher the priority. In this
process, the device applies the rules with a high priority before the rules with a low priority.
The assignment of Access Control Lists to ports and VLANs results in the following different types of
ACL:
 Port-based IPv4-ACLs
 Port-based MAC ACLs
 VLAN-based IPv4 ACLs
 VLAN-based MAC ACLs
The device allows you to apply the Access Control Lists to data packets received (inbound) or sent
(outbound).

Note: Before you enable the function, verify that at least one active entry in the table allows you access.
Otherwise, the connection to the device terminates when you change the settings. Access to the
management functions is then possible solely using the CLI through the V.24 interface of the device.

 Table

Parameters Meaning
Group name Displays the name of the Access Control List. The Access Control List contains the rules.
Type Displays whether the Access Control List contains MAC rules or IPv4 rules.
Possible values:
 mac
The Access Control List contains MAC rules.
 ip
The Access Control List contains IPv4 rules.
You edit Access Control Lists with IPv4 rules in the Network Security > ACL > IPv4 Rule
dialog. You edit Access Control Lists with MAC rules in the Network Security > ACL > IPv4
Rule dialog.
Port Displays the port to which the Access Control List is assigned. The field remains empty if the
Access Control List is assigned to a VLAN.
VLAN ID Displays the VLAN to which the Access Control List is assigned. The field remains empty if the
Access Control List is assigned to a port.
Direction Displays whether the device applies the Access Control List to data packets received or sent.
Possible values:
 inbound
The device applies the Access Control List to data packets received on the port or in the VLAN.
 outbound
The device applies the Access Control List to data packets sent on the port or in the VLAN.

Priority Displays the priority of the Access Control List.
Using the priority, you specify the sequence in which the device applies the Access Control Lists
to the data stream. The device applies the rules in ascending order starting with priority 1.
Possible values:
 1..4294967295
If an Access Control List is assigned to a port and to a VLAN with the same priority, the device
applies the rules first to the port.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create dialog to assign a rule to a port or a VLAN.
 In the Port/VLAN field, you specify the port or the VLAN ID.
 In the Priority field, you specify the source MAC address of the ARP rule.
 In the Direction field, you specify the data packets to which the device applies the rule.
 In the Group name field, you specify which rule the device assigns to the port or VLAN.
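
The processing order described in this section (priority of the assignment, port before VLAN at equal priority, then rule index) and the note about keeping management access can be checked offline before a change is applied. The following is an added example, not code from the manual or from HiOS. Assumptions: the implied deny-all is modelled once after all lists assigned to the port or VLAN, inactive lists are skipped, and traffic without an assigned list is not filtered; the list names, port 1/1 and the addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _ip(text):
    return int(ipaddress.IPv4Address(text))


@dataclass
class Rule:
    index: int
    action: str                   # "permit" or "deny"
    src: str = "any"              # "any" or "address/inverse mask"
    protocol: str = "any"
    dst_port: object = "any"      # "any" or 1..65535
    active: bool = True

    def matches(self, pkt):
        if self.src != "any":
            base, inverse = (_ip(part) for part in self.src.split("/"))
            care = ~inverse & 0xFFFFFFFF      # inverse mask: 1-bits are ignored
            if (_ip(pkt["src"]) & care) != (base & care):
                return False
        if self.protocol not in ("any", pkt["protocol"]):
            return False
        return self.dst_port in ("any", pkt.get("dst_port"))


@dataclass
class Acl:
    name: str
    rules: list
    active: bool = True


@dataclass
class Assignment:
    group: str
    priority: int
    port: Optional[str] = None    # set for a port-based assignment
    vlan: Optional[int] = None    # set for a VLAN-based assignment
    direction: str = "inbound"


def evaluate(pkt, port, vlan, acls, assignments, direction="inbound"):
    """Return (action, list name, rule index) for one packet."""
    hits = [a for a in assignments
            if a.direction == direction and acls[a.group].active
            and ((a.port is not None and a.port == port)
                 or (a.vlan is not None and a.vlan == vlan))]
    if not hits:
        return ("permit", None, None)         # assumption: nothing assigned
    # Lower priority number first; at equal priority the port entry wins.
    hits.sort(key=lambda a: (a.priority, a.port is None))
    for a in hits:
        for rule in sorted(acls[a.group].rules, key=lambda r: r.index):
            if rule.active and rule.matches(pkt):
                return (rule.action, a.group, rule.index)
    return ("deny", None, None)               # implied deny-all


def denied_management_flows(flows, acls, assignments):
    """Names of the management flows the planned assignment would cut off."""
    return [f["name"] for f in flows
            if evaluate(f["pkt"], f["port"], f["vlan"],
                        acls, assignments)[0] != "permit"]


# Constructed sample configuration.
ADMIN_NET = "192.168.1.1/0.0.0.127"
ACLS = {
    "mgmt": Acl("mgmt", [Rule(1, "permit", ADMIN_NET, "tcp", 443),
                         Rule(2, "permit", ADMIN_NET, "tcp", 22)]),
    "block-web": Acl("block-web", [Rule(1, "deny", "any", "tcp", 443),
                                   Rule(2, "permit")]),
}
ASSIGNMENTS = [Assignment("block-web", priority=10, vlan=1),
               Assignment("mgmt", priority=10, port="1/1")]
HTTPS_ADMIN = {"src": "192.168.1.10", "protocol": "tcp", "dst_port": 443}
FLOWS = [{"name": "https-admin", "pkt": HTTPS_ADMIN, "port": "1/1", "vlan": 1}]

if __name__ == "__main__":
    print(evaluate(HTTPS_ADMIN, "1/1", 1, ACLS, ASSIGNMENTS))
    print("would be cut off:", denied_management_flows(FLOWS, ACLS, ASSIGNMENTS))
```

Giving the VLAN-based list a lower priority number than the port-based one reverses the outcome for the administration flow, which is the situation the note above asks you to rule out before enabling the function.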

Network Security > ACL > Time Profile

4.9.4 ACL Time Profile

This dialog allows you to edit time profiles. If you assign a time profile to a MAC or IPv4 rule, the device
applies the rule at the times specified in the time profile. If no time profile is assigned, the device applies
the rule permanently.
The device allows you to create up to 100 time profiles with up to 10 time periods.
The device applies the MAC and IPv4 rules during the time specified within the time period.
 If you specify time periods using the Absolute option, the device applies the rule one time.
 If you specify time periods using the Periodic option, the device applies the rule recurrently.
The implied Deny-All rule of the ACLs is always valid independently of the time control.

 Table

Parameters Meaning
Profile name Displays the name of the time profile. The time profile contains the time periods.
Index Displays the number of the time period within the time profile. The device automatically assigns
this number.
Absolute
Start date Specifies the date at which the device starts to apply the one-time rule.
Possible values:
 YYYY-MM-DD or DD.MM.YY
(depending on the language preferences of your web browser)
Start time Specifies the time at which the device starts to apply the one-time rule.
Possible values:
 hh:mm
Hour:Minute
End date Specifies the date at which the device terminates the one-time rule.
Possible values:
 YYYY-MM-DD or DD.MM.YY
(depending on the language preferences of your web browser)
End time Specifies the time at which the device terminates the one-time rule.
Possible values:
 hh:mm
Hour:Minute
Periodic
Starting days Specifies the days of the week on which the device periodically starts to apply the rule.
Possible values:
 Sun
 Mon
 Tue
 Wed
 Thu
 Fri
 Sat
Start time Specifies the time at which the device periodically starts to apply the rule.
Possible values:
 hh:mm
Hour:Minute

Ending days Specifies the days of the week on which the device periodically terminates the rule.
Possible values:
 Sun
 Mon
 Tue
 Wed
 Thu
 Fri
 Sat
End time Specifies the time at which the device periodically terminates the rule.
Possible values:
 hh:mm
Hour:Minute

Note: When you reconfigure a time period, specify first the end time and then the start time. Otherwise,
the dialog displays an error message.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create dialog to create a new time period.
 In the Profile name field, you specify the name of the time profile to which the time period
belongs.
 In the Type field, you specify the type of time period.
– With the Periodic radio button, you specify a time period at which the device activates the
recurring rule.
– With the Absolute radio button, you specify a time period at which the device activates the
rule one time. Within every time profile, exactly one such time period is allowed.
 In the Start frame, you specify the time at which the device starts to apply the rule.
 In the End frame, you specify the time at which the device stops applying the rule.

5 Switching

The menu contains the following dialogs:


 Switching Global
 Rate Limiter
 Filter for MAC Addresses
 IGMP Snooping
 MRP-IEEE
 GARP
 QoS/Priority
 VLAN
 L2-Redundancy

Switching > Global

5.1 Switching Global

This dialog allows you to specify the following settings:


 Change the Aging time of the address table
 Enable the flow control in the device
 Enable the VLAN Unaware Mode

If a large number of data packets are received in the priority queue of a port at the same time, this can
cause the port memory to overflow. This happens, for example, when the device receives data on a
Gigabit port and forwards it to a port with a lower bandwidth. The device discards surplus data packets.
The flow control mechanism described in standard IEEE 802.3 ensures that no data packets are lost
due to a port memory overflowing. Shortly before a port memory is completely full, the device signals to
the connected devices that it is not accepting any more data packets from them.
 In full-duplex mode, the device sends a pause data packet.
 In half-duplex mode, the device simulates a collision.
Then the connected devices do not send any more data packets for as long as the signaling takes. On
uplink ports, this can possibly cause undesired sending breaks in the higher-level network segment
(“wandering backpressure”).

According to standard IEEE 802.1Q, the device forwards data packets with a VLAN tag in a VLAN ≥1.
However, a small number of applications on connected end devices send or receive data packets with
a VLAN ID=0. When the device receives one of these data packets, before forwarding it the device
overwrites the original value in the data packet with the VLAN ID of the receiving port. When you activate
the VLAN Unaware Mode, this deactivates the VLAN settings in the device. The device then
transparently forwards the data packets and evaluates the priority information contained in the data
packet exclusively.

 Configuration

Parameters Meaning
MAC address Displays the MAC address of the device.
Aging time [s] Specifies the aging time in seconds.
Possible values:
 10..500000 (default setting: 30)
The device monitors the age of the learned unicast MAC addresses. The device deletes address
entries that exceed a particular age (aging time) from its address table.
You find the address table in the Switching > Filter for MAC Addresses dialog.
Flow control Activates/deactivates the flow control in the device.
Possible values:
 marked
The flow control is active in the device.
Additionally activate the flow control on the required ports. See the Basic Settings > Port
dialog, Configuration tab, checkbox in the Flow control column.
 unmarked (default setting)
The flow control is inactive in the device.
When you are using a redundancy function, you deactivate the flow control on the participating
ports. If the flow control and the redundancy function are active at the same time, there is a risk
that the redundancy function operates sporadically.

VLAN unaware mode Activates/deactivates the VLAN unaware mode.
Possible values:
 marked
The VLAN unaware mode is active.
The device works in the VLAN Unaware bridging mode (802.1Q):
– The device ignores the VLAN settings in the device and the VLAN tags in the data packets.
The device transmits the data packets based on their destination MAC address or
destination IP address in VLAN 1.
– The device ignores the VLAN settings specified in the Switching > VLAN > Configuration
and Switching > VLAN > Port dialogs. Every port is assigned to VLAN 1.
– The device evaluates the priority information contained in the data packet.

Note: You specify the VLAN ID 1 for every function on the device which uses VLAN settings.
Among other things, this applies to static filters, MRP and IGMP Snooping.
 unmarked (default setting)
The VLAN unaware mode is inactive.
The device works in the VLAN Aware bridging mode (802.1Q):
– The device evaluates the VLAN tags in the data packets.
– The device transmits the data packets based on their destination MAC address or
destination IP address in the corresponding VLAN.
– The device evaluates the priority information contained in the data packet.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Switching > Rate Limiter

5.2 Rate Limiter

The device allows you to limit the traffic on the ports in order to help provide reliable operation even with
a large traffic volume. If the traffic on a port exceeds the traffic value entered, the device discards the
excess traffic on this port.
The rate limiter function operates exclusively on Layer 2, and is used to limit the effects of storms of data
packets that flood the device (typically Broadcasts).
The rate limiter function ignores protocol information on higher levels, such as IP or TCP.

In this dialog, you enable the Rate Limiter function. The threshold value specifies the maximum
amount of traffic the port receives. If the traffic on this port exceeds the threshold value, the device
discards the excess traffic on this port.

Parameters Meaning
Port Displays the port number.
Threshold unit Specifies the unit for the threshold value:
Possible values:
 percent (default setting)
Specifies the threshold value as a percentage of the data rate of the port.
 pps
Specifies the threshold value in data packets per second.
Broadcast mode Activates/deactivates the rate limiter function for received broadcast data packets.
Possible values:
 marked
 unmarked (default setting)
If the threshold value is exceeded, the device discards the excess broadcast data packets on this
port.
Broadcast threshold Specifies the threshold value for received broadcasts on this port.
Possible values:
 0..14880000 (default setting: 0)
The value 0 deactivates the rate limiter function on this port.
 Enter a percentage from 0 through 100 if you select in the Threshold unit column the
value percent.
 Enter an absolute value for the data rate if you select in the Threshold unit column the
value pps.
Multicast mode Activates/deactivates the rate limiter function for received multicast data packets.
Possible values:
 marked
 unmarked (default setting)
If the threshold value is exceeded, the device discards the excess multicast data packets on this
port.
Multicast threshold Specifies the threshold value for received multicasts on this port.
Possible values:
 0..14880000 (default setting: 0)
The value 0 deactivates the rate limiter function on this port.
 Enter a percentage from 0 through 100 if you select in the Threshold unit column the
value percent.
 Enter an absolute value for the data rate if you select in the Threshold unit column the
value pps.

Unknown unicast mode Activates/deactivates the rate limiter function for received unicast data packets with an unknown
destination address.
Possible values:
 marked
 unmarked (default setting)
If the threshold value is exceeded, the device discards the excess unicast data packets on this
port.
Unicast threshold Specifies the threshold value for received unicasts with an unknown destination address on this
port.
Possible values:
 0..14880000 (default setting: 0)
The value 0 deactivates the rate limiter function on this port.
 Enter a percentage from 0 through 100 if you select in the Threshold unit column the
value percent .
 Enter an absolute value for the data rate if you select in the Threshold unit column the
value pps .

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
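
The following check is an added example, not part of the manual or of the device software. It audits rate limiter rows for the case the table describes where a mode is marked but the threshold 0 leaves the limiter inactive, and for thresholds outside the range of the selected unit. The row structure, field names and sample rows are constructed for the example.

```python
from dataclasses import dataclass

MAX_PPS = 14_880_000  # upper end of the threshold range listed in the table
CLASSES = ("broadcast", "multicast", "unknown unicast")


@dataclass
class LimiterRow:
    """One port row of the Rate Limiter table (field names are this example's own)."""
    port: str
    unit: str          # "percent" or "pps" (Threshold unit column)
    modes: dict        # traffic class -> True if the mode checkbox is marked
    thresholds: dict   # traffic class -> threshold value


def effective_state(unit, marked, threshold):
    """Return 'invalid', 'off' or 'limit <n> <unit>' for one traffic class."""
    if unit not in ("percent", "pps"):
        return "invalid"
    upper = 100 if unit == "percent" else MAX_PPS
    if not 0 <= threshold <= upper:
        return "invalid"
    # The value 0 deactivates the limiter even when the mode is marked.
    if not marked or threshold == 0:
        return "off"
    return f"limit {threshold} {unit}"


def audit(rows):
    """Return (port, traffic class, finding) tuples for rows that give no protection."""
    findings = []
    for row in rows:
        for cls in CLASSES:
            marked = row.modes.get(cls, False)
            threshold = row.thresholds.get(cls, 0)
            state = effective_state(row.unit, marked, threshold)
            if state == "invalid":
                findings.append((row.port, cls, "threshold outside the range for the unit"))
            elif marked and threshold == 0:
                findings.append((row.port, cls, "mode marked, threshold 0: limiter inactive"))
            elif state == "off":
                findings.append((row.port, cls, "limiter not activated"))
    return findings


# Constructed sample rows (not taken from a real device).
ROWS = [
    LimiterRow("1/1", "percent",
               {"broadcast": True, "multicast": True, "unknown unicast": True},
               {"broadcast": 5, "multicast": 10, "unknown unicast": 5}),
    LimiterRow("1/2", "percent", {"broadcast": True}, {"broadcast": 0}),
    # A pps-sized value entered while the unit is still "percent".
    LimiterRow("1/3", "percent", {"broadcast": True}, {"broadcast": 2000}),
]

if __name__ == "__main__":
    for finding in audit(ROWS):
        print(*finding, sep=" | ")
```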

5.3 Filter for MAC Addresses

This dialog allows you to display and edit address filters for the address table. Address filters specify the
way the data packets are forwarded in the device based on the destination MAC address.
Each row in the table represents one filter. The device automatically sets up the filters. The device
allows you to set up additional filters manually.
The device transmits the data packets as follows:
 If the table contains an entry for the destination address of a data packet, the device transmits the
data packet from the receiving port to the port specified in the table entry.
 If there is no table entry for the destination address, the device transmits the data packet from the
receiving port to every other port.

 Table

Parameters Meaning
Address Displays the destination MAC address to which the table entry applies.
VLAN ID Displays the ID of the VLAN to which the table entry applies.
The device learns the MAC addresses for every VLAN separately (independent VLAN learning).
Status Displays how the device has set up the address filter.
Possible values:
 learned
Address filter set up automatically by the device based on received data packets.
 permanent
Address filter set up manually. The address filter stays set up permanently.
 IGMP
Address filter automatically set up by IGMP Snooping.
 mgmt
MAC address of the device. The address filter is protected against changes.
 invalid
Deletes a manually set up address filter.
 MRP-MMRP
Multicast address filter automatically set up by MMRP.
<Port number> Displays how the corresponding port transmits data packets which it directs to the adjacent
destination address.
Possible values:
 –
The port does not transmit any data packets to the destination address.
 learned
The port transmits data packets to the destination address. The device created the filter
automatically based on received data packets.
 IGMP learned
The port transmits data packets to the destination address. The device created the filter
automatically based on IGMP.
 unicast static
The port transmits data packets to the destination address. A user created the filter.
 multicast static
The port transmits data packets to the destination address. A user created the filter.

To delete the learned MAC addresses from the address table, click in the Basic Settings > Restart
dialog the Reset MAC address table button.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.
 In the Address field, you specify the destination MAC address.
 In the VLAN ID field, you specify the ID of the VLAN.
 In the Port field, you specify the port.
– Select one port if the destination MAC address is a unicast address.
– Select one or more ports if the destination MAC address is a multicast address.
– Select no port to create a discard filter. The device discards data packets with the
destination MAC address specified in the table entry.
Displays a sub menu with the following items.

Reset MAC address table Removes the MAC addresses from the forwarding table that have the value learned in the Status column.
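
The forwarding rule and the port choices of the Create window described in this section can be followed in a small model. This is an added example, not code from the manual or the device. The class and method names are hypothetical, the model ignores VLAN port membership, and it assumes that learning never overwrites a permanent filter and that a packet is never sent back out of the receiving port.

```python
def is_multicast(mac):
    """A MAC address is a group address if the lowest bit of its first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class AddressTable:
    """Address filters keyed by (VLAN ID, destination MAC), as in the dialog table."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.filters = {}  # (vlan_id, mac) -> (status, frozenset of ports)

    def create(self, mac, vlan_id, ports=()):
        """Manual filter: one port for unicast, one or more for multicast, none = discard."""
        ports = frozenset(ports)
        if not ports <= self.ports:
            raise ValueError("unknown port")
        if not is_multicast(mac) and len(ports) > 1:
            raise ValueError("a unicast address takes exactly one port")
        self.filters[(vlan_id, mac.lower())] = ("permanent", ports)

    def learn(self, src_mac, vlan_id, port):
        """Automatic filter from the source address of a received packet."""
        key = (vlan_id, src_mac.lower())
        if is_multicast(src_mac):
            return  # source addresses are unicast addresses
        # Assumption of this model: a permanent filter is not overwritten.
        if self.filters.get(key, ("", None))[0] != "permanent":
            self.filters[key] = ("learned", frozenset([port]))

    def egress(self, dst_mac, vlan_id, in_port):
        """Ports the packet leaves on; an empty set means the packet is discarded."""
        entry = self.filters.get((vlan_id, dst_mac.lower()))
        if entry is None:
            # No table entry: transmit to every other port.
            return self.ports - {in_port}
        return set(entry[1]) - {in_port}

    def reset_learned(self):
        """Reset MAC address table: remove entries with the status learned."""
        self.filters = {k: v for k, v in self.filters.items() if v[0] != "learned"}


def demo():
    """Constructed scenario on a four-port device."""
    table = AddressTable(["1/1", "1/2", "1/3", "1/4"])
    host = "00:11:22:33:44:55"          # constructed addresses
    blocked = "00:aa:bb:cc:dd:ee"
    results = {"before learning": table.egress(host, 1, "1/1")}
    table.learn(host, 1, "1/2")
    results["after learning"] = table.egress(host, 1, "1/1")
    # Independent VLAN learning: the entry for VLAN 1 does not apply to VLAN 2.
    results["other VLAN"] = table.egress(host, 2, "1/1")
    table.create(blocked, 1)            # no port selected: discard filter
    results["discard filter"] = table.egress(blocked, 1, "1/1")
    table.reset_learned()
    results["after reset"] = table.egress(host, 1, "1/1")
    results["discard after reset"] = table.egress(blocked, 1, "1/1")
    return results


if __name__ == "__main__":
    for step, ports in demo().items():
        print(f"{step}: {sorted(ports)}")
```

The run shows that a destination without a table entry reaches every other port, and that resetting the learned entries restores this behaviour until the device relearns the address, while the discard filter stays in place.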

5.4 IGMP Snooping

The Internet Group Management Protocol (IGMP) is a protocol for dynamically managing Multicast
groups. The protocol describes the distribution of Multicast data packets between routers and end
devices on Layer 3.
The device allows you to use the IGMP Snooping function to also use the IGMP mechanisms on
Layer 2:
 Without IGMP Snooping, the device transmits the Multicast data packets to every port.
 With the activated IGMP Snooping function, the device transmits the Multicast data packets
exclusively on ports to which Multicast receivers are connected. This reduces the network load. The
device evaluates the IGMP data packets transmitted on Layer 3 and uses the information on Layer 2.
 Do not activate the IGMP Snooping function until the following conditions are fulfilled:
– There is a Multicast router in the network that creates IGMP queries (periodic queries).
– The devices participating in IGMP Snooping forward the IGMP queries.
The device links the IGMP reports with the entries in its address table. If a multicast receiver joins a
multicast group, the device creates a table entry for this port in the Switching > Filter for MAC
Addresses dialog. If the multicast receiver leaves the multicast group, the device removes the table
entry.
The menu contains the following dialogs:
 IGMP Snooping Global
 IGMP Snooping Configuration
 IGMP Snooping Enhancements
 IGMP Snooping Querier
 IGMP Snooping Multicasts

5.4.1 IGMP Snooping Global

This dialog allows you to enable the IGMP Snooping protocol in the device and also configure it for each
port and each VLAN.

 Operation

Parameters Meaning
Operation Enables/disables the IGMP Snooping function in the device.
Possible values:
 On
The IGMP Snooping function is enabled in the device according to RFC 4541 (Considerations
for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD)
Snooping Switches).
 Off (default setting)
The IGMP Snooping function is disabled in the device.
The device transmits received query, report, and leave data packets without evaluating them.
Received data packets with a Multicast destination address are transmitted to every port by
the device.

 Information

Parameters Meaning
Multicast control packets processed Displays the number of Multicast control data packets processed.
This statistic encompasses the following packet types:
– IGMP Reports
– IGMP Queries version V1
– IGMP Queries version V2
– IGMP Queries version V3
– IGMP Queries with an incorrect version
– PIM or DVMRP packets
The device uses the Multicast control data packets to create the address table for transmitting the
Multicast data packets.
Possible values:
 0..231-1
You use the Reset IGMP snooping data button in the Basic Settings > Restart dialog or
the clear igmp-snooping CLI command to reset the IGMP Snooping entries, including the
counter for the processed multicast control data packets.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset IGMP snooping counters Removes the IGMP Snooping entries and resets the counter in the Information frame to 0.

5.4.2 IGMP Snooping Configuration

This dialog allows you to enable the IGMP Snooping function in the device and also configure it for each
port and each VLAN.

The dialog contains the following tabs:


 [VLAN ID ]
 [Port ]

[VLAN ID ]
In this tab, you configure the IGMP Snooping function for every VLAN.

 Table

Parameters Meaning
VLAN ID Displays the ID of the VLAN to which the table entry applies.
Active Activates/deactivates the IGMP Snooping function for this VLAN.
The prerequisite is that the IGMP Snooping function is globally enabled.
Possible values:
 marked
IGMP Snooping is activated for this VLAN. The VLAN has joined the Multicast data stream.
 unmarked (default setting)
IGMP Snooping is deactivated for this VLAN. The VLAN has left the Multicast data stream.
Group membership interval Specifies the time in seconds for which a VLAN from a dynamic Multicast group remains entered in the address table when the device does not receive any more report data packets from the VLAN.
Specify a value larger than the value in the Max. response time column.
Possible values:
 2..3600 (default setting: 260)
Max. response time Specifies the time in seconds in which the members of a multicast group should respond to a
query data packet. For their response, the members specify a random time within the response
time. You thus help prevent the multicast group members from responding to the query at the
same time.
Specify a value smaller than the value in the Group membership interval column.
Possible values:
 1..25 (default setting: 10)
Fast leave admin mode Activates/deactivates the Fast Leave function for this VLAN.
Possible values:
 marked
If the device receives an IGMP Leave message from a multicast group, when the Fast Leave
function is active it removes the entry immediately from its address table.
 unmarked (default setting)
When the Fast Leave function is inactive, the device first sends MAC-based queries to the
members of the multicast group, and removes an entry when a VLAN does not send any more
report messages.
MRP expiration time Multicast Router Present Expiration Time. Specifies the time in seconds for which the device waits for a query on this port that belongs to a VLAN. If the port does not receive a query data packet, the device removes the port from the list of ports with connected multicast routers.
You have the option of configuring this parameter solely if the port belongs to an existing VLAN.
Possible values:
 0
unlimited timeout - no expiration time
 1..3600 (default setting: 260)

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[Port ]
In this tab, you configure the IGMP Snooping function for every port.

 Table

Parameters Meaning
Port Displays the port number.
Active Activates/deactivates the IGMP Snooping function for this port.
The prerequisite is that the IGMP Snooping function is globally enabled.
Possible values:
 marked
IGMP Snooping is active on this port. The device includes the port in the multicast data stream.
 unmarked (default setting)
IGMP Snooping is inactive on this port. The port left the multicast data stream.
Group membership interval Specifies the time in seconds for which a port, from a dynamic multicast group, remains entered in the address table when the device does not receive any more report data packets from the port.
Possible values:
 2..3600 (default setting: 260)
Specify the value larger than the value in the Max. response time column.
Max. response time Specifies the time in seconds in which the members of a multicast group should respond to a
query data packet. For their response, the members specify a random time within the response
time. You thus help prevent the multicast group members from responding to the query at the
same time.
Possible values:
 1..25 (default setting: 10)
Specify a value lower than the value in the Group membership interval column.
MRP expiration time Specifies the Multicast Router Present Expiration Time. The MRP expiration time is the time in seconds for which the device waits for a query packet on this port. If the port does not receive a query data packet, the device removes the port from the list of ports with connected multicast routers.
Possible values:
 0
unlimited timeout - no expiration time
 1..3600 (default setting: 260)
Fast leave admin mode Activates/deactivates the Fast Leave function for this port.
Possible values:
 marked
If the device receives an IGMP Leave message from a multicast group, when the Fast Leave
function is active it removes the entry immediately from its address table.
 unmarked (default setting)
When the Fast Leave function is inactive, the device first sends MAC-based queries to the
members of the multicast group, and removes an entry when a port does not send any more
report messages.
Static query port Activates/deactivates the Static query port mode.
Possible values:
 marked
The Static query port mode is active.
The port is a static query port in the VLANs that are set up.
 unmarked (default setting)
The Static query port mode is inactive.
The port is not a static query port. The device transmits IGMP report messages to the port
solely if it receives IGMP queries.
VLAN IDs Displays the ID of the VLANs to which the table entry applies.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

5.4.3 IGMP Snooping Enhancements

This dialog allows you to select a port for a VLAN ID and to configure the port.

 Table

Parameters Meaning
VLAN ID Displays the ID of the VLAN to which the table entry applies.
<Port number> Displays for every VLAN set up in the device whether the relevant port is a query port. Additionally,
the field displays whether the device transmits every Multicast stream in the VLAN to this port.
Possible values:
 –
The port is not a query port in this VLAN.
 L = Learned
The device detected the port as a query port because the port received IGMP queries in this
VLAN. The port is not a statically configured query port.
 A = Automatic
The device detected the port as a query port. The prerequisite is that you configure the port as
Learn by LLDP .
 S = Static (manual setting)
A user specified the port as a static query port. The device transmits IGMP reports solely to
ports on which it previously received IGMP queries – and to statically configured query ports.
To assign this value, proceed as follows:
 Open the Wizard window.
 On the Configuration page, mark the Static checkbox.
 P = Learn by LLDP (manual setting)
A user specified the port as Learn by LLDP .
With the Link Layer Discovery Protocol (LLDP), the device detects Hirschmann devices
connected directly to the port. The device denotes the detected query ports with A.
To assign this value, proceed as follows:
 Open the Wizard window.
 On the Configuration page, mark the Learn by LLDP checkbox.
 F = Forward All (manual setting)
A user specified the port so that the device transmits every received Multicast stream in the
VLAN to this port. Use this setting for diagnostics purposes, for example.
To assign this value, proceed as follows:
 Open the Wizard window.
 On the Configuration page, mark the Forward all checkbox.

Parameters Meaning
Display categories Enhances the clarity of the display. The table emphasizes the cells which contain the specified
value. This helps to analyze and sort the table according to your needs.
 Learned (L)
The table displays cells which contain the value L and possibly further values. The table displays
cells which contain exclusively values other than L with the “-” symbol.
 Static (S)
The table displays cells which contain the value S and possibly further values. The table displays
cells which contain exclusively values other than S with the “-” symbol.
 Automatic (A)
The table displays cells which contain the value A and possibly further values. The table displays
cells which contain exclusively values other than A with the “-” symbol.
 Learn by LLDP
The table displays cells which contain the value P and possibly further values. The table displays
cells which contain exclusively values other than P with the “-” symbol.
 Forward all (F)
The table displays cells which contain the value F and possibly further values. The table displays
cells which contain exclusively values other than F with the “-” symbol.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Wizard window that helps you to select and configure the ports.

[Wizard : Selection VLAN/Port ]

After closing the Wizard window, click the button to save your settings.

 Selection VLAN/Port

On this page you assign a VLAN ID to a port.

Parameters Meaning
VLAN ID Select the ID of the VLAN.
Possible values:
 1..4042
Port Select the port.
Possible values:
 <Port number>

 Configuration

On this page you specify the settings for the port.

Parameters Meaning
VLAN ID Displays the ID of the selected VLAN.
Port Displays the number of the selected port.
Static Specifies the port as a static query port in the VLANs that are set up. The device transmits IGMP
report messages to the ports at which it receives IGMP queries. Allows you to also transmit IGMP
report messages to other selected ports (enable) or connected Hirschmann devices (Automatic).
Learn by LLDP Specifies the port as Learn by LLDP . Allows directly connected Hirschmann devices to be
detected via LLDP and learned as query ports.
Forward all Specifies the port as Forward all . With the Forward all setting, the device transmits at this
port every data packet with a Multicast address in the destination address field.

5.4.4 IGMP Snooping Querier

The device allows you to send a Multicast stream solely to those ports to which a Multicast receiver is
connected.
To determine which ports Multicast receivers are connected to, the device sends query data packets to
the ports at a definable interval. If a Multicast receiver is connected, it joins the Multicast stream by
responding to the device with a report data packet.
This dialog allows you to configure the Snooping Querier settings globally and for the VLANs that are
set up.

 Operation

Parameters Meaning
Operation Enables/disables the IGMP Querier function globally in the device.
Possible values:
 On
 Off (default setting)

 Configuration
In this frame you specify the IGMP Snooping Querier settings for the general query data packets.

Parameters Meaning
Protocol version Specifies the IGMP version of the general query data packets.
Possible values:
 1
IGMP v1
 2 (default setting)
IGMP v2
 3
IGMP v3
Query interval [s] Specifies the time in seconds after which the device generates general query data packets itself
when it has received query data packets from the Multicast router.
Possible values:
 1..1800 (default setting: 60)
Expiry interval [s] Specifies the time in seconds after which an active querier switches from the passive state back
to the active state if it has not received any query packets for longer than specified here.
Possible values:
 60..300 (default setting: 125)

 Table
In the table you specify the Snooping Querier settings for the VLANs that are set up.

Parameters Meaning
VLAN ID Displays the ID of the VLAN to which the table entry applies.

Active Activates/deactivates the IGMP Snooping Querier function for this VLAN.
Possible values:
 marked
The IGMP Snooping Querier function is active for this VLAN.
 unmarked (default setting)
The IGMP Snooping Querier function is inactive for this VLAN.
Current state Displays whether the Snooping Querier is active for this VLAN.
Possible values:
 marked
The Snooping Querier is active for this VLAN.
 unmarked
The Snooping Querier is inactive for this VLAN.
Address Specifies the IP address that the device adds as the source address in generated general query
data packets. You use the address of the multicast router.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Protocol version Displays the IGMP protocol version of the general query data packets.
Possible values:
 1
IGMP v1
 2
IGMP v2
 3
IGMP v3
Max. response time Displays the time in seconds in which the members of a Multicast group should respond to a query
data packet. For their response, the members specify a random time within the response time.
This helps prevent the Multicast group members from responding to the query at the same time.
Last querier address Displays the IP address of the Multicast router from which the last received IGMP query was sent out.
Last querier version Displays the IGMP version that the Multicast router used when sending out the last IGMP query
received in this VLAN.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

5.4.5 IGMP Snooping Multicasts

The device allows you to specify how it transmits data packets with unknown Multicast addresses: Either
the device discards these data packets, floods them to every port, or transmits them solely to the ports
that previously received query packets.
The device also allows you to transmit the data packets with known Multicast addresses to the query
ports.

 Configuration

Parameters Meaning
Unknown multicasts Specifies how the device transmits the data packets with unknown Multicast addresses.
Possible values:
 Discard
The device discards data packets with an unknown MAC/IP Multicast address.
 Send to all ports (default setting)
The device sends data packets with an unknown MAC/IP Multicast address to the registered
ports.
 Send to query ports
The device sends data packets with an unknown MAC/IP Multicast address to the query ports.

 Table
In the table you specify the settings for known Multicasts for the VLANs that are set up.

Parameters Meaning
VLAN ID Displays the ID of the VLAN to which the table entry applies.
Known multicasts Specifies how the device transmits the data packets with known Multicast addresses.
Possible values:
 send to query and registered ports
The device sends data packets with a known MAC/IP Multicast address to the query ports
and to the registered ports.
 send to registered ports (default setting)
The device sends data packets with a known MAC/IP Multicast address to registered ports.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
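
The following model is an added example, not code from the manual or the device. It follows the IGMP Snooping behaviour described in sections 5.4 through 5.4.5 for one VLAN: reports register ports, entries age out after the group membership interval, query ports age out after the MRP expiration time, and the Unknown multicasts and Known multicasts settings decide the egress ports. Class, method and setting names are hypothetical. A Leave without Fast Leave is simplified to ageing out, "Send to all ports" is modelled as flooding to every other port as in the introduction of section 5.4.5, and Forward all ports are assumed to receive every multicast packet regardless of the other settings.

```python
class SnoopingVlan:
    """IGMP Snooping state of one VLAN (simplified model; times in seconds)."""

    def __init__(self, ports, membership_interval=260, mrp_expiration=260,
                 fast_leave=False, unknown="send_to_all_ports", known="registered",
                 static_query_ports=(), forward_all=()):
        self.ports = set(ports)
        self.membership_interval = membership_interval  # 2..3600
        self.mrp_expiration = mrp_expiration            # 0 = no expiration
        self.fast_leave = fast_leave
        self.unknown = unknown  # discard | send_to_all_ports | send_to_query_ports
        self.known = known      # registered | query_and_registered
        self.static_query_ports = set(static_query_ports)
        self.forward_all = set(forward_all)
        self.members = {}        # group -> {port: time of the last report}
        self.learned_query = {}  # port -> time of the last query

    def on_query(self, port, now):
        """A received query makes the port a learned query port."""
        self.learned_query[port] = now

    def on_report(self, port, group, now):
        """A report registers the port for the group or refreshes its entry."""
        self.members.setdefault(group, {})[port] = now

    def on_leave(self, port, group, now):
        """Fast Leave removes the entry at once; otherwise it ages out in expire()."""
        if self.fast_leave:
            self.members.get(group, {}).pop(port, None)

    def expire(self, now):
        for group in list(self.members):
            entry = self.members[group]
            for port in [p for p, t in entry.items()
                         if now - t > self.membership_interval]:
                del entry[port]
            if not entry:
                del self.members[group]
        if self.mrp_expiration:
            for port in [p for p, t in self.learned_query.items()
                         if now - t > self.mrp_expiration]:
                del self.learned_query[port]

    def query_ports(self):
        return set(self.learned_query) | self.static_query_ports

    def egress(self, group, in_port, now):
        """Ports on which a multicast packet for the group leaves the device."""
        self.expire(now)
        registered = set(self.members.get(group, {}))
        if registered:  # known multicast address
            out = set(registered)
            if self.known == "query_and_registered":
                out |= self.query_ports()
        elif self.unknown == "discard":
            out = set()
        elif self.unknown == "send_to_query_ports":
            out = self.query_ports()
        else:
            out = set(self.ports)
        out |= self.forward_all
        return out - {in_port}


if __name__ == "__main__":
    # Constructed scenario: four ports, one receiver on 1/2, a querier behind 1/4.
    vlan = SnoopingVlan(["1/1", "1/2", "1/3", "1/4"])
    group = "239.1.1.1"
    print("unknown group:", sorted(vlan.egress(group, "1/1", 0)))
    vlan.on_query("1/4", 0)
    vlan.on_report("1/2", group, 5)
    print("after report:", sorted(vlan.egress(group, "1/1", 10)))
    print("after ageing:", sorted(vlan.egress(group, "1/1", 266)))
```

With the default Unknown multicasts setting, a stream whose last registration has aged out is flooded again, so the discard and query-port settings are the ones to review where a stream must not reach unregistered ports.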

5.5 MRP-IEEE

The IEEE 802.1ak amendment to the IEEE 802.1Q standard introduced the Multiple Registration
Protocol (MRP) to replace the Generic Attribute Registration Protocol (GARP). The IEEE also modified
and replaced the GARP applications, GARP Multicast Registration Protocol (GMRP) and GARP VLAN
Registration Protocol (GVRP). The Multiple MAC Registration Protocol (MMRP) and the Multiple VLAN
Registration Protocol (MVRP) replace these protocols.
MRP-IEEE helps confine traffic to the required areas of the LAN. To confine traffic, the MRP-IEEE
applications distribute attribute values to participating MRP-IEEE devices across a LAN,
registering and de-registering multicast group membership and VLAN identifiers.
Registering group participants allows you to reserve resources for specific traffic traversing a LAN.
Defining resource requirements regulates the level of traffic, allowing the devices to determine the
required resources, and provides for dynamic maintenance of the allocated resources.
The menu contains the following dialogs:
 MRP-IEEE Configuration
 MRP-IEEE Multiple MAC Registration Protocol
 MRP-IEEE Multiple VLAN Registration Protocol

5.5.1 MRP-IEEE Configuration

This dialog allows you to set the various MRP timers. By maintaining a relationship between the various
timer values, the protocol operates efficiently and with less likelihood of unnecessary attribute withdrawals
and re-registrations. The default timer values effectively maintain these relationships.
Maintain the following relationships when you reconfigure the timers:
 To allow for re-registration after a Leave or LeaveAll event, even if there is a lost message, specify
a LeaveTime value ≥ (2 × JoinTime) + 60.
 To minimize the volume of rejoining traffic generated following a LeaveAll event, specify a value for
the LeaveAll timer that is larger than the LeaveTime value.

 Table

Parameters Meaning
Port Displays the port number.
Join time [1/100s] Specifies the Join timer which controls the interval between transmit opportunities applied to the
Applicant state machine.
Possible values:
 10..100 (default setting: 20)
Leave time [1/100s] Specifies the Leave timer which controls the period that the Registrar state machine waits in the
leave (LV) state before transiting to the empty (MT) state.
Possible values:
 20..600 (default setting: 60)
Leave all time [1/100s] Specifies the LeaveAll timer which controls the frequency with which the LeaveAll state machine generates LeaveAll PDUs.
Possible values:
 200..6000 (default setting: 1000)

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

5.5.2 MRP-IEEE Multiple MAC Registration Protocol

The Multiple MAC Registration Protocol (MMRP) allows end devices and MAC switches to register and
de-register group membership and individual MAC address information with switches located in the
same LAN. The switches within the LAN disseminate the information through switches that support
extended filtering services. Using the MAC address information, MMRP allows you to confine multicast
traffic to the required areas of a Layer 2 network.
For an example of how MMRP works, consider a security camera mounted on a mast overlooking a
building. The camera sends multicast packets onto a LAN. You have 2 end devices installed for
surveillance in separate locations. You register the MAC addresses of the camera and the 2 end devices
in the same multicast group. You then specify the MMRP settings on the ports to send the multicast
group packets to the 2 end devices.

The dialog contains the following tabs:


 [Configuration ]
 [Service requirement ]
 [Statistics ]

[Configuration ]
In this tab, you select active MMRP port participants and set the device to transmit periodic events. The
dialog also allows you to enable VLAN registered MAC address broadcasting.
A periodic state machine exists for each port and transmits periodic events regularly to the applicant
state machines associated with active ports. Periodic events contain information indicating the status of
the devices associated with the active port.

 Operation

Parameters Meaning
Operation Enables/disables the global MMRP function on the device. The device participates in MMRP
message exchanges.
Possible values:
 On
The device is a normal participant in MMRP message exchanges.
 Off (default setting)
The device ignores MMRP messages.

 Configuration

Parameters Meaning
Periodic state machine Enables/disables the global periodic state machine on the device.
Possible values:
 On
With MMRP Operation enabled globally, the device transmits MMRP messages in one-
second intervals, on MMRP participating ports.
 Off (default setting)
Disables the periodic state machine on the device.

 Table

Parameters Meaning
Port Displays the port number.
Active Activates/deactivates the port MMRP participation.
Possible values:
 marked (default setting)
With MMRP enabled globally and on this port, the device sends and receives MMRP
messages on this port.
 unmarked
Disables the port MMRP participation.
Restricted group registration Activates/deactivates the restriction of dynamic MAC address registration using MMRP on the port.
Possible values:
 marked
When enabled and a static filter entry for the MAC address exists on the VLAN concerned, then
the device allows the dynamic registration of MAC address attributes.
 unmarked (default setting)
Activates/deactivates the restriction of dynamic MAC address registration using MMRP on the
port.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[Service requirement ]
This tab contains forwarding parameters for each active VLAN, specifying the ports on which multicast
forwarding applies. The device allows you to statically set up VLAN ports as Forward all or Forbidden.
You set the Forbidden MMRP service requirement statically through the graphical user interface or CLI
exclusively.
A port is set up solely as ForwardAll or Forbidden.

 Table

Parameters Meaning
VLAN ID Displays the ID of the VLAN.
<Port number> Specifies the service requirement handling for the port.
Possible values:
 FA
Specifies the ForwardAll traffic setting on the port. The device forwards traffic destined to
MMRP registered multicast MAC addresses on the VLAN. The device forwards traffic to ports
which MMRP has dynamically set up or ports which the administrator has statically set up as
ForwardAll ports.
 F
Specifies the Forbidden traffic setting on the port. The device blocks dynamic MMRP
ForwardAll service requirements. With ForwardAll requests blocked on this port in this VLAN,
the device blocks traffic destined to MMRP registered multicast MAC addresses on this port.
Furthermore, the device blocks MMRP service requests for changing this value on this port.
 - (default setting)
Disables the forwarding functions on this port.
 Learned
Displays values set up by MMRP service requests.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[Statistics ]
Devices on a LAN exchange Multiple MAC Registration Protocol Data Units (MMRPDU) to maintain
statuses of devices on an active MMRP port. This tab allows you to monitor the MMRP traffic statistics
for each port.

 Information

Parameters Meaning
Transmitted MMRP PDU Displays the number of MMRPDUs transmitted on the device.
Received MMRP PDU Displays the number of MMRPDUs received on the device.
Received bad header PDU Displays the number of MMRPDUs received with a bad header on the device.
Received bad format PDU Displays the number of MMRPDUs with a bad data field that were not transmitted on the device.
Transmission failed Displays the number of MMRPDUs not transmitted on the device.

 Table

Parameters Meaning
Port Displays the port number.
Transmitted MMRP PDU Displays the number of MMRPDUs transmitted on the port.
Received MMRP PDU Displays the number of MMRPDUs received on the port.
Received bad header PDU Displays the number of MMRPDUs with a bad header that were received on the port.
Received bad format PDU Displays the number of MMRPDUs with a bad data field that were not transmitted on the port.
Transmission failed Displays the number of MMRPDUs not transmitted on the port.
Last received MAC address Displays the last MAC address from which the port received MMRPDUs.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset Resets the port statistics counters and the values in the Last received MAC address column.

Switching > MRP-IEEE > MVRP

5.5.3 MRP-IEEE Multiple VLAN Registration Protocol

The Multiple VLAN Registration Protocol (MVRP) provides a mechanism that allows you to distribute
VLAN information and configure VLANs dynamically. For example, when you configure a VLAN on an
active MVRP port, the device distributes the VLAN information to other MVRP enabled devices. Using
the information received, an MVRP enabled device dynamically creates the VLAN trunks on other
MVRP enabled devices as needed.

The dialog contains the following tabs:


 [Configuration ]
 [Statistics ]

[Configuration ]
In this tab, you select active MVRP port participants and set the device to transmit periodic events.
A periodic state machine exists for each port and transmits periodic events regularly to the applicant
state machines associated with active ports. Periodic events contain information indicating the status of
the VLANs associated with the active port. Using the periodic events, MVRP enabled switches
dynamically maintain the VLANs.

 Operation

Parameters Meaning
Operation Enables/disables the global Applicant Administrative Control which specifies whether the
Applicant state machine participates in MMRP message exchanges.
Possible values:
 On
Normal Participant. The Applicant state machine participates in MMRP message exchanges.
 Off (default setting)
Non-Participant. The Applicant state machine ignores MMRP messages.

 Configuration

Parameters Meaning
Periodic state machine Enables/disables the periodic state machine on the device.
Possible values:
 On
The periodic state machine is enabled.
With MVRP Operation enabled globally, the device transmits MVRP periodic events in 1
second intervals, on MVRP participating ports.
 Off (default setting)
The periodic state machine is disabled.
Disables the periodic state machine on the device.

 Table

Parameters Meaning
Port Displays the port number.
Active Activates/deactivates the port MVRP participation.
Possible values:
 marked (default setting)
With MVRP enabled globally and on this port, the device distributes VLAN membership
information to MVRP aware devices connected to this port.
 unmarked
Disables the port MVRP participation.
Restricted VLAN registration Activates/deactivates the Restricted VLAN registration function on this port.
Possible values:
 marked
When enabled and a static VLAN registration entry exists, then the device allows you to create
a dynamic VLAN for this entry.
 unmarked (default setting)
Disables the Restricted VLAN registration function on this port.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[Statistics ]
Devices on a LAN exchange Multiple VLAN Registration Protocol Data Units (MVRPDU) to maintain
statuses of VLANs on active ports. This tab allows you to monitor the MVRP traffic.

 Information

Parameters Meaning
Transmitted MVRP PDU Displays the number of MVRPDUs transmitted on the device.
Received MVRP PDU Displays the number of MVRPDUs received on the device.
Received bad header PDU Displays the number of MVRPDUs received with a bad header on the device.
Received bad format PDU Displays the number of MVRPDUs with a bad data field that the device blocked.
Transmission failed Displays the number of failures while adding a message into the MVRP queue.
Message queue failures Displays the number of MVRPDUs that the device blocked.

 Table

Parameters Meaning
Port Displays the port number.
Transmitted MVRP PDU Displays the number of MVRPDUs transmitted on the port.
Received MVRP PDU Displays the number of MVRPDUs received on the port.
Received bad header PDU Displays the number of MVRPDUs with a bad header that the device received on the port.
Received bad format PDU Displays the number of MVRPDUs with a bad data field that the device blocked on the port.
Transmission failed Displays the number of MVRPDUs that the device blocked on the port.
Registrations failed Displays the number of failed registration attempts on the port.
Last received MAC address Displays the last MAC address from which the port received MMRPDUs.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset Resets the port statistics counters and the values in the Last received MAC address column.

Switching > GARP

5.6 GARP

The Generic Attribute Registration Protocol (GARP) is defined by the IEEE to provide a generic
framework so switches can register and deregister attribute values, such as VLAN identifiers and
multicast group membership.
When an attribute for a participant is registered or deregistered according to GARP, the participant is
modified according to specific rules. The participants are a set of reachable end stations and network
devices. The defined set of participants at any given time, along with their attributes, is the reachability
tree for the subset of the network topology. The device forwards the data frames only to the registered
end stations. The station registration helps to prevent attempts to send data to the end stations that are
unreachable.

Note: Before you enable the GMRP function, verify that the MMRP function is disabled.
The menu contains the following dialogs:
 GMRP
 GVRP

Switching > GARP > GMRP

5.6.1 GMRP

The GARP Multicast Registration Protocol (GMRP) is a Generic Attribute Registration Protocol (GARP)
that provides a mechanism allowing network devices and end stations to dynamically register group
membership. The devices register group membership information with the devices attached to the same
LAN segment. GARP also allows the devices to disseminate the information across the network devices
that support extended filtering services.
GMRP and GARP are industry-standard protocols defined by the IEEE 802.1P.

 Operation

Parameters Meaning
Operation Enables/disables the global GMRP function on the device. The device participates in GMRP
message exchanges.
Possible values:
 On
GMRP is enabled.
 Off (default setting)
The device ignores GMRP messages.

 Multicasts

Parameters Meaning
Unknown multicasts Enables/disables the unknown multicast data to be either flooded or discarded.
Possible values:
 Discard
The device discards unknown multicast data.
 Send to all ports (default setting)
The device sends unknown multicast data to every port.

 Table

Parameters Meaning
Port Displays the port number.
GMRP active Activates/deactivates the port GMRP participation.
The prerequisite is that the GMRP function is globally enabled.
Possible values:
 marked (default setting)
The port GMRP participation is active.
 unmarked
The port GMRP participation is inactive.
Service requirement Specifies the ports on which multicast forwarding applies.
Possible values:
 Forward all unregistered groups (default setting)
The device forwards data destined to GMRP-registered multicast MAC addresses on the VLAN.
The device forwards data to the unregistered groups.
 Forward all groups
The device forwards data destined to every group, registered or unregistered.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Switching > GARP > GVRP

5.6.2 GVRP

The GARP VLAN Registration Protocol (GVRP) or Generic VLAN Registration Protocol is a protocol that
facilitates control of Virtual Local Area Networks (VLANs) within a larger network. GVRP is a Layer 2
network protocol, used to automatically configure devices in a VLAN network.
GVRP is a GARP application that provides IEEE 802.1Q-compliant VLAN pruning, and creating
dynamic VLAN on 802.1Q trunk ports. With GVRP, the device exchanges VLAN configuration
information with other GVRP devices. Thus, the device reduces the unnecessary broadcast and
unknown unicast traffic. Exchanging VLAN configuration information also allows you to dynamically
create and manage VLANs connected through the 802.1Q trunk ports.

 Operation

Parameters Meaning
Operation Enables/disables the GVRP function globally on the device. The device participates in GVRP
message exchanges. When the function is disabled, the device ignores GVRP messages.
Possible values:
 On
The GVRP function is enabled.
 Off (default setting)
The GVRP function is disabled.

 Table

Parameters Meaning
Port Displays the port number.
GVRP active Activates/deactivates the port GVRP participation.
The prerequisite is that the GVRP function is globally enabled.
Possible values:
 marked (default setting)
The port GVRP participation is active.
 unmarked
The port GVRP participation is inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Switching > QoS/Priority

5.7 QoS/Priority

Communication networks carry a number of applications at the same time, each with different
requirements for availability, bandwidth and latency.
QoS (Quality of Service) is a procedure defined in IEEE 802.1D. It is used to distribute resources in the
network. You therefore have the possibility of providing minimum bandwidth for important applications.
The prerequisite is that the end devices and the devices in the network support prioritized data
transmission. Data packets with high priority are given preference when transmitted by devices in the
network. You transfer data packets with lower priority when there are no data packets with a higher
priority to be transmitted.
The device provides the following setting options:
 You specify how the device evaluates QoS/prioritization information for inbound data packets.
 For outbound packets, you specify which QoS/prioritization information the device writes in the data
packet (for example priority for management packets, port priority).

Note: Disable flow control if you use the functions in this menu. The flow control is inactive if in the
Switching > Global dialog, Configuration frame the Flow control checkbox is unmarked.
The menu contains the following dialogs:
 QoS/Priority Global
 QoS/Priority Port Configuration
 802.1D/p Mapping
 IP DSCP Mapping
 Queue Management
 DiffServ

Switching > QoS/Priority > Global

5.7.1 QoS/Priority Global

The device allows you to maintain access to the management functions, even in situations with heavy
utilization. In this dialog you specify the required QoS/priority settings.

 Configuration

Parameters Meaning
VLAN priority for management packets Specifies the VLAN priority for sending management data packets. Depending on the VLAN
priority, the device assigns the data packet to a specific traffic class and thus to a specific priority
queue of the port.
Possible values:
 0..7 (default setting: 0)
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to
every VLAN priority.
IP DSCP value for management packets Specifies the IP DSCP value for sending management data packets. Depending on the IP DSCP
value, the device assigns the data packet to a specific traffic class and thus to a specific priority
queue of the port.
Possible values:
 0 (be/cs0) ..63 (default setting: 0 (be/cs0) )
Some values in the list also have a DSCP keyword, for example 0 (be/cs0) , 10 (af11) and 46
(ef) . These values are compatible with the IP precedence model.
In the Switching > QoS/Priority > IP DSCP Mapping dialog you assign a traffic class to every
IP DSCP value.
Queues per port Displays the number of priority queues per port.
The device has 8 priority queues per port. You assign every priority queue to a specific traffic class
(traffic class according to IEEE 802.1D).

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Switching > QoS/Priority > Port Configuration

5.7.2 QoS/Priority Port Configuration

In this dialog, you specify for every port how the device processes received data packets based on their
QoS/priority information.

 Table

Parameters Meaning
Port Displays the port number.
Port priority Specifies what VLAN priority information the device writes into a data packet if the data packet
contains no priority information. After this, the device transmits the data packet depending on the
value specified in the Trust mode column.
Possible values:
 0..7 (default setting: 0)
Trust mode Specifies how the device handles a received data packet if the data packet contains QoS/priority
information.
Possible values:
 untrusted
The device transmits the data packet according to the priority specified in the Port priority
column. The device ignores the priority information contained in the data packet.
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to
every VLAN priority.
 trustDot1p (default setting)
The device transmits the data packet according to the priority information in the VLAN tag.
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to
every VLAN priority.
 trustIpDscp
– If the data packet is an IP packet:
The device transmits the data packet according to the IP DSCP value contained in the data
packet.
In the Switching > QoS/Priority > IP DSCP Mapping dialog you assign a traffic class
to every IP DSCP value.
– If the data packet is not an IP packet:
The device transmits the data packet according to the priority specified in the Port
priority column.
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic
class to every VLAN priority.
Untrusted traffic class Displays the traffic class assigned to the VLAN priority information specified in the Port priority
column. In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic
class to every VLAN priority.
Possible values:
 0..7
Bandwidth [%] Specifies the egress transmission rate.
Possible values:
 0 (default setting)
The bandwidth limitation is disabled.
 1..100
The bandwidth limitation is enabled.
This value specifies the percentage of overall link speed for the port in 1% increments.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Switching > QoS/Priority > 802.1D/p Mapping

5.7.3 802.1D/p Mapping

The device transmits data packets with a VLAN tag according to the contained QoS/priority information
with a higher or lower priority.
In this dialog, you assign a traffic class to every VLAN priority. You assign the traffic classes to the
priority queues of the ports.

 Table

Parameters Meaning
VLAN priority Displays the VLAN priority.
Traffic class Specifies the traffic class assigned to the VLAN priority.
Possible values:
 0..7
0 assigned to the priority queue with the lowest priority.
7 assigned to the priority queue with the highest priority.

Note: Among other things, redundancy mechanisms use the highest traffic class. Therefore, select
another traffic class for application data.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

 Default assignment of the VLAN priority to traffic classes

VLAN Priority   Traffic class   Content description according to IEEE 802.1D
0               2               Best Effort: Normal data without prioritizing
1               0               Background: Non-time critical data and background services
2               1               Standard: Normal data
3               3               Excellent Effort: Important data
4               4               Controlled Load: Time-critical data with a high priority
5               5               Video: Video transmission with delays and jitter < 100 ms
6               6               Voice: Voice transmission with delays and jitter < 10 ms
7               7               Network Control: Data for network management and redundancy mechanisms

Switching > QoS/Priority > IP DSCP Mapping

5.7.4 IP DSCP Mapping

The device transmits IP data packets according to the DSCP value contained in the data packet with a
higher or lower priority.
In this dialog, you assign a traffic class to every DSCP value. You assign the traffic classes to the priority
queues of the ports.

 Table

Parameters Meaning
DSCP value Displays the DSCP value.
Traffic class Specifies the traffic class which is assigned to the DSCP value.
Possible values:
 0..7
0 assigned to the priority queue with the lowest priority.
7 assigned to the priority queue with the highest priority.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

 Default assignment of the DSCP values to traffic classes

DSCP Value          DSCP Name         Traffic class
0                   Best Effort/CS0   2
1-7                                   2
8                   CS1               0
9,11,13,15                            0
10,12,14            AF11,AF12,AF13    0
16                  CS2               1
17,19,21,23                           1
18,20,22            AF21,AF22,AF23    1
24                  CS3               3
25,27,29,31                           3
26,28,30            AF31,AF32,AF33    3
32                  CS4               4
33,35,37,39                           4
34,36,38            AF41,AF42,AF43    4
40                  CS5               5
41,42,43,44,45,47                     5
46                  EF                5
48                  CS6               6
49-55                                 6
56                  CS7               7
57-63                                 7
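
The trust-mode decision from section 5.7.2 combined with the default mappings from sections 5.7.3 and 5.7.4, as an added example (not code from this manual or from the device firmware). It shows which traffic class a port assigns to a frame whose priority markings were set by the connected device. The function names, the constructed test frames and the restriction to IPv4 are assumptions of the example.

```python
import struct

# Default VLAN priority -> traffic class, from the table in section 5.7.3.
DOT1P_TO_TC = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}
TRUST_MODES = ("untrusted", "trustDot1p", "trustIpDscp")


def dscp_to_tc(dscp):
    """Default DSCP -> traffic class, from the table in section 5.7.4.

    The default table assigns one traffic class per block of eight DSCP
    values, so it follows the three IP precedence bits (dscp >> 3).
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return DOT1P_TO_TC[dscp >> 3]


def parse_frame(frame):
    """Return (vlan_priority, dscp) of a raw Ethernet frame, None if absent."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    payload, vlan_priority = 14, None
    if ethertype == 0x8100:                       # 802.1Q tag present
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_priority = tci >> 13                 # upper 3 bits of the TCI
        payload = 18
    dscp = None
    if ethertype == 0x0800 and len(frame) >= payload + 2:   # IPv4 only (assumption)
        dscp = frame[payload + 1] >> 2            # upper 6 bits of the TOS octet
    return vlan_priority, dscp


def classify(frame, trust_mode, port_priority=0):
    """Traffic class for a received frame, following the Trust mode column."""
    if trust_mode not in TRUST_MODES:
        raise ValueError("unknown trust mode: %r" % trust_mode)
    vlan_priority, dscp = parse_frame(frame)
    if trust_mode == "trustDot1p" and vlan_priority is not None:
        return DOT1P_TO_TC[vlan_priority]         # priority from the VLAN tag
    if trust_mode == "trustIpDscp" and dscp is not None:
        return dscp_to_tc(dscp)                   # DSCP from the IP header
    # untrusted, non-IP frame in trustIpDscp, or frame without priority
    # information: the Port priority column decides.
    return DOT1P_TO_TC[port_priority]


def build_frame(pcp=None, vlan=1, dscp=None):
    """Constructed sample frame: optional VLAN tag, IPv4 if dscp is given, else ARP."""
    frame = bytes.fromhex("01005e000001") + bytes.fromhex("020000000001")
    if pcp is not None:
        frame += struct.pack("!HH", 0x8100, (pcp << 13) | vlan)
    if dscp is not None:
        frame += struct.pack("!H", 0x0800) + bytes([0x45, dscp << 2]) + bytes(18)
    else:
        frame += struct.pack("!H", 0x0806) + bytes(28)
    return frame


def compare_modes(frame, port_priority=0):
    """Traffic class the same frame receives under each trust mode."""
    return {mode: classify(frame, mode, port_priority) for mode in TRUST_MODES}


if __name__ == "__main__":
    # Constructed case: a connected device tags its own frames with VLAN priority 7.
    self_marked = build_frame(pcp=7, dscp=0)
    for mode, tc in compare_modes(self_marked).items():
        print("%-12s -> traffic class %d" % (mode, tc))
```

With the default setting trustDot1p, the self-marked frame lands in traffic class 7, the class the note in section 5.7.3 reserves for redundancy mechanisms; with untrusted, the port priority decides instead.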

Switching > QoS/Priority > Queue Management

5.7.5 Queue Management

This dialog allows you to enable and disable the Strict priority function for the traffic classes. When
you disable the Strict priority function, the device processes the priority queues of the ports with
"Weighted Fair Queuing".
You also have the option of assigning a minimum bandwidth to every traffic class, which the device
uses to process the priority queues with "Weighted Fair Queuing".

 Table

Parameters Meaning
Traffic class Displays the traffic class.
Strict priority Activates/deactivates the processing of the port priority queue with Strict priority for this
traffic class.
Possible values:
 marked (default setting)
The processing of the port priority queue with Strict priority is active.
– The port sends data packets that are in the priority queue with the highest priority
exclusively. If this priority queue is empty, the port sends data packets that are in the priority
queue with the next lower priority.
– The port sends data packets with a lower traffic class after the priority queues with a higher
priority are empty. In unfavorable situations, the port never sends these data packets.
– If you select this setting for a traffic class, the device enables the function also for traffic
classes with a higher priority.
– Use this setting for applications such as VoIP or video that require the least possible delay.
 unmarked
The processing of the port priority queue with Strict priority is inactive. The device uses
"Weighted Fair Queuing"/"Weighted Round Robin" (WRR) to process the port priority queue.
– The device assigns a minimum bandwidth to each traffic class.
– Even under a high network load the port transmits data packets with a low traffic class.
– If you select this setting for a traffic class, the device disables the function also for traffic
classes with a lower priority.
Min. bandwidth [%] Specifies the minimum bandwidth for this traffic class when the device is processing the priority
queues of the ports with "Weighted Fair Queuing".
Possible values:
 0..100 (default setting: 0 = the device does not reserve any bandwidth for this traffic class)
The value specified in percent refers to the available bandwidth on the port. When you disable the
Strict priority function for every traffic class, the maximum bandwidth is available on the port
for the "Weighted Fair Queuing".
The maximum total of the assigned bandwidths is 100 %.
Max. bandwidth [%] Specifies the shaping rate at which a Traffic Class transmits packets (Queue Shaping).
Possible values:
 0 (default setting)
The device does not reserve any bandwidth for this traffic class.
 1..100
The device reserves the specified bandwidth for this traffic class. The specified value in
percent refers to the maximum available bandwidth on this port.
For example, using queue shaping allows you to limit the rate of a strict-high priority queue.
Limiting a strict-high priority queue allows the device to also process low-priority queues. To use
queue shaping, you set the maximum bandwidth for a particular queue.
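
A simplified slot-based model of the three columns above, as an added example (not the device's scheduler and not code from this manual). It shows the starvation that Strict priority allows and how Max. bandwidth and Min. bandwidth change the outcome. It assumes equal-size frames, one frame per time slot, queues that are always full, and a smooth weighted round robin standing in for "Weighted Fair Queuing"; all function names are hypothetical.

```python
def validate(strict, min_bw):
    """Check a queue configuration against the rules stated in the table."""
    problems = []
    # Enabling Strict priority for a class also enables it for every higher class.
    if strict and set(strict) != set(range(min(strict), 8)):
        problems.append("Strict priority must cover every class above the lowest strict class")
    if any(not 0 <= value <= 100 for value in min_bw.values()):
        problems.append("Min. bandwidth must be 0..100")
    if sum(min_bw.values()) > 100:
        problems.append("the assigned minimum bandwidths total more than 100 %")
    return problems


def simulate(backlogged, strict, min_bw=None, max_bw=None, slots=1000):
    """Return frames sent per traffic class on one port after `slots` slots.

    backlogged: traffic classes whose queue always holds a frame
    strict:     traffic classes processed with Strict priority
    min_bw:     {traffic class: percent}, weight of a non-strict class
    max_bw:     {traffic class: percent}, shaping rate (0 or missing = no limit)
    """
    min_bw, max_bw = min_bw or {}, max_bw or {}
    sent = {tc: 0 for tc in backlogged}
    tokens = {tc: 0 for tc in backlogged}     # shaping budget in percent of a frame
    credit = {tc: 0 for tc in backlogged}     # weighted round robin state
    for _ in range(slots):
        for tc in backlogged:
            tokens[tc] = min(tokens[tc] + max_bw.get(tc, 0), 100)
        # A shaped class may send only once it has saved up one whole frame.
        ready = [tc for tc in backlogged
                 if not max_bw.get(tc, 0) or tokens[tc] >= 100]
        strict_ready = [tc for tc in ready if tc in strict]
        if strict_ready:
            chosen = max(strict_ready)        # highest priority queue wins
        elif ready:
            total = sum(min_bw.get(tc, 0) for tc in ready)
            for tc in ready:
                credit[tc] += min_bw.get(tc, 0)
            chosen = max(ready, key=lambda tc: (credit[tc], tc))
            credit[chosen] -= total
        else:
            continue                          # nothing may send in this slot
        sent[chosen] += 1
        if max_bw.get(chosen, 0):
            tokens[chosen] -= 100
    return sent


def scenarios():
    """Three constructed configurations with traffic classes 7, 2 and 0 saturated."""
    load, every_class = [7, 2, 0], set(range(8))
    return {
        # Default: every class strict, no shaping.
        "strict": simulate(load, every_class),
        # Every class strict, class 7 shaped to 20 %.
        "strict+shaping": simulate(load, every_class, max_bw={7: 20}),
        # Class 7 strict and shaped, classes 0..6 weighted 30 % / 10 %.
        "shaping+weights": simulate(load, {7}, min_bw={2: 30, 0: 10}, max_bw={7: 20}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-16s %s" % (name, result))
```

In this model shaping alone still leaves traffic class 0 without any slot, because class 2 remains strict above it; only the weighted configuration gives every saturated class a share.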

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Switching > QoS/Priority > DiffServ

5.7.6 DiffServ

Differentiated Services (DiffServ) filter data packets in order to prioritize or limit the data stream.
– In a class, you specify the filter criteria.
– In a policy, you link the class with actions.
The device applies the actions of the policy to those data packets that meet the filter criteria of the
assigned class.
To configure DiffServ, perform the following steps:
 Create a class with the filter criteria.
 Create a policy.
 Assign a class with the filter criteria to the policy.
 Specify the actions of the policy.
 Assign the policy to a port.
 Activate the DiffServ function.
The device allows you to use the following per class and per instance configurations:
 13 rules per class
 28 instances per policy
 3 attributes per instance
The menu contains the following dialogs:
 DiffServ Overview
 DiffServ Global
 DiffServ Class
 DiffServ Policy
 DiffServ Assignment

Switching > QoS/Priority > DiffServ > Overview

5.7.6.1 DiffServ Overview

This dialog displays the configured DiffServ settings.

 Port

Parameters Meaning
Port Simplifies the table and displays the entries relating to a specific port. Displaying the table in this
fashion makes it easier for you to sort the table as you desire.
Possible values:
 All (default setting)
The table displays the entries for every port.
 <Port number>
The table displays the entries that apply to the selected port.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Switching > QoS/Priority > DiffServ > Global

5.7.6.2 DiffServ Global

In this dialog, you enable the DiffServ function.

 Operation

Parameters Meaning
Operation Enables/disables the DiffServ function.
Possible values:
 On
The DiffServ function is enabled.
The device processes traffic according to the DiffServ rules.
 Off (default setting)
The DiffServ function is disabled.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Switching > QoS/Priority > DiffServ > Class

5.7.6.3 DiffServ Class

In this dialog, you specify the data packets on which the device executes the actions specified in the
Policy dialog. This assignment is called a class.
Only one class can be assigned to a policy. This means each class can contain multiple filter criteria.

 Table

Parameters Meaning
Class name Specifies the name of the DiffServ class. The device allows you to change the class name directly
in the table.
Possible values:
 Alphanumeric ASCII character string with 1..31 characters
Criteria Displays the specified criteria for this rule.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.

 Create

Parameters Meaning
Class name Specifies the name of the DiffServ class.
Possible values:
 Alphanumeric ASCII character string with 1..31 characters
Type Specifies the type of Class Rule for matching; this determines the individual match conditions for
the present class rule.
Depending on which value you select, the following visible parameters change.
To match every packet regardless of content, select the value every .
Possible values:
 cos (default setting)
 dstip
 dstl4port
 dstmac
 every
 ipdscp
 ipprecedence
 iptos
 protocol
 refclass
 srcip
 srcl4port
 srcmac
 cos2
 etype
 vlanid
 vlanid2

Parameters Meaning
Type = cos
COS Specifies the class of service as the match value for the class.
Possible values:
 0..7 (default setting: 0)

Parameters Meaning
Type = dstip
Destination IP address Specifies the destination IP address as the match value for the class.
Possible values:
 Valid IP address
Destination IP address mask Specifies the mask for the destination IP address.
Possible values:
 Valid netmask

Parameters Meaning
Type = dstl4port
Destination port Specifies the destination Layer 4 port as the match value for the class.
Possible values:
 Valid TCP or UDP port number

Parameters Meaning
Type = dstmac
Destination MAC address Specifies the destination MAC address as the match value for the class.
Possible values:
 Valid MAC address

Destination MAC address mask Specifies the mask for the destination MAC address.
Possible values:
 Valid netmask

Parameters Meaning
Type = ipdscp
DSCP Specifies the IP DiffServ Code Point (DSCP) as the match value for the class.
Possible values:
 0..63 (default setting: 0(be/cs0))

Parameters Meaning
Type = ipprecedence
TOS priority Specifies the IP Precedence as the match value for the class. The precedence bits are the
high-order 3 bits of the Service Type octet in the IPv4 header.
Possible values:
 0..7 (default setting: 0)

Parameters Meaning
Type = iptos
TOS mask Specifies the IP TOS bits and mask as the match value for the class. The TOS bits are the 8 bits
of the Service Type octet in the IPv4 header.
Possible values:
 0x00..0xFF

Parameters Meaning
Type = protocol
Protocol number Specifies the internet protocol number as the match value for the class.
Possible values:
 0..255
Some common values are listed here:
– 1
ICMP
– 2
IGMP
– 4
IPv4
– 6
TCP
– 17
UDP
– 255
A rule with this value matches every protocol in the list.
The IANA defined the “Assigned Internet Protocol Numbers” that you enter here.
To find a list of the assigned numbers use the following link:
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.

Parameters Meaning
Type = refclass
Ref class Specifies the parent class as a corresponding reference class. This reference class uses the set
of match rules specified in a parent class as the match value.
Possible values:
 <Name of the DiffServ Class>
Conditions:
 The parent class to which the user binds this rule and the reference class produce the same
results when the reference class refers solely to the parent class.
 Any attempt to delete the parent class while another class still references it fails.
 Any subsequent change to the parent class rules changes the reference class rules solely
when the reference class uses the parent class as the match value.
 You add subsequent rules to the parent class compatible with the rules existing in the
reference class.

Parameters Meaning
Type = srcip
Source IP address Specifies the source IP address as the match value for the class.
Possible values:
 Valid IP address
Source IP address mask Specifies the mask for the source IP address.
Possible values:
 Valid netmask

Parameters Meaning
Type = srcl4port
Source port Specifies the source Layer 4 port as the match value for the class.
Possible values:
 Valid TCP or UDP port number

Parameters Meaning
Type = srcmac
Source MAC address Specifies the source MAC address as the match value for the class.
Possible values:
 Valid MAC address and mask
Source MAC address mask Specifies the mask for the source MAC address.
Possible values:
 Valid netmask

Parameters Meaning
Type = cos2
COS 2 Specifies a secondary class of service as the match value for the class.
Possible values:
 0..7 (default setting: 0)

Parameters Meaning
Type = etype
Etype Specifies the Ethertype as the match value for the class.
Possible values:
 custom (default setting)
You specify the Ethertype in the Etype value field.
 appletalk
 arp
 ibmsna
 ipv4
 ipv6
 ipx
 mplsmcast
 mplsucast
 netbios
 novell
 pppoe
 rarp
Etype value Specifies the user-defined Ethertype value.
The prerequisite is that in the Etype field you specify the value custom .
Possible values:
 0x0600..0xFFFF

Parameters Meaning
Type = vlanid
VLAN ID Specifies the VLAN ID as the match value for the class.
Possible values:
 1..4042

Parameters Meaning
Type = vlanid2
VLAN2 ID Specifies the secondary VLAN ID as the match value for the class.
Possible values:
 1..4042

Switching > QoS/Priority > DiffServ > Policy

5.7.6.4 DiffServ Policy

In this dialog, you specify which actions the device performs on data packets which fulfill the filter criteria
specified in the Class dialog. This assignment is called a policy.
Only one policy can be assigned to a port. Each policy may contain multiple actions.

 Table

Parameters Meaning
Policy name Displays the name of the policy.
To change the value, click the relevant field.
Possible values:
 Alphanumeric ASCII character string with 1..31 characters
Type Displays the data packets (receiving or sending) to which the device applies the policy.
Possible values:
 in
The device applies the policy to data packets that it receives.
 out
The device applies the policy to data packets that it sends.
Class name Displays the name of the class that is assigned to the policy.
The filter criteria are specified in the class.
Attribute Displays the action that the device performs on the data packets.
 To change an existing action, select the affected row, click the button and then the
Modify attribute item.
 To add additional actions to a policy, click the button.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.

Displays a sub menu with the following items.

Modify attribute Specifies the action that the device performs on the data packets.

 Create
In this dialog you create a new policy or add further actions to an existing policy.

Parameters Meaning
Policy name Specifies the name of the policy.
 To create a new policy, add a new name.
 To add more actions to an existing policy, select a name in the list.
Possible values:
 Alphanumeric ASCII character string with 1..31 characters

Direction Specifies the data packets (receiving or sending) to which the device applies the policy.
Possible values:
 in (default setting)
The device applies the policy to data packets that it receives.
 out
The device applies the policy to data packets that it sends.
Class name Assigns the class to the policy.
The filter criteria are specified in the class.
Type Specifies the policy type.
Depending on which value you select, the following visible parameters change.
Possible values:
 markCosVal (default setting)
 markIpDscpVal
 markIpPrecedenceVal
 policeSimple
 policeTworate
 assignQueue
 drop
 redirect
 mirror
 markCosAsSecCos

Parameters Meaning
Type = markCosVal Overwrites the priority field in the VLAN tag of the Ethernet packets:
– In the VLAN tag, the device overwrites the priority value with the value specified in the COS parameter.
– With QinQ-tagged data packets, the device writes the value to the outer tag (C tag).
– With data packets without VLAN tags, the device adds a priority tag.
Can be combined with Type = redirect and mirror.
COS Specifies the priority value that the device writes to the priority field of the VLAN tag of the Ethernet
packets.
Possible values:
 0..7

Parameters Meaning
Type = markIpDscpVal Overwrites the DS field of the IP packets.
The device writes the value specified in the DSCP parameter to the DS field. Subsequent devices
in the network to which the device forwards the IP packets prioritize the IP packets according to
this setting. To make the device itself prioritize the IP packets, also assign the IP packets to
the desired queue with Type = assignQueue.
Can be combined with Type = assignQueue, redirect and mirror.
DSCP Specifies the value that the device writes to the DS field of the IP packets.
Possible values:
 0..63

Parameters Meaning
Type = markIpPrecedenceVal Overwrites the TOS field of the IP packets.
The device writes the value specified in the TOS priority parameter to the TOS field.
Can be combined with Type = assignQueue, redirect and mirror.
TOS priority Specifies the value that the device writes to the TOS field of the IP packets.
Possible values:
 0..7

Parameters Meaning
Type = policeSimple Limits the classified data stream to the values specified in the Simple C rate and Simple C
burst fields:
– If the transfer rate and burst size of the data stream are below the specified values, the device
applies the action specified in the Conform action field.
– If the transfer rate and burst size of the data stream are above the specified values, the device
applies the action specified in the Non conform action field.
Can be combined with Type = assignQueue, redirect and mirror.
Simple C rate Specifies the committed rate in kbit/s.
Upper limit
Possible values:
 1..4294967295
Simple C burst Specifies the committed burst size in kBytes.
Possible values:
 0..128
Conform action, Non conform action
In the Conform action field, you specify the action that the device applies to the compliant data
stream. Compliant means that the data stream is under the limits specified in the parameters
Simple C rate and Simple C burst.
In the Non conform action field, you specify the action that the device applies to the
non-compliant data stream. Non-compliant means that the data stream is over the limits specified in
the parameters Simple C rate and Simple C burst.
Possible values:
 drop
Discards the data packets.
 markDscp
Overwrites the DS field of the IP packets.
The device writes the value specified in the adjacent field [0..63] to the DS field.
 markPrec
Overwrites the TOS field of the IP packets.
The device writes the value specified in the adjacent field [0..7] to the TOS field.
 send
Sends the data packets.
 markCos
Overwrites the priority field in the VLAN tag of the Ethernet packets:
– in the VLAN tag, the device overwrites the priority value in the COS parameter.
– With QinQ-tagged Ethernet packets, the device writes the value to the outer tag (C tag).
– With Ethernet packets without VLAN tags, the device adds a priority tag.
 markCos2
With QinQ-tagged Ethernet packets, overwrites the priority field in the inner tag (S tag) with the
value specified in the adjacent field [0..7].
 markCosAsSecCos
Overwrites the priority field in the outer tag (C tag) with the priority value of the inner tag (S tag).
Color conform class Specifies the class of the received data stream that the device designates as conform (green).
Possible values:
 blind
The device operates in the color blind mode. The device designates the complete data stream
received as conform (green).
 <Name of the DiffServ Class>
The device designates only this class of the received data stream as conform (green).
Those classes are selectable for which in the Switching > QoS/Priority > DiffServ >
Class dialog, Criteria column a rule of the type cos , ipdscp , ipprec , cos2 is specified.
The filter criteria of the class selected in the Class name drop-down list above and of the class
selected in this drop-down list, must neither be identical nor exclude each other. Exclusion criteria
are:
– The filter criteria have the same rule type, for example cos and cos . Use classes with a
different rule type, for example cos and ipdscp .
– One of the classes references with the rule type refclass another class that conflicts with the
used classes.

Parameters Meaning
Type = policeTworate Limits the classified data stream to the values specified in the Two rate C rate, Two rate C
burst, Two rate P rate, and Two rate P burst fields.
– The device applies the action specified in the Conform action field to the data stream if the
transfer rate and burst size are below Two rate C rate and Two rate C burst.
– The device applies the action specified in the Exceed action field to the data stream if the
transfer rate and burst size are between Two rate C rate and Two rate P rate as well as
Two rate C burst and Two rate P burst.
– The device applies the action specified in the Non conform action field to the data stream if the
transfer rate and burst size are above Two rate P rate and Two rate P burst.
Can be combined with Type = assignQueue, redirect and mirror.
Two rate C rate Specifies the committed rate in kbit/s.
Possible values:
 1..4294967295
Two rate C burst Specifies the committed burst size in kBytes.
Possible values:
 0..128
Two rate P rate Specifies the peak rate (max. allowable transfer rate of the data stream) in kbit/s.
Possible values:
 1..4294967295
Two rate P burst Specifies the peak burst size (max. allowable burst size) in kBytes.
Possible values:
 1..128
Conform action, Conform value, Exceed action, Exceed value, Non conform action, Non conform value
In the Conform action field, you specify the action that the device applies to the compliant data
stream. Compliant means that transfer rate and burst size are below Two rate C rate and Two
rate C burst.
In the Exceed action field, you specify the action that the device applies to the data stream. The
prerequisite is that the transfer rate and burst size are between Two rate C rate and Two rate
P rate as well as Two rate C burst and Two rate P burst.
In the Non conform action field, you specify the action that the device applies to the
non-compliant data stream. Non-compliant means that the transfer rate and burst size are above Two
rate P rate and Two rate P burst.
Possible values:
 drop
Discards the data packets.
 markDscp
Overwrites the DS field of the IP packets.
The device writes the value specified in the adjacent field [0..63] to the DS field.
 markPrec
Overwrites the TOS field of the IP packets.
The device writes the value specified in the adjacent field [0..7] to the TOS field.
 send
Sends the data packets.
 markCos
Overwrites the priority field in the VLAN tag of the Ethernet packets:
– in the VLAN tag, the device overwrites the priority value in the COS parameter.
– With QinQ-tagged Ethernet packets, the device writes the value to the outer tag (C tag).
– With Ethernet packets without VLAN tags, the device adds a priority tag.
 markCos2
With QinQ-tagged Ethernet packets, overwrites the priority field in the inner tag (S tag) with the
value specified in the adjacent field [0..7].
 markCosAsSecCos
Overwrites the priority field in the outer tag (C tag) with the priority value of the inner tag (S tag).

Color conform class Specifies the class of the received data stream that the device designates as conform (green).
Possible values:
 0 - blind
The device operates in the color blind mode. The device designates the complete data stream
received as conform (green).
 <Name of the DiffServ Class>
The device designates only this class of the received data stream as conform (green).
Those classes are selectable for which in the Switching > QoS/Priority > DiffServ >
Class dialog, Criteria column a rule of the type cos , ipdscp , ipprec , cos2 is specified.
The filter criteria of the class selected in the Class name drop-down list above and of the class
selected in this drop-down list, must neither be identical nor exclude each other. Exclusion criteria
are:
– The filter criteria have the same rule type, for example cos and cos . Use classes with a
different rule type, for example cos and ipdscp .
– One of the classes references with the rule type refclass another class that conflicts with the
used classes.
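
The metering described for Type = policeSimple and Type = policeTworate, as an added example that is not part of the manual: a token-bucket model with one bucket for policeSimple and two buckets in the style of the RFC 2698 two-rate three-color marker (color blind mode) for policeTworate. The manual does not name the algorithm the device uses; the bucket model, all class and function names, the 1 kByte = 1024 bytes conversion and the sample packets are assumptions.

```python
"""Token-bucket model of the policeSimple and policeTworate policy types."""

KBYTE = 1024  # assumption: the manual does not say if 1 kByte is 1000 or 1024 bytes


class TokenBucket:
    """Bucket filled at rate_kbit_s (kbit/s) that holds at most burst_kbytes."""

    def __init__(self, rate_kbit_s, burst_kbytes):
        self.rate = rate_kbit_s * 1000 / 8   # fill rate in bytes per second
        self.size = burst_kbytes * KBYTE     # capacity in bytes
        self.tokens = float(self.size)       # the bucket starts full
        self.last = 0.0                      # time of the last refill in seconds

    def refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.size, self.tokens + elapsed * self.rate)
        self.last = now


class PoliceSimple:
    """One bucket (Simple C rate, Simple C burst): conform or nonconform."""

    def __init__(self, c_rate, c_burst):
        self.c = TokenBucket(c_rate, c_burst)

    def meter(self, now, length):
        self.c.refill(now)
        if self.c.tokens >= length:
            self.c.tokens -= length
            return "conform"
        return "nonconform"


class PoliceTworate:
    """Committed and peak bucket: conform, exceed or nonconform."""

    def __init__(self, c_rate, c_burst, p_rate, p_burst):
        # Sanity check of this model, not a rule quoted from the manual.
        if p_rate < c_rate:
            raise ValueError("peak rate must not be below the committed rate")
        self.c = TokenBucket(c_rate, c_burst)
        self.p = TokenBucket(p_rate, p_burst)

    def meter(self, now, length):
        self.c.refill(now)
        self.p.refill(now)
        if self.p.tokens < length:       # above P rate / P burst
            return "nonconform"
        self.p.tokens -= length
        if self.c.tokens < length:       # between C and P limits
            return "exceed"
        self.c.tokens -= length          # below C rate / C burst
        return "conform"


def apply_policy(policer, actions, packets):
    """Meter (time_s, length_bytes) packets and return the action per packet."""
    return [actions[policer.meter(now, length)] for now, length in packets]


# Constructed sample: ten 1000-byte packets arriving back to back at t = 0.
BURST = [(0.0, 1000)] * 10
# Action names as listed under "Possible values" for the action fields.
TWORATE_ACTIONS = {"conform": "send", "exceed": "markDscp", "nonconform": "drop"}


def demo():
    # C rate 1000 kbit/s, C burst 4 kBytes, P rate 2000 kbit/s, P burst 8 kBytes
    policer = PoliceTworate(1000, 4, 2000, 8)
    return apply_policy(policer, TWORATE_ACTIONS, BURST)


if __name__ == "__main__":
    print(demo())
```

With a C burst of 0, which the value range permits, the committed bucket in this model never holds a token, so no packet is metered as conform.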

Parameters Meaning
Type = assignQueue Changes the priority queue into which the device adds the data packets.
The device enqueues the data packets into the priority queue with the ID specified in the Queue
ID parameter.
Apply this action exclusively to data packets that the device receives.
Can be combined with Type = drop, markCosVal and markCosAsSecCos.
Queue ID Specifies the ID of the priority queue into which the device adds the data packets. See the
Traffic class field and the Switching > QoS/Priority > 802.1D/p Mapping dialog.
Possible values:
 0..7

Parameters Meaning
Type = drop Discards the data packets.
Can be combined with Type = mirror if mirror is set up first.

Parameters Meaning
Type = redirect The device forwards the received data stream to the port specified in the Redirection
interface field.
Apply this action exclusively to data packets that the device receives.
Can be combined with Type = markCosVal, markIpDscpVal, markIpPrecedenceVal,
policeSimple, policeTworate, assignQueue and markCosAsSecCos.
Redirection interface Specifies the destination port.
Possible values:
 <Port number>
Number of the destination port. The device forwards the data packets to this port.

Note: The destination port needs sufficient bandwidth to absorb the data stream. When the copied
data stream exceeds the bandwidth of the destination port, the device discards surplus data
packets on the destination port.

Parameters Meaning
Type = mirror The device copies the received data stream and also transfers it to the port specified in the Mirror
interface field.
Apply this action exclusively to data packets that the device receives.
Can be combined with Type = markCosVal, markIpDscpVal, markIpPrecedenceVal,
policeSimple, policeTworate, assignQueue and markCosAsSecCos.

Mirror interface Specifies the destination port.
Possible values:
 <Port number>
Number of the destination port. The device copies the data packets to this port.

Note: The destination port needs sufficient bandwidth to absorb the data stream. When the copied
data stream exceeds the bandwidth of the destination port, the device discards surplus data
packets on the destination port.

Parameters Meaning
Type = markCosAsSecCos Overrides the priority field in the outer VLAN tag of the Ethernet packets with the priority value of
the inner VLAN tag.
Apply this action exclusively to data packets that the device receives.
Can be combined with Type = assignQueue, redirect and mirror.


Switching > QoS/Priority > DiffServ > Assignment

5.7.6.5 DiffServ Assignment

In this dialog you assign the policy to a port.

 Table

Parameters Meaning
Port Displays the port number.
Direction Displays the interface direction to which you assigned the policy.
Policy name Displays the name of the policy assigned to the interface.
Status Displays the port status.
Active Activates/deactivates the DiffServ parameters associated with this row.
Possible values:
 marked
The device forwards traffic according to the specified DiffServ settings.
 unmarked
The device forwards traffic without regarding the specified DiffServ settings.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.

 Create

Parameters Meaning
Port Specifies the port to which the table entry relates.
Possible values:
 Available ports
Direction Specifies the direction in which the device applies the policy.
Possible values:
 In (default setting)
 Out
Policy Specifies the policy assigned to the port.
Possible values:
 Available policies


Switching > VLAN

5.8 VLAN

With VLAN (Virtual Local Area Network) you distribute the data traffic in the physical network to logical
subnetworks. This provides you with the following advantages:
 High flexibility
– With VLAN you distribute the data traffic to logical networks in the existing infrastructure. Without
VLAN, it would be necessary to have additional devices and complicated cabling.
– With VLAN you specify network segments independently of the location of the individual end
devices.
 Improved throughput
– In VLANs data packets can be transferred by priority.
If the priority is high, the device transfers the data traffic of a VLAN preferentially, for example for
time-critical applications such as VoIP phone calls.
– The network load is considerably reduced if data packets and Broadcasts are distributed in small
network segments instead of in the entire network.
 Increased security
The distribution of the data traffic among individual logical networks makes unwanted accessing
more difficult and strengthens the system against attacks such as MAC Flooding or MAC Spoofing.
The device supports packet-based “tagged” VLANs according to the IEEE 802.1Q standard. The VLAN
tagging in the data packet indicates the VLAN to which the data packet belongs.
The device transmits the tagged data packets of a VLAN exclusively via ports that are assigned to the
same VLAN. This reduces the network load.
The device learns the MAC addresses for every VLAN separately (independent VLAN learning).
The device prioritizes the received data stream in the following sequence:
 Voice VLAN
 MAC-based VLAN
 IP subnet-based VLAN
 Protocol-based VLAN
 Port-based VLAN
The menu contains the following dialogs:
 VLAN Global
 VLAN Configuration
 VLAN Port
 VLAN Voice
 MAC Based VLAN
 Subnet Based VLAN
 Protocol Based VLAN


Switching > VLAN > Global

5.8.1 VLAN Global

This dialog allows you to view general VLAN parameters for the device.

 Configuration

Parameters Meaning
Max. VLAN ID Highest ID assignable to a VLAN.
See the Switching > VLAN > Configuration dialog.
VLANs (max.) Displays the maximum number of VLANs possible.
See the Switching > VLAN > Configuration dialog.
VLANs Number of VLANs currently configured in the device.
See the Switching > VLAN > Configuration dialog.
The VLAN ID 1 is always present in the device.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Clear... Resets the VLAN settings of the device to the default setting.
Caution: You lose your connection to the device if you have changed the VLAN ID for the
management in the Basic Settings > Network dialog.


Switching > VLAN > Configuration

5.8.2 VLAN Configuration

In this dialog, you manage the VLANs. To set up a VLAN, create a further row in the table. There you
specify for each port if it transmits data packets of the respective VLAN and if the data packets contain
a VLAN tag.
You distinguish between the following VLANs:
 The user sets up static VLANs.
 The device sets up dynamic VLANs automatically and removes them if the prerequisites cease to
apply.
For the following functions the device creates dynamic VLANs:
– MRP : If you assign the ring ports a non-existing VLAN, then the device creates this VLAN.
– MVRP : The device creates a VLAN based on the messages of neighboring devices.

Note: The settings are effective solely if the VLAN Unaware Mode is disabled. See the Switching >
Global dialog.

 Table

Parameters Meaning
VLAN ID ID of the VLAN.
The device supports up to 512 VLANs simultaneously set up.
Possible values:
 1..4042
Status Displays how the VLAN is set up.
Possible values:
 other
VLAN 1
or
VLAN set up using the 802.1X Port Authentication function. See the Network
Security > 802.1X Port Authentication dialog.
 permanent
VLAN set up by the user.
or
VLAN set up using the MRP function. See the Switching > L2-Redundancy > MRP dialog.
VLANs with this setting remain set up after a restart, if you save the changes in the non-volatile
memory.
 dynamicMvrp
VLAN set up using the MVRP function. See the Switching > MRP-IEEE > MVRP dialog.
VLANs with this setting are write-protected. The device removes a VLAN from the table as
soon as the last port leaves the VLAN.
Creation time Displays the time of VLAN creation.
The field displays the time stamp for the operating time (system uptime).
Name Specifies the name of the VLAN.
Possible values:
 Alphanumeric ASCII character string with 1..32 characters

<Port number> Specifies if the respective port transmits data packets of the VLAN and if the data packets contain
a VLAN tag.
Possible values:
 - (default setting)
The port is not a member of the VLAN and does not transmit data packets of the VLAN.
 T = Tagged
The port is a member of the VLAN and transmits the data packets with a VLAN tag. You use
this setting for uplink ports, for example.
 LT = Tagged Learned
The port is a member of the VLAN and transmits the data packets with a VLAN tag.
The device created the entry automatically based on the GVRP or MVRP function.
 F = Forbidden
The port is not a member of the VLAN and does not transmit data packets of this VLAN.
Additionally, the device prevents the port from becoming a VLAN member through the MVRP
function.
 U = Untagged (default setting for VLAN 1)
The port is a member of the VLAN and transmits the data packets without a VLAN tag. Use
this setting if the connected device does not evaluate any VLAN tags, for example on end
ports.
 LU = Untagged Learned
The port is a member of the VLAN and transmits the data packets without a VLAN tag.
The device created the entry automatically based on the GVRP or MVRP function.

Note: Verify that the port on which the network management station is connected is a member of
the VLAN in which the device transmits the management data. In the default setting, the device
transmits the management data on VLAN 1. Otherwise, the connection to the device terminates
when you transfer the changes to the device. The management access to the device is possible
exclusively using the CLI through the V.24 interface.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.
In the VLAN ID field, you specify the ID of the VLAN.


Switching > VLAN > Port

5.8.3 VLAN Port

In this dialog you specify how the device handles received data packets that have no VLAN tag, or
whose VLAN tag differs from the VLAN ID of the port.
This dialog allows you to assign a VLAN to the ports and thus specify the port VLAN ID.
Additionally, you also specify for each port how the device transmits data packets when the VLAN
Unaware mode is disabled if one of the following situations occurs:
 The port receives data packets without a VLAN tagging.
 The port receives data packets with VLAN priority information (VLAN ID 0, priority tagged).
 The VLAN tagging of the data packet differs from the VLAN ID of the port.

Note: The settings are effective solely if the VLAN Unaware Mode is disabled. See the Switching >
Global dialog.

 Table

Parameters Meaning
Port Displays the port number.
Port-VLAN ID Specifies the ID of the VLAN which the device assigns to data packets without a VLAN tag. The
prerequisite is that you specify in the Acceptable packet types column the value admitAll.
Possible values:
 ID of a VLAN you set up (default setting: 1)
When you use the MRP function and you have not assigned a VLAN to the ring ports, you specify
the value 1 here for the ring ports. Otherwise, the device assigns the value to the ring ports
automatically.
Acceptable packet types Specifies whether the port transmits or discards received data packets without a VLAN tag.
Possible values:
 admitAll (default setting)
The port accepts data packets both with and without a VLAN tag.
 admitOnlyVlanTagged
The port accepts solely data packets tagged with a VLAN ID ≥ 1.
Ingress filtering Activates/deactivates the ingress filtering.
Possible values:
 marked
The ingress filtering is active.
The device compares the VLAN ID in the data packet with the VLANs of which the device is a
member. See the Switching > VLAN > Configuration dialog. If the VLAN ID in the data
packet matches one of these VLANs, the port transmits the data packet. Otherwise, the device
discards the data packet.
 unmarked (default setting)
The ingress filtering is inactive.
The device transmits received data packets without comparing the VLAN ID. Thus the port also
transmits data packets with a VLAN ID of which the port is not a member.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


Switching > VLAN > Voice

5.8.4 VLAN Voice

Use the Voice VLAN feature to separate voice and data traffic on a port, by VLAN and/or priority. A
primary benefit of Voice VLAN is safeguarding the quality of voice traffic when data traffic on the port is
high.
The device detects VoIP phones using the Link Layer Discovery Protocol - Media Endpoint Discovery
(LLDP-MED). The device then adds the appropriate port to the member set of the configured Voice
VLAN. The member set is either tagged or untagged. Tagging depends on the Voice VLAN interface
mode (VLAN ID, Dot1p, None, Untagged).
Another benefit of the Voice VLAN feature is that the VoIP phone obtains VLAN ID or priority information
via LLDP-MED from the device. As a result, the VoIP phone sends voice data tagged as priority, or
untagged. This depends on the configured Voice VLAN Interface mode. You activate Voice VLAN on
the port which is connecting to the VoIP phone.

 Operation

Parameters Meaning
Operation Enables/disables the voice VLAN function of the device globally.
Possible values:
 On
 Off (default setting)

 Table

Parameters Meaning
Port Displays the port number.
Voice VLAN mode Specifies whether the port transmits or discards received data packets without a voice VLAN
tagging or with voice VLAN priority information.
Possible values:
 disabled (default setting)
Deactivates the voice VLAN function for this table entry
 none
Allows the IP telephone to use its own configuration for sending untagged voice traffic.
 vlan/dot1p-priority
The port filters data packets of the voice VLAN using the vlan and dot1p priority tags.
 untagged
The port filters data packets without a voice VLAN tag.
 vlan
The port filters data packets of the voice VLAN using the vlan tag.
 dot1p-priority
The port filters data packets of the voice VLAN using the dot1p priority tags. If you select this
value, additionally specify a proper value in the Priority column.

Data priority mode Specifies the trust mode for the data traffic on the particular port.
The device uses this mode for data traffic on the voice VLAN, when it detects a VoIP telephone
and a PC and when these devices use the same cable for transmitting and receiving data.
Possible values:
 trust (default setting)
With this setting, the device processes the data traffic with normal priority if voice traffic is
present on the interface.
 untrust
If voice traffic is present and the Voice VLAN mode is set to dot1p-priority , the data traffic
uses the priority 0. If the interface transmits data traffic exclusively, the data traffic uses the
normal priority.
Status Displays the status of the Voice VLAN on the port.
Possible values:
 marked
The Voice VLAN is enabled.
 unmarked
The Voice VLAN is disabled.
VLAN ID Specifies the ID of the VLAN to which the table entry applies.
To forward traffic to this VLAN ID using this filter, select in the Voice VLAN mode column the value
vlan .
Possible values:
 0..4042
Priority Specifies the Voice VLAN Priority of the port. The prerequisite is that you specify in the Voice
VLAN mode column the value dot1p-priority .
Possible values:
 0 ..7
 none
Deactivates the Voice VLAN Priority of the port.
Bypass authentication Activates the Voice VLAN Authentication mode.
If you deactivate the function and set the value in the Voice VLAN mode column to
dot1p-priority, then voice devices require an authentication.
Possible values:
 marked (default setting)
If you activated the function in the Network Security > 802.1X Port
Authentication > Global dialog, set the Port control parameter for this port to the
multiClient value before activating this function. You find the Port control parameter in
the Network Security > 802.1X Port Authentication > Global dialog.
 unmarked

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


Switching > VLAN > MAC Based VLAN

5.8.5 MAC Based VLAN

In a MAC-based VLAN, the device forwards traffic based on the source MAC address associated with
a VLAN. User-defined filters determine whether a packet belongs to a particular VLAN.
MAC-based VLANs specify the filtering criteria for untagged or priority-tagged packets exclusively.
Assign a port to a MAC-based VLAN for a specific source MAC address. The device then forwards
untagged packets received with the configured MAC address to the MAC-based VLAN ID. Other
untagged packets are subject to normal VLAN classification rules.

 Table

Parameters Meaning
MAC address Displays the MAC address to which the table entry relates.
The device supports up to 256 simultaneous MAC-based VLAN assignments.
Possible values:
 Valid MAC address
VLAN ID Displays the ID of the VLAN to which the table entry applies.
Possible values:
 1..4042 (set up VLAN IDs)

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.
 In the MAC address field, you specify the MAC address.
 In the VLAN ID field, you specify the ID of the VLAN.


Switching > VLAN > Subnet Based VLAN

5.8.6 Subnet Based VLAN

In IP subnet-based VLANs, the device forwards traffic based on the source IP address and subnet mask
associated with the VLAN. User-defined filters determine whether a packet belongs to a particular
VLAN.
IP subnet-based VLANs specify the filtering criteria for untagged packets or priority tagged packets
exclusively. Assign a port to an IP subnet-based VLAN for a specific source address. The device then
forwards untagged packets received with the configured address to the IP subnet-based VLAN ID.
To configure an IP subnet based VLAN, specify an IP address, a subnet mask, and the corresponding
VLAN identifier. If multiple entries apply, the device uses the entry with the longest prefix first.

 Table

Parameters Meaning
IP address Displays the IP address to which you assign the subnetwork based VLAN.
The device supports up to 128 subnetwork based VLAN assignments set up simultaneously.
Possible values:
 Valid IP address
Netmask Displays the netmask to which you assign the subnetwork based VLAN.
Possible values:
 Valid IP netmask
VLAN ID Displays the VLAN ID.
Possible values:
 1..4042

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.
 In the IP address field, you specify the IP address.
 In the Netmask field, you specify the netmask.
 In the VLAN ID field, you specify the ID of the VLAN.


Switching > VLAN > Protocol Based VLAN

5.8.7 Protocol Based VLAN

In a protocol-based VLAN, specified ports bridge traffic based on the L3 protocol (EtherType)
associated with the VLAN. User-defined packet filters determine whether a packet belongs to a
particular VLAN.
Protocol-based VLANs specify the filtering criteria for untagged packets exclusively. Assign a port to a
protocol-based VLAN for a specific protocol. The device then forwards untagged packets received with
the configured protocol to the protocol-based VLAN ID. The device assigns other untagged packets with
the port VLAN ID.

 Table

Parameters Meaning
Group ID Displays the group identifier of the protocol-based VLAN entry.
The device supports up to 128 protocol-based VLAN associations simultaneously.
Possible values:
 1..128
Name Specifies the group name of the protocol-based VLAN entry.
Possible values:
 Alphanumeric ASCII character string with 1..16 characters
VLAN ID Specifies the ID of the VLAN.
Possible values:
 1..4042
Port Specifies the ports that are assigned to the group.
Possible values:
 <Port number>
Select the ports in the drop-down list.
Ethertype Specifies the Ethertype value assigned to the VLAN.
The Ethertype is a two-octet field in an Ethernet packet to indicate which protocol the payload
contains.
Possible values:
 0x0600..0xFFFF
Ethertype as a hexadecimal number sequence
If you enter a decimal value, the device converts the value into a hexadecimal number
sequence when you click the Add button.
 ip
Ethertype keyword for IPv4 (equivalent to 0x0800)
 arp
Ethertype keyword for ARP (equivalent to 0x0806)
 ipx
Ethertype keyword for IPX (equivalent to 0x8137)

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
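
How the settings from the VLAN Port, MAC Based VLAN, Subnet Based VLAN and Protocol Based VLAN dialogs combine for one received packet, as an added example that is not part of the manual: a simplified model of the classification sequence listed in the VLAN chapter, plus a check for ports that still run with ingress filtering unmarked. The Voice VLAN step is left out because it depends on LLDP-MED detection; all names, the table layout and the sample entries are assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    pvid: int = 1                      # Port-VLAN ID
    acceptable: str = "admitAll"       # or "admitOnlyVlanTagged"
    ingress_filtering: bool = False    # unmarked is the default setting
    member_of: set = field(default_factory=lambda: {1})


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    vid: Optional[int] = None          # None = untagged, 0 = priority-tagged
    src_ip: Optional[str] = None


@dataclass
class VlanTables:
    mac: dict = field(default_factory=dict)       # source MAC -> VLAN ID
    subnet: list = field(default_factory=list)    # (network, VLAN ID)
    protocol: list = field(default_factory=list)  # (Ethertype, port names, VLAN ID)


def add_subnet(tables, ip, netmask, vid):
    """Add a Subnet Based VLAN entry from IP address, netmask and VLAN ID."""
    net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    tables.subnet.append((net, vid))


def classify(tables, port_name, port, frame):
    """Return (vlan_id, rule); vlan_id is None when the port discards the frame."""
    if frame.vid is not None and frame.vid >= 1:
        # Tagged frame: only a marked ingress filter checks port membership.
        if port.ingress_filtering and frame.vid not in port.member_of:
            return None, "ingress filtering"
        return frame.vid, "tag"
    if port.acceptable == "admitOnlyVlanTagged":
        return None, "admitOnlyVlanTagged"
    vid = tables.mac.get(frame.src_mac.lower())
    if vid is not None:
        return vid, "mac"
    if frame.src_ip is not None:
        addr = ipaddress.ip_address(frame.src_ip)
        hits = [(net.prefixlen, v) for net, v in tables.subnet if addr in net]
        if hits:
            return max(hits)[1], "subnet"      # longest prefix first
    if frame.vid is None:
        # The manual limits protocol-based VLANs to untagged packets.
        for ethertype, ports, v in tables.protocol:
            if frame.ethertype == ethertype and port_name in ports:
                return v, "protocol"
    return port.pvid, "port"


def audit_ports(ports):
    """Names of ports that accept tagged frames for VLANs they are not a member of."""
    return sorted(name for name, p in ports.items() if not p.ingress_filtering)


# Constructed sample configuration.
TABLES = VlanTables()
TABLES.mac["02:00:00:00:00:01"] = 50
add_subnet(TABLES, "10.0.0.0", "255.0.0.0", 30)
add_subnet(TABLES, "10.1.2.0", "255.255.255.0", 40)
TABLES.protocol.append((0x0806, {"1/1"}, 60))   # arp
PORTS = {
    "1/1": Port(pvid=10, member_of={10}),                          # defaults
    "1/2": Port(pvid=10, member_of={10}, ingress_filtering=True),
    "1/3": Port(pvid=10, member_of={10, 20}, ingress_filtering=True,
                acceptable="admitOnlyVlanTagged"),
}

if __name__ == "__main__":
    tagged = Frame("02:00:00:00:00:99", 0x0800, vid=20)
    for name, port in PORTS.items():
        print(name, classify(TABLES, name, port, tagged))
    print("ingress filtering unmarked on:", audit_ports(PORTS))
```

In the sample, port 1/1 is a member of VLAN 10 only, yet it accepts the frame tagged with VLAN 20 because ingress filtering is unmarked; port 1/2 discards the same frame.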


Switching > L2-Redundancy

5.9 L2-Redundancy

The menu contains the following dialogs:


 MRP
 HIPER Ring
 Spanning Tree
 Link Aggregation
 Link Backup
 FuseNet™

5.9.1 MRP

The Media Redundancy Protocol (MRP) is a protocol that allows you to set up high-availability, ring-
shaped network structures. An MRP ring with Hirschmann devices is made up of up to 100 devices that
support the MRP protocol according to IEC 62439.
The ring structure of an MRP ring changes back into a line structure if a section fails. The maximum
switching time can be configured.
The Ring Manager function of the device closes the ends of a backbone in a line structure to a redundant
ring.

Note: Spanning Tree and Ring Redundancy have an effect on each other. Deactivate the Spanning
Tree protocol for the ports connected to the MRP ring. See the Switching > L2-Redundancy >
Spanning Tree > Port dialog.
If you work with oversized Ethernet packets (the value in the MTU column for the port is > 1518, see the
Basic Settings > Port dialog), the switching time in reconfiguration of the MRP ring depends on the
following parameters:
 Bandwidth of the ring line
 Size of the Ethernet packets
 Number of devices in the ring
Set the switching time sufficiently large to avoid delays in the MRP packets due to latencies in the
devices. You can find the formula for calculating the switching time in IEC 62439-2, section 9.5.

 Operation

Parameters Meaning
Operation Enables/disables the MRP function.
After you configured the parameters for the MRP ring, enable the function here.
Possible values:
 On
The MRP function is enabled.
After you configured the devices in the MRP ring, the redundancy is active.
 Off (default setting)
The MRP function is disabled.

 Ring port 1 /Ring port 2

Parameters Meaning
Port Specifies the number of the port that is operating as a ring port.
Possible values:
 <Port number>
Number of the ring port

Operation Displays the operating status of the ring port.
Possible values:
 forwarding
The port is enabled, connection exists.
 blocked
The port is blocked, connection exists.
 disabled
The port is disabled.
 not-connected
No connection exists.
Fixed backup Activates/deactivates the backup port function for the Ring port 2 .

Note: The switch over to the primary port can exceed the maximum ring recovery time.
Possible values:
 marked
The Ring port 2 backup function is active. If the ring is closed, the ring manager reverts back
to the primary ring port.
 unmarked (default setting)
The Ring port 2 backup function is inactive. If the ring is closed, the ring manager continues
to send data on the secondary ring port.

 Configuration

Parameters Meaning
Ring manager Enables/disables the Ring manager function.
If there is one device at each end of the line, you activate this function.
Possible values:
 On
The Ring manager function is enabled.
The device operates as a ring manager.
 Off (default setting)
The Ring manager function is disabled.
The device operates as a ring client.
Advanced mode Activates/deactivates the advanced mode for fast switching times.
Possible values:
 marked (default setting)
Advanced mode active.
MRP-capable Hirschmann devices support this mode.
 unmarked
Advanced mode inactive.
Select this setting if another device in the ring does not support this mode.
Ring recovery Specifies the maximum switching time in milliseconds for reconfiguration of the ring. This setting
is effective if the device operates as a ring manager.
Possible values:
 500ms
 200ms (default setting)
Shorter switching times make greater demands on the response time of every individual device in
the ring. Use values lower than 500ms if the other devices in the ring also support this shorter
switching time.
If you are working with oversized Ethernet packets, the number of devices in the ring is limited.
Note that the switching time depends on several parameters. See the description above.

VLAN ID Specifies the ID of the VLAN which you assign to the ring ports.
Possible values:
 0 (default setting)
No VLAN assigned.
In the Switching > VLAN > Configuration dialog, assign the value U to the ring ports for
VLAN 1.
 1..4042
VLAN assigned.
If you assign to the ring ports a non-existing VLAN, the device creates this VLAN. In the
Switching > VLAN > Configuration dialog, the device creates an entry in the table for the
VLAN and assigns the value T to the ring ports.

 Information

Parameters Meaning
Information Displays messages for the redundancy configuration and the possible causes of errors.
The following messages are possible if the device operates as a ring client or a ring manager:
 Redundancy available
The redundancy is set up. When a component of the ring is down, the redundant line takes
over its function.
 Configuration error: Error on ringport link.
Error in the cabling of the ring ports.
The following messages are possible if the device operates as a ring manager:
 Configuration error: Packets from another ring manager received.
Another device exists in the ring that operates as the ring manager.
Enable the Ring manager function only on one device in the ring.
 Configuration error: Ring link is connected to wrong port.
A line in the ring is connected with a different port instead of with a ring port. The device only
receives test data packets on 1 ring port.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Delete ring configuration Disables the redundancy function and resets the settings in the dialog to the default setting.

5.9.2 HIPER Ring

The concept of HIPER ring redundancy enables the construction of high-availability, ring-shaped
networks. This device provides a HIPER ring client. This function allows you to extend an existing
HIPER ring or to replace a device already participating as a client in a HIPER ring.
A HIPER ring contains a Ring Manager (RM) which controls the ring. The RM sends watchdog packets
into the ring on both the primary and secondary ports. If the RM receives the watchdog packets on both
ports, then the primary port remains in the forwarding state and the secondary port remains in the
discarding state.
The device operates only in the ring client mode. This means that the device is able to recognize and
forward the watchdog packets on the ring ports and can also forward changes in link status to the RM,
for example as LinkDown and LinkUp packets.
The device only supports Fast Ethernet and Gigabit Ethernet ports as ring ports. Furthermore, the
device only supports HIPER ring in VLAN 1.

Note: Spanning Tree and Ring Redundancy have an effect on each other. Deactivate the Spanning
Tree protocol for the ports connected to the HIPER ring. See the Switching > L2-Redundancy >
Spanning Tree > Port dialog.

Note: Configure the devices of the HIPER ring individually. Before you connect the redundant link,
complete the configuration of every device of the HIPER ring. You thus avoid loops during the
configuration phase.

 Operation

Parameters Meaning
Operation Enables/disables the HIPER Ring client.
Possible values:
 On
The HIPER Ring client is enabled.
 Off (default setting)
The HIPER Ring client is disabled.

 Ring port 1 /Ring port 2

Parameters Meaning
Port Specifies the port number of the primary/secondary ring port.
Possible values:
 - (default setting)
No primary/secondary ring port selected.
 <Port number>
Number of the ring port

State Displays the state of the primary/secondary ring port.
Possible values:
 not-available
The HIPER Ring client is disabled.
or
No primary or secondary ring port selected.
 active
The ring port is enabled and logically up.
The primary ring port forwards data packets from the ring to the secondary ring port.
 inactive
The ring port is logically down.
As soon as the link goes down on a ring port, the device sends a LinkDown packet to the Ring
Manager on the other ring port.

 Information

Parameters Meaning
Mode Displays that the device is able to operate in the ring client mode.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

5.9.3 Spanning Tree

The Spanning Tree Protocol (STP) is a protocol that deactivates redundant paths of a network in order
to avoid loops. If a network component fails on the path, the device calculates the new topology and
reactivates these paths.
The Rapid Spanning Tree Protocol enables fast switching to a newly calculated topology without
interrupting existing connections. RSTP achieves average reconfiguration times of less than a second.
When you use RSTP in a ring with 10 to 20 devices, you can achieve reconfiguration times in the order
of milliseconds.
The device supports the Multiple Spanning Tree Protocol (MSTP) standardized in IEEE 802.1, which is
a further development of the Spanning Tree Protocol (STP).

Note: If you connect the device to the network through twisted pair SFPs instead of through usual
twisted pair ports, the reconfiguration of the network takes slightly longer.
The menu contains the following dialogs:
 Spanning Tree Global
 Spanning Tree MSTP
 Spanning Tree Port

5.9.3.1 Spanning Tree Global

In this dialog, you enable/disable the Spanning Tree function and specify the bridge settings.

 Operation

Parameters Meaning
Operation Enables/disables the Spanning Tree function on the device.
Possible values:
 On (default setting)
 Off
The device behaves transparently. The device floods received Spanning Tree data packets
like multicast data packets to the ports.

 Variant

Parameters Meaning
Variant Specifies the protocol used for the Spanning Tree function:
Possible values:
 rstp (default setting)
The protocol RSTP is active.
With RSTP (IEEE 802.1Q-2005), the Spanning Tree function is effective in every VLAN that
is set up.
 mstp
The protocol MSTP is active.
To avoid longer recovery times, specify the maximum value 40 in the Tx holds field.

 Traps

Parameters Meaning
Send trap Activates/deactivates the sending of SNMP traps in case of one of the following events:
– Another bridge takes over the root bridge role.
– The topology changes. A port changes its Port state from forwarding into discarding or
from discarding into forwarding .
Possible values:
 marked
The sending of SNMP traps is active.
 unmarked (default setting)
The sending of SNMP traps is inactive.

 Ring only mode

Parameters Meaning
Active Activates/deactivates the Ring only mode, in which the device does not verify the age of the BPDUs.
Possible values:
 marked
The Ring only mode is active. Use this setting for applications with RSTP rings with diameters
greater than 40.
 unmarked (default setting)
The Ring only mode is inactive.
First port Specifies the port number of the first interface.
Possible values:
 <Port number> (default setting: -)
Second port Specifies the port number of the second interface.
Possible values:
 <Port number> (default setting: -)

 Bridge configuration

Parameters Meaning
Bridge ID Displays the bridge ID of the device.
The device with the numerically lowest bridge ID takes over the role of the root bridge in the
network.
Possible values:
 <Bridge priority> / <MAC address>
Value in the Priority field / MAC address of the device
Priority Specifies the bridge priority of the device.
Possible values:
 0..61440 in steps of 4096 (default setting: 32768)
Assign the lowest numeric priority in the network to the device to make it the root bridge.
Hello time [s] Specifies the time in seconds between the sending of two configuration messages (Hello data
packets).
Possible values:
 1..2 (default setting: 2)
If the device takes over the role of the root bridge, the other devices in the network use the value
specified here.
Otherwise, the device uses the value specified by the root bridge. See the Root information
frame.
Due to the interaction with the Tx holds parameter, we recommend not changing the default
setting.
Forward delay [s] Specifies the delay time for the status change in seconds.
Possible values:
 4..30 (default setting: 15)
If the device takes over the role of the root bridge, the other devices in the network use the value
specified here.
Otherwise, the device uses the value specified by the root bridge. See the Root information
frame.
In the RSTP protocol, the bridges negotiate a status change without a specified delay.
The Spanning Tree protocol uses the parameter to delay the status change between the statuses
disabled , discarding , learning , forwarding .
The parameters Forward delay [s] and Max age have the following relationship:
Forward delay [s] ≥ (Max age /2) + 1
If you enter values in the fields that contradict this relationship, the device replaces these values with the last valid
values or with the default value.

Max age Specifies the maximum permissible branch length, for example the number of devices to the root
bridge.
Possible values:
 6..40 (default setting: 20)
If the device takes over the role of the root bridge, the other devices in the network use the value
specified here.
Otherwise, the device uses the value specified by the root bridge. See the Root information
frame.
The Spanning Tree protocol uses the parameter to specify the validity of STP-BPDUs in
seconds.
Tx holds Limits the maximum transmission rate for sending BPDUs.
Possible values:
 1..40 (default setting: 10)
To avoid longer recovery times when using the MSTP protocol, set the maximum value to 40.
When the device sends a BPDU, it increments a counter on this port.
When the counter reaches the value specified here, the port stops sending BPDUs. On the one
hand, this reduces the load generated by RSTP, and on the other a loop may be caused when the
device stops receiving BPDUs.
The device decrements the counter by 1 every second. In the following second, the device sends
a maximum of 1 new BPDU.
BPDU guard Activates/deactivates the BPDU Guard function on the device.
With this function, the device helps protect your network from incorrect configurations, attacks with
STP-BPDUs, and undesired topology changes.
Possible values:
 marked
The BPDU guard is active.
– The device applies the function to manually specified edge ports. For these ports, in the
Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab the checkbox
in the Admin edge port column is marked.
– If an edge port receives an STP-BPDU, the device disables the port. For this port, in the
Basic Settings > Port dialog, Configuration tab the checkbox in the Port on column
is unmarked.
 unmarked (default setting)
The BPDU guard is inactive.
To reset the status of the port to the value forwarding , you proceed as follows:
 If the port is still receiving BPDUs:
– In the Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab unmark
the checkbox in the Admin edge port column.
or
– In the Switching > L2-Redundancy > Spanning Tree > Global dialog, unmark the
BPDU guard checkbox.
 To re-enable the port, use the Auto-Disable function. Alternatively, proceed as
follows:
– Open the Basic Settings > Port dialog, Configuration tab.
– Mark the checkbox in the Port on column.
BPDU filter (all admin edge ports) Activates/deactivates the filtering of STP-BPDUs on every manually specified edge port. For these
ports, in the Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab the
checkbox in the Admin edge port column is marked.
Possible values:
 marked
The BPDU filter is active on every edge port.
The function excludes these ports from Spanning Tree operations.
– The device does not send STP-BPDUs on these ports.
– The device drops any STP-BPDUs received on these ports.
 unmarked (default setting)
The global BPDU filter is inactive.
You have the option to explicitly activate the BPDU filter for single ports. See the Port BPDU
filter column in the Switching > L2-Redundancy > Spanning Tree > Port dialog.

Auto-disable Activates/deactivates the Auto-Disable function for the parameters that BPDU guard is
monitoring on the port.
Possible values:
 marked
The Auto-Disable function for the BPDU guard is active.
– The device disables an edge port when the port receives an STP-BPDU. The “Link status”
LED for the port flashes 3× per period.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently
disabled due to the parameters being exceeded.
– The Auto-Disable function reactivates the port automatically. To use this, go to the
Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the
relevant port in the Reset timer [s] column.
 unmarked (default setting)
The Auto-Disable function for the BPDU guard is inactive.
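
An added Python example (not from the manual and not Hirschmann code) that checks bridge settings against the ranges in the table above, including the Forward delay [s] / Max age relationship, and models what BPDU guard does when an admin edge port receives an STP-BPDU. The model is simplified: each BPDU advertises its sender as root, and all bridge IDs, MAC addresses and port names are constructed.

```python
from dataclasses import dataclass, field


def check_bridge_settings(priority=32768, hello_time=2, forward_delay=15,
                          max_age=20, tx_holds=10):
    """Return violations of the ranges in the Bridge configuration frame."""
    problems = []
    if not (0 <= priority <= 61440 and priority % 4096 == 0):
        problems.append("Priority: 0..61440 in steps of 4096")
    if not 1 <= hello_time <= 2:
        problems.append("Hello time [s]: 1..2")
    if not 4 <= forward_delay <= 30:
        problems.append("Forward delay [s]: 4..30")
    if not 6 <= max_age <= 40:
        problems.append("Max age: 6..40")
    if not 1 <= tx_holds <= 40:
        problems.append("Tx holds: 1..40")
    if forward_delay < max_age / 2 + 1:
        problems.append("Forward delay [s] >= (Max age / 2) + 1 violated")
    return problems


def bridge_id(priority, mac):
    """Sortable bridge ID: priority first, MAC address as tie-breaker."""
    return (priority, bytes.fromhex(mac.replace(":", "")))


def elect_root(bridges):
    """bridges maps name -> (priority, mac); the lowest bridge ID becomes root."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


@dataclass
class Port:
    admin_edge: bool = False   # "Admin edge port" checkbox, CIST tab
    port_on: bool = True       # "Port on" checkbox, Basic Settings > Port


@dataclass
class Switch:
    own_id: tuple
    bpdu_guard: bool
    ports: dict
    root_id: tuple = None
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.root_id = self.own_id   # the bridge is root until it learns better

    def receive_bpdu(self, port_name, sender_id):
        """Simplified model: the BPDU advertises its sender as root bridge."""
        port = self.ports[port_name]
        if not port.port_on:
            return "ignored"
        if self.bpdu_guard and port.admin_edge:
            port.port_on = False   # guard disables the edge port
            self.log.append(f"{port_name}: BPDU on admin edge port, port disabled")
            return "port disabled"
        if sender_id < self.root_id:
            self.root_id = sender_id
            self.log.append(f"{port_name}: another bridge takes over the root role")
            return "root changed"
        return "no change"


# Constructed sample values.
CORE = bridge_id(4096, "02:00:00:00:00:01")        # intended root bridge
UNEXPECTED = bridge_id(0, "02:00:00:00:00:99")     # bridge plugged into an access port


def run_scenario(bpdu_guard):
    """Return (result of the BPDU on the edge port, root still CORE, edge port on)."""
    switch = Switch(own_id=bridge_id(32768, "02:00:00:00:00:10"),
                    bpdu_guard=bpdu_guard,
                    ports={"1/1": Port(), "1/5": Port(admin_edge=True)})
    switch.receive_bpdu("1/1", CORE)               # uplink towards the core
    result = switch.receive_bpdu("1/5", UNEXPECTED)
    return result, switch.root_id == CORE, switch.ports["1/5"].port_on


if __name__ == "__main__":
    print(check_bridge_settings(forward_delay=10, max_age=20))
    print("guard on :", run_scenario(True))
    print("guard off:", run_scenario(False))
```

With the guard inactive, the lower bridge ID arriving on the edge port replaces the intended root, which is the undesired topology change the BPDU guard row describes.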

 Root information

Parameters Meaning
Bridge ID Displays the bridge ID of the current root bridge.
Possible values:
 <Bridge priority> / <MAC address>
Priority Displays the bridge priority of the current root bridge.
Possible values:
 0..61440 in steps of 4096
Hello time [s] Displays the time in seconds specified by the root bridge between the sending of two configuration
messages (Hello data packets).
Possible values:
 1..2
The device uses this specified value. See the Bridge configuration frame.
Forward delay [s] Specifies the delay time in seconds set up by the root bridge for status changes.
Possible values:
 4..30
The device uses this specified value. See the Bridge configuration frame.
In the RSTP protocol, the bridges negotiate a status change without a specified delay.
The Spanning Tree protocol uses the parameter to delay the status change between the statuses
disabled , discarding , learning , forwarding .
Max age Specifies the maximum permissible branch length set up by the root bridge, for example the
number of devices to the root bridge.
Possible values:
 6..40 (default setting: 20)
The Spanning Tree protocol uses the parameter to specify the validity of STP-BPDUs in
seconds.

 Topology information

Parameters Meaning
Bridge is root Displays whether the device currently has the role of the root bridge.
Possible values:
 marked
The device currently has the role of the root bridge.
 unmarked
Another device currently has the role of the root bridge.
Root port Displays the number of the port from which the current path leads to the root bridge.
If the device takes over the role of the root bridge, the field displays the value 0.
Root path cost Specifies the path cost for the path that leads from the root port of the device to the root bridge of
the layer 2 network.
Possible values:
 0..200000000
If the value 0 is specified, the device takes over the role of the root bridge.
Topology changes Displays how many times the device has put a port into the forwarding status via Spanning Tree
since it was started.
Time since topology change Displays the time since the last topology change.
Possible values:
 <days, hours:minutes:seconds>

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

5.9.3.2 Spanning Tree MSTP

In this dialog you manage the settings of the global and local MST instances.
In contrast to the local MST instances, the global MST instance is configured permanently in the device.
The global MST instance contains the VLANs that are not explicitly allocated to a local MST instance.

The device supports up to 16 local MST instances. To create a local instance, click the button.
While STP has a single Spanning Tree spanning the network, MSTP allows you to set up one Spanning
Tree per VLAN or group of VLANs. Thus it is possible to specify several smaller Spanning Trees
covering one network.
How to avoid longer convergence times:
 Only use devices in the network that support RSTP or MSTP.
 Adjust the following parameters to the topology and number of bridges:
– Maximum allowed number of devices to the root bridge
Switching > L2-Redundancy > Spanning Tree > Global dialog, Max age field
– Maximum allowed number of bridges within the MST region in a branch to the root bridge
Switching > L2-Redundancy > Spanning Tree > MSTP dialog, Global CIST parameter
frame, Hops (max.) field
For bridges in an MST region, specify identical values for the following parameters:
 Name of the MST region
 Revision level of the MST region
 Allocation of the VLANs to the MST instances
– Include ports connecting the bridges of an MST region as tagged members in the VLANs set up
on the bridges. You thus avoid potential connection breaks within the MST region when the
topology is changed.
– Include ports connecting an MST region with other MST regions or with the CST region (boundary
ports) as tagged members in the VLANs set up in both regions. You thus avoid potential
connection breaks when topology changes affecting the boundary ports are made.

 MST region identifier

Parameters Meaning
Name Specifies the name of the MST region to which the device belongs.
Possible values:
 Alphanumeric ASCII character string with 1..32 characters
Revision level Specifies the version number of the MST region to which the device belongs.
Possible values:
 0..65535 (default setting: 1)
Checksum Displays the MD5 checksum of the MST configuration.
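
An added Python example (not from the manual and not Hirschmann code) that compares the three values the bridges of one MST region must share: name, revision level and VLAN allocation. The allocation is compared through the Configuration Digest defined in IEEE 802.1Q (HMAC-MD5 over the VID-to-instance table); that the Checksum field shows exactly this value is an assumption, and the bridge names and mappings are constructed.

```python
import hmac

# Configuration Digest Signature Key defined in IEEE 802.1Q.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
MAX_LOCAL_INSTANCES = 16  # limit stated in this dialog
FIELDS = ("Name", "Revision level", "VLAN allocation")


def config_digest(vlan_to_msti):
    """HMAC-MD5 over 4096 two-octet entries; entry n holds the instance of VLAN n."""
    table = bytearray(2 * 4096)  # unlisted VLANs stay in instance 0 (global instance)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4042:
            raise ValueError(f"VLAN ID {vid} outside 1..4042")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(DIGEST_KEY, bytes(table), "md5").hexdigest()


def region_identifier(name, revision, vlan_to_msti):
    """Validate against the ranges in the dialog and return the comparable triple."""
    if not (1 <= len(name) <= 32 and name.isascii() and name.isalnum()):
        raise ValueError("Name: 1..32 alphanumeric ASCII characters")
    if not 0 <= revision <= 65535:
        raise ValueError("Revision level: 0..65535")
    if len(set(vlan_to_msti.values()) - {0}) > MAX_LOCAL_INSTANCES:
        raise ValueError("more than 16 local MST instances")
    return (name, revision, config_digest(vlan_to_msti))


def find_region_mismatches(bridges, reference):
    """Return {bridge: [fields that differ from the reference bridge]}."""
    ref = region_identifier(*bridges[reference])
    findings = {}
    for bridge, config in bridges.items():
        ident = region_identifier(*config)
        diffs = [f for f, mine, theirs in zip(FIELDS, ident, ref) if mine != theirs]
        if diffs:
            findings[bridge] = diffs
    return findings


# Constructed sample: four bridges intended to form one region.
SAMPLE_BRIDGES = {
    "sw1": ("Plant1", 1, {10: 1, 20: 1, 30: 2}),
    "sw2": ("Plant1", 1, {30: 2, 20: 1, 10: 1}),   # same allocation, other order
    "sw3": ("Plant1", 1, {10: 1, 20: 1, 30: 1}),   # VLAN 30 in the wrong instance
    "sw4": ("Plant1", 2, {10: 1, 20: 1, 30: 2}),   # revision level not updated
}

if __name__ == "__main__":
    for bridge, diffs in find_region_mismatches(SAMPLE_BRIDGES, "sw1").items():
        print(f"{bridge}: differs from sw1 in {', '.join(diffs)}")
```

Bridges whose triple differs do not treat each other as members of the same MST region, so a single forgotten VLAN allocation is enough to change the topology.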

 Global CIST parameter

Parameters Meaning
Hops (max.) Specifies the maximum number of bridges within the MST region in a branch to the root bridge.
Possible values:
 6..40 (default setting: 20)

Attached VLANs Displays the IDs of the VLANs that are assigned only to the global MST instance and to no other
local MST instance.
Possible values:
 ID of the statically configured VLANs
(default setting: 1)
Bridge ID Displays the bridge ID of the device.
Possible values:
 <Bridge priority> / <MAC address>
The value is made up as follows:
– Value in the Priority field. See the Switching > L2-Redundancy > Spanning Tree >
Global dialog, Bridge configuration frame.
– MAC address of the device.
Root ID Displays the bridge ID of the current CIST root bridge of the whole Layer 2 network.
Possible values:
 <Bridge priority> / <MAC address>
The device with the numerically lowest bridge ID takes over the role of the CIST root bridge in the
network. The following devices are able to take over the role of the root bridge:
 Bridges not belonging to any MST region
 Bridges belonging to the global instance of an MST region
In the whole Layer 2 network, the bridges use the time settings of the CIST root bridge, for
example Hello time [s] .
Regional root ID Displays the Bridge ID of the current root bridge that belongs to the global instance of the MST
region to which this device belongs.
Possible values:
 <Bridge priority> / <MAC address>
The values in the Regional root ID and Root ID fields are identical when the regional root
bridge has the lowest bridge ID in the whole Layer 2 network.
Root port Displays the port of the device from which the path leads to the current CIST root bridge of the
whole Layer 2 network.
Possible values:
 no Port
The device currently has the role of the root bridge.
 <Port number>
The path to the current CIST root bridge of the whole Layer 2 network leads over this port.
Root path cost Displays the path cost for the path that leads from the regional root bridge of the MST region to
the current CIST root bridge of the whole Layer 2 network.
Possible values:
 0..200000000
If the value 0 is specified, the regional root bridge simultaneously has the role of the CIST root
bridge.
For the devices within an MST region, the Root path cost values are identical.
If you do not use MSTP, the Root path cost values are identical to the root path costs of
Spanning Tree or Rapid Spanning Tree. In this case, every device considers itself to be its own
region.
Internal root path cost Displays the internal path cost for the path that leads from the root port of the device to the current
regional root bridge of the MST region.
Possible values:
 0..200000000
If the value 0 is specified, the local bridge simultaneously has the role of the current regional
root bridge.

 Table

Parameters Meaning
MSTI Displays the instance number of the local MST instance.
Attached VLANs Displays the IDs of the VLANs that are allocated to this local MST instance.
Priority Specifies the bridge priority of the local MST instance.
Possible values:
 0..61440 in steps of 4096 (default setting: 32768)
Assign the lowest numeric priority in this local MST instance to the device to make it the root
bridge.
Bridge ID Displays the bridge ID.
The device with the numerically lowest bridge ID takes over the role of the MSTI (regional) root
bridge in the instance.
Possible values:
 <Bridge priority + Number of the instance> / <MAC address>
Sum of the value in the fields Priority and MSTI / MAC address of the device
Time since topology change Displays the time that has elapsed since the last topology change within this instance.
Topology changes Displays how many times the device has put a port into the forwarding state using Spanning
Tree since the instance was started.
Topology change Displays whether the device has detected a topology change within the instance.
Possible values:
 true
The device has detected a topology change.
 false
The device has not detected a topology change.
Root ID Displays the bridge ID of the current root bridge in this instance.
Possible values:
 <Bridge ID> / <MAC address>
Root path cost Displays the path cost for the path that leads from the root port of the device to the root bridge of
the instance.
Possible values:
 0..200000000
If the value 0 is specified, the bridge is simultaneously the root bridge of the instance.
Root port Displays the port of the device from which the current path leads to the root bridge of the instance.
Possible values:
 no Port
The device currently has the role of the root bridge.
 <Port number>
The path to the current root bridge of the instance leads over this port.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Adds a new table entry.
The device supports up to 16 local instances.
Displays a sub menu with the following items.

Configure VLANs Opens the Configure VLANs dialog to allocate VLANs to the local MST instance which is
highlighted in the table.

5.9.3.3 Spanning Tree Port

In this dialog, you activate the Spanning Tree function on the ports, specify edge ports, and specify the
settings for various protection functions.

The dialog contains the following tabs:


 [CIST ]
 [Guards ]
 [MSTI <MSTI >]

[CIST ]
In this tab, you have the option to activate the Spanning Tree function on the ports individually, specify
the settings for edge ports, and view the current values. The abbreviation CIST stands for Common and
Internal Spanning Tree.

Note: Deactivate the Spanning Tree function on the ports that are participating in other Layer 2
redundancy protocols. Otherwise the redundancy protocols may operate differently from the way intended.
This can cause loops.

 Table

Parameters Meaning
Port Displays the port number.
STP active Activates/deactivates the Spanning Tree function on the port.
Possible values:
 marked (default setting)
 unmarked
If the Spanning Tree function is enabled in the device and disabled on the port, the port does not
send STP-BPDUs and drops any STP-BPDUs received.
Port state Displays the transmission status of the port.
Possible values:
 discarding
The port is blocked and forwards STP-BPDUs exclusively.
 learning
The port is blocked, but it learns the MAC addresses of received data packets.
 forwarding
The port forwards data packets.
 disabled
The port is inactive. See the Basic Settings > Port dialog, Configuration tab.
 manualFwd
The Spanning Tree function is disabled on the port. The port forwards STP-BPDUs.
 notParticipate
The port is not participating in STP.
Port role Displays the current role of the port in CIST.
Possible values:
 root
Port with the cheapest path to the root bridge.
 alternate
Port with the alternative path to the root bridge (currently interrupted).
 designated
Port for the side of the tree facing away from the root bridge.
 backup
Port receives STP-BPDUs from its own device.
 master
Port with the cheapest path to the CIST. The port is the CIST root port of the CIST Regional
Root. The port is unique in an MST region.
 disabled
The port is inactive. See the Basic Settings > Port dialog, Configuration tab.
Port path cost Specifies the path costs of the port.
Possible values:
 0..200000000 (default setting: 0)
If the value is 0, the device automatically calculates the path costs depending on the data rate of
the port.

Port priority Specifies the priority of the port.
Possible values:
 16..240 in steps of 16 (default setting: 128)
This value represents the first 4 bits of the port ID.
Received bridge ID Displays the bridge ID of the device from which this port last received an STP-BPDU.
Possible values:
 For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the possible STP problems in the network.
 For the alternate , backup , master , and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
 If a port has no connection, or if it has not received any STP-BPDUs yet, the device displays
the values that the port would send with the designated role.
Received port ID Displays the port ID of the device from which this port last received an STP-BPDU.
Possible values:
 For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the possible STP problems in the network.
 For the alternate , backup , master , and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
 If a port has no connection, or if it has not received any STP-BPDUs yet, the device displays
the values that the port would send with the designated role.
Received path cost Displays the path cost that the higher-level bridge has from its root port to the root bridge.
Possible values:
 For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the possible STP problems in the network.
 For the alternate , backup , master , and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
 If a port has no connection, or if it has not received any STP-BPDUs yet, the device displays
the values that the port would send with the designated role.
Received path cost Displays the path cost that the higher-level bridge has from its root port in the local MST instance
to the root bridge.
Admin edge port Activates/deactivates the Admin edge port mode. Use the Admin edge port mode if the port
is connected to an end device. This setting allows the edge port to change to the forwarding
state faster after linkup, which makes the end device accessible sooner.
Possible values:
 marked
The Admin edge port mode is active.
The port is connected to an end device.
– After the connection is set up, the port changes to the forwarding status without changing
to the learning status beforehand.
– If the port receives an STP-BPDU, the device deactivates the port if the BPDU Guard
function is active. See the Switching > L2-Redundancy > Spanning Tree > Global
dialog.
 unmarked (default setting)
The Admin edge port mode is inactive.
The port is connected to another STP bridge.
After the connection is set up, the port changes to the learning status before changing to the
forwarding status, if applicable.
Auto edge port Activates/deactivates the automatic detection of whether you connect an end device to the port.
The prerequisite is that the checkbox in the Admin edge port column is unmarked.
Possible values:
 marked (default setting)
The automatic detection is active.
After the installation of the connection, and after 1.5 × Hello time [s] the device sets the
port to the forwarding status (default setting 1.5 × 2 s) if the port has not received any STP-
BPDUs during this time.
 unmarked
The automatic detection is inactive.
After the installation of the connection, and after Max age the device sets the port to the
forwarding status.
(default setting: 20 s)

Oper edge port Displays whether an end device or an STP bridge is connected to the port.
Possible values:
 marked
An end device is connected to the port. The port does not receive any STP-BPDUs.
 unmarked
An STP bridge is connected to the port. The port receives STP-BPDUs.
Oper PointToPoint Displays whether the port is connected to an STP device via a direct full-duplex link.
Possible values:
 true
The port is connected directly to an STP device via a full-duplex link. The direct, decentralized
communication between 2 bridges enables short reconfiguration times.
 false
The port is connected in another way, for example via a half-duplex link or via a hub.
Port BPDU filter Activates/deactivates the filtering of STP-BPDUs on the port explicitly.
The prerequisite is that the port is a manually specified edge port. For these ports, the checkbox
in the Admin edge port column is marked.
Possible values:
 marked
The BPDU filter is active on the port.
The function excludes the port from Spanning Tree operations.
– The device does not send STP-BPDUs on the port.
– The device drops any STP-BPDUs received on the port.
 unmarked (default setting)
The BPDU filter is inactive on the port.
You have the option to globally activate the BPDU filter for every edge port. See the
Switching > L2-Redundancy > Spanning Tree > Global dialog, Bridge configuration
frame.
If the BPDU filter (all admin edge ports) checkbox is marked, then the BPDU filter is
still active on the port.
BPDU filter status Displays whether or not the BPDU filter is active on the port.
Possible values:
 marked
The BPDU filter is active on the port as a result of the following settings:
– The checkbox in the Port BPDU filter column is marked.
and/or
– The checkbox in the BPDU filter (all admin edge ports) column is marked. See the
Switching > L2-Redundancy > Spanning Tree > Global dialog, Bridge
configuration frame.
 unmarked
The BPDU filter is inactive on the port.
BPDU flood Activates/deactivates the BPDU flood mode on the port even if the Spanning Tree function is
inactive on the port. The prerequisite is that the BPDU flood mode is also active for these ports.
Possible values:
 marked
The BPDU flood mode is active.
The device floods STP-BPDUs received on the port to the ports for which the Spanning Tree
function is inactive.
 unmarked (default setting)
The BPDU flood mode is inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


[Guards]
This tab allows you to specify the settings for various protection functions on the ports.

 Table

Parameters Meaning
Port Displays the port number.
Root guard Activates/deactivates the monitoring of STP-BPDUs on the port. The prerequisite is that the Loop
guard function is inactive.
With this setting the device helps you protect your network from incorrect configurations or attacks
with STP-BPDUs that try to change the topology. This setting is relevant solely for ports with the
STP role designated .
Possible values:
 marked
The monitoring of STP-BPDUs is active.
– If the port receives an STP-BPDU with better path information to the root bridge, the device
discards the STP-BPDU and sets the status of the port to the value discarding instead of
to root .
– If there are no STP-BPDUs with better path information to the root bridge, the device resets
the status of the port after 2 × Hello time [s] .
 unmarked (default setting)
The monitoring of STP-BPDUs is inactive.
TCN guard Activates/deactivates the monitoring of "Topology Change Notifications" on the port. With this
setting the device helps you protect your network from attacks with STP-BPDUs that try to change
the topology.
Possible values:
 marked
The monitoring of "Topology Change Notifications" is enabled.
– The port ignores the Topology Change flag in received STP-BPDUs.
– If the received BPDU contains other information that causes a topology change, the device
processes the BPDU even if the TCN guard is enabled.
Example: The device receives better path information for the root bridge.
 unmarked (default setting)
The monitoring of "Topology Change Notifications" is disabled.
If the device receives STP-BPDUs with a Topology Change flag, it deletes the address table
of the port and forwards the Topology Change Notifications.
Loop guard Activates/deactivates the monitoring of loops on the port. The prerequisite is that the Root guard
function is inactive.
With this setting the device prevents loops if the port does not receive any more STP-BPDUs. Use
this setting solely for ports with the STP role alternate , backup or root .
Possible values:
 marked
The monitoring of loops is active. This prevents loops for example if you disable the Spanning
Tree function on the remote device or if the connection is interrupted solely in the receiving
direction.
– If the port does not receive any STP-BPDUs for a while, the device sets the status of the
port to the value discarding and the value in the Loop state column to true .
– If the port then receives STP-BPDUs again, the device sets the status of the port to a value
according to Port role and the value in the Loop state column to false .
 unmarked (default setting)
The monitoring of loops is inactive.
If the port does not receive any STP-BPDUs for a while, the device sets the status of the port
to the value forwarding .

Loop state Displays whether the loop state of the port is inconsistent.
Possible values:
 true
The loop state of the port is inconsistent:
– The port is not receiving any STP-BPDUs and the Loop guard function is enabled.
– The device sets the state of the port to the value discarding . The device thus prevents
any potential loops.
 false
The loop state of the port is consistent. The port receives STP-BPDUs.
Trans. into loop Displays how many times the device has set the value in the Loop state column from false to
true .
Trans. out of loop Displays how many times the device has set the value in the Loop state column from true to
false .
BPDU guard effect Displays whether the port received an STP-BPDU as an edge port.
Prerequisite:
– The port is a manually specified edge port. In the Port dialog, the checkbox for this port in the
Admin edge port column is marked.
– In the Switching > L2-Redundancy > Spanning Tree > Global dialog, the BPDU Guard
function is active.
Possible values:
 marked
The port is an edge port and received an STP-BPDU.
The device deactivates the port. For this port, in the Basic Settings > Port dialog,
Configuration tab the checkbox in the Port on column is unmarked.
 unmarked
The port is an edge port and has not received any STP-BPDUs, or the port is not an edge port.
To reset the status of the port to the value forwarding , you proceed as follows:
 If the port is still receiving BPDUs:
– In the CIST tab, unmark the checkbox in the Admin edge port column.
or
– In the Switching > L2-Redundancy > Spanning Tree > Global dialog, unmark the
BPDU guard checkbox.
 To activate the port, proceed as follows:
– Open the Basic Settings > Port dialog, Configuration tab.
– Mark the checkbox in the Port on column.
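The prerequisites and role restrictions stated for the CIST and Guards tabs can be checked mechanically against a port table. The following is an added example, not Hirschmann code: the `StpPort` field names, the finding codes, the port names and the sample rows are assumptions constructed for illustration, and the two global settings stand for the BPDU Guard and BPDU filter (all admin edge ports) checkboxes of the Global dialog.

```python
from dataclasses import dataclass

# Finding codes, each tied to a statement in the parameter tables above.
RULES = {
    "ROOT_LOOP_CONFLICT": "Root guard and Loop guard both marked; each requires the other to be inactive",
    "ROOT_GUARD_ROLE": "Root guard is relevant solely for ports with the role designated",
    "LOOP_GUARD_ROLE": "Loop guard is meant solely for the roles alternate, backup or root",
    "FILTER_NOT_EDGE": "Port BPDU filter marked although Admin edge port is unmarked",
    "FILTER_ACTIVE": "BPDU filter status marked: port is excluded from Spanning Tree operations",
    "EDGE_NO_BPDU_GUARD": "Admin edge port forwards right after linkup and BPDU Guard is off globally",
}


@dataclass
class StpPort:
    """One row of the Port dialog; the field names are assumptions."""
    port: str
    role: str                  # root, alternate, designated, backup, master, disabled
    admin_edge: bool = False   # CIST tab, Admin edge port
    bpdu_filter: bool = False  # CIST tab, Port BPDU filter
    root_guard: bool = False   # Guards tab
    loop_guard: bool = False   # Guards tab


def bpdu_filter_status(p, filter_all_edge):
    """BPDU filter status column: the per-port checkbox and/or the global
    'BPDU filter (all admin edge ports)' checkbox on an admin edge port."""
    return p.bpdu_filter or (filter_all_edge and p.admin_edge)


def audit(ports, bpdu_guard, filter_all_edge):
    """Return (port, code) findings for the rows and the two global settings."""
    findings = []
    for p in ports:
        if p.role == "disabled":
            continue  # inactive port, nothing to evaluate
        if p.root_guard and p.loop_guard:
            findings.append((p.port, "ROOT_LOOP_CONFLICT"))
        if p.root_guard and p.role != "designated":
            findings.append((p.port, "ROOT_GUARD_ROLE"))
        if p.loop_guard and p.role not in ("alternate", "backup", "root"):
            findings.append((p.port, "LOOP_GUARD_ROLE"))
        if p.bpdu_filter and not p.admin_edge:
            findings.append((p.port, "FILTER_NOT_EDGE"))
        if bpdu_filter_status(p, filter_all_edge):
            findings.append((p.port, "FILTER_ACTIVE"))
        if p.admin_edge and not bpdu_guard:
            findings.append((p.port, "EDGE_NO_BPDU_GUARD"))
    return findings


# Constructed sample rows (not taken from a real device).
SAMPLE_PORTS = [
    StpPort("1/1", "root", loop_guard=True),            # uplink, consistent
    StpPort("1/2", "designated", root_guard=True),      # downlink, consistent
    StpPort("1/3", "designated", admin_edge=True),      # end-device port
    StpPort("1/4", "designated", bpdu_filter=True),     # filter without edge mode
    StpPort("1/5", "designated", root_guard=True, loop_guard=True),
    StpPort("1/6", "alternate", root_guard=True),
]

if __name__ == "__main__":
    for port, code in audit(SAMPLE_PORTS, bpdu_guard=False, filter_all_edge=False):
        print(f"{port}: {code}: {RULES[code]}")
```
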


 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[MSTI <MSTI >]


This tab allows you to specify the settings on the ports for path costs and priority in the local MST
instance, and to view current values.

 Table

Parameters Meaning
Port Displays the port number.
Port state Displays the transmission status of the port.
Possible values:
 discarding
The port is blocked and forwards STP-BPDUs exclusively.
 learning
The port is blocked, but it learns the MAC addresses of received data packets.
 forwarding
The port forwards data packets.
 disabled
The port is inactive. See the Basic Settings > Port dialog, Configuration tab.
 manualFwd
The Spanning Tree function is disabled on the port.
The port forwards STP-BPDUs.
 notParticipate
The port is not participating in STP.
Port role Specifies the current role of the port in the local instance.
Possible values:
 root
Port with the cheapest path to the root bridge.
 alternate
Port with the alternative path to the root bridge (currently interrupted).
 designated
Port for the side of the tree averted from the root bridge.
 backup
Port which receives STP-BPDUs from its own device.
 master
Port with the cheapest path to the CIST. The port is the CIST root port of the CIST Regional
Root. The port is unique in an MST region.
 disabled
The port is inactive. See the Basic Settings > Port dialog, Configuration tab.
Port path cost Specifies the path costs of the port in the local instance.
Possible values:
 0..200000000 (default setting: 0)
If the value is 0, the device automatically calculates the path costs depending on the data rate
of the port.
Port priority Specifies the priority of the port in the local instance.
Possible values:
 16..240 in steps of 16 (default setting: 128)

Received bridge ID Displays the bridge ID of the device from which this port last received an STP-BPDU in the local
instance.
Received port ID Displays the port ID of the device from which this port last received an STP-BPDU.
Possible values:
 For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the possible STP problems in the network.
 For the alternate , backup , master , and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
 If a port has no connection, or if it has not received any STP-BPDUs yet, the device displays
the values that the port would send with the designated role.
Received path cost Displays the path cost that the higher-level bridge has from its root port to the root bridge.
Possible values:
 For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the possible STP problems in the network.
 For the alternate , backup , master , and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
 If a port has no connection, or if it has not received any STP-BPDUs yet, the device displays
the values that the port would send with the designated role.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


Switching > L2-Redundancy > Link Aggregation

5.9.4 Link Aggregation

IEEE 802.1AX defines a Link Aggregation Group (LAG) as the combination of 2 or more full-duplex
point-to-point links operating at the same rate on a single switch to increase bandwidth. Furthermore,
Link Aggregation provides redundancy. When a link goes down, the remaining links in the LAG continue
to forward the traffic.
The device uses a hash function to determine load balancing across the port group. The device
distributes packets on a LAG interface according to the information contained in tags of the packet,
for example MAC, IP, and port information.
Link Aggregation Control Protocol Data Units (LACPDUs), which the Actor periodically sends to a
Partner, contain 2 fields with 8 binary bits of information each. The fields describe the state of the
Actor and what the Actor knows about the Partner. The 8 bits contain information about the state of the
Actor and Partner. The port transmits LACPDUs when in the active state. In the passive state, the port
transmits LACPDUs solely when requested.

 Configuration

Parameters Meaning
Hashing option Specifies the Link Aggregation Hashing option on the device. The device uses the information
contained in packets and frames to generate a port number. The device looks for information tags
in a packet and depending on the tags, for example MAC, IP, and port, chooses an egress port.
The device tags the outgoing traffic with the port number.
Possible values:
 sourceMacVlan
The device uses the Source MAC address, VLAN ID, Ethertype, and outgoing port fields of the
packet as a tag.
 destMacVlan
The device uses the Destination MAC address, VLAN ID, Ethertype, and outgoing port fields
of the packet as a tag.
 sourceDestMacVlan (default setting)
The device uses the Source/Destination MAC address, VLAN ID, Ethertype, and outgoing port
fields of the packet as a tag.
 sourceIPsourcePort
The device uses the Source IP address and Source TCP/UDP port fields of the packet as a tag.
 destIPdestPort
The device uses the Destination IP address and Destination TCP/UDP port fields of the packet
as a tag.
 sourceDestIPPort
The device uses the Source/Destination IP address and source/destination TCP/UDP port
fields of the packet as a tag.

 Table

Parameters Meaning
Trunk port Displays the Link Aggregation port number.
Name Specifies the name of the Link Aggregation Group.
Possible values:
 Alphanumeric ASCII character string with 1..15 characters

Active Activates/deactivates Link Aggregation Group.
Possible values:
 marked (default setting)
The LAG instance is in an "up" state and processes traffic according to the specified values.
 unmarked
The LAG instance, including the member ports, is in a "down" state. The member ports remain
in the LAG instance and block traffic.
STP active Activates/deactivates the Spanning Tree protocol on this LAG interface. After you create the Link
Aggregation instance in the table the device automatically adds the port to the Switching > L2-
Redundancy > Spanning Tree > Port dialog.
Possible values:
 marked (default setting)
Enabling the STP mode in this dialog also enables the port in the Switching > L2-
Redundancy > Spanning Tree > Port dialog.
 unmarked
Disabling the STP mode in this dialog also disables the port in the Switching > L2-
Redundancy > Spanning Tree > Port dialog.
The prerequisite is that you enable the function globally in the Switching > L2-Redundancy >
Spanning Tree > Global dialog.
Static link aggregation Activates/deactivates the Static link aggregation function on the LAG interface.
Possible values:
 marked
When enabled, the Static link aggregation function provides a stable network and the
administrator manually propagates the aggregation status of the port.
 unmarked (default setting)
The device propagates the aggregation status of the port automatically.
Hashing option Specifies the link aggregation tag on the LAG interface.
Possible values:
 sourceMacVlan
The device uses the source MAC address, VLAN, Ethertype, and incoming port associated
with the packet as a tag.
 destMacVlan
The device uses the destination MAC address, VLAN, Ethertype, and incoming port
associated with the packet as a tag.
 sourceDestMacVlan (default setting)
The device uses the source/destination MAC address, VLAN, Ethertype, and incoming port
associated with the packet as a tag.
 sourceIPsourcePort
The device uses the Source IP address and Source TCP/UDP port fields of the packet as a tag.
 destIPdestPort
The device uses the Destination IP address and Destination TCP/UDP port fields of the packet
as a tag.
 sourceDestIPPort
The device uses the Source/Destination IP address and source/destination TCP/UDP port
fields of the packet as a tag.
MTU Specifies the maximum allowed size of Ethernet packets on the interface in bytes.
Possible values:
 1518..12288 (default setting: 1518)
With the setting 1518, the port transmits the Ethernet packets up to the following size:
– 1518 bytes without VLAN tag
(1514 bytes + 4 bytes CRC)
– 1522 bytes with VLAN tag
(1518 bytes + 4 bytes CRC)
This setting allows you to increase the size of the Ethernet packets for specific applications.

Active ports (min.) Specifies how many active ports the device uses for the Link Aggregation group.
Possible values:
 1..2 (default setting: 2)
 1..4 (default setting: 4)

Note: The actual number of ports available depends on the device.


Type Displays the type of Link Aggregation group used.
Possible values:
 static
The device uses static aggregation on the port, Static link aggregation enabled.
 dynamic
The device uses dynamic aggregation on the port, Static link aggregation disabled.
Send trap (Link up/down) Activates/deactivates the sending of SNMP traps when the device detects changes in the
link up/down status on this interface.
Possible values:
 marked (default setting)
The sending of SNMP traps is active.
The device sends an SNMP trap when it detects a link up/down status change.
 unmarked
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
LACP admin key Specifies the administrative value of the local key on this LAG.
The aggregator uses the administrative key to group links in a set. It is possible to have the
administrative key value differ from the operational key value.
Possible values:
 0..65535 (default setting: 0)
LACP collector max. delay [µs] Specifies the Frame Collector maximum delay time in microseconds.
The LAG uses a Frame Collector to pass frames to the MAC client in the order that the port
receives them. The collector delays either delivering the frame to its MAC client or discarding the
frame according to this value.
Possible values:
 0..65535 (default setting: 0)
Port Displays the port members of the LAG instance.
Status Displays the LAG status of the port.
Possible values:
 active
The port is actively participating in the LAG instance.
 inactive
The port is a non-participant in the LAG instance.
LACP active Activates/deactivates LACP on this port.
Possible values:
 marked (default setting)
The port actively participates in the LAG.
 unmarked
The port is a non-participant in the LAG.
LACP port actor admin key Specifies the administrative key value for the aggregation port.
The LAG uses keys to assign membership to local ports on the Actor device. Specify the same
key value for the actor ports participating in the same LAG.
Possible values:
 0..65535 (default setting: 0)
When the port is in a LAG, then set this value to correspond with the LAG operational key.

LACP actor admin state Specifies the administrative values of the Actor State transmitted in LACPDUs.
You have the option to combine the values with each other. This allows you administrative control
over the LACPDU parameters. In the drop-down list, select one or more values.
Possible values:
 lacpActivity
Specifies whether the port is an active or passive participant. An active participant transmits
LACPDUs periodically. A passive participant transmits LACPDUs when requested. When
selected you set the parameter to active participant.
 lacpTimeout
The Actor periodically transmits LACPDUs at either a slow or fast transmission rate depending
on the preference of the partner. You set the parameter to either long timeout or short timeout.
When selected you set the parameter to short timeout.
 aggregation
Specifies whether the port is a potential candidate for aggregation or for an individual link.
When selected you set the parameter to aggregatable.
 -
The state is unspecified.
When the parameter is unspecified the device displays the following values for the LACPDU
parameters:
– synchronization
The system considers this link to be allocated to the correct LAG, and the group is associated
with a compatible aggregator. Furthermore, the identity of the LAG is consistent with the
system ID, and operational key information transmitted.
– collecting
Collection of incoming frames on this link is definitely enabled. For example, collection is
currently enabled and remains enabled in the absence of administrative changes or changes
in the received protocol information.
– distributing
Distribution is currently disabled and remains disabled in the absence of administrative
changes or changes in received protocol information.
– defaulted
The LACPDUs received by the actor are using the statically configured partner information.
– expired
The LACPDUs received by the actor are in the expired state.
LACP actor port priority Specifies the LACP actor port priority value for this port.
Possible values:
 0..65535 (default setting: 128)
The port with the lower value has the higher priority.
LACP partner port admin key Specifies the default value for the partner key, assigned by administrator or
system policy for use when information about the partner is unknown or expired.
The LAG uses keys to assign membership to partner ports. Specify the same key value for the
local partners participating in the same LAG.
Possible values:
 0..65535 (default setting: 0)
If the port is alone in a LAG, then set this value to 0. When the port is in a LAG, then set this
value to correspond with the LAG operational key.
To manage the partner ports, you use this parameter in conjunction with the settings in the
following columns:
– LACP partner admin port
– LACP partner admin port priority
– LACP partner admin SysID
– LACP partner admin sys priority

LACP partner admin state Specifies the partner administrative state values.
You have the option to combine the values with each other which allows you administrative control
over the LACPDU parameters. In the drop-down list, select one or more values.
Possible values:
 lacpActivity
Specifies whether the port is an active or passive participant. An active participant transmits
LACPDUs periodically. A passive participant transmits LACPDUs when requested. When
selected you set the parameter to active.
 lacpTimeout
The Actor periodically transmits LACPDUs at either a slow or fast transmission rate depending
on the preference of the Partner. You set the parameter to either long timeout or short timeout.
When selected you set the parameter to short timeout.
 aggregation
Specifies whether the port is a potential candidate for aggregation or for an individual link.
When selected you set the parameter to aggregatable.
 -
The state is unspecified.
Possible values:
 synchronization
The system considers this link to be allocated to the correct LAG, and the group is associated
with a compatible aggregator. Furthermore, the identity of the LAG is consistent with the
system ID, and operational key information transmitted.
 collecting
Collection of incoming frames on this link is definitely enabled. For example, collection is
currently enabled and remains enabled in the absence of administrative changes or changes
in the received protocol information.
 distributing
Distribution is currently disabled and remains disabled in the absence of administrative
changes or changes in received protocol information.
 defaulted
The LACPDUs received by the actor are using the statically configured partner information.
 expired
The LACPDUs received by the partner are in the expired state.
LACP partner admin port Specifies the port number of the partner port.
Possible values:
 0..65535 (default setting: 0)
To manage the partner ports, you use this parameter in conjunction with the settings in the
following columns:
– LACP partner port admin key
– LACP partner admin port priority
– LACP partner admin SysID
– LACP partner admin sys priority
LACP partner admin port priority Specifies the port priority for the partner port.
Possible values:
 0..65535 (default setting: 0)
The port with the lower value has the higher priority.
To manage the partner ports, you use this parameter in conjunction with the settings in the
following columns:
– LACP partner port admin key
– LACP partner admin port
– LACP partner admin SysID
– LACP partner admin sys priority

LACP partner admin SysID Specifies a MAC Address value representing the Partner System ID.
Possible values:
 Valid MAC address (default setting: 00:00:00:00:00:00)
To manage the partner ports, you use this parameter in conjunction with the settings in the
following columns:
– LACP partner port admin key
– LACP partner admin port
– LACP partner admin port priority
– LACP partner admin sys priority
LACP partner admin sys priority Specifies the default value for the system priority component of the system
identifier of the partner, assigned by administrator or system policy for use when the information from
the partner is unknown or expired.
Possible values:
 0..65535 (default setting: 0)
The port with the lower value has the higher priority.
To manage the partner ports, you use this parameter in conjunction with the settings in the
following columns:
– LACP partner port admin key
– LACP partner admin port
– LACP partner admin port priority
– LACP partner admin SysID
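The actor and partner parameters in the table above (system priority, SysID, key, port priority, port, state, collector max. delay) are the fields a LACPDU carries on the wire. The following added example, which is not part of the manual or of HiOS, parses a LACPDU and decodes the two state octets; the field layout and bit order follow IEEE 802.1AX, while the function names, dictionary keys and the sample frames are assumptions constructed for illustration.

```python
import struct

# Bit 0..7 of the Actor/Partner state octet (IEEE 802.1AX), using the value
# names from the LACP actor admin state parameter above.
STATE_BITS = ("lacpActivity", "lacpTimeout", "aggregation", "synchronization",
              "collecting", "distributing", "defaulted", "expired")

# Actor/Partner TLV: type, length, system priority, system ID, key,
# port priority, port, state, 3 reserved octets (20 octets in total).
_INFO = struct.Struct("!BBH6sHHHB3x")
_COLLECTOR = struct.Struct("!BBH12x")   # type, length, max. delay, reserved
LACPDU_LEN = 110                        # octets following EtherType 0x8809


def decode_state(octet):
    """Return the names of the bits set in a state octet, lowest bit first."""
    return [name for bit, name in enumerate(STATE_BITS) if (octet >> bit) & 1]


def _info(buf, offset, tlv_type):
    t, length, sys_prio, sys_id, key, port_prio, port, state = \
        _INFO.unpack_from(buf, offset)
    if (t, length) != (tlv_type, _INFO.size):
        raise ValueError(f"unexpected TLV {t:#04x}/{length} at offset {offset}")
    return {"sys_priority": sys_prio,
            "system": ":".join(f"{b:02x}" for b in sys_id),
            "key": key, "port_priority": port_prio, "port": port,
            "state": decode_state(state)}


def parse_lacpdu(payload):
    """Parse the octets that follow the Slow Protocols EtherType."""
    if len(payload) < LACPDU_LEN:
        raise ValueError("truncated LACPDU")
    if payload[0] != 0x01:
        raise ValueError("Slow Protocols subtype is not LACP")
    t, length, max_delay = _COLLECTOR.unpack_from(payload, 42)
    if (t, length) != (0x03, _COLLECTOR.size):
        raise ValueError("collector TLV missing")
    return {"version": payload[1],
            "actor": _info(payload, 2, 0x01),
            "partner": _info(payload, 22, 0x02),
            "collector_max_delay": max_delay}


def diagnose(pdu):
    """Flag sender states that explain why a link does not join the LAG."""
    state = pdu["actor"]["state"]
    notes = []
    if "defaulted" in state:
        notes.append("sender uses statically configured partner information")
    if "expired" in state:
        notes.append("sender's partner information is in the expired state")
    if "synchronization" not in state:
        notes.append("sender does not consider the link allocated to the LAG")
    return notes


def build_sample(actor_state, partner_state, partner_system=bytes(6), partner_key=0):
    """Constructed LACPDU with made-up addresses, for offline use only."""
    actor = _INFO.pack(0x01, 20, 32768, bytes.fromhex("020000000001"),
                       1, 128, 3, actor_state)
    partner = _INFO.pack(0x02, 20, 0, partner_system, partner_key, 0, 0,
                         partner_state)
    # subtype, version, actor, partner, collector, terminator + reserved
    return (bytes([0x01, 0x01]) + actor + partner
            + _COLLECTOR.pack(0x03, 16, 0) + bytes(52))


SAMPLE_DEFAULTED = build_sample(0x45, 0x00)
SAMPLE_IN_SYNC = build_sample(0x3D, 0x3D, bytes.fromhex("020000000002"), 1)

if __name__ == "__main__":
    for frame in (SAMPLE_DEFAULTED, SAMPLE_IN_SYNC):
        pdu = parse_lacpdu(frame)
        print(pdu["actor"]["state"], pdu["partner"]["system"], diagnose(pdu))
```
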

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.
 In the Trunk port drop-down list you select the port number of the Link Aggregation Group
trunk.
 In the Port drop-down list you select the port to assign to the interface.


Switching > L2-Redundancy > Link Backup

5.9.5 Link Backup

With Link Backup, you configure pairs of redundant links. Each pair has a primary port and a backup
port. The primary port forwards traffic until the device detects an error. When the device detects an error
on the primary port, the Link Backup function transfers traffic over to the backup port.
The dialog also allows you to set a fail back option. When you enable the fail back function and the
primary port returns to normal operation, the device first blocks traffic on the backup port and then
forwards traffic on the primary port. This process helps protect the device from causing loops in the
network.

 Operation

Parameters Meaning
Operation Enables/disables the Link Backup function globally on the device.
Possible values:
 On
Enables the Link Backup function.
 Off (default setting)
Disables the Link Backup function.

 Table

Parameters Meaning
Primary port Displays the primary port of the interface pair. When you enable the Link Backup function this port
is responsible for forwarding traffic.
Possible values:
 Physical ports
Backup port Displays the backup port on which the device forwards traffic when the device detects an error on
the primary port.
Possible values:
 Physical ports except for the port you set as the primary port.
Description Specifies the Link Backup pair. Enter a name to identify the Backup pair.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Primary port status Displays the status of the primary port for this Link Backup pair.
Possible values:
 forwarding
The link is up, no shutdown, and forwarding traffic.
 blocking
The link is up, no shutdown, and blocking traffic.
 down
The port is either link down, cable unplugged, or disabled in software, shutdown.
 unknown
The Link Backup feature is globally disabled, or the port pair is inactive. Therefore, the device
ignores the port pair settings.

Backup port status Displays the status of the Backup port for this Link Backup pair.
Possible values:
 forwarding
The link is up, no shutdown, and forwarding traffic.
 blocking
The link is up, no shutdown, and blocking traffic.
 down
The port is either link down, cable unplugged, or disabled in software, shutdown.
 unknown
The Link Backup feature is globally disabled, or the port pair is inactive. Therefore, the device
ignores the port pair settings.
Fail back Activates/deactivates the automatic fail back.
Possible values:
 marked (default setting)
The automatic fail back is active.
After the delay timer expires, the backup port changes to blocking and the primary port
changes to forwarding .
 unmarked
The automatic fail back is inactive.
The backup port continues forwarding traffic even after the primary port re-establishes a link
or you manually change the admin status of the primary port from shutdown to no shutdown.
Fail back delay [s] Specifies the delay time in seconds that the device waits after the primary port re-establishes a
link. Furthermore, this timer also applies when you manually set the admin status of the primary
port from shutdown to no shutdown. After the delay timer expires, the backup port changes to
blocking and the primary port changes to forwarding.
Possible values:
 0..3600 (default setting: 30)
When set to 0, immediately after the primary port re-establishes a link, the backup port
changes to blocking and the primary port changes to forwarding. Furthermore, immediately
after you manually set the admin status of the primary port from shutdown to no shutdown, the
backup port changes to blocking and the primary port changes to forwarding.
Active Activates/deactivates the Link Backup pair configuration.
Possible values:
 marked
The Link Backup pair is active. The device senses the link and administration status and
forwards traffic according to the pair configuration.
 unmarked (default setting)
The Link Backup pair is inactive. The ports forward traffic according to standard switching.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

 Create

Parameters Meaning
Primary port Specifies the primary port of the backup interface pair. During normal operation this port is
responsible for forwarding the traffic.
Possible values:
 Physical ports
Backup port Specifies the backup port to which the device transfers the traffic when the device detects an
error on the primary port.
Possible values:
 Physical ports except for the port you set as the primary port.

Switching > L2-Redundancy > FuseNet

5.9.6 FuseNet™

FuseNet™ is a family of Hirschmann proprietary protocols which allows you to couple the following
networks:
 MRP
 HIPER Ring
 RSTP

Note: When you use the Ring/Network Coupling protocol to couple networks, verify that the networks
only contain Hirschmann devices.
Use the following table to select the FuseNet coupling protocol:
Rows: main ring. Columns: connected network.

Main Ring  | MRP         | RSTP | HIPER ring | Fast MRP 2) | DLR 2)
MRP        | Sub Ring 1) | Redundant Coupling Protocol, Ring/Network Coupling | Redundant Coupling Protocol, Ring/Network Coupling | Ring/Network Coupling | Redundant Coupling Protocol, Ring/Network Coupling
HIPER ring | Sub Ring    | Redundant Coupling Protocol, Ring/Network Coupling | Ring/Network Coupling | Redundant Coupling Protocol, Ring/Network Coupling | Redundant Coupling Protocol, Ring/Network Coupling
RSTP       | Redundant Coupling Protocol | – | Redundant Coupling Protocol | Redundant Coupling Protocol | Redundant Coupling Protocol

Explanation:
– no suitable coupling protocol
1) with MRP configured on different VLANs
2) depending on the device configuration

The menu contains the following dialogs:


 Sub Ring
 Ring/Network Coupling
 Redundant Coupling Protocol

Switching > L2-Redundancy > FuseNet > Sub Ring

5.9.6.1 Sub Ring

This dialog allows you to set up the device as a subring manager.


The subring function enables you to easily couple network segments to existing redundancy rings. The
subring manager (SRM) couples a subring to an existing ring (base ring).
In the subring you can use any devices that support MRP as ring participants. These devices do not
require a subring manager function.
When setting up subrings, remember the following rules:
 The device supports Link Aggregation in the subring
 No spanning tree on subring ports
 Same MRP domain on devices within a subring
 Different VLANs for base ring and subring
Specify the VLAN settings as follows:
 VLAN X for base ring
– on the ring ports of the base ring participants
– on the base ring ports of the subring manager
 VLAN Y for subring
– on the ring ports of the subring participants
– on the subring ports of the subring manager

Note: To avoid loops, only close the redundant line when the settings are specified in every device
participating in the ring.

 Operation

Parameters Meaning
Operation Enables/disables the subring function.
Possible values:
 On
The subring function is enabled.
 Off (default setting)
The subring function is disabled.

 Information

Parameters Meaning
Table entries (max.) Displays the maximum number of subrings supported by the device.

 Table

Parameters Meaning
Sub ring ID Displays the unique identifier of this subring.
Possible values:
 1..20

Name Specifies the optional name of the subring.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Active Activates/deactivates the subring.
Activate the subring when the configuration of every subring device is complete. Close the subring
only after activating the subring function.
Possible values:
 marked
The subring is active.
 unmarked (default setting)
The subring is inactive.
Configuration status Displays the operational state of the subring configuration.
Possible values:
 noError
The device detects an acceptable subring configuration.
 ringPortLinkError
– The ring port has no link.
– One of the subring lines is connected to another port of the device. But the subring line
is not connected to one of the ring ports of the device.
 multipleSRM
The subring manager receives packets from more than one subring manager in the subring.
 noPartnerManager
The subring manager receives its own frames.
 concurrentVLAN
The MRP protocol in the base ring uses the VLAN of the subring manager domain.
 concurrentPort
Another redundancy protocol uses the ring port of the subring manager domain.
 concurrentRedundancy
The subring manager domain is inactive because another redundancy protocol is active.
 trunkMember
The ring port of the subring manager domain is a member of a Link Aggregation connection.
 sharedVLAN
The subring manager domain is inactive because shared VLAN is active and the main ring also
uses the MRP protocol.
Redundancy available Displays the operational state of the ring redundancy in the subring.
Possible values:
 redGuaranteed
Redundancy reserve is available.
 redNotGuaranteed
Loss of redundancy reserve.
Port Specifies the port that connects the device to the subring.
Possible values:
 <Port number>
SRM mode Specifies the mode of the subring manager.
A subring has 2 managers simultaneously that couple the subring to the base ring. As long as the
subring is physically closed, 1 manager blocks its subring port.
Possible values:
 manager (default setting)
The subring port forwards data packets.
When this value is set on both devices that couple the subring to the base ring, the device with
the higher MAC address functions as the redundantManager.
 redundantManager
The subring port is blocked while the subring is physically closed. If the subring is interrupted,
the subring port transmits the data packets.
When this value is set on both devices that couple the subring to the base ring, the device with
the higher MAC address functions as the redundantManager.
 singleManager
Use this value when the subring is coupled to the base ring via one single device. The
prerequisite is that there are 2 instances of the subring in the table. Assign this value to both
instances. The subring port of the instance with the higher port number is blocked while the
subring is physically closed.

SRM status Displays the current mode of the subring manager.
Possible values:
 manager
The subring port forwards data packets.
 redundantManager
The subring port is blocked while the subring is physically closed. If the subring is interrupted,
the subring port transmits the data packets.
 singleManager
The subring is coupled to the base ring via one single device. The subring port of the instance
with the higher port number is blocked while the subring is physically closed.
 disabled
The subring is inactive.
Port status Displays the connection status of the subring port.
Possible values:
 forwarding
The port is passing frames according to the forwarding behavior of IEEE 802.1D.
 disabled
The port is dropping every frame.
 blocked
The port is dropping every frame with the exception of the following cases:
– The port passes frames used by the selected ring protocol specified to pass blocked ports.
– The port passes frames from other protocols specified to pass blocked ports.
 not-connected
The port link is down.
VLAN Specifies the VLAN to which this subring is assigned. If no VLAN exists under the VLAN ID
entered, the device automatically creates it.
Possible values:
 Available configured VLANs (default setting: 0)
If you do not want to use a separate VLAN for this subring, you leave the entry as 0.
Partner MAC Displays the MAC address of the subring manager at the other end of the subring.
MRP domain Specifies the MRP domain of the subring manager. Assign the same MRP domain name to every
member of a subring. If you use Hirschmann devices exclusively, you use the default value for the
MRP domain; otherwise adjust this value if necessary. With multiple subrings, the function allows
you to use the same MRP domain name for the subrings.
Possible values:
 Permitted MRP domain names (default setting:
255.255.255.255.255.255.255.255.255.255.255.255.255.255.255.255)
Protocol Specifies the protocol.
Possible values:
 iec-62439-mrp

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Switching > L2-Redundancy > FuseNet > Ring/Network Coupling

5.9.6.2 Ring/Network Coupling

You use the Ring/Network Coupling function to redundantly couple an existing HIPER ring, MRP ring,
or Fast HIPER ring to another network or another ring. Verify that the coupling partners are Hirschmann
devices.

Note: With two-switch coupling, verify that you have configured a HIPER ring, MRP ring, or Fast HIPER
ring before configuring the Ring/Network Coupling function.

In the Ring/Network Coupling dialog, you can perform the following tasks:
 display an overview of the existing Ring/Network Coupling
 configure a Ring/Network Coupling
 create a new Ring/Network Coupling
 delete Ring/Network Coupling
 enable/disable Ring/Network Coupling
When configuring the coupling ports, specify the following settings in the Basic Settings > Port
dialog:

Port type | Bit rate   | Automatic configuration | Port on | Manual configuration
TX        | 100 Mbit/s | unmarked                | marked  | 100 Mbit/s FDX
TX        | 1 Gbit/s   | –                       | marked  | –
Optical   | 100 Mbit/s | unmarked                | marked  | 100 Mbit/s FDX
Optical   | 1 Gbit/s   | –                       | marked  | –

Note: The operating modes of the port actually available depend on the device configuration and the
media module used.
If you have configured VLANs, note the VLAN configuration of the coupling and partner coupling ports.
In the Ring/Network Coupling configuration, select the following values for the coupling and partner
coupling ports:
 VLAN ID 1 and Ingress filtering disabled in the port table
 VLAN membership T in the VLAN Configuration table
Independently of the VLAN settings, the device sends the ring coupling frames with VLAN ID 1 and
priority 7. Verify that the device sends VLAN 1 frames tagged in the local ring and in the connected
network. Tagging the VLAN frames maintains the priority of the ring coupling frames.

Note: Avoid operating the Ring manager function and the two-switch coupling method on the same
device. This can cause loops.
The Ring/Network Coupling function operates with test packets. The devices send their test packets
VLAN-tagged, including the VLAN ID 1 and the highest VLAN priority 7. If the forwarding port is an
untagged member in VLAN 1, then the device also sends test packets.
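
Why the coupling ports need tagged (T) membership in VLAN 1, as an added example that is not part of the original manual: the priority is carried in the 802.1Q tag, so a port that sends VLAN 1 untagged removes it. The MAC addresses, the EtherType 0x88B5 and the payload are constructed placeholders (the manual does not give the coupling frame layout), and the function names are hypothetical.

```python
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q tag protocol identifier
COUPLING_VID = 1      # from the manual: coupling frames use VLAN ID 1
COUPLING_PCP = 7      # from the manual: coupling frames use priority 7


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vid is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vid is not None:
        if not (0 <= vid <= 0xFFF and 0 <= pcp <= 7 and dei in (0, 1)):
            raise ValueError("VID, PCP or DEI out of range")
        # TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)
        tci = (pcp << 13) | (dei << 12) | vid
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_tag(frame):
    """Return the tag fields of a tagged frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def egress(frame, untagged_vids):
    """Model port egress: an untagged member strips the 4-byte tag."""
    tag = parse_tag(frame)
    if tag is not None and tag["vid"] in untagged_vids:
        return frame[:12] + frame[16:]
    return frame


def check_coupling_frame(frame):
    """Classify a captured frame against the VLAN 1 / priority 7 setting."""
    tag = parse_tag(frame)
    if tag is None:
        return "untagged: no PCP field on the wire, priority is lost"
    if tag["vid"] != COUPLING_VID:
        return "wrong VLAN ID %d" % tag["vid"]
    if tag["pcp"] != COUPLING_PCP:
        return "wrong priority %d" % tag["pcp"]
    return "ok"


# Constructed sample input: placeholder addresses, EtherType and payload.
DST = bytes.fromhex("020000000001")
SRC = bytes.fromhex("020000000002")
PLACEHOLDER_ETHERTYPE = 0x88B5  # IEEE 802 local experimental EtherType
SAMPLE = build_frame(DST, SRC, PLACEHOLDER_ETHERTYPE, b"\x00" * 46,
                     vid=COUPLING_VID, pcp=COUPLING_PCP)

if __name__ == "__main__":
    cases = (("tagged (T) member of VLAN 1", set()),
             ("untagged member of VLAN 1", {1}))
    for label, untagged in cases:
        out = egress(SAMPLE, untagged)
        print(label, out[12:16].hex(), check_coupling_frame(out))
```

Run against frames captured on the coupling line, `check_coupling_frame` separates a tagging misconfiguration from a wrong VLAN ID or priority.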

 Operation

Parameters Meaning
Operation Enables/disables the Ring/Network Coupling function.
Possible values:
 On
The Ring/Network Coupling function is enabled.
 Off (default setting)
The Ring/Network Coupling function is disabled.

 Mode

Parameters Meaning
Type Specifies the method used to couple the networks together.
Possible values:
 one-switch coupling
Allows you to specify the port settings in the Coupling port and Partner coupling port
frames.
 two-switch coupling, master
Allows you to specify the port settings in the Coupling port frame.
 two-switch coupling, slave
Allows you to specify the port settings in the Coupling port frame.
 two-switch coupling with control line, master
Allows you to specify the port settings in the Coupling port and Control port frames.
 two-switch coupling with control line, slave
Allows you to specify the port settings in the Coupling port and Control port frames.

 Coupling port

Parameters Meaning
Port Specifies the port to which you connect the redundant link.
Possible values:
 -
No port selected.
 <Port number>
If you also have configured ring ports, then specify the coupling and ring ports on different ports.
To help prevent continuous loops, the device disables the coupling port in the following cases:
 disabling the function
 changing the configuration while the connections are operating on the ports
When the device has disabled the coupling port, the Port on checkbox is unmarked in the Basic
Settings > Port dialog, Configuration tab.
State Displays the status of the selected port.
Possible values:
 active
The port is active.
 standby
The port is in stand-by mode.
 not-connected
The port is not connected.
 not-applicable
The port is incompatible with the configured control mode.

 Partner coupling port

Parameters Meaning
Port Specifies the port on which you connect the partner port.
Possible values:
 -
No port selected.
 <Port number>
If you also have configured ring ports, then specify the coupling and ring ports on different ports.

State Displays the status of the selected port.
Possible values:
 active
The port is active.
 standby
The port is in stand-by mode.
 not-connected
The port is not connected.
 not-applicable
The port is incompatible with the configured control mode.
IP address Displays the IP address of the partner, when the devices are connected.
The prerequisite is that you select a two-switch coupling method and enable the partner in the
network.

 Control port

Parameters Meaning
Port Displays the port on which you connect the control line.
Possible values:
 -
No port selected.
 <Port number>
State Displays the status of the selected port.
Possible values:
 active
The port is active.
 standby
The port is in stand-by mode.
 not-connected
The port is not connected.
 not-applicable
The port is incompatible with the configured control mode.

 Configuration

Parameters Meaning
Redundancy mode Enables/disables the device to respond to a failure in the remote ring or network.
Possible values:
 redundant ring/network coupling
Either the main line or the redundant line is active. Both lines are not active simultaneously. If
the device detects that the link is down between the devices in the connected network, then
the standby device keeps the redundant port in the standby mode.
 extended redundancy
The main line and the redundant line are active simultaneously. If the device detects a problem
in the connection between the devices in the connected network, then the standby device
forwards data on the redundant port. With the setting you can maintain continuity in the remote
network.

Note: During the reconfiguration period, packet duplications can occur. Therefore, if your
application is able to detect packet duplications, then you can select this setting.

Coupling mode The settings in this frame allow you to couple a specific type of network.
Possible values:
 ring coupling
The device couples redundant rings. The device allows you to couple rings that use the
following redundancy protocols:
– HIPER ring
– Fast HIPER ring
– MRP ring
 network coupling
The device couples network segments. The function allows you to couple mesh and bus
networks together.

 Information

Parameters Meaning
Redundancy available Displays whether or not the redundancy is available.
When a component of the ring is down, the redundant line takes over its function.
Possible values:
 redGuaranteed
The redundancy is available.
 redNotGuaranteed
The redundancy is unavailable.
Configuration failure You have configured the function incorrectly, or there is no ring port connection.
Possible values:
 noError
 slaveCouplingLinkError
The coupling line is not connected to the coupling port of the slave device. Instead, the
coupling line is connected to another port of the slave device.
 slaveControlLinkError
The control port of the slave device has no data link.
 masterControlLinkError
The control line is not connected to the control port of the master device. Instead, the control
line is connected to another port of the master device.
 twoSlaves
The control line connects two slave devices.
 localPartnerLinkError
The partner coupling line is not connected to the partner coupling port of the slave device.
Instead, the partner coupling line is connected to another port of the slave device in one-
switch coupling mode.
 localInvalidCouplingPort
In one-switch coupling mode, the coupling line is not connected on the same device as the
partner line. Instead, the coupling line is connected to another device.
 couplingPortNotAvailable
The coupling port is not available because the module to which the port refers is not available
or the port does not exist on this module.
 controlPortNotAvailable
The control port is not available because the module to which the port refers is not available
or the port does not exist on this module.
 partnerPortNotAvailable
The partner coupling port is not available because the module to which the port refers is not
available or the port does not exist on this module.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset Disables the redundancy function and resets the parameters in the dialog to the default setting.

Switching > L2-Redundancy > FuseNet > RCP

5.9.6.3 Redundant Coupling Protocol

A ring topology provides short transition times with a minimal use of resources. However, this brings the
challenge of coupling these rings redundantly to a higher-level network.
If you want to use a standard protocol such as MRP for the ring redundancy and RSTP for coupling the
rings together, the Redundant Coupling Protocol provides options for you.
For the Redundant Coupling Protocol, select the following settings in the
Switching > L2-Redundancy > RCP dialog:

Note: On the ports of the Redundant Coupling Protocol Primary Ring, exclude a combination with
the following redundancy procedures and settings:
 Subring
 Network/Ring coupling

 Operation

Parameters Meaning
Operation Enables/disables the RCP function.
Possible values:
 On
The RCP function is enabled.
 Off (default setting)
The RCP function is disabled.

 Primary ring/network / Secondary ring/network

Parameters Meaning
Inner port Specifies the number of the inner port in the primary ring. The port is directly connected to the
partner bridge.
Possible values:
 - (default setting)
No port selected.
 <Port number>
Outer port Specifies the number of the outer port in the primary ring.
Possible values:
 - (default setting)
No port selected.
 <Port number>

 Coupler configuration

Parameters Meaning
Role Specifies the role of the local device.
Possible values:
 master
The device operates as master.
 slave
The device operates as slave.
 auto (default setting)
The device chooses the role.
Current role Displays the current role of the local device. The value can differ from the configured role:
 If you have configured both partner bridges as auto, the partner bridge that is currently
coupling the instances takes the master role. The other partner bridge takes the slave role.
 If both partner bridges are configured as master or both as slave, the partner bridge with the
smaller basic MAC address takes the master role.
The other partner bridge takes the slave role.
 When the protocol is started, if the partner bridge cannot be found for a bridge in the configured
role master, slave or auto, it sets its own role to listening.
 If the device detects a configuration problem, for example if the inner Ring ports are connected
crosswise, the device sets its role to error.
Timeout [ms] Specifies the maximum time in milliseconds during which the slave device waits for test packets
from the master device at the outer ports before it takes over the coupling. This only applies in the
state in which both inner ports of the slave device have lost the connection to the master device.
Configure the timeout longer than the longest assumable interruption time for the redundancy
protocol of the faster instance. Otherwise, loops can occur.
Possible values:
 5..60000 (default setting: 250)
Partner MAC address Displays the basic MAC address of the partner device.
Partner IP address Displays the IP address of the partner device.
Coupling state Displays the coupling status of the local device.
Possible values:
 forwarding
Coupling state of the port is forwarding.
 blocking
Coupling status of the port is blocking.
Redundancy state Displays whether or not the redundancy is available.
For a master-slave configuration, both bridges display this information.
Possible values:
 redAvailable
The redundancy is available.
 redNotAvailable
The redundancy is unavailable.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

6 Diagnostics

The menu contains the following dialogs:


 Status Configuration
 System
 Email Notification
 Syslog
 Ports
 LLDP
 SFlow
 Report

Diagnostics > Status Configuration

6.1 Status Configuration

The menu contains the following dialogs:


 Device Status
 Security Status
 Signal Contact
 MAC Notification
 Alarms (Traps)

Diagnostics > Status Configuration > Device Status

6.1.1 Device Status

The device status provides an overview of the overall condition of the device. Many process
visualization systems record the device status for a device in order to present its condition in graphic
form.
The device displays its current status as error or ok in the Device status frame. The device
determines this status from the individual monitoring results.
The device displays detected faults in the Status tab and also in the Basic Settings > System dialog,
Device Status frame.

The dialog contains the following tabs:

 [Global]
 [Port]
 [Status]

[Global]

 Device status

Parameters Meaning
Device status Displays the current status of the device. The device determines the status from the individual
monitored parameters.
Possible values:
 error
The device displays this value to indicate a detected error in one of the monitored parameters.
 ok

 Traps

Parameters Meaning
Send trap Activates/deactivates the sending of SNMP traps when the device detects changes in the
monitored functions.
Possible values:
 marked
The sending of SNMP traps is active.
The device sends an SNMP trap when the device detects a change in the monitored functions.
 unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.

 Table

Parameters Meaning
Temperature Activates/deactivates the monitoring of the temperature in the device.
Possible values:
 marked (default setting)
Monitoring is active.
In the Device status frame, the value changes to error if the temperature exceeds or falls
below the specified limit.
 unmarked
Monitoring is inactive.
You specify the temperature thresholds in the Basic Settings > System dialog, Upper temp.
limit [°C] field and Lower temp. limit [°C] field.
Ring redundancy Activates/deactivates the monitoring of the ring redundancy.
Possible values:
 marked
Monitoring is active.
In the Device status frame, the value changes to error in the following situations:
– The redundancy function becomes active (loss of redundancy reserve).
– The device is a normal ring participant and detects an error in its settings.
 unmarked (default setting)
Monitoring is inactive.

Connection errors Activates/deactivates the monitoring of the port/interface link.
Possible values:
 marked
Monitoring is active.
In the Device status frame, the value changes to error if the link interrupts on a monitored
port/interface.
In the Port tab, you have the option of selecting the ports/interfaces to be monitored
individually.
 unmarked (default setting)
Monitoring is inactive.
Module removal Activates/deactivates the monitoring of the modules.
Possible values:
 marked
Monitoring is active.
In the Device status frame, the value changes to error if you remove a module from the
device.
Further down, you have the option of selecting the modules to be monitored individually.
 unmarked (default setting)
Monitoring is inactive.
External memory removal Activates/deactivates the monitoring of the active external memory.
Possible values:
 marked
Monitoring is active.
In the Device status frame, the value changes to error if you remove the active external
memory from the device.
 unmarked (default setting)
Monitoring is inactive.
You specify the active external memory in the Basic Settings > Load/Save dialog, External
memory frame.
External memory not in sync Activates/deactivates the monitoring of the configuration profile in the device
and in the external memory.
Possible values:
 marked
Monitoring is active.
In the Device status frame, the value changes to error in the following situations:
– The configuration profile solely exists in the device.
– The configuration profile in the device differs from the configuration profile in the external
memory.
 unmarked (default setting)
Monitoring is inactive.
Power supply Activates/deactivates the monitoring of the power supply unit.
Possible values:
 marked (default setting)
Monitoring is active.
In the Device status frame, the value changes to error if the device has a detected power
supply fault.
 unmarked
Monitoring is inactive.
Module Activates/deactivates the monitoring of this module.
Possible values:
 marked
Monitoring is active.
In the Device status frame, the value changes to error if you remove the module from the
device.
 unmarked (default setting)
Monitoring is inactive.
This setting is effective when you mark the Module removal checkbox further up.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[Port]

 Table

Parameters Meaning
Propagate connection error Activates/deactivates the monitoring of the link on the port/interface.
Possible values:
 marked
Monitoring is active.
In the Device status frame, the value changes to error if the link on the selected port/
interface is interrupted.
 unmarked (default setting)
Monitoring is inactive.
This setting takes effect when you mark the Connection errors checkbox in the Global tab.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[Status]

 Table

Parameters Meaning
Timestamp Displays the date and time of the event in the format, Month Day, Year hh:mm:ss AM/PM.
Cause Displays the event which caused the SNMP trap.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Diagnostics > Status Configuration > Security Status

6.1.2 Security Status

This dialog gives you an overview of the status of the security-relevant settings in the device.
The device displays its current status as error or ok in the Security status frame. The device
determines this status from the individual monitoring results.
The device displays detected faults in the Status tab and also in the Basic Settings > System dialog,
Security status frame.

The dialog contains the following tabs:

 [Global]
 [Port]
 [Status]

[Global]

 Security status

Parameters Meaning
Security status Displays the current status of the security-relevant settings in the device. The device determines
the status from the individual monitored parameters.
Possible values:
 error
The device displays this value to indicate a detected error in one of the monitored parameters.
 ok

 Traps

Parameters Meaning
Send trap Activates/deactivates the sending of SNMP traps when the device detects changes in the
monitored functions.
Possible values:
 marked
The sending of SNMP traps is active.
The device sends an SNMP trap when the device detects a change in the monitored functions.
 unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.

 Table

Parameters Meaning
Password default settings unchanged Activates/deactivates the monitoring of the password for the locally
set up user accounts user and admin.
Possible values:
 marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if the password for the user or
admin user accounts is the default setting.
 unmarked
Monitoring is inactive.
You set the password in the Device Security > User Management dialog.
Min. password length < 8 Activates/deactivates the monitoring of the Min. password length policy.
Possible values:
 marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if the value for the Min.
password length policy is less than 8.
 unmarked
Monitoring is inactive.
You specify the Min. password length policy in the Device Security > User Management
dialog in the Configuration frame.

Password policy settings deactivated Activates/deactivates the monitoring of the Password policies settings.
Possible values:
 marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if the value for at least one of the
following policies is less than 1:
– Upper-case characters (min.)
– Lower-case characters (min.)
– Digits (min.)
– Special characters (min.)
 unmarked
Monitoring is inactive.
You specify the policy settings in the Device Security > User Management dialog in the
Password policy frame.
User account password policy check deactivated Activates/deactivates the monitoring of the Policy check function.
Possible values:
 marked
Monitoring is active.
In the Security status frame, the value changes to error if for at least 1 user account the
Policy check function is inactive.
 unmarked (default setting)
Monitoring is inactive.
You activate the Policy check function in the Device Security > User Management dialog.
Telnet server active Activates/deactivates the monitoring of the Telnet server.
Possible values:
 marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if you enable the Telnet server.
 unmarked
Monitoring is inactive.
You enable/disable the Telnet server in the Device Security > Management Access > Server
dialog, Telnet tab.
HTTP server active Activates/deactivates the monitoring of the HTTP server.
Possible values:
 marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if you enable the HTTP server.
 unmarked
Monitoring is inactive.
You enable/disable the HTTP server in the Device Security > Management Access > Server
dialog, HTTP tab.
SNMP unencrypted Activates/deactivates the monitoring of the SNMP server.
Possible values:
 marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if at least one of the following
conditions applies:
– The SNMPv1 function is enabled.
– The SNMPv2 function is enabled.
– The encryption for SNMPv3 is disabled.
You enable the encryption in the Device Security > User Management dialog, in the
SNMP encryption type column.
 unmarked
Monitoring is inactive.
You specify the settings for the SNMP agent in the Device Security > Management Access >
Server dialog, SNMP tab.

Access to system monitor with V.24 possible Activates/deactivates the monitoring of the system monitor.
When the system monitor is activated, the user has the possibility to change to the system monitor
via a V.24 connection.
Possible values:
 marked
Monitoring is active.
In the Security status frame, the value changes to error if you activate the system
monitor.
 unmarked (default setting)
Monitoring is inactive.
You activate/deactivate the system monitor in the Diagnostics > System > Selftest dialog.
Saving the configuration profile on the external memory possible Activates/deactivates the monitoring of
the configuration profile in the external memory.
Possible values:
 marked
Monitoring is active.
In the Security status frame, the value changes to error if you activate the saving of the
configuration profile in the external memory.
 unmarked (default setting)
Monitoring is inactive.
You activate/deactivate the saving of the configuration profile in the external memory in the Basic
Settings > External Memory dialog.
Load unencrypted config from external memory Activates/deactivates the monitoring of loading
unencrypted configuration profiles from the external memory.
Possible values:
 marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error when the settings allow the
device to load an unencrypted configuration profile from the external memory.
The Security status frame in the Basic Settings > System dialog displays an alarm if
the following preconditions are fulfilled:
– The configuration profile stored in the external memory is unencrypted.
and
– The Config priority column in the Basic Settings > External Memory dialog has
the value first or second.
 unmarked
Monitoring is inactive.
Link interrupted on enabled device ports Activates/deactivates the monitoring of the link on the active ports.
Possible values:
 marked
Monitoring is active.
In the Security status frame, the value changes to error if the link interrupts on an active
port. In the Port tab, you have the option of selecting the ports to be monitored individually.
 unmarked (default setting)
Monitoring is inactive.
Access with HiDiscovery possible Activates/deactivates the monitoring of the HiDiscovery function.
Possible values:
 marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if you enable the HiDiscovery
function.
 unmarked
Monitoring is inactive.
You enable/disable the HiDiscovery function in the Basic Settings > Network dialog.

IEC61850-MMS active Activates/deactivates the monitoring of the IEC61850-MMS function.
Possible values:
 marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if you enable the IEC61850-MMS
function.
 unmarked
Monitoring is inactive.
You enable/disable the IEC61850-MMS function in the Industrial Protocols > IEC61850-MMS
dialog, Operation frame.
Modbus TCP active Activates/deactivates the monitoring of the Modbus TCP function.
Possible values:
 marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if you enable the Modbus TCP
function.
 unmarked
Monitoring is inactive.
You enable/disable the Modbus TCP function in the Advanced > Industrial Protocols >
Modbus TCP dialog, Operation frame.
EtherNet/IP active Activates/deactivates the monitoring of the EtherNet/IP function.
Possible values:
 marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if you enable the EtherNet/IP
function.
 unmarked
Monitoring is inactive.
You enable/disable the EtherNet/IP function in the Advanced > Industrial Protocols >
EtherNet/IP dialog, Operation frame.
PROFINET active Activates/deactivates the monitoring of the PROFINET function.
Possible values:
 marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if you enable the PROFINET
function.
 unmarked
Monitoring is inactive.
You enable/disable the PROFINET function in the Advanced > Industrial Protocols >
PROFINET dialog, Operation frame.
Self-signed HTTPS certificate present Activates/deactivates the monitoring of the HTTPS certificate.
Possible values:
 marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if the HTTPS server uses a self-
created digital certificate.
 unmarked
Monitoring is inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


[Port ]

 Table

Parameters Meaning
Link interrupted on enabled device ports Activates/deactivates the monitoring of the link on the active ports.
Possible values:
 marked
Monitoring is active.
In the Security status frame, the value changes to error when the port is enabled (Basic
Settings > Port dialog, Configuration tab, Port on checkbox is marked) and the link is
down on the port.
 unmarked (default setting)
Monitoring is inactive.
This setting takes effect when you mark the Link interrupted on enabled device ports
checkbox in the Diagnostics > Status Configuration > Security Status dialog, Global
tab.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


[Status ]

 Table

Parameters Meaning
Timestamp Displays the date and time of the event in the format, Month Day, Year hh:mm:ss AM/PM.
Cause Displays the event which caused the SNMP trap.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
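
The following added example (not part of the manual and not Hirschmann code) models how the Security status value follows from the monitored parameters in the Global and Port tabs, including findings that stay hidden because their monitoring checkbox is unmarked. The settings keys, the SAMPLE snapshot and the port names are constructed assumptions; the rule names and default markings are taken from the tables above.

```python
def _link_down_on_monitored_port(s):
    # Port tab: counts only for ports that are enabled, have no link and are marked for monitoring.
    return any(p["enabled"] and not p["link_up"] and p["monitored"] for p in s["ports"])


# (name in the Global tab, marked by default?, condition under which the status becomes "error")
RULES = [
    ("Password default settings unchanged", True, lambda s: s["default_password_in_use"]),
    ("Min. password length < 8", True, lambda s: s["min_password_length"] < 8),
    ("Password policy settings deactivated", True, lambda s: min(s["policy_min"].values()) < 1),
    ("User account password policy check deactivated", False,
     lambda s: not all(s["policy_check_by_user"].values())),
    ("Telnet server active", True, lambda s: s["telnet"]),
    ("HTTP server active", True, lambda s: s["http"]),
    ("SNMP unencrypted", True,
     lambda s: s["snmp_v1"] or s["snmp_v2"] or not s["snmp_v3_encrypted"]),
    ("Access to system monitor with V.24 possible", False, lambda s: s["system_monitor"]),
    ("Saving the configuration profile on the external memory possible", False,
     lambda s: s["save_to_external_memory"]),
    ("Load unencrypted config from external memory", True,
     lambda s: not s["ext_profile_encrypted"] and s["config_priority"] in ("first", "second")),
    ("Link interrupted on enabled device ports", False, _link_down_on_monitored_port),
    ("Access with HiDiscovery possible", True, lambda s: s["hidiscovery"]),
    ("IEC61850-MMS active", True, lambda s: s["iec61850_mms"]),
    ("Modbus TCP active", True, lambda s: s["modbus_tcp"]),
    ("EtherNet/IP active", True, lambda s: s["ethernet_ip"]),
    ("PROFINET active", True, lambda s: s["profinet"]),
    ("Self-signed HTTPS certificate present", True, lambda s: s["https_self_signed"]),
]


def security_status(settings, monitors=None):
    """Return (status, causes, masked).

    causes: conditions that hold and whose monitoring checkbox is marked.
    masked: conditions that hold but are not reported because monitoring is unmarked.
    monitors: optional {rule name: bool} overrides of the default markings.
    """
    monitors = monitors or {}
    causes, masked = [], []
    for name, default_marked, condition in RULES:
        if not condition(settings):
            continue
        marked = monitors.get(name, default_marked)
        (causes if marked else masked).append(name)
    return ("error" if causes else "ok"), causes, masked


# Constructed snapshot of one device's settings (hypothetical keys, not a device export format).
SAMPLE = {
    "default_password_in_use": False,
    "min_password_length": 8,
    "policy_min": {"upper": 1, "lower": 1, "digits": 1, "special": 1},
    "policy_check_by_user": {"admin": True, "operator": False},
    "telnet": False,
    "http": True,
    "snmp_v1": False,
    "snmp_v2": False,
    "snmp_v3_encrypted": False,
    "system_monitor": True,
    "save_to_external_memory": False,
    "ext_profile_encrypted": True,
    "config_priority": "first",
    "ports": [
        {"name": "1/1", "enabled": True, "link_up": True, "monitored": True},
        {"name": "1/2", "enabled": True, "link_up": False, "monitored": True},
        {"name": "1/3", "enabled": True, "link_up": False, "monitored": False},
    ],
    "hidiscovery": False,
    "iec61850_mms": False,
    "modbus_tcp": False,
    "ethernet_ip": False,
    "profinet": False,
    "https_self_signed": False,
}

if __name__ == "__main__":
    status, causes, masked = security_status(SAMPLE)
    print("Security status:", status)
    for name in causes:
        print("  cause :", name)
    for name in masked:
        print("  masked:", name)
```

With the default markings, the masked list shows which weak settings would not change the Security status until the corresponding checkbox is marked.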


Diagnostics > Status Configuration > Signal Contact

6.1.3 Signal Contact

The signal contact is a potential-free relay contact. The device thus allows you to perform remote
diagnosis. The device uses the relay contact to signal the occurrence of events by opening the relay
contact and interrupting the closed circuit.

Note: The device can contain several signal contacts. Each contact contains the same monitoring
functions. Several contacts allow you to group various functions together providing flexibility in system
monitoring.
The menu contains the following dialogs:
 Signal Contact 1 / Signal Contact 2


Diagnostics > Status Configuration > Signal Contact > Signal Contact 1

6.1.3.1 Signal Contact 1 / Signal Contact 2

In this dialog you specify the trigger conditions for the signal contact.
The signal contact gives you the following options:
 Monitoring the correct operation of the device.
 Signaling the device status of the device.
 Signaling the security status of the device.
 Controlling external devices by manually setting the signal contacts.
The device displays detected faults in the Status tab and also in the Basic Settings > System dialog,
Signal contact status frame.

The dialog contains the following tabs:


 [Global ]
 [Port ]
 [Status ]


[Global ]

 Configuration

Parameters Meaning
Mode Specifies which events the signal contact indicates.
Possible values:
 Manual setting (default setting for Signal Contact 2, if present)
You use this setting to manually open or close the signal contact, for example to turn on or off
a remote device. See the Contact option list.
 Monitoring correct operation (default setting)
Using this setting the signal contact indicates the status of the parameters specified in the table
below.
 Device status
Using this setting the signal contact indicates the status of the parameters monitored in the
Diagnostics > Status Configuration > Device Status dialog. In addition, you can read
the status in the Signal contact status frame.
 Security status
Using this setting the signal contact indicates the status of the parameters monitored in the
Diagnostics > Status Configuration > Security Status dialog. In addition, you can
read the status in the Signal contact status frame.
 Device/Security status
Using this setting the signal contact indicates the status of the parameters monitored in the
Diagnostics > Status Configuration > Device Status and the Diagnostics > Status
Configuration > Security Status dialog. In addition, you can read the status in the
Signal contact status frame.
Contact Toggles the signal contact manually. The prerequisite is that you select the value Manual setting
in the Mode drop-down list.
Possible values:
 open
The signal contact is opened.
 close
The signal contact is closed.

 Signal contact status

Parameters Meaning
Signal contact status Displays the current status of the signal contact.
Possible values:
 Opened (error)
The signal contact is opened. The circuit is interrupted.
 Closed (ok)
The signal contact is closed. The circuit is closed.


 Trap configuration

Parameters Meaning
Send trap Activates/deactivates the sending of SNMP traps when the device detects changes in the
monitored functions.
Possible values:
 marked
The sending of SNMP traps is active.
The device sends an SNMP trap when the device detects a change in the monitored functions.
 unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.

 Monitoring correct operation


In the table you specify the parameters that the device monitors. The device signals the occurrence of
an event by opening the signal contact.

Parameters Meaning
Temperature Activates/deactivates the monitoring of the temperature in the device.
Possible values:
 marked (default setting)
Monitoring is active.
The signal contact opens if the temperature exceeds / falls below the threshold values.
 unmarked
Monitoring is inactive.
You specify the temperature thresholds in the Basic Settings > System dialog, Upper temp.
limit [°C] field and Lower temp. limit [°C] field.
Ring redundancy Activates/deactivates the monitoring of the ring redundancy.
Possible values:
 marked
Monitoring is active.
The signal contact opens in the following situations:
– The redundancy function becomes active (loss of redundancy reserve).
– The device is a normal ring participant and detects an error in its settings.
 unmarked (default setting)
Monitoring is inactive.
Connection errors Activates/deactivates the monitoring of the port/interface link.
Possible values:
 marked
Monitoring is active.
The signal contact opens if the link interrupts on a monitored port/interface.
In the Port tab, you have the option of selecting the ports/interfaces to be monitored
individually.
 unmarked (default setting)
Monitoring is inactive.
Module removal Activates/deactivates the monitoring of the modules.
Possible values:
 marked
Monitoring is active.
The signal contact opens if you remove a module from the device.
Further down, you have the option of selecting the modules to be monitored individually.
 unmarked (default setting)
Monitoring is inactive.

External memory removed Activates/deactivates the monitoring of the active external memory.
Possible values:
 marked
Monitoring is active.
The signal contact opens if you remove the active external memory from the device.
 unmarked (default setting)
Monitoring is inactive.
You specify the active external memory in the Basic Settings > Load/Save dialog, External
memory frame.
External memory not in sync with NVM Activates/deactivates the monitoring of the configuration profile
in the device and in the external memory.
Possible values:
 marked
Monitoring is active.
The signal contact opens in the following situations:
– The configuration profile solely exists in the device.
– The configuration profile in the device differs from the configuration profile in the external
memory.
 unmarked (default setting)
Monitoring is inactive.
Power supply Activates/deactivates the monitoring of the power supply unit.
Possible values:
 marked (default setting)
Monitoring is active.
The signal contact opens if the device has a detected power supply fault.
 unmarked
Monitoring is inactive.
Module Activates/deactivates the monitoring of this module.
Possible values:
 marked
Monitoring is active.
The signal contact opens if you remove this module from the device.
 unmarked (default setting)
Monitoring is inactive.
This setting is effective when you mark the Module removal checkbox further up.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


[Port ]

 Table

Parameters Meaning
Propagate connection error Activates/deactivates the monitoring of the link on the port/interface.
Possible values:
 marked
Monitoring is active.
The signal contact opens if the link interrupts on the selected port/interface.
 unmarked (default setting)
Monitoring is inactive.
This setting takes effect when you mark the Connection errors checkbox in the Global tab.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


[Status ]

 Table

Parameters Meaning
Timestamp Displays the date and time of the event in the format, Month Day, Year hh:mm:ss AM/PM.
Cause Displays the event which caused the SNMP trap.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


Diagnostics > Status Configuration > MAC Notification

6.1.4 MAC Notification

The device allows you to track changes in the network using the MAC address of the devices in the
network. The device saves the combination of port and MAC address in its MAC address table. When
the device (un)learns the MAC address of a (dis)connected device, the device sends an SNMP trap.
This function is intended for ports to which you connect end devices and on which the MAC address
therefore changes infrequently.

 Operation

Parameters Meaning
Operation Enables/disables the MAC Notification function on the device.
Possible values:
 On
The MAC Notification function is enabled.
 Off (default setting)
The MAC Notification function is disabled.

 Configuration

Parameters Meaning
Interval [s] Specifies the send interval in seconds. When the device (un)learns the MAC address of a
(dis)connected device, it sends an SNMP trap after this time.
Possible values:
 0..2147483647 (default setting: 30)
Before sending an SNMP trap, the device registers up to 20 MAC addresses. If the device detects
a high number of changes, it sends the SNMP trap before the send interval expires.

 Table

Parameters Meaning
Port Displays the port number.
Active Activates/deactivates the MAC Notification function on the port.
Possible values:
 marked
The MAC Notification function is active on the port.
The device sends an SNMP trap in case of one of the following events:
– The device learns the MAC address of a newly connected device.
– The device unlearns the MAC address of a disconnected device.
 unmarked (default setting)
The MAC Notification function is inactive on the port.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Last MAC address Displays the MAC address of the device last connected on or disconnected from the port.
The device detects the MAC addresses of devices which are connected as follows:
– directly connected to the port
– connected to the port through other devices in the network

Last MAC status Displays the status of the Last MAC address value on this port.
Possible values:
 added
The device detected that another device was connected at the port.
 removed
The device detected that the connected device was removed from the port.
 other
The device did not detect a status.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


Diagnostics > Status Configuration > Alarms (Traps)

6.1.5 Alarms (Traps)

The device offers you the option of sending an SNMP trap as a reaction to specific events. In this dialog,
you specify the trap destinations to which the device sends the SNMP traps.
You specify the events for which the device triggers an SNMP trap, for example, in the following
dialogs:
 in the Diagnostics > Status Configuration > Device Status dialog
 in the Diagnostics > Status Configuration > Security Status dialog
 in the Diagnostics > Status Configuration > MAC Notification dialog

 Operation

Parameters Meaning
Operation Enables/disables the sending of SNMP traps to the trap destinations.
Possible values:
 On (default setting)
The sending of SNMP traps is enabled.
 Off
The sending of SNMP traps is disabled.

 Table

Parameters Meaning
Name Specifies the name of the trap destination.
Possible values:
 Alphanumeric ASCII character string with 1..32 characters
Address Specifies the IP address and the port number of the trap destination.
Possible values:
 <Valid IPv4 address>:<port number>
Active Activates/deactivates the sending of SNMP traps to this trap destination.
Possible values:
 marked (default setting)
The sending of SNMP traps to this trap destination is active.
 unmarked
The sending of SNMP traps to this trap destination is inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Opens the Create window to add a new entry to the table.
 In the Name field you specify a name for the trap destination.
 In the Address field you specify the IP address and the port number of the trap destination.
If you choose not to enter a port number, the device automatically adds the port number 162.


Diagnostics > System

6.2 System

The menu contains the following dialogs:


 System Information
 Hardware State
 Configuration Check
 IP Address Conflict Detection
 ARP
 Selftest


Diagnostics > System > System Information

6.2.1 System Information

This dialog displays the current operating condition of individual components in the device. The
displayed values are a snapshot; they represent the operating condition at the time the dialog was
loaded to the page.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Save system information Opens the HTML page in a new web browser window or tab. You can save the
HTML page on your PC using the appropriate web browser command.


Diagnostics > System > Hardware State

6.2.2 Hardware State

This dialog provides information about the distribution and state of the flash memory of the device.

 Information

Parameters Meaning
Uptime Displays the total operating time of the device since it was delivered.
Possible values:
 ..d ..h ..m ..s
Day(s) Hour(s) Minute(s) Second(s)

 Table

Parameters Meaning
Flash region Displays the name of the respective memory area.
Description Displays a description of what the device uses the memory area for.
Flash sectors Displays how many sectors are assigned to the memory area.
Sector erase operations Displays how many times the device has overwritten the sectors of the memory area.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


Diagnostics > System > Configuration Check

6.2.3 Configuration Check

The device allows you to compare the settings in the device with the settings in its neighboring devices.
For this purpose, the device uses the information that it received from its neighboring devices through
topology recognition (LLDP).
The dialog lists the deviations detected, which affect the performance of the communication between
the device and the recognized neighboring devices.

You update the content of the table by clicking the button. If the table remains empty, the
configuration check was successful and the settings in the device are compatible with the settings in the
detected neighboring devices.

 Summary

You also find this information, when you position the mouse pointer over the button in the
Toolbar in the top part of the Navigation area.

Parameters Meaning
Error Displays the number of errors that the device detected during the configuration check.
Warning Displays the number of warnings that the device detected during the configuration check.
Information Displays the amount of information that the device detected during the configuration check.

 Table
When you highlight a row in the table, the device displays additional information in the area beneath
it.

Parameters Meaning
ID Displays the rule ID of the deviations that occurred. The dialog combines several deviations
with the same rule ID under one rule ID.
Level Displays the level of deviation between the settings in this device and the settings in the detected
neighboring devices.
The device differentiates between the following access statuses:
 INFORMATION
The performance of the communication between the two devices is not impaired.
 WARNING
The performance of the communication between the two devices is possibly impaired.
 ERROR
The communication between the two devices is impaired.
Message Displays a more precise description of the information, warnings and errors that occurred.

Note: A neighboring device without LLDP support, which forwards LLDP packets, may be the cause
of equivocal messages in the dialog. This occurs if the neighboring device is a hub or a switch without
management, which ignores the IEEE 802.1D-2004 standard.
In this case, the dialog displays the devices recognized and connected to the neighboring device as
connected to the device itself, even though they are connected to the neighboring device.


Note: If you have set up more than 39 VLANs on the device, then the dialog always displays a
warning. The reason is the limited number of possible VLAN data sets in LLDP packets with a
maximum length. The device compares the first 39 VLANs automatically.
If you have set up 40 or more VLANs on the device, then check the congruence of the further VLANs
manually, if necessary.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


Diagnostics > System > IP Address Conflict Detection

6.2.4 IP Address Conflict Detection

Using the IP Address Conflict Detection function the device verifies that its IP address is unique
in the network. For this purpose, the device analyzes received ARP packets.
In this dialog you specify the procedure with which the device detects address conflicts and specify the
required settings for this.
The device displays detected address conflicts in the table.
Whenever the device detects an address conflict, the status LED of the device flashes red 4 times.

 Operation

Parameters Meaning
Operation Enables/disables the IP Address Conflict Detection function.
Possible values:
 On (default setting)
The IP Address Conflict Detection function is enabled.
The device verifies that its IP address is unique in the network.
 Off
The IP Address Conflict Detection function is disabled.


 Configuration

Parameters Meaning
Detection mode Specifies the procedure with which the device detects address conflicts.
Possible values:
 active and passive (default setting)
The device uses active and passive address conflict detection.
 active
Active address conflict detection. The device actively avoids communicating with an IP
address that already exists in the network. The address conflict detection begins as soon as
you connect the device to the network or change its IP parameters.
– The device sends 4 ARP probe data packets at the interval specified in the Detection
delay [ms] field. If the device receives a response to these data packets, there is an
address conflict.
– If the device does not detect an address conflict, it sends 2 gratuitous ARP data packets
as an announcement. The device also sends these data packets when the address conflict
detection is disabled.
– If the IP address already exists in the network, the device changes back to the previously
used IP parameters (if possible).
If the device receives its IP parameters from a DHCP server, it sends a DHCPDECLINE
message back to the DHCP server.
– After the period specified in the Release delay [s] field, the device checks whether the
address conflict still exists. If the device detects 10 address conflicts one after the other, it
extends the waiting time to 60 s for the next check.
– When the address conflict has been resolved, the device management returns to the
network again.
 passive
Passive address conflict detection. The device analyzes the data traffic in the network. If
another device in the network is using the same IP address, the device initially “defends” its IP
address. The device stops sending if the other device keeps sending with the same IP
address.
– As a “defence” the device sends gratuitous ARP data packets. The device repeats this
procedure for the number of times specified in the Address protections field.
– If the other device continues sending with the same IP address, after the period specified
in the Release delay [s] field, the device periodically checks whether the address
conflict still exists.
– When the address conflict has been resolved, the device management returns to the
network again.
Send periodic ARP probes Activates/deactivates the periodic address conflict detection.
Possible values:
 marked (default setting)
The periodic address conflict detection is active.
– The device periodically sends an ARP probe data packet every 90 to 150 seconds and
waits for the time specified in the Detection delay [ms] field for a response.
– If the device detects an address conflict, it applies the passive detection mode function. If
the Send trap function is active, the device sends an SNMP trap.
 unmarked
The periodic address conflict detection is inactive.
Detection delay [ms] Specifies the period in milliseconds for which the device waits for a response
after sending an ARP data packet.
Possible values:
 20..500 (default setting: 200)
Release delay [s] Specifies the period in seconds after which the device checks again whether the address conflict
still exists.
Possible values:
 3..3600 (default setting: 15)
Address protections Specifies how many times the device sends gratuitous ARP data packets in the
passive detection mode to “defend” its IP address.
Possible values:
 0..100 (default setting: 3)

Protection interval [ms] Specifies the period in milliseconds after which the device sends gratuitous
ARP data packets again in the passive detection mode to “defend” its IP address.
Possible values:
 20..5000 (default setting: 200)
Send trap Activates/deactivates the sending of SNMP traps when the device detects address conflicts.
Possible values:
 marked
The sending of SNMP traps is active.
The device sends an SNMP trap when it detects an address conflict.
 unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.

 Information

Parameters Meaning
Conflict detected Displays whether an address conflict currently exists.
Possible values:
 marked
The device detects an address conflict.
 unmarked
The device does not detect an address conflict.

 Table

Parameters Meaning
Timestamp Displays the time at which the device detected an address conflict.
Port Displays the number of the port on which the device detected the address conflict.
IP address Displays the IP address that is causing the address conflict.
MAC address Displays the MAC address of the device with which the address conflict exists.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Diagnostics > System > ARP

6.2.5 ARP

This dialog displays the MAC and IP addresses of the neighboring devices connected to the device
management.

 Table

Parameters Meaning
Port Displays the port number.
IP address Displays the IP address of a device that responded to an ARP query to this port.
MAC address Displays the MAC address of a device that responded to an ARP query to this port.
Last updated Displays the time in seconds since the current settings of the entry were registered in the ARP
table.
Type Displays the type of the ARP entry.
Possible values:
 static
Static ARP entry. The ARP entry is kept when the ARP table is deleted.
 dynamic
Dynamic ARP entry. The device deletes the ARP entry when the Aging time [s] has been
exceeded, if the device does not receive any data from this device during this time.
 local
IP and MAC address of the device management.
Active Displays that the ARP table contains the IP/MAC address assignment as an active entry.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset ARP table Removes the dynamically set up addresses from the ARP table.


Diagnostics > System > Selftest

6.2.6 Selftest

This dialog allows you to do the following:
 Activate/deactivate the RAM test when the device is being started.
 Enable/disable the option of entering the system monitor upon the system start.
 Specify how the device behaves in the case of an error.

 Configuration

Parameters Meaning
RAM test Activates/deactivates the RAM memory check during the restart.
Possible values:
 marked (default setting)
The RAM memory check is activated. During the restart, the device checks the RAM memory.
 unmarked
The RAM memory check is deactivated. This shortens the start time for the device.
SysMon1 is available Activates/deactivates the access to the system monitor during the restart.
Possible values:
 marked (default setting)
The device allows you to open the system monitor during the restart.
 unmarked
The device starts without the option of opening the system monitor.
Among other things, the system monitor allows you to update the device software and to delete
saved configuration profiles.
Load default config on error Activates/deactivates the loading of the default settings if the device does not detect any readable
configuration profile when it is restarting.
Possible values:
 marked (default setting)
The device loads the default settings.
 unmarked
The device interrupts the restart and stops. The management access to the device is possible
exclusively using the CLI through the V.24 interface.
To regain the access to the device through the network, open the system monitor and reset
the settings. Upon restart, the device loads the default settings.

Note: The following settings block your access to the device permanently if the device does not
detect any readable configuration profile when it is restarting. This is the case, for example, if the
password of the configuration profile that you are loading differs from the password set in the device.
 SysMon1 is available checkbox is unmarked.
 Load default config on error checkbox is unmarked.
To have the device unlocked again, contact your sales partner.


 Table
In this table you specify how the device behaves in the case of an error.

Parameters Meaning
Cause Error causes to which the device reacts.
Possible values:
 task
The device detects errors in the applications executed, for example if a task terminates or is
not available.
 resource
The device detects errors in the resources available, for example if the memory is becoming
scarce.
 software
The device detects software errors, for example error in the consistency check.
 hardware
The device detects hardware errors, for example in the chip set.
Action Specifies how the device behaves if the adjacent event occurs.
Possible values:
 reboot (default setting)
The device triggers a restart.
 logOnly
The device registers the detected error in the log file. See the Diagnostics > Report >
System Log dialog.
 sendTrap
The device sends an SNMP trap.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


Diagnostics > Email Notification

6.3 Email Notification

The device allows you to inform multiple recipients by email about events that have occurred.
The device sends the emails immediately or periodically depending on the event severity. Usually you
specify events with a high severity to be sent immediately.
You can specify multiple recipients to which the device sends the emails either immediately or
periodically.
The menu contains the following dialogs:
 Email Notification Global
 Email Notification Recipients
 Email Notification Mail Server


Diagnostics > Email Notification > Global

6.3.1 Email Notification Global

In this dialog, you specify the sender settings. Also, you specify for which event severities the device
sends the emails immediately and for which periodically.

 Operation

Parameters Meaning
Operation Enables/disables the sending of emails:
Possible values:
 On
The sending of emails is enabled.
 Off (default setting)
The sending of emails is disabled.

 Certificate
The device can send messages to a server over insecure networks. To help prevent a “man in the middle”
attack, request that the Certificate Authority create a certificate for the server. Configure the server to
use the certificate, then upload the certificate to the device.
When you specify the settings for the mail servers, use the IP address or DNS name provided as Common
Name or Subject Alternative Name in the certificate. Otherwise the certificate validation will fail.

Parameters Meaning
URL Specifies the path and file name of the certificate.
The device accepts certificates with the following properties:
– X.509 format
– .PEM file name extension
– Base64-coded, enclosed by
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
For security reasons, we recommend always using a certificate that is signed by a certification
authority.
The device gives you the following options for copying the certificate to the device:
 Import from the PC
If the certificate is located on your PC or on a network drive, drag and drop the certificate in the
area. Alternatively click in the area to select the certificate.
 Import from an FTP server
If the certificate is on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<path>/<file name>
 Import from a TFTP server
If the certificate is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
 Import from an SCP or SFTP server
If the certificate is on an SCP or SFTP server, specify the URL for the file in one of the following
forms:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you
enter User name and Password to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start Copies the certificate specified in the URL field to the device.


 Sender

Parameters Meaning
Address Specifies the email address of the device.
The device sends the emails using this email address as the sender.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
(default setting: switch@hirschmann.com)

 Notification immediate
Here you specify the settings for emails which the device sends immediately.

Parameters Meaning
Severity Specifies the minimum severity of events for which the device immediately sends an email. If an
event of this severity occurs, or of a more urgent severity, the device sends an email to the
recipients.
Possible values:
 emergency
 alert (default setting)
 critical
 error
 warning
 notice
 informational
 debug
Subject Specifies the subject of the email.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters

 Notification periodic
Here you specify the settings for emails which the device sends periodically.

Parameters Meaning
Severity Specifies the minimum severity of events for which the device periodically sends an email. If an
event of this severity occurs, or of a more urgent severity, the device registers the event in the
buffer. The device sends the buffer content periodically or when the buffer overflows.
If an event of a less urgent severity occurs, the device does not register the event in the buffer.
Possible values:
 emergency
 alert
 critical
 error
 warning (default setting)
 notice
 informational
 debug
Subject Specifies the subject of the email.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Sending interval [min] Specifies the send interval in minutes.
If the device has registered at least 1 event, it sends an email with the log file after the time expires.
Possible values:
 30..1440 (default setting: 30)
Send Sends an email immediately with the buffer content and clears the buffer.


 Information

Parameters Meaning
Sent messages Displays how many times the device has successfully sent an email to the mail server.
Undeliverable messages Displays how many times the device has unsuccessfully tried to send an email to the mail server.
Time of the last messages sent Displays the date and time at which the device has last sent an email to the mail server.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Clear email notification statistics Resets the counters in the Information frame to 0.

 Meaning of the event severities

Severity Meaning
emergency Device not ready for operation
alert Immediate user intervention required
critical Critical status
error Error status
warning Warning
notice Significant, normal status
informational Informal message
debug Debug message
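
The two severity thresholds and the periodic buffer described above decide how long an event waits before anyone is mailed about it. The following added example (a model written for this section, not device code) replays constructed events through those rules with the documented defaults; the buffer size of 50 is an assumption, because the manual does not state it.

```python
# Model of the Notification immediate / Notification periodic rules.
# Times are minutes since the function was switched on.

# Severity names in the order of the table above, most urgent first.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
RANK = {name: position for position, name in enumerate(SEVERITIES)}


def reaches(event_severity, minimum_severity):
    """True if the event has the minimum severity or a more urgent one."""
    return RANK[event_severity] <= RANK[minimum_severity]


class EmailNotifier:
    def __init__(self, immediate_min="alert", periodic_min="warning",
                 interval_min=30, buffer_limit=50):
        self.immediate_min = immediate_min    # default: alert
        self.periodic_min = periodic_min      # default: warning
        self.interval_min = interval_min      # default: 30 minutes
        self.buffer_limit = buffer_limit      # ASSUMPTION: size not documented
        self.buffer = []
        self.sent = []                        # (minute, kind, [event texts])
        self.next_send = interval_min

    def advance(self, minute):
        """Fire every periodic timer expiry up to and including `minute`."""
        while self.next_send <= minute:
            if self.buffer:                   # at least 1 registered event
                self.sent.append((self.next_send, "periodic", self.buffer))
                self.buffer = []
            self.next_send += self.interval_min

    def event(self, minute, severity, text):
        self.advance(minute)
        if reaches(severity, self.immediate_min):
            self.sent.append((minute, "immediate", [text]))
        if reaches(severity, self.periodic_min):
            self.buffer.append(text)
            if len(self.buffer) >= self.buffer_limit:   # buffer overflow
                self.sent.append((minute, "periodic", self.buffer))
                self.buffer = []


def first_delivery(events, until, **settings):
    """Map each event text to (minute first mailed, kind), or None."""
    notifier = EmailNotifier(**settings)
    for minute, severity, text in sorted(events):
        notifier.event(minute, severity, text)
    notifier.advance(until)
    result = {text: None for _, _, text in events}
    for minute, kind, texts in notifier.sent:
        for text in texts:
            if result[text] is None:
                result[text] = (minute, kind)
    return result


# Constructed sample events: (minute, severity, text).
EVENTS = [
    (2, "notice", "E1 notice"),
    (5, "error", "E2 error"),
    (12, "critical", "E3 critical"),
    (31, "alert", "E4 alert"),
    (40, "warning", "E5 warning"),
]

if __name__ == "__main__":
    for text, outcome in first_delivery(EVENTS, until=90).items():
        print(text, "->", outcome or "never mailed")
```

With the defaults, the critical and error events reach a recipient only with the next periodic email, and the notice event is never mailed. Lowering the immediate threshold to critical removes that delay for critical events.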


Diagnostics > Email Notification > Recipients

6.3.2 Email Notification Recipients

In this dialog, you specify the recipients to which the device sends the emails. The device allows you to
specify up to 10 recipients.

 Table

Parameters Meaning
Index Displays the index number to which the table entry relates.
Notification type Specifies whether the device sends the emails to this recipient immediately or periodically.
Possible values:
 immediate
The device sends the emails to this recipient immediately.
 periodic
The device sends the emails to this recipient periodically.
Address Specifies the email address of the recipient.
Possible values:
 Valid email address with up to 255 characters
Active Activates/deactivates the informing of the recipient.
Possible values:
 marked (default setting)
The informing of the recipient is active.
 unmarked
The informing of the recipient is inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


Diagnostics > Email Notification > Mail Server

6.3.3 Email Notification Mail Server

In this dialog, you specify the settings for the mail servers. The device supports encrypted and
unencrypted connections to the mail server.

 Table

Parameters Meaning
Index Displays the index number to which the table entry relates.
Description Specifies the name of the server.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
IP address Specifies the IP address or the DNS name of the server.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
 DNS name in the format domain.tld or host.domain.tld
If you specify a DNS name, then also enable the Client function in the Advanced > DNS >
Client > Global dialog.
If you establish encrypted connections using the uploaded certificate, then the DNS name
must be equal to the server DNS name mentioned in the certificate.
Destination TCP port Specifies the TCP port of the server.
Possible values:
 1..65535 (default setting: 25)
Exception: Port 2222 is reserved for internal functions.
Frequently used TCP ports:
– SMTP 25
– Message Submission 587
Encryption Specifies the protocol which encrypts the connection between the device and the mail server.
Possible values:
 none (default setting)
The device establishes an unencrypted connection to the server.
 tlsv1
The device establishes an encrypted connection to the server using the startTLS extension.
User name Specifies the user name of the account which the device uses to authenticate on the mail server.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Password Specifies the password of the account which the device uses to authenticate on the mail server.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Timeout [s] Specifies the time in seconds after which the device sends an email again. The prerequisite is that
the device has failed to send the complete email due to a connection error.
Possible values:
 1..15 (default setting: 3)
Active Activates/deactivates the use of the mail server.
Possible values:
 marked
The mail server is active.
The device sends emails to this mail server.
 unmarked (default setting)
The mail server is inactive.
The device does not send emails to this mail server.


 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Connection test Opens the Connection test dialog to send a test email.
If the mail server settings are correct, then the selected recipients receive a test email.
 In the Recipient field, you specify to which recipients the device sends the test email:
– immediate
The device sends the test email to the recipients to which the device sends emails
immediately.
– periodic
The device sends the test email to the recipients to which the device sends emails
periodically.
 In the Message text field, you specify the text of the test email.


Diagnostics > Syslog

6.4 Syslog

The device allows you to report selected events, independent of the severity of the event, to different
syslog servers. In this dialog, you specify the settings for this function and manage up to 8 syslog
servers.

 Operation

Parameters Meaning
Operation Enables/disables the sending of events to the syslog servers.
Possible values:
 On
The sending of events is enabled.
The device sends the events specified in the table to the specified syslog servers.
 Off (default setting)
The sending of events is disabled.

 Certificate
The device can send messages to a server over insecure networks. To help prevent a “man in the
middle” attack, request that the Certificate Authority create a certificate for the server. Configure the
server to use the certificate, then upload the certificate to the device.
When you specify the parameters on the server, verify that you specify the IP address and DNS name
provided in the certificate as the Common Name or Subject Alternative Name. Otherwise the
certificate validation will fail.

Note: In order for the changes to take effect after loading a new certificate, restart the Syslog
function.


Parameters Meaning
URL Specifies the path and file name of the certificate.
The device accepts certificates with the following properties:
– X.509 format
– .PEM file name extension
– Base64-coded, enclosed by
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
For security reasons, we recommend always using a certificate that is signed by a certification
authority.
The device gives you the following options for copying the certificate to the device:
 Import from the PC
If the certificate is located on your PC or on a network drive, drag and drop the certificate in the
area. Alternatively click in the area to select the certificate.
 Import from an FTP server
If the certificate is on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<path>/<file name>
 Import from a TFTP server
If the certificate is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
 Import from an SCP or SFTP server
If the certificate is on an SCP or SFTP server, specify the URL for the file in one of the following
forms:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you
enter User name and Password to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start Copies the certificate specified in the URL field to the device.
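
The certificate properties and import URL forms listed here, and in the same form in the Email Notification > Global dialog, can be checked on the PC before the upload. The following is an added example, not Hirschmann code: the function names, the constructed placeholder data and the remarks about FTP/TFTP and embedded passwords are this example's own, and it checks file format only, not the signature or the names in the certificate.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_sequence_is_complete(der):
    """True if the bytes are exactly one DER SEQUENCE (the X.509 outer shell)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form length
        return len(der) == 2 + first
    count = first & 0x7F                   # long form: number of length bytes
    if count == 0 or len(der) < 2 + count:
        return False
    length = int.from_bytes(der[2:2 + count], "big")
    return len(der) == 2 + count + length


def check_certificate_file(filename, text):
    """Return a list of problems; an empty list means the format checks pass."""
    problems = []
    if not filename.lower().endswith(".pem"):
        problems.append("file name extension is not .PEM")
    if "PRIVATE KEY-----" in text:
        # Only the certificate belongs on the device, never the server's key.
        problems.append("file also contains a private key block")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no BEGIN CERTIFICATE / END CERTIFICATE block")
    for number, body in enumerate(blocks, start=1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"block {number}: body is not valid Base64")
            continue
        if not der_sequence_is_complete(der):
            problems.append(f"block {number}: DER is not one complete SEQUENCE")
    return problems


def check_import_url(url):
    """Return remarks on an import URL written in one of the forms above."""
    parts = urlsplit(url)
    remarks = []
    if parts.scheme not in ("ftp", "tftp", "scp", "sftp"):
        remarks.append("scheme is not one of ftp, tftp, scp, sftp")
    if parts.scheme in ("ftp", "tftp"):
        # The uploaded file becomes the trust anchor, so its transfer matters.
        remarks.append(f"{parts.scheme} does not authenticate the server "
                       "or protect the file in transit")
    if parts.password:
        remarks.append("password is embedded in the URL")
    return remarks


def pem_wrap(der):
    """Wrap DER bytes in the BEGIN/END CERTIFICATE framing."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed placeholder: a correctly framed SEQUENCE of 256 zero bytes.
# It is not a real certificate and only exercises the format checks.
CONSTRUCTED_DER = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    print(check_certificate_file("syslog-server.pem", pem_wrap(CONSTRUCTED_DER)))
    print(check_certificate_file("syslog-server.crt",
                                 pem_wrap(CONSTRUCTED_DER[:-10])))
    # 192.0.2.10 is a documentation address, used here as a placeholder.
    print(check_import_url("tftp://192.0.2.10/certs/syslog-server.pem"))
    print(check_import_url("sftp://192.0.2.10/certs/syslog-server.pem"))
```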

 Table

Parameters Meaning
Index Displays the index number to which the table entry relates.
When you delete a table entry, this leaves a gap in the numbering. When you create a new table
entry, the device fills the first gap.
Possible values:
 1..8
IP address Specifies the IP address of the syslog server.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Destination UDP port Specifies the TCP or UDP port on which the syslog server expects the log entries.
Possible values:
 1..65535 (default setting: 514)
Transport type Specifies the transport type the device uses to send the events to the syslog server.
Possible values:
 udp (default setting)
The device sends the events over the UDP port specified in the Destination UDP port
column.
 tls
The device sends the events over TLS on the TCP port specified in the Destination UDP
port column.

Min. severity Specifies the minimum severity of the events. The device sends a log entry for events with this
severity and with more urgent severities to the syslog server.
Possible values:
 emergency
 alert
 critical
 error
 warning (default setting)
 notice
 informational
 debug
Type Specifies the type of the log entry transmitted by the device.
Possible values:
 systemlog (default setting)
 audittrail
Active Activates/deactivates the transmission of events to the syslog server:
 marked
The device sends events to the syslog server.
 unmarked (default setting)
The transmission of events to the syslog server is deactivated.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


Diagnostics > Ports

6.5 Ports

The menu contains the following dialogs:


 SFP
 TP cable diagnosis
 Port Monitor
 Auto-Disable
 Port Mirroring


Diagnostics > Ports > SFP

6.5.1 SFP

This dialog allows you to look at the SFP transceivers currently connected to the device and their
properties.

 Table
The table displays valid values if the device is equipped with SFP transceivers.

Parameters Meaning
Port Displays the port number.
Module type Type of the SFP transceiver, for example M-SFP-SX/LC.
Serial number Displays the serial number of the SFP transceiver.
Connector type Displays the connector type.
Supported Displays whether the device supports the SFP transceiver.
Temperature [°C] Operating temperature of the SFP transceiver in °Celsius.
Tx power [mW] Transmission power of the SFP transceiver in mW.
Rx power [mW] Receiving power of the SFP transceiver in mW.
Tx power [dBm] Transmission power of the SFP transceiver in dBm.
Rx power [dBm] Receiving power of the SFP transceiver in dBm.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


Diagnostics > Ports > TP cable diagnosis

6.5.2 TP cable diagnosis

This feature tests the cable attached to an interface for short or open circuit. The table displays the cable
status and estimated length. The device also displays the individual cable pairs connected to the port.
When the device detects a short circuit or an open circuit in the cable, it also displays the estimated
distance to the problem.

Note: This test interrupts traffic on the port.

 Information

Parameters Meaning
Port Displays the port number.
Status Status of the Virtual Cable Tester.
Possible values:
 active
Cable testing is in progress.
To start the test, click the button and then the Start cable diagnosis... item. This
action opens the Select port dialog.
 success
The device displays this entry after performing a successful test.
 failure
The device displays this entry after an interruption in the test.
 uninitialized
The device displays this entry while in standby.

 Table

Parameters Meaning
Cable pair Displays the cable pair to which this entry relates. The device uses the first PHY index supported
to display the values.
Result Displays the results of the cable test.
Possible values:
 normal
The cable is functioning properly.
 open
There is a break in the cable causing an interruption.
 short
Wires in the cable are touching together causing a short circuit.
 unknown
The device displays this value for untested cable pairs.

Note: The device displays different values than expected in the following cases:
– If no cable is connected to the port, the device displays the value unknown instead of open .
– If the port is deactivated, the device displays the value short .
Min. length Displays the minimum estimated length of the cable in meters.
The device displays the value 0 if the cable length is unknown or in the Information frame the
Status field displays the value active , failure or uninitialized .
Max. length Displays the maximum estimated length of the cable in meters.
The device displays the value 0 if the cable length is unknown or in the Information frame the
Status field displays the value active , failure or uninitialized .

Distance [m] Displays the estimated distance in meters from the end of the cable to the failure location.
The device displays the value 0 if the cable length is unknown or in the Information frame the
Status field displays the value active , failure or uninitialized .

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Start cable diagnosis... Opens the Select port dialog.
In the Port drop-down list you select the port to be tested. Use for copper-based ports exclusively.
To initiate the cable test on the selected port, click the Ok button.


Diagnostics > Ports > Port Monitor

6.5.3 Port Monitor

The Port Monitor function monitors the adherence to the specified parameters on the ports. If the Port
Monitor function detects that the parameters are being exceeded, the device performs an action.
To apply the Port Monitor function, proceed as follows:
 Global tab
   Enable the Operation function in the Port Monitor frame.
   Activate for each port those parameters that you want the Port Monitor function to monitor.
 Link flap , CRC/Fragments and Overload detection tabs
   Specify the threshold values for the parameters for each port.
 Link speed/Duplex mode detection tab
   Activate the allowed combinations of speed and duplex mode for each port.
 Global tab
   Specify for each port an action that the device carries out when the Port Monitor function detects
    that the parameters have been exceeded.
 Auto-disable tab
   Mark the Auto-disable checkbox for the monitored parameters when you have specified the
    auto-disable action at least once.

The dialog contains the following tabs:


 [Global ]
 [Auto-disable ]
 [Link flap ]
 [CRC/Fragments ]
 [Overload detection ]
 [Link speed/Duplex mode detection ]

[Global ]
In this tab, you enable the Port Monitor function and specify the parameters that the Port Monitor
function is monitoring. Also specify the action that the device carries out when the Port Monitor
function detects that the parameters have been exceeded.

 Operation

Parameters Meaning
Operation Enables/disables the Port Monitor function globally.
Possible values:
 On
The Port Monitor function is enabled.
 Off (default setting)
The Port Monitor function is disabled.


 Table

Parameters Meaning
Port Displays the port number.
Link flap on Activates/deactivates the monitoring of link flaps on the port.
Possible values:
 marked
Monitoring is active.
– The Port Monitor function monitors link flaps on the port.
– If the device detects too many link flaps, the device executes the action specified in the
Action column.
– On the Link flap tab, specify the parameters to be monitored.
 unmarked (default setting)
Monitoring is inactive.
CRC/Fragments on Activates/deactivates the monitoring of CRC/fragment errors on the port.
Possible values:
 marked
Monitoring is active.
– The Port Monitor function monitors CRC/fragment errors on the port.
– If the device detects too many CRC/fragment errors, the device executes the action
specified in the Action column.
– On the CRC/Fragments tab, specify the parameters to be monitored.
 unmarked (default setting)
Monitoring is inactive.
Duplex mismatch detection active Activates/deactivates the monitoring of duplex mismatches on the port.
Possible values:
 marked
Monitoring is active.
– The Port Monitor function monitors duplex mismatches on the port.
– If the device detects a duplex mismatch, the device executes the action specified in the
Action column.
 unmarked (default setting)
Monitoring is inactive.
Overload detection on Activates/deactivates the overload detection on the port.
Possible values:
 marked
Monitoring is active.
– The Port Monitor function monitors the data load on the port.
– If the device detects a data overload on the port, the device executes the action specified
in the Action column.
– On the Overload detection tab, specify the parameters to be monitored.
 unmarked (default setting)
Monitoring is inactive.
Link speed/Duplex mode detection on Activates/deactivates the monitoring of the link speed and duplex mode on the port.
Possible values:
 marked
Monitoring is active.
– The Port Monitor function monitors the link speed and duplex mode on the port.
– If the device detects an unpermitted combination of link speed and duplex mode, the device
executes the action specified in the Action column.
– On the Link speed/Duplex mode detection tab, specify the parameters to be
monitored.
 unmarked (default setting)
Monitoring is inactive.

Active condition Displays the monitored parameter that led to the action on the port.
Possible values:
 -
No monitored parameter.
The device does not carry out any action.
 Link flap
Too many link changes in the observed period.
 CRC/Fragments
Too many CRC/fragment errors in the observed period.
 Duplex mismatch
Duplex mismatch detected.
 Overload detection
Overload detected in the observed period.
 Link speed/Duplex mode detection
Impermissible combination of speed and duplex mode detected.
Action Specifies the action that the device carries out when the Port Monitor function detects that the
parameters have been exceeded.
Possible values:
 disable port
The device disables the port and sends an SNMP trap.
The “Link status” LED for the port flashes 3× per period.
– To re-enable the port, highlight the port and click the button and then the Reset item.
– The Auto-Disable function enables the port again after the specified waiting period when
the parameters are no longer being exceeded. The prerequisite is that on the
Auto-disable tab the checkbox for the monitored parameter is marked.
 send trap
The device sends an SNMP trap.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
 auto-disable (default setting)
The device disables the port and sends an SNMP trap.
The “Link status” LED for the port flashes 3× per period.
The prerequisite is that on the Auto-disable tab the checkbox for the monitored parameter
is marked.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently
disabled due to the parameters being exceeded.
– The Auto-Disable function reactivates the port automatically. For this you go to the
Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the
relevant port in the Reset timer [s] column.
Port status Displays the operating state of the port.
Possible values:
 up
The port is enabled.
 down
The port is disabled.
 notPresent
Physical port unavailable.


 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
 Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
 Diagnostics > Ports > Auto-Disable dialog

[Auto-disable ]
In this tab, you activate the Auto-Disable function for the parameters monitored by the Port Monitor
function.

 Table

Parameters Meaning
Reason Displays the parameters monitored by the Port Monitor function.
Mark the adjacent checkbox so that the Port Monitor function carries out the auto-disable
action when it detects that the monitored parameters have been exceeded.
Auto-disable Activates/deactivates the Auto-Disable function for the adjacent parameters.
Possible values:
 marked
The Auto-Disable function for the adjacent parameters is active.
When the adjacent parameters are exceeded, the device carries out the Auto-Disable
function when the value auto-disable is specified in the Action column.
 unmarked (default setting)
The Auto-Disable function for the adjacent parameters is inactive.


 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
 Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
 Diagnostics > Ports > Auto-Disable dialog

[Link flap]
In this tab, you specify individually for every port the following settings:
 The number of link changes.
 The period during which the Port Monitor function monitors a parameter to detect discrepancies.
You also see how many link changes the Port Monitor function has detected up to now.
The Port Monitor function monitors those ports for which the checkbox in the Link flap on column
is marked on the Global tab.

 Table

Parameters Meaning
Port Displays the port number.
Sampling interval [s] Specifies, in seconds, the period during which the Port Monitor function monitors a parameter
to detect discrepancies.
Possible values:
 1..180 (default setting: 10)
Link flaps Specifies the number of link changes.
If the Port Monitor function detects this number of link changes in the monitored period, the
device performs the specified action.
Possible values:
 1..100 (default setting: 5)
Last sampling interval Displays the number of errors that the device has detected during the period that has elapsed.
Total Displays the total number of errors that the device has detected since the port was enabled.


 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
 Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
 Diagnostics > Ports > Auto-Disable dialog

[CRC/Fragments]
In this tab, you specify individually for every port the following settings:
 The fragment error rate.
 The period during which the Port Monitor function monitors a parameter to detect discrepancies.
You also see the fragment error rate that the device has detected up to now.
The Port Monitor function monitors those ports for which the checkbox in the CRC/Fragments on
column is marked on the Global tab.

 Table

Parameters Meaning
Port Displays the port number.
Sampling interval [s] Specifies, in seconds, the period during which the Port Monitor function monitors a parameter
to detect discrepancies.
Possible values:
 5..180 (default setting: 10)
CRC/Fragments count [ppm] Specifies the fragment error rate (in parts per million).
If the Port Monitor function detects this fragment error rate in the monitored period, the device
performs the specified action.
Possible values:
 1..1000000 (default setting: 1000)
Last active interval [ppm] Displays the fragment error rate that the device has detected during the period that has elapsed.
Total [ppm] Displays the fragment error rate that the device has detected since the port was enabled.


 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
 Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
 Diagnostics > Ports > Auto-Disable dialog

[Overload detection]
In this tab, you specify individually for every port the following settings:
 The load threshold values.
 The period during which the Port Monitor function monitors a parameter to detect discrepancies.
You also see the number of data packets that the device has detected up to now.
The Port Monitor function monitors those ports for which the checkbox in the Overload detection
on column is marked on the Global tab.
The Port Monitor function does not monitor any ports that are members of a link aggregation group.

 Table

Parameters Meaning
Port Displays the port number.
Traffic type Specifies the type of data packets that the device considers when monitoring the load on the port.
Possible values:
 all
The Port Monitor function monitors Broadcast, Multicast and Unicast packets.
 bc (default setting)
The Port Monitor function monitors only Broadcast packets.
 bc-mc
The Port Monitor function monitors only Broadcast and Multicast packets.
Threshold type Specifies the unit for the data rate.
Possible values:
 pps (default setting)
packets per second
 kbps
kbit per second
The prerequisite is that the value in the Traffic type column = all.

Lower threshold Specifies the lower threshold value for the data rate.
The Auto-Disable function enables the port again only when the load on the port is lower than
the value specified here.
Possible values:
 0..10000000 (default setting: 0)
Upper threshold Specifies the upper threshold value for the data rate.
If the Port Monitor function detects this load in the monitored period, the device performs the
specified action.
Possible values:
 0..10000000 (default setting: 0)
Interval [s] Specifies in seconds, the period that the Port Monitor function observes a parameter to detect
that a parameter is being exceeded.
Possible values:
 1..20 (default setting: 1)
Packets Displays the number of Broadcast, Multicast and Unicast packets that the device has detected
during the period that has elapsed.
Broadcast packets Displays the number of Broadcast packets that the device has detected during the period that has
elapsed.
Multicast packets Displays the number of Multicast packets that the device has detected during the period that has
elapsed.
Kbit/s Displays the data rate in Kbits per second that the device has detected during the period that has
elapsed.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
 Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
 Diagnostics > Ports > Auto-Disable dialog


[Link speed/Duplex mode detection]


In this tab, you activate the allowed combinations of speed and duplex mode for each port.
The Port Monitor function monitors those ports for which the checkbox in the Link speed/Duplex
mode detection on column is marked on the Global tab.
The Port Monitor function monitors only enabled physical ports.

 Table

Parameters Meaning
Port Displays the port number.
10 Mbit/s HDX Activates/deactivates the port monitor to accept a half-duplex and 10 Mbit/s data rate combination
on the port.
Possible values:
 marked
The port monitor allows the speed and duplex combination.
 unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
10 Mbit/s FDX Activates/deactivates the port monitor to accept a full-duplex and 10 Mbit/s data rate combination
on the port.
Possible values:
 marked
The port monitor allows the speed and duplex combination.
 unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
100 Mbit/s HDX Activates/deactivates the port monitor to accept a half-duplex and 100 Mbit/s data rate
combination on the port.
Possible values:
 marked
The port monitor allows the speed and duplex combination.
 unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
100 Mbit/s FDX Activates/deactivates the port monitor to accept a full-duplex and 100 Mbit/s data rate combination
on the port.
Possible values:
 marked
The port monitor allows the speed and duplex combination.
 unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
1,000 Mbit/s FDX Activates/deactivates the port monitor to accept a full-duplex and 1 Gbit/s data rate combination
on the port.
Possible values:
 marked
The port monitor allows the speed and duplex combination.
 unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.

2.5 Gbit/s FDX Activates/deactivates the port monitor to accept a full-duplex and 2.5 Gbit/s data rate combination
on the port.
Possible values:
 marked
The port monitor allows the speed and duplex combination.
 unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
 Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
 Diagnostics > Ports > Auto-Disable dialog


Diagnostics > Ports > Auto-Disable

6.5.4 Auto-Disable

The Auto-Disable function allows you to disable monitored ports automatically and enable them again
as you desire.
For example, the Port Monitor function and selected functions in the Network Security menu use
the Auto-Disable function to disable ports when monitored parameters are exceeded.
When the parameters are no longer being exceeded, the Auto-Disable function enables the relevant
port again after a specified waiting period.

The dialog contains the following tabs:


 [Port]
 [Status]

[Port]
This tab displays which ports are currently disabled due to the parameters being exceeded. When you
specify a waiting period in the Reset timer [s] column, the Auto-Disable function automatically
enables the relevant port again when the parameters are no longer being exceeded.

 Table

Parameters Meaning
Port Displays the port number.
Reset timer [s] Specifies the waiting period in seconds, after which the Auto-Disable function enables the port
again.
Possible values:
 0 (default setting)
The timer is inactive. The port remains disabled.
 30..4294967295
The Auto-Disable function enables the port again after the waiting period specified here and
when the parameters are no longer being exceeded.
Error time Displays when the device disabled the port due to the parameters being exceeded.
Remaining time [s] Displays the remaining time in seconds, until the Auto-Disable function enables the port again.

Component Displays the software component in the device that disabled the port.
Possible values:
 PORT_MON
Port Monitor
See the Diagnostics > Ports > Port Monitor dialog.
 PORT_ML
Port Security
See the Network Security > Port Security dialog.
 DHCP_SNP
DHCP Snooping
See the Network Security > DHCP Snooping dialog.
 DOT1S
BPDU guard
See the Switching > L2-Redundancy > Spanning Tree > Global dialog.
 DAI
Dynamic ARP Inspection
See the Network Security > Dynamic ARP Inspection dialog.
Reason Displays the monitored parameter that led to the port being disabled.
Possible values:
 none
No monitored parameter.
The port is enabled.
 link-flap
Too many link changes. See the Diagnostics > Ports > Port Monitor dialog, Link flap
tab.
 crc-error
Too many CRC/fragment errors. See the Diagnostics > Ports > Port Monitor dialog,
CRC/Fragments tab.
 duplex-mismatch
Duplex mismatch detected. See the Diagnostics > Ports > Port Monitor dialog, Global
tab.
 dhcp-snooping
Too many DHCP packets from untrusted sources. See the Network Security > DHCP
Snooping > Configuration dialog, Port tab.
 arp-rate
Too many ARP packets from untrusted sources. See the Network Security > Dynamic
ARP Inspection > Configuration dialog, Port tab.
 bpdu-rate
STP-BPDUs received. See the Switching > L2-Redundancy > Spanning Tree > Global
dialog.
 mac-based-port-security
Too many data packets from undesired senders. See the Network Security > Port
Security dialog.
 overload-detection
Overload. See the Diagnostics > Ports > Port Monitor dialog, Overload detection
tab.
 speed-duplex
Impermissible combination of speed and duplex mode detected. See the Diagnostics >
Ports > Port Monitor dialog, Link speed/Duplex mode detection tab.
Active Displays whether the port is currently disabled due to the parameters being exceeded.
Possible values:
 marked
The port is currently disabled.
 unmarked
The port is enabled.


 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

[Status]
This tab displays the monitored parameters for which the Auto-Disable function is activated.

 Table

Parameters Meaning
Reason Displays the parameters that the device monitors.
Mark the adjacent checkbox so that the Auto-Disable function disables and, if applicable,
enables the port again when the monitored parameters are exceeded.
Category Displays which function the adjacent parameter belongs to.
Possible values:
 port-monitor
The parameter belongs to the Port Monitor function. See the Diagnostics > Ports > Port
Monitor dialog.
 network-security
The parameter belongs to the functions in the Network Security menu.
 l2-redundancy
The parameter belongs to the L2-Redundancy functions. See the Switching > L2-
Redundancy dialog.
Auto-disable Displays whether the Auto-Disable function is activated/deactivated for the adjacent parameter.
Possible values:
 marked
The Auto-Disable function for the adjacent parameters is active.
The Auto-Disable function disables and, if applicable, enables the relevant port again when
the monitored parameters are exceeded.
 unmarked (default setting)
The Auto-Disable function for the adjacent parameters is inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
 Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
 Diagnostics > Ports > Auto-Disable dialog
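
The prerequisites and value ranges described for the Port Monitor and Auto-Disable dialogs can be checked offline against a copy of the settings. The following audit is an added example, not Hirschmann code: the data model, the port names and the finding codes are assumptions made for illustration, and the sample configuration is constructed.

```python
from dataclasses import dataclass, field

# Value ranges taken from the Link flap, CRC/Fragments and Overload detection tables.
RANGES = {
    "link_flap.sampling_interval_s": (1, 180),
    "link_flap.link_flaps": (1, 100),
    "crc.sampling_interval_s": (5, 180),
    "crc.count_ppm": (1, 1_000_000),
    "overload.interval_s": (1, 20),
    "overload.lower_threshold": (0, 10_000_000),
    "overload.upper_threshold": (0, 10_000_000),
}
RESET_TIMER_MIN, RESET_TIMER_MAX = 30, 4_294_967_295   # 0 means "timer inactive"


@dataclass
class PortConfig:                      # hypothetical model of one table row
    port: str
    action: str = "auto-disable"       # Action column on the Global tab
    monitored: set = field(default_factory=set)   # reasons switched on for this port
    values: dict = field(default_factory=dict)    # numeric settings, keyed as in RANGES
    traffic_type: str = "bc"           # Overload detection tab
    threshold_type: str = "pps"        # Overload detection tab
    reset_timer_s: int = 0             # Auto-Disable dialog, Reset timer [s]


@dataclass
class DeviceConfig:                    # hypothetical model of the device-wide settings
    traps_enabled: bool
    trap_destinations: int
    auto_disable_marked: set           # reasons marked on the Auto-disable tab
    ports: list


def audit(dev):
    """Return a sorted list of (port, finding_code) tuples."""
    findings = []
    for p in dev.ports:
        for key, value in p.values.items():
            lo, hi = RANGES[key]
            if not lo <= value <= hi:
                findings.append((p.port, f"out-of-range:{key}"))
        # kbps is only valid when the traffic type is "all".
        if p.threshold_type == "kbps" and p.traffic_type != "all":
            findings.append((p.port, "kbps-needs-traffic-type-all"))
        if p.reset_timer_s != 0 and not RESET_TIMER_MIN <= p.reset_timer_s <= RESET_TIMER_MAX:
            findings.append((p.port, "reset-timer-out-of-range"))
        # "send trap" needs the trap function enabled and at least 1 trap destination.
        if p.action == "send trap" and not (dev.traps_enabled and dev.trap_destinations >= 1):
            findings.append((p.port, "trap-action-without-trap-destination"))
        if p.action == "auto-disable":
            # The reason's checkbox on the Auto-disable tab is a prerequisite.
            for reason in sorted(p.monitored - dev.auto_disable_marked):
                findings.append((p.port, f"auto-disable-not-marked:{reason}"))
            # Reset timer 0: a disabled port stays disabled until someone resets it.
            if p.monitored and p.reset_timer_s == 0:
                findings.append((p.port, "no-automatic-recovery"))
    return sorted(findings)


# Constructed sample configuration.
SAMPLE = DeviceConfig(
    traps_enabled=True, trap_destinations=0,
    auto_disable_marked={"link-flap", "crc-error"},
    ports=[
        PortConfig("1/1", "auto-disable", {"link-flap", "overload-detection"},
                   {"link_flap.sampling_interval_s": 10, "link_flap.link_flaps": 5,
                    "overload.interval_s": 1, "overload.upper_threshold": 5000},
                   traffic_type="bc", threshold_type="kbps", reset_timer_s=0),
        PortConfig("1/2", "send trap", {"crc-error"},
                   {"crc.sampling_interval_s": 3, "crc.count_ppm": 1000}),
        PortConfig("1/3", "auto-disable", {"link-flap"},
                   {"link_flap.sampling_interval_s": 10, "link_flap.link_flaps": 5},
                   reset_timer_s=60),
    ],
)

if __name__ == "__main__":
    for port, code in audit(SAMPLE):
        print(port, code)
```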


Diagnostics > Ports > Port Mirroring

6.5.5 Port Mirroring

The Port Mirroring function allows you to copy received and sent data packets from selected ports
to a destination port. You can watch and process the data stream using an analyzer or an RMON probe,
connected to the destination port. The data packets remain unmodified on the source port.

Note: To enable the management access using the destination port, mark the checkbox Allow
management in the Destination port frame before you enable the Port Mirroring function.

 Operation

Parameters Meaning
Operation Enables/disables the Port Mirroring function.
Possible values:
 On
The Port Mirroring function is enabled.
The device copies the data packets from the selected source ports to the destination port.
 Off (default setting)
The Port Mirroring function is disabled.

 Destination port

Parameters Meaning
Primary port Specifies the destination port.
Suitable ports are those ports that are not used for the following purposes:
– Source port
– L2 redundancy protocols
Possible values:
 no Port (default setting)
No destination port selected.
 <Port number>
Number of the destination port. The device copies the data packets from the source ports to
this port.
On the destination port, the device adds a VLAN tag to the data packets that the source port
transmits. The destination port transmits the data packets that the source port receives
without modification.

Note: The destination port needs sufficient bandwidth to absorb the data stream. When the copied
data stream exceeds the bandwidth of the destination port, the device discards surplus data
packets on the destination port.
Secondary port Specifies a second destination port.
The port transmits the same data as the port specified above.
Exception:
– no VLAN mirroring data
– no RSPAN data
Possible values:
 no Port (default setting)
No destination port selected.
 <Port number>
Number of the destination port. The device copies the data packets from the source ports to
this port.

Allow management Activates/deactivates the management access using the destination port.
Possible values:
 marked
The management access using the destination port is active.
The device allows the management access to the device using the destination port without
interrupting the active Port Mirroring session.
– The device duplicates multicasts, broadcasts and unknown unicasts on the destination
port.
– The VLAN settings on the destination port remain unchanged. The prerequisite for
management access via the destination port is that the destination port is not a member of
the management VLAN.
 unmarked (default setting)
The management access using the destination port is inactive.
The device prohibits the management access to the device using the destination port.

 VLAN mirroring
The VLAN mirroring function allows you to copy ingress data packets in a specific VLAN to the
selected destination port. The device forwards the data stream out of the specified destination port.

Note: The VLAN mirroring function is only available on the primary port.

Parameters Meaning
Source VLAN ID Specifies the VLAN from which the device mirrors data to the destination port.
Possible values:
 0 (default setting)
Disables the VLAN mirroring function.
 2..4042
The device only allows you to specify a VLAN when no source port is specified.

 RSPAN
The RSPAN (Remote Switched Port Analyzer) function extends the mirroring function by allowing the
device to forward the monitored data across multiple devices, on a specific VLAN, to a single
destination.

Note: When you use the device on the path between the source and destination device, specify in
the VLAN ID field the VLAN needed to use the RSPAN function. For this, the Port Mirroring function
is not required and remains disabled.

Note: The RSPAN function is only available on the primary port.

Parameters Meaning
Source VLAN ID Specifies the source VLAN from which the device mirrors data to the destination VLAN.
Possible values:
 0 (default setting: 0)
The source VLAN is inactive.
 2..4042
Mirrored ports may not be members of the RSPAN VLAN.

VLAN ID Specifies the VLAN that the device uses to tag and forward mirrored data.
Possible values:
 0 (default setting: 0)
The RSPAN VLAN is inactive.
 2..4042
The device uses the value to tag and forward mirrored data.
Destination VLAN ID Specifies the VLAN that the device uses to forward the network traffic to the destination device.
Possible values:
 0 (default setting: 0)
The destination VLAN is inactive.
 2..4042
The device uses this value to tag data and to forward the network traffic to the destination
device.

 Table

Parameters Meaning
Source port Specifies the port number.
Possible values:
 <Port number>
Enabled Activates/deactivates the copying of the data packets from this source port to the destination port.
Possible values:
 marked
The copying of the data packets is active.
The port is specified as a source port.
 unmarked (default setting)
The copying of the data packets is inactive.
 (Grayed-out display)
It is not possible to copy the data packets for this port.
Possible causes:
– The port is already specified as a destination port.
– The port is a logical port, not a physical port.

Note: The device allows you to activate every physical port as source port except for the
destination port.
Type Specifies which data packets the device copies to the destination port.
Possible values:
 none (default setting)
No data packets.
 tx
Data packets that the source port transmits.
 rx
Data packets that the source port receives.
 txrx
Data packets that the source port transmits and receives.

Note: With the txrx setting the device copies transmitted and received data packets. The
destination port needs at least a bandwidth that corresponds to the sum of the send and
receive channels of the source ports. For example, for similar ports the destination port is at
100 % capacity when the send and receive channels of a source port are each at 50 % capacity.
On the destination port, the device adds a VLAN tag to the data packets that the source port
transmits. The destination port transmits the data packets that the source port receives
without modification.


 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset config Resets the settings in the dialog to the default settings and transfers the changes to the volatile
memory of the device (RAM).
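
One way to check a planned mirroring session against the constraints in this section before enabling it, including the bandwidth note for the txrx setting. This is an added example, not part of the manual or the device software; the MirrorSession model, the port names and the finding codes are assumptions, and the sample values are constructed.

```python
from dataclasses import dataclass, field

VLAN_MIN, VLAN_MAX = 2, 4042                        # allowed non-zero VLAN IDs
COPIES = {"none": 0, "tx": 1, "rx": 1, "txrx": 2}   # mirrored channels per Type value


@dataclass
class MirrorSession:                                 # hypothetical model of the dialog
    destination: str                                 # Primary port
    dest_speed_mbps: int
    sources: dict = field(default_factory=dict)      # port -> (Type, port speed in Mbit/s)
    vlan_mirror_id: int = 0                          # VLAN mirroring, Source VLAN ID
    rspan_vlan_id: int = 0                           # RSPAN, VLAN ID
    allow_management: bool = False
    redundancy_ports: set = field(default_factory=set)    # ports used by L2 redundancy
    mgmt_vlan_members: set = field(default_factory=set)
    rspan_vlan_members: set = field(default_factory=set)


def mirrored_load_mbps(session, utilization=1.0):
    """Data rate arriving at the destination port for a given source utilization (0..1)."""
    return sum(COPIES[kind] * speed * utilization
               for kind, speed in session.sources.values())


def validate(session, utilization=1.0):
    """Return the list of constraint violations, in the order the section states them."""
    findings = []
    active = {port for port, (kind, _) in session.sources.items() if kind != "none"}
    if session.destination in active:
        findings.append("destination-is-source")
    if session.destination in session.redundancy_ports:
        findings.append("destination-in-l2-redundancy")
    for label, vid in (("vlan-mirroring", session.vlan_mirror_id),
                       ("rspan", session.rspan_vlan_id)):
        if vid != 0 and not VLAN_MIN <= vid <= VLAN_MAX:
            findings.append(f"vlan-id-out-of-range:{label}")
    # A source VLAN can only be specified when no source port is specified.
    if session.vlan_mirror_id != 0 and active:
        findings.append("vlan-mirroring-with-source-ports")
    # Mirrored ports may not be members of the RSPAN VLAN.
    if session.rspan_vlan_id != 0:
        for port in sorted(active & session.rspan_vlan_members):
            findings.append(f"source-in-rspan-vlan:{port}")
    # Management via the destination port requires that it is not in the management VLAN.
    if session.allow_management and session.destination in session.mgmt_vlan_members:
        findings.append("management-prerequisite-unmet")
    # Surplus packets are discarded on the destination port, so the capture is incomplete.
    if mirrored_load_mbps(session, utilization) > session.dest_speed_mbps:
        findings.append("destination-oversubscribed")
    return findings


# Constructed sample sessions.
RISKY = MirrorSession("1/4", 1000, {"1/1": ("txrx", 1000), "1/2": ("rx", 100)},
                      rspan_vlan_id=4050, allow_management=True,
                      mgmt_vlan_members={"1/4", "1/5"}, rspan_vlan_members={"1/2"})
HALF = MirrorSession("1/4", 1000, {"1/1": ("txrx", 1000)})

if __name__ == "__main__":
    print(validate(RISKY))
    print(mirrored_load_mbps(HALF, 0.5), validate(HALF, 0.5), validate(HALF))
```

An oversubscribed destination port matters for monitoring: packets dropped there are missing from the analyzer's view without any effect on the source port.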


Diagnostics > LLDP

6.6 LLDP

The device allows you to gather information about neighboring devices. For this, the device uses the
Link Layer Discovery Protocol (LLDP). This information enables a network management station to map
the structure of your network.
This menu allows you to configure the topology discovery and to display the information received in table
form.
The menu contains the following dialogs:
 LLDP Configuration
 LLDP Topology Discovery


Diagnostics > LLDP > Configuration

6.6.1 LLDP Configuration

This dialog allows you to configure the topology discovery for every port.

 Operation

Parameters Meaning
Operation Enables/disables the LLDP function.
Possible values:
 On (default setting)
The LLDP function is enabled.
The topology discovery using LLDP is active on the device.
 Off
The LLDP function is disabled.

 Configuration

Parameters Meaning
Transmit interval [s] Specifies the interval in seconds at which the device transmits LLDP data packets.
Possible values:
 5..32768 (default setting: 30)
Transmit interval multiplier Specifies the factor for determining the time-to-live value for the LLDP data packets.
Possible values:
 2..10 (default setting: 4)
The time-to-live value coded in the LLDP header results from multiplying this value with the value
in the Transmit interval [s] field.
Reinit delay [s] Specifies the delay in seconds for the reinitialization of a port.
Possible values:
 1..10 (default setting: 2)
If in the Operation column the value Off is specified, the device tries to reinitialize the port after
the time specified here has elapsed.
Transmit delay [s] Specifies the delay in seconds for transmitting successive LLDP data packets after configuration
changes in the device occur.
Possible values:
 1..8192 (default setting: 2)
The recommended value is between a minimum of 1 and a maximum of a quarter of the value in
the Transmit interval [s] field.
Notification interval [s] Specifies the interval in seconds for transmitting LLDP notifications.
Possible values:
 5..3600 (default setting: 5)
After transmitting a notification trap, the device waits for a minimum of the time specified here
before transmitting the next notification trap.


 Table

Parameters Meaning
Port Displays the port number.
Operation Specifies whether the port transmits and receives LLDP data packets.
Possible values:
 transmit
The port transmits LLDP data packets but does not save any information about neighboring
devices.
 receive
The port receives LLDP data packets but does not transmit any information to neighboring
devices.
 receive and transmit (default setting)
The port transmits LLDP data packets and saves information about neighboring devices.
 disabled
The port does not transmit LLDP data packets and does not save information about
neighboring devices.
Notification Activates/deactivates the LLDP notifications on the port.
Possible values:
 marked
LLDP notifications are active on the port.
 unmarked (default setting)
LLDP notifications are inactive on the port.
Transmit port description Activates/deactivates the transmitting of a TLV (Type Length Value) with the port description.
Possible values:
 marked (default setting)
The transmitting of the TLV is active.
The device transmits the TLV with the port description.
 unmarked
The transmitting of the TLV is inactive.
The device does not transmit a TLV with the port description.
Transmit system name Activates/deactivates the transmitting of a TLV (Type Length Value) with the device name.
Possible values:
 marked (default setting)
The transmitting of the TLV is active.
The device transmits the TLV with the device name.
 unmarked
The transmitting of the TLV is inactive.
The device does not transmit a TLV with the device name.
Transmit system description Activates/deactivates the transmitting of the TLV (Type Length Value) with the system description.
Possible values:
 marked (default setting)
The transmitting of the TLV is active.
The device transmits the TLV with the system description.
 unmarked
The transmitting of the TLV is inactive.
The device does not transmit a TLV with the system description.
Transmit system capabilities Activates/deactivates the transmitting of the TLV (Type Length Value) with the system capabilities.
Possible values:
 marked (default setting)
The transmitting of the TLV is active.
The device transmits the TLV with the system capabilities.
 unmarked
The transmitting of the TLV is inactive.
The device does not transmit a TLV with the system capabilities.
Neighbors (max.) Limits the number of neighboring devices to be recorded for this port.
Possible values:
 1..50 (default setting: 10)

FDB mode Specifies which function the device uses to record neighboring devices on this port.
Possible values:
 lldpOnly
The device uses LLDP data packets exclusively to record neighboring devices on this port.
 macOnly
The device uses learned MAC addresses to record neighboring devices on this port. The
device uses the MAC address exclusively if there is no other entry in the address table (FDB,
Forwarding Database) for this port.
 both
The device uses LLDP data packets and learned MAC addresses to record neighboring
devices on this port.
 autoDetect (default setting)
If the device receives LLDP data packets at this port, the device works the same as with the
lldpOnly setting. Otherwise, the device works the same as with the macOnly setting.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
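
The Transmit checkboxes in the table above decide which optional TLVs a neighbor receives, and the time-to-live follows from the transmit interval and its multiplier. The added example below (not Hirschmann code) builds and parses an LLDPDU with the IEEE 802.1AB TLV layout to show what each setting puts on the wire. The sample MAC address, names and descriptions are constructed, and capping the TTL at 65535 reflects the 16-bit field, not documented device behaviour.

```python
import struct

TLV_NAMES = {1: "chassis_id", 2: "port_id", 3: "ttl", 4: "port_description",
             5: "system_name", 6: "system_description", 7: "system_capabilities"}
OPTIONAL = {"port_description", "system_name", "system_description", "system_capabilities"}


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in a 16-bit header, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length does not fit the 16-bit TLV header")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, transmit_interval=30, multiplier=4,
                 port_description=None, system_name=None,
                 system_description=None, capabilities=None):
    """Build an LLDPDU; an optional TLV is sent only when its argument is not None."""
    ttl = min(transmit_interval * multiplier, 0xFFFF)   # interval x multiplier, 16-bit field
    pdu = tlv(1, b"\x04" + chassis_mac)                 # chassis ID subtype 4: MAC address
    pdu += tlv(2, b"\x05" + port_name.encode())         # port ID subtype 5: interface name
    pdu += tlv(3, struct.pack("!H", ttl))
    for tlv_type, text in ((4, port_description), (5, system_name), (6, system_description)):
        if text is not None:
            pdu += tlv(tlv_type, text.encode())
    if capabilities is not None:                        # (supported, enabled) bit masks
        pdu += tlv(7, struct.pack("!HH", *capabilities))
    return pdu + tlv(0, b"")                            # End of LLDPDU


def parse_lldpdu(pdu):
    """Decode an LLDPDU into {name: value}; raise ValueError on malformed input."""
    fields, offset = {}, 0
    while True:
        if offset + 2 > len(pdu):
            raise ValueError("LLDPDU ends without an End TLV")
        (header,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        value = pdu[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past the end of the LLDPDU")
        offset += 2 + length
        if tlv_type == 0:
            break
        name = TLV_NAMES.get(tlv_type, f"tlv_{tlv_type}")
        if tlv_type in (1, 2):
            if length < 2:
                raise ValueError(f"{name} TLV is too short")
            subtype, body = value[0], value[1:]
            is_mac = (tlv_type == 1 and subtype == 4) or (tlv_type == 2 and subtype == 3)
            fields[name] = body.hex(":") if is_mac else body.decode(errors="replace")
        elif tlv_type == 3:
            if length != 2:
                raise ValueError("TTL TLV must carry 2 bytes")
            fields[name] = struct.unpack("!H", value)[0]
        elif tlv_type == 7:
            if length != 4:
                raise ValueError("system capabilities TLV must carry 4 bytes")
            supported, enabled = struct.unpack("!HH", value)
            fields[name] = {"supported": supported, "enabled": enabled}
        elif tlv_type in (4, 5, 6):
            fields[name] = value.decode(errors="replace")
        else:
            fields[name] = value.hex()                  # not decoded in this example
    for required in ("chassis_id", "port_id", "ttl"):
        if required not in fields:
            raise ValueError(f"mandatory TLV missing: {required}")
    return fields


def disclosed(fields):
    """Optional TLVs present in a parsed LLDPDU, i.e. what the neighbor learns."""
    return sorted(OPTIONAL.intersection(fields))


# Constructed sample values. 0x0004 is the "bridge" bit of the capabilities mask.
MAC = bytes.fromhex("02005e000001")
DEFAULT_PDU = build_lldpdu(MAC, "1/1", port_description="constructed port description",
                           system_name="switch-constructed",
                           system_description="constructed system description",
                           capabilities=(0x0004, 0x0004))
# Transmit system name and Transmit system description unmarked:
REDUCED_PDU = build_lldpdu(MAC, "1/1", port_description="constructed port description",
                           capabilities=(0x0004, 0x0004))

if __name__ == "__main__":
    print(parse_lldpdu(DEFAULT_PDU))
    print(disclosed(parse_lldpdu(REDUCED_PDU)))
```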


Diagnostics > LLDP > Topology Discovery

6.6.2 LLDP Topology Discovery

Devices in networks send notifications in the form of packets which are also known as "LLDPDU" (LLDP
data units). The data sent and received via LLDPDUs is useful for many purposes. In this way, the device
detects which devices in the network are neighbors and via which ports they are connected.
The dialog allows you to display the network and to detect the connected devices along with their
specific features.

The dialog contains the following tabs:


 [LLDP]
 [LLDP-MED]


[LLDP]
This tab displays the collected LLDP information for the neighboring devices. This information enables
a network management station to map the structure of your network.
When devices both with and without an active topology discovery function are connected to a port, the
topology table hides the devices without active topology discovery.
When devices without active topology discovery are connected to a port exclusively, then the table
contains one line for this port to represent every device. This line contains the number of connected
devices.
The Forwarding Database (FDB) address table contains MAC addresses of devices that the topology
table hides for the sake of clarity.
If you use 1 port to connect several devices, for example via a hub, the table contains 1 line for each
connected device.

 Table

Parameters Meaning
Port Displays the port number.
Neighbor identifier Displays the chassis ID of the neighboring device. This can be the base MAC address of the
neighboring device, for example.
FDB Displays whether or not the connected device has active LLDP support.
Possible values:
 marked
The connected device does not have active LLDP support.
The device uses information from its address table (FDB, Forwarding Database).
 unmarked (default setting)
The connected device has active LLDP support.
Neighbor IP address Displays the IP address with which the management access to the neighboring device is possible.
Neighbor port description Displays a description for the port of the neighboring device.
Neighbor system name Displays the device name of the neighboring device.
Neighbor system description Displays a description for the neighboring device.
Port ID Displays the ID of the port through which the neighboring device is connected to the device.
Autonegotiation supported Displays whether the port of the neighboring device supports autonegotiation.
Autonegotiation Displays whether autonegotiation is enabled on the port of the neighboring device.
PoE supported Displays whether the port of the neighboring device supports Power over Ethernet (PoE).
PoE enabled Displays whether Power over Ethernet (PoE) is enabled on the port of the neighboring device.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


[LLDP-MED]
LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between
endpoint devices and network devices. It specifically provides support for VoIP applications. In this
support role, it provides an additional set of common advertisement messages in Type Length Value (TLV)
format. The device uses the TLVs for capabilities discovery such as network policy, Power over
Ethernet, inventory management and location information.

 Table

Parameters Meaning
Port Displays the port number.
Device class Displays the device class of the remotely connected device.
 A value of notDefined indicates that the device has capabilities not covered by any of the
LLDP-MED classes.
 A value of endpointClass1..3 indicates that the device has "endpoint class 1..3" capabilities.
 A value of networkConnectivity indicates that the device has network connectivity device
capabilities.
VLAN ID Displays the extension of the VLAN Identifier for the remote system connected to this port, as
defined in IEEE 802.3.
 The device uses a value from 1 through 4042 to specify a valid Port VLAN ID.
 The device displays the value 0 for priority tagged packets. This means that only the 802.1D
priority is significant and the device uses the default VLAN ID of the ingress port.
Priority Displays the value of the 802.1D priority which is associated with the remote system connected to
the port.
DSCP Displays the value of the Differentiated Service Code Point (DSCP) which is associated with the
remote system connected to the port.
Unknown bit status Displays the unknown bit status of incoming traffic.
 A value of true indicates that the network policy for the specified application type is currently
unknown. In this case, the VLAN ID ignores the Layer 2 priority and value of the DSCP field.
 A value of false indicates a specified network policy.
Tagged bit status Displays the tagged bit status.
 A value of true indicates that the application uses a tagged VLAN.
 A value of false indicates that for the specific application the device uses untagged VLAN
operation. In this case, the device ignores both the VLAN ID and the Layer 2 priority fields. The
DSCP value, however, is relevant.
Hardware revision Displays the vendor-specific hardware revision string as advertised by the remote endpoint.
Firmware revision Displays the vendor-specific firmware revision string as advertised by the remote endpoint.
Software revision Displays the vendor-specific software revision string as advertised by the remote endpoint.
Serial number Displays the vendor-specific serial number as advertised by the remote endpoint.
Manufacturer name Displays the vendor-specific manufacturer name as advertised by the remote endpoint.
Model name Displays the vendor-specific model name as advertised by the remote endpoint.
Asset ID Displays the vendor-specific asset tracking identifier as advertised by the remote endpoint.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Diagnostics > SFlow

6.7 SFlow

sFlow is a standard protocol for monitoring networks. The device contains the sFlow feature which gives
you visibility into network activity, allowing for effective management and control of network resources.
The sFlow monitoring system consists of an sFlow agent and a central sFlow collector. The agent uses
the following forms of sampling:
 statistical packet-based sampling of packet flows
 time-based sampling of counters
The device combines both types of samples into datagrams. sFlow uses the datagrams to forward the
sampled traffic statistics to an sFlow collector for analysis.
In order to perform packet flow sampling, you configure an instance with a sampling rate. You then
configure the instance with a polling interval for counter sampling.
The menu contains the following dialogs:
 SFlow Configuration
 SFlow Receiver

Diagnostics > SFlow > Configuration

6.7.1 SFlow Configuration

This dialog displays device parameters and allows you to set up sFlow instances.

The dialog contains the following tabs:


 [Global ]
 [Sampler ]
 [Poller ]


[Global ]

 Information

Parameters Meaning
Version Displays the MIB version, the organization responsible for agent implementation, and the device
software revision.
IP address Displays the IP address associated with the agent providing SNMP connectivity.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


[Sampler ]

 Table

Parameters Meaning
Port Displays the physical source of data for the sampler.
Receiver Displays the receiver index associated with the sampler.
Sampling rate Specifies the static sampling rate for the sampling of the packets from this source.
Possible values:
 0 (default setting)
Deactivates the sampling.
 256..65535
When the port receives data, the device counts up to the set value and then samples the
data.
Max. header size [byte] Specifies the maximum header size in bytes copied from a sampled packet.
Possible values:
 20..256 (default setting: 128)

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


[Poller ]

 Table

Parameters Meaning
Port Displays the physical source of data for the poller counter.
Receiver Displays the receiver index associated with the query counter.
Possible values:
 0..8 (default setting: 0)
Interval [s] Specifies the maximum number of seconds between successive samples of the counters which
are associated with this data source.
Possible values:
 0..86400 (default setting: 0)
A sampling interval with the value 0 deactivates the sampling of the counters.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Diagnostics > SFlow > Receiver

6.7.2 SFlow Receiver

In order to avoid a condition where 2 persons or organizations attempt to assume control of the same
sampler, the person or organization sets both the Name and Timeout [s] parameters in the same
SNMP set request.
When releasing a sampler, the controlling person or organization deletes the value in the Name column.
The controlling person or organization also restores the other parameters in this row to their default
settings.

 Table

Parameters Meaning
Index Displays the index number to which the table entry relates.
Name Specifies the name of the person or company which uses the entry. An empty field indicates that
the entry is currently unused. Edit this field before making changes to other sampler parameters.
Possible values:
 Alphanumeric ASCII character string with 0..127 characters
Timeout [s] Displays the time, in seconds, remaining before the sampler is released and stops sampling.
Datagram size [byte] Specifies the maximum number of data bytes that are sent in one sample datagram.
Possible values:
 200..3996 (default setting: 1400)
IP address Specifies the IP address of the sFlow collector.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Destination UDP port Specifies the number of the UDP port for sFlow datagrams.
Possible values:
 1..65535 (default setting: 6343)
Exception: Port 2222 is reserved for internal functions.
Datagram version Displays the version of sFlow datagrams requested.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Diagnostics > Report

6.8 Report

The menu contains the following dialogs:


 Report Global
 Persistent Logging
 System Log
 Audit Trail

Diagnostics > Report > Global

6.8.1 Report Global

The device allows you to log specific events using the following outputs:
 on the console
 on one or more syslog servers
 on a CLI connection set up using SSH
 on a CLI connection set up using Telnet
In this dialog, you specify the required settings. By assigning the severity you specify which events the
device registers.
The dialog allows you to save a ZIP archive with system information on your PC.

 Console logging

Parameters Meaning
Operation Enables/disables the Console logging function.
Possible values:
 On
The Console logging function is enabled.
The device logs the events on the console.
 Off (default setting)
The Console logging function is disabled.
Severity Specifies the minimum severity for the events. The device logs events with this severity and with
more urgent severities.
The device outputs the messages on the V.24 interface.
Possible values:
 emergency
 alert
 critical
 error
 warning (default setting)
 notice
 informational
 debug

 Buffered logging
The device buffers logged events in 2 separate storage areas so that the log entries for urgent events
are kept.
This dialog allows you to specify the minimum severity for events that the device buffers in the
storage area with a higher priority.

Parameters Meaning
Severity Specifies the minimum severity for the events. The device buffers log entries for events with this
severity and with more urgent severities in the storage area with a higher priority.
Possible values:
 emergency
 alert
 critical
 error
 warning (default setting)
 notice
 informational
 debug

 SNMP logging

Parameters Meaning
Log SNMP get request Enables/disables the logging of SNMP Get requests.
Possible values:
 On
The logging is enabled.
The device registers SNMP Get requests as events in the syslog.
In the Severity get request drop-down list, you select the severity for this event.
 Off (default setting)
The logging is disabled.
Log SNMP set request Enables/disables the logging of SNMP Set requests.
Possible values:
 On
The logging is enabled.
The device registers SNMP Set requests as events in the syslog.
In the Severity set request drop-down list, you select the severity for this event.
 Off (default setting)
The logging is disabled.
Severity get request Specifies the severity of the event that the device registers for SNMP Get requests.
Possible values:
 emergency
 alert
 critical
 error
 warning
 notice (default setting)
 informational
 debug
Severity set request Specifies the severity of the event that the device registers for SNMP Set requests.
Possible values:
 emergency
 alert
 critical
 error
 warning
 notice (default setting)
 informational
 debug


When you enable the logging of SNMP requests, the device sends these as events with the preset
severity notice to the list of syslog servers. The preset minimum severity for a syslog server entry is
critical. Because notice is less urgent than critical, the syslog servers do not receive these events
with the default settings.
To send SNMP requests to a syslog server, you have a number of options to change the default
settings. Select the ones that meet your requirements best.
 Set the severity for which the device creates SNMP requests as events to warning or error and
change the minimum severity for a syslog entry for one or more syslog servers to the same value.
You also have the option of creating a separate syslog server entry for this.
 Set the severity for SNMP requests to critical or higher. The device then sends
SNMP requests as events with the severity critical or higher to the syslog servers.
 Set the minimum severity for one or more syslog server entries to notice or lower.
It is then possible that the device sends many events to the syslog servers.
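
The following added example (not part of the manual and not HiOS code) models the severity filter described above and compares the presets with the three options, so you can see which settings actually deliver SNMP Set events to a syslog server and how many other events come along. The configuration keys, the server name `siem` and the event list are constructed for illustration.

```python
# Added example: models the severity filter described above. The cfg keys and
# the sample events are constructed for illustration, not HiOS identifiers.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}  # 0 = most urgent


def passes(event_severity, minimum_severity):
    """A sink takes events of its minimum severity and anything more urgent."""
    return RANK[event_severity] <= RANK[minimum_severity]


def delivered(events, cfg):
    """Return {server name: [(source, severity), ...]} for one configuration."""
    out = {name: [] for name in cfg["syslog_servers"]}
    for source, severity in events:
        if source in ("snmp-get", "snmp-set"):
            kind = source.split("-")[1]
            if not cfg[f"log_snmp_{kind}"]:
                continue                      # request logging switched off
            severity = cfg[f"severity_{kind}_request"]
        for name, minimum in cfg["syslog_servers"].items():
            if passes(severity, minimum):
                out[name].append((source, severity))
    return out


def snmp_visible(events, cfg):
    """True when at least one server receives the SNMP Set events."""
    return any(src == "snmp-set"
               for hits in delivered(events, cfg).values() for src, _ in hits)


# Constructed event mix: one SNMP Set plus ordinary device events.
EVENTS = [("snmp-set", None), ("link", "notice"), ("link", "notice"),
          ("login", "informational"), ("temperature", "warning"),
          ("psu", "critical")]

# Presets from the text: SNMP events at notice, server entry at critical.
PRESET = {"log_snmp_get": False, "log_snmp_set": True,
          "severity_get_request": "notice", "severity_set_request": "notice",
          "syslog_servers": {"siem": "critical"}}

# The three options listed above, applied to the preset.
OPTION_1 = {**PRESET, "severity_set_request": "warning",
            "syslog_servers": {"siem": "warning"}}
OPTION_2 = {**PRESET, "severity_set_request": "critical"}
OPTION_3 = {**PRESET, "syslog_servers": {"siem": "notice"}}


def summary():
    """Return {config name: (SNMP Set visible?, events sent to 'siem')}."""
    configs = {"preset": PRESET, "option 1": OPTION_1,
               "option 2": OPTION_2, "option 3": OPTION_3}
    return {name: (snmp_visible(EVENTS, cfg),
                   len(delivered(EVENTS, cfg)["siem"]))
            for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, (visible, count) in summary().items():
        print(f"{name:9} snmp-set delivered={visible!s:5} events={count}")
```
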

 CLI logging

Parameters Meaning
Operation Enables/disables the CLI logging function.
Possible values:
 On
The CLI logging function is enabled.
The device logs every command received using the Command Line Interface (CLI).
 Off (default setting)
The CLI logging function is disabled.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Download support information Generates a ZIP archive which the web browser offers to you for download on your PC.
The ZIP archive contains system information about the device. You will find an explanation of the
files contained in the ZIP archive in the following section.

 Support Information: Files contained in ZIP archive

File name Format Comments


audittrail.html HTML Contains the chronological recording of the system events and saved user
changes in the Audit Trail.
defaultconfig.xml XML Contains the configuration profile with the default settings.
script TEXT Contains the output of CLI command show running-config script.
runningconfig.xml XML Contains the configuration profile with the current operating settings.
supportinfo.html TEXT Contains device internal service information.
systeminfo.html HTML Contains information about the current settings and operating parameters.
systemlog.html HTML Contains the logged events in the Log file. See the Diagnostics >
Report > System Log dialog.


 Meaning of the severities for events

Severity Meaning
emergency Device not ready for operation
alert Immediate user intervention required
critical Critical status
error Error status
warning Warning
notice Significant, normal status
informational Informal message
debug Debug message

Diagnostics > Report > Persistent Logging

6.8.2 Persistent Logging

The device allows you to save log entries permanently in a file on the external memory. Therefore, even
after the device is restarted you have access to the log entries.
In this dialog, you limit the size of the log file and specify the minimum severity for the events to be
saved. If the log file attains the specified size, the device archives this file and saves the following log
entries in a newly created file.
The table displays the log files held on the external memory. As soon as the specified
maximum number of files has been attained, the device deletes the oldest file and renames the
remaining files. This ensures that there is always enough memory space on the external memory.

 Operation

Parameters Meaning
Operation Enables/disables the Persistent Logging function.
Only activate this function when the external memory is available on the device.
Possible values:
 On (default setting)
The Persistent Logging function is enabled.
The device saves the log entries in a file on the external memory.
 Off
The Persistent Logging function is disabled.

 Configuration

Parameters Meaning
Max. file size [kbyte] Specifies the maximum size of the log file in KBytes. If the log file attains the specified size, the
device archives this file and saves the following log entries in a newly created file.
Possible values:
 0..4096 (default setting: 1024)
The value 0 deactivates saving of log entries in the log file.
Files (max.) Specifies the number of log files that the device keeps on the external memory.
As soon as the specified maximum number of files has been attained, the device deletes the
oldest file and renames the remaining files.
Possible values:
 0..25 (default setting: 4)
The value 0 deactivates saving of log entries in the log file.
Severity Specifies the minimum severity of the events. The device saves the log entry for events with this
severity and with more urgent severities in the log file on the external memory.
Possible values:
 emergency
 alert
 critical
 error
 warning (default setting)
 notice
 informational
 debug

Log file target Specifies the external memory device for logging.
Possible values:
 sd
External SD memory (ACA31)
 usb
External USB memory (ACA22)

 Table

Parameters Meaning
Index Displays the index number to which the table entry relates.
Possible values:
 1..25
The device automatically assigns this number.
File name Displays the file name of the log file on the external memory.
Possible values:
 messages
 messages.X
File size [byte] Displays the size of the log file on the external memory in bytes.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Delete persistent log file Removes the log files from the external memory.

Diagnostics > Report > System Log

6.8.3 System Log

The device logs important device-internal events in a log file (System Log).
This dialog displays the log file (System Log). The dialog allows you to save the log file in HTML format
on your PC.
In order to search the log file for search terms, use the search function of your web browser.
The log file is kept until a restart is performed on the device. After the restart the device creates the file
again.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Save log file Opens the HTML page in a new web browser window or tab. You can save the HTML page on
your PC using the appropriate web browser command.
Delete log file Removes the logged events from the log file.

Diagnostics > Report > Audit Trail

6.8.4 Audit Trail

This dialog displays the log file (Audit Trail). The dialog allows you to save the log file as an HTML file
on your PC.
In order to search the log file for search terms, use the search function of your web browser.
The device logs system events and write actions by users on the device. This gives you the option of
following WHO changes WHAT on the device WHEN. The prerequisite is that the user role auditor or
administrator is assigned to your user account.
The device logs the following user actions, among others:
 A user logging on via CLI (local or remote)
 A user logging off manually
 Automatic logging off of a user in CLI after a specified period of inactivity
 Device restart
 Locking of a user account due to too many failed logon attempts
 Locking of the management access due to failed logon attempts
 Commands executed in CLI, apart from show commands
 Changes to configuration variables
 Changes to the system time
 File transfer operations, including firmware updates
 Configuration changes via HiDiscovery
 Firmware updates and automatic configuration of the device via the external memory
 Opening and closing of SNMP via an HTTPS tunnel
The device does not log passwords. The logged entries are write-protected and remain saved in the
device after a restart.

Note: During the restart, access to the system monitor is possible using the default settings of the
device. When an attacker gains physical access to the device, they are able to reset the device settings
to their default values using the system monitor. After this, the device and log file are accessible using the
standard password. Take appropriate measures to restrict physical access to the device. Otherwise,
deactivate access to the system monitor. See the Diagnostics > System > Selftest dialog, SysMon1
is available checkbox.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Save audit trail file Opens the HTML page in a new web browser window or tab. You can save the HTML page on
your PC using the appropriate web browser command.

7 Advanced

The menu contains the following dialogs:


 DHCP L2 Relay
 DHCP Server
 DNS
 Industrial Protocols

Advanced > DHCP L2 Relay

7.1 DHCP L2 Relay

A network administrator uses the DHCP L2 Relay Agent to add DHCP client information. L3 Relay
Agents and DHCP servers need the DHCP client information to assign an IP address and a
configuration to the clients.
When active, the relay adds Option 82 information configured in this dialog to the packets before it relays
DHCP requests from the clients to the server. The Option 82 fields provide unique information about the
client and relay. This unique identifier consists of a Circuit ID for the client and a Remote ID for the relay.
In addition to the type, length, and multicast fields, the Circuit ID includes the VLAN ID, unit number, slot
number, and port number for the connected client.
The Remote ID consists of a type and length field and either a MAC address, IP address, client identifier,
or a user-defined device description. A client identifier is the user-defined system name for the device.
The menu contains the following dialogs:
 DHCP L2 Relay Configuration
 DHCP L2 Relay Statistics

Advanced > DHCP L2 Relay > Configuration

7.1.1 DHCP L2 Relay Configuration

This dialog allows you to activate the relay function on an interface and VLAN. When you activate this
function on a port, the device either relays the Option 82 information or drops the information on
untrusted ports. Furthermore, the device allows you to specify the VLAN remote identifier.

The dialog contains the following tabs:


 [Interface ]
 [VLAN ID ]

 Operation

Parameters Meaning
Operation Enables/disables the DHCP L2 Relay function of the device globally.
Possible values:
 On
Enables the DHCP Layer 2 Relay function of the device.
 Off (default setting)
Disables the DHCP Layer 2 Relay function of the device.


[Interface ]

 Table

Parameters Meaning
Port Displays the port number.
Active Activates/deactivates the DHCP L2 Relay function on the port.
The prerequisite is that you enable the function globally.
Possible values:
 marked
The DHCP L2 Relay function is active.
 unmarked (default setting)
The DHCP L2 Relay function is inactive.
Trusted port Activates/deactivates the secure DHCP L2 Relay mode for the corresponding port.
Possible values:
 marked
The device accepts DHCP packets with Option 82 information.
 unmarked (default setting)
The device discards DHCP packets received on non-secure ports that contain Option 82
information.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.


[VLAN ID ]

 Table

Parameters Meaning
VLAN ID VLAN to which the table entry relates.
Active Activates/deactivates the DHCP Layer 2 Relay function on the VLAN.
The prerequisite is that you enable the function globally.
Possible values:
 marked
The DHCP Layer 2 Relay function is active.
 unmarked (default setting)
The DHCP Layer 2 Relay function is inactive.
Circuit ID Activates or deactivates the addition of the Circuit ID to the Option 82 information.
Possible values:
 marked (default setting)
Enables Circuit ID and Remote ID to be sent together.
 unmarked
The device sends the Remote ID exclusively.
Remote ID type Specifies the components of the Remote ID for this VLAN.
Possible values:
 ip
Specifies the IP address of the device as Remote ID.
 mac (default setting)
Specifies the MAC address of the device as Remote ID.
 client-id
Specifies the system name of the device as Remote ID.
 other
Enter in the Remote ID column user-defined information if you use this value.
Remote ID Displays the Remote ID for the VLAN.
Specify the identifier when you specify the value other in the Remote ID type column.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Advanced > DHCP L2 Relay > Statistics

7.1.2 DHCP L2 Relay Statistics

The device monitors the traffic on the ports and displays the results in tabular form.
This table is divided into various categories to aid you in traffic analysis.

 Table

Parameters Meaning
Port Displays the port number.
Untrusted server messages with Option 82 Displays the number of DHCP server messages received with Option 82 information on the untrusted interface.
Untrusted client messages with Option 82 Displays the number of DHCP client messages received with Option 82 information on the untrusted interface.
Trusted server messages without Option 82 Displays the number of DHCP server messages received without Option 82 information on the trusted interface.
Trusted client messages without Option 82 Displays the number of DHCP client messages received without Option 82 information on the trusted interface.
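
The following added example (not part of the manual and not HiOS code) parses Option 82 from a DHCP message using the sub-option codes of RFC 3046, applies the Trusted port rule from the DHCP L2 Relay Configuration dialog, and sorts messages into the four counters of the table above. The function names, counter keys and sample messages are constructed; the Circuit ID and Remote ID are treated as opaque bytes because the manual does not give their byte layout.

```python
from collections import Counter

MAGIC_COOKIE = bytes.fromhex("63825363")  # precedes the DHCP options (RFC 2131)
OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2      # RFC 3046 sub-option codes
BOOTREQUEST, BOOTREPLY = 1, 2             # "op" field: client / server message


def parse_tlvs(buf, dhcp_level):
    """Walk code/length/value triples; ValueError on a truncated field."""
    items, i = [], 0
    while i < len(buf):
        code = buf[i]
        if dhcp_level and code == OPT_PAD:   # pad and end have no length byte
            i += 1
            continue
        if dhcp_level and code == OPT_END:
            break
        if i + 2 > len(buf):
            raise ValueError("length byte missing")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("value runs past end of buffer")
        items.append((code, value))
        i += 2 + length
    return items


def extract_option82(packet):
    """Return (op, sub-option dict) or (op, None) if Option 82 is absent."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    for code, value in parse_tlvs(packet[240:], dhcp_level=True):
        if code == OPT_RELAY_AGENT_INFO:
            return packet[0], dict(parse_tlvs(value, dhcp_level=False))
    return packet[0], None


def relay_ingress(packet, trusted, stats):
    """Apply the Trusted port rule and update the four statistics counters."""
    op, opt82 = extract_option82(packet)
    role = "server" if op == BOOTREPLY else "client"
    if not trusted and opt82 is not None:
        stats[f"untrusted_{role}_with_opt82"] += 1
        return "discard"
    if trusted and opt82 is None:
        # Counted in the Statistics dialog; the page does not say whether the
        # device also drops these, so this sketch only counts them.
        stats[f"trusted_{role}_without_opt82"] += 1
    return "accept"


def build_dhcp(op, options):
    """Constructed sample message: zeroed BOOTP header plus raw options."""
    header = bytes([op, 1, 6, 0]) + bytes(232)   # 236 bytes up to the cookie
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


# Constructed values; the device's real Circuit ID layout is not reproduced.
CIRCUIT_ID = bytes.fromhex("0001000105")
REMOTE_ID = bytes.fromhex("001122334455")
OPT82 = (bytes([SUB_CIRCUIT_ID, len(CIRCUIT_ID)]) + CIRCUIT_ID +
         bytes([SUB_REMOTE_ID, len(REMOTE_ID)]) + REMOTE_ID)
DISCOVER = bytes([53, 1, 1])                     # DHCP message type: DISCOVER
OFFER = bytes([53, 1, 2])                        # DHCP message type: OFFER
CLIENT_WITH_82 = build_dhcp(
    BOOTREQUEST, DISCOVER + bytes([OPT_RELAY_AGENT_INFO, len(OPT82)]) + OPT82)
SERVER_PLAIN = build_dhcp(BOOTREPLY, OFFER)

if __name__ == "__main__":
    stats = Counter()
    print(relay_ingress(CLIENT_WITH_82, trusted=False, stats=stats))
    print(relay_ingress(CLIENT_WITH_82, trusted=True, stats=stats))
    print(relay_ingress(SERVER_PLAIN, trusted=True, stats=stats))
    print(dict(stats))
```

A rising count of untrusted messages with Option 82 on an access port indicates that a connected device is inserting relay information itself, which is worth investigating before marking that port as trusted.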

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Reset Resets the entire table.

Advanced > DHCP Server

7.2 DHCP Server

With the DHCP server, you manage a database of available IP addresses and configuration information.
When the device receives a request from a client, the DHCP server validates the DHCP client network,
and then leases an IP address. When activated, the DHCP server also allocates configuration
information appropriate for that client. The configuration information specifies, for example, which IP
address, DNS server and the default route a client uses.
The DHCP server assigns an IP address to a client for a user-defined interval. The DHCP client is
responsible for renewing the IP address before the interval expires. If the DHCP client is unable to renew
the address then the address returns to the pool for reassignment.
The menu contains the following dialogs:
 DHCP Server Global
 DHCP Server Pool
 DHCP Server Lease Table

Advanced > DHCP Server > Global

7.2.1 DHCP Server Global

Activate the function either globally or per port according to your requirements.

 Operation

Parameters Meaning
Operation Enables/disables the DHCP server function of the device globally.
Possible values:
 On
 Off (default setting)

 Table

Parameters Meaning
Port Displays the port number.
DHCP server active Activates/deactivates the DHCP server function on this port.
The prerequisite is that you enable the function globally.
Possible values:
 marked (default setting)
The DHCP server function is active.
 unmarked
The DHCP server function is inactive.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Advanced > DHCP Server > Pool

7.2.2 DHCP Server Pool

Assign an IP address to an end device or switch connected to a port or included in a VLAN.


The DHCP server provides IP address pools from which it allocates IP addresses to clients. A pool
consists of a list of entries. Specify an entry as static to a specific IP address, or as dynamic to an IP
address range. The device accommodates up to 128 pools.
With static allocation, the DHCP server assigns an IP address to a specific client. The DHCP server
identifies the client using a unique hardware ID. A static address entry contains 1 IP address. You apply
this IP address to every port or to a specific port of the device. For static allocation, enter an IP address
for allocation in the IP address field, and leave the Last IP address column empty. Enter a hardware
ID with which the DHCP server uniquely identifies the client. This ID is either a MAC address, a
Client ID, a Remote ID, or a Circuit ID. If a client contacts the device with a known hardware ID, the
DHCP server allocates the static IP address.
In dynamic allocation, if a DHCP client makes contact on a port, the DHCP server assigns an available
IP address from a pool for this port. For dynamic allocation, create a pool for the ports by assigning an
IP address range. Specify the first and last IP addresses for the IP address range. Leave the MAC
address , Client ID , Remote ID and Circuit ID fields empty. You have the option of creating multiple
pool entries. This allows you to create an IP address range that contains gaps.
This dialog displays the different information that is required for the assignment of an IP address for a
port or a VLAN. Use the button to add an entry. The device adds a writable and readable entry.

 Table

Parameters Meaning
Index Displays the index number to which the table entry relates.
Active Activates/deactivates the DHCP server function on this port.
Possible values:
 marked
The DHCP server function is active.
 unmarked (default setting)
The DHCP server function is inactive.
IP address Specifies the IP address for static IP address assignment. When using dynamic IP address
assignment, this value specifies the start of the IP address range.
Possible values:
 Valid IPv4 address
Last IP address Specifies the end of the IP address range when using dynamic IP address assignment.
Possible values:
 Valid IPv4 address
Port Displays the port number.
VLAN ID Displays the VLAN to which the table entry relates.
A value of 1 corresponds to the default management VLAN.
Possible values:
 1..4042

MAC address Specifies the MAC address of the device leasing the IP address.
Possible values:
 Valid Unicast MAC address
Specify the value in one of the following formats:
– without a separator, for example 001122334455
– separated by spaces, for example 00 11 22 33 44 55
– separated by colons, for example 00:11:22:33:44:55
– separated by hyphens, for example 00-11-22-33-44-55
– separated by points, for example 00.11.22.33.44.55
– separated by points after every 4th character, for example 0011.2233.4455
 –
For the IP address assignment, the server ignores this variable.
DHCP relay Specifies the IP address of the DHCP relay through which the clients transmit their requests to the
DHCP server. If the DHCP server receives the client's request through another DHCP relay, it
ignores this request.
Possible values:
 Valid IPv4 address
IP address of the DHCP relay.
 –
Between the client and the DHCP server there is no DHCP relay.
Client ID Specifies the identification of the client device leasing the IP address.
Possible values:
 1..80 bytes (format XX XX .. XX)
 –
For the IP address assignment, the server ignores this variable.
Remote ID Specifies the identification of the remote device leasing the IP address.
Possible values:
 1..80 bytes (format XX XX .. XX)
 –
For the IP address assignment, the server ignores this variable.
Circuit ID Specifies the Circuit ID of the device leasing the IP address.
Possible values:
 1..80 bytes (format XX XX .. XX)
 –
For the IP address assignment, the server ignores this variable.
Hirschmann device Activates/deactivates Hirschmann multicasts.
Activate this function if the device in this IP address range serves only Hirschmann devices.
Possible values:
 marked
In this IP address range, the device serves only Hirschmann devices. Hirschmann multicasts
are activated.
 unmarked (default setting)
In this IP address range, the device serves the devices of different manufacturers. Hirschmann
multicasts are deactivated.
Configuration URL Specifies the protocol to be used as well as the name and path of the configuration file.
Possible values:
 Alphanumeric ASCII character string with 0..70 characters
Example: tftp://192.9.200.1/cfg/config.sav
If you leave this field blank, the device leaves this option field blank in the DHCP message.
Lease time [s] Specifies the lease time in seconds.
Possible values:
 1..4294967294 (default setting: 86400)
 4294967295
Use this value for assignments unlimited in time and for assignments via BOOTP.
Default gateway Specifies the IP address of the default gateway.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
 Valid IPv4 address

Netmask Specifies the mask of the network to which the client belongs.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
 Valid IPv4 netmask
WINS server Specifies the IP address of the Windows Internet Name Server which converts NetBIOS names.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
 Valid IPv4 address
DNS server Specifies the IP address of the DNS server.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
 Valid IPv4 address
Hostname Specifies the hostname.
If you leave this field blank, the device leaves this option field blank in the DHCP message.
Possible values:
 Alphanumeric ASCII character string with 0..64 characters

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
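
The six MAC address notations accepted in the Pool dialog mean that one device can appear under several spellings. The following added example (not part of the manual or of HiOS) normalizes them and finds pool rows that bind the same MAC twice. The row layout, the function names, the acceptance of upper-case and lower-case hex digits and the typed "–" marker are assumptions.

```python
import re

HEX2 = r"[0-9A-Fa-f]{2}"
HEX4 = r"[0-9A-Fa-f]{4}"

# One pattern per notation listed for the "MAC address" field of the Pool dialog.
# Accepting upper- and lower-case hex digits is an assumption.
NOTATIONS = {
    "no separator": re.compile(r"[0-9A-Fa-f]{12}"),
    "spaces": re.compile(rf"{HEX2}(?: {HEX2}){{5}}"),
    "colons": re.compile(rf"{HEX2}(?::{HEX2}){{5}}"),
    "hyphens": re.compile(rf"{HEX2}(?:-{HEX2}){{5}}"),
    "points": re.compile(rf"{HEX2}(?:\.{HEX2}){{5}}"),
    "points every 4th character": re.compile(rf"{HEX4}(?:\.{HEX4}){{2}}"),
}

# The manual lists "–" as the value for which the server ignores the variable.
# Treating a typed ASCII hyphen the same way is an assumption.
IGNORE_MARKERS = {"-", "\u2013"}


def parse_pool_mac(text):
    """Return the 6 raw bytes of a pool MAC entry, or None for the ignore marker.

    Raises ValueError for notations the dialog does not list (including mixed
    separators) and for addresses that are not unicast.
    """
    value = text.strip()
    if value in IGNORE_MARKERS:
        return None
    for pattern in NOTATIONS.values():
        if pattern.fullmatch(value):
            raw = bytes.fromhex(re.sub(r"[ :.\-]", "", value))
            # The least significant bit of the first octet marks group
            # (multicast/broadcast) addresses; the field requires unicast.
            if raw[0] & 0x01:
                raise ValueError(f"not a unicast MAC address: {text!r}")
            return raw
    raise ValueError(f"unsupported MAC notation: {text!r}")


def canonical(raw):
    """Render raw bytes in a single lower-case colon notation for comparison."""
    return ":".join(f"{b:02x}" for b in raw)


def find_duplicate_static_macs(rows):
    """Map each MAC that occurs in more than one pool row to the row indexes."""
    seen = {}
    for index, mac_text in rows:
        raw = parse_pool_mac(mac_text)
        if raw is None:  # row does not bind a MAC address
            continue
        seen.setdefault(canonical(raw), []).append(index)
    return {mac: idx for mac, idx in seen.items() if len(idx) > 1}


# Constructed sample rows: (pool index, value typed into the MAC address field).
SAMPLE_ROWS = [
    (1, "00:11:22:33:44:55"),
    (2, "0011.2233.4455"),
    (3, "\u2013"),
    (4, "00-11-22-33-44-56"),
]

if __name__ == "__main__":
    print(find_duplicate_static_macs(SAMPLE_ROWS))
```
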

7.2.3 DHCP Server Lease Table

This dialog displays the status of IP address leasing on a per port basis.

 Table

Parameters Meaning
Port Displays the port number to which the address is currently being leased.
IP address Displays the leased IP address to which the entry refers.
Status Displays the lease phase.
According to the standard for DHCP operations, there are 4 phases to leasing an IP address:
Discovery, Offer, Request, and Acknowledgement.
Possible values:
 bootp
A DHCP client is attempting to discover a DHCP server for IP address allocation.
 offering
The DHCP server is validating that the IP address is suitable for the client.
 requesting
A DHCP client is acquiring the offered IP address.
 bound
The DHCP server is leasing the IP address to a client.
 renewing
The DHCP client is requesting an extension to the lease.
 rebinding
The DHCP server is assigning the IP address to the client after a successful renewal.
 declined
The DHCP server denied the request for the IP address.
 released
The IP address is available for other clients.
Remaining lifetime Displays the time remaining on the leased IP address.
Leased MAC address Displays the MAC address of the device leasing the IP address.
Gateway Displays the Gateway IP address of the device leasing the IP address.
Client ID Displays the client identifier of the device leasing the IP address.
Remote ID Displays the remote identifier of the device leasing the IP address.
Circuit ID Displays the Circuit ID of the device leasing the IP address.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

7.3 DNS

The menu contains the following dialogs:


 DNS Client

7.3.1 DNS Client

DNS (Domain Name System) is a service in the network that translates host names into IP addresses.
This name resolution gives you the option of contacting other devices using their host names instead of
their IP addresses.
The Client function enables the device to send requests for resolving hostnames into IP addresses to a
DNS server.
The menu contains the following dialogs:
 DNS Client Global
 DNS Client Current
 DNS Client Static
 DNS Client Static Hosts

7.3.1.1 DNS Client Global

In this dialog, you enable the Client function and the Cache function.

 Operation

Parameters Meaning
Operation Enables/disables the Client function.
Possible values:
 On
The Client function is enabled.
The device sends requests for resolving hostnames into IP addresses to a DNS server.
 Off (default setting)
The Client function is disabled.

 Cache

Parameters Meaning
Cache Enables/disables the Cache function.
Possible values:
 On (default setting)
The Cache function is enabled.
The device temporarily saves up to 128 DNS server responses (hostname and corresponding
IP address) in the cache. If the cache contains a matching entry, the device resolves the
hostname of a new request itself. This makes sending a new query to the DNS server
unnecessary.
 Off
The Cache function is disabled.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Flush cache Removes every entry from the DNS cache.

7.3.1.2 DNS Client Current

This dialog displays the DNS servers to which the device sends requests for resolving hostnames into IP
addresses.

 Table

Parameters Meaning
Index Displays the sequential number of the DNS server.
Address Displays the IP address of the DNS server. The device forwards requests for resolving hostnames
into IP addresses to the DNS server with this IP address.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

7.3.1.3 DNS Client Static

In this dialog, you specify the DNS servers to which the device forwards requests for resolving
hostnames into IP addresses. The device allows you to specify up to 4 IP addresses yourself or to transfer the
IP addresses from a DHCP server.

 Configuration

Parameters Meaning
Configuration source Specifies the source from which the device obtains the IP address of DNS servers to which the
device addresses requests.
Possible values:
 user
The device uses the IP addresses specified in the table.
 mgmt-dhcp (default setting)
The device uses the IP addresses which the DHCP server delivers to the device.
Domain name Specifies the domain name according to RFC1034 which the device adds to hostnames without
a domain suffix.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
Request timeout [s] Specifies the time interval in seconds after which the device sends a request to the server again.
Possible values:
 0
Deactivates the function. The device does not send a request to the server again.
 1..3600 (default setting: 3)
Request retransmits Specifies how many times the device retransmits a request.
The prerequisite is that, in the Request timeout [s] field, you specify a value >0.
Possible values:
 0..100 (default setting: 2)

 Table

Parameters Meaning
Index Displays the sequential number of the DNS server.
The device allows you to specify up to 4 DNS servers.
Address Specifies the IP address of the DNS server.
Possible values:
 Valid IPv4 address (default setting: 0.0.0.0)
Active Activates/deactivates the table entry.
The device sends requests to the DNS server configured in the first active table entry. If the device
does not receive a response from this server, it sends requests to the DNS server configured in
the next active table entry.
Possible values:
 marked
Allows the DNS client to send requests to this DNS server.
Prerequisites:
 Enable the DNS-client function in the Advanced > DNS > Global dialog.
 Select in the Configuration frame, Configuration source drop-down-list the value
user.
 unmarked (default setting)
The device does not send requests to this DNS server.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

7.3.1.4 DNS Client Static Hosts

This dialog allows you to specify up to 64 hostnames which you link with one IP address each. Upon a
request for resolving hostnames into IP addresses, the device searches this table for a corresponding
entry. If the device does not find a corresponding entry, it forwards the request.

 Table

Parameters Meaning
Index Displays the index number to which the table entry relates.
Possible values:
 1..64
Name Specifies the hostname.
Possible values:
 Alphanumeric ASCII character string with 0..255 characters
IP address Specifies the IP address under which the host is reachable.
Possible values:
 Valid IPv4 address
Active Activates/deactivates the table entry.
Possible values:
 marked
The device resolves a request for the host name for this entry.
 unmarked
After receiving a request for this host name, the device sends a request to one of the
configured name servers for resolution.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

7.4 Industrial Protocols

The menu contains the following dialogs:


 IEC61850-MMS
 Modbus TCP
 EtherNet/IP
 PROFINET

7.4.1 IEC61850-MMS

The IEC61850-MMS is a standardized industrial communication protocol from the International
Electrotechnical Commission (IEC). For example, automatic switching equipment uses this protocol
when communicating with power station equipment.
The packet-oriented protocol defines a uniform communication language based on the transport
protocol, TCP/IP. The protocol uses a Manufacturing Message Specification (MMS) server for client
server communications. The protocol includes functions for SCADA, Intelligent Electronic Device (IED)
and the network control systems.

Note: IEC61850/MMS does not provide any authentication mechanisms. If the write access for
IEC61850/MMS is activated, every client that can access the device using TCP/IP is capable of
changing the settings of the device. This in turn can result in an incorrect configuration of the device and
in failures in the network.
Activate the write access exclusively if you have taken additional measures (for example Firewall, VPN,
etc.) to reduce the risk of unauthorized access.
This dialog allows you to specify the following MMS server settings:
 Activates/deactivates the MMS server.
 Activates/deactivates the write access to the MMS server.
 The MMS server TCP Port.
 The maximum number of MMS server sessions.

 Operation

Parameters Meaning
Operation Enables/disables the IEC61850-MMS server.
Possible values:
 On
The IEC61850-MMS server is enabled.
 Off (default setting)
The IEC61850-MMS server is disabled.
The IEC61850 MIBs stay accessible.

 Configuration

Parameters Meaning
Write access Activates/deactivates the write access to the MMS server.
Possible values:
 marked
The write access to the MMS server is activated. This setting allows you to change the device
settings using the IEC 61850 MMS protocol.
 unmarked (default setting)
The write access to the MMS server is deactivated. The MMS server is accessible as read-
only.

Technical key Specifies the IED name.
You can choose the IED name independently of the system name.
Possible values:
 Alphanumeric ASCII character string with 0..32 characters
The following characters are allowed:
– _
– 0..9
– a..z
– A..Z (default setting: KEY)

To get the MMS server to use the IED name, click the button and restart the MMS server.
The connection to connected clients is then interrupted.
TCP port Specifies the TCP port for MMS server access.
Possible values:
 1..65535 (default setting: 102)
Exception: Port 2222 is reserved for internal functions.

Note: The server restarts automatically after you change the port. In the process, the device
terminates open connections to the server.
Sessions (max.) Specifies the maximum number of MMS server connections.
Possible values:
 1..15 (default setting: 5)

 Information

Parameters Meaning
Status Displays the current IEC61850-MMS server status.
Possible values:
 unavailable
 starting
 running
 stopping
 halted
 error

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Download Copies the ICD file to your PC.

7.4.2 Modbus TCP

Modbus TCP is a protocol used for Supervisory Control and Data Acquisition (SCADA) system
integration. Modbus TCP is a vendor-neutral protocol used to monitor and control industrial automation
equipment such as Programmable Logic Controllers (PLC), sensors and meters.
This dialog allows you to specify the parameters of the protocol. To monitor and control the parameters
of the device, you need Human-Machine Interface (HMI) software and the memory mapping table. Refer
to the tables located in the Industrial Protocol user manual for the supported objects and memory
mapping.
The dialog allows you to enable the function, activate the write access, and control which TCP port the
Human-Machine Interface (HMI) polls for data. You can also specify the number of sessions allowed to
be open at the same time.

Note: Activating the Modbus TCP write-access can cause a possible security risk, because the protocol
does not authenticate user access.
To help minimize the security risks, specify the IP address range located in the Device Security >
Management Access dialog. Enter only the IP addresses assigned to your devices before enabling the
function. Furthermore, monitoring of this function in the Diagnostics > Status
Configuration > Security Status > Global tab is active in the default setting.

 Operation

Parameters Meaning
Operation Enables/disables the Modbus TCP server on the device.
Possible values:
 On
The Modbus TCP server is enabled.
 Off (default setting)
The Modbus TCP server is disabled.

 Configuration

Parameters Meaning
Write access Activates/deactivates the write access to the Modbus TCP parameters.

Note: Activating the Modbus TCP write-access can cause a possible security risk, because the
protocol does not authenticate user access.
Possible values:
 marked (default setting)
The Modbus TCP server read/write access is active. This allows you to change the device
configuration using the Modbus TCP protocol.
 unmarked
The Modbus TCP server read-only access is active.
TCP port Specifies the TCP port number that the Modbus TCP server uses for communication.
Possible values:
 <TCP Port number> (default setting: 502)
Specifying 0 is not allowed.

Sessions (max.) Specifies the maximum number of concurrent sessions that the Modbus TCP server allows.
Possible values:
 1..5 (default setting: 5)

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

7.4.3 PROFINET

This dialog allows you to configure the PROFINET protocol on this device used in conjunction with
PROFINET Controllers and PROFINET devices. The device bases the PROFINET function on the
Siemens V2.2 PROFINET stack for common Ethernet controllers. The PROFINET protocol
implemented in the device conforms to Class B for real time responses according to IEC 61158.
Functions that directly affect the PROFINET function require the following default values to be changed.
If you have obtained the device as a specially available PROFINET variant, these values are already
predefined:

PROFINET: Advanced > Industrial Protocols > PROFINET dialog
– Operation frame
Operation = On
– Configuration frame
Name of station field = <empty>
Network: Basic Settings > Network dialog
– Management interface frame
IP address assignment radio button = Local
– HiDiscovery protocol v1/v2 frame
Access drop-down list = readOnly
– IP parameter frame
IP address field = 0.0.0.0
Netmask field = 0.0.0.0
Gateway address field = 0.0.0.0
VLAN: Switching > Global dialog
– Configuration frame
VLAN unaware mode checkbox = marked
LLDP: Diagnostics > LLDP > Configuration dialog
– Configuration frame
Transmit interval [s] field = 5
Transmit delay [s] field = 1

 Operation

Parameters Meaning
Operation Enables/disables the PROFINET function on the device.
Possible values:
 On
The PROFINET function is enabled.
 Off (default setting)
The PROFINET function is disabled.

 Configuration

Parameters Meaning
Name of station Specifies the name of the device.
Possible values:
 Alphanumeric ASCII character string with 0..240 characters
The device prohibits you from using a number as the first character.

 Information

Parameters Meaning
Active application relations Displays how many application relations are active.

 Table

Parameters Meaning
Port Displays the port number.
DCP mode Specifies the data stream direction on the port to monitor for DCP packets.
The Programmable Logic Controller (PLC) detects PROFINET devices using the Discovery and
Configuration Protocol (DCP).
The DCP identify request packets are multicast, the responses from the agents are unicast.
Regardless of the settings, the device forwards the received DCP packets to other ports whose
setting is either egress or both.
[Figure: DCP packet forwarding between the Management agent and ports whose DCP mode is none, ingress, egress or both]

Possible values:
 none
The agent does not respond to packets received on this port. The port does not forward
packets received on other ports.
 ingress
The agent responds to packets received on this port. The port does not forward packets
received on other ports.
 egress
The agent does not respond to packets received on this port. The port forwards packets
received on other ports.
 both (default setting)
The agent responds to packets received on this port. The port forwards packets received on
other ports.

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Parameters Meaning
Displays a sub menu with the following items.

Download GSDML file Copies the GSDML file onto your PC.

7.4.4 EtherNet/IP

This dialog allows you to activate the EtherNet/IP protocol, to change the SET/GET capability and to
download the EDS file from the device.

 Operation

Parameters Meaning
Operation Enables/disables the EtherNet/IP function on the device.
Possible values:
 On
The EtherNet/IP function is enabled.
 Off (default setting)
The EtherNet/IP function is disabled. The device continues to read the EtherNet/IP data.

 Configuration

Parameters Meaning
Write access Activates/deactivates the read/write capability of the EtherNet/IP protocol.
Possible values:
 marked
The EtherNet/IP protocol allows set/get requests.
 unmarked (default setting)
The EtherNet/IP protocol allows only get requests.
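
The write-access settings of the IEC61850-MMS, Modbus TCP and EtherNet/IP dialogs interact with their defaults: Modbus TCP write access is marked by default, so switching only Operation to On already yields an unauthenticated read/write server. The following added example (not part of the manual or of HiOS) audits a settings snapshot against the defaults and value ranges stated in these dialogs. The dictionary layout, key names and finding codes are hypothetical and do not represent a HiOS export format.

```python
import re

# Defaults as stated in the three dialogs (key names are hypothetical).
DEFAULTS = {
    "iec61850-mms": {"operation": False, "write_access": False,
                     "tcp_port": 102, "sessions_max": 5, "technical_key": "KEY"},
    "modbus-tcp": {"operation": False, "write_access": True,
                   "tcp_port": 502, "sessions_max": 5},
    "ethernet-ip": {"operation": False, "write_access": False},
}
SESSION_RANGE = {"iec61850-mms": (1, 15), "modbus-tcp": (1, 5)}
RESERVED_PORTS = {"iec61850-mms": {2222}}  # reserved for internal functions


def effective(config):
    """Overlay the explicitly configured values on the documented defaults."""
    return {proto: {**defaults, **config.get(proto, {})}
            for proto, defaults in DEFAULTS.items()}


def audit(config):
    """Return a list of (protocol, finding, detail) tuples for a snapshot."""
    findings = []
    eff = effective(config)
    for proto, settings in eff.items():
        explicit = config.get(proto, {})
        # Server enabled together with write access: remote clients can
        # change device settings through this protocol.
        if settings["operation"] and settings["write_access"]:
            origin = "explicit" if "write_access" in explicit else "default"
            findings.append((proto, "write-enabled", origin))
        if "tcp_port" in settings:
            port = settings["tcp_port"]
            if not 1 <= port <= 65535 or port in RESERVED_PORTS.get(proto, set()):
                findings.append((proto, "invalid-port", port))
        if proto in SESSION_RANGE:
            low, high = SESSION_RANGE[proto]
            if not low <= settings["sessions_max"] <= high:
                findings.append((proto, "invalid-sessions", settings["sessions_max"]))
    # Technical key: 0..32 characters out of _ 0..9 a..z A..Z
    key = eff["iec61850-mms"]["technical_key"]
    if not re.fullmatch(r"[_0-9A-Za-z]{0,32}", key):
        findings.append(("iec61850-mms", "invalid-technical-key", key))
    return findings


# Constructed snapshot: only the values an operator changed are listed.
SAMPLE = {
    "modbus-tcp": {"operation": True},
    "iec61850-mms": {"operation": True, "write_access": True,
                     "tcp_port": 2222, "sessions_max": 20},
    "ethernet-ip": {"operation": True},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "write-enabled" finding with the detail "default" marks a server whose write access was never reviewed; for Modbus TCP the manual points to the Device Security > Management Access dialog to restrict the permitted IP addresses.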

 Buttons
You find the description of the standard buttons in section “Buttons” on page 18.

Button Meaning
Displays a sub menu with the following items.

Download EDS file Copies the following information in a zip file onto your PC:
 Electronic Data Sheet (EDS) with device related information
 device icon


B Further support

Technical questions
For technical questions, please contact any Hirschmann dealer in your area or Hirschmann directly.
You find the addresses of our partners on the Internet at http://www.hirschmann.com.
A list of local telephone numbers and email addresses for technical support directly from Hirschmann is
available at https://hirschmann-support.belden.eu.com.
This site also includes a free of charge knowledge base and a software download section.

Hirschmann Competence Center


The Hirschmann Competence Center is ahead of its competitors on three counts with its complete range
of innovative services:
 Consulting incorporates comprehensive technical advice, from system evaluation through network
planning to project planning.
 Training offers you an introduction to the basics, product briefing and user training with certification.
You find the training courses on technology and products currently available at http://www.hicomcenter.com.
 Support ranges from the first installation through the standby service to maintenance concepts.
With the Hirschmann Competence Center, you decided against making any compromises. Our client-
customized package leaves you free to choose the service components you want to use.
Internet:
http://www.hicomcenter.com

Reference Manual
Command Line Interface
HiOS-2A GRS1040 (Greyhound Switch)

RM CLI HiOS-2A GRS1040 Technical support


Release 6.1 09/2016 https://hirschmann-support.belden.eu.com
The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that
these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may
be freely used by anyone.

© 2016 Hirschmann Automation and Control GmbH

Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into
any electronic medium or machine scannable form is not permitted, either in whole or in part. An exception is the preparation
of a backup copy of the software for your own use.

The performance features described here are binding only if they have been expressly agreed when the contract was made.
This document was produced by Hirschmann Automation and Control GmbH according to the best of the company's
knowledge. Hirschmann reserves the right to change the contents of this document without prior notice. Hirschmann can give
no guarantee in respect of the correctness or accuracy of the information in this document.

Hirschmann can accept no responsibility for damages, resulting from the use of the network components or the associated
operating software. In addition, we refer to the conditions of use specified in the license contract.

You can get the latest version of this manual on the Internet at the Hirschmann product site (www.hirschmann.com).

Hirschmann Automation and Control GmbH


Stuttgarter Str. 45-51
72654 Neckartenzlingen
Germany

Rel. 6.1 - 09/2016 – 10.01.2018


Contents

Safety instructions 32

About this Manual 33

1 Command reference 35

2 Address Conflict Detection (ACD) 37


2.1 address-conflict 38
2.1.1 address-conflict operation 38
2.1.2 address-conflict detection-mode 38
2.1.3 address-conflict detection-ongoing 39
2.1.4 address-conflict delay 39
2.1.5 address-conflict release-delay 39
2.1.6 address-conflict max-protection 40
2.1.7 address-conflict protect-interval 40
2.1.8 address-conflict trap-status 40
2.2 mac-address-conflict 41
2.2.1 mac-address-conflict operation 41
2.3 show 42
2.3.1 show address-conflict global 42
2.3.2 show address-conflict detected 42
2.3.3 show address-conflict fault-state 42
2.3.4 show mac-address-conflict global 43

3 Access Control List (ACL) 45


3.1 mac 46
3.1.1 mac access-list extended name 46
3.1.2 mac access-list extended rename 48
3.1.3 mac access-list extended del 48
3.1.4 mac access-group name 48
3.1.5 mac access-group del 49
3.2 mac 50
3.2.1 mac access-group name 50
3.2.2 mac access-group del 50
3.3 ip 52
3.3.1 ip access-list extended name 52
3.3.2 ip access-list extended rename 57
3.3.3 ip access-list extended del 57
3.3.4 ip access-group name 58
3.3.5 ip access-group del 58
3.4 ip 59
3.4.1 ip access-group name 59
3.4.2 ip access-group del 59
3.5 show 61
3.5.1 show access-list global 61
3.5.2 show access-list mac 61
3.5.3 show access-list ip 61
3.5.4 show access-list assignment ip 62
3.5.5 show access-list assignment mac 62

4 Application Lists 63
4.1 appllists 64
4.1.1 appllists set-authlist 64

4.1.2 appllists enable 64


4.1.3 appllists disable 64
4.2 show 65
4.2.1 show appllists 65

5 Authentication Lists 67
5.1 authlists 68
5.1.1 authlists add 68
5.1.2 authlists delete 68
5.1.3 authlists set-policy 68
5.1.4 authlists enable 69
5.1.5 authlists disable 70
5.2 show 71
5.2.1 show authlists 71

6 Auto Disable 73
6.1 auto-disable 74
6.1.1 auto-disable reason 74
6.2 auto-disable 75
6.2.1 auto-disable timer 75
6.2.2 auto-disable reset 75
6.3 show 76
6.3.1 show auto-disable brief 76
6.3.2 show auto-disable reasons 76

7 Cabletest 77
7.1 cable-test 78
7.1.1 cable-test 78

8 Class Of Service 79
8.1 classofservice 80
8.1.1 classofservice ip-dscp-mapping 80
8.1.2 classofservice dot1p-mapping 83
8.2 classofservice 84
8.2.1 classofservice trust 84
8.3 cos-queue 85
8.3.1 cos-queue strict 85
8.3.2 cos-queue weighted 85
8.3.3 cos-queue max-bandwidth 85
8.3.4 cos-queue min-bandwidth 86
8.4 show 87
8.4.1 show classofservice ip-dscp-mapping 87
8.4.2 show classofservice dot1p-mapping 87
8.4.3 show classofservice trust 87
8.4.4 show cos-queue 88

9 Command Line Interface (CLI) 89


9.1 cli 90
9.1.1 cli serial-timeout 90
9.1.2 cli prompt 90
9.1.3 cli numlines 91
9.1.4 cli banner operation 91
9.1.5 cli banner text 91
9.2 show 92
9.2.1 show cli global 92

9.2.2 show cli command-tree 92


9.3 logging 93
9.3.1 logging cli-command 93
9.4 show 94
9.4.1 show logging cli-command 94

10 Clock 95
10.1 clock 96
10.1.1 clock set 96
10.1.2 clock timezone offset 96
10.1.3 clock timezone zone 96
10.1.4 clock summer-time mode 97
10.1.5 clock summer-time recurring start 97
10.1.6 clock summer-time recurring end 98
10.1.7 clock summer-time zone 98
10.2 show 99
10.2.1 show clock 99

11 Configuration 101
11.1 save 102
11.1.1 save profile 102
11.2 config 103
11.2.1 config watchdog admin-state 103
11.2.2 config watchdog timeout 103
11.2.3 config encryption password set 104
11.2.4 config encryption password clear 104
11.2.5 config envm choose-active 104
11.2.6 config envm log-device 105
11.2.7 config envm auto-update 105
11.2.8 config envm sshkey-auto-update 105
11.2.9 config envm config-save 106
11.2.10 config envm load-priority 106
11.2.11 config profile select 107
11.2.12 config profile delete 107
11.2.13 config fingerprint verify 107
11.3 copy 108
11.3.1 copy sysinfo system envm 108
11.3.2 copy sysinfoall system envm 108
11.3.3 copy firmware envm 108
11.3.4 copy firmware remote 109
11.3.5 copy config running-config nvm 109
11.3.6 copy config running-config remote 109
11.3.7 copy config nvm 110
11.3.8 copy config envm 110
11.3.9 copy config remote 110
11.3.10 copy sfp-white-list remote 111
11.3.11 copy sfp-white-list envm 111
11.4 clear 112
11.4.1 clear config 112
11.4.2 clear factory 112
11.4.3 clear sfp-white-list 112
11.5 show 113
11.5.1 show running-config xml 113
11.5.2 show running-config script 113
11.6 show 114
11.6.1 show config envm settings 114
11.6.2 show config envm properties 114
11.6.3 show config envm active 114

11.6.4 show config watchdog 115
11.6.5 show config encryption 115
11.6.6 show config profiles 115
11.6.7 show config status 115
11.7 swap 116
11.7.1 swap firmware system backup 116

12 Dynamic ARP Inspection 117


12.1 ip 118
12.1.1 ip arp-inspection verify src-mac 118
12.1.2 ip arp-inspection verify dst-mac 118
12.1.3 ip arp-inspection verify ip 119
12.1.4 ip arp-inspection access-list add 119
12.1.5 ip arp-inspection access-list delete 119
12.1.6 ip arp-inspection access-list mode 120
12.1.7 ip arp-inspection access-list rule add 120
12.1.8 ip arp-inspection access-list rule delete 120
12.1.9 ip arp-inspection access-list rule mode 121
12.2 clear 122
12.2.1 clear ip arp-inspection statistics 122
12.3 ip 123
12.3.1 ip arp-inspection mode 123
12.3.2 ip arp-inspection log 123
12.3.3 ip arp-inspection bind-check 124
12.3.4 ip arp-inspection access-list strict 124
12.3.5 ip arp-inspection access-list assign 125
12.4 ip 126
12.4.1 ip arp-inspection trust 126
12.4.2 ip arp-inspection auto-disable 126
12.4.3 ip arp-inspection limit 127
12.5 show 128
12.5.1 show ip arp-inspection global 128
12.5.2 show ip arp-inspection statistics dropped 128
12.5.3 show ip arp-inspection statistics forwarded 128
12.5.4 show ip arp-inspection access-list names 129
12.5.5 show ip arp-inspection access-list rules 129
12.5.6 show ip arp-inspection interfaces 129
12.5.7 show ip arp-inspection vlan 129

13 Debugging 131
13.1 debug 132
13.1.1 debug tcpdump help 132
13.1.2 debug tcpdump start cpu 132
13.1.3 debug tcpdump stop 132
13.1.4 debug tcpdump filter show 133
13.1.5 debug tcpdump filter list 133
13.1.6 debug tcpdump filter delete 133
13.2 show 134
13.2.1 show debug logic-modules 134
13.3 copy 135
13.3.1 copy tcpdumpcap nvm envm 135
13.3.2 copy tcpdumpcap nvm remote 135
13.3.3 copy tcpdumpfilter remote 135
13.3.4 copy tcpdumpfilter envm 136
13.3.5 copy tcpdumpfilter nvm 136

14 Device Monitoring 137


14.1 device-status 138

14.1.1 device-status monitor link-failure 138
14.1.2 device-status monitor temperature 138
14.1.3 device-status monitor module-removal 139
14.1.4 device-status monitor envm-removal 139
14.1.5 device-status monitor envm-not-in-sync 139
14.1.6 device-status monitor ring-redundancy 140
14.1.7 device-status monitor power-supply 140
14.1.8 device-status trap 141
14.1.9 device-status module 141
14.2 device-status 142
14.2.1 device-status link-alarm 142
14.3 show 143
14.3.1 show device-status monitor 143
14.3.2 show device-status state 143
14.3.3 show device-status trap 143
14.3.4 show device-status events 144
14.3.5 show device-status link-alarm 144
14.3.6 show device-status module 144
14.3.7 show device-status all 144

15 Device Security 145


15.1 security-status 146
15.1.1 security-status monitor pwd-change 146
15.1.2 security-status monitor pwd-min-length 146
15.1.3 security-status monitor pwd-policy-config 147
15.1.4 security-status monitor pwd-str-not-config 147
15.1.5 security-status monitor pwd-policy-inactive 147
15.1.6 security-status monitor bypass-pwd-strength 148
15.1.7 security-status monitor telnet-enabled 148
15.1.8 security-status monitor http-enabled 149
15.1.9 security-status monitor snmp-unsecure 149
15.1.10 security-status monitor sysmon-enabled 149
15.1.11 security-status monitor extnvm-upd-enabled 150
15.1.12 security-status monitor no-link-enabled 150
15.1.13 security-status monitor hidisc-write-enabled 151
15.1.14 security-status monitor extnvm-load-unsecure 151
15.1.15 security-status monitor iec61850-mms-enabled 151
15.1.16 security-status monitor https-certificate 152
15.1.17 security-status monitor modbus-tcp-enabled 152
15.1.18 security-status monitor ethernet-ip-enabled 153
15.1.19 security-status monitor profinet-io-enabled 153
15.1.20 security-status trap 153
15.2 security-status 155
15.2.1 security-status no-link 155
15.3 show 156
15.3.1 show security-status monitor 156
15.3.2 show security-status state 156
15.3.3 show security-status no-link 156
15.3.4 show security-status trap 157
15.3.5 show security-status events 157
15.3.6 show security-status all 157

16 Dynamic Host Configuration Protocol (DHCP) 159


16.1 dhcp-server 160
16.1.1 dhcp-server operation 160
16.2 dhcp-server 161
16.2.1 dhcp-server operation 161
16.2.2 dhcp-server pool add 161
16.2.3 dhcp-server pool modify 162
16.2.4 dhcp-server pool mode 163
16.2.5 dhcp-server pool delete 163
16.3 show 164
16.3.1 show dhcp-server operation 164
16.3.2 show dhcp-server pool 164
16.3.3 show dhcp-server interface 164
16.3.4 show dhcp-server lease 165

17 DHCP Layer 2 Relay 167


17.1 dhcp-l2relay 168
17.1.1 dhcp-l2relay mode 168
17.2 dhcp-l2relay 169
17.2.1 dhcp-l2relay mode 169
17.2.2 dhcp-l2relay circuit-id 169
17.2.3 dhcp-l2relay remote-id ip 170
17.2.4 dhcp-l2relay remote-id mac 170
17.2.5 dhcp-l2relay remote-id client-id 170
17.2.6 dhcp-l2relay remote-id other 171
17.3 dhcp-l2relay 172
17.3.1 dhcp-l2relay mode 172
17.3.2 dhcp-l2relay trust 172
17.4 clear 173
17.4.1 clear dhcp-l2relay statistics 173
17.5 show 174
17.5.1 show dhcp-l2relay global 174
17.5.2 show dhcp-l2relay statistics 174
17.5.3 show dhcp-l2relay interfaces 174
17.5.4 show dhcp-l2relay vlan 175

18 DHCP Snooping 177


18.1 ip 178
18.1.1 ip dhcp-snooping verify-mac 178
18.1.2 ip dhcp-snooping mode 178
18.1.3 ip dhcp-snooping database storage 179
18.1.4 ip dhcp-snooping database write-delay 179
18.1.5 ip dhcp-snooping binding add 179
18.1.6 ip dhcp-snooping binding delete all 180
18.1.7 ip dhcp-snooping binding delete interface 180
18.1.8 ip dhcp-snooping binding delete mac 180
18.1.9 ip dhcp-snooping binding mode 181
18.2 clear 182
18.2.1 clear ip dhcp-snooping bindings 182
18.2.2 clear ip dhcp-snooping statistics 182
18.3 ip 183
18.3.1 ip dhcp-snooping mode 183
18.4 ip 184
18.4.1 ip dhcp-snooping trust 184
18.4.2 ip dhcp-snooping log 184
18.4.3 ip dhcp-snooping auto-disable 185
18.4.4 ip dhcp-snooping limit 185
18.5 show 186
18.5.1 show ip dhcp-snooping global 186
18.5.2 show ip dhcp-snooping statistics 186
18.5.3 show ip dhcp-snooping interfaces 186
18.5.4 show ip dhcp-snooping vlan 187
18.5.5 show ip dhcp-snooping bindings 187

19 Differentiated Services (DiffServ) 189

19.1 diffserv 190


19.2 class-map 191
19.2.1 class-map name 191
19.2.2 class-map rename 193
19.2.3 class-map match-all 194
19.2.4 class-map remove 194
19.3 policy-map 195
19.3.1 policy-map create 195
19.3.2 policy-map name class add 195
19.3.3 policy-map name class name assign-queue 196
19.3.4 policy-map name class name conform-color 196
19.3.5 policy-map name class name drop 196
19.3.6 policy-map name class name mark 197
19.3.7 policy-map name class name mirror 198
19.3.8 policy-map name class name police-simple conform action drop violate-action 199
19.3.9 policy-map name class name police-simple conform action set-cos-as-sec-cos violate-action 201
19.3.10 policy-map name class name police-simple conform action set-cos-transmit violate-action 202
19.3.11 policy-map name class name police-simple conform action set-dscp-transmit violate-action 204
19.3.12 policy-map name class name police-simple conform action set-prec-transmit violate-action 206
19.3.13 policy-map name class name police-simple conform action set-sec-cos-transmit violate-action 207
19.3.14 policy-map name class name police-simple conform action transmit violate-action 209
19.3.15 policy-map name class name police-two-rate conform-action ... exceed-action ... violate-action ... 210
19.3.16 policy-map name class name redirect 212
19.3.17 policy-map name class remove 213
19.3.18 policy-map rename 213
19.3.19 policy-map remove 213
19.4 service-policy 214
19.5 service-policy 215
19.6 show 216
19.6.1 show diffserv global 216
19.6.2 show diffserv service brief 216
19.6.3 show diffserv service interface 216
19.6.4 show class-map 217
19.6.5 show policy-map all 217
19.6.6 show policy-map interface 217
19.6.7 show policy-map name 217
19.6.8 show service-policy 218

20 Domain Name System (DNS) 219


20.1 dns 220
20.1.1 dns cache adminstate 220
20.1.2 dns cache flush 220
20.1.3 dns client adminstate 221
20.1.4 dns client cache adminstate 221
20.1.5 dns client cache flush 221
20.1.6 dns client domain-name 222
20.1.7 dns client host add 222
20.1.8 dns client host delete 222
20.1.9 dns client host modify 223
20.1.10 dns client source 223
20.1.11 dns client servers add 223

20.1.12 dns client servers delete 224
20.1.13 dns client servers modify 224
20.1.14 dns client servers enable 224
20.1.15 dns client servers disable 225
20.1.16 dns client timeout 225
20.1.17 dns client retry 225
20.2 show 226
20.2.1 show dns client hosts 226
20.2.2 show dns client info 226
20.2.3 show dns client servers 226

21 DoS Mitigation 227


21.1 dos 228
21.1.1 dos tcp-null 228
21.1.2 dos tcp-xmas 228
21.1.3 dos tcp-syn-fin 229
21.1.4 dos tcp-min-header 229
21.1.5 dos icmp-fragmented 229
21.1.6 dos icmp payload-check 230
21.1.7 dos icmp payload-size 230
21.1.8 dos ip-land 231
21.1.9 dos tcp-offset 231
21.1.10 dos tcp-syn 231
21.1.11 dos l4-port 232
21.1.12 dos icmp-smurf-attack 232
21.2 show 233
21.2.1 show dos 233

22 IEEE 802.1x (Dot1x) 235


22.1 dot1x 236
22.1.1 dot1x dynamic-vlan 236
22.1.2 dot1x system-auth-control 236
22.1.3 dot1x monitor 237
22.2 dot1x 238
22.2.1 dot1x guest-vlan 238
22.2.2 dot1x max-req 238
22.2.3 dot1x max-users 238
22.2.4 dot1x mac-auth-bypass 239
22.2.5 dot1x port-control 239
22.2.6 dot1x re-authentication 239
22.2.7 dot1x unauthenticated-vlan 240
22.2.8 dot1x timeout guest-vlan-period 240
22.2.9 dot1x timeout reauth-period 240
22.2.10 dot1x timeout quiet-period 241
22.2.11 dot1x timeout tx-period 241
22.2.12 dot1x timeout supp-timeout 241
22.2.13 dot1x timeout server-timeout 241
22.2.14 dot1x initialize 242
22.2.15 dot1x re-authenticate 242
22.3 show 243
22.3.1 show dot1x global 243
22.3.2 show dot1x auth-history 243
22.3.3 show dot1x detail 243
22.3.4 show dot1x summary 244
22.3.5 show dot1x clients 244
22.3.6 show dot1x statistics 244
22.4 clear 245
22.4.1 clear dot1x statistics port 245
22.4.2 clear dot1x statistics all 245
22.4.3 clear dot1x auth-history port 245

22.4.4 clear dot1x auth-history all 246

23 IEEE 802.3ad (Dot3ad) 247


23.1 link-aggregation 248
23.1.1 link-aggregation add 248
23.1.2 link-aggregation modify 248
23.1.3 link-aggregation delete 249
23.1.4 link-aggregation hashmode 249
23.2 lacp 251
23.2.1 lacp admin-key 251
23.2.2 lacp collector-max-delay 251
23.2.3 lacp lacpmode 251
23.2.4 lacp actor admin key 252
23.2.5 lacp actor admin state lacp-activity 252
23.2.6 lacp actor admin state lacp-timeout 253
23.2.7 lacp actor admin state aggregation 253
23.2.8 lacp actor admin port priority 253
23.2.9 lacp partner admin key 254
23.2.10 lacp partner admin state lacp-activity 254
23.2.11 lacp partner admin state lacp-timeout 254
23.2.12 lacp partner admin state aggregation 255
23.2.13 lacp partner admin port priority 255
23.2.14 lacp partner admin port id 255
23.2.15 lacp partner admin system-priority 256
23.2.16 lacp partner admin system-id 256
23.3 show 257
23.3.1 show link-aggregation port 257
23.3.2 show link-aggregation statistics 257
23.3.3 show link-aggregation members 257
23.3.4 show lacp interface 258
23.3.5 show lacp mode 258
23.3.6 show lacp actor 258
23.3.7 show lacp partner operational 258
23.3.8 show lacp partner admin 259

24 Ethernet IP 261
24.1 ethernet-ip 262
24.1.1 ethernet-ip operation 262
24.1.2 ethernet-ip write-access 262
24.2 show 263
24.2.1 show ethernet-ip 263
24.3 copy 264
24.3.1 copy eds-ethernet-ip system remote 264
24.3.2 copy eds-ethernet-ip system envm 264

25 Filtering Database (FDB) 265


25.1 mac-filter 266
25.1.1 mac-filter 266
25.2 bridge 267
25.2.1 bridge aging-time 267
25.3 show 268
25.3.1 show mac-filter-table static 268
25.4 show 269
25.4.1 show bridge aging-time 269
25.5 show 270
25.5.1 show mac-addr-table 270
25.6 clear 271

25.6.1 clear mac-addr-table 271

26 GARP VLAN and Multicast Registration Protocol (GVRP and GMRP) 273
26.1 garp 274
26.1.1 garp gvrp operation 274
26.1.2 garp gmrp operation 274
26.1.3 garp gmrp forward-unknown 275
26.2 garp 276
26.2.1 garp interface join-time 276
26.2.2 garp interface leave-time 276
26.2.3 garp interface leave-all-time 277
26.2.4 garp gvrp operation 277
26.2.5 garp gmrp operation 277
26.2.6 garp gmrp forward-all-groups 278
26.3 show 279
26.3.1 show garp interface 279
26.3.2 show garp gvrp global 279
26.3.3 show garp gvrp interface 279
26.3.4 show garp gvrp statistics interface 280
26.3.5 show garp gmrp global 280
26.3.6 show garp gmrp interface 280
26.3.7 show garp gmrp statistics interface 280
26.4 show 281
26.4.1 show mac-filter-table gmrp 281

27 HiDiscovery 283
27.1 network 284
27.1.1 network hidiscovery operation 284
27.1.2 network hidiscovery mode 284
27.1.3 network hidiscovery blinking 285
27.1.4 network hidiscovery relay 285
27.2 show 286
27.2.1 show network hidiscovery 286

28 HIPER-Ring 287
28.1 hiper-ring 288
28.1.1 hiper-ring operation 288
28.1.2 hiper-ring mode 288
28.1.3 hiper-ring primary-port 289
28.1.4 hiper-ring secondary-port 289
28.2 show 290
28.2.1 show hiper-ring global 290

29 Hypertext Transfer Protocol (HTTP) 291


29.1 http 292
29.1.1 http port 292
29.1.2 http server 292
29.2 show 293
29.2.1 show http 293

30 HTTP Secure (HTTPS) 295


30.1 https 296
30.1.1 https server 296
30.1.2 https port 296
30.1.3 https certificate 297
30.2 copy 298

30.2.1 copy httpscert remote 298
30.2.2 copy httpscert envm 298
30.3 show 299
30.3.1 show https 299

31 Integrated Authentication Server (IAS) 301


31.1 ias-users 302
31.1.1 ias-users add 302
31.1.2 ias-users delete 302
31.1.3 ias-users enable 302
31.1.4 ias-users disable 303
31.1.5 ias-users password 303
31.2 show 304
31.2.1 show ias-users 304

32 IEC 61850 MMS Server 305


32.1 iec61850-mms 306
32.1.1 iec61850-mms operation 306
32.1.2 iec61850-mms write-access 306
32.1.3 iec61850-mms port 307
32.1.4 iec61850-mms max-sessions 307
32.1.5 iec61850-mms technical-key 307
32.2 show 308
32.2.1 show iec61850-mms 308

33 Internet Group Management Protocol (IGMP) 309


33.1 ip 310
33.1.1 ip igmp operation 310
33.2 ip 311
33.2.1 ip igmp operation 311
33.2.2 ip igmp version 311
33.2.3 ip igmp robustness 312
33.2.4 ip igmp querier query-interval 312
33.2.5 ip igmp querier last-member-interval 312
33.2.6 ip igmp querier max-response-time 312
33.3 show 314
33.3.1 show ip igmp global 314
33.3.2 show ip igmp interface 314
33.3.3 show ip igmp membership 314
33.3.4 show ip igmp groups 315
33.3.5 show ip igmp statistics 315

34 IGMP Proxy 317


34.1 ip 318
34.1.1 ip igmp-proxy interface 318
34.1.2 ip igmp-proxy report-interval 318
34.2 show 319
34.2.1 show ip igmp-proxy global 319
34.2.2 show ip igmp-proxy groups 319
34.2.3 show ip igmp-proxy source-list 319

35 IGMP Snooping 321


35.1 igmp-snooping 322
35.1.1 igmp-snooping mode 322
35.1.2 igmp-snooping querier mode 322
35.1.3 igmp-snooping querier query-interval 323

35.1.4 igmp-snooping querier timer-expiry 323
35.1.5 igmp-snooping querier version 323
35.1.6 igmp-snooping forward-unknown 324
35.2 igmp-snooping 325
35.2.1 igmp-snooping vlan-id 325
35.3 igmp-snooping 327
35.3.1 igmp-snooping mode 327
35.3.2 igmp-snooping fast-leave 327
35.3.3 igmp-snooping groupmembership-interval 328
35.3.4 igmp-snooping maxresponse 328
35.3.5 igmp-snooping mcrtrexpiretime 328
35.3.6 igmp-snooping static-query-port 328
35.4 show 330
35.4.1 show igmp-snooping global 330
35.4.2 show igmp-snooping interface 330
35.4.3 show igmp-snooping vlan 330
35.4.4 show igmp-snooping querier global 331
35.4.5 show igmp-snooping querier vlan 331
35.4.6 show igmp-snooping enhancements vlan 331
35.4.7 show igmp-snooping enhancements unknown-filtering 331
35.4.8 show igmp-snooping statistics global 332
35.4.9 show igmp-snooping statistics interface 332
35.5 show 333
35.5.1 show mac-filter-table igmp-snooping 333
35.6 clear 334
35.6.1 clear igmp-snooping 334

36 Interface 335
36.1 shutdown 336
36.1.1 shutdown 336
36.2 auto-negotiate 337
36.2.1 auto-negotiate 337
36.3 auto-power-down 338
36.3.1 auto-power-down 338
36.4 cable-crossing 339
36.4.1 cable-crossing 339
36.5 linktraps 340
36.5.1 linktraps 340
36.6 link-loss-alert 341
36.6.1 link-loss-alert operation 341
36.7 speed 342
36.7.1 speed 342
36.8 name 343
36.8.1 name 343
36.9 power-state 344
36.9.1 power-state 344
36.10 mac-filter 345
36.10.1 mac-filter 345
36.11 led-signaling 346
36.11.1 led-signaling operation 346
36.12 show 347
36.12.1 show port 347
36.13 show 348
36.13.1 show link-loss-alert 348

36.14 show 349
36.14.1 show led-signaling operation 349

37 Interface Statistics 351


37.1 utilization 352
37.1.1 utilization control-interval 352
37.1.2 utilization alarm-threshold lower 352
37.1.3 utilization alarm-threshold upper 352
37.2 clear 354
37.2.1 clear port-statistics 354
37.3 show 355
37.3.1 show interface counters 355
37.3.2 show interface layout 355
37.3.3 show interface utilization 355
37.3.4 show interface statistics 356
37.3.5 show interface ether-stats 356

38 Intern 357
38.1 help 358
38.2 logout 359
38.3 history 360
38.4 vlan-mode 361
38.4.1 vlan-mode 361
38.5 exit 362
38.6 end 363
38.7 serviceshell 364
38.7.1 serviceshell deactivate 364
38.8 serviceshell-f 365
38.8.1 serviceshell-f deactivate 365
38.9 traceroute 366
38.9.1 traceroute maxttl 366
38.10 traceroute 367
38.10.1 traceroute source 367
38.11 reboot 368
38.11.1 reboot after 368
38.12 ping 369
38.12.1 ping 369
38.13 ping 370
38.13.1 ping source 370
38.14 show 371
38.14.1 show reboot 371
38.14.2 show serviceshell 371

39 Open Shortest Path First (OSPF) 373


39.1 ip 374
39.1.1 ip ospf area 374
39.1.2 ip ospf trapflags all 376
39.1.3 ip ospf operation 377
39.1.4 ip ospf 1583compatability 377
39.1.5 ip ospf default-metric 378
39.1.6 ip ospf router-id 378
39.1.7 ip ospf external-lsdb-limit 378
39.1.8 ip ospf exit-overflow 379

39.1.9 ip ospf spf-delay 379
39.1.10 ip ospf spf-holdtime 379
39.1.11 ip ospf auto-cost 380
39.1.12 ip ospf distance intra 380
39.1.13 ip ospf distance inter 380
39.1.14 ip ospf distance external 381
39.1.15 ip ospf re-distribute 381
39.1.16 ip ospf distribute-list 382
39.1.17 ip ospf default-info originate 382
39.2 ip 384
39.2.1 ip ospf operation 384
39.2.2 ip ospf area-id 384
39.2.3 ip ospf link-type 385
39.2.4 ip ospf priority 385
39.2.5 ip ospf transmit-delay 385
39.2.6 ip ospf retransmit-interval 386
39.2.7 ip ospf hello-interval 386
39.2.8 ip ospf dead-interval 386
39.2.9 ip ospf cost 387
39.2.10 ip ospf mtu-ignore 387
39.2.11 ip ospf authentication type 388
39.2.12 ip ospf authentication key 388
39.2.13 ip ospf authentication key-id 388
39.3 show 389
39.3.1 show ip ospf global 389
39.3.2 show ip ospf area 389
39.3.3 show ip ospf stub 389
39.3.4 show ip ospf database internal 390
39.3.5 show ip ospf database external 390
39.3.6 show ip ospf range 390
39.3.7 show ip ospf interface 390
39.3.8 show ip ospf virtual-link 391
39.3.9 show ip ospf virtual-neighbor 391
39.3.10 show ip ospf neighbor 391
39.3.11 show ip ospf statistics 391
39.3.12 show ip ospf re-distribute 392
39.3.13 show ip ospf nssa 392
39.3.14 show ip ospf route 392

40 IP Source Guard (IPSG) 393


40.1 ip 394
40.1.1 ip source-guard binding add 394
40.1.2 ip source-guard binding delete all 394
40.1.3 ip source-guard binding delete interface 394
40.1.4 ip source-guard binding delete index 395
40.1.5 ip source-guard binding mode 395
40.2 clear 396
40.2.1 clear ip source-guard bindings 396
40.3 ip 397
40.3.1 ip source-guard mode 397
40.3.2 ip source-guard verify-mac 397
40.4 show 398
40.4.1 show ip source-guard interfaces 398
40.4.2 show ip source-guard bindings 398

41 IP Subnet VLAN 399


41.1 vlan 400
41.1.1 vlan association subnet 400
41.2 show 401

41.2.1 show vlan association subnet 401

42 Internet Protocol Version 4 (IPv4) 403


42.1 network 404
42.1.1 network protocol 404
42.1.2 network parms 404
42.2 clear 405
42.2.1 clear arp-table-switch 405
42.3 show 406
42.3.1 show network parms 406
42.4 show 407
42.4.1 show arp 407

43 Ring Coupling 409


43.1 ring-coupling 410
43.1.1 ring-coupling add 410
43.1.2 ring-coupling delete 411
43.1.3 ring-coupling modify 411
43.1.4 ring-coupling enable 412
43.1.5 ring-coupling disable 412
43.2 show 413
43.2.1 show ring-coupling global 413
43.2.2 show ring-coupling status 413

44 License Manager 415


44.1 license 416
44.1.1 license level 416
44.2 show 417
44.2.1 show license global 417

45 Link Backup 419


45.1 link-backup 420
45.1.1 link-backup operation 420
45.2 link-backup 421
45.2.1 link-backup add 421
45.2.2 link-backup delete 421
45.2.3 link-backup modify 422
45.3 show 423
45.3.1 show link-backup operation 423
45.3.2 show link-backup pairs 423

46 Link Layer Discovery Protocol (LLDP) 425


46.1 lldp 426
46.1.1 lldp operation 426
46.1.2 lldp config chassis admin-state 426
46.1.3 lldp config chassis notification-interval 427
46.1.4 lldp config chassis re-init-delay 427
46.1.5 lldp config chassis tx-delay 427
46.1.6 lldp config chassis tx-hold-multiplier 428
46.1.7 lldp config chassis tx-interval 428
46.2 show 429
46.2.1 show lldp global 429
46.2.2 show lldp port 429
46.2.3 show lldp remote-data 429
46.3 lldp 430

46.3.1 lldp admin-state 430
46.3.2 lldp fdb-mode 430
46.3.3 lldp max-neighbors 431
46.3.4 lldp notification 431
46.3.5 lldp tlv inline-power 431
46.3.6 lldp tlv link-aggregation 432
46.3.7 lldp tlv mac-phy-config-state 432
46.3.8 lldp tlv max-frame-size 432
46.3.9 lldp tlv mgmt-addr 433
46.3.10 lldp tlv port-desc 433
46.3.11 lldp tlv port-vlan 434
46.3.12 lldp tlv protocol 434
46.3.13 lldp tlv sys-cap 435
46.3.14 lldp tlv sys-desc 435
46.3.15 lldp tlv sys-name 435
46.3.16 lldp tlv vlan-name 436
46.3.17 lldp tlv protocol-based-vlan 436
46.3.18 lldp tlv igmp 437
46.3.19 lldp tlv portsec 437
46.3.20 lldp tlv ptp 437
46.3.21 lldp tlv pnio 438
46.3.22 lldp tlv pnio-alias 438
46.3.23 lldp tlv pnio-mrp 439

47 Media Endpoint Discovery LLDP-MED 441


47.1 lldp 442
47.1.1 lldp med confignotification 442
47.1.2 lldp med transmit-tlv capabilities 442
47.1.3 lldp med transmit-tlv network-policy 443
47.2 lldp 444
47.2.1 lldp med faststartrepeatcount 444
47.3 show 445
47.3.1 show lldp med global 445
47.3.2 show lldp med interface 445
47.3.3 show lldp med local-device 445
47.3.4 show lldp med remote-device detail 446
47.3.5 show lldp med remote-device summary 446

48 Logging 447
48.1 logging 448
48.1.1 logging audit-trail 448
48.1.2 logging buffered severity 448
48.1.3 logging host add 449
48.1.4 logging host delete 449
48.1.5 logging host enable 450
48.1.6 logging host disable 450
48.1.7 logging host modify 450
48.1.8 logging syslog operation 451
48.1.9 logging current-console operation 451
48.1.10 logging current-console severity 452
48.1.11 logging console operation 452
48.1.12 logging console severity 453
48.1.13 logging persistent operation 453
48.1.14 logging persistent numfiles 454
48.1.15 logging persistent filesize 454
48.1.16 logging persistent severity-level 454
48.1.17 logging email operation 455
48.1.18 logging email from-addr 455
48.1.19 logging email duration 456
48.1.20 logging email severity urgent 456
48.1.21 logging email severity non-urgent 457

48.1.22 logging email to-addr add 457
48.1.23 logging email to-addr delete 458
48.1.24 logging email to-addr modify 458
48.1.25 logging email mail-server add 458
48.1.26 logging email mail-server delete 459
48.1.27 logging email mail-server modify 459
48.1.28 logging email subject add 460
48.1.29 logging email subject delete 460
48.1.30 logging email subject modify 461
48.1.31 logging email test msgtype 461
48.2 show 462
48.2.1 show logging buffered 462
48.2.2 show logging traplogs 462
48.2.3 show logging console 462
48.2.4 show logging persistent 463
48.2.5 show logging syslog 463
48.2.6 show logging host 463
48.2.7 show logging email statistics 463
48.2.8 show logging email global 464
48.2.9 show logging email to-addr 464
48.2.10 show logging email subject 464
48.2.11 show logging email mail-server 464
48.3 copy 466
48.3.1 copy eventlog buffered envm 466
48.3.2 copy eventlog buffered remote 466
48.3.3 copy eventlog persistent 466
48.3.4 copy traplog system envm 467
48.3.5 copy traplog system remote 467
48.3.6 copy audittrail system envm 467
48.3.7 copy audittrail system remote 468
48.3.8 copy mailcacert remote 468
48.3.9 copy mailcacert envm 468
48.3.10 copy syslogcacert remote 469
48.3.11 copy syslogcacert envm 469
48.4 clear 470
48.4.1 clear logging buffered 470
48.4.2 clear logging persistent 470
48.4.3 clear logging email statistics 470
48.4.4 clear eventlog 471

49 MAC Notification 473


49.1 mac 474
49.1.1 mac notification operation 474
49.1.2 mac notification interval 474
49.2 mac 475
49.2.1 mac notification operation 475
49.3 show 476
49.3.1 show mac notification global 476
49.3.2 show mac notification interface 476

50 MAC VLAN 477


50.1 vlan 478
50.1.1 vlan association mac 478
50.2 show 479
50.2.1 show vlan association mac 479

51 Management Access 481


51.1 network 482

51.1.1 network management access web timeout 482
51.1.2 network management access add 482
51.1.3 network management access delete 483
51.1.4 network management access modify 483
51.1.5 network management access operation 484
51.1.6 network management access status 485
51.2 show 486
51.2.1 show network management access global 486
51.2.2 show network management access rules 486

52 Modbus 487
52.1 modbus-tcp 488
52.1.1 modbus-tcp operation 488
52.1.2 modbus-tcp write-access 488
52.1.3 modbus-tcp port 489
52.1.4 modbus-tcp max-sessions 489
52.2 show 490
52.2.1 show modbus-tcp 490

53 Media Redundancy Protocol (MRP) 491


53.1 mrp 492
53.1.1 mrp domain modify advanced-mode 492
53.1.2 mrp domain modify manager-priority 492
53.1.3 mrp domain modify mode 492
53.1.4 mrp domain modify name 493
53.1.5 mrp domain modify operation 493
53.1.6 mrp domain modify port primary 493
53.1.7 mrp domain modify port secondary 494
53.1.8 mrp domain modify recovery-delay 494
53.1.9 mrp domain modify round-trip-delay 494
53.1.10 mrp domain modify vlan 495
53.1.11 mrp domain add default-domain 495
53.1.12 mrp domain add domain-id 495
53.1.13 mrp domain delete 495
53.1.14 mrp operation 496
53.2 show 497
53.2.1 show mrp 497

54 MRP IEEE 499


54.1 mrp-ieee 500
54.1.1 mrp-ieee global join-time 500
54.1.2 mrp-ieee global leave-time 500
54.1.3 mrp-ieee global leave-all-time 501
54.2 show 502
54.2.1 show mrp-ieee global interface 502

55 MRP IEEE MMRP 503


55.1 mrp-ieee 504
55.1.1 mrp-ieee mmrp vlan-id 504
55.2 show 505
55.2.1 show mrp-ieee mmrp global 505
55.2.2 show mrp-ieee mmrp interface 505
55.2.3 show mrp-ieee mmrp statistics global 505
55.2.4 show mrp-ieee mmrp statistics interface 506
55.2.5 show mrp-ieee mmrp service-requirement forward-all vlan 506
55.2.6 show mrp-ieee mmrp service-requirement forbidden vlan 506
55.3 mrp-ieee 507

55.3.1 mrp-ieee mmrp operation 507
55.3.2 mrp-ieee mmrp periodic-machine 507
55.4 clear 508
55.4.1 clear mrp-ieee mmrp 508
55.5 mrp-ieee 509
55.5.1 mrp-ieee mmrp operation 509
55.5.2 mrp-ieee mmrp restrict-register 509
55.6 show 510
55.6.1 show mac-filter-table mmrp 510

56 MRP IEEE MVRP 511


56.1 mrp-ieee 512
56.1.1 mrp-ieee mvrp operation 512
56.1.2 mrp-ieee mvrp periodic-machine 512
56.2 mrp-ieee 513
56.2.1 mrp-ieee mvrp operation 513
56.2.2 mrp-ieee mvrp restrict-register 513
56.3 show 514
56.3.1 show mrp-ieee mvrp global 514
56.3.2 show mrp-ieee mvrp interface 514
56.3.3 show mrp-ieee mvrp statistics global 514
56.3.4 show mrp-ieee mvrp statistics interface 515
56.4 clear 516
56.4.1 clear mrp-ieee mvrp 516

57 Out-of-band Management 517


57.1 network 518
57.1.1 network out-of-band operation 518
57.1.2 network out-of-band protocol 518
57.1.3 network out-of-band parms 519
57.2 show 520
57.2.1 show network out-of-band 520

58 Protocol Based VLAN 521


58.1 vlan 522
58.1.1 vlan protocol group add 522
58.1.2 vlan protocol group modify 522
58.1.3 vlan protocol group delete 523
58.2 vlan 524
58.2.1 vlan protocol group add 524
58.2.2 vlan protocol group delete 524
58.3 show 525
58.3.1 show vlan protocol 525

59 Power Over Ethernet (PoE) 527


59.1 inlinepower 528
59.1.1 inlinepower operation 528
59.1.2 inlinepower slot 528
59.1.3 inlinepower threshold 529
59.1.4 inlinepower trap 529
59.2 inlinepower 530
59.2.1 inlinepower allowed-classes 530
59.2.2 inlinepower auto-shutdown-end 530
59.2.3 inlinepower auto-shutdown-start 531
59.2.4 inlinepower auto-shutdown-timer 531

59.2.5 inlinepower operation 531
59.2.6 inlinepower name 532
59.2.7 inlinepower priority 532
59.2.8 inlinepower fast-startup 532
59.2.9 inlinepower power-limit 533
59.3 show 534
59.3.1 show inlinepower global 534
59.3.2 show inlinepower port 534
59.3.3 show inlinepower slot 534

60 Port Monitor 535


60.1 port-monitor 536
60.1.1 port-monitor operation 536
60.2 port-monitor 537
60.2.1 port-monitor condition crc-fragments interval 537
60.2.2 port-monitor condition crc-fragments count 537
60.2.3 port-monitor condition crc-fragments mode 537
60.2.4 port-monitor condition link-flap interval 538
60.2.5 port-monitor condition link-flap count 538
60.2.6 port-monitor condition link-flap mode 538
60.2.7 port-monitor condition duplex-mismatch mode 539
60.2.8 port-monitor condition overload-detection traffic-type 539
60.2.9 port-monitor condition overload-detection unit 540
60.2.10 port-monitor condition overload-detection upper-threshold 540
60.2.11 port-monitor condition overload-detection lower-threshold 540
60.2.12 port-monitor condition overload-detection polling-interval 541
60.2.13 port-monitor condition overload-detection mode 541
60.2.14 port-monitor condition speed-duplex mode 541
60.2.15 port-monitor condition speed-duplex speed 542
60.2.16 port-monitor condition speed-duplex clear 542
60.2.17 port-monitor action 542
60.2.18 port-monitor reset 543
60.3 show 544
60.3.1 show port-monitor operation 544
60.3.2 show port-monitor brief 544
60.3.3 show port-monitor overload-detection counters 544
60.3.4 show port-monitor overload-detection port 545
60.3.5 show port-monitor speed-duplex 545
60.3.6 show port-monitor port 545
60.3.7 show port-monitor link-flap 545
60.3.8 show port-monitor crc-fragments 546

61 Port Security 547


61.1 port-security 548
61.1.1port-security operation 548
61.2 port-security 549
61.2.1port-security operation 549
61.2.2port-security max-dynamic 549
61.2.3port-security max-static 550
61.2.4port-security mac-address add 550
61.2.5port-security mac-address move 550
61.2.6port-security mac-address delete 550
61.2.7port-security violation-traps 551
61.3 show 552
61.3.1show port-security global 552
61.3.2show port-security interface 552
61.3.3show port-security dynamic 552
61.3.4show port-security static 553
61.3.5show port-security violation 553

62 Profinet IO
62.1 profinet
62.1.1 profinet operation
62.1.2 profinet name-of-station
62.2 profinet
62.2.1 profinet dcp-mode
62.3 copy
62.3.1 copy gsdml-profinet system remote
62.3.2 copy gsdml-profinet system envm
62.4 show
62.4.1 show profinet global
62.4.2 show profinet port

63 Precision Time Protocol (PTP)
63.1 ptp
63.1.1 ptp operation
63.1.2 ptp clock-mode
63.1.3 ptp sync-lower-bound
63.1.4 ptp sync-upper-bound
63.1.5 ptp management
63.1.6 ptp v2-transparent-clock syntonization
63.1.7 ptp v2-transparent-clock network-protocol
63.1.8 ptp v2-transparent-clock multi-domain
63.1.9 ptp v2-transparent-clock sync-local-clock
63.1.10 ptp v2-transparent-clock delay-mechanism
63.1.11 ptp v2-transparent-clock primary-domain
63.1.12 ptp v2-transparent-clock vlan
63.1.13 ptp v2-transparent-clock vlan-priority
63.1.14 ptp v2-boundary-clock domain
63.1.15 ptp v2-boundary-clock priority1
63.1.16 ptp v2-boundary-clock priority2
63.1.17 ptp v2-boundary-clock utc-offset
63.1.18 ptp v2-boundary-clock utc-offset-valid
63.2 ptp
63.2.1 ptp v2-transparent-clock operation
63.2.2 ptp v2-transparent-clock asymmetry
63.2.3 ptp v2-transparent-clock pdelay-interval
63.2.4 ptp v2-boundary-clock operation
63.2.5 ptp v2-boundary-clock pdelay-interval
63.2.6 ptp v2-boundary-clock announce-interval
63.2.7 ptp v2-boundary-clock sync-interval
63.2.8 ptp v2-boundary-clock announce-timeout
63.2.9 ptp v2-boundary-clock asymmetry
63.2.10 ptp v2-boundary-clock v1-compatibility-mode
63.2.11 ptp v2-boundary-clock delay-mechanism
63.2.12 ptp v2-boundary-clock network-protocol
63.2.13 ptp v2-boundary-clock vlan-priority
63.2.14 ptp v2-boundary-clock vlan
63.3 show
63.3.1 show ptp

64 Password Management
64.1 passwords
64.1.1 passwords min-length
64.1.2 passwords max-login-attempts
64.1.3 passwords min-uppercase-chars
64.1.4 passwords min-lowercase-chars
64.1.5 passwords min-numeric-chars
64.1.6 passwords min-special-chars
64.2 show
64.2.1 show passwords

65 Radius
65.1 authorization
65.1.1 authorization network radius
65.2 radius
65.2.1 radius accounting mode
65.2.2 radius server attribute 4
65.2.3 radius server acct add
65.2.4 radius server acct delete
65.2.5 radius server acct modify
65.2.6 radius server auth add
65.2.7 radius server auth delete
65.2.8 radius server auth modify
65.2.9 radius server retransmit
65.2.10 radius server timeout
65.3 show
65.3.1 show radius global
65.3.2 show radius auth servers
65.3.3 show radius auth statistics
65.3.4 show radius acct statistics
65.3.5 show radius acct servers
65.4 clear
65.4.1 clear radius

66 Redundant Coupling Protocol (RCP)
66.1 redundant-coupling
66.1.1 redundant-coupling operation
66.1.2 redundant-coupling timeout
66.1.3 redundant-coupling role
66.1.4 redundant-coupling port primary inner
66.1.5 redundant-coupling port primary outer
66.1.6 redundant-coupling port secondary inner
66.1.7 redundant-coupling port secondary outer
66.2 show
66.2.1 show redundant-coupling global
66.2.2 show redundant-coupling status
66.2.3 show redundant-coupling partner

67 Remote Authentication
67.1 ldap
67.1.1 ldap operation
67.1.2 ldap cache-timeout
67.1.3 ldap flush-user-cache
67.1.4 ldap role-policy
67.1.5 ldap basedn
67.1.6 ldap search-attr
67.1.7 ldap bind-user
67.1.8 ldap bind-passwd
67.1.9 ldap default-domain
67.1.10 ldap client server add
67.1.11 ldap client server delete
67.1.12 ldap client server enable
67.1.13 ldap client server disable
67.1.14 ldap client server modify
67.1.15 ldap mapping add
67.1.16 ldap mapping delete
67.1.17 ldap mapping enable
67.1.18 ldap mapping disable
67.2 show
67.2.1 show ldap global
67.2.2 show ldap client server
67.2.3 show ldap mapping
67.3 copy
67.3.1 copy ldapcacert remote
67.3.2 copy ldapcacert envm

68 Remote Monitoring (RMON)
68.1 rmon-alarm
68.1.1 rmon-alarm add
68.1.2 rmon-alarm enable
68.1.3 rmon-alarm disable
68.1.4 rmon-alarm delete
68.1.5 rmon-alarm modify
68.2 show
68.2.1 show rmon statistics
68.2.2 show rmon alarm

69 Script File
69.1 script
69.1.1 script apply
69.1.2 script validate
69.1.3 script list system
69.1.4 script list envm
69.1.5 script delete
69.2 copy
69.2.1 copy script envm
69.2.2 copy script remote
69.2.3 copy script nvm
69.2.4 copy script running-config nvm
69.2.5 copy script running-config envm
69.2.6 copy script running-config remote
69.3 show
69.3.1 show script envm
69.3.2 show script system

70 Selftest
70.1 selftest
70.1.1 selftest action
70.1.2 selftest ramtest
70.1.3 selftest system-monitor
70.1.4 selftest boot-default-on-error
70.2 show
70.2.1 show selftest action
70.2.2 show selftest settings

71 sFlow
71.1 sflow
71.1.1 sflow receiver
71.2 sflow
71.2.1 sflow poller receiver
71.2.2 sflow poller interval
71.2.3 sflow sampler receiver
71.2.4 sflow sampler rate
71.2.5 sflow sampler maxheadersize
71.3 show
71.3.1 show sflow agent
71.3.2 show sflow receivers
71.3.3 show sflow pollers
71.3.4 show sflow samplers

72 Small Form-factor Pluggable (SFP)
72.1 show
72.1.1 show sfp

73 Signal Contact
73.1 signal-contact
73.1.1 signal-contact mode
73.1.2 signal-contact monitor link-failure
73.1.3 signal-contact monitor module-removal
73.1.4 signal-contact monitor envm-not-in-sync
73.1.5 signal-contact monitor envm-removal
73.1.6 signal-contact monitor temperature
73.1.7 signal-contact monitor ring-redundancy
73.1.8 signal-contact monitor power-supply
73.1.9 signal-contact state
73.1.10 signal-contact trap
73.1.11 signal-contact module
73.2 signal-contact
73.2.1 signal-contact link-alarm
73.3 show
73.3.1 show signal-contact

74 Slot
74.1 slot
74.1.1 slot operation
74.1.2 slot module
74.2 show
74.2.1 show slot

75 Switched Monitoring (SMON)
75.1 monitor
75.1.1 monitor session
75.2 rspan-vlan
75.2.1 rspan-vlan
75.3 show
75.3.1 show monitor session
75.4 clear
75.4.1 clear monitor session

76 Simple Network Management Protocol (SNMP)
76.1 snmp
76.1.1 snmp access version v1
76.1.2 snmp access version v2
76.1.3 snmp access version v3
76.1.4 snmp access port
76.1.5 snmp access snmp-over-802
76.2 show
76.2.1 show snmp access

77 SNMP Community
77.1 snmp
77.1.1 snmp community ro
77.1.2 snmp community rw
77.2 show
77.2.1 show snmp community

78 SNMP Logging
78.1 logging
78.1.1 logging snmp-request get operation
78.1.2 logging snmp-request get severity
78.1.3 logging snmp-request set operation
78.1.4 logging snmp-request set severity
78.2 show
78.2.1 show logging snmp

79 Simple Network Time Protocol (SNTP)
79.1 sntp
79.1.1 sntp client operation
79.1.2 sntp client operating-mode
79.1.3 sntp client request-interval
79.1.4 sntp client broadcast-rcv-timeout
79.1.5 sntp client disable-after-sync
79.1.6 sntp client server add
79.1.7 sntp client server delete
79.1.8 sntp client server mode
79.1.9 sntp server operation
79.1.10 sntp server port
79.1.11 sntp server only-if-synchronized
79.1.12 sntp server broadcast operation
79.1.13 sntp server broadcast address
79.1.14 sntp server broadcast port
79.1.15 sntp server broadcast interval
79.1.16 sntp server broadcast vlan
79.2 show
79.2.1 show sntp global
79.2.2 show sntp client status
79.2.3 show sntp client server
79.2.4 show sntp server status
79.2.5 show sntp server broadcast

80 Spanning Tree
80.1 spanning-tree
80.1.1 spanning-tree operation
80.1.2 spanning-tree bpdu-filter
80.1.3 spanning-tree bpdu-guard
80.1.4 spanning-tree bpdu-migration-check
80.1.5 spanning-tree forceversion
80.1.6 spanning-tree forward-time
80.1.7 spanning-tree hello-time
80.1.8 spanning-tree hold-count
80.1.9 spanning-tree max-age
80.1.10 spanning-tree ring-only-mode operation
80.1.11 spanning-tree ring-only-mode first-port
80.1.12 spanning-tree ring-only-mode second-port
80.1.13 spanning-tree mst
80.2 spanning-tree
80.2.1 spanning-tree mode
80.2.2 spanning-tree bpdu-flood
80.2.3 spanning-tree edge-auto
80.2.4 spanning-tree edge-port
80.2.5 spanning-tree guard-loop
80.2.6 spanning-tree guard-root
80.2.7 spanning-tree guard-tcn
80.2.8 spanning-tree cost
80.2.9 spanning-tree priority
80.3 show
80.3.1 show spanning-tree global
80.3.2 show spanning-tree mst instance
80.3.3 show spanning-tree mst port
80.3.4 show spanning-tree port

81 Subring Management
81.1 sub-ring
81.1.1 sub-ring operation
81.1.2 sub-ring add
81.1.3 sub-ring delete
81.1.4 sub-ring enable
81.1.5 sub-ring disable
81.1.6 sub-ring modify
81.2 show
81.2.1 show sub-ring global
81.2.2 show sub-ring ring

82 Secure Shell (SSH)
82.1 ssh
82.1.1 ssh server
82.1.2 ssh timeout
82.1.3 ssh port
82.1.4 ssh max-sessions
82.1.5 ssh outbound max-sessions
82.1.6 ssh outbound timeout
82.1.7 ssh key rsa
82.1.8 ssh key dsa
82.2 copy
82.2.1 copy sshkey remote
82.2.2 copy sshkey envm
82.3 show
82.3.1 show ssh

83 Storm Control
83.1 storm-control
83.1.1 storm-control flow-control
83.2 traffic-shape
83.2.1 traffic-shape bw
83.3 mtu
83.3.1 mtu
83.4 mtu
83.4.1 mtu
83.5 storm-control
83.5.1 storm-control flow-control
83.5.2 storm-control ingress unit
83.5.3 storm-control ingress unicast operation
83.5.4 storm-control ingress unicast threshold
83.5.5 storm-control ingress multicast operation
83.5.6 storm-control ingress multicast threshold
83.5.7 storm-control ingress broadcast operation
83.5.8 storm-control ingress broadcast threshold
83.6 show
83.6.1 show storm-control flow-control
83.6.2 show storm-control ingress
83.6.3 show traffic-shape
83.6.4 show mtu

84 System
84.1 system
84.1.1 system name
84.1.2 system location
84.1.3 system contact
84.1.4 system port-led-mode
84.1.5 system pre-login-banner operation
84.1.6 system pre-login-banner text
84.1.7 system resources operation
84.2 temperature
84.2.1 temperature upper-limit
84.2.2 temperature lower-limit
84.3 show
84.3.1 show eventlog
84.3.2 show system info
84.3.3 show system port-led-mode
84.3.4 show system pre-login-banner
84.3.5 show system flash-status
84.3.6 show system temperature limits
84.3.7 show system temperature extremes
84.3.8 show system temperature histogram
84.3.9 show system temperature counters
84.3.10 show system resources
84.3.11 show psu slot
84.3.12 show psu unit

85 Telnet
85.1 telnet
85.1.1 telnet server
85.1.2 telnet timeout
85.1.3 telnet port
85.1.4 telnet max-sessions
85.2 telnet
85.2.1 telnet
85.3 show
85.3.1 show telnet

86 Time Range
86.1 time
86.1.1 time range
86.2 show
86.2.1 show time-range

87 Traps
87.1 snmp
87.1.1 snmp trap operation
87.1.2 snmp trap mode
87.1.3 snmp trap delete
87.1.4 snmp trap add
87.2 show
87.2.1 show snmp traps

88 User Management
88.1 show
88.1.1 show custom-role global
88.1.2 show custom-role commands

89 Users
89.1 users
89.1.1 users add
89.1.2 users delete
89.1.3 users enable
89.1.4 users disable
89.1.5 users password
89.1.6 users snmpv3 authentication
89.1.7 users snmpv3 encryption
89.1.8 users access-role
89.1.9 users lock-status
89.1.10 users password-policy-check
89.2 show
89.2.1 show users

90 Virtual LAN (VLAN)
90.1 name
90.1.1 name
90.2 vlan-unaware-mode
90.2.1 vlan-unaware-mode
90.3 vlan
90.3.1 vlan add
90.3.2 vlan delete
90.4 vlan
90.4.1 vlan acceptframe
90.4.2 vlan ingressfilter
90.4.3 vlan priority
90.4.4 vlan pvid
90.4.5 vlan tagging
90.4.6 vlan participation include
90.4.7 vlan participation exclude
90.4.8 vlan participation auto
90.5 show
90.5.1 show vlan id
90.5.2 show vlan brief
90.5.3 show vlan port
90.5.4 show vlan member current
90.5.5 show vlan member static
90.6 network
90.6.1 network management vlan
90.6.2 network management priority dot1p
90.6.3 network management priority ip-dscp

91 Voice VLAN
91.1 voice
91.1.1 voice vlan
91.2 voice
91.2.1 voice vlan vlan-id
91.2.2 voice vlan dot1p
91.2.3 voice vlan none
91.2.4 voice vlan untagged
91.2.5 voice vlan disable
91.2.6 voice vlan auth
91.2.7 voice vlan data priority
91.3 show
91.3.1 show voice vlan global
91.3.2 show voice vlan interface

A Further Support

Safety instructions

WARNING
UNCONTROLLED MACHINE ACTIONS
To avoid uncontrolled machine actions caused by data loss, configure all the data transmission
devices individually.
Before you start any machine which is controlled via data transmission, be sure to complete the
configuration of all data transmission devices.

Failure to follow these instructions can result in death, serious injury, or equipment damage.

About this Manual

The “Command Line Interface” reference manual contains detailed information on using the Command
Line Interface to operate the individual functions of the device.

The “GUI” reference manual contains detailed information on using the graphical interface to operate
the individual functions of the device.

The “Installation” user manual contains a device description, safety instructions, a description of the
display, and the other information that you need to install the device.

The “Basic Configuration” user manual contains the information you need to start operating the device.
It takes you step by step from the first startup operation through to the basic settings for operation in
your environment.

The “Redundancy Configuration” user manual contains the information you require to select
the suitable redundancy procedure and configure it.

The document “HiView User Manual” contains information about the GUI application HiView. This
application offers you the possibility to use the graphical user interface without other applications such
as a Web browser or an installed Java Runtime Environment (JRE).

The Industrial HiVision Network Management software provides you with additional options for smooth
configuration and monitoring:
• ActiveX control for SCADA integration
• Auto-topology discovery
• Browser interface
• Client/server structure
• Event handling
• Event log
• Simultaneous configuration of multiple devices
• Graphical user interface with network layout
• SNMP/OPC gateway

1 Command reference

2 Address Conflict Detection (ACD)

2.1 address-conflict

Configure the address conflict settings.

2.1.1 address-conflict operation


Enable or disable the address conflict component.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: address-conflict operation

■ no address-conflict operation
Disable the option.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: no address-conflict operation

2.1.2 address-conflict detection-mode


Configure the detection mode.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: address-conflict detection-mode <P-1>

Parameter  Value               Meaning
P-1        active-and-passive  Configure active and passive detection. During the IP address configuration, if you set the detection to 'active', then the device sends ARP or NDP probes into the network, and if you set the detection to 'passive', then the device listens continuously on the network.
           active-only         Configure only active detection. During the IP address configuration, with the detection set to 'active', the device sends only one ARP or NDP probe into the network.
           passive-only        Configure passive detection. The device listens passively on the network to verify that another device does not have the same IP address assigned.

2.1.3 address-conflict detection-ongoing


Enable or disable the ongoing detection. If enabled, the device sends periodic ARP or NDP probes.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: address-conflict detection-ongoing

■ no address-conflict detection-ongoing
Disable the option.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: no address-conflict detection-ongoing

2.1.4 address-conflict delay


The maximum detection delay time in milliseconds. Time gap between ARP or NDP probes.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: address-conflict delay <P-1>

Parameter  Value    Meaning
P-1        20..500  Time gap between consecutive ARP or NDP probes ([ms], default 200).

2.1.5 address-conflict release-delay


Delay in seconds to the next ARP or NDP probe cycle after an IP address conflict was detected.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: address-conflict release-delay <P-1>

Parameter  Value    Meaning
P-1        3..3600  Delay between consecutive probe cycles after a conflict was detected ([sec], default 15).

2.1.6 address-conflict max-protection


Maximum number of frequent address protections.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: address-conflict max-protection <P-1>

Parameter  Value   Meaning
P-1        0..100  Maximum number of frequent address protections (default 1).

2.1.7 address-conflict protect-interval


Delay in milliseconds between two consecutive address protections.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: address-conflict protect-interval <P-1>

Parameter  Value      Meaning
P-1        20..10000  Delay between two consecutive protections ([ms], default 10000).

2.1.8 address-conflict trap-status


If enabled, this trap reports an address conflict.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: address-conflict trap-status

■ no address-conflict trap-status
Disable the option.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: no address-conflict trap-status

2.2 mac-address-conflict

Enable/Disable sending a trap if a packet with the MAC of this device is detected in the network.

2.2.1 mac-address-conflict operation


Enable or disable the MAC address conflict component.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: mac-address-conflict operation

■ no mac-address-conflict operation
Disable the option.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: no mac-address-conflict operation

2.3 show

Display device options and settings.

2.3.1 show address-conflict global


Displays the component mode.
• Mode: Command is available in all modes.
• Privilege Level: Guest
• Format: show address-conflict global

2.3.2 show address-conflict detected


Displays the last detected address conflict.
• Mode: Command is available in all modes.
• Privilege Level: Guest
• Format: show address-conflict detected

2.3.3 show address-conflict fault-state


Displays the current conflict status.
• Mode: Command is available in all modes.
• Privilege Level: Guest
• Format: show address-conflict fault-state

2.3.4 show mac-address-conflict global


Displays the component mode.
• Mode: Command is available in all modes.
• Privilege Level: Guest
• Format: show mac-address-conflict global

3 Access Control List (ACL)

3.1 mac

Set MAC parameters.

3.1.1 mac access-list extended name


Create a MAC access-list.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: mac access-list extended name <P-1> deny src <P-2> dst <P-3> [ethertype <P-4>] [vlan <P-5> <P-6>] [cos <P-7>] [log] [time-range <P-8>] permit src <P-9> dst <P-10> [ethertype <P-11>] [vlan <P-12> <P-13>] [cos <P-14>] [time-range <P-15>] [assign-queue <P-16>] [mirror <P-17>] [rate-limit <P-18> <P-19>] [redirect <P-20>] [rate-limit <P-21> <P-22>]

deny: Create a new rule for the current MAC access-list: Specify packets to reject.
src: Specify the source MAC and Mask.
dst: Specify the destination MAC and Mask.
[ethertype]: Specify the EtherType.
[vlan]: Configure a match condition based on a VLAN ID.
[cos]: Configure a match condition based on a COS value (VLAN priority).
[log]: Enable logging.
[time-range]: Activate the rule at an absolute time or periodically.

permit: Create a new rule for the current MAC access-list: Specify packets to forward.
src: Specify the source MAC and Mask.
dst: Specify the destination MAC and Mask.
[ethertype]: Specify the EtherType.
[vlan]: Configure a match condition based on a VLAN ID.
[cos]: Set COS field.
[time-range]: Activate the rule at an absolute time or periodically.
[assign-queue]: Configure the User Priority (VLAN priority) assignment attribute.
[mirror]: Set Mirror Interface.
[rate-limit]: Set rate limit and burst size.
[redirect]: Set Redirect Interface.
[rate-limit]: Set rate limit and burst size.
Parameter  Value              Meaning
P-1        string <name>      ACL name.
P-2        any                Enter for any source MAC address and mask.
           srcmac-macmask     Enter source MAC and source MAC mask.
P-3        any                Enter for any destination MAC address and mask.
           destmac-macmask    Enter destination MAC and destination MAC mask.
P-4        0x0600-0xffff      Ethertype value
           appletalk          Appletalk
           arp                ARP
           ibmsna             IBMSNA
           ipv4               IPv4
           ipv6               IPv6
           ipx-old            IPX-OLD
           mplsmcast          MPLS Multicast
           mplsucast          MPLS Unicast
           netbios            NetBIOS
           novell             NOVELL
           pppoe              PPPoE
           rarp               RARP
P-5        eq                 Specify VLAN value.
P-6        1..4042            Enter the VLAN ID.
P-7        0..7               COS
P-8        string <name>      Time-range name
P-9        any                Enter for any source MAC address and mask.
           srcmac-macmask     Enter source MAC and source MAC mask.
P-10       any                Enter for any destination MAC address and mask.
           destmac-macmask    Enter destination MAC and destination MAC mask.
P-11       0x0600-0xffff      Ethertype value
           appletalk          Appletalk
           arp                ARP
           ibmsna             IBMSNA
           ipv4               IPv4
           ipv6               IPv6
           ipx-old            IPX-OLD
           mplsmcast          MPLS Multicast
           mplsucast          MPLS Unicast
           netbios            NetBIOS
           novell             NOVELL
           pppoe              PPPoE
           rarp               RARP
P-12       eq                 Specify VLAN value.
P-13       1..4042            Enter the VLAN ID.
P-14       0..7               COS
P-15       string <name>      Time-range name
P-16       0..7               User priority (VLAN priority).
P-17       slot no./port no.
P-18       0..10000000        Committed rate value, specified in kbps.
P-19       0..128             Committed burst size value, specified in kbytes.
P-20       slot no./port no.
P-21       0..10000000        Committed rate value, specified in kbps.
P-22       0..128             Committed burst size value, specified in kbytes.
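
The Format line and parameter table above can be checked mechanically before a rule is applied to a device, which catches out-of-range values and options that belong to the other action. The following Python sketch is an added example and not part of the Hirschmann manual; the function name check_mac_acl, the sample rules, and the colon-separated spelling of the srcmac-macmask value are assumptions.

```python
import re

# EtherType keywords listed for P-4 / P-11 in the parameter table.
ETHERTYPES = {"appletalk", "arp", "ibmsna", "ipv4", "ipv6", "ipx-old",
              "mplsmcast", "mplsucast", "netbios", "novell", "pppoe", "rarp"}
PREFIX = ["mac", "access-list", "extended", "name"]
# Assumption: srcmac-macmask is two colon-separated MACs joined by '-'.
MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
MAC_PAIR = re.compile(MAC + "-" + MAC)
PORT = re.compile(r"[0-9]+/[0-9]+")  # "slot no./port no."


def _in_range(tok, lo, hi):
    return re.fullmatch(r"[0-9]+", tok) is not None and lo <= int(tok) <= hi


def _mac_spec(tok):
    return tok == "any" or MAC_PAIR.fullmatch(tok) is not None


def _ethertype(tok):
    if tok in ETHERTYPES:
        return True
    is_hex = re.fullmatch(r"0x[0-9a-fA-F]{1,4}", tok) is not None
    return is_hex and 0x0600 <= int(tok, 16) <= 0xFFFF


# Options each action accepts according to the Format line.
ALLOWED = {
    "deny": {"ethertype", "vlan", "cos", "log", "time-range"},
    "permit": {"ethertype", "vlan", "cos", "time-range", "assign-queue",
               "mirror", "rate-limit", "redirect"},
}
# Values each option takes: (validator, what the table expects).
OPTION_ARGS = {
    "ethertype": [(_ethertype, "a keyword or 0x0600-0xffff")],
    "vlan": [(lambda t: t == "eq", "'eq'"),
             (lambda t: _in_range(t, 1, 4042), "a VLAN ID in 1..4042")],
    "cos": [(lambda t: _in_range(t, 0, 7), "in 0..7")],
    "log": [],
    "time-range": [(lambda t: True, "a time-range name")],
    "assign-queue": [(lambda t: _in_range(t, 0, 7), "in 0..7")],
    "mirror": [(lambda t: PORT.fullmatch(t) is not None, "slot/port")],
    "redirect": [(lambda t: PORT.fullmatch(t) is not None, "slot/port")],
    "rate-limit": [(lambda t: _in_range(t, 0, 10000000), "a rate in 0..10000000 kbps"),
                   (lambda t: _in_range(t, 0, 128), "a burst size in 0..128 kbytes")],
}


def check_mac_acl(line):
    """Return a list of problems; an empty list means the rule fits the Format.

    Option order is not enforced, only membership and value ranges.
    """
    tok = line.split()
    if tok[:4] != PREFIX or len(tok) < 10:
        return ["not a complete 'mac access-list extended name' rule"]
    action = tok[5]
    if action not in ALLOWED:
        return [f"action must be deny or permit, got {action!r}"]
    errors = []
    if tok[6] != "src" or not _mac_spec(tok[7]):
        errors.append("expected 'src any' or 'src <mac>-<mask>'")
    if tok[8] != "dst" or not _mac_spec(tok[9]):
        errors.append("expected 'dst any' or 'dst <mac>-<mask>'")
    i = 10
    while i < len(tok):
        opt = tok[i]
        if opt not in OPTION_ARGS:
            errors.append(f"unknown option {opt!r}")
            break  # token stream is out of sync from here on
        if opt not in ALLOWED[action]:
            errors.append(f"{opt!r} is not available on a {action} rule")
        spec = OPTION_ARGS[opt]
        args = tok[i + 1:i + 1 + len(spec)]
        if len(args) < len(spec):
            errors.append(f"{opt!r} is missing a value")
        for value, (ok, expected) in zip(args, spec):
            if not ok(value):
                errors.append(f"{opt}: {value!r} is not {expected}")
        i += 1 + len(spec)
    return errors


# Constructed sample rules (ACL name and values are illustrative only).
SAMPLE_RULES = [
    "mac access-list extended name plant-l2 deny src any dst any ethertype ipx-old log",
    "mac access-list extended name plant-l2 permit src any dst any vlan eq 10 cos 5 rate-limit 5000 64",
    "mac access-list extended name plant-l2 permit src any dst any ethertype 0x0800 log",
    "mac access-list extended name plant-l2 deny src any dst any vlan eq 4095 mirror 1/3",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule, "->", check_mac_acl(rule) or "ok")
```

The third and fourth sample rules are rejected because [log] exists only on deny rules, [mirror] only on permit rules, and the VLAN ID range ends at 4042.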

3.1.2 mac access-list extended rename


Rename an existing MAC access-list.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: mac access-list extended rename <P-1> <P-2>

Parameter  Value          Meaning
P-1        string <name>  ACL name.
P-2        string <name>  ACL name.

3.1.3 mac access-list extended del


Delete a MAC access-list.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: mac access-list extended del <P-1>

Parameter  Value          Meaning
P-1        string <name>  ACL name.

3.1.4 mac access-group name


Associate an ACL identified by name with a VLAN ID.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: mac access-group name <P-1> vlan <P-2> <P-3> [sequence <P-4>]

vlan: VLAN ID
[sequence]: Indicate the sequence number

Parameter  Value          Meaning
P-1        string <name>  ACL name.
P-2        1..4042        Enter the VLAN ID.
P-3        in             Inbound direction.
           out            Outbound direction.
P-4        1..4294967295  Sequence

■ no mac access-group name
Disable the option.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: no mac access-group name <P-1> vlan [sequence]

3.1.5 mac access-group del


Disassociate an ACL identified by name from a VLAN ID.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: mac access-group del <P-1> vlan <P-2> <P-3> [sequence <P-4>]

vlan: VLAN ID
[sequence]: Indicate the sequence number

Parameter  Value          Meaning
P-1        string <name>  ACL name.
P-2        1..4042        Enter the VLAN ID.
P-3        in             Inbound direction.
           out            Outbound direction.
P-4        1..4294967295  Sequence

■ no mac access-group del
Disable the option.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: no mac access-group del <P-1> vlan [sequence]

3.2 mac

MAC interface commands.

3.2.1 mac access-group name


Associate a specific MAC access-list identified by name with an interface, in a given direction.
• Mode: Interface Range Mode
• Privilege Level: Operator
• Format: mac access-group name <P-1> <P-2> [sequence <P-3>]

[sequence]: Indicate the sequence number

Parameter  Value          Meaning
P-1        string <name>  ACL name.
P-2        in             Inbound direction.
           out            Outbound direction.
P-3        1..4294967295  Sequence

■ no mac access-group name
Disable the option.
• Mode: Interface Range Mode
• Privilege Level: Operator
• Format: no mac access-group name <P-1> [sequence]

3.2.2 mac access-group del


Remove a specific MAC access-list identified by name from an interface.
• Mode: Interface Range Mode
• Privilege Level: Operator
• Format: mac access-group del <P-1> <P-2> [sequence <P-3>]

[sequence]: Indicate the sequence number

Parameter  Value          Meaning
P-1        string <name>  ACL name.
P-2        in             Inbound direction.
           out            Outbound direction.
P-3        1..4294967295  Sequence

■ no mac access-group del
Disable the option.
• Mode: Interface Range Mode
• Privilege Level: Operator
• Format: no mac access-group del <P-1> <P-2> [sequence]

3.3 ip

Set IP parameters.

3.3.1 ip access-list extended name


Create an IP access-list.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: ip access-list extended name <P-1> deny src <P-2> [<P-3> <P-4>] dst <P-5> [<P-6> <P-7>] proto <P-8> [flag [<P-9>] [<P-10>] [<P-11>] [<P-12>] [<P-13>] [<P-14>] [<P-15>]] [icmp-type <P-16>] [icmp-code <P-17>] [igmp-type <P-18>] [fragments] [precedence <P-19>] [log] [time-range <P-20>] [assign-queue <P-21>] [tos <P-22> <P-23>] [log] [time-range <P-24>] [assign-queue <P-25>] [dscp <P-26>] [log] [time-range <P-27>] [assign-queue <P-28>] every [log] [time-range <P-29>] [assign-queue <P-30>] permit src <P-31> [<P-32> <P-33>] dst <P-34> [<P-35> <P-36>] proto <P-37> [flag [<P-38>] [<P-39>] [<P-40>] [<P-41>] [<P-42>] [<P-43>] [<P-44>]] [icmp-type <P-45>] [icmp-code <P-46>] [igmp-type <P-47>] [fragments] [precedence <P-48>] [time-range <P-49>] [mirror <P-50>] [rate-limit <P-51> <P-52>] [redirect <P-53>] [rate-limit <P-54> <P-55>] [tos <P-56> <P-57>] [time-range <P-58>] [assign-queue <P-59>] [mirror <P-60>] [rate-limit <P-61> <P-62>] [redirect <P-63>] [rate-limit <P-64> <P-65>] [dscp <P-66>] [time-range <P-67>] [assign-queue <P-68>] [mirror <P-69>] [rate-limit <P-70> <P-71>] [redirect <P-72>] [rate-limit <P-73> <P-74>] every [time-range <P-75>] [assign-queue <P-76>] [mirror <P-77>] [rate-limit <P-78> <P-79>] [redirect <P-80>] [rate-limit <P-81> <P-82>]
deny: Create a new rule for the current IP access-list: Specify packets to reject.
src: Specify the source IP and Mask
dst: Specify the destination IP and Mask
proto: Specify the protocol
[flag]: Specify TCP flag.
[icmp-type]: Specify ICMP type.
[icmp-code]: Specify ICMP code
[igmp-type]: Specify IGMP type.
[fragments]: Specify if rule matches on fragmented IP packets.
[precedence]: Precedence
[log]: Enable logging
[time-range]: Activate the rule at an absolute time or periodically.
[assign-queue]: Configure the User Priority (VLAN priority)assignment attribute.
[tos]: TOS
[log]: Enable logging
[time-range]: Activate the rule at an absolute time or periodically.
[assign-queue]: Configure the User Priority (VLAN priority)assignment attribute.
[dscp]: DSCP
[log]: Enable logging

52 RM CLI HiOS-2A GRS1040


Release 6.1 09/2016
Access Control List (ACL)
3.3 ip

[time-range]: Activate the rule at an absolute time or periodically.


[assign-queue]: Configure the User Priority (VLAN priority)assignment attribute.
every: Every pachet regardless the content.
[log]: Enable logging
[time-range]: Activate the rule at an absolute time or periodically.
[assign-queue]: Configure the User Priority (VLAN priority)assignment attribute.
permit: Create a new rule for the current IP access-list: Specify packets to forward.
src: Specify the source IP and Mask
dst: Specify destination IP and Mask
proto: Specify the protocol
[flag]: Specify TCP flag.
[icmp-type]: Specify ICMP type.
[icmp-code]: Specify ICMP code
[igmp-type]: Specify IGMP type.
[fragments]: Specify if rule matches on fragmented IP packets.
[precedence]: Precedence
[time-range]: Activate the rule at an absolute time or periodically.
[mirror]: Set Mirror Interface
[rate-limit]: Set rate limit and burst size.
[redirect]: Set Redirect Interface
[rate-limit]: Set rate limit and burst size.
[tos]: TOS
[time-range]: Activate the rule at an absolute time or periodically.
[assign-queue]: Configure the User Priority (VLAN priority)assignment attribute.
[mirror]: Set Mirror Interface
[rate-limit]: Set rate limit and burst size.
[redirect]: Set Redirect Interface
[rate-limit]: Set rate limit and burst size.
[dscp]: DSCP
[time-range]: Activate the rule at an absolute time or periodically.
[assign-queue]: Configure the User Priority (VLAN priority) assignment attribute.
[mirror]: Set Mirror Interface
[rate-limit]: Set rate limit and burst size.
[redirect]: Set Redirect Interface
[rate-limit]: Set rate limit and burst size.
every: Every packet regardless of the content.
[time-range]: Activate the rule at an absolute time or periodically.
[assign-queue]: Configure the User Priority (VLAN priority) assignment attribute.
[mirror]: Set Mirror Interface
[rate-limit]: Set rate limit and burst size.
[redirect]: Set Redirect Interface
[rate-limit]: Set rate limit and burst size.
Parameter Value Meaning
P-1 string <name> ACL name.
P-2 any Enter for any source IP address and mask.
a.b.c.d-e.f.g.h Source IP address and mask (mask in wild-card notation), e.g. 192.168.1.1-0.0.0.255.
P-3 eq Specify value that port number must be equal to.
neq Specify value that port number must not be equal to.
lt Specify value that port number must be less than.
gt Specify value that port number must be greater than.

P-4 domain Domain
echo Echo
ftp FTP
ftpdata FTP Data
http HTTP
smtp SMTP
snmp SNMP
telnet Telnet
tftp TFTP
www WWW
1-65535 Port number
P-5 any Enter for any destination IP address and mask.
a.b.c.d-e.f.g.h Destination IP address and mask (mask in wild-card notation), e.g. 192.168.1.1-0.0.0.255.
P-6 eq Specify value that port number must be equal to.
neq Specify value that port number must not be equal to.
lt Specify value that port number must be less than.
gt Specify value that port number must be greater than.
P-7 domain Domain
echo Echo
ftp FTP
ftpdata FTP Data
http HTTP
smtp SMTP
snmp SNMP
telnet Telnet
tftp TFTP
www WWW
1-65535 Port number
P-8 icmp ICMP
igmp IGMP
ip-in-ip IP-in-IP
tcp TCP
udp UDP
ip Any IP protocol
1-255 Protocol number
P-9 -fin Match occurs if fin flag is not set in the TCP header.
+fin Match occurs if fin flag is set in the TCP header.
P-10 -syn Match occurs if syn flag is not set in the TCP header.
+syn Match occurs if syn flag is set in the TCP header.
P-11 -rst Match occurs if rst flag is not set in the TCP header.
+rst Match occurs if rst flag is set in the TCP header.
P-12 -psh Match occurs if psh flag is not set in the TCP header.
+psh Match occurs if psh flag is set in the TCP header.
P-13 -ack Match occurs if ack flag is not set in the TCP header.
+ack Match occurs if ack flag is set in the TCP header.
P-14 -urg Match occurs if urg flag is not set in the TCP header.
+urg Match occurs if urg flag is set in the TCP header.
P-15 established Match occurs if the specified RST and ACK bits are set in the TCP header.
P-16 0..255 ICMP type value.
P-17 0..255 ICMP code value.
P-18 0..255 IGMP code value.
P-19 0..7 IP Precedence
P-20 string <name> Time-range name
P-21 0..7 User priority (VLAN priority).
P-22 0..255 TOS

P-23 0..255 TOS Mask
P-24 string <name> Time-range name
P-25 0..7 User priority (VLAN priority).
P-26 0..63 DSCP
P-27 string <name> Time-range name
P-28 0..7 User priority (VLAN priority).
P-29 string <name> Time-range name
P-30 0..7 User priority (VLAN priority).
P-31 any Enter for any source IP address and mask.
a.b.c.d-e.f.g.h Source IP address and mask (mask in wild-card notation), e.g. 192.168.1.1-0.0.0.255.
P-32 eq Specify value that port number must be equal to.
neq Specify value that port number must not be equal to.
lt Specify value that port number must be less than.
gt Specify value that port number must be greater than.
P-33 domain Domain
echo Echo
ftp FTP
ftpdata FTP Data
http HTTP
smtp SMTP
snmp SNMP
telnet Telnet
tftp TFTP
www WWW
1-65535 Port number
P-34 any Enter for any destination IP address and mask.
a.b.c.d-e.f.g.h Destination IP address and mask (mask in wild-card notation), e.g. 192.168.1.1-0.0.0.255.
P-35 eq Specify value that port number must be equal to.
neq Specify value that port number must not be equal to.
lt Specify value that port number must be less than.
gt Specify value that port number must be greater than.
P-36 domain Domain
echo Echo
ftp FTP
ftpdata FTP Data
http HTTP
smtp SMTP
snmp SNMP
telnet Telnet
tftp TFTP
www WWW
1-65535 Port number
P-37 icmp ICMP
igmp IGMP
ip-in-ip IP-in-IP
tcp TCP
udp UDP
ip Any IP protocol
1-255 Protocol number
P-38 -fin Match occurs if fin flag is not set in the TCP header.
+fin Match occurs if fin flag is set in the TCP header.
P-39 -syn Match occurs if syn flag is not set in the TCP header.
+syn Match occurs if syn flag is set in the TCP header.
P-40 -rst Match occurs if rst flag is not set in the TCP header.
+rst Match occurs if rst flag is set in the TCP header.

P-41 -psh Match occurs if psh flag is not set in the TCP header.
+psh Match occurs if psh flag is set in the TCP header.
P-42 -ack Match occurs if ack flag is not set in the TCP header.
+ack Match occurs if ack flag is set in the TCP header.
P-43 -urg Match occurs if urg flag is not set in the TCP header.
+urg Match occurs if urg flag is set in the TCP header.
P-44 established Match occurs if the specified RST and ACK bits are set in the TCP header.
P-45 0..255 ICMP type value.
P-46 0..255 ICMP code value.
P-47 0..255 IGMP code value.
P-48 0..7 IP Precedence
P-49 string <name> Time-range name
P-50 slot no./port no.
P-51 0..10000000 Committed rate value, specified in kbps.
P-52 0..128 Committed burst size value, specified in kbytes.
P-53 slot no./port no.
P-54 0..10000000 Committed rate value, specified in kbps.
P-55 0..128 Committed burst size value, specified in kbytes.
P-56 0..255 TOS
P-57 0..255 TOS Mask
P-58 string <name> Time-range name
P-59 0..7 User priority (VLAN priority).
P-60 slot no./port no.
P-61 0..10000000 Committed rate value, specified in kbps.
P-62 0..128 Committed burst size value, specified in kbytes.
P-63 slot no./port no.
P-64 0..10000000 Committed rate value, specified in kbps.
P-65 0..128 Committed burst size value, specified in kbytes.
P-66 0..63 DSCP
P-67 string <name> Time-range name
P-68 0..7 User priority (VLAN priority).
P-69 slot no./port no.
P-70 0..10000000 Committed rate value, specified in kbps.
P-71 0..128 Committed burst size value, specified in kbytes.
P-72 slot no./port no.
P-73 0..10000000 Committed rate value, specified in kbps.
P-74 0..128 Committed burst size value, specified in kbytes.
P-75 string <name> Time-range name
P-76 0..7 User priority (VLAN priority).
P-77 slot no./port no.
P-78 0..10000000 Committed rate value, specified in kbps.
P-79 0..128 Committed burst size value, specified in kbytes.
P-80 slot no./port no.
P-81 0..10000000 Committed rate value, specified in kbps.
P-82 0..128 Committed burst size value, specified in kbytes.


no ip access-list extended name

Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip access-list extended name <P-1> deny src dst proto [flag]
[icmp-type] [icmp-code] [igmp-type] [fragments] [precedence] [log]
[time-range] [assign-queue] [tos] [log] [time-range] [assign-queue]
[dscp] [log] [time-range] [assign-queue] every [log] [time-range]
[assign-queue] permit src dst proto [flag] [icmp-type] [icmp-code]
[igmp-type] [fragments] [precedence] [time-range] [mirror] [rate-limit]
[redirect] [rate-limit] [tos] [time-range] [assign-queue] [mirror]
[rate-limit] [redirect] [rate-limit] [dscp] [time-range] [assign-queue]
[mirror] [rate-limit] [redirect] [rate-limit] every [time-range]
[assign-queue] [mirror] [rate-limit] [redirect] [rate-limit]
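
The address, port and TCP flag notations from the parameter table of `ip access-list extended name`, modelled as an added Python example (not part of the manual and not the switch's own implementation), useful for checking which packets a planned rule would cover. It assumes the usual wildcard semantics (a 1 bit in the mask means the address bit is ignored) and the standard well-known port numbers for the service keywords; all function names, the sample rule and the sample packets are constructed for illustration.

```python
import ipaddress
import operator

# Assumption: the service keywords stand for the standard well-known ports.
PORT_KEYWORDS = {"domain": 53, "echo": 7, "ftp": 21, "ftpdata": 20, "http": 80,
                 "smtp": 25, "snmp": 161, "telnet": 23, "tftp": 69, "www": 80}
# IP protocol numbers for the protocol keywords ("ip" is handled separately).
PROTO_KEYWORDS = {"icmp": 1, "igmp": 2, "ip-in-ip": 4, "tcp": 6, "udp": 17}
PORT_OPERATORS = {"eq": operator.eq, "neq": operator.ne,
                  "lt": operator.lt, "gt": operator.gt}
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}


def parse_addr_spec(spec):
    """Turn 'any' or 'a.b.c.d-e.f.g.h' into (address, wildcard) integers."""
    if spec == "any":
        return 0, 0xFFFFFFFF  # every bit is "don't care"
    addr_text, sep, wildcard_text = spec.partition("-")
    if not sep:
        raise ValueError("expected 'any' or a.b.c.d-e.f.g.h, got %r" % spec)
    return (int(ipaddress.IPv4Address(addr_text)),
            int(ipaddress.IPv4Address(wildcard_text)))


def addr_matches(spec, ip):
    """Compare only the bits whose wildcard bit is 0."""
    addr, wildcard = parse_addr_spec(spec)
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def port_matches(op, value, port):
    """Apply eq / neq / lt / gt to the packet's port number."""
    value = str(value)
    wanted = PORT_KEYWORDS[value] if value in PORT_KEYWORDS else int(value)
    if not 1 <= wanted <= 65535:
        raise ValueError("port out of range 1-65535: %r" % value)
    return PORT_OPERATORS[op](port, wanted)


def proto_matches(spec, proto_number):
    """'ip' matches any IP protocol; otherwise compare protocol numbers."""
    if spec == "ip":
        return True
    wanted = PROTO_KEYWORDS[spec] if spec in PROTO_KEYWORDS else int(spec)
    return proto_number == wanted


def flags_match(specs, tcp_flags):
    """'+syn' requires the flag to be set, '-ack' requires it to be clear."""
    for spec in specs:
        sign, name = spec[:1], spec[1:]
        if sign not in ("+", "-") or name not in TCP_FLAG_BITS:
            raise ValueError("bad TCP flag spec: %r" % spec)
        is_set = bool(tcp_flags & TCP_FLAG_BITS[name])
        if is_set != (sign == "+"):
            return False
    return True


def rule_matches(rule, pkt):
    """True if the packet satisfies every criterion present in the rule."""
    return (addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"])
            and proto_matches(rule["proto"], pkt["proto"])
            and ("dst_port" not in rule
                 or port_matches(*rule["dst_port"], pkt["dst_port"]))
            and flags_match(rule.get("flags", []), pkt.get("tcp_flags", 0)))


# Constructed sample: match new Telnet connection attempts from 192.168.1.x.
RULE = {"src": "192.168.1.1-0.0.0.255", "dst": "any", "proto": "tcp",
        "dst_port": ("eq", "telnet"), "flags": ["+syn", "-ack"]}
SYN_PACKET = {"src": "192.168.1.77", "dst": "10.0.0.5", "proto": 6,
              "dst_port": 23, "tcp_flags": 0x02}
SYNACK_PACKET = dict(SYN_PACKET, tcp_flags=0x12)

if __name__ == "__main__":
    print("SYN matches:", rule_matches(RULE, SYN_PACKET))
    print("SYN+ACK matches:", rule_matches(RULE, SYNACK_PACKET))
```

Note that the host part of `192.168.1.1` is ignored under the `0.0.0.255` wildcard, so the manual's example value covers the whole 192.168.1.0 to 192.168.1.255 range, not a single host.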

3.3.2 ip access-list extended rename


Rename an existing IP access-list.
Mode: Global Config Mode
Privilege Level: Operator
Format: ip access-list extended rename <P-1> <P-2>
Parameter Value Meaning
P-1 string <name> ACL name.
P-2 string <name> ACL name.

3.3.3 ip access-list extended del


Delete an IP access-list.
Mode: Global Config Mode
Privilege Level: Operator
Format: ip access-list extended del <P-1>
Parameter Value Meaning
P-1 string <name> ACL name.


3.3.4 ip access-group name


Associate an ACL identified by name with a VLAN ID.
Mode: Global Config Mode
Privilege Level: Operator
Format: ip access-group name <P-1> vlan <P-2> <P-3> [sequence <P-4>]
vlan: VLAN ID
[sequence]: Indicate the sequence number
Parameter Value Meaning
P-1 string <name> ACL name.
P-2 1..4042 Enter the VLAN ID.
P-3 in Inbound direction.
out Outbound direction.
P-4 1..4294967295 Sequence

no ip access-group name
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip access-group name <P-1> vlan [sequence]

3.3.5 ip access-group del


Disassociate an ACL identified by name from a VLAN ID.
Mode: Global Config Mode
Privilege Level: Operator
Format: ip access-group del <P-1> vlan <P-2> <P-3> [sequence <P-4>]
vlan: VLAN ID
[sequence]: Indicate the sequence number
Parameter Value Meaning
P-1 string <name> ACL name.
P-2 1..4042 Enter the VLAN ID.
P-3 in Inbound direction.
out Outbound direction.
P-4 1..4294967295 Sequence

no ip access-group del
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip access-group del <P-1> vlan [sequence]


3.4 ip

IP interface commands.

3.4.1 ip access-group name


Associate a specific IP access-list identified by name with an interface, in a given direction.
Mode: Interface Range Mode
Privilege Level: Operator
Format: ip access-group name <P-1> <P-2> [sequence <P-3>]
[sequence]: Indicate the order
Parameter Value Meaning
P-1 string <name> ACL name.
P-2 in Inbound direction.
out Outbound direction.
P-3 1..4294967295 Sequence

no ip access-group name
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip access-group name <P-1> <P-2> [sequence]

3.4.2 ip access-group del


Remove a specific IP access-list identified by name from an interface.
Mode: Interface Range Mode
Privilege Level: Operator
Format: ip access-group del <P-1> <P-2> [sequence <P-3>]
[sequence]: Indicate the order
Parameter Value Meaning
P-1 string <name> ACL name.
P-2 in Inbound direction.
out Outbound direction.
P-3 1..4294967295 Sequence


no ip access-group del
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip access-group del <P-1> <P-2> [sequence]


3.5 show

Display device options and settings.

3.5.1 show access-list global


Display the next free index for both MAC and IPv4 based access-lists.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: show access-list global

3.5.2 show access-list mac


Display all information for a specific MAC based access-list.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: show access-list mac [<P-1> [<P-2>]]
Parameter Value Meaning
P-1 slot no./port no.
P-2 1..1023 Access-list rule index.

3.5.3 show access-list ip


Display all information for a specific IP based access-list.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: show access-list ip [<P-1> [<P-2>]]
Parameter Value Meaning
P-1 slot no./port no.
P-2 1..1023 Access-list rule index.


3.5.4 show access-list assignment ip


Display assignments of existing IP ACLs.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: show access-list assignment ip <P-1>
Parameter Value Meaning
P-1 1000..1099 Access-list index.

3.5.5 show access-list assignment mac


Display assignments of existing MAC ACLs.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: show access-list assignment mac <P-1>
Parameter Value Meaning
P-1 10000..10099 Access-list index.


4 Application Lists


4.1 appllists

Configure an application list.

4.1.1 appllists set-authlist


Set the authentication list reference to be used by the given application.
Mode: Global Config Mode
Privilege Level: Administrator
Format: appllists set-authlist <P-1> <P-2>
Parameter Value Meaning
P-1 string <application> Name of an application list.
P-2 string <authlist_name> Name of referenced authentication list.

4.1.2 appllists enable


Activate a login application list.
Mode: Global Config Mode
Privilege Level: Administrator
Format: appllists enable <P-1>
Parameter Value Meaning
P-1 string <application> Name of an application list.

4.1.3 appllists disable


Deactivate a login application list.
Mode: Global Config Mode
Privilege Level: Administrator
Format: appllists disable <P-1>
Parameter Value Meaning
P-1 string <application> Name of an application list.


4.2 show

Display device options and settings.

4.2.1 show appllists


Display ordered methods for application lists.
Mode: Command is available in all modes.
Privilege Level: Administrator
Format: show appllists


5 Authentication Lists


5.1 authlists

Configure an authentication list.

5.1.1 authlists add


Create a new login authentication list.
Mode: Global Config Mode
Privilege Level: Administrator
Format: authlists add <P-1>
Parameter Value Meaning
P-1 string <authlist_name> Name of an authentication list.

5.1.2 authlists delete


Delete an existing login authentication list.
Mode: Global Config Mode
Privilege Level: Administrator
Format: authlists delete <P-1>
Parameter Value Meaning
P-1 string <authlist_name> Name of an authentication list.

5.1.3 authlists set-policy


Set the policies of a login authentication list.
Mode: Global Config Mode
Privilege Level: Administrator
Format: authlists set-policy <P-1> <P-2> [<P-3> [<P-4> [<P-5> [<P-6>]]]]
Parameter Value Meaning
P-1 string <authlist_name> Name of an authentication list.

P-2 reject Authentication is rejected / not allowed
local Authentication by local user DB
radius Authentication by RADIUS server
ias Authentication by IAS server
cam Authentication by CAM server
ldap Authentication by remote server
P-3 reject Authentication is rejected / not allowed
local Authentication by local user DB
radius Authentication by RADIUS server
ias Authentication by IAS server
cam Authentication by CAM server
ldap Authentication by remote server
P-4 reject Authentication is rejected / not allowed
local Authentication by local user DB
radius Authentication by RADIUS server
ias Authentication by IAS server
cam Authentication by CAM server
ldap Authentication by remote server
P-5 reject Authentication is rejected / not allowed
local Authentication by local user DB
radius Authentication by RADIUS server
ias Authentication by IAS server
cam Authentication by CAM server
ldap Authentication by remote server
P-6 reject Authentication is rejected / not allowed
local Authentication by local user DB
radius Authentication by RADIUS server
ias Authentication by IAS server
cam Authentication by CAM server
ldap Authentication by remote server

5.1.4 authlists enable


Activate a login authentication list.
Mode: Global Config Mode
Privilege Level: Administrator
Format: authlists enable <P-1>
Parameter Value Meaning
P-1 string <authlist_name> Name of an authentication list.


5.1.5 authlists disable


Deactivate a login authentication list.
Mode: Global Config Mode
Privilege Level: Administrator
Format: authlists disable <P-1>
Parameter Value Meaning
P-1 string <authlist_name> Name of an authentication list.


5.2 show

Display device options and settings.

5.2.1 show authlists


Display ordered methods for authentication lists.
Mode: Command is available in all modes.
Privilege Level: Administrator
Format: show authlists


6 Auto Disable


6.1 auto-disable

Configure the Auto Disable condition settings.

6.1.1 auto-disable reason


Enable or disable port recovery by reason on this device.
Mode: Global Config Mode
Privilege Level: Operator
Format: auto-disable reason <P-1>
Parameter Value Meaning
P-1 link-flap Enable/disable link-flap.
crc-error Enable/disable crc-error.
duplex-mismatch Enable/disable duplex-mismatch.
dhcp-snooping Enable/disable dhcp-snooping.
arp-rate Enable/disable arp-rate.
bpdu-rate Enable/disable bpdu-rate.
port-security Enable/disable MAC based port security.
overload-detection Enable/disable overload-detection.
speed-duplex Enable/disable link speed and duplex monitor.

no auto-disable reason
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no auto-disable reason <P-1>


6.2 auto-disable

Configure the Auto Disable condition settings.

6.2.1 auto-disable timer


Time in seconds after which a deactivated port is activated again. Possible values are: 30-4294967295. A value of 0 disables the timer.
Mode: Interface Range Mode
Privilege Level: Operator
Format: auto-disable timer <P-1>
Parameter Value Meaning
P-1 xxx_30..4294967295 Timer value in seconds.

6.2.2 auto-disable reset


Reset the specific interface and reactivate the port.
Mode: Interface Range Mode
Privilege Level: Operator
Format: auto-disable reset [<P-1>]
Parameter Value Meaning
P-1 port Press Enter to execute the command.

no auto-disable reset
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no auto-disable reset [<P-1>]


6.3 show

Display device options and settings.

6.3.1 show auto-disable brief


Display Auto Disable summary by interface.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: show auto-disable brief

6.3.2 show auto-disable reasons


Display summary of Auto Disable error reasons.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: show auto-disable reasons


7 Cabletest


7.1 cable-test

7.1.1 cable-test
Select the port on which to perform the cable test.
Mode: Privileged Exec Mode
Privilege Level: Operator
Format: cable-test <P-1>
Parameter Value Meaning
P-1 slot no./port no.


8 Class Of Service


8.1 classofservice

Class of service configuration.

8.1.1 classofservice ip-dscp-mapping


ip-dscp-mapping configuration
Mode: Global Config Mode
Privilege Level: Operator
Format: classofservice ip-dscp-mapping <P-1> <P-2> <P-3>


Parameter Value Meaning
P-1 af11
af12
af13
af21
af22
af23
af31
af32
af33
af41
af42
af43
be
cs0
cs1
cs2
cs3
cs4
cs5
cs6
cs7
ef
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

P-2 0..7 Enter the Traffic Class value.
P-3 0..3 Enter the Traffic Class value.

8.1.2 classofservice dot1p-mapping


Enter a VLAN priority and the traffic class it should be mapped to.
Mode: Global Config Mode
Privilege Level: Operator
Format: classofservice dot1p-mapping <P-1> <P-2> <P-3>
Parameter Value Meaning
P-1 0..7 Enter the 802.1p priority.
P-2 0..7 Enter the Traffic Class value.
P-3 0..3 Enter a number in the given range.


8.2 classofservice

Interface classofservice configuration.

8.2.1 classofservice trust


trust configuration
Mode: Interface Range Mode
Privilege Level: Operator
Format: classofservice trust <P-1>
Parameter Value Meaning
P-1 untrusted Sets the class of service trust mode to untrusted
dot1p Sets the class of service trust mode to dot1p.
ip-dscp Sets the class of service trust mode to IP DSCP.


8.3 cos-queue

COS queue configuration

8.3.1 cos-queue strict


strict priority scheduler (default)
Mode: Global Config Mode
Privilege Level: Operator
Format: cos-queue strict <P-1> <P-2>
Parameter Value Meaning
P-1 0..7 Enter a Queue Id from 0 to 7.
P-2 0..3 Enter a number in the given range.

8.3.2 cos-queue weighted


weighted scheduler
Mode: Global Config Mode
Privilege Level: Operator
Format: cos-queue weighted <P-1> <P-2>
Parameter Value Meaning
P-1 0..7 Enter a Queue Id from 0 to 7.
P-2 0..3 Enter a number in the given range.

8.3.3 cos-queue max-bandwidth


Maximum/shaped bandwidth for the queues
Mode: Global Config Mode
Privilege Level: Operator
Format: cos-queue max-bandwidth <P-1> <P-2> <P-3>


Parameter Value Meaning
P-1 0..3 Enter a number in the given range.
P-2 0..7 Enter a Queue Id from 0 to 7.
P-3 0..100 Enter a number in the given range.

8.3.4 cos-queue min-bandwidth


Minimum/guaranteed bandwidth for the queues when in weighted mode
Mode: Global Config Mode
Privilege Level: Operator
Format: cos-queue min-bandwidth <P-1> <P-2> <P-3>
Parameter Value Meaning
P-1 0..3 Enter a number in the given range.
P-2 0..7 Enter a Queue Id from 0 to 7.
P-3 0..100 Enter a number in the given range.


8.4 show

Display device options and settings.

8.4.1 show classofservice ip-dscp-mapping


Show ip-dscp-mapping configuration.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: show classofservice ip-dscp-mapping

8.4.2 show classofservice dot1p-mapping


Display a table containing the VLAN priority to traffic class mappings.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: show classofservice dot1p-mapping

8.4.3 show classofservice trust


Show a table containing the trust mode of all interfaces.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: show classofservice trust


8.4.4 show cos-queue


Show cos-queue parameters.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: show cos-queue


9 Command Line Interface (CLI)


9.1 cli

Set the CLI preferences.

9.1.1 cli serial-timeout


Set the login timeout for the serial line connection to the CLI. Setting to 0 will disable the timeout. The value is active after the next login.
Mode: Privileged Exec Mode
Privilege Level: Operator
Format: cli serial-timeout <P-1>
Parameter Value Meaning
P-1 0..160 Enter a number in the given range. Setting to 0 will disable the timeout.

9.1.2 cli prompt


Change the system prompt. The following wildcards are allowed: %d date, %t time, %i IP address, %m MAC address, %p product name.
Mode: Privileged Exec Mode
Privilege Level: Operator
Format: cli prompt <P-1>
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 128 characters. The following wildcards are allowed: %d date, %t time, %i IP address, %m MAC address, %p product name.


9.1.3 cli numlines


Screen size for 'more' (23 = default). Entering 0 disables the feature. The value is only valid for the current session.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: cli numlines <P-1>
Parameter Value Meaning
P-1 0..250 Screen size for 'more' (23 = default). Entering 0 disables the feature. The value is only valid for the current session.

9.1.4 cli banner operation


Enable or disable the CLI login banner.
Mode: Privileged Exec Mode
Privilege Level: Administrator
Format: cli banner operation

no cli banner operation

Disable the option
Mode: Privileged Exec Mode
Privilege Level: Administrator
Format: no cli banner operation

9.1.5 cli banner text


Set the text for the CLI login banner (C printf format syntax allowed: \\n \\t).
Mode: Privileged Exec Mode
Privilege Level: Administrator
Format: cli banner text <P-1>
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 1024 characters (allowed characters are from ASCII 32 to 127).


9.2 show

Display device options and settings.

9.2.1 show cli global


Display CLI preferences.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: show cli global

9.2.2 show cli command-tree


Show a list of all commands.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: show cli command-tree


9.3 logging

Logging configuration.

9.3.1 logging cli-command


Enable or disable the CLI command logging.
Mode: Global Config Mode
Privilege Level: Administrator
Format: logging cli-command

no logging cli-command
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no logging cli-command


9.4 show

Display device options and settings.

9.4.1 show logging cli-command


Show the CLI command logging preferences.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: show logging cli-command


10 Clock


10.1 clock

Configure local and DST clock settings.

10.1.1 clock set


Edit current local time.
Mode: Global Config Mode
Privilege Level: Administrator
Format: clock set <P-1> <P-2>
Parameter Value Meaning
P-1 YYYY-MM-DD Local date (range: 2004-01-01 - 2037-12-31).
P-2 HH:MM:SS Local time.

10.1.2 clock timezone offset


Local time offset (in minutes) with respect to UTC (positive values for locations east of Greenwich).
Mode: Global Config Mode
Privilege Level: Administrator
Format: clock timezone offset <P-1>
Parameter Value Meaning
P-1 -780..840 Edit the timezone offset (in minutes).

10.1.3 clock timezone zone


Edit the timezone acronym (max. 4 characters).
Mode: Global Config Mode
Privilege Level: Administrator
Format: clock timezone zone <P-1>
Parameter Value Meaning
P-1 string Edit the timezone acronym (max 4 characters).


10.1.4 clock summer-time mode


Configure summer-time mode parameters.
Mode: Global Config Mode
Privilege Level: Administrator
Format: clock summer-time mode <P-1>
Parameter Value Meaning
P-1 disable Disable recurring summer-time mode.
recurring Enable recurring summer-time mode.
eu Enable recurring summer-time used in most parts of the European Union.
usa Enable recurring summer-time used in most parts of the USA.

10.1.5 clock summer-time recurring start


Edit the starting date and time for daylight saving time.
Mode: Global Config Mode
Privilege Level: Administrator
Format: clock summer-time recurring start <P-1> <P-2> <P-3> <P-4>
Parameter Value Meaning
P-1 none
first
second
third
fourth
last
P-2 none
sun Sunday
mon Monday
tue Tuesday
wed Wednesday
thu Thursday
fri Friday
sat Saturday
P-3 none
jan January
feb February
mar March
apr April
may May
jun June
jul July
aug August
sep September
oct October
nov November
dec December
P-4 string <hh:mm> Present time in hh:mm format (00:00-23:59).


10.1.6 clock summer-time recurring end


Edit the ending date and time for daylight saving time.
Mode: Global Config Mode
Privilege Level: Administrator
Format: clock summer-time recurring end <P-1> <P-2> <P-3> <P-4>
Parameter Value Meaning
P-1 none
first
second
third
fourth
last
P-2 none
sun Sunday
mon Monday
tue Tuesday
wed Wednesday
thu Thursday
fri Friday
sat Saturday
P-3 none
jan January
feb February
mar March
apr April
may May
jun June
jul July
aug August
sep September
oct October
nov November
dec December
P-4 string <hh:mm> Present time in hh:mm format (00:00-23:59).

10.1.7 clock summer-time zone


Edit timezone acronym for summer-time (max. 4 characters).
Mode: Global Config Mode
Privilege Level: Administrator
Format: clock summer-time zone <P-1>
Parameter Value Meaning
P-1 string Edit the timezone acronym (max 4 characters).


10.2 show

Display device options and settings.

10.2.1 show clock


Display the current time information.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: show clock [summer-time]
[summer-time]: Display summer-time parameters.


11 Configuration


11.1 save

Save the configuration to the specified destination.

11.1.1 save profile


Save the configuration to the specified profile.
Mode: All Privileged Modes
Privilege Level: Operator
Format: save profile <P-1>
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 32 characters.


11.2 config

Configure the configuration saving settings.

11.2.1 config watchdog admin-state


Enable or disable the configuration undo feature.
Mode: Global Config Mode
Privilege Level: Operator
Format: config watchdog admin-state

no config watchdog admin-state

Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no config watchdog admin-state

11.2.2 config watchdog timeout


Configure the configuration undo timeout (unit: seconds).
Mode: Global Config Mode
Privilege Level: Operator
Format: config watchdog timeout <P-1>
Parameter Value Meaning
P-1 30..600 Enter a number in the given range.


11.2.3 config encryption password set


Set the configuration file password.
Mode: Global Config Mode
Privilege Level: Administrator
Format: config encryption password set [<P-1>] [<P-2>]
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 64 characters.
P-2 string Enter a user-defined text, max. 64 characters.

11.2.4 config encryption password clear


Clear the configuration file password.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: config encryption password clear [<P-1>]
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 64 characters.

11.2.5 config envm choose-active


Choose the active external non-volatile memory for copying firmware, logs, certificates etc. This does
not affect loading and saving of the configuration.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: config envm choose-active <P-1>
Parameter Value Meaning
P-1 sd SD-Card
usb USB Storage Device


11.2.6 config envm log-device


Choose the active external non-volatile memory for persistent log files.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: config envm log-device <P-1>
Parameter Value Meaning
P-1 sd SD-Card
usb USB Storage Device

11.2.7 config envm auto-update


Allow automatic firmware updates with this memory device.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: config envm auto-update <P-1>
Parameter Value Meaning
P-1 sd SD-Card
usb USB Storage Device

 no config envm auto-update


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no config envm auto-update <P-1>

11.2.8 config envm sshkey-auto-update


Allow automatic ssh key updates with this memory device.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: config envm sshkey-auto-update <P-1>
Parameter Value Meaning
P-1 sd SD-Card
usb USB Storage Device


 no config envm sshkey-auto-update


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no config envm sshkey-auto-update <P-1>

11.2.9 config envm config-save


Allow the configuration to be saved to this memory device.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: config envm config-save <P-1>
Parameter Value Meaning
P-1 sd SD-Card
usb USB Storage Device

 no config envm config-save


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no config envm config-save <P-1>

11.2.10 config envm load-priority


Configure the order of configuration load attempts from memory devices at boot time. If one load is
successful, then the device discards further attempts.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: config envm load-priority <P-1> <P-2>
Parameter Value Meaning
P-1 sd SD-Card
usb USB Storage Device
P-2 disable Config will not be loaded at all
first Config will be loaded first. If successful, no other config will be tried.
second Config will be loaded if first one does not succeed.


11.2.11 config profile select


Select a configuration profile to be the active configuration.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: config profile select <P-1> <P-2>
Parameter Value Meaning
P-1 nvm You can only select nvm for this command.
P-2 1..20 Index of the profile entry.

11.2.12 config profile delete


Delete a specific configuration profile.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: config profile delete <P-1> num <P-2> profile <P-3>
num: Select the index of a profile to delete.
profile: Select the name of a profile to delete.
Parameter Value Meaning
P-1 nvm non-volatile memory
envm external non-volatile memory device
P-2 1..20 Index of the profile entry.
P-3 string Enter a user-defined text, max. 32 characters.

11.2.13 config fingerprint verify


Verify the fingerprint of the selected profile.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: config fingerprint verify <P-1> profile <P-2> <P-3> num <P-4> <P-5>
profile: Select the name of a profile to be verified.
num: Select the index number of a profile to be verified.
Parameter Value Meaning
P-1 nvm non-volatile memory
envm external non-volatile memory device
P-2 string Enter a user-defined text, max. 32 characters.
P-3 string Enter hash as 40 hexadecimal characters.
P-4 1..20 Index of the profile entry.
P-5 string Enter hash as 40 hexadecimal characters.


11.3 copy

Copy different kinds of items.

11.3.1 copy sysinfo system envm


Copy the system information to external non-volatile memory.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy sysinfo system envm [filename <P-1>]
[filename]: Enter the filename (format xyz.html) to be saved in external non-volatile memory.
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 32 characters.

11.3.2 copy sysinfoall system envm


Copy the system information and the event log from the device to external non-volatile memory.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy sysinfoall system envm

11.3.3 copy firmware envm


Copy a firmware image to the device from external non-volatile memory.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: copy firmware envm <P-1> system
system: Copy a firmware image to the device from external non-volatile memory.
Parameter Value Meaning
P-1 string Filename.


11.3.4 copy firmware remote


Copy a firmware image to the device from a server.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: copy firmware remote <P-1> system
system: Copy a firmware image to the device from a file server.
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 128 characters.

11.3.5 copy config running-config nvm


Copy the running-config to non-volatile memory.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy config running-config nvm [profile <P-1>]
[profile]: Save the configuration as a specific profile name.
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 32 characters.

11.3.6 copy config running-config remote


Copy the running-config to a file server.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: copy config running-config remote <P-1>
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 128 characters.


11.3.7 copy config nvm


Load a configuration from non-volatile memory to the running-config.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: copy config nvm [profile <P-1>] running-config remote <P-2>
[profile]: Load a configuration from a specific profile name.
running-config: (Re)-load a configuration from non-volatile memory to the running-config.
remote: Copy a configuration from non-volatile memory to a server.
Parameter Value Meaning
P-1 string Filename.
P-2 string Enter a user-defined text, max. 128 characters.

11.3.8 copy config envm


Copy a configuration from external non-volatile memory to non-volatile memory.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: copy config envm [profile <P-1>] nvm
[profile]: Copy a specific configuration profile from external non-volatile memory to non-volatile
memory.
nvm: Copy a specific profile from external non-volatile memory to non-volatile memory.
Parameter Value Meaning
P-1 string Filename.

11.3.9 copy config remote


Copy a configuration file to the device from a server.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: copy config remote <P-1> nvm [profile <P-2>] running-config
nvm: Copy a configuration file from a server to non-volatile memory.
[profile]: Copy a configuration from a server to a specific profile in non-volatile memory.
running-config: Copy a configuration file from a server to the running-config.
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 128 characters.
P-2 string Enter a user-defined text, max. 32 characters.


11.3.10 copy sfp-white-list remote


Copy the SFP WhiteList from server to the device.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy sfp-white-list remote <P-1> nvm
nvm: Copy the SFP WhiteList from server to the device.
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 128 characters.

11.3.11 copy sfp-white-list envm


Copy the SFP WhiteList from external non-volatile memory.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy sfp-white-list envm <P-1> nvm
nvm: Copy the SFP WhiteList from external non-volatile memory to the device.
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 128 characters.


11.4 clear

Clear several items.

11.4.1 clear config


Clear the running configuration.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: clear config

11.4.2 clear factory


Set the device back to the factory settings (use with care).
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: clear factory [erase-all]
[erase-all]: Set to factory settings and also erase file systems (use with extreme care).

11.4.3 clear sfp-white-list


Clear the SFP WhiteList.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear sfp-white-list


11.5 show

Display device options and settings.

11.5.1 show running-config xml


Show the currently running configuration (XML file).
 Mode: Command is in all modes available.
 Privilege Level: Administrator
 Format: show running-config xml

11.5.2 show running-config script


Show the currently running configuration (CLI script).
 Mode: Command is in all modes available.
 Privilege Level: Administrator
 Format: show running-config script [all]
[all]: Show the currently running configuration (CLI script).


11.6 show

Display device options and settings.

11.6.1 show config envm settings


Show the settings of the external non-volatile memory.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show config envm settings

11.6.2 show config envm properties


Show the properties of the external non-volatile memory.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show config envm properties

11.6.3 show config envm active


Show the active external non-volatile memory.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show config envm active


11.6.4 show config watchdog


Show the Auto Configuration Undo settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show config watchdog

11.6.5 show config encryption


Show the settings for config encryption.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show config encryption

11.6.6 show config profiles


Show the configuration profiles.
 Mode: Command is in all modes available.
 Privilege Level: Administrator
 Format: show config profiles <P-1> [<P-2>]
Parameter Value Meaning
P-1 nvm non-volatile memory
envm external non-volatile memory device
P-2 1..20 Index of the profile entry.

11.6.7 show config status


Show the sync status of the running-config with non-volatile memory and ACA.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show config status


11.7 swap

Swap software images.

11.7.1 swap firmware system backup


Swap the main and backup images.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: swap firmware system backup


12 Dynamic ARP Inspection


12.1 ip

Set IP parameters.

12.1.1 ip arp-inspection verify src-mac


If enabled, the device verifies the source MAC address in the Ethernet frame against the sender MAC
address in the body of an ARP request/response packet. If disabled, the device does not perform this
additional security check.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip arp-inspection verify src-mac

 no ip arp-inspection verify src-mac


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ip arp-inspection verify src-mac

12.1.2 ip arp-inspection verify dst-mac


If enabled, the device verifies the destination MAC address in the (unicast) Ethernet frame against the
MAC address in the body of an ARP response packet. If disabled, the device does not perform this
additional security check.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip arp-inspection verify dst-mac

 no ip arp-inspection verify dst-mac


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ip arp-inspection verify dst-mac


12.1.3 ip arp-inspection verify ip


If enabled, the device validates that the sender protocol address (always) and the target protocol
address (in responses) in the ARP packet body are public unicast IP addresses. Such addresses exclude
0.0.0.0, multicast/broadcast addresses, reserved addresses and loopback addresses. If disabled, the
device does not perform this additional security check.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip arp-inspection verify ip

 no ip arp-inspection verify ip
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ip arp-inspection verify ip

12.1.4 ip arp-inspection access-list add


This command creates a new ARP ACL (and optionally activates it).
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip arp-inspection access-list add <P-1> [<P-2>]
Parameter Value Meaning
P-1 string <acl-name> Name of ACL.
P-2 active Activate the option.
inactive Inactivate the option.

12.1.5 ip arp-inspection access-list delete


This command deletes an ARP ACL (and all rules associated with it).
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip arp-inspection access-list delete <P-1>
Parameter Value Meaning
P-1 string <acl-name> Name of ACL.


12.1.6 ip arp-inspection access-list mode


This command activates or deactivates an ARP ACL.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip arp-inspection access-list mode <P-1> <P-2>
Parameter Value Meaning
P-1 string <acl-name> Name of ACL.
P-2 active Activate the option.
inactive Inactivate the option.

12.1.7 ip arp-inspection access-list rule add


This command creates a new ARP ACL rule, associated with an ACL name and a MAC/IP address.
Note that the number of active ACL rules in an ACL is limited to 20.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip arp-inspection access-list rule add <P-1> <P-2> <P-3> [<P-4>]
Parameter Value Meaning
P-1 string <acl-name> Name of ACL.
P-2 aa:bb:cc:dd:ee:ff MAC address.
P-3 a.b.c.d IP address.
P-4 active Activate the option.
inactive Inactivate the option.

12.1.8 ip arp-inspection access-list rule delete


This command deletes an ARP ACL rule, associated with an ACL name and MAC/IP address.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip arp-inspection access-list rule delete <P-1> <P-2> <P-3>
Parameter Value Meaning
P-1 string <acl-name> Name of ACL.
P-2 aa:bb:cc:dd:ee:ff MAC address.
P-3 A.B.C.D IP address.


12.1.9 ip arp-inspection access-list rule mode


This command activates or deactivates a configured ARP ACL rule, associated with an ACL name and
MAC/IP address.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip arp-inspection access-list rule mode <P-1> <P-2> <P-3> <P-4>
Parameter Value Meaning
P-1 string <acl-name> Name of ACL.
P-2 aa:bb:cc:dd:ee:ff MAC address.
P-3 A.B.C.D IP address.
P-4 active Activate the option.
inactive Inactivate the option.


12.2 clear

Clear several items.

12.2.1 clear ip arp-inspection statistics


This command clears the Dynamic ARP Inspection (DAI) statistics on all VLANs.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear ip arp-inspection statistics


12.3 ip

IP commands.

12.3.1 ip arp-inspection mode


Enables or disables Dynamic ARP Inspection (DAI) on a VLAN.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: ip arp-inspection mode <P-1>
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.

 no ip arp-inspection mode
Disable the option
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: no ip arp-inspection mode <P-1>

12.3.2 ip arp-inspection log


Enables or disables DAI logging on a VLAN.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: ip arp-inspection log <P-1>
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.

 no ip arp-inspection log
Disable the option
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: no ip arp-inspection log <P-1>


12.3.3 ip arp-inspection bind-check


Enables or disables the DAI binding-check on a VLAN. If enabled, an ARP frame received on an
untrusted port (in a DAI enabled VLAN) is checked. This test starts when an ARP ACL exists but the
condition does not match in the rule table and the ACL strict flag is not set, or when the ARP ACL
does not exist.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: ip arp-inspection bind-check <P-1>
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.

 no ip arp-inspection bind-check
Disable the option
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: no ip arp-inspection bind-check <P-1>

12.3.4 ip arp-inspection access-list strict


Enables or disables the strict DAI ACL check on a VLAN. If an ARP ACL is defined for the VLAN and
there is no match for the received ARP packet, then (if this option is enabled) the packet is dropped
without consulting the DHCP Snooping bindings database.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: ip arp-inspection access-list strict <P-1>
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.

 no ip arp-inspection access-list strict


Disable the option
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: no ip arp-inspection access-list strict <P-1>


12.3.5 ip arp-inspection access-list assign


Configure or unconfigure the ARP ACL used to filter ARP packets on a VLAN. If the ARP ACL name is
omitted, then no ACL is assigned to this VLAN. If the ARP ACL name does not exist in the ACL table,
then it depends on the DHCP Snooping bindings database and/or its configured usage whether an ARP
packet is forwarded or dropped.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: ip arp-inspection access-list assign <P-1> [<P-2>]
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.
P-2 string <acl-name> Name of ACL.


12.4 ip

IP interface commands.

12.4.1 ip arp-inspection trust


This command configures an interface as trusted or untrusted. Dynamic ARP Inspection (DAI) forwards
valid ARP packets on trusted interfaces without inspection. On untrusted interfaces, ARP packets are
subject to ARP inspection.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip arp-inspection trust

 no ip arp-inspection trust
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no ip arp-inspection trust
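
The decision flow that sections 12.1.1 to 12.1.3, 12.3.3 to 12.3.5 and 12.4.1 describe, modelled in Python as an added example (not Hirschmann code). The order of the checks, matching ACL rules and bindings on the ARP sender MAC/IP pair, comparing the destination MAC with the ARP target MAC, forwarding when neither an ACL nor the bind-check applies, and all addresses are assumptions or constructed sample values.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class ArpFrame:
    eth_src: str      # source MAC of the Ethernet frame
    eth_dst: str      # destination MAC of the Ethernet frame
    is_reply: bool    # True = ARP response, False = ARP request
    sender_mac: str   # sender MAC in the ARP body
    sender_ip: str    # sender protocol address in the ARP body
    target_mac: str   # target MAC in the ARP body
    target_ip: str    # target protocol address in the ARP body


@dataclass(frozen=True)
class Policy:
    verify_src_mac: bool = False   # ip arp-inspection verify src-mac
    verify_dst_mac: bool = False   # ip arp-inspection verify dst-mac
    verify_ip: bool = False        # ip arp-inspection verify ip
    dai_enabled: bool = True       # ip arp-inspection mode <vlan>
    bind_check: bool = True        # ip arp-inspection bind-check <vlan>
    acl_strict: bool = False       # ip arp-inspection access-list strict <vlan>
    # Active (mac, ip) rules of the ARP ACL assigned to the VLAN; None = no ACL.
    acl_rules: Optional[FrozenSet[Tuple[str, str]]] = None


def valid_unicast(ip: str) -> bool:
    """False for 0.0.0.0, multicast, reserved (covers 255.255.255.255), loopback."""
    addr = IPv4Address(ip)
    return not (addr.is_unspecified or addr.is_multicast
                or addr.is_reserved or addr.is_loopback)


def inspect(frame, policy, trusted_port, bindings):
    """Return (verdict, reason) for one ARP frame on one port of one VLAN."""
    if trusted_port or not policy.dai_enabled:
        return ("forward", "not inspected")
    if policy.verify_src_mac and frame.eth_src.lower() != frame.sender_mac.lower():
        return ("drop", "src-mac mismatch")
    # Assumption: "the MAC address in an ARP response" is the ARP target MAC.
    if (policy.verify_dst_mac and frame.is_reply
            and frame.eth_dst.lower() != frame.target_mac.lower()):
        return ("drop", "dst-mac mismatch")
    if policy.verify_ip:
        checked = [frame.sender_ip] + ([frame.target_ip] if frame.is_reply else [])
        if not all(valid_unicast(ip) for ip in checked):
            return ("drop", "invalid ip")
    # Assumption: ACL rules and bindings are matched on the ARP sender pair.
    sender = (frame.sender_mac.lower(), frame.sender_ip)
    if policy.acl_rules is not None:
        if sender in policy.acl_rules:
            return ("forward", "acl match")
        if policy.acl_strict:
            return ("drop", "acl strict, no match")  # bindings are not consulted
    if policy.bind_check:
        if sender in bindings:
            return ("forward", "binding match")
        return ("drop", "no binding")
    return ("forward", "no check configured")  # assumption, not stated in the manual


# Constructed sample values (locally administered MACs, private addresses).
GATEWAY_IP = "10.0.10.1"
PLC = ("02:00:00:00:00:10", "10.0.10.10")   # static host, listed in the ARP ACL
HMI = ("02:00:00:00:00:20", "10.0.10.20")   # DHCP client, present in the bindings
ROGUE_MAC = "02:00:00:00:00:66"             # host with neither ACL rule nor binding


def request(mac, ip, eth_src=None):
    """Build a broadcast ARP request asking for the gateway address."""
    return ArpFrame(eth_src or mac, "ff:ff:ff:ff:ff:ff", False,
                    mac, ip, "00:00:00:00:00:00", GATEWAY_IP)


def run_cases():
    """Evaluate the sample frames under a non-strict and a strict policy."""
    bindings = {HMI}
    base = Policy(verify_src_mac=True, verify_ip=True, acl_rules=frozenset({PLC}))
    strict = replace(base, acl_strict=True)
    spoof = request(ROGUE_MAC, GATEWAY_IP)   # claims the gateway's IP address
    return {
        "plc_static": inspect(request(*PLC), base, False, bindings),
        "hmi_dhcp": inspect(request(*HMI), base, False, bindings),
        "hmi_dhcp_strict": inspect(request(*HMI), strict, False, bindings),
        "spoofed_gateway": inspect(spoof, base, False, bindings),
        "spoof_on_trusted_port": inspect(spoof, base, True, bindings),
        "src_mac_mismatch": inspect(request(*HMI, eth_src=ROGUE_MAC), base, False, bindings),
        "zero_sender_ip": inspect(request(HMI[0], "0.0.0.0"), base, False, bindings),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in run_cases().items():
        print(f"{name:24} {verdict:8} {reason}")
```

The `hmi_dhcp_strict` and `spoof_on_trusted_port` cases show the two settings that change the outcome most: strict mode drops a host that has a valid binding but no ACL rule, and a trusted port forwards the frame that inspection would have dropped.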

12.4.2 ip arp-inspection auto-disable


Enables or disables the auto-disable feature for an interface, applicable when the ARP packet rate
exceeds the limit.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip arp-inspection auto-disable

 no ip arp-inspection auto-disable
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no ip arp-inspection auto-disable


12.4.3 ip arp-inspection limit


This command configures an interface for a maximum ARP packet rate in a burst interval, or disables
it. If the rate of ARP packets exceeds this limit in consecutive intervals, then all further packets are
dropped. If that happens and the auto-disable feature is also enabled, then the port is disabled
automatically.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip arp-inspection limit <P-1> [<P-2>]
Parameter Value Meaning
P-1 -1..300 Specifies the rate limit value (in packets per second, pps) for
Dynamic ARP Inspection (DAI) purposes. The value -1 switches
rate limiting off.
P-2 1..15 Specifies the burst interval value for Dynamic ARP Inspection
(DAI) purposes. Because this parameter is optional, it is left
unchanged if omitted.


12.5 show

Display device options and settings.

12.5.1 show ip arp-inspection global


This command displays the global Dynamic ARP Inspection (DAI) configuration.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip arp-inspection global

12.5.2 show ip arp-inspection statistics dropped


This command lists statistics for ARP packets dropped by Dynamic ARP Inspection (DAI).
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip arp-inspection statistics dropped

12.5.3 show ip arp-inspection statistics forwarded


This command lists statistics for ARP packets forwarded by Dynamic ARP Inspection (DAI).
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip arp-inspection statistics forwarded


12.5.4 show ip arp-inspection access-list names


This command displays a list of all existing ARP ACLs.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip arp-inspection access-list names

12.5.5 show ip arp-inspection access-list rules


This command displays all ACL rules of a dedicated ARP ACL.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip arp-inspection access-list rules <P-1>
Parameter Value Meaning
P-1 string <acl-name> Name of ACL.

12.5.6 show ip arp-inspection interfaces


This command shows the Dynamic ARP Inspection (DAI) status of all interfaces.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip arp-inspection interfaces

12.5.7 show ip arp-inspection vlan


This command displays the VLAN based Dynamic ARP Inspection (DAI) status.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip arp-inspection vlan


13 Debugging


13.1 debug

Different tools to assist in debugging the device.

13.1.1 debug tcpdump help


Display help file for the tcpdump tool.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: debug tcpdump help

13.1.2 debug tcpdump start cpu


Start capture with default values.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: debug tcpdump start cpu [filter <P-1>] [parms <P-2>]
[filter]: Start capture with values from a filter file.
[parms]: Start capture with the tcpdump parameters (for details see tcpdump help).
Parameter Value Meaning
P-1 string <filename> Enter a valid filename.
P-2 string Enter a user-defined text, max. 255 characters.

13.1.3 debug tcpdump stop


Abort capture of network traffic.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: debug tcpdump stop


13.1.4 debug tcpdump filter show


Display a known filter file.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: debug tcpdump filter show <P-1>
Parameter Value Meaning
P-1 string <filename> Enter a valid filename.

13.1.5 debug tcpdump filter list


Display all available filter files.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: debug tcpdump filter list

13.1.6 debug tcpdump filter delete


Delete a known filter file.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: debug tcpdump filter delete <P-1>
Parameter Value Meaning
P-1 string <filename> Enter a valid filename.


13.2 show

Display device options and settings.

13.2.1 show debug logic-modules


List logic module information
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: show debug logic-modules


13.3 copy

Copy different kinds of items.

13.3.1 copy tcpdumpcap nvm envm


Copy the capture file from non-volatile memory to external non-volatile memory.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy tcpdumpcap nvm envm [<P-1>]
Parameter Value Meaning
P-1 string <filename> Enter a valid filename.

13.3.2 copy tcpdumpcap nvm remote


Copy the capture file from the device to a server.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy tcpdumpcap nvm remote <P-1>
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 128 characters.

13.3.3 copy tcpdumpfilter remote


Copy the filter file from a server to the specified destination.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy tcpdumpfilter remote <P-1> nvm <P-2>
nvm: Copy the filter file from a server to non-volatile memory.
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 128 characters.
P-2 string <filename> Enter a valid filename.

13.3.4 copy tcpdumpfilter envm


Copy the capture filter from external non-volatile memory to the specified destination.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy tcpdumpfilter envm <P-1> nvm [<P-2>]
nvm: Copy the capture filter from external non-volatile memory to non-volatile memory.
Parameter Value Meaning
P-1 string <filename> Enter a valid filename.
P-2 string <filename> Enter a valid filename.

13.3.5 copy tcpdumpfilter nvm


Copy the capture filter from non-volatile memory to the specified destination.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy tcpdumpfilter nvm <P-1> envm [<P-2>] remote <P-3>
envm: Copy the capture filter from non-volatile memory to external non-volatile memory.
remote: Copy the capture file from non-volatile memory to a server.
Parameter Value Meaning
P-1 string Filename.
P-2 string <filename> Enter a valid filename.
P-3 string Enter a user-defined text, max. 128 characters.


14 Device Monitoring


14.1 device-status

Configure various device conditions to be monitored.

14.1.1 device-status monitor link-failure


Enable or disable monitoring the state of the network connection(s).
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: device-status monitor link-failure

 no device-status monitor link-failure


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no device-status monitor link-failure

14.1.2 device-status monitor temperature


Enable or disable monitoring of the device temperature.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: device-status monitor temperature

 no device-status monitor temperature


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no device-status monitor temperature


14.1.3 device-status monitor module-removal


Enable or disable monitoring the presence of modules.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: device-status monitor module-removal

 no device-status monitor module-removal


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no device-status monitor module-removal

14.1.4 device-status monitor envm-removal


Enable or disable monitoring the presence of the external non-volatile memory.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: device-status monitor envm-removal

 no device-status monitor envm-removal


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no device-status monitor envm-removal

14.1.5 device-status monitor envm-not-in-sync


Enable or disable monitoring synchronization between the external non-volatile memory and the
running configuration.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: device-status monitor envm-not-in-sync


 no device-status monitor envm-not-in-sync


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no device-status monitor envm-not-in-sync

14.1.6 device-status monitor ring-redundancy


Enable or disable monitoring if ring-redundancy is present.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: device-status monitor ring-redundancy

 no device-status monitor ring-redundancy


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no device-status monitor ring-redundancy

14.1.7 device-status monitor power-supply


Enable or disable monitoring the condition of the power supply(s).
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: device-status monitor power-supply <P-1>
Parameter Value Meaning
P-1 1..2 Number of power supply.

 no device-status monitor power-supply


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no device-status monitor power-supply <P-1>


14.1.8 device-status trap


Configure the device to send a trap when the device status changes.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: device-status trap

 no device-status trap
Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no device-status trap

14.1.9 device-status module


Configure the monitoring of the specific module.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: device-status module <P-1>
Parameter Value Meaning
P-1 slot no./port no.

 no device-status module
Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no device-status module <P-1>


14.2 device-status

Configure various device conditions to be monitored.

14.2.1 device-status link-alarm


Configure the monitor settings of the port link.
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: device-status link-alarm

 no device-status link-alarm
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: no device-status link-alarm


14.3 show

Display device options and settings.

14.3.1 show device-status monitor


Display the device monitoring configurations.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show device-status monitor

14.3.2 show device-status state


Display the current state of the device.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show device-status state

14.3.3 show device-status trap


Display the device trap information and configurations.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show device-status trap


14.3.4 show device-status events


Display the device status events that have occurred.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show device-status events

14.3.5 show device-status link-alarm


Display the monitor configurations of the network ports.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show device-status link-alarm

14.3.6 show device-status module


Display the monitor configurations of the modules.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show device-status module

14.3.7 show device-status all


Display the configurable device status settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show device-status all


15 Device Security


15.1 security-status

Configure the security status settings.

15.1.1 security-status monitor pwd-change


Sets the monitoring of default password change for 'user' and 'admin'.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor pwd-change

 no security-status monitor pwd-change


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor pwd-change

15.1.2 security-status monitor pwd-min-length


Sets the monitoring of the minimum length of the password (smaller than 8).
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor pwd-min-length

 no security-status monitor pwd-min-length


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor pwd-min-length


15.1.3 security-status monitor pwd-policy-config


Sets the monitoring whether the minimum password policy is configured. The device changes the
security status to the value "error" if the value for at least one of the following password rules is 0:
"minimum upper cases", "minimum lower cases", "minimum numbers", "minimum special characters".
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor pwd-policy-config

 no security-status monitor pwd-policy-config


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor pwd-policy-config

15.1.4 security-status monitor pwd-str-not-config


Sets the monitoring whether the password minimum strength check is configured.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor pwd-str-not-config

 no security-status monitor pwd-str-not-config


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor pwd-str-not-config

15.1.5 security-status monitor pwd-policy-inactive


Sets the monitoring whether at least one user is configured with inactive policy check. The device
changes the security status to the value "error" if the function "policy check" is inactive for at least 1 user
account.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor pwd-policy-inactive


 no security-status monitor pwd-policy-inactive


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor pwd-policy-inactive

15.1.6 security-status monitor bypass-pwd-strength


Sets the monitoring whether at least one user is configured to bypass strength check.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor bypass-pwd-strength

 no security-status monitor bypass-pwd-strength


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor bypass-pwd-strength

15.1.7 security-status monitor telnet-enabled


Sets the monitoring of the activation of telnet on the switch.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor telnet-enabled

 no security-status monitor telnet-enabled


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor telnet-enabled


15.1.8 security-status monitor http-enabled


Sets the monitoring of the activation of http on the switch.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor http-enabled

 no security-status monitor http-enabled


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor http-enabled

15.1.9 security-status monitor snmp-unsecure


Sets the monitoring of SNMP security (SNMP v1/v2 is enabled or v3 encryption is disabled).
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor snmp-unsecure

 no security-status monitor snmp-unsecure


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor snmp-unsecure

15.1.10 security-status monitor sysmon-enabled


Sets the monitoring of the activation of System Monitor 1 on the switch.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor sysmon-enabled


 no security-status monitor sysmon-enabled


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor sysmon-enabled

15.1.11 security-status monitor extnvm-upd-enabled


Sets the monitoring of activation of the configuration saving to external non volatile memory.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor extnvm-upd-enabled

 no security-status monitor extnvm-upd-enabled


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor extnvm-upd-enabled

15.1.12 security-status monitor no-link-enabled


Sets the monitoring of no link detection.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor no-link-enabled

 no security-status monitor no-link-enabled


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor no-link-enabled


15.1.13 security-status monitor hidisc-write-enabled


Sets the monitoring of HiDiscovery write enabled.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor hidisc-write-enabled

 no security-status monitor hidisc-write-enabled


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor hidisc-write-enabled

15.1.14 security-status monitor extnvm-load-unsecure


Sets the monitoring of security of the configuration loading from extnvm.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor extnvm-load-unsecure

 no security-status monitor extnvm-load-unsecure


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor extnvm-load-unsecure

15.1.15 security-status monitor iec61850-mms-enabled


Sets the monitoring of the activation of IEC 61850 MMS on the switch.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor iec61850-mms-enabled


 no security-status monitor iec61850-mms-enabled


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor iec61850-mms-enabled

15.1.16 security-status monitor https-certificate


Sets the monitoring whether auto generated self-signed HTTPS certificate is in use.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor https-certificate

 no security-status monitor https-certificate


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor https-certificate

15.1.17 security-status monitor modbus-tcp-enabled


Sets the monitoring of the activation of Modbus/TCP server on the switch.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor modbus-tcp-enabled

 no security-status monitor modbus-tcp-enabled


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor modbus-tcp-enabled


15.1.18 security-status monitor ethernet-ip-enabled


Sets the monitoring of the activation of EtherNet/IP protocol on the switch.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor ethernet-ip-enabled

 no security-status monitor ethernet-ip-enabled


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor ethernet-ip-enabled

15.1.19 security-status monitor profinet-io-enabled


Sets the monitoring of the activation of PROFINET protocol on the switch.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status monitor profinet-io-enabled

 no security-status monitor profinet-io-enabled


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status monitor profinet-io-enabled

15.1.20 security-status trap


Configure if a trap is sent when the security status changes.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: security-status trap


 no security-status trap
Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no security-status trap


15.2 security-status

Configure the security status interface settings.

15.2.1 security-status no-link


Configure the monitoring of the specific ports.
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: security-status no-link

 no security-status no-link
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: no security-status no-link


15.3 show

Display device options and settings.

15.3.1 show security-status monitor


Display the security status monitoring settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show security-status monitor

15.3.2 show security-status state


Display the current security status.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show security-status state

15.3.3 show security-status no-link


Display the settings of the monitoring of the specific network ports.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show security-status no-link


15.3.4 show security-status trap


Display the security status trap information and settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show security-status trap

15.3.5 show security-status events


Display the security status events that have occurred.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show security-status events

15.3.6 show security-status all


Display all security status settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show security-status all


16 Dynamic Host Configuration Protocol (DHCP)


16.1 dhcp-server

Modify DHCP Server parameters.

16.1.1 dhcp-server operation


Enable or disable the DHCP server on this port.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dhcp-server operation

 no dhcp-server operation
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no dhcp-server operation


16.2 dhcp-server

Modify DHCP Server parameters.

16.2.1 dhcp-server operation


Enable or disable the DHCP server globally.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dhcp-server operation

 no dhcp-server operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dhcp-server operation

16.2.2 dhcp-server pool add


Add a pool
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dhcp-server pool add <P-1> dynamic <P-2> <P-3> static <P-4>
dynamic: Add a dynamic pool (one or more IPs).
static: Add a static pool (one IP).
Parameter Value Meaning
P-1 1..128 Pool ID.
P-2 A.B.C.D IP address.
P-3 A.B.C.D IP address.
P-4 A.B.C.D IP address.


16.2.3 dhcp-server pool modify


Modify the dynamic address pool
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dhcp-server pool modify <P-1> mode interface <P-2> mac <P-3> clientid
<P-4> remoteid <P-5> circuitid <P-6> relay <P-7> vlan <P-8> leasetime <P-9>
option configpath <P-10> gateway <P-11> netmask <P-12> wins <P-13> dns <P-14>
hostname <P-15> hirschmann-device
mode: Pool mode settings.
interface: Interface mode.
mac: MAC mode.
clientid: Clientid mode.
remoteid: Remoteid mode.
circuitid: Circuitid mode.
relay: Relay mode.
vlan: VLAN mode.
leasetime: Enter the leasetime in seconds.
option: Configuration option.
configpath: Configpath in 'tftp://<servername>/<file>' format.
gateway: Default gateway.
netmask: Option netmask.
wins: Option wins.
dns: Option dns.
hostname: Option hostname.
hirschmann-device: Set this pool to Hirschmann devices only.
Parameter Value Meaning
P-1 1..128 Pool ID.
P-2 slot no./port no.
P-3 none Remove MAC mode.
aa:bb:cc:dd:ee:ff MAC address.
P-4 none Remove ID mode.
xx:xx:...:xx Enter ID in hexadecimal format.
P-5 none Remove ID mode.
xx:xx:...:xx Enter ID in hexadecimal format.
P-6 none Remove ID mode.
xx:xx:...:xx Enter ID in hexadecimal format.
P-7 none Remove relay mode.
ipaddr Enter IP address of the relay.
P-8 -1..4042 VLAN ID. A value of -1 corresponds to management vlan (the default), any other value (1-4042) represents a specific VLAN
P-9 infinite Infinite leasetime.
seconds Leasetime in seconds.
P-10 tftp://s tftp://<servername>/<file> Configuration path; empty string ("") to clear value.
P-11 A.B.C.D IP address.
P-12 a.b.c.d IP subnet mask.
P-13 A.B.C.D IP address.
P-14 A.B.C.D IP address.
P-15 string Enter a user-defined text, max. 64 characters.


 no dhcp-server pool modify


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dhcp-server pool modify mode interface mac clientid remoteid
circuitid relay vlan leasetime option configpath gateway netmask wins
dns hostname hirschmann-device

16.2.4 dhcp-server pool mode


Pool enable.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dhcp-server pool mode <P-1>
Parameter Value Meaning
P-1 1..128 Pool ID.

 no dhcp-server pool mode


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dhcp-server pool mode <P-1>

16.2.5 dhcp-server pool delete


Pool delete.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dhcp-server pool delete <P-1>
Parameter Value Meaning
P-1 1..128 Pool ID.


16.3 show

Display device options and settings.

16.3.1 show dhcp-server operation


Display DHCP Server global information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dhcp-server operation

16.3.2 show dhcp-server pool


Show DHCP Server pool entries.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dhcp-server pool [<P-1>]
Parameter Value Meaning
P-1 1..128 Pool ID.

16.3.3 show dhcp-server interface


Show DHCP Server per interface.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dhcp-server interface [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.


16.3.4 show dhcp-server lease


Show DHCP Server lease entries.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dhcp-server lease


17 DHCP Layer 2 Relay


17.1 dhcp-l2relay

Configure DHCP Layer 2 Relay.

17.1.1 dhcp-l2relay mode


Enables or disables DHCP Layer 2 Relay globally.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dhcp-l2relay mode

 no dhcp-l2relay mode
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dhcp-l2relay mode


17.2 dhcp-l2relay

Group of commands that configure DHCP Layer 2 Relay on existing VLANs.

17.2.1 dhcp-l2relay mode


Enables or disables DHCP Layer 2 Relay on a VLAN.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: dhcp-l2relay mode <P-1>
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.

 no dhcp-l2relay mode
Disable the option
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: no dhcp-l2relay mode

17.2.2 dhcp-l2relay circuit-id


This command enables setting the Option-82 Circuit ID in DHCP messages to an interface descriptor.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: dhcp-l2relay circuit-id <P-1>
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.

 no dhcp-l2relay circuit-id
Disable the option
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: no dhcp-l2relay circuit-id <P-1>


17.2.3 dhcp-l2relay remote-id ip


This command sets the Option-82 Remote ID to the IP address of the device (if one is assigned; otherwise the command fails).
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: dhcp-l2relay remote-id ip <P-1>
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.

17.2.4 dhcp-l2relay remote-id mac


This command sets the Option-82 Remote ID to the MAC address of the device.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: dhcp-l2relay remote-id mac <P-1>
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.

17.2.5 dhcp-l2relay remote-id client-id


This command sets the Option-82 Remote ID to the system name (sysName) of the device.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: dhcp-l2relay remote-id client-id <P-1>
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.


17.2.6 dhcp-l2relay remote-id other


This command sets the Option-82 Remote ID manually. If it is omitted, then only the Circuit ID is
inserted into a relayed DHCP message.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: dhcp-l2relay remote-id other <P-1> [<P-2>]
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.
P-2 string <remote-id> Option 82 Remote ID
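
The Circuit ID and Remote ID configured in 17.2.2 to 17.2.6 travel in the DHCP Relay Agent Information option (Option 82; sub-option 1 is the Circuit ID and sub-option 2 the Remote ID per RFC 3046). The following Python parser is an added example, not code from this manual or from the device firmware; it extracts both sub-options from a DHCP options field so that relayed messages can be inspected. The sample bytes are constructed, and the function names are hypothetical; how the device encodes the values themselves is not stated here, so the parser only extracts and renders them.

```python
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82
SUBOPTION_NAMES = {1: "circuit-id", 2: "remote-id"}   # RFC 3046


class OptionError(ValueError):
    """Raised when the options field is malformed or truncated."""


def iter_tlv(data, pad=None, end=None):
    """Yield (code, value) pairs from a code/length/value byte string.

    pad and end are the single-byte codes without a length field; they
    only exist at the top level of the DHCP options, not inside Option 82.
    """
    i = 0
    while i < len(data):
        code = data[i]
        if code == pad:
            i += 1
            continue
        if code == end:
            return
        if i + 2 > len(data):
            raise OptionError(f"option {code}: missing length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise OptionError(f"option {code}: length {length} overruns buffer")
        yield code, value
        i += 2 + length


def parse_option82(options_field):
    """Return the Option 82 sub-options as a dict, or None if absent.

    options_field is the DHCP options area, starting at the magic cookie.
    """
    if options_field[:4] != DHCP_MAGIC_COOKIE:
        raise OptionError("missing DHCP magic cookie")
    for code, value in iter_tlv(options_field[4:], OPT_PAD, OPT_END):
        if code == OPT_RELAY_AGENT_INFO:
            result = {}
            for sub, subval in iter_tlv(value):
                result[SUBOPTION_NAMES.get(sub, f"sub-option-{sub}")] = subval
            return result
    return None


def render(value):
    """Hex always; the text form as well when the bytes are printable ASCII."""
    hex_form = ":".join(f"{b:02x}" for b in value)
    if value and all(0x20 <= b < 0x7F for b in value):
        return f"{hex_form} ({value.decode('ascii')!r})"
    return hex_form


def tlv(code, value):
    return bytes([code, len(value)]) + value


def sample_options(remote_id=None):
    """Constructed options field: DHCPDISCOVER plus a relay's Option 82."""
    sub = tlv(1, b"\x00\x04\x00\x0a\x01\x03")        # constructed Circuit ID
    if remote_id is not None:                        # Remote ID may be omitted
        sub += tlv(2, remote_id)
    return (DHCP_MAGIC_COOKIE + tlv(53, b"\x01") + bytes([OPT_PAD])
            + tlv(OPT_RELAY_AGENT_INFO, sub) + bytes([OPT_END]))


if __name__ == "__main__":
    for remote in (bytes.fromhex("020000000001"), b"sw1", None):
        found = parse_option82(sample_options(remote))
        print({name: render(val) for name, val in found.items()})
```
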


17.3 dhcp-l2relay

Configure DHCP Layer 2 Relay for an interface (list/range)

17.3.1 dhcp-l2relay mode


Enables or disables DHCP Layer 2 Relay on an interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dhcp-l2relay mode

 no dhcp-l2relay mode
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no dhcp-l2relay mode

17.3.2 dhcp-l2relay trust


This command configures an interface as trusted (typically connected to a DHCP server) or untrusted.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dhcp-l2relay trust

 no dhcp-l2relay trust
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no dhcp-l2relay trust


17.4 clear

Clear several items.

17.4.1 clear dhcp-l2relay statistics


This command clears the DHCP Layer 2 Relay statistics.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear dhcp-l2relay statistics


17.5 show

Display device options and settings.

17.5.1 show dhcp-l2relay global


This command displays the global DHCP Layer 2 Relay configuration.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dhcp-l2relay global

17.5.2 show dhcp-l2relay statistics


This command displays interface statistics specific to DHCP Layer 2 Relay.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dhcp-l2relay statistics

17.5.3 show dhcp-l2relay interfaces


This command displays the DHCP Layer 2 Relay status of all interfaces.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dhcp-l2relay interfaces


17.5.4 show dhcp-l2relay vlan


This command displays the VLAN based DHCP Layer 2 Relay status.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dhcp-l2relay vlan


18 DHCP Snooping


18.1 ip

Set IP parameters.

18.1.1 ip dhcp-snooping verify-mac


If enabled, the device verifies the source MAC address in the Ethernet packet against the client hardware
address in the received DHCP message. If disabled, the device does not perform this additional security check.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip dhcp-snooping verify-mac

 no ip dhcp-snooping verify-mac
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ip dhcp-snooping verify-mac
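
The check that `ip dhcp-snooping verify-mac` describes, written out as an added Python example (not code from this manual or from the device firmware): it compares the Ethernet source MAC address with the client hardware address (`chaddr`) field of the DHCP message. The field offsets follow the BOOTP/DHCP layout in RFC 2131; `verify_mac` and `build_discover` are hypothetical helper names, and the test frames are constructed.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100      # 802.1Q tag
IPPROTO_UDP = 17
DHCP_PORTS = (67, 68)        # server, client
BOOTP_FIXED_LEN = 236        # fixed BOOTP header, before the options
CHADDR_OFFSET = 28           # position of chaddr inside the BOOTP header


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def verify_mac(frame):
    """Compare the Ethernet source MAC with the DHCP chaddr field.

    Returns (verdict, source_mac, chaddr); verdict is "match", "mismatch",
    "not-dhcp" or "malformed".
    """
    if len(frame) < 14:
        return ("malformed", None, None)
    src = mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = 14
    if ethertype == ETHERTYPE_VLAN:              # skip one 802.1Q tag
        if len(frame) < 18:
            return ("malformed", src, None)
        ethertype = struct.unpack("!H", frame[16:18])[0]
        ip = 18
    if ethertype != ETHERTYPE_IPV4:
        return ("not-dhcp", src, None)
    if len(frame) < ip + 20:
        return ("malformed", src, None)
    ihl = (frame[ip] & 0x0F) * 4                 # IPv4 header length in bytes
    if ihl < 20 or len(frame) < ip + ihl + 8:
        return ("malformed", src, None)
    frag_offset = struct.unpack("!H", frame[ip + 6:ip + 8])[0] & 0x1FFF
    if frame[ip + 9] != IPPROTO_UDP or frag_offset:
        return ("not-dhcp", src, None)           # no UDP header to inspect
    udp = ip + ihl
    dport = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
    if dport not in DHCP_PORTS:
        return ("not-dhcp", src, None)
    bootp = udp + 8
    if len(frame) < bootp + BOOTP_FIXED_LEN:
        return ("malformed", src, None)
    htype, hlen = frame[bootp + 1], frame[bootp + 2]
    if htype != 1 or hlen != 6:                  # only Ethernet addresses handled
        return ("malformed", src, None)
    chaddr = mac_str(frame[bootp + CHADDR_OFFSET:bootp + CHADDR_OFFSET + 6])
    return ("match" if chaddr == src else "mismatch", src, chaddr)


def build_discover(src_mac, chaddr, vlan=None):
    """Constructed test frame: broadcast DHCPDISCOVER, checksums left at 0."""
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    bootp += bytes(16)                            # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr + bytes(10)                   # chaddr padded to 16 bytes
    bootp += bytes(64 + 128)                      # sname, file
    bootp += b"\x63\x82\x53\x63" + bytes([53, 1, 1, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, IPPROTO_UDP, 0, bytes(4), b"\xff" * 4)
    eth = b"\xff" * 6 + src_mac
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp + bootp


if __name__ == "__main__":
    host = bytes.fromhex("020000000001")          # constructed addresses
    other = bytes.fromhex("020000000002")
    samples = [("source MAC equals chaddr", build_discover(host, host)),
               ("chaddr differs, VLAN 10", build_discover(host, other, vlan=10)),
               ("truncated frame", build_discover(host, host)[:60])]
    for label, frame in samples:
        print(label, verify_mac(frame))
```
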

18.1.2 ip dhcp-snooping mode


Enable or disable DHCP Snooping.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip dhcp-snooping mode

 no ip dhcp-snooping mode
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ip dhcp-snooping mode


18.1.3 ip dhcp-snooping database storage


This command specifies a location for the persistent DHCP Snooping bindings database. This can be
a local file or a remote file on a given host.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip dhcp-snooping database storage <P-1>
Parameter Value Meaning
P-1 local Save persistent DHCP Snooping bindings database to a local file.
tftp-loc Save persistent DHCP Snooping bindings database to a remote file: <tftp-loc> := tftp://<ip-addr>/<filename>.

18.1.4 ip dhcp-snooping database write-delay


This command configures the interval in seconds at which the DHCP Snooping binding database will
be saved (persistent).
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip dhcp-snooping database write-delay <P-1>
Parameter Value Meaning
P-1 15..86400 Interval in seconds at which the persistent DHCP Snooping binding database will be saved. The interval value ranges from 15 to 86400 seconds.

18.1.5 ip dhcp-snooping binding add


This command creates a new static DHCP Snooping binding (and optionally an associated dynamic IP
Source Guard binding) between a MAC address and an IP address, for a specific VLAN at a particular
interface.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip dhcp-snooping binding add <P-1> <P-2> <P-3> <P-4> [<P-5>]
Parameter Value Meaning
P-1 aa:bb:cc:dd:ee:ff MAC address.
P-2 A.B.C.D IP address.
P-3 slot no./port no.
P-4 1..4042 Enter the VLAN ID.
P-5 active Activate the option.
inactive Inactivate the option.


18.1.6 ip dhcp-snooping binding delete all


This command deletes all static DHCP Snooping bindings (and optionally all associated dynamic IP
Source Guard bindings) at all interfaces.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip dhcp-snooping binding delete all

18.1.7 ip dhcp-snooping binding delete interface


This command deletes all static DHCP Snooping bindings (and optionally all associated dynamic IP
Source Guard bindings), associated with a particular interface.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip dhcp-snooping binding delete interface <P-1>
Parameter Value Meaning
P-1 slot no./port no.

18.1.8 ip dhcp-snooping binding delete mac


This command deletes one DHCP Snooping binding (and optionally the associated dynamic IP Source
Guard binding), associated with a MAC address.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip dhcp-snooping binding delete mac <P-1>
Parameter Value Meaning
P-1 aa:bb:cc:dd:ee:ff MAC address.


18.1.9 ip dhcp-snooping binding mode


This command activates or deactivates a configured static DHCP Snooping binding, associated with a
MAC address.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip dhcp-snooping binding mode <P-1> <P-2>
Parameter Value Meaning
P-1 aa:bb:cc:dd:ee:ff MAC address.
P-2 active Activate the option.
inactive Inactivate the option.


18.2 clear

Clear several items.

18.2.1 clear ip dhcp-snooping bindings


This command clears all dynamic DHCP Snooping (and IP Source Guard) bindings on all interfaces or
on a specific interface.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear ip dhcp-snooping bindings [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

18.2.2 clear ip dhcp-snooping statistics


This command clears the DHCP Snooping statistics.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear ip dhcp-snooping statistics


18.3 ip

IP commands.

18.3.1 ip dhcp-snooping mode


Enables or disables DHCP Snooping on a VLAN.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: ip dhcp-snooping mode <P-1>
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.

 no ip dhcp-snooping mode
Disable the option
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: no ip dhcp-snooping mode <P-1>


18.4 ip

IP interface commands.

18.4.1 ip dhcp-snooping trust


This command configures an interface as trusted (typically connected to a DHCP server) or untrusted.
DHCP Snooping forwards valid DHCP client messages on trusted interfaces. On untrusted interfaces
the application compares the receive interface with the client's interface in the binding database.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip dhcp-snooping trust

 no ip dhcp-snooping trust
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no ip dhcp-snooping trust

18.4.2 ip dhcp-snooping log


This command configures an interface to log invalid DHCP messages, or not to log.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip dhcp-snooping log

 no ip dhcp-snooping log
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no ip dhcp-snooping log


18.4.3 ip dhcp-snooping auto-disable


Enables or disables the auto-disable feature for an interface, applicable when the DHCP packet rate
exceeds the limit.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip dhcp-snooping auto-disable

 no ip dhcp-snooping auto-disable
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no ip dhcp-snooping auto-disable

18.4.4 ip dhcp-snooping limit


This command configures an interface for a maximum DHCP packet rate in a burst interval, or disables
it. If the rate of DHCP packets exceeds this limit in consecutive intervals, then all further packets are
dropped. If that happens and the auto-disable feature is also enabled, then the port is disabled
automatically.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip dhcp-snooping limit <P-1> [<P-2>]
Parameter Value Meaning
P-1 -1..150 Specifies the rate limit value (in packets per second, pps) for DHCP snooping purposes. The value -1 switches rate limiting off.
P-2 1..15 Specifies the burst interval value for DHCP snooping purposes. This parameter is optional; if omitted, the value remains unchanged.


18.5 show

Display device options and settings.

18.5.1 show ip dhcp-snooping global


This command displays the global DHCP Snooping configuration.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip dhcp-snooping global

18.5.2 show ip dhcp-snooping statistics


This command displays statistics for DHCP Snooping security violations on untrusted ports.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip dhcp-snooping statistics

18.5.3 show ip dhcp-snooping interfaces


This command shows the DHCP Snooping status of all interfaces.
• Mode: Command is available in all modes.
• Privilege Level: Guest
• Format: show ip dhcp-snooping interfaces

18.5.4 show ip dhcp-snooping vlan


This command displays the VLAN based DHCP Snooping status.
• Mode: Command is available in all modes.
• Privilege Level: Guest
• Format: show ip dhcp-snooping vlan

18.5.5 show ip dhcp-snooping bindings


This command displays the DHCP Snooping binding entries from the static and/or dynamic bindings
table.
• Mode: Command is available in all modes.
• Privilege Level: Guest
• Format: show ip dhcp-snooping bindings [<P-1>] [interface <P-2>] [vlan <P-3>]
[interface]: Restrict the output based on a specific interface.
[vlan]: Restrict the output based on VLAN.
Parameter Value Meaning
P-1 static Restrict the output based on static bindings.
dynamic Restrict the output based on dynamic bindings.
P-2 slot no./port no.
P-3 1..4042 Enter the VLAN ID.

19 Differentiated Services (DiffServ)

19.1 diffserv

Enable or disable DiffServ.


• Mode: Global Config Mode
• Privilege Level: Operator
• Format: diffserv

19.2 class-map

Manage DiffServ classes.

19.2.1 class-map name


Configure a Diffserv class.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: class-map name <P-1> match any ethertype <P-2> cos <P-3> secondary-cos <P-4>
destination-address <P-5> <P-6> <P-7> source-address <P-8> <P-9> <P-10>
dstip <P-11> <P-12> srcip <P-13> <P-14> dstl4port <P-15> srcl4port <P-16>
ip dscp <P-17> precedence <P-18> tos <P-19> <P-20> protocol <P-21>
vlan <P-22> secondary-vlan <P-23> class-map <P-24> <P-25>
match: Add a match rule for the class.
any: Match any packet.
ethertype: Add a match condition based on the ethertype value.
cos: Add a match condition based on the COS value.
secondary-cos: Add a match condition based on the secondary COS value.
destination-address: Add a match condition based on the destination mac address.
source-address: Add a match condition based on the source mac address.
dstip: Add a match condition based on the destination IPv4 address.
srcip: Add a match condition based on the source IP address.
dstl4port: Add a match condition based on the layer 4 destination port.
srcl4port: Add a match condition based on the layer 4 source port.
ip: Add a match condition based on IP DSCP, precedence or TOS fields.
dscp: Add a match condition based on the IP DSCP field.
precedence: Add a match condition based on the IP precedence field.
tos: Add a match condition based on the IP TOS field.
protocol: Add a match condition based on the IP protocol field.
vlan: Add a match condition based on the VLAN field.
secondary-vlan: Add a match condition based on the secondary VLAN field.
class-map: Add/remove a set of match condition defined for another class.
Parameter Value Meaning
P-1 string Enter the DiffServ class name, max. 31 characters.
P-2 0x0600-0xffff ethertype
appletalk appletalk
arp arp
ibmsna ibmsna
ipv4 ipv4
ipv6 ipv6
ipx ipx
mplsmcast mplsmcast
mplsucast mplsucast
netbios netbios
novell novell
pppoe pppoe
rarp rarp
P-3 0..7 COS value.
P-4 0..7 COS value.
P-5 mac mac.
P-6 aa:bb:cc:dd:ee:ff MAC address.
P-7 mac MAC mask.
P-8 mac mac.
P-9 aa:bb:cc:dd:ee:ff MAC address.
P-10 mac MAC mask.
P-11 A.B.C.D IP address.
P-12 <a.b.c.d> IP subnet mask.
P-13 A.B.C.D IP address.
P-14 <a.b.c.d> IP subnet mask.
P-15 domain domain
echo echo
ftp ftp
ftpdata ftpdata
http http
smtp smtp
snmp snmp
telnet telnet
tftp tftp
www www
0-65535 Port number
P-16 domain domain
echo echo
ftp ftp
ftpdata ftpdata
http http
smtp smtp
snmp snmp
telnet telnet
tftp tftp
www www
0-65535 Port number
P-17 0-63 Decimal value
af11 af11
af12 af12
af13 af13
af21 af21
af22 af22
af23 af23
af31 af31
af32 af32
af33 af33
af41 af41
af42 af42
af43 af43
be be
cs0 cs0
cs1 cs1
cs2 cs2
cs3 cs3
cs4 cs4
cs5 cs5
cs6 cs6
cs7 cs7
ef ef
P-18 0..7 IP precedence value.
P-19 string <00-ff> TOS bits/mask.
P-20 string <00-ff> TOS bits/mask.
P-21 icmp icmp
igmp igmp
ip ip
tcp tcp
udp udp
0-255 Protocol number
P-22 1..4042 Enter the VLAN ID.
P-23 1..4042 Enter the VLAN ID.
P-24 string Enter the DiffServ class name, max. 31 characters.
P-25 enable Enable the option.
disable Disable the option.

19.2.2 class-map rename


Rename an existing class.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: class-map rename <P-1> <P-2>
Parameter Value Meaning
P-1 string Enter the DiffServ class name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.

19.2.3 class-map match-all


Create a new match-all class.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: class-map match-all <P-1>
Parameter Value Meaning
P-1 string Enter the DiffServ class name, max. 31 characters.

19.2.4 class-map remove


Remove a Diffserv class.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: class-map remove <P-1>
Parameter Value Meaning
P-1 string Enter the DiffServ class name, max. 31 characters.

19.3 policy-map

Manage DiffServ policies.

19.3.1 policy-map create


Create a DiffServ policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map create <P-1> { in | out }
Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 in Traffic direction in.
P-2 out Traffic direction out.

19.3.2 policy-map name class add


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class add <string>
class: Manage DiffServ policy-class instances.
add: Add a policy-class instance.

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.

19.3.3 policy-map name class name assign-queue


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class name <string>
assign-queue <0..7>
class: Manage DiffServ policy-class instances.
name: Configure a policy-class instance.
assign-queue: Modify the queue id to which the associated traffic stream is assigned.

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.
P-3 0..7 Assign queue id.

19.3.4 policy-map name class name conform-color


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class name <string>
conform-color <string>
class: Manage DiffServ policy-class instances.
name: Configure a policy-class instance.
conform-color: Enable color-aware traffic policing and define the conform-color class.

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.
P-3 string Enter the DiffServ class name, max. 31 characters.

19.3.5 policy-map name class name drop


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class name <string>
drop
class: Manage DiffServ policy-class instances.
name: Configure a policy-class instance.
drop: All packets for the associated traffic stream are dropped at ingress.

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.

19.3.6 policy-map name class name mark


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class name <string>
mark {cos <0..7> |
cos-as-sec-cos |
ip-dscp <af11|af12|af13|af21|af22|
af23|af31|af32|af33|af41|
af42|af43|be|cs0|cs1|cs2|
cs3|cs4|cs5|cs6|cs7|ef>|
ip-precedence <0..7>}
class: Manage DiffServ policy-class instances.
name: Configure a policy-class instance.
mark: Add a mark attribute.
cos: Marks all packets with the specified COS value.
cos-as-sec-cos: Use secondary COS as COS.
ip-dscp: Marks all packets with the specified IP DSCP value.
ip-precedence: Marks all packets with the specified IP precedence value.

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.
P-3 0..7 COS value.
P-4 af11 af11
af12 af12
af13 af13
af21 af21
af22 af22
af23 af23
af31 af31
af32 af32
af33 af33
af41 af41
af42 af42
af43 af43
be be
cs0 cs0
cs1 cs1
cs2 cs2
cs3 cs3
cs4 cs4
cs5 cs5
cs6 cs6
cs7 cs7
ef ef
P-5 0..7 IP precedence value.

19.3.7 policy-map name class name mirror


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class name <string>
mirror < 1/1 | 1/2 | 1/3 | 1/4 | 2/1 |
2/2 | 2/3 | 2/4 | 3/1 | 3/2 |
3/3 | 3/4 | 4/1 | 4/2 | 4/3 |
4/4 | 5/1 | 5/2 | 5/3 | 5/4 >
class: Manage DiffServ policy-class instances.
name: Configure a policy-class instance.
mirror: All incoming packets for the associated traffic stream are copied to a specific egress interface.

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.
P-3 1/1 slot 1 / port 1
1/2 slot 1 / port 2
1/3 slot 1 / port 3
1/4 slot 1 / port 4
2/1 slot 2 / port 1
2/2 slot 2 / port 2
2/3 slot 2 / port 3
2/4 slot 2 / port 4
3/1 slot 3 / port 1
3/2 slot 3 / port 2
3/3 slot 3 / port 3
3/4 slot 3 / port 4
4/1 slot 4 / port 1
4/2 slot 4 / port 2
4/3 slot 4 / port 3
4/4 slot 4 / port 4
5/1 slot 5 / port 1
5/2 slot 5 / port 2
5/3 slot 5 / port 3
5/4 slot 5 / port 4
lag/1 lag instance 1
lag/2 lag instance 2

19.3.8 policy-map name class name police-simple conform-action drop violate-action


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class name <string>
police-simple
<1..4294967295> <1..128> conform-action
drop violate-action
{drop |
set-cos-as-sec-cos |
set-cos-transmit <0..7> |
set-dscp-transmit
<af11|af12|af13|af21|af22|
af23|af31|af32|af33|af41|
af42|af43|be|cs0|cs1|cs2|
cs3|cs4|cs5|cs6|cs7|ef> |
set-prec-transmit <0..7> |
set-sec-cos-transmit <0..7> |
transmit}

class: Manage DiffServ policy-class instances.


name: Configure a policy-class instance.
police-simple: Establish the traffic policing style for the specified class.
conform-action: Conform action.
violate-action: Violate action.
drop: Drop.
set-cos-as-sec-cos: set-cos-as-sec-cos
set-cos-transmit: set-cos-transmit
set-sec-cos-transmit: set-sec-cos-transmit
set-prec-transmit: set-prec-transmit
set-dscp-transmit: set-dscp-transmit
transmit: transmit

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.
P-3 1..4294967295 Data rate (Kbps).
P-4 1..128 Burst size (KB).
P-5 0..7 COS value.
P-6 af11 af11
af12 af12
af13 af13
af21 af21
af22 af22
af23 af23
af31 af31
af32 af32
af33 af33
af41 af41
af42 af42
af43 af43
be be
cs0 cs0
cs1 cs1
cs2 cs2
cs3 cs3
cs4 cs4
cs5 cs5
cs6 cs6
cs7 cs7
ef ef
P-7 0..7 IP precedence value.
P-8 0..7 COS value.

19.3.9 policy-map name class name police-simple conform-action set-cos-as-sec-cos violate-action


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class name <string>
police-simple <1..4294967295> <1..128>
conform-action set-cos-as-sec-cos
violate-action
{drop |
set-cos-as-sec-cos |
set-cos-transmit <0..7> |
set-dscp-transmit
<af11|af12|af13|af21|af22|
af23|af31|af32|af33|af41|
af42|af43|be|cs0|cs1|cs2|
cs3|cs4|cs5|cs6|cs7|ef> |
set-prec-transmit <0..7> |
set-sec-cos-transmit <0..7> |
transmit}

class: Manage DiffServ policy-class instances.


name: Configure a policy-class instance.
police-simple: Establish the traffic policing style for the specified class.
conform-action: Conform action.
violate-action: Violate action.
drop: Drop.
set-cos-as-sec-cos: set-cos-as-sec-cos
set-cos-transmit: set-cos-transmit
set-sec-cos-transmit: set-sec-cos-transmit
set-prec-transmit: set-prec-transmit
set-dscp-transmit: set-dscp-transmit
transmit: transmit

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.
P-3 1..4294967295 Data rate (Kbps).
P-4 1..128 Burst size (KB).
P-5 0..7 COS value.
P-6 af11 af11
af12 af12
af13 af13
af21 af21
af22 af22
af23 af23
af31 af31
af32 af32
af33 af33
af41 af41
af42 af42
af43 af43
be be
cs0 cs0
cs1 cs1
cs2 cs2
cs3 cs3
cs4 cs4
cs5 cs5
cs6 cs6
cs7 cs7
ef ef
P-7 0..7 IP precedence value.
P-8 0..7 COS value.

19.3.10 policy-map name class name police-simple conform-action set-cos-transmit violate-action


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class name <string>
police-simple <1..4294967295> <1..128>
conform-action set-cos-transmit <0..7>
violate-action
{drop |
set-cos-as-sec-cos |
set-cos-transmit <0..7> |
set-dscp-transmit
<af11|af12|af13|af21|af22|
af23|af31|af32|af33|af41|
af42|af43|be|cs0|cs1|cs2|
cs3|cs4|cs5|cs6|cs7|ef> |
set-prec-transmit <0..7> |
set-sec-cos-transmit <0..7> |
transmit}

class: Manage DiffServ policy-class instances.
name: Configure a policy-class instance.
police-simple: Establish the traffic policing style for the specified class.
conform-action: Conform action.
violate-action: Violate action.
drop: Drop.
set-cos-as-sec-cos: set-cos-as-sec-cos
set-cos-transmit: set-cos-transmit
set-sec-cos-transmit: set-sec-cos-transmit
set-prec-transmit: set-prec-transmit
set-dscp-transmit: set-dscp-transmit
transmit: transmit

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.
P-3 1..4294967295 Data rate (Kbps).
P-4 1..128 Burst size (KB).
P-5 0..7 COS value.
P-6 0..7 COS value.
P-7 af11 af11
af12 af12
af13 af13
af21 af21
af22 af22
af23 af23
af31 af31
af32 af32
af33 af33
af41 af41
af42 af42
af43 af43
be be
cs0 cs0
cs1 cs1
cs2 cs2
cs3 cs3
cs4 cs4
cs5 cs5
cs6 cs6
cs7 cs7
ef ef
P-8 0..7 IP precedence value.
P-9 0..7 COS value.

19.3.11 policy-map name class name police-simple conform-action set-dscp-transmit violate-action


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class name <string>
police-simple <1..4294967295> <1..128>
conform-action set-dscp-transmit
<af11|af12|af13|af21|af22|
af23|af31|af32|af33|af41|
af42|af43|be|cs0|cs1|cs2|
cs3|cs4|cs5|cs6|cs7|ef>
violate-action
{drop |
set-cos-as-sec-cos |
set-cos-transmit <0..7> |
set-dscp-transmit
<af11|af12|af13|af21|af22|
af23|af31|af32|af33|af41|
af42|af43|be|cs0|cs1|cs2|
cs3|cs4|cs5|cs6|cs7|ef> |
set-prec-transmit <0..7> |
set-sec-cos-transmit <0..7> |
transmit}

class: Manage DiffServ policy-class instances.


name: Configure a policy-class instance.
police-simple: Establish the traffic policing style for the specified class.
conform-action: Conform action.
violate-action: Violate action.
drop: Drop.
set-cos-as-sec-cos: set-cos-as-sec-cos
set-cos-transmit: set-cos-transmit
set-sec-cos-transmit: set-sec-cos-transmit
set-prec-transmit: set-prec-transmit
set-dscp-transmit: set-dscp-transmit
transmit: transmit

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.
P-3 1..4294967295 Data rate (Kbps).
P-4 1..128 Burst size (KB).
P-5 af11 af11
af12 af12
af13 af13
af21 af21
af22 af22
af23 af23
af31 af31
af32 af32
af33 af33
af41 af41
af42 af42
af43 af43
be be
cs0 cs0
cs1 cs1
cs2 cs2
cs3 cs3
cs4 cs4
cs5 cs5
cs6 cs6
cs7 cs7
ef ef
P-6 0..7 COS value.
P-7 af11 af11
af12 af12
af13 af13
af21 af21
af22 af22
af23 af23
af31 af31
af32 af32
af33 af33
af41 af41
af42 af42
af43 af43
be be
cs0 cs0
cs1 cs1
cs2 cs2
cs3 cs3
cs4 cs4
cs5 cs5
cs6 cs6
cs7 cs7
ef ef
P-8 0..7 IP precedence value.
P-9 0..7 COS value.

19.3.12 policy-map name class name police-simple conform-action set-prec-transmit violate-action


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class name <string>
police-simple <1..4294967295> <1..128>
conform-action set-prec-transmit <0..7>
violate-action
{drop |
set-cos-as-sec-cos |
set-cos-transmit <0..7> |
set-dscp-transmit
<af11|af12|af13|af21|af22|
af23|af31|af32|af33|af41|
af42|af43|be|cs0|cs1|cs2|
cs3|cs4|cs5|cs6|cs7|ef> |
set-prec-transmit <0..7> |
set-sec-cos-transmit <0..7> |
transmit}

class: Manage DiffServ policy-class instances.


name: Configure a policy-class instance.
police-simple: Establish the traffic policing style for the specified class.
conform-action: Conform action.
violate-action: Violate action.
drop: Drop.
set-cos-as-sec-cos: set-cos-as-sec-cos
set-cos-transmit: set-cos-transmit
set-sec-cos-transmit: set-sec-cos-transmit
set-prec-transmit: set-prec-transmit
set-dscp-transmit: set-dscp-transmit
transmit: transmit

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.
P-3 1..4294967295 Data rate (Kbps).
P-4 1..128 Burst size (KB).
P-5 0..7 IP precedence value.
P-6 0..7 COS value.
P-7 af11 af11
af12 af12
af13 af13
af21 af21
af22 af22
af23 af23
af31 af31
af32 af32
af33 af33
af41 af41
af42 af42
af43 af43
be be
cs0 cs0
cs1 cs1
cs2 cs2
cs3 cs3
cs4 cs4
cs5 cs5
cs6 cs6
cs7 cs7
ef ef
P-8 0..7 IP precedence value.
P-9 0..7 COS value.

19.3.13 policy-map name class name police-simple conform-action set-sec-cos-transmit violate-action


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class name <string>
police-simple <1..4294967295> <1..128>
conform-action set-sec-cos-transmit <0..7>
violate-action
{drop |
set-cos-as-sec-cos |
set-cos-transmit <0..7> |
set-dscp-transmit
<af11|af12|af13|af21|af22|
af23|af31|af32|af33|af41|
af42|af43|be|cs0|cs1|cs2|
cs3|cs4|cs5|cs6|cs7|ef> |
set-prec-transmit <0..7> |
set-sec-cos-transmit <0..7> |
transmit}

class: Manage DiffServ policy-class instances.
name: Configure a policy-class instance.
police-simple: Establish the traffic policing style for the specified class.
conform-action: Conform action.
violate-action: Violate action.
drop: Drop.
set-cos-as-sec-cos: set-cos-as-sec-cos
set-cos-transmit: set-cos-transmit
set-sec-cos-transmit: set-sec-cos-transmit
set-prec-transmit: set-prec-transmit
set-dscp-transmit: set-dscp-transmit
transmit: transmit

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.
P-3 1..4294967295 Data rate (Kbps).
P-4 1..128 Burst size (KB).
P-5 0..7 COS value.
P-6 0..7 COS value.
P-7 af11 af11
af12 af12
af13 af13
af21 af21
af22 af22
af23 af23
af31 af31
af32 af32
af33 af33
af41 af41
af42 af42
af43 af43
be be
cs0 cs0
cs1 cs1
cs2 cs2
cs3 cs3
cs4 cs4
cs5 cs5
cs6 cs6
cs7 cs7
ef ef
P-8 0..7 IP precedence value.
P-9 0..7 COS value.

19.3.14 policy-map name class name police-simple conform-action transmit violate-action


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class name <string>
police-simple <1..4294967295> <1..128>
conform-action transmit violate-action
{drop |
set-cos-as-sec-cos |
set-cos-transmit <0..7> |
set-dscp-transmit
<af11|af12|af13|af21|af22|
af23|af31|af32|af33|af41|
af42|af43|be|cs0|cs1|cs2|
cs3|cs4|cs5|cs6|cs7|ef> |
set-prec-transmit <0..7> |
set-sec-cos-transmit <0..7> |
transmit}

class: Manage DiffServ policy-class instances.


name: Configure a policy-class instance.
police-simple: Establish the traffic policing style for the specified class.
conform-action: Conform action.
violate-action: Violate action.
drop: Drop.
set-cos-as-sec-cos: set-cos-as-sec-cos
set-cos-transmit: set-cos-transmit
set-sec-cos-transmit: set-sec-cos-transmit
set-prec-transmit: set-prec-transmit
set-dscp-transmit: set-dscp-transmit
transmit: transmit

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.
P-3 1..4294967295 Data rate (Kbps).
P-4 1..128 Burst size (KB).
P-5 0..7 COS value.
P-6 af11 af11
af12 af12
af13 af13
af21 af21
af22 af22
af23 af23
af31 af31
af32 af32
af33 af33
af41 af41
af42 af42
af43 af43
be be
cs0 cs0
cs1 cs1
cs2 cs2
cs3 cs3
cs4 cs4
cs5 cs5
cs6 cs6
cs7 cs7
ef ef
P-7 0..7 IP precedence value.
P-8 0..7 COS value.

19.3.15 policy-map name class name police-two-rate conform-action ... exceed-action ... violate-action ...


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class name <string>
police-two-rate <1..4294967295> <1..128>
<1..4294967295> <1..128>
conform-action *)
exceed-action *)
violate-action *)

*){drop |
set-cos-as-sec-cos |
set-cos-transmit <0..7> |
set-dscp-transmit
<af11|af12|af13|af21|af22|
af23|af31|af32|af33|af41|
af42|af43|be|cs0|cs1|cs2|
cs3|cs4|cs5|cs6|cs7|ef> |
set-prec-transmit <0..7> |
set-sec-cos-transmit <0..7> |
transmit}

class: Manage DiffServ policy-class instances.


name: Configure a policy-class instance.
police-two-rate: Establish the two-rate traffic policing style for the specified class.
conform-action: Conform action.
exceed-action: Exceed action.
violate-action: Violate action.
drop: Drop.
set-cos-as-sec-cos: set-cos-as-sec-cos
set-cos-transmit: set-cos-transmit
set-sec-cos-transmit: set-sec-cos-transmit
set-prec-transmit: set-prec-transmit
set-dscp-transmit: set-dscp-transmit
transmit: transmit

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.
P-3 1..4294967295 Data rate (Kbps).
P-4 1..128 Burst size (KB).
P-5 1..4294967295 Data rate (Kbps).
P-6 1..128 Burst size (KB).
P-7 0..7 COS value.
P-8 af11 af11
af12 af12
af13 af13
af21 af21
af22 af22
af23 af23
af31 af31
af32 af32
af33 af33
af41 af41
af42 af42
af43 af43
be be
cs0 cs0
cs1 cs1
cs2 cs2
cs3 cs3
cs4 cs4
cs5 cs5
cs6 cs6
cs7 cs7
ef ef
P-9 0..7 IP precedence value.
P-10 0..7 COS value.

19.3.16 policy-map name class name redirect


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class name <string>
redirect < 1/1 | 1/2 | 1/3 | 1/4 | 2/1 |
2/2 | 2/3 | 2/4 | 3/1 | 3/2 |
3/3 | 3/4 | 4/1 | 4/2 | 4/3 |
4/4 | 5/1 | 5/2 | 5/3 | 5/4 |
lag/1 | lag/2 >

class: Manage DiffServ policy-class instances.


name: Configure a policy-class instance.
remove: Remove a policy-class instance.
redirect: All incoming packets for the associated traffic stream are redirected to a specific egress
interface.

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.
P-3 1/1 slot 1 / port 1
1/2 slot 1 / port 2
1/3 slot 1 / port 3
1/4 slot 1 / port 4
2/1 slot 2 / port 1
2/2 slot 2 / port 2
2/3 slot 2 / port 3
2/4 slot 2 / port 4
3/1 slot 3 / port 1
3/2 slot 3 / port 2
3/3 slot 3 / port 3
3/4 slot 3 / port 4
4/1 slot 4 / port 1
4/2 slot 4 / port 2
4/3 slot 4 / port 3
4/4 slot 4 / port 4
5/1 slot 5 / port 1
5/2 slot 5 / port 2
5/3 slot 5 / port 3
5/4 slot 5 / port 4
lag/1 lag instance 1
lag/2 lag instance 2

19.3.17 policy-map name class remove


Configure a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map name <string> class remove <string>
class: Manage DiffServ policy-class instances.
remove: Remove a policy-class instance.

Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ class name, max. 31 characters.

19.3.18 policy-map rename


Rename an existing DiffServ policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map rename <string> <string>
Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.
P-2 string Enter the DiffServ policy name, max. 31 characters.

19.3.19 policy-map remove


Remove a Diffserv policy.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: policy-map remove <string>
Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.

19.4 service-policy

Assign/detach a DiffServ traffic conditioning policy to/from all interfaces.


• Mode: Global Config Mode
• Privilege Level: Operator
• Format: service-policy

19.5 service-policy

Assign/detach a DiffServ traffic conditioning policy to/from an interface.


• Mode: Interface Range Mode
• Privilege Level: Operator
• Format: service-policy

19.6 show

Display device options and settings.

19.6.1 show diffserv global


Show DiffServ global information.
• Mode: Command is available in all modes.
• Privilege Level: Guest
• Format: show diffserv global

19.6.2 show diffserv service brief


Display DiffServ policy summary information.
• Mode: Command is available in all modes.
• Privilege Level: Guest
• Format: show diffserv service brief

19.6.3 show diffserv service interface


Display policy service information for the specified interface and direction.
• Mode: Command is available in all modes.
• Privilege Level: Guest
• Format: show diffserv service interface <P-1> <P-2>
Parameter Value Meaning
P-1 slot no./port no.
P-2 in Traffic direction in

19.6.4 show class-map


Show existing DiffServ classes or display information for a specified class.
• Mode: Command is available in all modes.
• Privilege Level: Guest
• Format: show class-map [<P-1>]
Parameter Value Meaning
P-1 string Enter the DiffServ class name, max. 31 characters.

19.6.5 show policy-map all


Show all Diffserv policies.
• Mode: Command is available in all modes.
• Privilege Level: Guest
• Format: show policy-map all

19.6.6 show policy-map interface


Show the policies attached to the specified interface.
• Mode: Command is available in all modes.
• Privilege Level: Guest
• Format: show policy-map interface <P-1> <P-2>
Parameter Value Meaning
P-1 slot no./port no.
P-2 in Traffic direction in

19.6.7 show policy-map name


Show information for the specified policy.
• Mode: Command is available in all modes.
• Privilege Level: Guest
• Format: show policy-map name <P-1>
Parameter Value Meaning
P-1 string Enter the DiffServ policy name, max. 31 characters.

19.6.8 show service-policy


Display a summary of policy-oriented statistics information for all interfaces in the specified direction.
• Mode: Command is available in all modes.
• Privilege Level: Guest
• Format: show service-policy <P-1>
Parameter Value Meaning
P-1 in Traffic direction in

20 Domain Name System (DNS)

20.1 dns

Set DNS parameters.

20.1.1 dns cache adminstate


Enable or disable DNS cache.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: dns cache adminstate

• no dns cache adminstate
Disable the option
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: no dns cache adminstate

20.1.2 dns cache flush


Flush the DNS cache.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dns cache flush <P-1>
Paramete Value Meaning
r
P-1 action Flush the DNS cache.

20.1.3 dns client adminstate


Enable or disable DNS Client.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: dns client adminstate

• no dns client adminstate
Disable the option
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: no dns client adminstate

20.1.4 dns client cache adminstate


Enable or disable DNS client cache.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: dns client cache adminstate

• no dns client cache adminstate
Disable the option
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: no dns client cache adminstate

20.1.5 dns client cache flush


Flush the DNS client cache.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dns client cache flush <P-1>
Paramete Value Meaning
r
P-1 action Flush the DNS cache.

20.1.6 dns client domain-name


DNS Client default domain name.
• Mode: Global Config Mode
• Privilege Level: Operator
• Format: dns client domain-name <P-1>
Parameter Value Meaning
P-1 string Hostname.

20.1.7 dns client host add


Add a new DNS client host entry.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dns client host add <P-1> name <P-2> ip <P-3>
name: Enter the DNS host name.
ip: Enter the DNS host address.
Parameter Value Meaning
P-1 1..64 DNS Client hosts index.
P-2 string Hostname.
P-3 a.b.c.d IP address.

20.1.8 dns client host delete


Delete a DNS host entry.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dns client host delete <P-1>
Parameter Value Meaning
P-1 1..64 DNS Client hosts index.

20.1.9 dns client host modify


Modify a DNS client host entry.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dns client host modify <P-1> name <P-2> ip <P-3> status <P-4>
name: Enter the DNS host name.
ip: Enter the DNS host address.
status: Enter the status of the DNS host.
Parameter Value Meaning
P-1 1..64 DNS Client hosts index.
P-2 string Hostname.
P-3 a.b.c.d IP address.
P-4 enable Enable the option.
disable Disable the option.

20.1.10 dns client source


DNS Client configuration source.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dns client source <P-1>
Parameter Value Meaning
P-1 user Use the DNS servers defined by the user.
mgmt-dhcp Use the DNS servers received by DHCP on the management interface.
provider

20.1.11 dns client servers add


Add a new DNS server.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dns client servers add <P-1> ip <P-2>
ip: Enter the DNS server address.
Parameter Value Meaning
P-1 1..4 DNS Client servers index.
P-2 a.b.c.d IP address.

20.1.12 dns client servers delete


Delete a DNS server.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dns client servers delete <P-1>
Parameter Value Meaning
P-1 1..4 DNS Client servers index.

20.1.13 dns client servers modify


Modify a DNS server entry.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dns client servers modify <P-1> ip <P-2> status <P-3> operation <P-4>
ip: Change the DNS server address.
status: Change the status of this DNS server.
operation: Change the status of this DNS server.
Parameter Value Meaning
P-1 1..4 DNS Client servers index.
P-2 a.b.c.d IP address.
P-3 enable Enable the option.
disable Disable the option.
P-4 enable Enable the option.
disable Disable the option.

20.1.14 dns client servers enable


Activate a DNS server entry.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dns client servers enable <P-1>
Parameter Value Meaning
P-1 1..4 DNS Client servers index.

20.1.15 dns client servers disable


Deactivate a DNS server entry.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dns client servers disable <P-1>
Parameter Value Meaning
P-1 1..4 DNS Client servers index.

20.1.16 dns client timeout


Set the timeout before retransmitting a request to the server.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dns client timeout <P-1>
Parameter Value Meaning
P-1 0..3600 The timeout before retransmitting a request to the server (default: 3).

20.1.17 dns client retry


Set the number of times the request is retransmitted.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dns client retry <P-1>
Parameter Value Meaning
P-1 0..100 The number of times the request is retransmitted (default: 2).

20.2 show

Display device options and settings.

20.2.1 show dns client hosts


Show the DNS Client hosts table.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dns client hosts

20.2.2 show dns client info


Show DNS Client related information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dns client info

20.2.3 show dns client servers


Show the DNS Client servers.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dns client servers [<P-1>]
Parameter Value Meaning
P-1 extern Show the DNS Client servers received from external sources.

21 DoS Mitigation

21.1 dos

Manage DoS Mitigation.

21.1.1 dos tcp-null


Enables TCP Null scan protection - all TCP flags and TCP sequence number zero.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dos tcp-null

 no dos tcp-null
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dos tcp-null

21.1.2 dos tcp-xmas


Enables TCP XMAS scan protection - TCP FIN, URG, PSH equal 1 and SEQ equals 0.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dos tcp-xmas

 no dos tcp-xmas
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dos tcp-xmas

21.1.3 dos tcp-syn-fin


Enables TCP SYN/FIN scan protection - TCP with SYN and FIN flags set.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dos tcp-syn-fin

 no dos tcp-syn-fin
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dos tcp-syn-fin

21.1.4 dos tcp-min-header


Enables TCP minimal header size check.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dos tcp-min-header

 no dos tcp-min-header
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dos tcp-min-header

21.1.5 dos icmp-fragmented


Enables fragmented ICMP protection.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dos icmp-fragmented

 no dos icmp-fragmented
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dos icmp-fragmented

21.1.6 dos icmp payload-check


Enables ICMP max payload size protection for IPv4 and IPv6.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dos icmp payload-check

 no dos icmp payload-check


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dos icmp payload-check

21.1.7 dos icmp payload-size


Configures maximum ICMP payload size (default: 512).
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dos icmp payload-size <P-1>
Parameter Value Meaning
P-1 0..1472 Max. ICMP payload size (default: 512)

21.1.8 dos ip-land


Enables LAND attack protection - source IP equals destination IP.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dos ip-land <P-1>
Parameter Value Meaning
P-1 enable Enable the option.
disable Disable the option.

21.1.9 dos tcp-offset


Enables TCP offset check - ingress TCP packets with fragment offset 1 are dropped.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dos tcp-offset

 no dos tcp-offset
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dos tcp-offset

21.1.10 dos tcp-syn


Enables TCP source port smaller than 1024 protection.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dos tcp-syn

 no dos tcp-syn
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dos tcp-syn

21.1.11 dos l4-port


Enables UDP or TCP source port equals destination port check.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dos l4-port

 no dos l4-port
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dos l4-port

21.1.12 dos icmp-smurf-attack


Enables ICMP smurf attack protection check.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dos icmp-smurf-attack

 no dos icmp-smurf-attack
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dos icmp-smurf-attack
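
The match conditions stated for the dos commands in 21.1, written out as a Python classifier that can be run against lab packets to see which checks they would trip. This is an added example, not Hirschmann code: the function names and sample packets are constructed here, and the readings marked as assumptions (tcp-min-header, tcp-syn, ICMP payload counting) are not stated in the manual. icmp-smurf-attack is left out because the manual gives no match rule for it.

```python
import ipaddress
import struct

ICMP, TCP, UDP = 1, 6, 17
FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20


def classify(packet, icmp_max_payload=512):
    """Return the names of the 'dos ...' checks this IPv4 packet would trip."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return []
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack_from("!HHH", packet, 2)
    proto, src, dst = packet[9], packet[12:16], packet[16:20]
    more_fragments, frag_offset = bool(frag & 0x2000), frag & 0x1FFF
    l4 = packet[ihl:total_len]
    hits = []

    if src == dst:                                   # dos ip-land
        hits.append("ip-land")
    if proto == ICMP:
        if more_fragments or frag_offset:            # dos icmp-fragmented
            hits.append("icmp-fragmented")
        # Assumption: payload is counted after the 8-byte ICMP header.
        elif len(l4) - 8 > icmp_max_payload:         # dos icmp payload-size
            hits.append("icmp payload-size")
    if proto == TCP and frag_offset == 1:            # dos tcp-offset
        hits.append("tcp-offset")
    if proto not in (TCP, UDP) or frag_offset != 0 or len(l4) < 4:
        return hits                                  # no L4 ports to inspect

    sport, dport = struct.unpack_from("!HH", l4, 0)
    if sport == dport:                               # dos l4-port
        hits.append("l4-port")
    if proto == UDP:
        return hits
    if len(l4) < 20 or (l4[12] >> 4) < 5:
        # Assumption: "minimal header size" means the 20-byte TCP header.
        hits.append("tcp-min-header")
        return hits

    seq = struct.unpack_from("!I", l4, 4)[0]
    flags = l4[13] & 0x3F                            # FIN SYN RST PSH ACK URG
    if flags == 0 and seq == 0:                      # dos tcp-null
        hits.append("tcp-null")
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG) and seq == 0:
        hits.append("tcp-xmas")                      # dos tcp-xmas
    if (flags & SYN) and (flags & FIN):              # dos tcp-syn-fin
        hits.append("tcp-syn-fin")
    # Assumption from the command name: only SYN segments are matched.
    if (flags & SYN) and sport < 1024:               # dos tcp-syn
        hits.append("tcp-syn")
    return hits


def ipv4(proto, src, dst, payload, frag=0):
    """Build a constructed IPv4 packet (checksum left at 0, not validated)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag,
                       64, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def tcp(sport, dport, seq, flags):
    """Build a constructed 20-byte TCP header with the given flags."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       (5 << 12) | flags, 8192, 0, 0)


A, B = "192.0.2.10", "198.51.100.20"                 # documentation addresses
ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1)          # ICMP echo request header
SAMPLES = {                                          # constructed test packets
    "normal syn": ipv4(TCP, A, B, tcp(40000, 443, 12345, SYN)),
    "null scan": ipv4(TCP, A, B, tcp(40000, 80, 0, 0)),
    "xmas scan": ipv4(TCP, A, B, tcp(40000, 80, 0, FIN | PSH | URG)),
    "syn+fin": ipv4(TCP, A, B, tcp(40000, 80, 1000, SYN | FIN)),
    "land": ipv4(TCP, A, A, tcp(40000, 80, 1000, SYN)),
    "low-port syn": ipv4(TCP, A, B, tcp(1000, 80, 5, SYN)),
    "udp echo loop": ipv4(UDP, A, B, struct.pack("!HHHH", 7, 7, 8, 0)),
    "tcp tiny frag": ipv4(TCP, A, B, b"\x00" * 8, frag=1),
    "icmp 600 bytes": ipv4(ICMP, A, B, ECHO + b"x" * 600),
    "icmp fragment": ipv4(ICMP, A, B, ECHO, frag=0x2000),
}


def run_samples():
    """Classify every constructed sample and return {name: [checks hit]}."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:15} -> {hits or 'pass'}")
```

Passing icmp_max_payload mirrors the value set with dos icmp payload-size; the default of 512 is the one the manual gives.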

21.2 show

Display device options and settings.

21.2.1 show dos


Show DoS Mitigation parameters.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dos

22 IEEE 802.1x (Dot1x)

22.1 dot1x

Configure 802.1X parameters.

22.1.1 dot1x dynamic-vlan


Creates VLANs dynamically when a RADIUS-assigned VLAN does not exist.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dot1x dynamic-vlan

 no dot1x dynamic-vlan
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dot1x dynamic-vlan

22.1.2 dot1x system-auth-control


Enable or disable 802.1X authentication support on the switch.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dot1x system-auth-control

 no dot1x system-auth-control
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dot1x system-auth-control

22.1.3 dot1x monitor


Enable or disable 802.1X monitor mode.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: dot1x monitor

 no dot1x monitor
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no dot1x monitor

22.2 dot1x

Configure 802.1X interface parameters.

22.2.1 dot1x guest-vlan


Configure a VLAN as 802.1X guest VLAN.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dot1x guest-vlan <P-1>
Parameter Value Meaning
P-1 0..4042 Enter the VLAN ID. Entering of ID 0 disables the feature.

22.2.2 dot1x max-req


Configure the maximum number of requests to be sent.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dot1x max-req <P-1>
Parameter Value Meaning
P-1 1..10 Maximum number of requests (default: 2).

22.2.3 dot1x max-users


Configure the maximum number of supplicants on a port.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dot1x max-users <P-1>
Parameter Value Meaning
P-1 1..16 Maximum number of supplicants on a port (default: 16).

22.2.4 dot1x mac-auth-bypass


Configure MAC-Authentication bypass for the port.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dot1x mac-auth-bypass

 no dot1x mac-auth-bypass
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no dot1x mac-auth-bypass

22.2.5 dot1x port-control


Set the authentication mode on the specified port.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dot1x port-control <P-1>
Parameter Value Meaning
P-1 auto Port is actually controlled by protocol.
force-authorized Port is authorized unconditionally (default).
force-unauthorized Port is unauthorized unconditionally.
multi-client If more than one client is attached to the port, then each client needs to authenticate separately.

22.2.6 dot1x re-authentication


Enable or disable re-authentication for the given interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dot1x re-authentication

 no dot1x re-authentication
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no dot1x re-authentication

22.2.7 dot1x unauthenticated-vlan


Configure a VLAN as 802.1X unauthenticated VLAN.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dot1x unauthenticated-vlan <P-1>
Parameter Value Meaning
P-1 0..4042 Enter the VLAN ID. Entering of ID 0 disables the feature.

22.2.8 dot1x timeout guest-vlan-period


Configure the guest-vlan period value.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dot1x timeout guest-vlan-period <P-1>
Parameter Value Meaning
P-1 1..300 Guest-vlan timeout in seconds (default: 90).

22.2.9 dot1x timeout reauth-period


Configure the re-authentication period.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dot1x timeout reauth-period <P-1>
Parameter Value Meaning
P-1 1..65535 Timeout in seconds.

22.2.10 dot1x timeout quiet-period


Configure the quiet period value.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dot1x timeout quiet-period <P-1>
Parameter Value Meaning
P-1 0..65535 Quiet period in seconds (default: 60).

22.2.11 dot1x timeout tx-period


Configure the transmit timeout period.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dot1x timeout tx-period <P-1>
Parameter Value Meaning
P-1 1..65535 Timeout in seconds.

22.2.12 dot1x timeout supp-timeout


Configure the supplicant timeout period.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dot1x timeout supp-timeout <P-1>
Parameter Value Meaning
P-1 1..65535 Timeout in seconds.

22.2.13 dot1x timeout server-timeout


Configure the server timeout period.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dot1x timeout server-timeout <P-1>

Parameter Value Meaning
P-1 1..65535 Timeout in seconds.

22.2.14 dot1x initialize


Begins the initialization sequence on the specified port (port-control mode must be 'auto').
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dot1x initialize

 no dot1x initialize
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no dot1x initialize

22.2.15 dot1x re-authenticate


Begins the re-authentication sequence on the specified port (port-control mode must be 'auto').
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: dot1x re-authenticate

 no dot1x re-authenticate
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no dot1x re-authenticate

22.3 show

Display device options and settings.

22.3.1 show dot1x global


Display global 802.1X configuration.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dot1x global

22.3.2 show dot1x auth-history


Display 802.1X authentication events and information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dot1x auth-history [<P-1> [<P-2>]]
Parameter Value Meaning
P-1 slot no./port no.
P-2 1..4294967294 802.1X history log entry index. This can be specified only if interface is provided.
Parameter Usage: [ <slot/port> [index] ]

22.3.3 show dot1x detail


Display the detailed 802.1X configuration for the specified port.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dot1x detail <P-1>
Parameter Value Meaning
P-1 slot no./port no.

22.3.4 show dot1x summary


Display summary information of the 802.1X configuration for a specified port or all ports.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dot1x summary [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

22.3.5 show dot1x clients


Display 802.1X client information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dot1x clients [<P-1>]
Parameter Value Meaning
P-1 aa:bb:cc:dd:ee:ff MAC address.

22.3.6 show dot1x statistics


Display the 802.1X statistics for the specified port.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show dot1x statistics <P-1>
Parameter Value Meaning
P-1 slot no./port no.

22.4 clear

Clear several items.

22.4.1 clear dot1x statistics port


Resets the 802.1X statistics for specified port.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear dot1x statistics port <P-1>
Parameter Value Meaning
P-1 slot no./port no.

22.4.2 clear dot1x statistics all


Resets the 802.1X statistics for all ports.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear dot1x statistics all

22.4.3 clear dot1x auth-history port


Clears the 802.1X authentication history for specified port.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear dot1x auth-history port <P-1>
Parameter Value Meaning
P-1 slot no./port no.

22.4.4 clear dot1x auth-history all


Clears the 802.1X authentication history for all ports.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear dot1x auth-history all

23 IEEE 802.3ad (Dot3ad)

23.1 link-aggregation

Configure 802.3ad link aggregation parameters to increase bandwidth and provide redundancy by
combining connections.

23.1.1 link-aggregation add


Create a new Link Aggregation Group to increase bandwidth and provide link redundancy. If desired,
enter a name up to 15 alphanumeric characters in length.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: link-aggregation add <P-1>
Parameter Value Meaning
P-1 lag/<lagport> lag/<lagport> Enter a lag interface in lag/lagport format.

23.1.2 link-aggregation modify


Modify the parameters for the specified Link Aggregation Group.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: link-aggregation modify <P-1> name <P-2> addport <P-3> deleteport <P-4> adminmode linktrap static hashmode <P-5> min-links <P-6>
name: Modify the name of the specified Link Aggregation Group.
addport: Add the specified port to the Link Aggregation Group.
deleteport: Delete the specified port from the Link Aggregation Group.
adminmode: Modify the administration mode of the specified Link Aggregation Group. To activate the group, enable the administration mode.
linktrap: Enable/Disable link trap notifications for the specified Link Aggregation Group.
static: Enable or disable static capability for the specified Link Aggregation Group on a device. When enabled, LACP automatically helps prevent loops and allows non-link aggregation partners to support LACP.
hashmode: Set the hash mode to be used by the load balancing algorithm for specified Link Aggregation Group.
min-links: Set the minimum links for the specified Link Aggregation Group.
Parameter Value Meaning
P-1 slot no./port no.
P-2 string Enter a user-defined text, max. 15 characters.
P-3 slot no./port no.
P-4 slot no./port no.
P-5 src-mac Source MAC, VLAN, EtherType, and incoming port associated with the packet.
dst-mac Destination MAC, VLAN, EtherType, and incoming port associated with the packet.
src-dst-mac Source/Destination MAC, VLAN, EtherType, and incoming port associated with the packet.
src-ip Source IP and Source TCP/UDP fields of the packet.
dst-ip Destination IP and Destination TCP/UDP Port fields of the packet.
src-dst-ip Source/Destination IP and source/destination TCP/UDP Port fields of the packet.
P-6 slot no./port no.

 no link-aggregation modify
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no link-aggregation modify <P-1> name addport deleteport adminmode linktrap static hashmode min-links

23.1.3 link-aggregation delete


Delete the Link Aggregation Group to divide the group into individual connections.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: link-aggregation delete <P-1>
Parameter Value Meaning
P-1 slot no./port no.

23.1.4 link-aggregation hashmode


Set the hash mode to be used by the load balancing algorithm for all Link Aggregation Groups.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: link-aggregation hashmode <P-1>

Parameter Value Meaning
P-1 src-mac Source MAC, VLAN, EtherType, and incoming port associated with the packet.
dst-mac Destination MAC, VLAN, EtherType, and incoming port associated with the packet.
src-dst-mac Source/Destination MAC, VLAN, EtherType, and incoming port associated with the packet.
src-ip Source IP and Source TCP/UDP fields of the packet.
dst-ip Destination IP and Destination TCP/UDP Port fields of the packet.
src-dst-ip Source/Destination IP and source/destination TCP/UDP Port fields of the packet.

23.2 lacp

Configure LACP parameters.

23.2.1 lacp admin-key


Configure the administrative value of the key on this LAG.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp admin-key <P-1>
Parameter Value Meaning
P-1 0..65535 Enter a number between 0 and 65535

23.2.2 lacp collector-max-delay


Configure the collector max delay on this LAG (default is 0).
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp collector-max-delay <P-1>
Parameter Value Meaning
P-1 0..65535 Enter a number between 0 and 65535

23.2.3 lacp lacpmode


Activate/deactivate LACP on an interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp lacpmode

 no lacp lacpmode
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lacp lacpmode

23.2.4 lacp actor admin key


Configure the value of the LACP actor admin key on this port (default 0).
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp actor admin key <P-1>
Parameter Value Meaning
P-1 0..65535 Enter a number between 0 and 65535

23.2.5 lacp actor admin state lacp-activity


Enable/disable the LACP activity on the actor admin state.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp actor admin state lacp-activity

 no lacp actor admin state lacp-activity


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lacp actor admin state lacp-activity

23.2.6 lacp actor admin state lacp-timeout


Enable/disable the LACP timeout on the actor admin state.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp actor admin state lacp-timeout

 no lacp actor admin state lacp-timeout


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lacp actor admin state lacp-timeout

23.2.7 lacp actor admin state aggregation


Enable/disable the aggregation on the actor admin state.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp actor admin state aggregation

 no lacp actor admin state aggregation


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lacp actor admin state aggregation

23.2.8 lacp actor admin port priority


Set LACP actor port priority value (default 128).
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp actor admin port priority <P-1>
Parameter Value Meaning
P-1 0..65535 Enter a number between 0 and 65535

23.2.9 lacp partner admin key


Configure the administrative value of the LACP key for the protocol partner on this LAG (default 0).
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp partner admin key <P-1>
Parameter Value Meaning
P-1 0..65535 Enter a number between 0 and 65535

23.2.10 lacp partner admin state lacp-activity


Enable/disable the LACP activity on the partner admin state.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp partner admin state lacp-activity

 no lacp partner admin state lacp-activity


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lacp partner admin state lacp-activity

23.2.11 lacp partner admin state lacp-timeout


Enable/disable the LACP timeout on the partner admin state.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp partner admin state lacp-timeout

 no lacp partner admin state lacp-timeout


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lacp partner admin state lacp-timeout

23.2.12 lacp partner admin state aggregation


Enable/disable the state aggregation on the partner admin state.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp partner admin state aggregation

 no lacp partner admin state aggregation


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lacp partner admin state aggregation

23.2.13 lacp partner admin port priority


Set LACP partner port priority value (default 128).
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp partner admin port priority <P-1>
Parameter Value Meaning
P-1 0..65535 Enter a number between 0 and 65535

23.2.14 lacp partner admin port id


Set LACP partner port value (default 0).
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp partner admin port id <P-1>
Parameter Value Meaning
P-1 0..65535 Enter a number between 0 and 65535

23.2.15 lacp partner admin system-priority


Configure the partner system priority.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp partner admin system-priority <P-1>
Parameter Value Meaning
P-1 0..65535 Enter a number between 0 and 65535

23.2.16 lacp partner admin system-id


Configure the MAC address representing the administrative value of the LAG port's protocol partner
system ID (default 00:00:00:00:00:00).
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lacp partner admin system-id <P-1>
Parameter Value Meaning
P-1 aa:bb:cc:dd:ee:ff MAC address.

23.3 show

Display device options and settings.

23.3.1 show link-aggregation port


Show LAG configuration of a single port.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show link-aggregation port [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

23.3.2 show link-aggregation statistics


Show ports LAG statistics.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show link-aggregation statistics [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

23.3.3 show link-aggregation members


Show the member ports for specified LAG.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show link-aggregation members <P-1>
Parameter Value Meaning
P-1 slot no./port no.

23.3.4 show lacp interface


Show LAG interface attributes.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show lacp interface [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

23.3.5 show lacp mode


Show LACP mode.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show lacp mode [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

23.3.6 show lacp actor


Show Link Aggregation Control protocol actor attributes.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show lacp actor [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

23.3.7 show lacp partner operational


Show Operational partner attributes.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show lacp partner operational [<P-1>]

Parameter Value Meaning
P-1 slot no./port no.

23.3.8 show lacp partner admin


Show administrative partner attributes.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show lacp partner admin [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

24 Ethernet IP

24.1 ethernet-ip

Enable or disable the EtherNet/IP operation on this device. If disabled, the EtherNet/IP protocol is
deactivated, but the EtherNet/IP MIBs can be accessed.

24.1.1 ethernet-ip operation


Enable or disable the EtherNet-IP(TM) operation on this device. If disabled, the EtherNet/IP protocol is
deactivated, but the EtherNet/IP MIBs can be accessed.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ethernet-ip operation

 no ethernet-ip operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ethernet-ip operation

24.1.2 ethernet-ip write-access


Enable or disable the write-access of the EtherNet/IP protocol. Possible security risk, as EtherNet/IP
communication is not authenticated.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ethernet-ip write-access

 no ethernet-ip write-access
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ethernet-ip write-access

24.2 show

Display device options and settings.

24.2.1 show ethernet-ip


Show the Ethernet-ip settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ethernet-ip

24.3 copy

Copy different kinds of items.

24.3.1 copy eds-ethernet-ip system remote


Copy the EDS file from the device to a file server.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy eds-ethernet-ip system remote <P-1>
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 128 characters.

24.3.2 copy eds-ethernet-ip system envm


Copy the EDS file from the device to external non-volatile memory.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy eds-ethernet-ip system envm

25 Filtering Database (FDB)

25.1 mac-filter

25.1.1 mac-filter
Static MAC filter configuration.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mac-filter <P-1> <P-2>
Parameter Value Meaning
P-1 aa:bb:cc:dd:ee:ff MAC address.
P-2 1..4042 Enter the VLAN ID.

 no mac-filter
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no mac-filter <P-1> <P-2>

25.2 bridge

Bridge configuration.

25.2.1 bridge aging-time


Aging time configuration.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: bridge aging-time <P-1>
Parameter Value Meaning
P-1 10..500000 Enter a number in the given range.

25.3 show

Display device options and settings.

25.3.1 show mac-filter-table static


Displays the MAC address filter table.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mac-filter-table static

25.4 show

Display device options and settings.

25.4.1 show bridge aging-time


Address aging time.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show bridge aging-time

25.5 show

Display device options and settings.

25.5.1 show mac-addr-table


Displays the MAC address table.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mac-addr-table [<P-1>]
Parameter  Value        Meaning
P-1        a:b:c:d:e:f  Enter a MAC address.
           1..4042      Enter a VLAN ID.

25.6 clear

Clear several items.

25.6.1 clear mac-addr-table


Clears the MAC address table.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear mac-addr-table

26 GARP VLAN and Multicast Registration Protocol (GVRP and GMRP)

26.1 garp

Configure GARP protocols, GVRP for dynamic VLAN registration and GMRP for dynamic MAC
registration.

26.1.1 garp gvrp operation


Enable or disable GVRP globally. When enabled, the device distributes VLAN membership information
on active ports that have GVRP enabled. GVRP-aware devices use the information to dynamically create
VLAN members and update the local VLAN member database.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: garp gvrp operation

 no garp gvrp operation


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no garp gvrp operation

26.1.2 garp gmrp operation


Enable or disable GMRP globally. Devices use GMRP information for dynamic registration of group
membership and individual MAC addresses with end devices and switches that support extended
filtering services, within the connected LAN.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: garp gmrp operation

 no garp gmrp operation


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no garp gmrp operation

26.1.3 garp gmrp forward-unknown


Configure whether unknown multicast packets are forwarded. The setting can be discard or flood.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: garp gmrp forward-unknown <P-1>
Parameter  Value    Meaning
P-1        flood    Unknown multicast frames will be flooded.
           discard  Unknown multicast frames will be discarded.

26.2 garp

Configure GARP parameters and protocols, GVRP for dynamic VLAN registration and GMRP for
dynamic MAC registration on a port.

26.2.1 garp interface join-time


Set the GARP join time-interval. The join timer controls the interval between join message transmissions
sent to applicant state machines. An instance of this timer is required on a per-Port, per-GARP
participant basis.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: garp interface join-time <P-1>
Parameter  Value    Meaning
P-1        10..100  Join time-interval in centi-seconds.

26.2.2 garp interface leave-time


Set the GARP leave time-interval. The leave timer controls the period of time that the registrar state
machine waits in the leave state before transitioning to the empty state. An instance of the timer is
required for each state machine in the leave state.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: garp interface leave-time <P-1>
Parameter  Value    Meaning
P-1        20..600  Leave time-interval in centi-seconds.

26.2.3 garp interface leave-all-time


Set the GARP leave-all time-interval. The leave all timer controls the frequency with which the leaveall
state machine generates leaveall PDUs. The timer is required on a per-Port, per-GARP Participant
basis.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: garp interface leave-all-time <P-1>
Parameter  Value      Meaning
P-1        200..6000  Leave-All time-interval in centi-seconds.

26.2.4 garp gvrp operation


Enable or disable GVRP on the port. When enabled, globally and on this port, the device distributes
VLAN membership information to GVRP aware devices connected to this port.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: garp gvrp operation

 no garp gvrp operation


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no garp gvrp operation

26.2.5 garp gmrp operation


Enable or disable GMRP on the interface. With GMRP enabled globally and on this interface, the device
sends and receives GMRP messages on this port.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: garp gmrp operation

 no garp gmrp operation


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no garp gmrp operation

26.2.6 garp gmrp forward-all-groups


Configure forward-all behavior for GMRP on the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: garp gmrp forward-all-groups

 no garp gmrp forward-all-groups


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no garp gmrp forward-all-groups

26.3 show

Display device options and settings.

26.3.1 show garp interface


Show the global configuration of GARP per interface.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show garp interface [<P-1>]
Parameter  Value              Meaning
P-1        slot no./port no.

26.3.2 show garp gvrp global


Display the GVRP global configuration.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show garp gvrp global

26.3.3 show garp gvrp interface


Display the GVRP interface configuration.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show garp gvrp interface [<P-1>]
Parameter  Value              Meaning
P-1        slot no./port no.

26.3.4 show garp gvrp statistics interface


Display the GVRP interface statistics.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show garp gvrp statistics interface [<P-1>]
Parameter  Value              Meaning
P-1        slot no./port no.

26.3.5 show garp gmrp global


Display the GMRP global configuration.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show garp gmrp global

26.3.6 show garp gmrp interface


Display the GMRP interface configuration.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show garp gmrp interface [<P-1>]
Parameter  Value              Meaning
P-1        slot no./port no.

26.3.7 show garp gmrp statistics interface


Display the GMRP interface statistics.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show garp gmrp statistics interface [<P-1>]
Parameter  Value              Meaning
P-1        slot no./port no.

26.4 show

Display device options and settings.

26.4.1 show mac-filter-table gmrp


Display GMRP entries in the MFDB table.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mac-filter-table gmrp

27 HiDiscovery

27.1 network

Configure the inband and outband connectivity.

27.1.1 network hidiscovery operation


Enable/disable the HiDiscovery protocol on this device.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: network hidiscovery operation <P-1>
Parameter  Value    Meaning
P-1        enable   Enable the HiDiscovery protocol.
           disable  Disable the HiDiscovery protocol.

 no network hidiscovery operation


Disable the option
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: no network hidiscovery operation <P-1>

27.1.2 network hidiscovery mode


Set the access level for HiDiscovery.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: network hidiscovery mode <P-1>
Parameter  Value       Meaning
P-1        read-write  Allow detection and configuration.
           read-only   Allow only detection, no configuration.

27.1.3 network hidiscovery blinking


Enable/disable the HiDiscovery blinking sequence on this device. This preference is not saved in
the configuration.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: network hidiscovery blinking

 no network hidiscovery blinking


Disable the option
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: no network hidiscovery blinking

27.1.4 network hidiscovery relay


Enable/disable the HiDiscovery relay status.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: network hidiscovery relay

 no network hidiscovery relay


Disable the option
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: no network hidiscovery relay

27.2 show

Display device options and settings.

27.2.1 show network hidiscovery


Show the HiDiscovery settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show network hidiscovery

28 HIPER-Ring

28.1 hiper-ring

Configure the HIPER Ring settings.

28.1.1 hiper-ring operation


Enable or disable the HIPER Ring operation.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: hiper-ring operation

 no hiper-ring operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no hiper-ring operation

28.1.2 hiper-ring mode


Configure the HIPER Ring mode.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: hiper-ring mode <P-1>
Parameter  Value   Meaning
P-1        client  The device will be in the role of a ring client (ring-switch).

28.1.3 hiper-ring primary-port


Configure the primary ring port.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: hiper-ring primary-port <P-1>
Parameter  Value              Meaning
P-1        slot no./port no.

28.1.4 hiper-ring secondary-port


Configure the secondary ring port.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: hiper-ring secondary-port <P-1>
Parameter  Value              Meaning
P-1        slot no./port no.

28.2 show

Display device options and settings.

28.2.1 show hiper-ring global


Display the HIPER Ring global information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show hiper-ring global

29 Hypertext Transfer Protocol (HTTP)

29.1 http

Set HTTP parameters.

29.1.1 http port


Set the HTTP port number.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: http port <P-1>
Parameter  Value     Meaning
P-1        1..65535  Port number of the HTTP server (default: 80).

29.1.2 http server


Enable or disable the HTTP server.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: http server

 no http server
Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no http server

29.2 show

Display device options and settings.

29.2.1 show http


Show HTTP server information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show http

30 HTTP Secure (HTTPS)

30.1 https

Set HTTPS parameters.

30.1.1 https server


Enable or disable the HTTPS server.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: https server

 no https server
Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no https server

30.1.2 https port


Set the HTTPS port number.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: https port <P-1>
Parameter  Value     Meaning
P-1        1..65535  Port number of the web server (default: 443).

30.1.3 https certificate


Generate/Delete HTTPS X509/PEM certificate.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: https certificate <P-1>
Parameter  Value     Meaning
P-1        generate  Generates the item
           delete    Deletes the item

30.2 copy

Copy different kinds of items.

30.2.1 copy httpscert remote


Copy X509/PEM certificate from a server to the specified destination.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: copy httpscert remote <P-1> nvm
nvm: Copy HTTPS certificate (PEM) from a server to the device.
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 128 characters.

30.2.2 copy httpscert envm


Copy X509/PEM certificate from external non-volatile memory to the specified destination.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: copy httpscert envm <P-1> nvm
nvm: Copy X509/PEM certificate from external non-volatile memory to the device.
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 128 characters.

30.3 show

Display device options and settings.

30.3.1 show https


Show HTTPS server information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show https

31 Integrated Authentication Server (IAS)

31.1 ias-users

Manage IAS Users and User Accounts.

31.1.1 ias-users add


Add a new IAS user.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ias-users add <P-1>
Parameter  Value   Meaning
P-1        string  <user> User name (up to 32 characters).

31.1.2 ias-users delete


Delete an existing IAS user.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ias-users delete <P-1>
Parameter  Value   Meaning
P-1        string  <user> User name (up to 32 characters).

31.1.3 ias-users enable


Enable IAS user.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ias-users enable <P-1>
Parameter  Value   Meaning
P-1        string  <user> User name (up to 32 characters).

31.1.4 ias-users disable


Disable IAS user.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ias-users disable <P-1>
Parameter  Value   Meaning
P-1        string  <user> User name (up to 32 characters).

31.1.5 ias-users password


Change IAS user password.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ias-users password <P-1> [<P-2>]
Parameter  Value   Meaning
P-1        string  <user> User name (up to 32 characters).
P-2        string  Enter a user-defined text, max. 64 characters.

31.2 show

Display device options and settings.

31.2.1 show ias-users


Display IAS users and user accounts information.
 Mode: Command is in all modes available.
 Privilege Level: Administrator
 Format: show ias-users

32 IEC 61850 MMS Server

32.1 iec61850-mms

Configure the IEC61850 MMS Server settings.

32.1.1 iec61850-mms operation


Enable or disable the IEC61850 MMS Server. The MMS server facilitates real-time distribution of data
and supervisory control functions for substations.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: iec61850-mms operation

 no iec61850-mms operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no iec61850-mms operation

32.1.2 iec61850-mms write-access


Enable or disable the Write-Access on IEC61850 bridge objects via MMS. Write services allow the MMS
client to access application content. Possible security risk: MMS communication is not
authenticated.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: iec61850-mms write-access

 no iec61850-mms write-access
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no iec61850-mms write-access

32.1.3 iec61850-mms port


Defines the port number of the IEC61850 MMS server (default: 102).
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: iec61850-mms port <P-1>
Parameter  Value     Meaning
P-1        1..65535  Port number of the IEC61850 MMS server (default: 102).

32.1.4 iec61850-mms max-sessions


Defines the maximum number of concurrent IEC61850 MMS sessions (default: 5).
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: iec61850-mms max-sessions <P-1>
Parameter  Value  Meaning
P-1        1..15  Maximum number of concurrent IEC61850 MMS sessions (default: 5).

32.1.5 iec61850-mms technical-key


Defines the IEC61850 MMS Technical Key (default: KEY).
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: iec61850-mms technical-key <P-1>
Parameter  Value   Meaning
P-1        string  Enter an IEC61850-7-2 Ed. VisibleString, max. 32 characters. The
                   following characters are allowed: VisibleString ( FROM
                   ('A'|'a'|'B'|'b'|'C'|'c'|'D'|'d'|'E'|'e'|'F'|'f'|
                   'G'|'g'|'H'|'h'|'I'|'i'|'J'|'j'|'K'|'k'|'L'|'l'|
                   'M'|'m'|'N'|'n'|'O'|'o'|'P'|'p'|'Q'|'q'|'R'|'r'|
                   'S'|'s'|'T'|'t'|'U'|'u'|'V'|'v'|'W'|'w'|'X'|'x'|
                   'Y'|'y'|'Z'|'z'|'_'|'0'|'1'|'2'|'3'|'4'|'5'|'6'|'7'|'8'|'9')
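
An added example, not part of the manual and not Hirschmann code: a Python audit that replays CLI lines written in the Format syntax of sections 27.1, 29.1, 30.1 and 32.1 and reports the management settings that widen access, including the unauthenticated MMS write access flagged in 32.1.2. The sample lines, severity labels and function names are assumptions of this example, and no device defaults are assumed: only explicitly configured lines count.

```python
# Added example (not Hirschmann code): audit CLI lines for risky management settings.
# Input lines follow the "Format:" syntax of this reference; the samples are constructed.

TOGGLES = {  # "<cmd>" switches the option on, "no <cmd>" switches it off
    "http server": "http_server",
    "https server": "https_server",
    "iec61850-mms operation": "mms_operation",
    "iec61850-mms write-access": "mms_write_access",
}
HIDISCOVERY = ["network", "hidiscovery"]


def parse_state(lines):
    """Return the last explicitly configured value per setting; None means 'not seen'."""
    state = dict.fromkeys(TOGGLES.values())
    state.update(hidiscovery_operation=None, hidiscovery_mode=None)
    for raw in lines:
        words = raw.split()
        if not words:
            continue
        negated = words[0] == "no"
        if negated:
            words = words[1:]
        cmd = " ".join(words)
        if cmd in TOGGLES:
            state[TOGGLES[cmd]] = not negated
        elif words[:2] == HIDISCOVERY and words[2:3] == ["operation"]:
            if negated:  # "no network hidiscovery operation <P-1>" always disables
                state["hidiscovery_operation"] = False
            elif words[3:] in (["enable"], ["disable"]):
                state["hidiscovery_operation"] = words[3] == "enable"
        elif words[:2] == HIDISCOVERY and words[2:3] == ["mode"] and not negated:
            if words[3:] in (["read-write"], ["read-only"]):
                state["hidiscovery_mode"] = words[3]
    return state


def audit(lines):
    """Return (severity, setting, reason, fixes) tuples; severities are this example's ranking."""
    s = parse_state(lines)
    findings = []
    # A dependency that was never set (None) is treated as possibly on:
    # only an explicit "no ..." line clears it.
    if s["mms_write_access"] and s["mms_operation"] is not False:
        findings.append(("high", "iec61850-mms write-access",
                         "flagged in the manual: MMS communication is not authenticated",
                         ["no iec61850-mms write-access"]))
    if s["hidiscovery_mode"] == "read-write" and s["hidiscovery_operation"] is not False:
        findings.append(("medium", "network hidiscovery mode",
                         "read-write allows configuration as well as detection",
                         ["network hidiscovery mode read-only"]))
    if s["http_server"]:
        # Keep a management path open: enable HTTPS first unless it is known to be on.
        fixes = ["no http server"] if s["https_server"] else ["https server", "no http server"]
        findings.append(("medium", "http server",
                         "HTTP carries the management session unencrypted", fixes))
    return findings


def remediation(lines):
    """CLI lines that clear every finding, in finding order."""
    return [cmd for *_rest, fixes in audit(lines) for cmd in fixes]


SAMPLE_RISKY = [  # constructed input, not captured from a device
    "http server",
    "network hidiscovery operation enable",
    "network hidiscovery mode read-write",
    "iec61850-mms operation",
    "iec61850-mms write-access",
]

if __name__ == "__main__":
    for severity, setting, reason, fixes in audit(SAMPLE_RISKY):
        print(f"[{severity}] {setting}: {reason} -> {'; '.join(fixes)}")
```

The commands sit in different CLI modes (Global Config Mode and Privileged Exec Mode), so apply the suggested lines in the mode listed for each command.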

32.2 show

Display device options and settings.

32.2.1 show iec61850-mms


Show the IEC61850 MMS Server settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show iec61850-mms

33 Internet Group Management Protocol (IGMP)

33.1 ip

Set IP parameters.

33.1.1 ip igmp operation


Enable or disable IGMP globally on the device.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip igmp operation

 no ip igmp operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ip igmp operation

33.2 ip

IP interface commands.

33.2.1 ip igmp operation


Enables or disables IGMP on the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip igmp operation

 no ip igmp operation
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no ip igmp operation

33.2.2 ip igmp version


Configure IGMP version.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip igmp version <P-1>
Parameter  Value  Meaning
P-1        1..3   Enter igmp version (default: 3).

33.2.3 ip igmp robustness


Configure IGMP router robustness.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip igmp robustness <P-1>
Parameter  Value   Meaning
P-1        1..255  Enter igmp query robustness (default: 2).

33.2.4 ip igmp querier query-interval


Configure IGMP query interval in seconds.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip igmp querier query-interval <P-1>
Parameter  Value    Meaning
P-1        1..3600  Enter igmp query interval (default: 125).

33.2.5 ip igmp querier last-member-interval


Configure last member query interval in tenths of seconds.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip igmp querier last-member-interval <P-1>
Parameter  Value   Meaning
P-1        1..255  Enter igmp last member query interval (default: 10).

33.2.6 ip igmp querier max-response-time


Configure maximum response time in tenths of seconds.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip igmp querier max-response-time <P-1>

Parameter  Value   Meaning
P-1        1..255  Enter igmp query maximum response time (default: 100).

33.3 show

Display device options and settings.

33.3.1 show ip igmp global


Display IGMP global configuration.
 Mode: Command is in all modes available.
 Privilege Level: Operator
 Format: show ip igmp global

33.3.2 show ip igmp interface


Display IGMP interface information.
 Mode: Command is in all modes available.
 Privilege Level: Operator
 Format: show ip igmp interface [<P-1>]
Parameter  Value              Meaning
P-1        slot no./port no.

33.3.3 show ip igmp membership


Display interfaces subscribed to the multicast group.
 Mode: Command is in all modes available.
 Privilege Level: Operator
 Format: show ip igmp membership

33.3.4 show ip igmp groups


Display the subscribed multicast groups.
 Mode: Command is in all modes available.
 Privilege Level: Operator
 Format: show ip igmp groups

33.3.5 show ip igmp statistics


Display IGMP statistical information.
 Mode: Command is in all modes available.
 Privilege Level: Operator
 Format: show ip igmp statistics [<P-1>]
Parameter  Value              Meaning
P-1        slot no./port no.

34 IGMP Proxy

34.1 ip

Set IP parameters.

34.1.1 ip igmp-proxy interface


This command enables/disables IGMP Proxy on the router and configures the host interface.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip igmp-proxy interface <P-1>
Parameter  Value              Meaning
P-1        slot no./port no.

 no ip igmp-proxy interface
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ip igmp-proxy interface <P-1>

34.1.2 ip igmp-proxy report-interval


Sets the unsolicited report interval in seconds.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip igmp-proxy report-interval <P-1>
Parameter  Value   Meaning
P-1        1..260  Enter a number in the given range.

34.2 show

Display device options and settings.

34.2.1 show ip igmp-proxy global


Displays a summary of the host interface status parameters.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip igmp-proxy global

34.2.2 show ip igmp-proxy groups


Displays information about the subscribed multicast groups that IGMP Proxy reported.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip igmp-proxy groups

34.2.3 show ip igmp-proxy source-list


Displays the source-list of each subscribed multicast group that IGMP Proxy reported.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip igmp-proxy source-list

35 IGMP Snooping

35.1 igmp-snooping

Configure IGMP snooping.

35.1.1 igmp-snooping mode


Enable or disable IGMP snooping.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: igmp-snooping mode

 no igmp-snooping mode
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no igmp-snooping mode

35.1.2 igmp-snooping querier mode


Enable or disable IGMP snooping querier on the system.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: igmp-snooping querier mode

 no igmp-snooping querier mode


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no igmp-snooping querier mode

35.1.3 igmp-snooping querier query-interval


Sets the IGMP querier query interval time (1-1800) in seconds.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: igmp-snooping querier query-interval <P-1>
Parameter  Value    Meaning
P-1        1..1800  Enter a number in the given range.

35.1.4 igmp-snooping querier timer-expiry


Sets the IGMP querier timer expiration period (60-300) in seconds.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: igmp-snooping querier timer-expiry <P-1>
Parameter  Value    Meaning
P-1        60..300  Enter a number in the given range.

35.1.5 igmp-snooping querier version


Sets the IGMP version (1-3) of the query.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: igmp-snooping querier version <P-1>
Parameter  Value  Meaning
P-1        1..3   IGMP snooping querier's protocol version (1 to 3, default: 2).

35.1.6 igmp-snooping forward-unknown


Configure if and how unknown multicasts are forwarded. The setting can be discard, flood or
query-ports. The default is flood.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: igmp-snooping forward-unknown <P-1>
Parameter  Value        Meaning
P-1        discard      Unknown multicast frames will be discarded.
           flood        Unknown multicast frames will be flooded.
           query-ports  Unknown multicast frames will be forwarded only to query ports.

35.2 igmp-snooping

Configure IGMP snooping.

35.2.1 igmp-snooping vlan-id


Configure the VLAN parameters.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: igmp-snooping vlan-id <P-1> mode fast-leave groupmembership-interval
<P-2> maxresponse <P-3> mcrtrexpiretime <P-4> querier mode address <P-5>
forward-known <P-6> forward-all <P-7> static-query-port <P-8> automatic-mode <P-9>
mode: Enable or disable IGMP snooping per VLAN.
fast-leave: Enable or disable IGMP snooping fast-leave per VLAN.
groupmembership-interval: Set IGMP group membership interval time (2-3600) in seconds per VLAN.
maxresponse: Set the igmp maximum response time (1-25) in seconds per VLAN.
mcrtrexpiretime: Sets the multicast router present expiration time (0-3600) in seconds per VLAN.
querier: Set IGMP snooping querier on the system.
mode: Enable or disable IGMP snooping querier per VLAN.
address: Set IGMP snooping querier address on the system using a VLAN.
forward-known: Sets the mode how known multicast packets will be treated. The default value is
registered-ports-only(2).
forward-all: Enable or disable IGMP snooping forward-all.
static-query-port: Enable or disable IGMP snooping static-query-port.
automatic-mode: Enable or disable IGMP snooping automatic-mode.
Parameter  Value                       Meaning
P-1        1..4042                     Enter the VLAN ID.
P-2        2..3600                     Enter a number in the given range.
P-3        1..25                       Enter a number in the given range.
P-4        0..3600                     Enter a number in the given range.
P-5        a.b.c.d                     IP address.
P-6        query-and-registered-ports  Addition of query ports to multicast filter portmasks.
           registered-ports-only       No addition of query ports to multicast filter portmasks.
P-7        slot no./port no.
P-8        slot no./port no.
P-9        slot no./port no.

 no igmp-snooping vlan-id
Disable the option
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: no igmp-snooping vlan-id <P-1> mode fast-leave groupmembership-interval
maxresponse mcrtrexpiretime querier mode address forward-known
forward-all <P-7> static-query-port <P-8> automatic-mode <P-9>

35.3 igmp-snooping

Configure IGMP snooping.

35.3.1 igmp-snooping mode


Enable or disable IGMP snooping per interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: igmp-snooping mode

 no igmp-snooping mode
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no igmp-snooping mode

35.3.2 igmp-snooping fast-leave


Enable or disable IGMP snooping fast-leave per interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: igmp-snooping fast-leave

 no igmp-snooping fast-leave
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no igmp-snooping fast-leave

35.3.3 igmp-snooping groupmembership-interval


Set IGMP group membership interval time (2-3600) in seconds per interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: igmp-snooping groupmembership-interval <P-1>
Parameter  Value    Meaning
P-1        2..3600  Enter a number in the given range.

35.3.4 igmp-snooping maxresponse


Set the igmp maximum response time (1-25) in seconds per interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: igmp-snooping maxresponse <P-1>
Parameter  Value  Meaning
P-1        1..25  Enter a number in the given range.

35.3.5 igmp-snooping mcrtrexpiretime


Sets the multicast router present expiration time (0-3600) in seconds per interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: igmp-snooping mcrtrexpiretime <P-1>
Parameter  Value    Meaning
P-1        0..3600  Enter a number in the given range.

35.3.6 igmp-snooping static-query-port


Configures the interface as a static query interface in all VLANs.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: igmp-snooping static-query-port

 no igmp-snooping static-query-port
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no igmp-snooping static-query-port

35.4 show

Display device options and settings.

35.4.1 show igmp-snooping global


Show IGMP snooping global information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show igmp-snooping global

35.4.2 show igmp-snooping interface


Show IGMP snooping interface information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show igmp-snooping interface [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

35.4.3 show igmp-snooping vlan


Show IGMP snooping VLAN information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show igmp-snooping vlan [<P-1>]
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.

35.4.4 show igmp-snooping querier global


Show IGMP snooping querier information per VLAN.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show igmp-snooping querier global

35.4.5 show igmp-snooping querier vlan


Show IGMP snooping querier VLAN information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show igmp-snooping querier vlan [<P-1>]
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.

35.4.6 show igmp-snooping enhancements vlan


Show IGMP snooping VLAN information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show igmp-snooping enhancements vlan [<P-1>]
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.

35.4.7 show igmp-snooping enhancements unknown-filtering

Show unknown multicast filtering information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show igmp-snooping enhancements unknown-filtering

35.4.8 show igmp-snooping statistics global


Show number of control packets processed by CPU.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show igmp-snooping statistics global

35.4.9 show igmp-snooping statistics interface


Show number of control packets processed by CPU per interface.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show igmp-snooping statistics interface [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

35.5 show

Display device options and settings.

35.5.1 show mac-filter-table igmp-snooping


Display IGMP snooping entries in the MFDB table.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mac-filter-table igmp-snooping

35.6 clear

Clear several items.

35.6.1 clear igmp-snooping


Clear all IGMP snooping entries.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear igmp-snooping

36 Interface

36.1 shutdown

36.1.1 shutdown
Enable or disable the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: shutdown

 no shutdown
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no shutdown

36.2 auto-negotiate

36.2.1 auto-negotiate
Enable or disable automatic negotiation on the interface. The cable crossing settings have no effect if
auto-negotiation is enabled. In this case cable crossing is always set to auto. Cable crossing is set to
the value chosen by the user if auto-negotiation is disabled.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: auto-negotiate

 no auto-negotiate
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no auto-negotiate

36.3 auto-power-down

36.3.1 auto-power-down
Set the auto-power-down mode on the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: auto-power-down <P-1>
Parameter Value Meaning
P-1 auto-power-save The port goes into a low power mode.
no-power-save The port does not use the automatic power save mode.

36.4 cable-crossing

36.4.1 cable-crossing
Cable crossing settings on the interface. The cable crossing settings have no effect if auto-negotiation
is enabled. In this case cable crossing is always set to auto. Cable crossing is set to the value chosen
by the user if auto-negotiation is disabled.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: cable-crossing <P-1>
Parameter Value Meaning
P-1 mdi The port does not use the crossover mode.
mdix The port uses the crossover mode.
auto-mdix The port uses the auto crossover mode.

36.5 linktraps

36.5.1 linktraps
Enable/disable link up/down traps on the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: linktraps

 no linktraps
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no linktraps

36.6 link-loss-alert

Configure Link Loss Alert on the interface.

36.6.1 link-loss-alert operation


Enable or disable Link Loss Alert on the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: link-loss-alert operation

 no link-loss-alert operation
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no link-loss-alert operation

36.7 speed

36.7.1 speed
Sets the speed and duplex setting for the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: speed <P-1> [<P-2>]
Parameter Value Meaning
P-1 10 10 MBit/s.
100 100 MBit/s.
1000 1000 MBit/s.
P-2 full full duplex.
half half duplex.

36.8 name

36.8.1 name
Set or remove a descriptive name for the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: name <P-1>
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 64 characters.

36.9 power-state

36.9.1 power-state
Enable or disable the power state on the interface. The interface power state settings have no effect if
the interface admin state is enabled.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: power-state

 no power-state
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no power-state

36.10 mac-filter

36.10.1 mac-filter
Static MAC filter configuration.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: mac-filter <P-1> <P-2>
Parameter Value Meaning
P-1 aa:bb:cc:dd:ee:ff MAC address.
P-2 1..4042 Enter the VLAN ID.

 no mac-filter
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no mac-filter <P-1> <P-2>

36.11 led-signaling

Enable or disable Port LED signaling.

36.11.1 led-signaling operation


Enable or disable Port LED signaling.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: led-signaling operation

 no led-signaling operation
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no led-signaling operation

36.12 show

Display device options and settings.

36.12.1 show port


Show interface parameters.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show port [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

36.13 show

Display device options and settings.

36.13.1 show link-loss-alert


Show link-loss-alert parameters.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show link-loss-alert [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

36.14 show

Display device options and settings.

36.14.1 show led-signaling operation


Show Port LED signaling operation.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show led-signaling operation

37 Interface Statistics

37.1 utilization

Configure the interface utilization parameters.

37.1.1 utilization control-interval


Add interval time to monitor the bandwidth utilization of the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: utilization control-interval <P-1>
Parameter Value Meaning
P-1 1..3600 Add interval time to monitor the bandwidth utilization.

37.1.2 utilization alarm-threshold lower


Lower threshold value
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: utilization alarm-threshold lower <P-1>
Parameter Value Meaning
P-1 0..10000 Add alarm threshold lower value for monitoring bandwidth utilization in hundredths of a percent.

37.1.3 utilization alarm-threshold upper


Upper threshold value
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: utilization alarm-threshold upper <P-1>

Parameter Value Meaning
P-1 0..10000 Add alarm threshold upper value for monitoring bandwidth utilization in hundredths of a percent.

37.2 clear

Clear several items.

37.2.1 clear port-statistics


Clear all statistics counters.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear port-statistics

37.3 show

Display device options and settings.

37.3.1 show interface counters


Show a table with interface counters.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show interface counters

37.3.2 show interface layout


Show interface layout of the device.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show interface layout

37.3.3 show interface utilization


Show interface utilization.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show interface utilization [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

37.3.4 show interface statistics


Show summary interface statistics.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show interface statistics [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

37.3.5 show interface ether-stats


Show detailed interface statistics.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show interface ether-stats [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

38 Intern

38.1 help

Display help for various special keys.


 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: help

38.2 logout

Exit this session.


 Mode: Command is in all modes available.
 Privilege Level: any
 Format: logout

38.3 history

Show a list of previously run commands.


 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: history

38.4 vlan-mode

38.4.1 vlan-mode
Enter VLAN Configuration Mode.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: vlan-mode <P-1>
Parameter Value Meaning
P-1 all Select all configured VLANs.
vlan Enter a single VLAN.
vlan range Enter a VLAN range separated by a hyphen, e.g. 1-4.
vlan list Enter a VLAN list separated by commas, e.g. 2,4,6,... .
complex range Enter VLAN ranges and several VLANs, separated by commas for a list and hyphens for ranges, e.g. 2-4,6-9,11.

38.5 exit

Exit from vlan mode.


 Mode: VLAN Mode
 Privilege Level: Operator
 Format: exit

38.6 end

Exit to exec mode.


 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: end

38.7 serviceshell

Enter system mode.

38.7.1 serviceshell deactivate


Disable the service shell access permanently (Cannot be undone).
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: serviceshell deactivate

38.8 serviceshell-f

Enter system mode.

38.8.1 serviceshell-f deactivate


Disable the service shell access permanently (Cannot be undone).
 Mode: Factory Mode
 Privilege Level: Administrator
 Format: serviceshell-f deactivate

38.9 traceroute

Trace route to a specified host.

38.9.1 traceroute maxttl


Set max TTL value.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: traceroute <P-1> maxttl <P-2> [initttl <P-3>] [interval <P-4>] [count
<P-5>] [maxFail <P-6>] [size <P-7>] [port <P-8>]
[initttl]: Initial TTL value.
[interval]: Timeout until probe failure.
[count]: Number of probes for each TTL.
[maxFail]: Maximum number of consecutive probes that can fail.
[size]: Size of payload in bytes.
[port]: UDP destination port.
Parameter Value Meaning
P-1 string Hostname or IP address.
P-2 1..255 Enter a number in the given range.
P-3 0..255 Enter a number in the given range.
P-4 1..60 Enter a number in the given range.
P-5 1..10 Enter a number in the given range.
P-6 0..255 Enter a number in the given range.
P-7 0..65507 Enter a number in the given range.
P-8 1..65535 Enter port number between 1 and 65535

38.10 traceroute

Trace route to a specified host.

38.10.1 traceroute source


Source address for traceroute command.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: traceroute <P-1> source <P-2>
Parameter Value Meaning
P-1 string Hostname or IP address.
P-2 A.B.C.D IP address.

38.11 reboot

Reset the device (cold start).

38.11.1 reboot after


Schedule reboot after specified time.
 Mode: All Privileged Modes
 Privilege Level: any
 Format: reboot after <P-1>
Parameter Value Meaning
P-1 0..2147483 Enter seconds between 0 and 2147483. Setting 0 clears a scheduled reboot, if configured.

38.12 ping

38.12.1 ping
Send ICMP echo packets to a specified IP address.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: ping <P-1>
Parameter Value Meaning
P-1 string Hostname or IP address.

38.13 ping

Send ICMP echo packets to a specified host or IP address.

38.13.1 ping source


Source address for ping command.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: ping <P-1> source <P-2>
Parameter Value Meaning
P-1 string Hostname or IP address.
P-2 A.B.C.D IP address.

38.14 show

Display device options and settings.

38.14.1 show reboot


Display the configured reboot in seconds.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show reboot

38.14.2 show serviceshell


Display the service shell access.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show serviceshell

39 Open Shortest Path First (OSPF)

39.1 ip

Set IP parameters.

39.1.1 ip ospf area


Configure the OSPF router area. A router area is a sub-division of an OSPF autonomous system and
you identify an area by an area-id. OSPF networks, routers, and links that have the same area-id form
a logical set.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf area <P-1> range add <P-2> <P-3> <P-4> modify <P-5> <P-6>
<P-7> <P-8> delete <P-9> <P-10> <P-11> add delete stub add <P-12> modify
<P-13> summarylsa <P-14> default-cost <P-15> delete <P-16> virtual-link add
<P-17> delete <P-18> modify <P-19> authentication type <P-20> key <P-21>
key-id <P-22> hello-interval <P-23> dead-interval <P-24> transmit-delay
<P-25> retransmit-interval <P-26> nssa add <P-27> delete <P-28> modify
translator role <P-29> stability-interval <P-30> summary no-redistribute
default-info originate [metric <P-31>] [metric-type <P-32>]
range: Configure the range for the area. You summarize the networks within this range into a single
routing domain.
add: Create a router area.
modify: Modify the parameters of a router area.
delete: Delete a specific router area.
add: Create a new area.
delete: Delete an existing area.
stub: Configure the preferences for a stub area. You shield stub areas from external route
advertisements, but the area receives advertisements from networks that belong to other areas of the
same autonomous system.
add: Create a stub area. The command also allows you to convert an existing area to a stub area.
modify: Modify the stub area parameters.
summarylsa: Configure the summary LSA mode for a stub area. When enabled, the router both
summarizes and propagates summary LSAs.
default-cost: Set the default cost for the stub area.
delete: Remove a stub area. After removal, the area receives external route advertisements.
virtual-link: Configure a virtual link. You use the virtual link to connect the router to the backbone
area (0.0.0.0) through a non-backbone area or to connect two parts of a partitioned backbone area
(0.0.0.0) through a non-backbone area.
add: Add a virtual neighbor.
delete: Delete a virtual neighbor.
modify: Modify the parameters of a virtual neighbor.
authentication: Configure the authentication type. The device authenticates the OSPF protocol
exchanges in the OSPF packet header which includes an authentication type field.
type: Configure the authentication type. Authentication types are 0 for null authentication, 1 for simple
password authentication, and 2 for cryptographic authentication.
key: Configure the authentication key.

key-id: Configure the authentication key-id for md5 authentication. This field identifies the algorithm
and secret key used to create the message digest appended to the OSPF packet.
hello-interval: Configure the OSPF hello-interval for the virtual link, in seconds. The hello timer
controls the time interval between sending two consecutive hello packets. Set this value to the same
hello-interval value of the virtual neighbors.
dead-interval: Configure the OSPF dead-interval for the virtual link, in seconds. If the timer expires
without the router receiving hello packets from a virtual neighbor, the router declares the neighbor router
as down. Set the timer to at least four times the value of the hello-interval.
transmit-delay: Configure the OSPF transmit-delay for the virtual link, in seconds. Transmit delay
is the time that you estimate it takes to transmit a link-state update packet over the virtual link.
retransmit-interval: Configure the OSPF retransmit-interval for the virtual link, in seconds. The
retransmit interval is the time between two consecutive link-state advertisement transmissions.
Link-state advertisements contain such information as database descriptions and link-state request packets
for adjacencies belonging to virtual link.
nssa: Configure an NSSA (Not-So-Stubby Area).
add: Add an NSSA.
delete: Delete an NSSA.
modify: Modify the parameters of an NSSA.
translator: Configure the NSSA translator related parameters.
role: Configure the NSSA translator role.
stability-interval: Configure the translator stability interval for the NSSA, in seconds.
summary: Configure the import summary for the specified NSSA.
no-redistribute: Configure route redistribution for the specified NSSA.
default-info: Configure the nssa default information origination parameters.
originate: Configure whether a Type-7 LSA is originated into the NSSA.
[metric]: Configure the metric for the NSSA.
[metric-type]: Configure the metric type for default information.
Parameter Value Meaning
P-1 A.B.C.D IP address.
P-2 summary-link Configure summary links LSDB type optional mode.
nssa-external-link Configure nssa external link LSDB type optional mode.
P-3 A.B.C.D IP address.
P-4 a.b.c.d IP subnet mask.
P-5 summary-link Configure summary links LSDB type optional mode.
nssa-external-link Configure nssa external link LSDB type optional mode.
P-6 A.B.C.D IP address.
P-7 a.b.c.d IP subnet mask.
P-8 advertise Set as advertise.
do-not-advertise Set as do-not-advertise.
P-9 summary-link Configure summary links LSDB type optional mode.
nssa-external-link Configure nssa external link LSDB type optional mode.
P-10 A.B.C.D IP address.
P-11 a.b.c.d IP subnet mask.
P-12 0 Configure the TOS (0 is for Normal Service).
P-13 0 Configure the TOS (0 is for Normal Service).
P-14 no-area-summary Disable the router from sending area link state advertisement summaries.
send-area-summary Enable the router to send area link state advertisement summaries. The router floods LSAs within the area using multicast. Every topology change starts a new flood of LSAs.
P-15 0..16777215 Configure the default cost.
P-16 0 Configure the TOS (0 is for Normal Service).
P-17 A.B.C.D IP address.
P-18 A.B.C.D IP address.
P-19 A.B.C.D IP address.

P-20 none Configure the authentication type as none (key and key ID are not required).
simple Configure the authentication type as simple (key ID is not required).
md5 Configure the authentication type as md5 for the interface.
P-21 string <key> Configure the authentication key.
P-22 0..255 Enter a number in the given range.
P-23 1..65535 Enter a number between 1 and 65535
P-24 1..65535 Enter a number between 1 and 65535
P-25 0..3600 Enter a number in the given range.
P-26 0..3600 Enter a number in the given range.
P-27 import-nssa Configure the area as NSSA only.
P-28 import-external Change the area to support external LSAs also.
P-29 always Configure the NSSA translator role as always. When used as a border router, the router translates LSAs regardless of the translator states of the other NSSA border routers.
candidate Configure the NSSA translator role as a candidate. When used as a border router, the router participates in the translator election process. The router maintains a list of reachable NSSA border routers.
P-30 0..65535 Enter a number between 0 and 65535
P-31 1..16777214 Configure the metric value.
P-32 ospf-metric Set the metric type as ospf Metric.
comparable-cost Set the metric type as comparable cost.
non-comparable Set the metric type as non-comparable.

 no ip ospf area
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ip ospf area <P-1> range add modify delete add delete stub add
modify summarylsa default-cost delete virtual-link add delete modify
authentication type key key-id hello-interval dead-interval transmit-delay
retransmit-interval nssa add delete modify translator role
stability-interval summary no-redistribute default-info originate
[metric] [metric-type]
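
An added example, not part of the Hirschmann manual: a Python audit of virtual-link settings against what 39.1.1 states (authentication type none/simple/md5, key and key-id requirements, the value ranges of P-22 to P-26, and a dead-interval of at least four times the hello-interval). The sample lines are constructed, and the one-setting-per-line shape `ip ospf area <area> virtual-link modify <neighbor> ...` is an assumption about how the Format string above composes.

```python
import re
from collections import defaultdict

# Ranges copied from the 39.1.1 parameter table (P-22 .. P-26).
RANGES = {
    "key-id": (0, 255),
    "hello-interval": (1, 65535),
    "dead-interval": (1, 65535),
    "transmit-delay": (0, 3600),
    "retransmit-interval": (0, 3600),
}
AUTH_TYPES = ("none", "simple", "md5")  # values of P-20
KEYWORDS = set(RANGES) | {"type", "key"}

# ASSUMPTION: one setting per command line, in this shape.
LINE_RE = re.compile(r"^\s*ip ospf area (\S+) virtual-link modify (\S+)\s+(.+)$")

# Constructed sample input (documentation addresses, placeholder key).
SAMPLE = """\
ip ospf area 0.0.0.1 virtual-link modify 192.0.2.1 authentication type md5
ip ospf area 0.0.0.1 virtual-link modify 192.0.2.1 authentication key EXAMPLE-KEY
ip ospf area 0.0.0.1 virtual-link modify 192.0.2.1 authentication key-id 1
ip ospf area 0.0.0.1 virtual-link modify 192.0.2.1 hello-interval 10
ip ospf area 0.0.0.1 virtual-link modify 192.0.2.1 dead-interval 40
ip ospf area 0.0.0.2 virtual-link modify 192.0.2.2 authentication type simple
ip ospf area 0.0.0.2 virtual-link modify 192.0.2.2 hello-interval 10
ip ospf area 0.0.0.2 virtual-link modify 192.0.2.2 dead-interval 30
ip ospf area 0.0.0.3 virtual-link modify 192.0.2.3 key-id 300
""".splitlines()


def parse(lines):
    """Collect settings per (area, neighbor); the key itself is never stored."""
    links = defaultdict(dict)
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue
        area, neighbor, rest = match.groups()
        tokens = rest.split()
        settings = links[(area, neighbor)]
        i = 0
        while i < len(tokens):
            word = tokens[i]
            if word in KEYWORDS and i + 1 < len(tokens):
                # Record only that a key exists, not its value.
                settings[word] = True if word == "key" else tokens[i + 1]
                i += 2
            else:
                i += 1  # grouping keyword such as "authentication"
    return dict(links)


def audit(lines):
    """Return {(area, neighbor): [findings]}; an empty list means no finding."""
    report = {}
    for link, s in parse(lines).items():
        findings, numbers = [], {}
        for name, (low, high) in RANGES.items():
            if name not in s:
                continue
            try:
                numbers[name] = int(s[name])
            except ValueError:
                findings.append(f"{name}: '{s[name]}' is not a number")
                continue
            if not low <= numbers[name] <= high:
                findings.append(f"{name}: {numbers[name]} outside {low}..{high}")
        auth = s.get("type")
        if auth is None:
            findings.append("authentication type not set in the audited lines")
        elif auth not in AUTH_TYPES:
            findings.append(f"authentication type '{auth}' is not none, simple or md5")
        elif auth == "none":
            findings.append("authentication type none: OSPF packets are not authenticated")
        elif auth == "simple":
            findings.append("authentication type simple: password is sent in clear text")
            if "key" not in s:
                findings.append("simple authentication without a key")
        else:  # md5 needs both a key and a key-id
            missing = [k for k in ("key", "key-id") if k not in s]
            if missing:
                findings.append("md5 authentication without " + " and ".join(missing))
        hello, dead = numbers.get("hello-interval"), numbers.get("dead-interval")
        if hello is not None and dead is not None and dead < 4 * hello:
            findings.append(f"dead-interval {dead} is below 4 x hello-interval {hello}")
        report[link] = findings
    return report


if __name__ == "__main__":
    for (area, neighbor), findings in audit(SAMPLE).items():
        print(f"area {area} neighbor {neighbor}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```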

39.1.2 ip ospf trapflags all


Set all trapflags at once.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf trapflags all <P-1>
Parameter Value Meaning
P-1 [cr] Enable the Bit.

 no ip ospf trapflags all


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ip ospf trapflags all <P-1>

39.1.3 ip ospf operation


Enable or disable the OSPF admin mode. When enabled, the device initiates the OSPF process if the
OSPF function is active on at least one interface.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf operation

 no ip ospf operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ip ospf operation

39.1.4 ip ospf 1583compatability


Enable or disable the 1583compatibility for calculating routes external to the autonomous system. When
enabled, the router is compatible with the preference rules defined in RFC1583, section 16.4.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf 1583compatability

 no ip ospf 1583compatability
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ip ospf 1583compatability

39.1.5 ip ospf default-metric


Configure the default metric for re-distributed routes, when OSPF redistributes routes from other
protocols.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf default-metric <P-1>
Parameter Value Meaning
P-1 1..16777214 Configure the default metric for redistributed routes.

 no ip ospf default-metric
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ip ospf default-metric <P-1>

39.1.6 ip ospf router-id


Configure the router ID to uniquely identify this OSPF router in the autonomous system.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf router-id <P-1>
Parameter Value Meaning
P-1 A.B.C.D IP address.

39.1.7 ip ospf external-lsdb-limit


Configure the OSPF external LSDB limit, which is the maximum number of non-default AS-external-LSA
entries that the router stores in the link-state database. Setting the value to -1 disables
the limitation.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf external-lsdb-limit <P-1>
Parameter Value Meaning
P-1 -1..2147483647 Configure the external lsdb limit.

39.1.8 ip ospf exit-overflow


Configure the OSPF exit overflow interval, in seconds. After the timer expires the router will attempt to
leave the overflow-state. To disable the exit overflow interval function set the value to 0.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf exit-overflow <P-1>
Parameter Value Meaning
P-1 0..2147483647 Configure the exit overflow interval.

39.1.9 ip ospf spf-delay


Configure the SPF delay, in seconds. The Shortest Path First (SPF) delay is the time that the device
waits for the network to stabilize before calculating the shortest path tree, after a topology change.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf spf-delay <P-1>
Parameter Value Meaning
P-1 0..65535 Enter a number between 0 and 65535

39.1.10 ip ospf spf-holdtime


Configure the minimum time between two consecutive SPF calculations, in seconds.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf spf-holdtime <P-1>
Parameter Value Meaning
P-1 0..65535 Enter a number between 0 and 65535

39.1.11 ip ospf auto-cost


Set the auto cost reference bandwidth of the router interfaces for OSPF metric calculations. The default
reference bandwidth is 100 Mbps.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf auto-cost <P-1>
Parameter Value Meaning
P-1 1..4294967 Configure the auto cost for OSPF calculation.

39.1.12 ip ospf distance intra


Enter the preference type as intra. Use intra-area routing when the device routes packets solely within
an area, such as an internal router.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf distance intra <P-1>
Parameter Value Meaning
P-1 1..255 Enter the value.

39.1.13 ip ospf distance inter


Enter the preference type as inter. Use inter-area routing when the device routes packets into or out of
an area, such as an area border router.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf distance inter <P-1>
Parameter Value Meaning
P-1 1..255 Enter the value.

39.1.14 ip ospf distance external


Enter the preference type as external. Use external-area routing when the device routes packets into or
out of an autonomous system, such as an autonomous system boundary router (ASBR).
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf distance external <P-1>
Parameter Value Meaning
P-1 1..255 Enter the value.

39.1.15 ip ospf re-distribute


Configure the OSPF route re-distribution. An ASBR is able to translate information from other OSPF
processes in separate areas and routes from other sources, such as static routes or other dynamic
routing protocols, into the OSPF protocol.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf re-distribute <P-1> [metric <P-2>] [metric-type <P-3>] [tag
<P-4>] [subnets <P-5>]
[metric]: Configure the OSPF route re-distribution metric parameters.
[metric-type]: Configure the OSPF route redistribution metric-type.
[tag]: Configure the OSPF route redistribution tag parameters.
[subnets]: Allow the router to redistribute subnets into OSPF.
Parameter Value Meaning
P-1 connected Select the source protocol as connected.
static Select the source protocol as static.
rip Select the source protocol as RIP.
P-2 0..16777214 Configure the metric.
P-3 1..2 Configure the metric type.
P-4 0..4294967295 Configure the tag.
P-5 enable Enable the option.
disable Disable the option.

 no ip ospf re-distribute
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ip ospf re-distribute <P-1> [metric] [metric-type] [tag]
[subnets]

39.1.16 ip ospf distribute-list


Configure the distribute list for the routes from other source protocols.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf distribute-list <P-1> <P-2> <P-3>
Parameter Value Meaning
P-1 out Configure as out to re-distribute routes with ACL rules
P-2 connected Select the source protocol as connected.
static Select the source protocol as static.
rip Select the source protocol as RIP.
P-3 <1000..1099> Enter the access list number.

 no ip ospf distribute-list
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ip ospf distribute-list <P-1> <P-2> <P-3>

39.1.17 ip ospf default-info originate


Originate the OSPF default information.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip ospf default-info originate [always] [metric <P-1>] [metric-type
<P-2>]
[always]: Always advertise the 0.0.0.0/0.0.0.0 route information.
[metric]: Configure the metric for default information.
[metric-type]: Configure the metric type for default information.
Parameter Value Meaning
P-1 1..16777214 Configure the metric value.
P-2 external-type1 Set the metric type for default information as external type-1.
The type 1 value sets the metric to the sum of the internal and
external OSPF metrics.
external-type2 Set the metric type for default information as external type-2.
The type 2 value sets the metric to the sum of external OSPF
metrics from the source AS to the destination AS.


 no ip ospf default-info originate


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no ip ospf default-info originate [always] [metric <P-1>]
[metric-type]


39.2 ip

IP interface commands.

39.2.1 ip ospf operation


Enable or disable OSPF on port.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip ospf operation

 no ip ospf operation
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no ip ospf operation

39.2.2 ip ospf area-id


Configure the router ID that uniquely identifies the area to which the interface is connected. If a tie
occurs during the designated router election the router with the higher router ID is the designated router.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip ospf area-id <P-1>
Parameter Value Meaning
P-1 A.B.C.D IP address.


39.2.3 ip ospf link-type


Configure the OSPF link type.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip ospf link-type <P-1>
Parameter Value Meaning
P-1 broadcast Configure the link-type as broadcast for the interface. In
broadcast networks, routers discover their neighbors
dynamically using the OSPF hello protocol.
nbma Configure the link-type as Non-Broadcast Multi-Access for the
interface. The nbma mode emulates OSPF operation over a
broadcast network. The nbma mode is the most efficient way to
run OSPF over non-broadcast networks, both in terms of the LSDB
size and the amount of routing protocol traffic. However, this
mode requires direct communication between every router in the
nbma network.
point-to-point Configure the link-type as point-to-point for the interface. Use
the point-to-point link-type in a network that joins a single
pair of routers.
point-to-multipoint Configure the link-type as point-to-multipoint for the
interface. In the point-to-multipoint mode, OSPF treats each
router-to-router link over non-broadcast networks as if they
were point-to-point links.

39.2.4 ip ospf priority


Configure the OSPF router priority which the router uses in multi-access networks for the designated
router election algorithm. The router with the higher router priority is the designated router. A value of 0
declares the router as ineligible for designated router elections.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip ospf priority <P-1>
Parameter Value Meaning
P-1 0..255 Configure the priority.

39.2.5 ip ospf transmit-delay


Configure the OSPF transmit-delay for the interface, in seconds. The transmit-delay is the time that you
estimate it takes to transmit a link-state update packet over the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip ospf transmit-delay <P-1>


Parameter Value Meaning
P-1 0..3600 Enter a number in the given range.

39.2.6 ip ospf retransmit-interval


Configure the OSPF retransmit-interval for the interface, in seconds. The retransmit-interval is the
interval after which link-state advertisements containing database description and link-state request
packets are re-transmitted for adjacencies belonging to this interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip ospf retransmit-interval <P-1>
Parameter Value Meaning
P-1 0..3600 Enter a number in the given range.

39.2.7 ip ospf hello-interval


Configure the OSPF hello-interval for the interface, in seconds. The hello timer controls the time interval
between two consecutive hello packets. Set this value to the same hello-interval value of the neighbor.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip ospf hello-interval <P-1>
Parameter Value Meaning
P-1 1..65535 Enter a number between 1 and 65535

39.2.8 ip ospf dead-interval


Configure the OSPF dead-interval for the interface, in seconds. If the timer expires without the router
receiving hello packets from the neighbor, the router declares the neighbor router as down. Set the timer
to at least four times the value of the hello-interval.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip ospf dead-interval <P-1>


Parameter Value Meaning
P-1 1..65535 Enter a number between 1 and 65535

39.2.9 ip ospf cost


Configure the OSPF cost for the interface. The cost of a specific interface indicates the overhead
required to send packets across the link. If set to 0, OSPF calculates the cost from the reference
bandwidth and the interface speed.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip ospf cost <P-1>
Parameter Value Meaning
P-1 <1..65535> Configure the cost for the specified interface.
auto Automatic calculation from reference bandwidth and link speed.

39.2.10 ip ospf mtu-ignore


Enable or disable ignoring of an OSPF MTU mismatch on the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip ospf mtu-ignore

 no ip ospf mtu-ignore
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no ip ospf mtu-ignore


39.2.11 ip ospf authentication type


Configure authentication type.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip ospf authentication type <P-1>
Parameter Value Meaning
P-1 none Configure the authentication type as none (Key and key ID are not
required).
simple Configure the authentication type as simple (Key ID is not
required).
md5 Configure the authentication type as md5 for the interface.

39.2.12 ip ospf authentication key


Configure authentication key.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip ospf authentication key <P-1>
Parameter Value Meaning
P-1 string <key> Configure the authentication key.

39.2.13 ip ospf authentication key-id


Configure authentication key-id for md5 authentication.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip ospf authentication key-id <P-1>
Parameter Value Meaning
P-1 0..255 Enter a number in the given range.
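
An added example, not part of the Hirschmann manual: a Python check that reads interface blocks written with the commands in 39.2.7, 39.2.8 and 39.2.11 to 39.2.13 and reports OSPF interfaces with no authentication, with `simple` authentication (the key travels unencrypted in each OSPF packet), with `md5` missing its key or key-id, or with a dead-interval below four times the hello-interval. The `interface <slot/port>` and `exit` lines that delimit each block and the sample configuration are assumptions constructed for the example.

```python
import re

# Constructed sample. The "interface <slot/port>" / "exit" lines are an
# assumption about how an Interface Range Mode block is delimited; the
# "ip ospf ..." lines follow the Format entries documented above.
SAMPLE_CONFIG = """\
interface 1/1
ip ospf operation
ip ospf area-id 0.0.0.0
ip ospf authentication type md5
ip ospf authentication key-id 1
ip ospf authentication key EXAMPLE-KEY
ip ospf hello-interval 10
ip ospf dead-interval 40
exit
interface 1/2
ip ospf operation
ip ospf authentication type simple
ip ospf authentication key EXAMPLE-KEY
ip ospf hello-interval 10
ip ospf dead-interval 20
exit
interface 1/3
ip ospf operation
exit
interface 1/4
ip ospf operation
ip ospf authentication type md5
ip ospf authentication key EXAMPLE-KEY
exit
"""

IFACE_RE = re.compile(r"^interface\s+(\d+/\d+)$")
OSPF_RE = re.compile(r"^(no\s+)?ip ospf\s+(.+)$")


def parse_interfaces(config_text):
    """Return {port: settings} built from the 'ip ospf ...' lines of each block."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
            continue
        if line == "exit":
            current = None
            continue
        m = OSPF_RE.match(line)
        if not m or current is None:
            continue  # global OSPF commands and unrelated lines are ignored
        negated, rest = bool(m.group(1)), m.group(2).split()
        if rest[0] == "operation":
            current["operation"] = not negated
        elif rest[:2] == ["authentication", "type"] and len(rest) == 3:
            current["auth_type"] = rest[2]
        elif rest[:2] == ["authentication", "key-id"] and len(rest) == 3:
            current["key_id"] = int(rest[2])
        elif rest[:2] == ["authentication", "key"] and len(rest) >= 3:
            current["has_key"] = True  # record presence only, never the key
        elif rest[0] in ("hello-interval", "dead-interval") and len(rest) == 2:
            current[rest[0]] = int(rest[1])
    return interfaces


def audit(config_text):
    """Return (port, finding) tuples for interfaces on which OSPF is enabled."""
    findings = []
    for port, cfg in sorted(parse_interfaces(config_text).items()):
        if not cfg.get("operation"):
            continue
        auth = cfg.get("auth_type", "unset")
        if auth in ("unset", "none"):
            findings.append((port, "no-auth"))
        elif auth == "simple":
            findings.append((port, "cleartext-auth"))
        elif auth == "md5" and not ("key_id" in cfg and cfg.get("has_key")):
            findings.append((port, "md5-incomplete"))
        hello, dead = cfg.get("hello-interval"), cfg.get("dead-interval")
        # The manual asks for a dead-interval of at least 4 x hello-interval.
        # Only explicitly configured values are compared; defaults are not assumed.
        if hello is not None and dead is not None and dead < 4 * hello:
            findings.append((port, "dead-interval-short"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(SAMPLE_CONFIG):
        print(port, finding)
```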


39.3 show

Display device options and settings.

39.3.1 show ip ospf global


Display OSPF global configurations.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip ospf global

39.3.2 show ip ospf area


Display OSPF area related information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip ospf area [<P-1>]
Parameter Value Meaning
P-1 A.B.C.D IP address.

39.3.3 show ip ospf stub


Display OSPF stub area related information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip ospf stub


39.3.4 show ip ospf database internal


Display the internal LSA database information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip ospf database internal

39.3.5 show ip ospf database external


Display the external LSA database information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip ospf database external

39.3.6 show ip ospf range


Display OSPF area range information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip ospf range

39.3.7 show ip ospf interface


Display OSPF interface related information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip ospf interface [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.


39.3.8 show ip ospf virtual-link


Display OSPF virtual-link related information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip ospf virtual-link <P-1> <P-2>
Parameter Value Meaning
P-1 A.B.C.D IP address.
P-2 A.B.C.D IP address.

39.3.9 show ip ospf virtual-neighbor


Display OSPF Virtual-link neighbor information
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip ospf virtual-neighbor

39.3.10 show ip ospf neighbor


Display OSPF neighbor related information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip ospf neighbor [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

39.3.11 show ip ospf statistics


Display OSPF statistics.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip ospf statistics


39.3.12 show ip ospf re-distribute


Display OSPF re-distribute related information
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip ospf re-distribute <P-1>
Parameter Value Meaning
P-1 connected Select the source protocol as connected.
static Select the source protocol as static.
rip Select the source protocol as RIP.

39.3.13 show ip ospf nssa


Display OSPF NSSA related information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip ospf nssa <P-1>
Parameter Value Meaning
P-1 A.B.C.D IP address.

39.3.14 show ip ospf route


Display OSPF routes.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip ospf route


40 IP Source Guard (IPSG)


40.1 ip

Set IP parameters.

40.1.1 ip source-guard binding add


This command creates a new static IPSG binding between a MAC address and an IP address, for a
specific VLAN at a particular interface.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip source-guard binding add <P-1> <P-2> <P-3> <P-4> [<P-5>]
Parameter Value Meaning
P-1 aa:bb:cc:dd:ee:ff MAC address.
P-2 A.B.C.D IP address.
P-3 slot no./port no.
P-4 1..4042 Enter the VLAN ID.
P-5 active Activate the option.
inactive Inactivate the option.

40.1.2 ip source-guard binding delete all


This command deletes all static IP Source Guard (IPSG) bindings (at all interfaces).
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip source-guard binding delete all

40.1.3 ip source-guard binding delete interface


This command deletes all static IP Source Guard (IPSG) bindings, associated with a particular interface.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip source-guard binding delete interface <P-1>


Parameter Value Meaning
P-1 slot no./port no.

40.1.4 ip source-guard binding delete index


This command deletes one static IP Source Guard (IPSG) binding, associated with a MAC address, IP
address, interface and VLAN.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip source-guard binding delete index <P-1> <P-2> <P-3> <P-4>
Parameter Value Meaning
P-1 aa:bb:cc:dd:ee:ff MAC address.
P-2 A.B.C.D IP address.
P-3 slot no./port no.
P-4 1..4042 Enter the VLAN ID.

40.1.5 ip source-guard binding mode


This command activates or deactivates a configured static IPSG binding.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ip source-guard binding mode <P-1> <P-2> <P-3> <P-4> <P-5>
Parameter Value Meaning
P-1 aa:bb:cc:dd:ee:ff MAC address.
P-2 A.B.C.D IP address.
P-3 slot no./port no.
P-4 1..4042 Enter the VLAN ID.
P-5 active Activate the option.
inactive Inactivate the option.


40.2 clear

Clear several items.

40.2.1 clear ip source-guard bindings


This command clears all dynamic IPSG bindings on all interfaces or on a specific interface.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear ip source-guard bindings [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.


40.3 ip

IP interface commands.

40.3.1 ip source-guard mode


This command configures an interface for IP source guarding (IPSG).
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip source-guard mode

 no ip source-guard mode
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no ip source-guard mode

40.3.2 ip source-guard verify-mac


This command configures an interface for additional MAC address verification, when performing IP
source guarding (IPSG). This option cannot be enabled unless IPSG is enabled. Once it is enabled, it
can only be disabled by disabling IPSG at this interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: ip source-guard verify-mac
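
An added example, not part of the Hirschmann manual: a Python helper that validates an address inventory against the parameter ranges in 40.1.1 and emits `ip source-guard binding add` lines, rejecting rows that would bind one IP address in a VLAN to a second MAC address or port. The inventory rows and the one-binding-per-IP-and-VLAN policy are assumptions constructed for the example.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")   # aa:bb:cc:dd:ee:ff
PORT_RE = re.compile(r"^\d+/\d+$")                        # slot no./port no.
VLAN_MIN, VLAN_MAX = 1, 4042                              # range given for P-4

# Constructed inventory rows: (MAC address, IPv4 address, slot/port, VLAN ID)
INVENTORY = [
    ("02:00:00:00:00:01", "192.0.2.10", "1/1", 10),
    ("02:00:00:00:00:02", "192.0.2.11", "1/2", 10),
    ("02:00:00:00:00:03", "192.0.2.10", "1/3", 10),    # IP of row 1, other MAC
    ("02-00-00-00-00-04", "192.0.2.12", "1/4", 10),    # wrong MAC notation
    ("02:00:00:00:00:05", "192.0.2.13", "1/5", 4095),  # VLAN outside the range
]


def validate_row(mac, ip, port, vlan):
    """Return None if the row fits the documented parameter forms, else a reason."""
    if not MAC_RE.match(mac):
        return "MAC not in aa:bb:cc:dd:ee:ff form"
    if not PORT_RE.match(port):
        return "port not in slot/port form"
    if not VLAN_MIN <= vlan <= VLAN_MAX:
        return "VLAN ID outside 1..4042"
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return "not an IPv4 address"
    return None


def build_bindings(rows):
    """Return (commands, rejected) for a list of inventory rows.

    commands: CLI lines for Global Config Mode, one per accepted binding.
    rejected: ((mac, ip, port, vlan), reason) for every row that was refused.
    """
    commands, rejected, bound = [], [], {}
    for mac, ip, port, vlan in rows:
        mac_n = mac.lower()
        reason = validate_row(mac_n, ip, port, vlan)
        key = (ip, vlan)
        # Assumed policy: one static binding per IP address and VLAN.
        if reason is None and key in bound and bound[key] != (mac_n, port):
            reason = "IP already bound to %s on %s" % bound[key]
        if reason is not None:
            rejected.append(((mac, ip, port, vlan), reason))
            continue
        if key in bound:
            continue  # exact duplicate of an accepted row, nothing to add
        bound[key] = (mac_n, port)
        commands.append(
            "ip source-guard binding add %s %s %s %d active"
            % (mac_n, ip, port, vlan)
        )
    return commands, rejected


if __name__ == "__main__":
    cmds, bad = build_bindings(INVENTORY)
    print("\n".join(cmds))
    for row, why in bad:
        print("rejected", row, "-", why)
```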


40.4 show

Display device options and settings.

40.4.1 show ip source-guard interfaces


This command shows the IP Source Guard (IPSG) status of all interfaces.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip source-guard interfaces

40.4.2 show ip source-guard bindings


This command displays the IPSG binding entries from the static and/or dynamic bindings table.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ip source-guard bindings [<P-1>] [interface <P-2>] [vlan <P-3>]
[interface]: Restrict the output based on a specific interface.
[vlan]: Restrict the output based on VLAN.
Parameter Value Meaning
P-1 static Restrict the output based on static bindings.
dynamic Restrict the output based on dynamic bindings.
P-2 slot no./port no.
P-3 1..4042 Enter the VLAN ID.


41 IP Subnet VLAN


41.1 vlan

Creation and configuration of VLANS.

41.1.1 vlan association subnet


Configure Subnet association to VLAN.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: vlan association subnet <P-1> <P-2> <P-3>
Parameter Value Meaning
P-1 A.B.C.D IP address.
P-2 A.B.C.D IP address.
P-3 1..4042 Enter the VLAN ID.

 no vlan association subnet


Disable the option
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: no vlan association subnet <P-1> <P-2> <P-3>


41.2 show

Display device options and settings.

41.2.1 show vlan association subnet


Display Subnet association to VLAN entries.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show vlan association subnet [<P-1>]
Parameter Value Meaning
P-1 a.b.c.d-e.f.g.h IP address and mask, e.g. 192.168.1.1-255.255.255.0.


42 Internet Protocol Version 4 (IPv4)


42.1 network

Configure the inband and outband connectivity.

42.1.1 network protocol


Select DHCP, BOOTP or none as the network configuration protocol.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: network protocol <P-1>
Parameter Value Meaning
P-1 none No network config protocol
bootp BOOTP
dhcp DHCP

42.1.2 network parms


Set network address, netmask and gateway
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: network parms <P-1> <P-2> [<P-3>]
Parameter Value Meaning
P-1 A.B.C.D IP address.
P-2 A.B.C.D IP address.
P-3 A.B.C.D IP address.


42.2 clear

Clear several items.

42.2.1 clear arp-table-switch


Clear the agent's ARP table (cache).
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear arp-table-switch


42.3 show

Display device options and settings.

42.3.1 show network parms


Show network settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show network parms


42.4 show

Display device options and settings.

42.4.1 show arp


Show ARP table.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show arp


43 Ring Coupling


43.1 ring-coupling

Configure the ring/net coupling settings.

43.1.1 ring-coupling add


Create a new Ring/Network coupling configuration. The configuration consists of default parameters
and the operation is disabled. The interface specified as parameter represents the coupling port.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ring-coupling add <P-1> [mode <P-2>] [net-coupling <P-3>]
[redundancy-mode <P-4>] [control-port <P-5>] [partner-port <P-6>]
[mode]: Configure operating mode.
[net-coupling]: Configure the Ring/Network coupling mode as either network or ring-only.
[redundancy-mode]: Configure the redundancy mode as either extended or normal.
[control-port]: Configure the control port (<slot/port>). The control port is only used for outband
configurations.
[partner-port]: Configure the partner coupling port (<slot/port>). The partner coupling port is only
used for the single configuration mode.
Parameter Value Meaning
P-1 slot no./port no.
P-2 single Configure the operating mode of the ring coupling to single.
Both of the coupling ports are local to the switch, switch
performs master and slave functions.
dual-master-inband Configure the operating mode of the ring coupling to dual-
master-inband. The second coupling port is on a remote switch,
local switch is master, communication over network.
dual-master-outband Configure the operating mode of the ring coupling to dual-
master-outband. The second coupling port is on a remote switch,
local switch is master, communication over dedicated control
port.
dual-slave-inband Configure the operating mode of the ring coupling to dual-slave-
inband. The second coupling port is on a remote switch, local
switch is slave, communication over network.
dual-slave-outband Configure the operating mode of the ring coupling to dual-slave-
outband. The second coupling port is on a remote switch, local
switch is slave, communication over dedicated control port.
P-3 ring-only Select the ring coupling mode for a ring network. Both of the
network segments that are coupled are HIPER rings.
network Select the ring coupling mode for a bus or mesh network. The
network segment adjacent to the switches that handle the ring
coupling is not a HIPER ring.
P-4 normal Select the ring coupling mode for normal redundancy mode. The
slave does not respond to a failure in the remote ring or
network.
extended Select the ring coupling mode for extended redundancy mode. The
slave responds to a failure in the remote ring or network.
P-5 slot no./port no.
P-6 slot no./port no.


43.1.2 ring-coupling delete


Delete the Ring/Network coupling configuration with the coupling-port index.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ring-coupling delete <P-1>
Parameter Value Meaning
P-1 slot no./port no.

43.1.3 ring-coupling modify


Modify the Ring/Network coupling configuration with the coupling-port index.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ring-coupling modify <P-1> mode <P-2> control-port <P-3>
partner-port <P-4> net-coupling <P-5> redundancy-mode <P-6>
mode: Modify the operating mode.
control-port: Modify the control port (<slot/port>). The control port is only used for outband
configurations.
partner-port: Modify the partner coupling port (<slot/port>). The partner coupling port is only used
for single configuration.
net-coupling: Configure the Ring/Network coupling mode as either network or ring-only.
redundancy-mode: Configure the redundancy mode as either extended or normal.
Parameter Value Meaning
P-1 slot no./port no.
P-2 single Configure the operating mode of the ring coupling to single.
Both of the coupling ports are local to the switch, switch
performs master and slave functions.
dual-master-inband Configure the operating mode of the ring coupling to dual-
master-inband. The second coupling port is on a remote switch,
local switch is master, communication over network.
dual-master-outband Configure the operating mode of the ring coupling to dual-
master-outband. The second coupling port is on a remote switch,
local switch is master, communication over dedicated control
port.
dual-slave-inband Configure the operating mode of the ring coupling to dual-slave-
inband. The second coupling port is on a remote switch, local
switch is slave, communication over network.
dual-slave-outband Configure the operating mode of the ring coupling to dual-slave-
outband. The second coupling port is on a remote switch, local
switch is slave, communication over dedicated control port.
P-3 slot no./port no.
P-4 slot no./port no.
P-5 ring-only Select the ring coupling mode for a ring network. Both of the
network segments that are coupled are HIPER rings.
network Select the ring coupling mode for a bus or mesh network. The
network segment adjacent to the switches that handle the ring
coupling is not a HIPER ring.

P-6 normal Select the ring coupling mode for normal redundancy mode. The
slave does not respond to a failure in the remote ring or
network.
extended Select the ring coupling mode for extended redundancy mode. The
slave responds to a failure in the remote ring or network.

43.1.4 ring-coupling enable


Enable the Ring/Network coupling configuration with the coupling-port index.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ring-coupling enable <P-1>
Parameter Value Meaning
P-1 slot no./port no.

43.1.5 ring-coupling disable


Disable the Ring/Network coupling configuration with the coupling-port index.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: ring-coupling disable <P-1>
Parameter Value Meaning
P-1 slot no./port no.


43.2 show

Display device options and settings.

43.2.1 show ring-coupling global


Display the ring coupling settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ring-coupling global

43.2.2 show ring-coupling status


Display the ring coupling states.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ring-coupling status


44 License Manager


44.1 license

Configure licensing settings.

44.1.1 license level


Sets the software level of the device. The change needs a config save and a reboot to take effect.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: license level <P-1>
Parameter Value Meaning
P-1 default Default software level of the device
2S Software Layer 2 Standard
2A Software Layer 2 Advanced
3S Software Layer 3 Standard


44.2 show

Display device options and settings.

44.2.1 show license global


Display global information about the license of device software.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show license global


45 Link Backup


45.1 link-backup

Configure Link Backup parameters.

45.1.1 link-backup operation


Enable or disable Link Backup.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: link-backup operation

 no link-backup operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no link-backup operation


45.2 link-backup

Configure Link Backup parameters.

45.2.1 link-backup add


Add a Link Backup interface pair.
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: link-backup add <P-1> [failback-time <P-2>] [description <P-3>]
[failback-time]: FailBack time in seconds for the interface pair.
[description]: Description for the interface pair.
Parameter Value Meaning
P-1 slot no./port no.
P-2 0..3600 FailBack time interval (default: 30).
P-3 string Enter a user-defined text, max. 256 characters.

45.2.2 link-backup delete


Delete the associated backup interface.
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: link-backup delete <P-1>
Parameter Value Meaning
P-1 slot no./port no.


45.2.3 link-backup modify


Modify a Link Backup interface pair.
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: link-backup modify <P-1> [failback-status <P-2>] [failback-time <P-3>]
[description <P-4>] [status <P-5>]
[failback-status]: Modify failback status (default: enabled).
[failback-time]: Modify failback time (default: 30).
[description]: Description for the interface pair.
[status]: Enable or disable a Link Backup interface pair entry.
Parameter Value Meaning
P-1 slot no./port no.
P-2 enable Enable the option.
disable Disable the option.
P-3 0..3600 FailBack time interval (default: 30).
P-4 string Enter a user-defined text, max. 256 characters.
P-5 enable Enable the option.
disable Disable the option.


45.3 show

Display device options and settings.

45.3.1 show link-backup operation


Display Link Backup global information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show link-backup operation

45.3.2 show link-backup pairs


Display Link Backup interface pairs.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show link-backup pairs [<P-1>] [<P-2>]
Parameter Value Meaning
P-1 slot no./port no.
P-2 slot no./port no.


46 Link Layer Discovery Protocol (LLDP)


46.1 lldp

Configure the Link Layer Discovery Protocol.

46.1.1 lldp operation


Enable or disable the LLDP operational state.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: lldp operation

 no lldp operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no lldp operation

46.1.2 lldp config chassis admin-state


Enable or disable the LLDP operational state.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: lldp config chassis admin-state <P-1>
Parameter Value Meaning
P-1 enable Enable the option.
disable Disable the option.


46.1.3 lldp config chassis notification-interval


Enter the LLDP notification interval in seconds.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: lldp config chassis notification-interval <P-1>
Parameter Value Meaning
P-1 5..3600 Enter a number in the given range.

46.1.4 lldp config chassis re-init-delay


Enter the LLDP re-initialization delay in seconds.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: lldp config chassis re-init-delay <P-1>
Parameter Value Meaning
P-1 1..10 Enter a number in the given range.

46.1.5 lldp config chassis tx-delay


Enter the LLDP transmit delay in seconds (tx-delay smaller than (0.25 × tx-interval)).
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: lldp config chassis tx-delay <P-1>
Parameter Value Meaning
P-1 1..8192 Enter a number in the given range (tx-delay smaller than (0.25
× tx-interval)).


46.1.6 lldp config chassis tx-hold-multiplier


Enter the LLDP transmit hold multiplier.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: lldp config chassis tx-hold-multiplier <P-1>
Parameter Value Meaning
P-1 2..10 Enter a number in the given range.

46.1.7 lldp config chassis tx-interval


Enter the LLDP transmit interval in seconds.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: lldp config chassis tx-interval <P-1>
Parameter Value Meaning
P-1 5..32768 Enter a number in the given range.


46.2 show

Display device options and settings.

46.2.1 show lldp global


Display the LLDP global configurations.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show lldp global

46.2.2 show lldp port


Display port specific LLDP configurations.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show lldp port [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

46.2.3 show lldp remote-data


Remote information collected with LLDP.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show lldp remote-data [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.


46.3 lldp

Configure the Link Layer Discovery Protocol on a port.

46.3.1 lldp admin-state


Configure how the interface processes LLDP frames.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp admin-state <P-1>
Parameter Value Meaning
P-1 tx-only Interface will only transmit LLDP frames. Received frames are
not processed.
rx-only Interface will only receive LLDP frames. Frames are not
transmitted.
tx-and-rx Interface will transmit and receive LLDP frames. This is the
default setting.
disable Interface will neither transmit nor process received LLDP
frames.

46.3.2 lldp fdb-mode


Configure the LLDP FDB mode for this interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp fdb-mode <P-1>
Parameter Value       Meaning
P-1       lldp-only   Collected remote data will be based on received LLDP frames only.
          mac-only    Collected remote data will be based on the switch's FDB entries only.
          both        Collected remote data will be based on received LLDP frames as well as on the switch's FDB entries.
          auto-detect As long as no LLDP frames are received, the collected remote data will be based on the switch's FDB entries only. After the first LLDP frame is received, the remote data will be based on received LLDP frames only. This is the default setting.

46.3.3 lldp max-neighbors


Enter the maximum number of LLDP neighbors for the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp max-neighbors <P-1>
Parameter Value Meaning
P-1       1..50 Enter a number in the given range.

46.3.4 lldp notification


Enable or disable the LLDP notification operation for the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp notification

 no lldp notification
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp notification

46.3.5 lldp tlv inline-power


Enable or disable inline-power TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv inline-power <P-1>
Parameter Value Meaning
P-1       [cr]  Enable the Bit.

 no lldp tlv inline-power


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv inline-power <P-1>

46.3.6 lldp tlv link-aggregation


Enable or disable link-aggregation TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv link-aggregation <P-1>
Parameter Value Meaning
P-1       [cr]  Enable the Bit.

 no lldp tlv link-aggregation


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv link-aggregation <P-1>

46.3.7 lldp tlv mac-phy-config-state


Enable or disable mac-phy-config-state TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv mac-phy-config-state <P-1>
Parameter Value Meaning
P-1       [cr]  Enable the Bit.

 no lldp tlv mac-phy-config-state


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv mac-phy-config-state <P-1>

46.3.8 lldp tlv max-frame-size


Enable or disable max-frame-size TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv max-frame-size <P-1>

Parameter Value Meaning
P-1       [cr]  Enable the Bit.

 no lldp tlv max-frame-size


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv max-frame-size <P-1>

46.3.9 lldp tlv mgmt-addr


Enable or disable mgmt-addr TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv mgmt-addr

 no lldp tlv mgmt-addr


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv mgmt-addr

46.3.10 lldp tlv port-desc


Enable or disable port description TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv port-desc <P-1>
Parameter Value Meaning
P-1       [cr]  Enable the Bit.

 no lldp tlv port-desc


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv port-desc <P-1>

46.3.11 lldp tlv port-vlan


Enable or disable port-vlan TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv port-vlan

 no lldp tlv port-vlan


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv port-vlan

46.3.12 lldp tlv protocol


Enable or disable protocol TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv protocol

 no lldp tlv protocol


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv protocol

46.3.13 lldp tlv sys-cap


Enable or disable system capabilities TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv sys-cap <P-1>
Parameter Value Meaning
P-1       [cr]  Enable the Bit.

 no lldp tlv sys-cap


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv sys-cap <P-1>

46.3.14 lldp tlv sys-desc


Enable or disable system description TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv sys-desc <P-1>
Parameter Value Meaning
P-1       [cr]  Enable the Bit.

 no lldp tlv sys-desc


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv sys-desc <P-1>

46.3.15 lldp tlv sys-name


Enable or disable system name TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv sys-name <P-1>

Parameter Value Meaning
P-1       [cr]  Enable the Bit.

 no lldp tlv sys-name


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv sys-name <P-1>

46.3.16 lldp tlv vlan-name


Enable or disable vlan name TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv vlan-name

 no lldp tlv vlan-name


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv vlan-name

46.3.17 lldp tlv protocol-based-vlan


Enable or disable protocol-based vlan TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv protocol-based-vlan

 no lldp tlv protocol-based-vlan


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv protocol-based-vlan

46.3.18 lldp tlv igmp


Enable or disable igmp TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv igmp

 no lldp tlv igmp


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv igmp

46.3.19 lldp tlv portsec


Enable or disable portsec TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv portsec

 no lldp tlv portsec


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv portsec

46.3.20 lldp tlv ptp


Enable or disable PTP TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv ptp

 no lldp tlv ptp


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv ptp

46.3.21 lldp tlv pnio


Enable or disable PROFINET TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv pnio

 no lldp tlv pnio


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv pnio

46.3.22 lldp tlv pnio-alias


Enable or disable PROFINET alias TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv pnio-alias

 no lldp tlv pnio-alias


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv pnio-alias

46.3.23 lldp tlv pnio-mrp


Enable or disable PROFINET MRP TLV transmission.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp tlv pnio-mrp

 no lldp tlv pnio-mrp


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp tlv pnio-mrp

47 Media Endpoint Discovery LLDP-MED

47.1 lldp

Configure the Link Layer Discovery Protocol on a port.

47.1.1 lldp med confignotification


Enable or disable sending LLDP-MED notifications for this interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp med confignotification

 no lldp med confignotification


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp med confignotification

47.1.2 lldp med transmit-tlv capabilities


Include/Exclude LLDP MED capabilities TLV.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp med transmit-tlv capabilities

 no lldp med transmit-tlv capabilities


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp med transmit-tlv capabilities

47.1.3 lldp med transmit-tlv network-policy


Include/Exclude LLDP network policy TLV.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: lldp med transmit-tlv network-policy

 no lldp med transmit-tlv network-policy


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no lldp med transmit-tlv network-policy

47.2 lldp

Configure the Link Layer Discovery Protocol.

47.2.1 lldp med faststartrepeatcount


Configure LLDP-MED fast start repeat count.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: lldp med faststartrepeatcount <P-1>
Parameter Value Meaning
P-1       1..10 Enter a value representing the number of LLDP PDUs that will be transmitted. Default is 3.

47.3 show

Display device options and settings.

47.3.1 show lldp med global


Display a summary of the current LLDP-MED configuration.
 Mode: Command is available in all modes.
 Privilege Level: Guest
 Format: show lldp med global

47.3.2 show lldp med interface


Display the current LLDP-MED configuration on a specific port.
 Mode: Command is available in all modes.
 Privilege Level: Guest
 Format: show lldp med interface [<P-1>]
Parameter Value             Meaning
P-1       slot no./port no.

47.3.3 show lldp med local-device


Display detailed information about the LLDP-MED data.
 Mode: Command is available in all modes.
 Privilege Level: Guest
 Format: show lldp med local-device <P-1>
Parameter Value             Meaning
P-1       slot no./port no.

47.3.4 show lldp med remote-device detail


Display LLDP-MED detail configuration for a remote device.
 Mode: Command is available in all modes.
 Privilege Level: Guest
 Format: show lldp med remote-device detail <P-1>
Parameter Value             Meaning
P-1       slot no./port no.

47.3.5 show lldp med remote-device summary


Display LLDP-MED summary configuration for a remote device.
 Mode: Command is available in all modes.
 Privilege Level: Guest
 Format: show lldp med remote-device summary [<P-1>]
Parameter Value             Meaning
P-1       slot no./port no.

48 Logging

48.1 logging

Logging configuration.

48.1.1 logging audit-trail


Add a comment for the audit trail.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging audit-trail <P-1>
Parameter Value  Meaning
P-1       string Enter a user-defined text, max. 80 characters.

48.1.2 logging buffered severity


Configure the minimum severity level to be logged to the high priority buffer.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging buffered severity <P-1>
Parameter Value         Meaning
P-1       emergency     System is unusable. System failure has occurred.
          alert         Action must be taken immediately. Unrecoverable failure of a component. System failure likely.
          critical      Recoverable failure of a component that may lead to system failure.
          error         Error conditions. Recoverable failure of a component.
          warning       Minor failure, e.g. misconfiguration of a component.
          notice        Normal but significant conditions.
          informational Informational messages.
          debug         Debug-level messages.
          0             Same as emergency
          1             Same as alert
          2             Same as critical
          3             Same as error
          4             Same as warning
          5             Same as notice
          6             Same as informational
          7             Same as debug

48.1.3 logging host add


Add a new logging host.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging host add <P-1> addr <P-2> <P-3> [transport <P-4>] [port <P-5>] [severity <P-6>] [type <P-7>]
addr: Enter the IP address of the server.
[transport]: Configure the type of transport used for syslog server transmission.
[port]: Enter the port used for syslog server transmission.
[severity]: Configure the minimum severity level to be sent to this syslog server.
[type]: Configure the type of log messages to be sent to the syslog server.
Parameter Value         Meaning
P-1       1..8          Syslog server entry index
P-2       string        Hostname or IP address.
P-3       a.b.c.d       IP address.
P-4       udp           The UDP-based transmission.
          tls           The TLS-based transmission.
P-5       1..65535      Port number to be used
P-6       emergency     System is unusable. System failure has occurred.
          alert         Action must be taken immediately. Unrecoverable failure of a component. System failure likely.
          critical      Recoverable failure of a component that may lead to system failure.
          error         Error conditions. Recoverable failure of a component.
          warning       Minor failure, e.g. misconfiguration of a component.
          notice        Normal but significant conditions.
          informational Informational messages.
          debug         Debug-level messages.
          0             Same as emergency
          1             Same as alert
          2             Same as critical
          3             Same as error
          4             Same as warning
          5             Same as notice
          6             Same as informational
          7             Same as debug
P-7       systemlog     the system event log entries
          audittrail    the audit trail log entries

48.1.4 logging host delete


Delete a logging host.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging host delete <P-1>
Parameter Value Meaning
P-1       1..8  Syslog server entry index

48.1.5 logging host enable


Enable a logging host.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging host enable <P-1>
Parameter Value Meaning
P-1       1..8  Syslog server entry index

48.1.6 logging host disable


Disable a logging host.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging host disable <P-1>
Parameter Value Meaning
P-1       1..8  Syslog server entry index

48.1.7 logging host modify


Modify an existing logging host.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging host modify <P-1> [addr <P-2> <P-3>] [transport <P-4>] [port
<P-5>] [severity <P-6>] [type <P-7>]
[addr]: Enter the IP address of the server.
[transport]: Configure the type of transport used for syslog server transmission.
[port]: Enter the port used for syslog server transmission.
[severity]: Configure the minimum severity level to be sent to this syslog server.
[type]: Configure the type of log messages to be sent to the syslog server.
Parameter Value         Meaning
P-1       1..8          Syslog server entry index
P-2       string        Hostname or IP address.
P-3       a.b.c.d       IP address.
P-4       udp           The UDP-based transmission.
          tls           The TLS-based transmission.
P-5       1..65535      Port number to be used
P-6       emergency     System is unusable. System failure has occurred.
          alert         Action must be taken immediately. Unrecoverable failure of a component. System failure likely.
          critical      Recoverable failure of a component that may lead to system failure.
          error         Error conditions. Recoverable failure of a component.
          warning       Minor failure, e.g. misconfiguration of a component.
          notice        Normal but significant conditions.
          informational Informational messages.
          debug         Debug-level messages.
          0             Same as emergency
          1             Same as alert
          2             Same as critical
          3             Same as error
          4             Same as warning
          5             Same as notice
          6             Same as informational
          7             Same as debug
P-7       systemlog     the system event log entries
          audittrail    the audit trail log entries

48.1.8 logging syslog operation


Enable or disable the syslog client.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging syslog operation

 no logging syslog operation


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no logging syslog operation

48.1.9 logging current-console operation


Enable or disable logging messages to the current remote console.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging current-console operation

 no logging current-console operation


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no logging current-console operation

48.1.10 logging current-console severity


Configure the minimum severity level to be sent to the current remote console.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging current-console severity <P-1>
Parameter Value         Meaning
P-1       emergency     System is unusable. System failure has occurred.
          alert         Action must be taken immediately. Unrecoverable failure of a component. System failure likely.
          critical      Recoverable failure of a component that may lead to system failure.
          error         Error conditions. Recoverable failure of a component.
          warning       Minor failure, e.g. misconfiguration of a component.
          notice        Normal but significant conditions.
          informational Informational messages.
          debug         Debug-level messages.
          0             Same as emergency
          1             Same as alert
          2             Same as critical
          3             Same as error
          4             Same as warning
          5             Same as notice
          6             Same as informational
          7             Same as debug

48.1.11 logging console operation


Enable or disable logging to the local V.24 console.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging console operation

 no logging console operation


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no logging console operation

48.1.12 logging console severity


Configure the minimum severity level to be logged to the V.24 console.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging console severity <P-1>
Parameter Value         Meaning
P-1       emergency     System is unusable. System failure has occurred.
          alert         Action must be taken immediately. Unrecoverable failure of a component. System failure likely.
          critical      Recoverable failure of a component that may lead to system failure.
          error         Error conditions. Recoverable failure of a component.
          warning       Minor failure, e.g. misconfiguration of a component.
          notice        Normal but significant conditions.
          informational Informational messages.
          debug         Debug-level messages.
          0             Same as emergency
          1             Same as alert
          2             Same as critical
          3             Same as error
          4             Same as warning
          5             Same as notice
          6             Same as informational
          7             Same as debug

48.1.13 logging persistent operation


Enable or disable persistent logging. This feature is only available when an ENVM is connected to the
device. The logging information is saved on the selected ENVM.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging persistent operation

 no logging persistent operation


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no logging persistent operation

48.1.14 logging persistent numfiles


Enter the maximum number of log files.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging persistent numfiles <P-1>
Parameter Value Meaning
P-1       0..25 number of logfiles

48.1.15 logging persistent filesize


Enter the maximum size of a log file.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging persistent filesize <P-1>
Parameter Value   Meaning
P-1       0..4096 Maximum persistent logfile size on the non-volatile memory in kBytes

48.1.16 logging persistent severity-level


Configure the minimum severity level to be logged into files.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging persistent severity-level <P-1>

Parameter Value         Meaning
P-1       emergency     System is unusable. System failure has occurred.
          alert         Action must be taken immediately. Unrecoverable failure of a component. System failure likely.
          critical      Recoverable failure of a component that may lead to system failure.
          error         Error conditions. Recoverable failure of a component.
          warning       Minor failure, e.g. misconfiguration of a component.
          notice        Normal but significant conditions.
          informational Informational messages.
          debug         Debug-level messages.
          0             Same as emergency
          1             Same as alert
          2             Same as critical
          3             Same as error
          4             Same as warning
          5             Same as notice
          6             Same as informational
          7             Same as debug

48.1.17 logging email operation


Enable or disable logging email-alert globally.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging email operation

 no logging email operation


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no logging email operation

48.1.18 logging email from-addr


Configure the mail address used by the device to send email alerts.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging email from-addr <P-1>

Parameter Value  Meaning
P-1       string Enter a valid email address

48.1.19 logging email duration


Periodic timer (in minutes) for sending non-critical logs by mail.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging email duration <P-1>
Parameter Value    Meaning
P-1       30..1440 Time duration in minutes

48.1.20 logging email severity urgent


Urgent severity level
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging email severity urgent <P-1>
Parameter Value         Meaning
P-1       emergency     System is unusable. System failure has occurred.
          alert         Action must be taken immediately. Unrecoverable failure of a component. System failure likely.
          critical      Recoverable failure of a component that may lead to system failure.
          error         Error conditions. Recoverable failure of a component.
          warning       Minor failure, e.g. misconfiguration of a component.
          notice        Normal but significant conditions.
          informational Informational messages.
          debug         Debug-level messages.
          0             Same as emergency
          1             Same as alert
          2             Same as critical
          3             Same as error
          4             Same as warning
          5             Same as notice
          6             Same as informational
          7             Same as debug

48.1.21 logging email severity non-urgent


Non-urgent severity level
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging email severity non-urgent <P-1>
Parameter Value         Meaning
P-1       emergency     System is unusable. System failure has occurred.
          alert         Action must be taken immediately. Unrecoverable failure of a component. System failure likely.
          critical      Recoverable failure of a component that may lead to system failure.
          error         Error conditions. Recoverable failure of a component.
          warning       Minor failure, e.g. misconfiguration of a component.
          notice        Normal but significant conditions.
          informational Informational messages.
          debug         Debug-level messages.
          0             Same as emergency
          1             Same as alert
          2             Same as critical
          3             Same as error
          4             Same as warning
          5             Same as notice
          6             Same as informational
          7             Same as debug

48.1.22 logging email to-addr add


Create a destination address entry with default values
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging email to-addr add <P-1> [addr <P-2>] [msgtype <P-3>]
[addr]: Create an entry with specified address
[msgtype]: Create an entry with specified message type
Parameter Value      Meaning
P-1       1..10      Destination address entry index
P-2       string     Enter a valid email address
P-3       urgent     Urgent message type
          non-urgent Non-urgent message type

48.1.23 logging email to-addr delete


Delete a destination address
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging email to-addr delete <P-1>
Parameter Value Meaning
P-1       1..10 Destination address entry index

48.1.24 logging email to-addr modify


Modify a destination address
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging email to-addr modify <P-1> [addr <P-2>] [msgtype <P-3>]
[addr]: Modify the destination address
[msgtype]: Modify the message type
Parameter Value      Meaning
P-1       1..10      Destination address entry index
P-2       string     Enter a valid email address
P-3       urgent     Urgent message type
          non-urgent Non-urgent message type

48.1.25 logging email mail-server add


Add a server entry to SMTP address table
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging email mail-server add <P-1> [addr <P-2>] [security <P-3>]
[username <P-4>] [password <P-5>] [port <P-6>] [timeout <P-7>] [description
<P-8>]
[addr]: SMTP server address
[security]: Security mode used in SMTP server.
[username]: Login ID to access SMTP server.
[password]: Password to access SMTP server.
[port]: SMTP server port number.
[timeout]: SMTP server connection timeout
[description]: SMTP server description

Parameter Value    Meaning
P-1       1..5     SMTP server index
P-2       string   Hostname or IP address.
P-3       none     Security mode none
          tlsv1    Security mode TLSv1
P-4       string   Enter a user-defined text, max. 32 characters.
P-5       string   Enter a user-defined text, max. 32 characters.
P-6       1..65535 Port number to be used
P-7       1..15    SMTP server timeout range
P-8       string   Enter a user-defined text, max. 1024 characters (allowed characters are from ASCII 32 to 127).

48.1.26 logging email mail-server delete


Delete a server entry from SMTP address table
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging email mail-server delete <P-1>
Parameter Value Meaning
P-1       1..5  SMTP server index

48.1.27 logging email mail-server modify


Modify an SMTP server entry
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging email mail-server modify <P-1> [addr <P-2>] [security <P-3>]
[username <P-4>] [password <P-5>] [port <P-6>] [timeout <P-7>] [description
<P-8>]
[addr]: SMTP server address
[security]: Security mode used in SMTP server.
[username]: Login ID to access SMTP server.
[password]: Password to access SMTP server.
[port]: SMTP server port number.
[timeout]: SMTP Timeout
[description]: SMTP server description
Parameter Value    Meaning
P-1       1..5     SMTP server index
P-2       string   Hostname or IP address.
P-3       none     Security mode none
          tlsv1    Security mode TLSv1
P-4       string   Enter a user-defined text, max. 32 characters.
P-5       string   Enter a user-defined text, max. 32 characters.
P-6       1..65535 Port number to be used
P-7       1..15    SMTP server timeout range
P-8       string   Enter a user-defined text, max. 1024 characters (allowed characters are from ASCII 32 to 127).
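The `logging host` commands (48.1.3, 48.1.7) offer `transport udp` or `tls`, and the `logging email mail-server` commands (48.1.25, 48.1.27) offer `security none` or `tlsv1`. The following added example, which is not part of the manual, audits saved CLI lines for the unencrypted choices. It assumes the server address follows `addr` as a single token; the sample lines, addresses, names and port numbers are constructed.

```python
import shlex

# Constructed sample of CLI lines, not taken from a real device. Assumption:
# the server address follows "addr" as a single token; all addresses, names
# and port numbers are made-up sample values.
SAMPLE = """\
logging host add 1 addr 192.0.2.10 transport udp port 514 severity warning type systemlog
logging host add 2 addr 192.0.2.11 transport tls port 6514 severity informational type audittrail
logging host add 3 addr 192.0.2.12 severity notice
logging host modify 2 severity debug
logging email mail-server add 1 addr mail.example.net security none username switch01 password "placeholder" port 25
logging email mail-server add 2 addr mail.example.net security tlsv1 port 465
logging syslog operation
"""

# Keywords taken from the Format lines of the two command families.
HOST_KEYWORDS = {"addr", "transport", "port", "severity", "type"}
MAIL_KEYWORDS = {"addr", "security", "username", "password", "port",
                 "timeout", "description"}


def parse_options(tokens, keywords):
    """Collect 'keyword value' pairs from the tokens after the entry index."""
    options, i = {}, 0
    while i < len(tokens):
        if tokens[i] in keywords and i + 1 < len(tokens):
            options[tokens[i]] = tokens[i + 1]
            i += 2  # skip the value so it is never mistaken for a keyword
        else:
            i += 1
    return options


def check_host(action, index, options):
    """Return a finding for a 'logging host add|modify' line, or None."""
    transport = options.get("transport")
    if transport == "udp":
        return (f"logging host {index}: transport udp sends log messages "
                "unencrypted; tls is the other listed value")
    if transport is None and action == "add":
        # 'modify' without the keyword leaves the stored value unchanged.
        return (f"logging host {index}: transport not given; confirm the "
                "effective value with 'show logging host'")
    return None


def check_mail_server(action, index, options):
    """Return a finding for a 'logging email mail-server' line, or None."""
    security = options.get("security")
    if security == "none":
        detail = (" with SMTP login data on the same entry"
                  if "password" in options else "")
        return (f"mail server {index}: security none{detail}; "
                "tlsv1 is the other listed value")
    if security is None and action == "add":
        return (f"mail server {index}: security not given; confirm with "
                "'show logging email mail-server'")
    return None


def audit(config_text):
    """Return (line number, finding) pairs for the given CLI lines."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        tokens = shlex.split(line)  # honours the double-quoted strings
        finding = None
        if (tokens[:2] == ["logging", "host"] and len(tokens) >= 4
                and tokens[2] in ("add", "modify")):
            finding = check_host(
                tokens[2], tokens[3], parse_options(tokens[4:], HOST_KEYWORDS))
        elif (tokens[:3] == ["logging", "email", "mail-server"]
                and len(tokens) >= 5 and tokens[3] in ("add", "modify")):
            finding = check_mail_server(
                tokens[3], tokens[4], parse_options(tokens[5:], MAIL_KEYWORDS))
        if finding:
            findings.append((line_no, finding))
    return findings


if __name__ == "__main__":
    for line_no, text in audit(SAMPLE):
        print(f"line {line_no}: {text}")
```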

48.1.28 logging email subject add


Create an email subject entry
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging email subject add <P-1> [<P-2>]
Parameter Value      Meaning
P-1       urgent     Urgent message type
          non-urgent Non-urgent message type
P-2       string     <string> Enter the email subject (Within double quotations if subject includes space)

48.1.29 logging email subject delete


Delete an email subject entry
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging email subject delete <P-1>
Parameter Value      Meaning
P-1       urgent     Urgent message type
          non-urgent Non-urgent message type

48.1.30 logging email subject modify


Modify an email subject entry
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging email subject modify <P-1> <P-2>
Parameter Value      Meaning
P-1       urgent     Urgent message type
          non-urgent Non-urgent message type
P-2       string     <string> Enter the email subject (Within double quotations if subject includes space)

48.1.31 logging email test msgtype


Configure the message type for test mail.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: logging email test msgtype <P-1> <P-2>
Parameter Value      Meaning
P-1       urgent     Urgent message type
          non-urgent Non-urgent message type
P-2       string     Enter a user-defined text, max. 255 characters.

48.2 show

Display device options and settings.

48.2.1 show logging buffered


Display buffered (in-memory) log entries.
 Mode: Command is available in all modes.
 Privilege Level: Guest
 Format: show logging buffered [<P-1>]
Parameter Value  Meaning
P-1       string <filter> Enter a comma separated list of severity ranges, numbers or enum strings are allowed. Example: 0-1,informational-debug
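The filter syntax of `show logging buffered` can be expanded into the severity levels it selects. The following is an added example, not part of the manual: it uses the severity names and numbers from the parameter tables of this chapter, and it assumes that a descending range is an input error. The log entries are constructed.

```python
# Severity names in numeric order 0..7, as listed in the parameter tables
# of this chapter (0 = emergency ... 7 = debug).
SEVERITIES = ("emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug")

# Constructed log entries (severity, text) used to show the filter at work.
ENTRIES = [
    ("alert", "constructed: component failure"),
    ("warning", "constructed: configuration mismatch"),
    ("informational", "constructed: link up"),
    ("debug", "constructed: state trace"),
]


def severity_level(token):
    """Return the numeric level (0..7) for a severity name or number."""
    token = token.strip().lower()
    if token.isascii() and token.isdigit():
        level = int(token)
        if level >= len(SEVERITIES):
            raise ValueError(f"severity number out of range: {token!r}")
        return level
    if token in SEVERITIES:
        return SEVERITIES.index(token)
    raise ValueError(f"unknown severity: {token!r}")


def expand_filter(spec):
    """Expand a filter such as '0-1,informational-debug' to sorted levels."""
    levels = set()
    for element in spec.split(","):
        # Severity names contain no hyphen, so the first '-' marks a range.
        low, dash, high = element.partition("-")
        first = severity_level(low)
        last = severity_level(high) if dash else first
        if first > last:
            # Assumption: a descending range is treated as an input error.
            raise ValueError(f"descending range: {element.strip()!r}")
        levels.update(range(first, last + 1))
    return sorted(levels)


def threshold_filter(minimum):
    """Build the filter for 'this severity and everything more severe'."""
    return f"emergency-{SEVERITIES[severity_level(minimum)]}"


def select_entries(entries, spec):
    """Keep the (severity, text) entries whose severity matches the filter."""
    wanted = set(expand_filter(spec))
    return [entry for entry in entries if severity_level(entry[0]) in wanted]


if __name__ == "__main__":
    print(expand_filter("0-1,informational-debug"))
    for severity, text in select_entries(ENTRIES, threshold_filter("warning")):
        print(severity, text)
```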

48.2.2 show logging traplogs


Display trap log entries.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show logging traplogs

48.2.3 show logging console


Display console logging configurations.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show logging console

48.2.4 show logging persistent


Display persistent logging configurations.
 Mode: Command is available in all modes.
 Privilege Level: Guest
 Format: show logging persistent [logfiles]
[logfiles]: List the persistent log files.

48.2.5 show logging syslog


Display current syslog operational setting.
 Mode: Command is available in all modes.
 Privilege Level: Guest
 Format: show logging syslog

48.2.6 show logging host


Display a list of logging hosts currently configured.
 Mode: Command is available in all modes.
 Privilege Level: Guest
 Format: show logging host

48.2.7 show logging email statistics


Display the statistics of email logging.
 Mode: Command is available in all modes.
 Privilege Level: Guest
 Format: show logging email statistics

48.2.8 show logging email global


Display global settings of email logging feature.
 Mode: Command is available in all modes.
 Privilege Level: Guest
 Format: show logging email global

48.2.9 show logging email to-addr


Display list of destination addresses configured.
 Mode: Command is available in all modes.
 Privilege Level: Guest
 Format: show logging email to-addr [<P-1>]
Parameter Value Meaning
P-1       1..10 Destination address entry index

48.2.10 show logging email subject


Display the subject entries configured.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show logging email subject [<P-1>]
Parameter  Value       Meaning
P-1        urgent      Urgent message type
           non-urgent  Non-urgent message type

48.2.11 show logging email mail-server


Display SMTP server settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show logging email mail-server [<P-1>]

Parameter  Value  Meaning
P-1        1..5   SMTP server index

48.3 copy

Copy different kinds of items.

48.3.1 copy eventlog buffered envm


Copy a buffered log from the device to external non-volatile memory.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy eventlog buffered envm <P-1>
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 32 characters.

48.3.2 copy eventlog buffered remote


Copy a buffered log from the device to a file server.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy eventlog buffered remote <P-1>
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 128 characters.

48.3.3 copy eventlog persistent


Copy the persistent logs from the device to an envm or a file server.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy eventlog persistent <P-1> envm <P-2> remote <P-3>
envm: Copy the persistent log from the device to external non-volatile memory.
remote: Copy the persistent logs from the device to a file server.

Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 32 characters.
P-2        string  Enter a user-defined text, max. 32 characters.
P-3        string  Enter a user-defined text, max. 128 characters.

48.3.4 copy traplog system envm


Copy the traplog from the device to external non-volatile memory.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy traplog system envm <P-1>
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 32 characters.

48.3.5 copy traplog system remote


Copy the traplog from the device to a file server.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy traplog system remote <P-1>
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 128 characters.

48.3.6 copy audittrail system envm


Copy the audit trail from the device to external non-volatile memory.
 Mode: Privileged Exec Mode
 Privilege Level: Operator, Auditor
 Format: copy audittrail system envm <P-1>
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 32 characters.

48.3.7 copy audittrail system remote


Copy the audit trail from the device to a file server.
 Mode: Privileged Exec Mode
 Privilege Level: Operator, Auditor
 Format: copy audittrail system remote <P-1>
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 128 characters.

48.3.8 copy mailcacert remote


Copy CA certificate file (*.pem) from the remote AD server to the specified destination.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: copy mailcacert remote <P-1> nvm [<P-2>]
nvm: Copy CA certificate file (*.pem) from the remote AD server to the device.
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 128 characters.
P-2        string  Enter a user-defined text, max. 100 characters.

48.3.9 copy mailcacert envm


Copy CA certificate file (*.pem) from external non-volatile memory to the specified destination.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: copy mailcacert envm <P-1> nvm [<P-2>]
nvm: Copy CA certificate file (*.pem) from external non-volatile memory to the device.
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 128 characters.
P-2        string  Enter a user-defined text, max. 100 characters.

48.3.10 copy syslogcacert remote


Copy CA certificate file (*.pem) from the remote AD server to the specified destination.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: copy syslogcacert remote <P-1> nvm [<P-2>]
nvm: Copy CA certificate file (*.pem) from the remote AD server to the device.
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 128 characters.
P-2        string  Enter a user-defined text, max. 100 characters.

48.3.11 copy syslogcacert envm


Copy CA certificate file (*.pem) from external non-volatile memory to the specified destination.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: copy syslogcacert envm <P-1> nvm [<P-2>]
nvm: Copy CA certificate file (*.pem) from external non-volatile memory to the device.
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 128 characters.
P-2        string  Enter a user-defined text, max. 100 characters.

48.4 clear

Clear several items.

48.4.1 clear logging buffered


Clear buffered log from memory.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: clear logging buffered

48.4.2 clear logging persistent


Clear persistent log from memory.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: clear logging persistent

48.4.3 clear logging email statistics


Clear email statistics.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: clear logging email statistics

48.4.4 clear eventlog


Clear the event log entries from memory.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: clear eventlog

49 MAC Notification

49.1 mac

Set MAC parameters.

49.1.1 mac notification operation


Enable or disable MAC notification globally.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mac notification operation

 no mac notification operation


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no mac notification operation

49.1.2 mac notification interval


Set MAC notification interval in seconds.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mac notification interval <P-1>
Parameter  Value          Meaning
P-1        0..2147483647  Enter a number in the given range.

49.2 mac

MAC interface commands.

49.2.1 mac notification operation


Enable or disable MAC notification on this interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: mac notification operation

 no mac notification operation


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no mac notification operation

49.3 show

Display device options and settings.

49.3.1 show mac notification global


Displays MAC notification global information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mac notification global

49.3.2 show mac notification interface


Displays MAC notification interface information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mac notification interface

50 MAC VLAN

50.1 vlan

Creation and configuration of VLANs.

50.1.1 vlan association mac


Configure an association between a MAC address and a VLAN.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: vlan association mac <P-1> <P-2>
Parameter  Value              Meaning
P-1        aa:bb:cc:dd:ee:ff  MAC address.
P-2        1..4042            Enter the VLAN ID.

 no vlan association mac


Disable the option
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: no vlan association mac <P-1> <P-2>

50.2 show

Display device options and settings.

50.2.1 show vlan association mac


Displays the association MAC address and VLAN table.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show vlan association mac [<P-1>]
Parameter  Value              Meaning
P-1        aa:bb:cc:dd:ee:ff  Enter a MAC address.
           1..4042            Enter a VLAN ID.

51 Management Access

51.1 network

Configure the in-band and out-of-band connectivity.

51.1.1 network management access web timeout


Set the web interface idle timeout.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: network management access web timeout <P-1>
Parameter  Value   Meaning
P-1        0..160  Idle timeout of a session in minutes (default: 5).

51.1.2 network management access add


Add a new entry with index.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: network management access add <P-1> [ip <P-2>] [mask <P-3>] [http
<P-4>] [https <P-5>] [snmp <P-6>] [telnet <P-7>] [iec61850-mms <P-8>]
[modbus-tcp <P-9>] [ssh <P-10>] [ethernet-ip <P-11>] [profinet-io <P-12>]
[ip]: Configure IP address which should have access to management.
[mask]: Configure network mask to allow a subnet for management access.
[http]: Configure if HTTP is allowed to have management access.
[https]: Configure if HTTPS is allowed to have management access.
[snmp]: Configure if SNMP is allowed to have management access.
[telnet]: Configure if TELNET is allowed to have management access.
[iec61850-mms]: Configure if IEC61850-MMS is allowed to have management access.
[modbus-tcp]: Configure if Modbus TCP/IP is allowed to have management access.
[ssh]: Configure if SSH is allowed to have management access.
[ethernet-ip]: Configure if EtherNet/IP is allowed to have management access.
[profinet-io]: Configure if PROFINET is allowed to have management access.
Parameter  Value    Meaning
P-1        1..16    Pool entry index.
P-2        a.b.c.d  IP address.
P-3        0..32    Prefix length netmask.
P-4        enable   Enable the option.
           disable  Disable the option.
P-5        enable   Enable the option.
           disable  Disable the option.
P-6        enable   Enable the option.
           disable  Disable the option.
P-7        enable   Enable the option.
           disable  Disable the option.
P-8        enable   Enable the option.
           disable  Disable the option.
P-9        enable   Enable the option.
           disable  Disable the option.
P-10       enable   Enable the option.
           disable  Disable the option.
P-11       enable   Enable the option.
           disable  Disable the option.
P-12       enable   Enable the option.
           disable  Disable the option.

51.1.3 network management access delete


Delete an entry with index.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: network management access delete <P-1>
Parameter  Value  Meaning
P-1        1..16  Pool entry index.

51.1.4 network management access modify


Modify an entry with index.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: network management access modify <P-1> ip <P-2> mask <P-3> http <P-4>
https <P-5> snmp <P-6> telnet <P-7> iec61850-mms <P-8> modbus-tcp <P-9>
ssh <P-10> ethernet-ip <P-11> profinet-io <P-12>
ip: Configure ip-address which should have access to management.
mask: Configure network mask to allow a subnet for management access.
http: Configure if HTTP is allowed to have management access.
https: Configure if HTTPS is allowed to have management access.
snmp: Configure if SNMP is allowed to have management access.
telnet: Configure if TELNET is allowed to have management access.
iec61850-mms: Configure if IEC61850-MMS is allowed to have management access.
modbus-tcp: Configure if Modbus TCP/IP is allowed to have management access.
ssh: Configure if SSH is allowed to have management access.
ethernet-ip: Configure if EtherNet/IP is allowed to have management access.
profinet-io: Configure if PROFINET is allowed to have management access.
Parameter  Value    Meaning
P-1        1..16    Pool entry index.
P-2        a.b.c.d  IP address.
P-3        0..32    Prefix length netmask.
P-4        enable   Enable the option.
           disable  Disable the option.
P-5        enable   Enable the option.
           disable  Disable the option.
P-6        enable   Enable the option.
           disable  Disable the option.
P-7        enable   Enable the option.
           disable  Disable the option.
P-8        enable   Enable the option.
           disable  Disable the option.
P-9        enable   Enable the option.
           disable  Disable the option.
P-10       enable   Enable the option.
           disable  Disable the option.
P-11       enable   Enable the option.
           disable  Disable the option.
P-12       enable   Enable the option.
           disable  Disable the option.

51.1.5 network management access operation


Enable or disable the restricted management access (RMA) function.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: network management access operation

 no network management access operation


Disable the option
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: no network management access operation

51.1.6 network management access status


Activate/Deactivate an entry.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: network management access status <P-1>
Parameter  Value  Meaning
P-1        1..16  Pool entry index.

 no network management access status


Disable the option
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: no network management access status <P-1>

51.2 show

Display device options and settings.

51.2.1 show network management access global


Show global restricted management access preferences.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show network management access global

51.2.2 show network management access rules


Show restricted management access rules.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show network management access rules [<P-1>]
Parameter  Value  Meaning
P-1        1..16  Pool entry index.
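
The add, status and operation commands of section 51.1 combine into one procedure for restricting management access. The following Python code is an added example, not part of the Hirschmann manual: it renders rules in the documented add format with every protocol stated explicitly (the manual does not state what an omitted option defaults to), flags cleartext or unauthenticated services, and refuses to emit the enabling command when no rule permits HTTPS or SSH. The names RmaRule, build_plan, FLAGGED and SECURE_ADMIN, the two policy sets and the add-then-activate ordering are assumptions of this example.

```python
"""Generate and lint HiOS restricted management access (RMA) rules.

Added example; RmaRule, build_plan and the policy sets are hypothetical names.
"""
import ipaddress
from dataclasses import dataclass

# Protocol keywords, in the order used by the documented format of
# "network management access add".
PROTOCOLS = ("http", "https", "snmp", "telnet", "iec61850-mms",
             "modbus-tcp", "ssh", "ethernet-ip", "profinet-io")

# Example policy (assumption): services to flag when a rule enables them.
# Telnet and HTTP are cleartext; the manual notes that Modbus TCP/IP
# communication is not authenticated.
FLAGGED = ("http", "telnet", "modbus-tcp")

# Example policy (assumption): encrypted services an administrator needs
# to keep reaching the device once RMA is switched on.
SECURE_ADMIN = frozenset({"https", "ssh"})


@dataclass
class RmaRule:
    index: int          # P-1, pool entry index 1..16
    ip: str             # P-2, a.b.c.d
    mask: int           # P-3, prefix length 0..32
    allow: frozenset    # protocol keywords to enable; all others are disabled

    def __post_init__(self):
        self.allow = frozenset(self.allow)
        if not 1 <= self.index <= 16:
            raise ValueError(f"index {self.index} outside 1..16")
        if not 0 <= self.mask <= 32:
            raise ValueError(f"mask {self.mask} outside 0..32")
        ipaddress.IPv4Address(self.ip)   # raises ValueError on a bad address
        unknown = self.allow - set(PROTOCOLS)
        if unknown:
            raise ValueError(f"unknown protocol(s): {sorted(unknown)}")

    def to_cli(self):
        """Render the rule with every protocol stated explicitly."""
        words = ["network management access add", str(self.index),
                 "ip", self.ip, "mask", str(self.mask)]
        for proto in PROTOCOLS:
            words += [proto, "enable" if proto in self.allow else "disable"]
        return " ".join(words)

    def findings(self):
        """Return review findings: the mask check first, then flagged services."""
        out = []
        if self.mask == 0:
            out.append(f"rule {self.index}: mask 0 matches every source address")
        for proto in FLAGGED:
            if proto in self.allow:
                out.append(f"rule {self.index}: {proto} enabled")
        return out


def build_plan(rules):
    """Return the CLI lines that add and activate the rules, then enable RMA."""
    indexes = [r.index for r in rules]
    if len(indexes) != len(set(indexes)):
        raise ValueError("duplicate pool entry index")
    # Guard against locking out secure management before RMA is enabled.
    if not any(r.allow & SECURE_ADMIN for r in rules):
        raise ValueError("no rule allows https or ssh; refusing to enable RMA")
    lines = []
    for rule in rules:
        lines.append(rule.to_cli())
        lines.append(f"network management access status {rule.index}")
    lines.append("network management access operation")
    return lines


if __name__ == "__main__":
    # Constructed sample: one admin subnet and one overly broad legacy rule.
    sample = [
        RmaRule(1, "192.168.10.0", 24, {"https", "ssh"}),
        RmaRule(2, "0.0.0.0", 0, {"telnet", "snmp"}),
    ]
    for line in build_plan(sample):
        print(line)
    for rule in sample:
        for finding in rule.findings():
            print("FINDING:", finding)
```

The generated lines are entered in Privileged Exec Mode with the Administrator privilege level, as the command descriptions above require; the result can be compared against the output of show network management access rules.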

52 Modbus

52.1 modbus-tcp

Configure Modbus TCP/IP server settings.

52.1.1 modbus-tcp operation


Enable or disable the Modbus TCP/IP server.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: modbus-tcp operation

 no modbus-tcp operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no modbus-tcp operation

52.1.2 modbus-tcp write-access


Enable or disable write access to the Modbus TCP/IP registers. Possible security risk, as Modbus
TCP/IP communication is not authenticated.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: modbus-tcp write-access

 no modbus-tcp write-access
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no modbus-tcp write-access

52.1.3 modbus-tcp port


Defines the port number of the Modbus TCP/IP server (default: 502).
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: modbus-tcp port <P-1>
Parameter  Value     Meaning
P-1        1..65535  Enter port number between 1 and 65535.

52.1.4 modbus-tcp max-sessions


Defines the maximum number of concurrent Modbus TCP/IP sessions (default: 5).
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: modbus-tcp max-sessions <P-1>
Parameter  Value  Meaning
P-1        1..5   Maximum number of concurrent Modbus TCP/IP server sessions (default: 5).

52.2 show

Display device options and settings.

52.2.1 show modbus-tcp


Show the Modbus TCP/IP server settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show modbus-tcp

53 Media Redundancy Protocol (MRP)

53.1 mrp

Configure the MRP settings.

53.1.1 mrp domain modify advanced-mode


Configure the MRM Advanced Mode.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp domain modify advanced-mode <P-1>
Parameter  Value    Meaning
P-1        enable   Enable the option.
           disable  Disable the option.

53.1.2 mrp domain modify manager-priority


Configure the MRM priority.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp domain modify manager-priority <P-1>
Parameter  Value     Meaning
P-1        0..65535  Enter the MRM priority (default: 32768).

53.1.3 mrp domain modify mode


Configure the role of the MRP device.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp domain modify mode <P-1>

Parameter  Value    Meaning
P-1        client   The device will be in the role of a ring client (MRC).
           manager  The device will be in the role of a ring manager (MRM).

53.1.4 mrp domain modify name


Configure the logical name of the MRP domain.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp domain modify name <P-1>
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 255 characters.

53.1.5 mrp domain modify operation


Enable or disable the MRP function.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp domain modify operation <P-1>
Parameter  Value    Meaning
P-1        enable   Enable the option.
           disable  Disable the option.

53.1.6 mrp domain modify port primary


Configure the primary ringport.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp domain modify port primary <P-1>
Parameter  Value               Meaning
P-1        slot no./port no.

53.1.7 mrp domain modify port secondary


Configure the secondary ringport.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp domain modify port secondary <P-1> [fixed-backup <P-2>]
[fixed-backup]: Enable or disable the secondary ringport of the manager to be the backup port
permanently.
Parameter  Value               Meaning
P-1        slot no./port no.
P-2        enable              Enable the option.
           disable             Disable the option.

53.1.8 mrp domain modify recovery-delay


Configure the MRM Recovery Delay.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp domain modify recovery-delay <P-1>
Parameter  Value  Meaning
P-1        500ms  Maximum recovery delay of 500ms in the MRP domain.
           200ms  Maximum recovery delay of 200ms in the MRP domain.
           30ms   Maximum recovery delay of 30ms in the MRP domain.
           10ms   Maximum recovery delay of 10ms in the MRP domain.

53.1.9 mrp domain modify round-trip-delay


Configure the round-trip-delay counters.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp domain modify round-trip-delay <P-1>
Parameter  Value  Meaning
P-1        reset  Reset the round-trip-delay counters.

53.1.10 mrp domain modify vlan


Configure the VLAN identifier of the MRP domain. (VLAN ID 0 means that no VLAN is used).
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp domain modify vlan <P-1>
Parameter  Value    Meaning
P-1        0..4042  VLAN identifier of the MRP domain. (VLAN ID 0 means that no VLAN is used).

53.1.11 mrp domain add default-domain


Default MRP domain ID.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp domain add default-domain

53.1.12 mrp domain add domain-id


MRP domain ID. Format: 16 bytes in decimal notation. (Example:
1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16).
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp domain add domain-id <P-1>
Parameter  Value               Meaning
P-1        string <domain id>  MRP domain ID. Format: 16 bytes in decimal notation. (Example: 1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16).

53.1.13 mrp domain delete


Delete the current MRP domain.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp domain delete

53.1.14 mrp operation


Enable or disable MRP.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp operation

 no mrp operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no mrp operation

53.2 show

Display device options and settings.

53.2.1 show mrp


Show MRP settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mrp

54 MRP IEEE

54.1 mrp-ieee

Configure IEEE MRP parameters and protocols, MVRP for dynamic VLAN registration and MMRP for
dynamic MAC registration on a port.

54.1.1 mrp-ieee global join-time


Set the IEEE multiple registration protocol join time-interval. The join timer controls the interval between
join message transmissions sent to applicant state machines. An instance of this timer is required on a
per-Port, per-MRP participant basis.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: mrp-ieee global join-time <P-1>
Parameter  Value    Meaning
P-1        10..100  Join time-interval in centiseconds.

54.1.2 mrp-ieee global leave-time


Set the IEEE multiple registration protocol leave time-interval. The leave timer controls the period of time
that the registrar state machine waits in the leave state before transiting to the empty state. An instance
of the timer is required for each state machine in the leave state.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: mrp-ieee global leave-time <P-1>
Parameter  Value    Meaning
P-1        20..600  Leave time-interval in centiseconds.

54.1.3 mrp-ieee global leave-all-time


Set the IEEE multiple registration protocol leave-all time-interval. The leave all timer controls the
frequency with which the leaveall state machine generates leaveall PDUs. The timer is required on a
per-Port, per-MRP Participant basis.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: mrp-ieee global leave-all-time <P-1>
Parameter  Value      Meaning
P-1        200..6000  Leave-All time-interval in centiseconds.

54.2 show

Display device options and settings.

54.2.1 show mrp-ieee global interface


Show the global configuration of IEEE multiple registration protocol per interface.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mrp-ieee global interface [<P-1>]
Parameter  Value               Meaning
P-1        slot no./port no.

55 MRP IEEE MMRP

55.1 mrp-ieee

Configure IEEE MRP protocols.

55.1.1 mrp-ieee mmrp vlan-id


Configure the VLAN parameters.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: mrp-ieee mmrp vlan-id <P-1> forward-all <P-2> forbidden-servicereq
<P-3>
forward-all: Enable or disable 'Forward All Groups' in a given VLAN for a given interface.
forbidden-servicereq: Enable or disable the MMRP feature 'Forbidden Service Requirement' in a
given VLAN for a given interface.
Parameter  Value               Meaning
P-1        1..4042             Enter the VLAN ID.
P-2        slot no./port no.
P-3        slot no./port no.

 no mrp-ieee mmrp vlan-id


Disable the option
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: no mrp-ieee mmrp vlan-id <P-1> forward-all <P-2> forbidden-servicereq <P-3>

55.2 show

Display device options and settings.

55.2.1 show mrp-ieee mmrp global


Display the IEEE MMRP global configuration.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mrp-ieee mmrp global

55.2.2 show mrp-ieee mmrp interface


Display the IEEE MMRP interface configuration.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mrp-ieee mmrp interface [<P-1>]
Parameter  Value               Meaning
P-1        slot no./port no.

55.2.3 show mrp-ieee mmrp statistics global


Display the IEEE MMRP global statistics.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mrp-ieee mmrp statistics global

55.2.4 show mrp-ieee mmrp statistics interface


Display the IEEE MMRP interface statistics.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mrp-ieee mmrp statistics interface [<P-1>]
Parameter  Value               Meaning
P-1        slot no./port no.

55.2.5 show mrp-ieee mmrp service-requirement forward-all vlan


Show Forward-All setting for port in given VLAN.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mrp-ieee mmrp service-requirement forward-all vlan [<P-1>]
Parameter  Value    Meaning
P-1        1..4042  Enter the VLAN ID.

55.2.6 show mrp-ieee mmrp service-requirement forbidden vlan


Show Forward-All setting for port in given VLAN.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mrp-ieee mmrp service-requirement forbidden vlan [<P-1>]
Parameter  Value    Meaning
P-1        1..4042  Enter the VLAN ID.

55.3 mrp-ieee

Configure IEEE MRP protocols, MVRP for dynamic VLAN registration and MMRP for dynamic MAC
registration.

55.3.1 mrp-ieee mmrp operation


Enable or disable MMRP globally. Devices use MMRP information for dynamic registration of group
membership and individual MAC addresses with end devices and switches that support extended
filtering services, within the connected LAN.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp-ieee mmrp operation

 no mrp-ieee mmrp operation


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no mrp-ieee mmrp operation

55.3.2 mrp-ieee mmrp periodic-machine


Enable or disable MMRP periodic state machine globally. When enabled, the periodic state machine
sends extra MMRP messages when the periodic timer expires.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp-ieee mmrp periodic-machine

 no mrp-ieee mmrp periodic-machine


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no mrp-ieee mmrp periodic-machine

55.4 clear

Clear several items.

55.4.1 clear mrp-ieee mmrp


Clear the IEEE MMRP global and port statistic tables.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear mrp-ieee mmrp

55.5 mrp-ieee

Configure IEEE MRP parameters and protocols, MVRP for dynamic VLAN registration and MMRP for
dynamic MAC registration on a port.

55.5.1 mrp-ieee mmrp operation


Enable or disable MMRP on the interface. With MMRP enabled globally and on this interface, the device
sends and receives MMRP messages on this port.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: mrp-ieee mmrp operation

 no mrp-ieee mmrp operation


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no mrp-ieee mmrp operation

55.5.2 mrp-ieee mmrp restrict-register


Enable or disable restriction of dynamic MAC address registration using IEEE MMRP on the port. When
enabled, the dynamic registration of MAC address attributes is allowed only if the attribute has already
been statically registered on the device.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: mrp-ieee mmrp restrict-register

 no mrp-ieee mmrp restrict-register


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no mrp-ieee mmrp restrict-register

55.6 show

Display device options and settings.

55.6.1 show mac-filter-table mmrp


Display MMRP entries in the MFDB table.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mac-filter-table mmrp

56 MRP IEEE MVRP

56.1 mrp-ieee

Configure IEEE MRP protocols, MVRP for dynamic VLAN registration and MMRP for dynamic MAC
registration.

56.1.1 mrp-ieee mvrp operation


Enable or disable IEEE MVRP globally. When enabled, the device distributes VLAN membership
information on MVRP-enabled active ports. MVRP-aware devices use the information to dynamically
create VLAN members and update the local VLAN member database.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp-ieee mvrp operation

 no mrp-ieee mvrp operation


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no mrp-ieee mvrp operation

56.1.2 mrp-ieee mvrp periodic-machine


Enable or disable IEEE MVRP periodic state machine globally. When enabled, the device sends MVRP
messages to the connected MVRP-aware devices when the periodic timer expires.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: mrp-ieee mvrp periodic-machine

 no mrp-ieee mvrp periodic-machine


Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no mrp-ieee mvrp periodic-machine

56.2 mrp-ieee

Configure IEEE MRP parameters and protocols, MVRP for dynamic VLAN registration and MMRP for
dynamic MAC registration on a port.

56.2.1 mrp-ieee mvrp operation


Enable or disable IEEE MVRP on the port. When MVRP is enabled globally and on this port, the device
distributes VLAN membership information to MVRP-aware devices connected to this port.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: mrp-ieee mvrp operation

 no mrp-ieee mvrp operation


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no mrp-ieee mvrp operation

56.2.2 mrp-ieee mvrp restrict-register


Enable or disable restriction of dynamic VLAN registration using IEEE MVRP on the port. When
enabled, the dynamic registration of VLAN attributes is allowed only if the attribute has already been
statically registered on the device.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: mrp-ieee mvrp restrict-register

 no mrp-ieee mvrp restrict-register


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no mrp-ieee mvrp restrict-register

56.3 show

Display device options and settings.

56.3.1 show mrp-ieee mvrp global


Display the IEEE MVRP global configuration.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mrp-ieee mvrp global

56.3.2 show mrp-ieee mvrp interface


Display the IEEE MVRP interface configuration.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mrp-ieee mvrp interface [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

56.3.3 show mrp-ieee mvrp statistics global


Display the IEEE MVRP global statistics.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mrp-ieee mvrp statistics global


56.3.4 show mrp-ieee mvrp statistics interface


Display the IEEE MVRP interface statistics.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show mrp-ieee mvrp statistics interface [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.


56.4 clear

Clear several items.

56.4.1 clear mrp-ieee mvrp


Clear the IEEE MVRP global and port statistic tables.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: clear mrp-ieee mvrp


57 Out-of-band Management


57.1 network

Configure the inband and outband connectivity.

57.1.1 network out-of-band operation


Enable or disable the out-of-band management.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: network out-of-band operation

 no network out-of-band operation


Disable the option
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: no network out-of-band operation

57.1.2 network out-of-band protocol


Select DHCP or none as the out-of-band configuration protocol.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: network out-of-band protocol <P-1>
Parameter Value Meaning
P-1 none No out-of-band config protocol.
    dhcp DHCP


57.1.3 network out-of-band parms


Set out-of-band IP address, subnet mask and gateway.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: network out-of-band parms <P-1> <P-2> [<P-3>]
Parameter Value Meaning
P-1 A.B.C.D IP address.
P-2 A.B.C.D IP address.
P-3 A.B.C.D IP address.


57.2 show

Display device options and settings.

57.2.1 show network out-of-band


Show out-of-band management configuration.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show network out-of-band


58 Protocol Based VLAN


58.1 vlan

Creation and configuration of VLANs.

58.1.1 vlan protocol group add


Add a new group or add protocols to an existing group.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: vlan protocol group add <P-1> name <P-2> vlan-id <P-3> ethertype <P-4>
name: Assign a group name.
vlan-id: Associate a VLAN ID to a group.
ethertype: Add protocols to an existing group. Before adding protocols to a group, please create one.
Parameter Value Meaning
P-1 1..128 Protocol based VLANs group index.
P-2 string Enter a user-defined text, max. 256 characters.
P-3 1..4042 Enter the VLAN ID.
P-4 string <protocol-list> Enter a comma-separated list of mnemonics or values, max. 256 chars (e.g. 1536-65535, ip, arp, ipx). Hexadecimal values are entered with a leading '0x', e.g. 0x600-0xffff.

 no vlan protocol group add


Disable the option
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: no vlan protocol group add name vlan-id ethertype <P-4>

58.1.2 vlan protocol group modify


Modify a protocol group.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: vlan protocol group modify <P-1> [name <P-2>] [vlan-id <P-3>] [ethertype <P-4>]
[name]: Modify the group name.
[vlan-id]: Modify the VLAN ID of a group.
[ethertype]: Modify ethertypes from a protocol group.
Parameter Value Meaning
P-1 1..128 Protocol based VLANs group index.
P-2 string Enter a user-defined text, max. 256 characters.
P-3 1..4042 Enter the VLAN ID.
P-4 string <protocol-list> Enter a comma-separated list of mnemonics or values, max. 256 chars (e.g. 1536-65535, ip, arp, ipx). Hexadecimal values are entered with a leading '0x', e.g. 0x600-0xffff.

58.1.3 vlan protocol group delete


Delete a protocol group.
 Mode: VLAN Database Mode
 Privilege Level: Operator
 Format: vlan protocol group delete <P-1> [ethertype <P-2>]
[ethertype]: Remove ethertypes from a protocol group.
Parameter Value Meaning
P-1 1..128 Protocol based VLANs group index.
P-2 string <protocol-list> Enter a comma-separated list of mnemonics or values, max. 256 chars (e.g. 1536-65535, ip, arp, ipx). Hexadecimal values are entered with a leading '0x', e.g. 0x600-0xffff.
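
The `<protocol-list>` syntax used by the ethertype parameter in 58.1.1 to 58.1.3 can be checked offline before a group is entered on the device. The following Python is an added example, not code from this manual or from Hirschmann: it parses a list into EtherType ranges and reports values claimed by more than one group. The EtherType numbers behind the mnemonics `ip`, `arp` and `ipx`, the lower limit 0x0600 (taken from the manual's example range) and all function names are assumptions of the example.

```python
import re

# EtherTypes for the three mnemonics shown in the manual's example list.
# Assumption: the device may know more mnemonics; only these are on the page.
MNEMONICS = {"ip": 0x0800, "arp": 0x0806, "ipx": 0x8137}

# Assumption: accepted values span the manual's example range 1536-65535.
ETHERTYPE_MIN, ETHERTYPE_MAX = 0x0600, 0xFFFF
MAX_LIST_CHARS = 256  # "max. 256 chars" in the parameter table

_NUMBER = re.compile(r"(0x[0-9a-f]+|[0-9]+)", re.IGNORECASE)


def _number(token):
    """Convert one decimal or 0x-prefixed token to a range-checked integer."""
    token = token.strip()
    if not _NUMBER.fullmatch(token):
        raise ValueError(f"not a number or known mnemonic: {token!r}")
    value = int(token, 16) if token.lower().startswith("0x") else int(token)
    if not ETHERTYPE_MIN <= value <= ETHERTYPE_MAX:
        raise ValueError(f"EtherType out of range: {token!r}")
    return value


def parse_protocol_list(text):
    """Return the list as sorted, merged (low, high) inclusive ranges."""
    if len(text) > MAX_LIST_CHARS:
        raise ValueError("protocol list longer than 256 characters")
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in protocol list")
        if item.lower() in MNEMONICS:
            low = high = MNEMONICS[item.lower()]
        else:
            low_text, dash, high_text = item.partition("-")
            low = _number(low_text)
            high = _number(high_text) if dash else low
            if low > high:
                raise ValueError(f"descending range: {item!r}")
        ranges.append((low, high))
    ranges.sort()
    merged = [ranges[0]]
    for low, high in ranges[1:]:
        last_low, last_high = merged[-1]
        if low <= last_high + 1:  # overlapping or directly adjacent
            merged[-1] = (last_low, max(last_high, high))
        else:
            merged.append((low, high))
    return merged


def find_overlaps(groups):
    """groups maps a group index (1..128) to its protocol-list string.

    Returns (index_a, index_b, low, high) for every EtherType range that two
    groups both claim, so the intended VLAN assignment can be reviewed.
    """
    parsed = {idx: parse_protocol_list(text) for idx, text in sorted(groups.items())}
    indexes = list(parsed)
    overlaps = []
    for pos, a in enumerate(indexes):
        for b in indexes[pos + 1:]:
            for a_low, a_high in parsed[a]:
                for b_low, b_high in parsed[b]:
                    low, high = max(a_low, b_low), min(a_high, b_high)
                    if low <= high:
                        overlaps.append((a, b, low, high))
    return overlaps


if __name__ == "__main__":
    # Constructed sample configuration, not taken from a real device.
    planned = {1: "ip, arp", 2: "0x0800-0x08ff", 3: "ipx"}
    for idx, text in planned.items():
        print(idx, [(hex(lo), hex(hi)) for lo, hi in parse_protocol_list(text)])
    for a, b, low, high in find_overlaps(planned):
        print(f"groups {a} and {b} both match {low:#06x}-{high:#06x}")
```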


58.2 vlan

Configure 802.1Q port parameters for VLANs.

58.2.1 vlan protocol group add


Add this interface to a group.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: vlan protocol group add <P-1>
Parameter Value Meaning
P-1 1..128 Protocol based VLANs group index.

58.2.2 vlan protocol group delete


Remove this interface from a group.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: vlan protocol group delete <P-1>
Parameter Value Meaning
P-1 1..128 Protocol based VLANs group index.


58.3 show

Display device options and settings.

58.3.1 show vlan protocol


Display protocol based VLANs summary information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show vlan protocol [<P-1>]
Parameter Value Meaning
P-1 1..128 Protocol based VLANs group index.


59 Power Over Ethernet (PoE)


59.1 inlinepower

Configure the global inline power settings.

59.1.1 inlinepower operation


Configure the global inline power administrative setting (enable or disable, default: enable).
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: inlinepower operation

 no inlinepower operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no inlinepower operation

59.1.2 inlinepower slot


Configure the inline power notification (trap), threshold and power budget per slot.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: inlinepower slot <P-1> budget <P-2> threshold <P-3> trap
budget: Configure the inline power budget per slot.
threshold: Configure the inline power notification (trap) threshold per slot.
trap: Configure the inline power notification (trap) setting per slot.
Parameter Value Meaning
P-1 slot no./port no.
P-2 0..65507 Enter a number in the given range.
P-3 1..99 Enter a number in the given range.


 no inlinepower slot
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no inlinepower slot budget threshold trap

59.1.3 inlinepower threshold


Configure the global inline power notification (trap) threshold.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: inlinepower threshold <P-1>
Parameter Value Meaning
P-1 1..99 Enter a number in the given range.

59.1.4 inlinepower trap


Configure the global inline power notification (trap) setting.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: inlinepower trap

 no inlinepower trap
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no inlinepower trap


59.2 inlinepower

Configure inline power interface settings.

59.2.1 inlinepower allowed-classes


Configure the interface-related inline power allowed classes.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: inlinepower allowed-classes <P-1>
Parameter Value Meaning
P-1 0..4 Enter a number in the given range.

 no inlinepower allowed-classes
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no inlinepower allowed-classes <P-1>

59.2.2 inlinepower auto-shutdown-end


Configure the interface-related inline power autoshutdown end time.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: inlinepower auto-shutdown-end <P-1>
Parameter Value Meaning
P-1 string Enter 5 alpha numerical characters (format 00:00).


59.2.3 inlinepower auto-shutdown-start


Configure the interface-related inline power autoshutdown start time.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: inlinepower auto-shutdown-start <P-1>
Parameter Value Meaning
P-1 string Enter 5 alpha numerical characters (format 00:00).

59.2.4 inlinepower auto-shutdown-timer


Configure the interface-related inline power autoshutdown timer functionality.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: inlinepower auto-shutdown-timer

 no inlinepower auto-shutdown-timer
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no inlinepower auto-shutdown-timer

59.2.5 inlinepower operation


Configure the interface-related inline power administrative setting (enable or disable, default: enable).
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: inlinepower operation

 no inlinepower operation
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no inlinepower operation


59.2.6 inlinepower name


Configure the interface-related inline power interface name.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: inlinepower name <P-1>
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 32 characters.

59.2.7 inlinepower priority


Configure the inline power priority for this interface. In case of power scarcity, inline power on interfaces
configured with the lowest priority is dropped first. Possible values are: critical, high or low, default:
low. The highest priority is critical.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: inlinepower priority <P-1>
Parameter Value Meaning
P-1 crit. Set this interface's inline power priority to critical (highest).
    high Set this interface's inline power priority to high.
    low Set this interface's inline power priority to low. This is the default setting.

59.2.8 inlinepower fast-startup


Enable or disable fast startup.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: inlinepower fast-startup

 no inlinepower fast-startup
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no inlinepower fast-startup


59.2.9 inlinepower power-limit


Configure the interface-related maximum inline power that is reserved for a connected powered device
(PD). The power limit is ignored if it is set to 0 or if it is exceeded by the maximum observed power
consumption.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: inlinepower power-limit <P-1>
Parameter Value Meaning
P-1 xxx_0.000..30.000 PoE power limit in watts (e.g. 12.54).


59.3 show

Display device options and settings.

59.3.1 show inlinepower global


Show the inline power global settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show inlinepower global

59.3.2 show inlinepower port


Display interface-related inline power settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show inlinepower port [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

59.3.3 show inlinepower slot


Display slot-related inline power settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show inlinepower slot [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.


60 Port Monitor


60.1 port-monitor

Configure the Port Monitor condition settings.

60.1.1 port-monitor operation


Enable or disable the port monitor.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: port-monitor operation

 no port-monitor operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no port-monitor operation


60.2 port-monitor

Configure the Port Monitor condition settings.

60.2.1 port-monitor condition crc-fragments interval


Configure the measure interval in seconds (5-180s) for CRC-Fragment detection. Default 10.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition crc-fragments interval <P-1>
Parameter Value Meaning
P-1 5..180 Enter a number in the given range.

60.2.2 port-monitor condition crc-fragments count


Configure the CRC-Fragment counter in parts per million (1-1000000 [ppm]). Default 1000 [ppm].
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition crc-fragments count <P-1>
Parameter Value Meaning
P-1 1..1000000 Enter a number in the given range.

60.2.3 port-monitor condition crc-fragments mode


Enable or disable CRC-Fragments condition to trigger an action.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition crc-fragments mode


 no port-monitor condition crc-fragments mode


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no port-monitor condition crc-fragments mode

60.2.4 port-monitor condition link-flap interval


Configure the measure interval in seconds (1-180s) for Link Flap detection. Default 10.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition link-flap interval <P-1>
Parameter Value Meaning
P-1 1..180 Enter a number in the given range.

60.2.5 port-monitor condition link-flap count


Configure the Link Flap counter (1-100). Default 5.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition link-flap count <P-1>
Parameter Value Meaning
P-1 1..100 Enter a number in the given range.

60.2.6 port-monitor condition link-flap mode


Enable or disable link-flap condition to trigger an action.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition link-flap mode


 no port-monitor condition link-flap mode


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no port-monitor condition link-flap mode

60.2.7 port-monitor condition duplex-mismatch mode


Enable or disable duplex mismatch detection condition to trigger an action.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition duplex-mismatch mode

 no port-monitor condition duplex-mismatch mode


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no port-monitor condition duplex-mismatch mode

60.2.8 port-monitor condition overload-detection traffic-type


Configure Overload detection condition traffic type.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition overload-detection traffic-type <P-1>
Parameter Value Meaning
P-1 all All packets.
    bc Broadcast packets.
    bc-mc Broadcast and multicast packets.


60.2.9 port-monitor condition overload-detection unit


Configure Overload detection condition threshold type.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition overload-detection unit <P-1>
Parameter Value Meaning
P-1 pps Packets per second.
    kbps Kilobits per second.

60.2.10 port-monitor condition overload-detection upper-threshold


Configure Overload detection condition threshold type upper-threshold.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition overload-detection upper-threshold <P-1>
Parameter Value Meaning
P-1 0..10000000 Enter a number in the given range.

60.2.11 port-monitor condition overload-detection lower-threshold


Configure Overload detection condition threshold type lower-threshold.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition overload-detection lower-threshold <P-1>
Parameter Value Meaning
P-1 0..10000000 Enter a number in the given range.


60.2.12 port-monitor condition overload-detection polling-interval


Configure Overload detection condition detection interval.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition overload-detection polling-interval <P-1>
Parameter Value Meaning
P-1 1..20 Enter a number in the given range.

60.2.13 port-monitor condition overload-detection mode


Enable or disable Overload-Detection condition to trigger an action.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition overload-detection mode

 no port-monitor condition overload-detection mode


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no port-monitor condition overload-detection mode

60.2.14 port-monitor condition speed-duplex mode


Enable or disable link speed and duplex condition to trigger an action.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition speed-duplex mode

 no port-monitor condition speed-duplex mode


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no port-monitor condition speed-duplex mode


60.2.15 port-monitor condition speed-duplex speed


Set speed-duplex combination.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition speed-duplex speed [<P-1>] [<P-2>] [<P-3>] [<P-4>] [<P-5>] [<P-6>] [<P-7>]
Parameter Value Meaning
P-1 [hdx10] 10 Mbit/s - half duplex
P-2 [fdx10] 10 Mbit/s - full duplex
P-3 [hdx100] 100 Mbit/s - half duplex
P-4 [fdx100] 100 Mbit/s - full duplex
P-5 [hdx-1000] 1000 Mbit/s - half duplex
P-6 [fdx-1000] 1000 Mbit/s - full duplex
P-7 [fdx-2500] 2500 Mbit/s - full duplex

60.2.16 port-monitor condition speed-duplex clear


Clear the allowed speed-duplex combination list.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor condition speed-duplex clear

60.2.17 port-monitor action


Enable or disable interface on port condition.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor action <P-1>
Parameter Value Meaning
P-1 port-disable Disable interface on port condition.
    trap-only Send only a trap.
    auto-disable Enable or disable interface on port condition by AUTODIS.


60.2.18 port-monitor reset


Reset the port monitor.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-monitor reset [<P-1>]
Parameter Value Meaning
P-1 port Press Enter to execute the command.

 no port-monitor reset
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no port-monitor reset [<P-1>]


60.3 show

Display device options and settings.

60.3.1 show port-monitor operation


Display the Port Monitor operation.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show port-monitor operation

60.3.2 show port-monitor brief


Display the Port Monitor summary.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show port-monitor brief

60.3.3 show port-monitor overload-detection counters


Display the overload-detection counters of last interval.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show port-monitor overload-detection counters


60.3.4 show port-monitor overload-detection port


Display the Port Monitor overload detection interface details.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show port-monitor overload-detection port [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

60.3.5 show port-monitor speed-duplex


Display the Port Monitor link speed and duplex interface settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show port-monitor speed-duplex [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

60.3.6 show port-monitor port


Display the Port Monitor interface details.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show port-monitor port <P-1>
Parameter Value Meaning
P-1 slot no./port no.

60.3.7 show port-monitor link-flap


Display the link-flaps counts for a specific interface.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show port-monitor link-flap <P-1>

Parameter Value Meaning
P-1 slot no./port no.

60.3.8 show port-monitor crc-fragments


Display CRC-Fragments counts for a specific interface.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show port-monitor crc-fragments <P-1>
Parameter Value Meaning
P-1 slot no./port no.


61 Port Security


61.1 port-security

Port MAC locking/security

61.1.1 port-security operation


Enable/Disable Port MAC locking/security
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: port-security operation

 no port-security operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no port-security operation


61.2 port-security

Port MAC locking/security

61.2.1 port-security operation


Enable/Disable Port MAC locking/security for the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-security operation

 no port-security operation
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no port-security operation

61.2.2 port-security max-dynamic


Set dynamic limit for the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-security max-dynamic <P-1>
Parameter Value Meaning
P-1 0..600 maximum number of dynamically locked MAC addresses allowed


61.2.3 port-security max-static


Set Static Limit for the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-security max-static <P-1>
Parameter Value Meaning
P-1 0..64 maximum number of statically locked MAC addresses allowed

61.2.4 port-security mac-address add


Add Static MAC address to the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-security mac-address add <P-1> <P-2>
Parameter Value Meaning
P-1 aa:bb:cc:dd:ee:ff MAC address.
P-2 1..4042 VLAN ID

61.2.5 port-security mac-address move


Make dynamic MAC addresses static for the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-security mac-address move

61.2.6 port-security mac-address delete


Remove Static MAC address from the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-security mac-address delete <P-1> <P-2>

Parameter Value Meaning
P-1 aa:bb:cc:dd:ee:ff MAC address.
P-2 1..4042 VLAN ID

61.2.7 port-security violation-traps


SNMP violation traps for the interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: port-security violation-traps operation [frequency <P-1>]
operation: Enable/Disable SNMP violation traps for the interface.
[frequency]: The minimum seconds between two successive violation traps on this port.
Parameter Value Meaning
P-1 0..3600 time in seconds

 no port-security violation-traps
Disable the option
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: no port-security violation-traps operation [frequency]


61.3 show

Display device options and settings.

61.3.1 show port-security global


Port Security global status
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show port-security global

61.3.2 show port-security interface


Display port-security (port MAC locking) information for system.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show port-security interface [<P-1>]
Parameter Value Meaning
P-1 slot no./port no.

61.3.3 show port-security dynamic


Display dynamically learned MAC addresses
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show port-security dynamic <P-1>
Parameter Value Meaning
P-1 slot no./port no.


61.3.4 show port-security static


Display statically locked MAC addresses
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show port-security static <P-1>
Parameter Value Meaning
P-1 slot no./port no.

61.3.5 show port-security violation


Display port security violation information.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show port-security violation <P-1>
Parameter Value Meaning
P-1 slot no./port no.


62 Profinet IO


62.1 profinet

Configures the PROFINET functionality on this device.

62.1.1 profinet operation


Enables or disables the PROFINET functionality on this device.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: profinet operation

 no profinet operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no profinet operation

62.1.2 profinet name-of-station


Sets the name of the station.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: profinet name-of-station <P-1>
Parameter Value Meaning
P-1 string Enter the name of the station, alphanumeric ASCII string, max. 240 characters.


62.2 profinet

Configures the PROFINET functionality on this device.

62.2.1 profinet dcp-mode


Sets the PROFINET DCP mode on an interface.
 Mode: Interface Range Mode
 Privilege Level: Operator
 Format: profinet dcp-mode <P-1>
Parameter Value Meaning
P-1 none Sets the PROFINET DCP mode on an interface to none (neither ingress nor egress). The agent does not respond to frames received on this interface. The interface does not forward frames received on other interfaces.
    ingress Sets the PROFINET DCP mode on an interface to ingress only. The agent responds to frames received on this interface. The interface does not forward frames received on other interfaces.
    egress Sets the PROFINET DCP mode on an interface to egress only. The agent does not respond to frames received on this interface. The interface forwards frames received on other interfaces.
    both Sets the PROFINET DCP mode on an interface to both (ingress and egress). The agent responds to frames received on this interface. The interface forwards frames received on other interfaces.


62.3 copy

Copy different kinds of items.

62.3.1 copy gsdml-profinet system remote


Copy the GSDML file from the device to the file server
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy gsdml-profinet system remote <P-1>
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 128 characters.

62.3.2 copy gsdml-profinet system envm


Copy the GSDML file from the device to external non-volatile memory.
 Mode: Privileged Exec Mode
 Privilege Level: Operator
 Format: copy gsdml-profinet system envm


62.4 show

Display device options and settings.

62.4.1 show profinet global


Show the PROFINET global settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show profinet global

62.4.2 show profinet port


Show the port-related PROFINET settings.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show profinet port


63 Precision Time Protocol (PTP)


63.1 ptp

Enable or disable the Precision Time Protocol (IEEE 1588-2008).

63.1.1 ptp operation


Enable or disable the Precision Time Protocol (IEEE 1588-2008).
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp operation

 no ptp operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no ptp operation

63.1.2 ptp clock-mode


Configure PTPv2 (IEEE 1588-2008) clock mode. If the clock mode is changed, PTP will be initialized.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp clock-mode <P-1>
Parameter Value Meaning
P-1 v2-boundary-clock
    v2-transparent-clock


63.1.3 ptp sync-lower-bound


Configure the lower bound for the PTP clock synchronization status (unit: nanoseconds). If the
absolute value of the offset to the master clock is smaller than the lower bound, the clock's status is
set to synchronized (true).
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp sync-lower-bound <P-1>
Parameter Value Meaning
P-1 1..999999999

63.1.4 ptp sync-upper-bound


Configure the upper bound for the PTP clock synchronization status (unit: nanoseconds). If the
absolute value of the offset to the master clock is bigger than the upper bound, the clock's status is
set to unsynchronized (false).
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp sync-upper-bound <P-1>
Parameter Value Meaning
P-1 31..1000000000
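
Read together, 63.1.3 and 63.1.4 describe a hysteresis band: the status only changes when the offset falls below the lower bound or rises above the upper bound, and an offset between the two leaves it as it was. The Python below is an added example, not device code or code from this manual; it replays a series of offsets and reports each status change, which is the view a monitoring system needs to tell a stable clock from one that keeps losing synchronization. The initial unsynchronized state, the check that the lower bound is below the upper bound, the bound values 30 and 5000 and the sample offsets are assumptions constructed for the example.

```python
# Value ranges from the parameter tables of 63.1.3 and 63.1.4 (nanoseconds).
LOWER_BOUND_RANGE = range(1, 1_000_000_000)    # 1..999999999
UPPER_BOUND_RANGE = range(31, 1_000_000_001)   # 31..1000000000


class SyncStatus:
    """Tracks the synchronized flag from successive offsets to the master."""

    def __init__(self, lower_ns, upper_ns, synchronized=False):
        if lower_ns not in LOWER_BOUND_RANGE:
            raise ValueError("sync-lower-bound outside 1..999999999")
        if upper_ns not in UPPER_BOUND_RANGE:
            raise ValueError("sync-upper-bound outside 31..1000000000")
        # Assumption of this example: the band must not be empty or inverted.
        if lower_ns >= upper_ns:
            raise ValueError("lower bound must be below upper bound")
        self.lower_ns = lower_ns
        self.upper_ns = upper_ns
        # Assumption: the clock starts out unsynchronized.
        self.synchronized = synchronized

    def update(self, offset_ns):
        """Apply one measured offset and return the resulting status."""
        magnitude = abs(offset_ns)
        if magnitude < self.lower_ns:
            self.synchronized = True        # strictly smaller than lower bound
        elif magnitude > self.upper_ns:
            self.synchronized = False       # strictly bigger than upper bound
        # Between the bounds (inclusive) the previous status is kept.
        return self.synchronized


def status_changes(lower_ns, upper_ns, offsets_ns):
    """Return (sample index, offset, new status) for every status flip."""
    tracker = SyncStatus(lower_ns, upper_ns)
    changes = []
    for index, offset in enumerate(offsets_ns):
        before = tracker.synchronized
        after = tracker.update(offset)
        if after != before:
            changes.append((index, offset, after))
    return changes


# Constructed offsets in nanoseconds, not measurements from a device.
SAMPLE_OFFSETS = [12000, 4000, 25, -3000, 4999, -5001, 100, 29]

if __name__ == "__main__":
    for index, offset, status in status_changes(30, 5000, SAMPLE_OFFSETS):
        state = "synchronized" if status else "unsynchronized"
        print(f"sample {index}: offset {offset} ns -> {state}")
```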

63.1.5 ptp management


Enable or disable PTP management via PTP management messages.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp management

 no ptp management
Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no ptp management


63.1.6 ptp v2-transparent-clock syntonization


Enable or disable the syntonization (frequency synchronization) of the transparent-clock.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp v2-transparent-clock syntonization

 no ptp v2-transparent-clock syntonization


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no ptp v2-transparent-clock syntonization

63.1.7 ptp v2-transparent-clock network-protocol


Configure the network-protocol of the transparent-clock.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp v2-transparent-clock network-protocol <P-1>
Parameter Value Meaning
P-1 ieee802.3
udp-ipv4

63.1.8 ptp v2-transparent-clock multi-domain


Enable or disable the transparent-clock to process only the primary-domain or all domain numbers.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp v2-transparent-clock multi-domain

 no ptp v2-transparent-clock multi-domain


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no ptp v2-transparent-clock multi-domain


63.1.9 ptp v2-transparent-clock sync-local-clock


Enable or disable synchronization of the local clock (also enables syntonization).
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp v2-transparent-clock sync-local-clock

 no ptp v2-transparent-clock sync-local-clock


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no ptp v2-transparent-clock sync-local-clock

63.1.10 ptp v2-transparent-clock delay-mechanism


Configure the delay mechanism of the transparent-clock.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp v2-transparent-clock delay-mechanism <P-1>
Parameter Value Meaning
P-1 e2e
p2p
e2e-optimized
disable

63.1.11 ptp v2-transparent-clock primary-domain


Configure the primary-domain (for syntonization) of the transparent-clock.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp v2-transparent-clock primary-domain <P-1>
Parameter Value Meaning
P-1 0..255 Enter a number in the given range.


63.1.12 ptp v2-transparent-clock vlan


VLAN in which PTP packets are sent. With a value of none, all packets are sent untagged.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp v2-transparent-clock vlan <P-1>
Parameter Value Meaning
P-1 vlanId Send PTP to vlanId. Use 0 for priority-only tagged frames.
none Send all PTP packets untagged.

63.1.13 ptp v2-transparent-clock vlan-priority


VLAN priority of tagged PTP packets.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp v2-transparent-clock vlan-priority <P-1>
Parameter Value Meaning
P-1 0..7

63.1.14 ptp v2-boundary-clock domain


Configure the PTP domain number (0..255)
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock domain <P-1>
Parameter Value Meaning
P-1 0..255 Enter a number in the given range.


63.1.15 ptp v2-boundary-clock priority1


Configure the priority1 value (0..255) for the BMCA
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock priority1 <P-1>
Parameter Value Meaning
P-1 0..255 Enter a number in the given range.

63.1.16 ptp v2-boundary-clock priority2


Configure the priority2 value (0..255) for the BMCA
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock priority2 <P-1>
Parameter Value Meaning
P-1 0..255 Enter a number in the given range.

63.1.17 ptp v2-boundary-clock utc-offset


Configure the current UTC offset (TAI - UTC) in seconds.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock utc-offset <P-1>
Parameter Value Meaning
P-1 -32768..32767

63.1.18 ptp v2-boundary-clock utc-offset-valid


Configure the UTC offset valid flag
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock utc-offset-valid <P-1>


Parameter Value Meaning
P-1 true True
false False

 no ptp v2-boundary-clock utc-offset-valid


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no ptp v2-boundary-clock utc-offset-valid <P-1>


63.2 ptp

Enable or disable the Precision Time Protocol (IEEE 1588-2008) on a port.

63.2.1 ptp v2-transparent-clock operation


Enable or disable the sending and receiving / processing of PTP synchronization messages.
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: ptp v2-transparent-clock operation

 no ptp v2-transparent-clock operation


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: no ptp v2-transparent-clock operation

63.2.2 ptp v2-transparent-clock asymmetry


Set the asymmetry of the link connected to this interface
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: ptp v2-transparent-clock asymmetry <P-1>
Parameter Value Meaning
P-1 -2000000000..2000000000


63.2.3 ptp v2-transparent-clock pdelay-interval


Configure the Peer Delay Interval in seconds {1|2|4|8|16|32}. This interval is used if delay-mechanism
is set to p2p.
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: ptp v2-transparent-clock pdelay-interval <P-1>
Parameter Value Meaning
P-1 1
2
4
8
16
32

63.2.4 ptp v2-boundary-clock operation


Enable or disable the sending and receiving/processing of PTP synchronization messages.
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock operation

 no ptp v2-boundary-clock operation


Disable the option
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: no ptp v2-boundary-clock operation

63.2.5 ptp v2-boundary-clock pdelay-interval


Configure the Peer Delay Interval in seconds {1|2|4|8|16|32}. This interval is used if delay-mechanism
is set to p2p.
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock pdelay-interval <P-1>


Parameter Value Meaning
P-1 1
2
4
8
16
32

63.2.6 ptp v2-boundary-clock announce-interval


Configure the Announce Interval in seconds {1|2|4|8|16}.
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock announce-interval <P-1>
Parameter Value Meaning
P-1 1
2
4
8
16

63.2.7 ptp v2-boundary-clock sync-interval


Configure the Sync Interval in seconds {0.25|0.5|1|2}.
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock sync-interval <P-1>
Parameter Value Meaning
P-1 0.25
0.5
1
2


63.2.8 ptp v2-boundary-clock announce-timeout


Configure the Announce Receipt Timeout (2..10).
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock announce-timeout <P-1>
Parameter Value Meaning
P-1 2..10

63.2.9 ptp v2-boundary-clock asymmetry


Set the asymmetry of the link connected to this interface
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock asymmetry <P-1>
Parameter Value Meaning
P-1 -2000000000..2000000000

63.2.10 ptp v2-boundary-clock v1-compatibility-mode


Set the PTPv1 Hardware compatibility mode {auto|on|off}.
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock v1-compatibility-mode <P-1>
Parameter Value Meaning
P-1 on
off
auto


63.2.11 ptp v2-boundary-clock delay-mechanism


Configure the delay mechanism of the boundary-clock.
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock delay-mechanism <P-1>
Parameter Value Meaning
P-1 e2e
p2p
disable

63.2.12 ptp v2-boundary-clock network-protocol


Configure the network-protocol
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock network-protocol <P-1>
Parameter Value Meaning
P-1 ieee802.3
udp-ipv4

63.2.13 ptp v2-boundary-clock vlan-priority


VLAN priority of tagged PTP packets.
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock vlan-priority <P-1>
Parameter Value Meaning
P-1 0..7


63.2.14 ptp v2-boundary-clock vlan


VLAN in which PTP packets are sent. With a value of none, all packets are sent untagged.
 Mode: Interface Range Mode
 Privilege Level: Administrator
 Format: ptp v2-boundary-clock vlan <P-1>
Parameter Value Meaning
P-1 vlanId Send PTP to vlanId. Use 0 for priority-only tagged frames.
none Send all PTP packets untagged.


63.3 show

Display device options and settings.

63.3.1 show ptp


Show PTP parameters and status
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show ptp [global] [v2-boundary-clock] [v2-transparent-clock] [port]
[v2-transparent-clock] [v2-boundary-clock]
[global]: Show PTP global status
[v2-boundary-clock]: Show PTP Boundary Clock status
[v2-transparent-clock]: Show PTP Transparent Clock status
[port]: Show PTP port values
[v2-transparent-clock]: Show the PTP Transparent Clock port values
[v2-boundary-clock]: Show the PTP Boundary Clock port values.


64 Password Management


64.1 passwords

Manage password policies and options.

64.1.1 passwords min-length


Set minimum password length for user passwords.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: passwords min-length <P-1>
Parameter Value Meaning
P-1 1..64 Enter a number in the given range.

64.1.2 passwords max-login-attempts


Set maximum login attempts for the users.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: passwords max-login-attempts <P-1>
Parameter Value Meaning
P-1 0..5 Enter a number in the given range.

64.1.3 passwords min-uppercase-chars


Set minimum upper case characters for user passwords.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: passwords min-uppercase-chars <P-1>
Parameter Value Meaning
P-1 0..16 Enter a number in the given range.


64.1.4 passwords min-lowercase-chars


Set minimum lower case characters for user passwords.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: passwords min-lowercase-chars <P-1>
Parameter Value Meaning
P-1 0..16 Enter a number in the given range.

64.1.5 passwords min-numeric-chars


Set minimum numeric characters for user passwords.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: passwords min-numeric-chars <P-1>
Parameter Value Meaning
P-1 0..16 Enter a number in the given range.

64.1.6 passwords min-special-chars


Set minimum special characters for user passwords.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: passwords min-special-chars <P-1>
Parameter Value Meaning
P-1 0..16 Enter a number in the given range.


64.2 show

Display device options and settings.

64.2.1 show passwords


Display password policies and options.
 Mode: Command is in all modes available.
 Privilege Level: Administrator
 Format: show passwords


65 Radius


65.1 authorization

Configure authorization parameters.

65.1.1 authorization network radius


Enable or disable the switch to accept VLAN assignment by the RADIUS server.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: authorization network radius

 no authorization network radius


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no authorization network radius


65.2 radius

Configure RADIUS parameters.

65.2.1 radius accounting mode


Enable or disable RADIUS accounting function.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: radius accounting mode

 no radius accounting mode


Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no radius accounting mode

65.2.2 radius server attribute 4


Specifies the RADIUS client to use the NAS-IP Address attribute in the RADIUS requests.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: radius server attribute 4 <P-1>
Parameter Value Meaning
P-1 A.B.C.D IP address.


65.2.3 radius server acct add


Add a RADIUS accounting server.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: radius server acct add <P-1> ip <P-2> [name <P-3>] [port <P-4>]
ip: RADIUS accounting server IP address.
[name]: RADIUS accounting server name.
[port]: RADIUS accounting server port (default: 1813).
Parameter Value Meaning
P-1 1..8 Next RADIUS server valid index (it can be seen with '#show radius global' command).
P-2 string Hostname or IP address.
P-3 string Enter a user-defined text, max. 32 characters.
P-4 1..65535 Enter port number between 1 and 65535

65.2.4 radius server acct delete


Delete a RADIUS accounting server.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: radius server acct delete <P-1>
Parameter Value Meaning
P-1 1..8 RADIUS server index.

65.2.5 radius server acct modify


Change the parameters of a RADIUS accounting server.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: radius server acct modify <P-1> [name <P-2>] [port <P-3>] [status
<P-4>] [secret [<P-5>]] [encrypted <P-6>]
[name]: RADIUS accounting server name.
[port]: RADIUS accounting server port (default: 1813).
[status]: Enable or disable a RADIUS accounting server entry.
[secret]: Configure the shared secret for the RADIUS accounting server.
[encrypted]: Configure the encrypted shared secret.
Parameter Value Meaning
P-1 1..8 RADIUS server index.
P-2 string Enter a user-defined text, max. 32 characters.

P-3 1..65535 Enter port number between 1 and 65535
P-4 enable Enable the option.
disable Disable the option.
P-5 string Enter a user-defined text, max. 128 characters.
P-6 string Enter a user-defined text, max. 128 characters.

65.2.6 radius server auth add


Add a RADIUS authentication server.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: radius server auth add <P-1> ip <P-2> [name <P-3>] [port <P-4>]
ip: RADIUS authentication server IP address.
[name]: RADIUS authentication server name.
[port]: RADIUS authentication server port (default: 1812).
Parameter Value Meaning
P-1 1..8 Next RADIUS server valid index (it can be seen with '#show radius global' command).
P-2 string Hostname or IP address.
P-3 string Enter a user-defined text, max. 32 characters.
P-4 1..65535 Enter port number between 1 and 65535

65.2.7 radius server auth delete


Delete a RADIUS authentication server.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: radius server auth delete <P-1>
Parameter Value Meaning
P-1 1..8 RADIUS server index.


65.2.8 radius server auth modify


Change the parameters of a RADIUS authentication server.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: radius server auth modify <P-1> [name <P-2>] [port <P-3>] [msgauth
<P-4>] [primary <P-5>] [status <P-6>] [secret [<P-7>]] [encrypted <P-8>]
[name]: RADIUS authentication server name.
[port]: RADIUS authentication server port (default: 1812).
[msgauth]: Enable or disable the message authenticator attribute for this server.
[primary]: Configure the primary RADIUS server.
[status]: Enable or disable a RADIUS authentication server entry.
[secret]: Configure the shared secret for the RADIUS authentication server.
[encrypted]: Configure the encrypted shared secret.
Parameter Value Meaning
P-1 1..8 RADIUS server index.
P-2 string Enter a user-defined text, max. 32 characters.
P-3 1..65535 Enter port number between 1 and 65535
P-4 enable Enable the option.
disable Disable the option.
P-5 enable Enable the option.
disable Disable the option.
P-6 enable Enable the option.
disable Disable the option.
P-7 string Enter a user-defined text, max. 128 characters.
P-8 string Enter a user-defined text, max. 128 characters.

65.2.9 radius server retransmit


Configure the retransmit value for the RADIUS server.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: radius server retransmit <P-1>
Parameter Value Meaning
P-1 1..15 Maximum number of retransmissions (default: 4).


65.2.10 radius server timeout


Configure the RADIUS server timeout value.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: radius server timeout <P-1>
Parameter Value Meaning
P-1 1..30 Timeout in seconds (default: 5).


65.3 show

Display device options and settings.

65.3.1 show radius global


Display global RADIUS configuration.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show radius global

65.3.2 show radius auth servers


Display all configured RADIUS authentication servers.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show radius auth servers [<P-1>]
Parameter Value Meaning
P-1 1..8 RADIUS server index.

65.3.3 show radius auth statistics


Display RADIUS authentication server statistics.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show radius auth statistics <P-1>
Parameter Value Meaning
P-1 1..8 RADIUS server index.


65.3.4 show radius acct statistics


Display RADIUS accounting server statistics.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show radius acct statistics <P-1>
Parameter Value Meaning
P-1 1..8 RADIUS server index.

65.3.5 show radius acct servers


Display all configured RADIUS accounting servers.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show radius acct servers [<P-1>]
Parameter Value Meaning
P-1 1..8 RADIUS server index.


65.4 clear

Clear several items.

65.4.1 clear radius


Clear the RADIUS statistics.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: clear radius <P-1>
Parameter Value Meaning
P-1 statistics Clear the RADIUS statistics.


66 Redundant Coupling Protocol (RCP)


66.1 redundant-coupling

Set RCP parameters.

66.1.1 redundant-coupling operation


This command enables/disables the RCP.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: redundant-coupling operation

 no redundant-coupling operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: no redundant-coupling operation

66.1.2 redundant-coupling timeout


Set RCP timeout in milliseconds.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: redundant-coupling timeout <P-1>
Parameter Value Meaning
P-1 5..60000 Enter a number in the given range.


66.1.3 redundant-coupling role


Set the desired role of the current device inside the RCP.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: redundant-coupling role <P-1>
Parameter Value Meaning
P-1 master Set this device as master RCP device.
slave Set this device as slave RCP device.
auto Let the RCP decide the role of this device.

66.1.4 redundant-coupling port primary inner


Set a port as primary ring inner port.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: redundant-coupling port primary inner <P-1>
Parameter Value Meaning
P-1 slot no./port no.

66.1.5 redundant-coupling port primary outer


Set a port as primary ring outer port.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: redundant-coupling port primary outer <P-1>
Parameter Value Meaning
P-1 slot no./port no.


66.1.6 redundant-coupling port secondary inner


Set a port as secondary ring inner port.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: redundant-coupling port secondary inner <P-1>
Parameter Value Meaning
P-1 slot no./port no.

66.1.7 redundant-coupling port secondary outer


Set a port as secondary ring outer port.
 Mode: Global Config Mode
 Privilege Level: Operator
 Format: redundant-coupling port secondary outer <P-1>
Parameter Value Meaning
P-1 slot no./port no.


66.2 show

Display device options and settings.

66.2.1 show redundant-coupling global


Show the global configuration of the RCP.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show redundant-coupling global

66.2.2 show redundant-coupling status


Show the status of the RCP.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show redundant-coupling status

66.2.3 show redundant-coupling partner


Show information about the coupling partner device.
 Mode: Command is in all modes available.
 Privilege Level: Guest
 Format: show redundant-coupling partner


67 Remote Authentication


67.1 ldap

Configure LDAP settings.

67.1.1 ldap operation


Enable or disable the remote authentication operation.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap operation

 no ldap operation
Disable the option
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: no ldap operation

67.1.2 ldap cache-timeout


Configure LDAP user cache entry timeout.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap cache-timeout <P-1>
Parameter Value Meaning
P-1 1..1440 Enter a number in the given range.


67.1.3 ldap flush-user-cache


Flush LDAP user cache.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap flush-user-cache <P-1>
Parameter Value Meaning
P-1 action Flush the LDAP user cache.

67.1.4 ldap role-policy


Configure LDAP user role selection policy.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap role-policy <P-1>
Parameter Value Meaning
P-1 highest Use the role mapping with the highest user role.
first Use the first matching role mapping table entry.

67.1.5 ldap basedn


Base distinguished name for LDAP query at the external AD server.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap basedn <P-1>
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 255 characters.


67.1.6 ldap search-attr


Search attribute for LDAP query at the external AD server.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap search-attr <P-1>
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 64 characters.

67.1.7 ldap bind-user


Bind-account user name for LDAP query at the external AD server.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap bind-user <P-1>
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 255 characters.

67.1.8 ldap bind-passwd


Bind-account user password for LDAP query at the external AD server.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap bind-passwd <P-1>
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 64 characters.

67.1.9 ldap default-domain


Default domain used for users without a domain name.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap default-domain <P-1>


Parameter Value Meaning
P-1 string Enter a user-defined text, max. 64 characters.

67.1.10 ldap client server add


Add a LDAP client server connection.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap client server add <P-1> <P-2> <P-3> [port <P-4>] [security <P-5>] [description <P-6>]
[port]: Set the port number of the external LDAP server.
[security]: Set the security settings for the connection to external LDAP server.
[description]: Description of the external LDAP server.
Parameter Value Meaning
P-1 1..4 Enter a number in the given range.
P-2 string_ActiveDir Hostname or IP address.
P-3 a.b.c.d IP address.
P-4 1..65535 Port number of LDAP Server.
P-5 none
ssl
startTLS
P-6 string Enter a user-defined text, max. 100 characters.

67.1.11 ldap client server delete


Delete a LDAP client server connection.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap client server delete <P-1>
Parameter Value Meaning
P-1 1..4 Enter a number in the given range.


67.1.12 ldap client server enable


Enable a LDAP client server connection.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap client server enable <P-1>
Parameter Value Meaning
P-1 1..4 Enter a number in the given range.

67.1.13 ldap client server disable


Disable a LDAP client server connection.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap client server disable <P-1>
Parameter Value Meaning
P-1 1..4 Enter a number in the given range.

67.1.14 ldap client server modify


Modify a LDAP client server connection.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap client server modify <P-1> [addr <P-2> <P-3>] [port <P-4>]
[security <P-5>] [description <P-6>]
[addr]: Modify the host address of the external LDAP server.
[port]: Modify the port number of the external LDAP server.
[security]: Modify the security settings for the connection to external LDAP server.
[description]: Modify the description of the external LDAP server.
Parameter Value Meaning
P-1 1..4 Enter a number in the given range.
P-2 string_ActiveDir Hostname or IP address.
P-3 a.b.c.d IP address.
P-4 1..65535 Port number of LDAP Server.
P-5 none
ssl
startTLS
P-6 string Enter a user-defined text, max. 100 characters.
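
An added example (not part of the Hirschmann manual): a Python audit of a CLI script for the two transport-protection options documented in this manual, the security option of "ldap client server add/modify" and the msgauth option of "radius server auth modify" (section 65.2.8). It assumes the script uses exactly the syntax of the Format lines; the sample script, host names and addresses are constructed.

```python
import shlex

# Option keywords taken from the Format lines; value = maximum number of arguments.
LDAP_OPTS = {"addr": 2, "port": 1, "security": 1, "description": 1}
RADIUS_OPTS = {"name": 1, "port": 1, "msgauth": 1, "primary": 1,
               "status": 1, "secret": 1, "encrypted": 1}

# Constructed sample script (documentation-range addresses, made-up names).
SAMPLE = """\
ldap client server add 1 dc1.example.test 192.0.2.10 port 389 security none description "lab security none"
ldap client server add 2 dc2.example.test 192.0.2.11 port 636 security ssl
ldap client server add 3 dc3.example.test 192.0.2.12
ldap client server modify 1 security startTLS
ldap client server add 4 dc4.example.test 192.0.2.13 security none
ldap client server delete 2
radius server auth add 1 ip 192.0.2.20 name primary-aaa
radius server auth modify 1 msgauth disable secret
radius server auth add 2 ip 192.0.2.21
radius server auth modify 2 name "msgauth disable" msgauth enable
"""


def parse_options(tokens, spec, optional=()):
    """Walk tokens left to right and return {keyword: [values]}.

    A keyword always consumes its first value, so a name or description
    that merely contains "security none" is never misread as a setting.
    Keywords in `optional` may appear without a value.
    """
    found, i = {}, 0
    while i < len(tokens):
        word = tokens[i]
        if word not in spec:
            i += 1                      # positional argument (host, address)
            continue
        values, j = [], i + 1
        while j < len(tokens) and len(values) < spec[word]:
            if tokens[j] in spec and (values or word in optional):
                break                   # next keyword starts here
            values.append(tokens[j])
            j += 1
        found[word] = values
        i = j
    return found


def _apply(state, verb, idx, opts, key):
    """Apply add/modify/delete for one server index; the last setting wins."""
    if verb == "delete":
        state.pop(idx, None)
    elif verb in ("add", "modify"):
        previous = None if verb == "add" else state.get(idx)
        value = opts.get(key)
        state[idx] = value[0].lower() if value else previous


def audit(script):
    """Return (severity, target, detail) findings for a CLI script."""
    ldap, radius = {}, {}
    for raw in script.splitlines():
        try:
            t = shlex.split(raw)
        except ValueError:              # unbalanced quote: fall back to plain split
            t = raw.split()
        if len(t) < 5:
            continue
        verb, idx = t[3], t[4]
        if t[:3] == ["ldap", "client", "server"]:
            _apply(ldap, verb, idx, parse_options(t[5:], LDAP_OPTS), "security")
        elif t[:3] == ["radius", "server", "auth"]:
            opts = parse_options(t[5:], RADIUS_OPTS, optional=("secret",))
            _apply(radius, verb, idx, opts, "msgauth")

    findings = []
    for idx in sorted(ldap):
        if ldap[idx] == "none":
            findings.append(("weak", f"ldap {idx}",
                             "security none: connection is not protected by ssl or startTLS"))
        elif ldap[idx] is None:
            findings.append(("unset", f"ldap {idx}",
                             "security not set in this script; check 'show ldap client server'"))
    for idx in sorted(radius):
        if radius[idx] == "disable":
            findings.append(("weak", f"radius-auth {idx}",
                             "msgauth disabled: message authenticator attribute is off"))
        elif radius[idx] is None:
            findings.append(("unset", f"radius-auth {idx}",
                             "msgauth not set in this script; check 'show radius auth servers'"))
    return findings


if __name__ == "__main__":
    for severity, target, detail in audit(SAMPLE):
        print(f"{severity:5} {target:14} {detail}")
```

Entries reported as "unset" are not necessarily weak: this section does not state the default values, so the effective setting has to be read from the device with the show commands named in the finding.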


67.1.15 ldap mapping add


Add a LDAP mapping entry.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap mapping add <P-1> access-role <P-2> mapping-type <P-3> mapping-parameter <P-4>
access-role: Access role type.
mapping-type: Role mapping type.
mapping-parameter: Role mapping parameter.
Parameter Value Meaning
P-1 1..64 Enter a number in the given range.
P-2 slot no./port no.
P-3 attribute
group
P-4 string Enter a user-defined text, max. 255 characters.

67.1.16 ldap mapping delete


Delete a LDAP role mapping entry.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap mapping delete <P-1>
Parameter Value Meaning
P-1 1..64 Enter a number in the given range.

67.1.17 ldap mapping enable


Activate a LDAP role mapping entry.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap mapping enable <P-1>
Parameter Value Meaning
P-1 1..64 Enter a number in the given range.


67.1.18 ldap mapping disable


Deactivate a LDAP role mapping entry.
 Mode: Global Config Mode
 Privilege Level: Administrator
 Format: ldap mapping disable <P-1>
Parameter Value Meaning
P-1 1..64 Enter a number in the given range.


67.2 show

Display device options and settings.

67.2.1 show ldap global


Show LDAP configuration parameters and information.
 Mode: Command is in all modes available.
 Privilege Level: Administrator
 Format: show ldap global

67.2.2 show ldap client server


Show LDAP client server connections.
 Mode: Command is in all modes available.
 Privilege Level: Administrator
 Format: show ldap client server [<P-1>]
Parameter Value Meaning
P-1 1..4 Enter a number in the given range.

67.2.3 show ldap mapping


Show LDAP role mapping entries.
 Mode: Command is in all modes available.
 Privilege Level: Administrator
 Format: show ldap mapping [<P-1>]
Parameter Value Meaning
P-1 1..64 Enter a number in the given range.


67.3 copy

Copy different kinds of items.

67.3.1 copy ldapcacert remote


Copy CA certificate file (*.pem) from the remote AD server to the specified destination.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: copy ldapcacert remote <P-1> nvm [<P-2>]
nvm: Copy CA certificate file (*.pem) from the remote AD server to the device.
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 128 characters.
P-2 string Enter a user-defined text, max. 100 characters.

67.3.2 copy ldapcacert envm


Copy CA certificate file (*.pem) from external non-volatile memory to the specified destination.
 Mode: Privileged Exec Mode
 Privilege Level: Administrator
 Format: copy ldapcacert envm <P-1> nvm [<P-2>]
nvm: Copy CA certificate file (*.pem) from external non-volatile memory to the device.
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 128 characters.
P-2 string Enter a user-defined text, max. 100 characters.


68 Remote Monitoring (RMON)


68.1 rmon-alarm

Create a RMON alarm action.

68.1.1 rmon-alarm add


Add RMON alarm.
▪ Mode: Global Config Mode
▪ Privilege Level: Operator
▪ Format: rmon-alarm add <P-1> [mib-variable <P-2>] [rising-threshold <P-3>] [falling-threshold <P-4>]
[mib-variable]: MIB variable
[rising-threshold]: Rising threshold
[falling-threshold]: Falling threshold
Parameter  Value          Meaning
P-1        1..150         Enter an index that uniquely identifies an entry in the alarm table.
P-2        string         Enter an object identifier of the particular variable to be sampled, max. 32 characters.
P-3        1..2147483647  Enter the rising threshold for the sampled statistic.
P-4        1..2147483647  Enter the falling threshold for the sampled statistic.

68.1.2 rmon-alarm enable


Enable RMON alarm.
▪ Mode: Global Config Mode
▪ Privilege Level: Operator
▪ Format: rmon-alarm enable <P-1>
Parameter  Value   Meaning
P-1        1..150  Enter an index that uniquely identifies an entry in the alarm table.

68.1.3 rmon-alarm disable


Disable RMON alarm.
▪ Mode: Global Config Mode
▪ Privilege Level: Operator
▪ Format: rmon-alarm disable <P-1>
Parameter  Value   Meaning
P-1        1..150  Enter an index that uniquely identifies an entry in the alarm table.

68.1.4 rmon-alarm delete


Delete RMON alarm.
▪ Mode: Global Config Mode
▪ Privilege Level: Operator
▪ Format: rmon-alarm delete <P-1>
Parameter  Value   Meaning
P-1        1..150  Enter an index that uniquely identifies an entry in the alarm table.

68.1.5 rmon-alarm modify


Modify RMON alarm parameters.
▪ Mode: Global Config Mode
▪ Privilege Level: Operator
▪ Format: rmon-alarm modify <P-1> [mib-variable <P-2>] [rising-threshold <P-3>] [falling-threshold <P-4>] [interval <P-5>] [sample-type <P-6>] [startup-alarm <P-7>] [rising-event <P-8>] [falling-event <P-9>]
[mib-variable]: Enter the alarm mib variable.
[rising-threshold]: Enter the alarm rising threshold.
[falling-threshold]: Enter the alarm falling-threshold.
[interval]: Enter the alarm interval in seconds over which the data is sampled.
[sample-type]: Enter the alarm method of sampling the selected variable.
[startup-alarm]: Enter the alarm type.
[rising-event]: Enter the alarm rising-event index.
[falling-event]: Enter the alarm falling-event index.
Parameter  Value                 Meaning
P-1        1..150                Enter an index that uniquely identifies an entry in the alarm table.
P-2        string                Enter an object identifier of the particular variable to be sampled, max. 32 characters.
P-3        1..2147483647         Enter the rising threshold for the sampled statistic.
P-4        1..2147483647         Enter the falling threshold for the sampled statistic.
P-5        1..2147483647         Enter the interval in seconds over which the data is sampled and compared with the rising and falling thresholds.
P-6        absoluteValue         Variable is compared directly with the thresholds.
           deltaValue            Variable is subtracted from the current value and the difference compared with the thresholds.
P-7        risingAlarm           Single rising alarm generated when the sample is greater than or equal to the rising threshold.
           fallingAlarm          Single falling alarm generated when the sample is less than or equal to the falling threshold.
           risingOrFallingAlarm  Single rising alarm generated when the sample is greater than or equal to risingThreshold and single falling alarm generated when the sample is less than or equal to fallingThreshold.
P-8        1..65535              Enter the index of the eventEntry that is used when a rising threshold is crossed.
P-9        1..65535              Enter the index of the eventEntry that is used when a falling threshold is crossed.
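
How the sample-type, startup-alarm and threshold parameters interact is easiest to see by replaying readings through a small model. The following is an added example, not code from this manual or the device firmware: the class and function names are hypothetical, and the re-arming rule (a rising alarm fires again only after the sample has dropped to the falling threshold, and vice versa) is taken from the RMON alarm definition in RFC 2819.

```python
from dataclasses import dataclass
from typing import List, Optional

RISING_STARTUP = ("risingAlarm", "risingOrFallingAlarm")
FALLING_STARTUP = ("fallingAlarm", "risingOrFallingAlarm")


@dataclass
class RmonAlarm:
    """Model of one alarm table entry (hypothetical helper, not device code)."""
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "absoluteValue"           # or "deltaValue"
    startup_alarm: str = "risingOrFallingAlarm"  # or "risingAlarm" / "fallingAlarm"

    def __post_init__(self) -> None:
        if self.sample_type not in ("absoluteValue", "deltaValue"):
            raise ValueError("unknown sample type")
        # Assumption of this example: a usable hysteresis band needs
        # the falling threshold below the rising threshold.
        if self.falling_threshold >= self.rising_threshold:
            raise ValueError("falling threshold must be below rising threshold")
        self._prev_raw: Optional[int] = None  # last raw reading (deltaValue only)
        self._first = True                    # next evaluated value is the first one
        self._rising_armed = True
        self._falling_armed = True

    def sample(self, raw: int) -> Optional[str]:
        """Feed one reading; return "rising", "falling" or None."""
        if self.sample_type == "deltaValue":
            prev, self._prev_raw = self._prev_raw, raw
            if prev is None:
                return None          # first reading only primes the difference
            value = raw - prev       # previous reading subtracted from current
        else:
            value = raw
        first, self._first = self._first, False

        if value >= self.rising_threshold:
            fire = self._rising_armed and (
                not first or self.startup_alarm in RISING_STARTUP)
            # A rising crossing disarms rising and re-arms falling.
            self._rising_armed, self._falling_armed = False, True
            return "rising" if fire else None
        if value <= self.falling_threshold:
            fire = self._falling_armed and (
                not first or self.startup_alarm in FALLING_STARTUP)
            self._falling_armed, self._rising_armed = False, True
            return "falling" if fire else None
        return None                  # inside the hysteresis band: no alarm


def run(alarm: RmonAlarm, readings: List[int]) -> List[Optional[str]]:
    """Replay a list of readings and collect the alarm generated per sample."""
    return [alarm.sample(r) for r in readings]


if __name__ == "__main__":
    # Constructed readings: a value oscillating around the rising threshold
    # produces one alarm, not one per sample.
    absolute = RmonAlarm(rising_threshold=100, falling_threshold=20)
    print(run(absolute, [50, 120, 130, 90, 110, 20, 10, 100]))

    # Constructed counter readings evaluated as per-interval differences.
    delta = RmonAlarm(1000, 100, sample_type="deltaValue",
                      startup_alarm="fallingAlarm")
    print(run(delta, [0, 5000, 5200, 5250, 9000]))
```

With deltaValue on a monotonically increasing counter, the thresholds describe a rate per interval, which is why the interval parameter matters as much as the threshold values.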

68.2 show

Display device options and settings.

68.2.1 show rmon statistics


Show RMON statistics configuration.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Guest
▪ Format: show rmon statistics [<P-1>]
Parameter  Value              Meaning
P-1        slot no./port no.

68.2.2 show rmon alarm


Display configuration on RMON alarms.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Guest
▪ Format: show rmon alarm

69 Script File

69.1 script

CLI Script File.

69.1.1 script apply


Executes the CLI script file available in the device.
▪ Mode: Privileged Exec Mode
▪ Privilege Level: Administrator
▪ Format: script apply <P-1>
Parameter  Value   Meaning
P-1        string  Filename.

69.1.2 script validate


Only validates the CLI script file available in the device.
▪ Mode: Privileged Exec Mode
▪ Privilege Level: Administrator
▪ Format: script validate <P-1>
Parameter  Value   Meaning
P-1        string  Filename.

69.1.3 script list system


List all the script files available in the device memory.
▪ Mode: Privileged Exec Mode
▪ Privilege Level: Administrator
▪ Format: script list system

69.1.4 script list envm


List all the script files available in external non-volatile memory.
▪ Mode: Privileged Exec Mode
▪ Privilege Level: Administrator
▪ Format: script list envm

69.1.5 script delete


Delete the CLI script files.
▪ Mode: Privileged Exec Mode
▪ Privilege Level: Administrator
▪ Format: script delete [<P-1>]
Parameter  Value   Meaning
P-1        string  Filename.

69.2 copy

Copy different kinds of items.

69.2.1 copy script envm


Copy script file from external non-volatile memory to specified destination.
▪ Mode: Privileged Exec Mode
▪ Privilege Level: Administrator
▪ Format: copy script envm <P-1> running-config nvm <P-2>
running-config: Copy script file from external non-volatile memory to the running-config.
nvm: Copy script file from external non-volatile memory to the non-volatile memory.
Parameter  Value   Meaning
P-1        string  Filename.
P-2        string  Enter a user-defined text, max. 32 characters.

69.2.2 copy script remote


Copy script file from server to specified destination.
▪ Mode: Privileged Exec Mode
▪ Privilege Level: Administrator
▪ Format: copy script remote <P-1> running-config nvm <P-2>
running-config: Copy script file from file server to running-config.
nvm: Copy script file to non-volatile memory.
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 128 characters.
P-2        string  Enter a user-defined text, max. 32 characters.

69.2.3 copy script nvm


Copy Script file from non-volatile memory to the specified destination.
▪ Mode: Privileged Exec Mode
▪ Privilege Level: Administrator
▪ Format: copy script nvm <P-1> running-config envm <P-2> remote <P-3>
running-config: Copy Script file from non-volatile system memory to running-config.
envm: Copy Script file to external non-volatile memory device.
remote: Copy Script file to file server.
Parameter  Value   Meaning
P-1        string  Filename.
P-2        string  Enter a user-defined text, max. 32 characters.
P-3        string  Enter a user-defined text, max. 128 characters.

69.2.4 copy script running-config nvm


Copy running configuration to non-volatile memory.
▪ Mode: Privileged Exec Mode
▪ Privilege Level: Administrator
▪ Format: copy script running-config nvm <P-1> [all]
[all]: Copy all running configuration to non-volatile memory.
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 32 characters.

69.2.5 copy script running-config envm


Copy running configuration to external non-volatile memory device.
▪ Mode: Privileged Exec Mode
▪ Privilege Level: Administrator
▪ Format: copy script running-config envm <P-1> [all]
[all]: Copy all running configuration to external non-volatile memory.
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 32 characters.

69.2.6 copy script running-config remote


Copy running configuration to a file server.
▪ Mode: Privileged Exec Mode
▪ Privilege Level: Administrator
▪ Format: copy script running-config remote <P-1> [all]
[all]: Copy all running configuration to file server.
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 128 characters.

69.3 show

Display device options and settings.

69.3.1 show script envm


Displays the content of the CLI script file present in the envm.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Administrator
▪ Format: show script envm <P-1>
Parameter  Value   Meaning
P-1        string  Filename.

69.3.2 show script system


Displays the content of the CLI script file present in the device.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Administrator
▪ Format: show script system <P-1>
Parameter  Value   Meaning
P-1        string  Filename.

70 Selftest

70.1 selftest

Configure the selftest settings.

70.1.1 selftest action


Configure the action that a selftest component should take.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: selftest action <P-1> <P-2>
Parameter  Value      Meaning
P-1        task       Configure the action for task errors.
           resource   Configure the action for lack of resources.
           software   Configure the action for broken software integrity.
           hardware   Configure the action for detected hardware errors.
P-2        log-only   Write a message to the logging file.
           send-trap  Send a trap to the management station.
           reboot     Reboot the device.

70.1.2 selftest ramtest


Enable or disable the RAM selftest on cold start of the device. When disabled, the device booting time is reduced.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: selftest ramtest

▪ no selftest ramtest
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no selftest ramtest

70.1.3 selftest system-monitor


Enable or disable the System Monitor 1 access during the boot phase. Please note: If the System Monitor is disabled, it is possible to lose access to the device permanently if the administrator password is lost or the device is misconfigured.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: selftest system-monitor

▪ no selftest system-monitor
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no selftest system-monitor

70.1.4 selftest boot-default-on-error


Enable or disable loading of the default configuration in case there is any error loading the configuration during the boot phase. If disabled, the system will be halted.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: selftest boot-default-on-error

▪ no selftest boot-default-on-error
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no selftest boot-default-on-error

70.2 show

Display device options and settings.

70.2.1 show selftest action


Displays the actions the device takes if an error occurs.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Guest
▪ Format: show selftest action

70.2.2 show selftest settings


Displays the selftest settings.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Guest
▪ Format: show selftest settings

71 sFlow

71.1 sflow

Configure sFlow

71.1.1 sflow receiver


Configure sflow receiver.
▪ Mode: Global Config Mode
▪ Privilege Level: Operator
▪ Format: sflow receiver <P-1> owner <P-2> [ip <P-3>] [timeout <P-4>] timeout <P-5> maxdatagram <P-6> ip <P-7> port <P-8>
owner: Configure sflow owner.
[ip]: Configure sflow receiver IP address.
[timeout]: Configure sflow receiver timeout.
timeout: Configure sflow receiver timeout.
maxdatagram: Configure sflow maximum size of the receiver datagram.
ip: Configure sflow receiver IP address.
port: Configure sflow receiver port.
Parameter  Value           Meaning
P-1        1..8            Enter a sFlow receiver index.
P-2        string          Enter receiver owner string, max. 127 characters.
P-3        a.b.c.d         IP address.
P-4        -1..2147483647  Enter timeout: -1:no timeout, 0:reset configuration, 1 - 2147483647
P-5        -1..2147483647  Enter timeout: -1:no timeout, 0:reset configuration, 1 - 2147483647
P-6        200..3996       Enter maximum datagram size between 200 and 3996.
P-7        a.b.c.d         IP address.
P-8        1..65535        Enter port number between 1 and 65535

71.2 sflow

Configure sflow sampler and poller.

71.2.1 sflow poller receiver


Set a receiver for this poller.
▪ Mode: Interface Range Mode
▪ Privilege Level: Operator
▪ Format: sflow poller receiver <P-1> [interval <P-2>]
[interval]: Set an interval for this poller.
Parameter  Value     Meaning
P-1        0..8      Enter a sFlow receiver index, 0 to reset configuration.
P-2        0..86400  Enter poller interval between 0 and 86400. Enter 0 to disable the poller.

71.2.2 sflow poller interval


Set an interval for this poller.
▪ Mode: Interface Range Mode
▪ Privilege Level: Operator
▪ Format: sflow poller interval <P-1>
Parameter  Value     Meaning
P-1        0..86400  Enter poller interval between 0 and 86400. Enter 0 to disable the poller.

71.2.3 sflow sampler receiver


Set a receiver for this sampler.
▪ Mode: Interface Range Mode
▪ Privilege Level: Operator
▪ Format: sflow sampler receiver <P-1> [rate <P-2>]
[rate]: Configure sflow sampler rate.
Parameter  Value      Meaning
P-1        0..8       Enter a sFlow receiver index, 0 to reset configuration.
P-2        0          Disable sampling
           256-65535  Set sampling rate

71.2.4 sflow sampler rate


Configure sflow sampler rate.
▪ Mode: Interface Range Mode
▪ Privilege Level: Operator
▪ Format: sflow sampler rate <P-1>
Parameter  Value      Meaning
P-1        0          Disable sampling
           256-65535  Set sampling rate

71.2.5 sflow sampler maxheadersize


Configure sflow sampler maximum header size.
▪ Mode: Interface Range Mode
▪ Privilege Level: Operator
▪ Format: sflow sampler maxheadersize <P-1>
Parameter  Value    Meaning
P-1        20..256  Enter maximum header size between 20 and 256

71.3 show

Display device options and settings.

71.3.1 show sflow agent


Display sflow agent settings.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Guest
▪ Format: show sflow agent

71.3.2 show sflow receivers


Display sflow receiver settings.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Guest
▪ Format: show sflow receivers [<P-1>]
Parameter  Value  Meaning
P-1        1..8   Enter a sFlow receiver index.

71.3.3 show sflow pollers


Display sflow poller settings.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Guest
▪ Format: show sflow pollers

71.3.4 show sflow samplers


Display sflow sampler settings.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Guest
▪ Format: show sflow samplers

72 Small Form-factor Pluggable (SFP)

72.1 show

Display device options and settings.

72.1.1 show sfp


Show information about plugged-in SFP modules.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Guest
▪ Format: show sfp [<P-1>]
Parameter  Value              Meaning
P-1        slot no./port no.

73 Signal Contact

73.1 signal-contact

Configure the signal contact settings.

73.1.1 signal-contact mode


Configure the Signal Contact mode setting.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: signal-contact <P-1> mode <P-2>
Parameter  Value               Meaning
P-1        signal contact no.
P-2        manual              The signal contact's status is determined by the associated manual setting (subcommand 'state').
           monitor             The signal contact's status is determined by the associated monitor settings.
           device-status       The signal contact's status is determined by the device status.
           security-status     The signal contact's status is determined by the security status.
           dev-sec-status      The signal contact's status is determined by the device status and security status.

73.1.2 signal-contact monitor link-failure


Sets the monitoring of the network connection(s).
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: signal-contact <P-1> monitor link-failure
Parameter  Value               Meaning
P-1        signal contact no.

▪ no signal-contact monitor link-failure
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no signal-contact <P-1> monitor link-failure

73.1.3 signal-contact monitor module-removal


Sets the monitoring of the module removal.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: signal-contact <P-1> monitor module-removal
Parameter  Value               Meaning
P-1        signal contact no.

▪ no signal-contact monitor module-removal
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no signal-contact <P-1> monitor module-removal

73.1.4 signal-contact monitor envm-not-in-sync


Sets the monitoring whether the external non-volatile memory device is in sync with the running configuration.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: signal-contact <P-1> monitor envm-not-in-sync
Parameter  Value               Meaning
P-1        signal contact no.

▪ no signal-contact monitor envm-not-in-sync
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no signal-contact <P-1> monitor envm-not-in-sync

73.1.5 signal-contact monitor envm-removal


Sets the monitoring of the external non-volatile memory device removal.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: signal-contact <P-1> monitor envm-removal
Parameter  Value               Meaning
P-1        signal contact no.

▪ no signal-contact monitor envm-removal
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no signal-contact <P-1> monitor envm-removal

73.1.6 signal-contact monitor temperature


Sets the monitoring of the device temperature.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: signal-contact <P-1> monitor temperature
Parameter  Value               Meaning
P-1        signal contact no.

▪ no signal-contact monitor temperature
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no signal-contact <P-1> monitor temperature

73.1.7 signal-contact monitor ring-redundancy


Sets the monitoring of the ring-redundancy.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: signal-contact <P-1> monitor ring-redundancy
Parameter  Value               Meaning
P-1        signal contact no.

▪ no signal-contact monitor ring-redundancy
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no signal-contact <P-1> monitor ring-redundancy

73.1.8 signal-contact monitor power-supply


Sets the monitoring of the power supply(s).
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: signal-contact <P-1> monitor power-supply <P-2>
Parameter  Value               Meaning
P-1        signal contact no.
P-2        1..2                Number of power supply.

▪ no signal-contact monitor power-supply
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no signal-contact <P-1> monitor power-supply <P-2>

73.1.9 signal-contact state


Configure the Signal Contact manual state (only takes immediate effect in manual mode).
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: signal-contact <P-1> state <P-2>
Parameter  Value               Meaning
P-1        signal contact no.
P-2        open                Open the signal contact (only takes effect in the manual mode).
           close               Close the signal contact (only takes effect in the manual mode).

73.1.10 signal-contact trap


Configure if a trap is sent when the Signal Contact changes state (in monitor mode).
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: signal-contact <P-1> trap
Parameter  Value               Meaning
P-1        signal contact no.

▪ no signal-contact trap
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no signal-contact <P-1> trap

73.1.11 signal-contact module


Configure the monitoring of the specific module.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: signal-contact <P-1> module <P-2>
Parameter  Value               Meaning
P-1        signal contact no.
P-2        slot no./port no.

▪ no signal-contact module
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no signal-contact <P-1> module <P-2>

73.2 signal-contact

Configure the signal contact interface settings.

73.2.1 signal-contact link-alarm


Configure the monitoring of the specific network ports.
▪ Mode: Interface Range Mode
▪ Privilege Level: Administrator
▪ Format: signal-contact <P-1> link-alarm
Parameter  Value               Meaning
P-1        signal contact no.

▪ no signal-contact link-alarm
Disable the option
▪ Mode: Interface Range Mode
▪ Privilege Level: Administrator
▪ Format: no signal-contact <P-1> link-alarm

73.3 show

Display device options and settings.

73.3.1 show signal-contact


Display signal contact settings.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Guest
▪ Format: show signal-contact <P-1> mode monitor state trap link-alarm module events all
mode: Display the signal contact mode.
monitor: Display the signal contact monitor settings.
state: Display the signal contact state (open/close). Note: This covers the signal contact's administrative setting as well as its actual state.
trap: Display the signal contact trap information and settings.
link-alarm: Display the settings of the monitoring of the specific network ports.
module: Display the settings of the monitoring of the specific modules.
events: Display occurred device status events.
all: Display all signal contact settings for the specified signal contact.
Parameter  Value               Meaning
P-1        signal contact no.

74 Slot

74.1 slot

Configure module status.

74.1.1 slot operation


Enable or disable slot
▪ Mode: Global Config Mode
▪ Privilege Level: Operator
▪ Format: slot <P-1> operation
Parameter  Value              Meaning
P-1        slot no./port no.

▪ no slot operation
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Operator
▪ Format: no slot <P-1> operation

74.1.2 slot module


Remove a virtual module
▪ Mode: Global Config Mode
▪ Privilege Level: Operator
▪ Format: slot <P-1> module <P-2>
Parameter  Value              Meaning
P-1        slot no./port no.
P-2        remove-virtual     Remove a virtual module

74.2 show

Display device options and settings.

74.2.1 show slot


Show module parameters.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Guest
▪ Format: show slot [<P-1>]
Parameter  Value              Meaning
P-1        slot no./port no.

75 Switched Monitoring (SMON)

75.1 monitor

Configure port mirroring.

75.1.1 monitor session


Configure port mirroring.
▪ Mode: Global Config Mode
▪ Privilege Level: Operator
▪ Format: monitor session <P-1> destination interface <P-2> remote vlan <P-3> source interface <P-4> direction <P-5> operation vlan <P-6> remote vlan <P-7> mode
destination: Configure the probe interface.
interface: Configure interface.
remote: Destination RSPAN configuration.
vlan: Set the destination RSPAN VLAN used to tag the mirrored frames.
source: Configure the source interface.
interface: Configure interface
direction: Select interface.
operation: Enable/disable mirroring on an interface.
vlan: Set the VLAN to mirror.
remote: Source RSPAN configuration.
vlan: Set the source RSPAN VLAN on which mirrored frames are expected.
mode: Enable/Disable port mirroring session. Note: does not affect the source or destination interfaces.
Parameter  Value              Meaning
P-1        1                  Monitor session index.
P-2        slot no./port no.
P-3        integer            VLAN Mirror Remote VLAN ID List.
P-4        slot no./port no.
P-5        none               None.
           tx                 Packets that are transmitted on the source interfaces are copied to the destination interface.
           rx                 Packets that are received on the source interfaces are copied to the destination interface.
           txrx               Packets that are transmitted or received on the source interfaces are copied to the destination interface.
P-6        0..4042            Enter the VLAN ID. Entering of ID 0 disables the feature.
P-7        integer            VLAN Mirror Remote VLAN ID List.

▪ no monitor session
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Operator
▪ Format: no monitor session <P-1> destination interface remote vlan source interface <P-4> direction operation vlan remote vlan mode

75.2 rspan-vlan

75.2.1 rspan-vlan
Set the VLAN used by RSPAN. The VLAN must already be created.
▪ Mode: VLAN Database Mode
▪ Privilege Level: Operator
▪ Format: rspan-vlan <P-1>
Parameter  Value    Meaning
P-1        integer  VLAN Mirror Remote VLAN ID List.

75.3 show

Display device options and settings.

75.3.1 show monitor session


Display port monitor session settings.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Guest
▪ Format: show monitor session <P-1>
Parameter  Value  Meaning
P-1        1      Monitor session index.

75.4 clear

Clear several items.

75.4.1 clear monitor session


Delete configuration for this session.
▪ Mode: Privileged Exec Mode
▪ Privilege Level: Operator
▪ Format: clear monitor session <P-1>
Parameter  Value  Meaning
P-1        1      Monitor session index.

76 Simple Network Management Protocol (SNMP)

76.1 snmp

Configure SNMP versions and traps.

76.1.1 snmp access version v1


Enable or disable SNMP version V1.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: snmp access version v1

▪ no snmp access version v1
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no snmp access version v1

76.1.2 snmp access version v2


Enable or disable SNMP version V2.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: snmp access version v2

▪ no snmp access version v2
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no snmp access version v2

76.1.3 snmp access version v3


Enable or disable SNMP version V3.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: snmp access version v3

▪ no snmp access version v3
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no snmp access version v3

76.1.4 snmp access port


Configure the SNMP access port.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: snmp access port <P-1>
Parameter  Value     Meaning
P-1        1..65535  Port number of the SNMP server (default: 161).

76.1.5 snmp access snmp-over-802


Configure SNMPover802.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: snmp access snmp-over-802

▪ no snmp access snmp-over-802
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no snmp access snmp-over-802

76.2 show

Display device options and settings.

76.2.1 show snmp access


Show SNMP access configuration settings.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Guest
▪ Format: show snmp access

77 SNMP Community

77.1 snmp

Configure SNMP versions and traps.

77.1.1 snmp community ro


SNMP v1/v2 read-only community.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: snmp community ro

77.1.2 snmp community rw


SNMP v1/v2 read-write community.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: snmp community rw

77.2 show

Display device options and settings.

77.2.1 show snmp community


Display SNMP v1/2 community.
▪ Mode: Command is available in all modes.
▪ Privilege Level: Administrator
▪ Format: show snmp community

78 SNMP Logging

78.1 logging

Logging configuration.

78.1.1 logging snmp-request get operation


Enable or disable logging of SNMP GET or SET requests.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: logging snmp-request get operation <P-1>
Parameter  Value    Meaning
P-1        enable   Enable logging of SNMP GET or SET requests.
           disable  Disable logging of SNMP GET or SET requests.

▪ no logging snmp-request get operation
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no logging snmp-request get operation <P-1>

78.1.2 logging snmp-request get severity


Define severity level.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: logging snmp-request get severity <P-1>
Parameter  Value          Meaning
P-1        emergency      System is unusable. System failure has occurred.
           alert          Action must be taken immediately. Unrecoverable failure of a component. System failure likely.
           critical       Recoverable failure of a component that may lead to system failure.
           error          Error conditions. Recoverable failure of a component.
           warning        Minor failure, e.g. misconfiguration of a component.
           notice         Normal but significant conditions.
           informational  Informational messages.
           debug          Debug-level messages.
           0              Same as emergency
           1              Same as alert
           2              Same as critical
           3              Same as error
           4              Same as warning
           5              Same as notice
           6              Same as informational
           7              Same as debug

78.1.3 logging snmp-request set operation


Enable or disable logging of SNMP GET or SET requests.
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: logging snmp-request set operation <P-1>
Parameter  Value    Meaning
P-1        enable   Enable logging of SNMP GET or SET requests.
           disable  Disable logging of SNMP GET or SET requests.

▪ no logging snmp-request set operation
Disable the option
▪ Mode: Global Config Mode
▪ Privilege Level: Administrator
▪ Format: no logging snmp-request set operation <P-1>

78.1.4 logging snmp-request set severity


Define severity level.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: logging snmp-request set severity <P-1>

Parameter  Value          Meaning
P-1        emergency      System is unusable. System failure has occurred.
           alert          Action must be taken immediately. Unrecoverable failure of a component. System failure likely.
           critical       Recoverable failure of a component that may lead to system failure.
           error          Error conditions. Recoverable failure of a component.
           warning        Minor failure, e.g. misconfiguration of a component.
           notice         Normal but significant conditions.
           informational  Informational messages.
           debug          Debug-level messages.
           0              Same as emergency
           1              Same as alert
           2              Same as critical
           3              Same as error
           4              Same as warning
           5              Same as notice
           6              Same as informational
           7              Same as debug

78.2 show

Display device options and settings.

78.2.1 show logging snmp


Show the SNMP logging settings.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show logging snmp

79 Simple Network Time Protocol (SNTP)

79.1 sntp

Configure SNTP settings.

79.1.1 sntp client operation


Enable or disable the SNTP client.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp client operation

no sntp client operation

Disable the option
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: no sntp client operation

79.1.2 sntp client operating-mode


Set the operating mode of the SNTP client. In unicast-mode, the client sends a request to the SNTP Server. In broadcast-mode, the client waits for a broadcast message from the SNTP Server.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp client operating-mode <P-1>

Parameter  Value      Meaning
P-1        unicast    Set the operating mode to unicast.
           broadcast  Set the operating mode to broadcast.

79.1.3 sntp client request-interval


Set the SNTP client request interval in seconds. The request-interval is only used in the operating-mode unicast.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp client request-interval <P-1>

Parameter  Value    Meaning
P-1        5..3600  Enter a number in the given range.

79.1.4 sntp client broadcast-rcv-timeout


Set the SNTP client broadcast receive timeout in seconds. The broadcast receive timeout is only used in the operating-mode broadcast.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp client broadcast-rcv-timeout <P-1>

Parameter  Value      Meaning
P-1        128..2048  Enter a number in the given range.

79.1.5 sntp client disable-after-sync


If this option is activated, the SNTP client disables itself once it is synchronized to an SNTP server.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp client disable-after-sync

no sntp client disable-after-sync

Disable the option
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: no sntp client disable-after-sync

79.1.6 sntp client server add


Add an SNTP client server connection.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp client server add <P-1> <P-2> [port <P-3>] [description <P-4>]
[port]: Set the port number of the external time server.
[description]: Description of the external time server.

Parameter  Value     Meaning
P-1        1..4      Enter a number in the given range.
P-2        string    Hostname or IP address.
P-3        1..65535  Port number of SNTP Server (default 123).
P-4        string    Enter a user-defined text, max. 32 characters.

79.1.7 sntp client server delete


Delete an SNTP client server connection.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp client server delete <P-1>

Parameter  Value  Meaning
P-1        1..4   Enter a number in the given range.

79.1.8 sntp client server mode


Enable or disable an SNTP client server connection.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp client server mode <P-1>

Parameter  Value  Meaning
P-1        1..4   Enter a number in the given range.

no sntp client server mode

Disable the option
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: no sntp client server mode <P-1>

79.1.9 sntp server operation


Enable or disable the SNTP server.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp server operation

no sntp server operation

Disable the option
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: no sntp server operation

79.1.10 sntp server port


Set the local socket port number used to listen for client requests.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp server port <P-1>

Parameter  Value     Meaning
P-1        1..65535  Port number of SNTP Server (default 123).

79.1.11 sntp server only-if-synchronized


Disable the SNTP server function if it is not synchronized to another external time reference.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp server only-if-synchronized

no sntp server only-if-synchronized

Disable the option
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: no sntp server only-if-synchronized

79.1.12 sntp server broadcast operation


Enable or disable the SNTP server broadcast mode.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp server broadcast operation

no sntp server broadcast operation

Disable the option
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: no sntp server broadcast operation

79.1.13 sntp server broadcast address


Set the SNTP server's broadcast or multicast IP address (default: 0.0.0.0 (none)).
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp server broadcast address <P-1>

Parameter  Value    Meaning
P-1        a.b.c.d  IP address.

79.1.14 sntp server broadcast port


Set the destination socket port number used to send broadcast or multicast messages to the client.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp server broadcast port <P-1>

Parameter  Value     Meaning
P-1        1..65535  Port number of SNTP Server (default 123).

79.1.15 sntp server broadcast interval


Set the SNTP server's interval in seconds for sending broadcast or multicast messages.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp server broadcast interval <P-1>

Parameter  Value     Meaning
P-1        64..1024  Enter a number in the given range.

79.1.16 sntp server broadcast vlan


Set the SNTP server's broadcast VLAN ID used for sending broadcast or multicast messages.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: sntp server broadcast vlan <P-1>

Parameter  Value    Meaning
P-1        0..4042  Enter the VLAN ID. Entering ID 0 uses the management VLAN ID.

79.2 show

Display device options and settings.

79.2.1 show sntp global


Show SNTP configuration parameters and information.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show sntp global

79.2.2 show sntp client status


Show SNTP client status.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show sntp client status

79.2.3 show sntp client server


Show SNTP client server connections.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show sntp client server [<P-1>]

Parameter  Value  Meaning
P-1        1..4   Enter a number in the given range.

79.2.4 show sntp server status


Show SNTP server configuration parameters and information.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show sntp server status

79.2.5 show sntp server broadcast


Show SNTP server broadcast configuration parameters.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show sntp server broadcast

80 Spanning Tree

80.1 spanning-tree

Enable or disable the Spanning Tree protocol.

80.1.1 spanning-tree operation


Enable or disable the function.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: spanning-tree operation

no spanning-tree operation

Disable the option
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: no spanning-tree operation

80.1.2 spanning-tree bpdu-filter


Enable or disable the BPDU filter on the edge ports.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: spanning-tree bpdu-filter

no spanning-tree bpdu-filter

Disable the option
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: no spanning-tree bpdu-filter

80.1.3 spanning-tree bpdu-guard


Enable or disable the BPDU guard on the edge ports.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: spanning-tree bpdu-guard

no spanning-tree bpdu-guard

Disable the option
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: no spanning-tree bpdu-guard

80.1.4 spanning-tree bpdu-migration-check


Force the specified port to transmit RST or MST BPDUs.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: spanning-tree bpdu-migration-check <P-1>

Parameter  Value              Meaning
P-1        slot no./port no.

80.1.5 spanning-tree forceversion


Set the force protocol version parameter.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: spanning-tree forceversion <P-1>

Parameter  Value  Meaning
P-1        stp    Spanning Tree Protocol (STP).
           rstp   Rapid Spanning Tree Protocol (RSTP).

80.1.6 spanning-tree forward-time


Set the Bridge Forward Delay parameter [s].
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: spanning-tree forward-time <P-1>

Parameter  Value  Meaning
P-1        4..30  Enter the bridge forward delay as an integer.

80.1.7 spanning-tree hello-time


Set the Hello Time parameter [s].
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: spanning-tree hello-time <P-1>

Parameter  Value  Meaning
P-1        1..2   Set the Hello Time parameter (unit: seconds).

80.1.8 spanning-tree hold-count


Set the bridge hold count parameter.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: spanning-tree hold-count <P-1>

Parameter  Value  Meaning
P-1        1..40  Set bridge hold count parameter.

80.1.9 spanning-tree max-age


Set the bridge Max Age parameter.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: spanning-tree max-age <P-1>

Parameter  Value  Meaning
P-1        6..40  Set the bridge Max Age parameter.

80.1.10 spanning-tree ring-only-mode operation


Enable or disable the RSTP Ring Only Mode.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: spanning-tree ring-only-mode operation

no spanning-tree ring-only-mode operation

Disable the option
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: no spanning-tree ring-only-mode operation

80.1.11 spanning-tree ring-only-mode first-port


Configure the first ring port.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: spanning-tree ring-only-mode first-port <P-1>

Parameter  Value              Meaning
P-1        slot no./port no.

80.1.12 spanning-tree ring-only-mode second-port


Configure the second ring port.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: spanning-tree ring-only-mode second-port <P-1>

Parameter  Value              Meaning
P-1        slot no./port no.

80.1.13 spanning-tree mst


MST instance related configuration.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: spanning-tree mst

80.2 spanning-tree

Enable or disable the Spanning Tree protocol on a port.

80.2.1 spanning-tree mode


Enable or disable the function.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: spanning-tree mode

no spanning-tree mode

Disable the option
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: no spanning-tree mode

80.2.2 spanning-tree bpdu-flood


Enable or disable BPDU flooding on a port.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: spanning-tree bpdu-flood

no spanning-tree bpdu-flood

Disable the option
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: no spanning-tree bpdu-flood

80.2.3 spanning-tree edge-auto


Enable or disable auto edge detection on a port.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: spanning-tree edge-auto

no spanning-tree edge-auto

Disable the option
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: no spanning-tree edge-auto

80.2.4 spanning-tree edge-port


Enable or disable edge port usage on a port.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: spanning-tree edge-port

no spanning-tree edge-port

Disable the option
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: no spanning-tree edge-port

80.2.5 spanning-tree guard-loop


Enable or disable the loop guard on a port.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: spanning-tree guard-loop

no spanning-tree guard-loop

Disable the option
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: no spanning-tree guard-loop

80.2.6 spanning-tree guard-root


Enable or disable the root guard on a port.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: spanning-tree guard-root

no spanning-tree guard-root

Disable the option
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: no spanning-tree guard-root

80.2.7 spanning-tree guard-tcn


Enable or disable the TCN guard on a port.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: spanning-tree guard-tcn

no spanning-tree guard-tcn

Disable the option
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: no spanning-tree guard-tcn

80.2.8 spanning-tree cost


Specify the port path cost for STP, RSTP and CIST.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: spanning-tree cost <P-1>

Parameter  Value         Meaning
P-1        0..200000000  Specify the port path cost.

80.2.9 spanning-tree priority


Specify the port priority for STP, RSTP and CIST.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: spanning-tree priority <P-1>

Parameter  Value   Meaning
P-1        0..240  Specify the port priority.

80.3 show

Display device options and settings.

80.3.1 show spanning-tree global


Display the Common and Internal Spanning Tree information and settings.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show spanning-tree global

80.3.2 show spanning-tree mst instance


Display summarized information and settings for all ports in an MST instance.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show spanning-tree mst instance

80.3.3 show spanning-tree mst port


Display summarized information and settings for all ports in an MST instance.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show spanning-tree mst port [<P-1>]

Parameter  Value              Meaning
P-1        slot no./port no.

80.3.4 show spanning-tree port


Spanning Tree information and settings for an interface.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show spanning-tree port <P-1>

Parameter  Value              Meaning
P-1        slot no./port no.

81 Subring Management

81.1 sub-ring

Sub-ring manager operations.

81.1.1 sub-ring operation


Enable or disable the global sub-ring manager functionality on this device.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: sub-ring operation

no sub-ring operation

Disable the option
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: no sub-ring operation

81.1.2 sub-ring add


Creates a new sub-ring domain with the value id.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: sub-ring add <P-1> [mode <P-2>] [vlan <P-3>] [port <P-4>] [name <P-5>] [mrp-domain <P-6>]
[mode]: Set operating mode for the sub-ring domain with the value id.
[vlan]: Set VLAN ID for the sub-ring domain with the value id.
[port]: Set the port for the sub-ring domain with the value id.
[name]: Set name for the sub-ring domain with the value id.
[mrp-domain]: MRP domain ID. Format: 16 bytes in decimal notation. (Example: 1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16).

Parameter  Value              Meaning
P-1        1..40000           SRM Domain Id.
P-2        manager            The entity takes on the role of a Sub-Ring Manager.
           redundant-manager  The entity takes on the role of the Sub-Ring Manager and blocks the ring port if the sub-ring is closed.
           single-manager     The single-manager has both ends of a sub-ring connected to its ports and blocks one of these ends if the sub-ring is closed.
P-3        0..4042            Enter the VLAN ID. Entering ID 0 disables the feature.
P-4        slot no./port no.
P-5        string             Enter a user-defined text, max. 255 characters.
P-6        string             <domain id> MRP domain ID. Format: 16 bytes in decimal notation. (Example: 1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16).

81.1.3 sub-ring delete


Deletes the sub-ring domain with the value id.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: sub-ring delete <P-1>

Parameter  Value     Meaning
P-1        1..40000  SRM Domain Id.

81.1.4 sub-ring enable


Enable the sub-ring domain with the value id.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: sub-ring enable <P-1>

Parameter  Value     Meaning
P-1        1..40000  SRM Domain Id.

81.1.5 sub-ring disable


Disable the sub-ring domain with the value id.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: sub-ring disable <P-1>

Parameter  Value     Meaning
P-1        1..40000  SRM Domain Id.

81.1.6 sub-ring modify


Modify parameters of the sub-ring domain with the value id.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: sub-ring modify <P-1> [mode <P-2>] [vlan <P-3>] [port <P-4>] [name <P-5>] [mrp-domain <P-6>]
[mode]: Set operating mode for the sub-ring domain with the value id.
[vlan]: Set VLAN ID for the sub-ring domain with the value id.
[port]: Set the port for the sub-ring domain with the value id.
[name]: Set name for the sub-ring domain with the value id.
[mrp-domain]: MRP domain ID. Format: 16 bytes in decimal notation. (Example: 1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16).

Parameter  Value              Meaning
P-1        1..40000           SRM Domain Id.
P-2        manager            The entity takes on the role of a Sub-Ring Manager.
           redundant-manager  The entity takes on the role of the Sub-Ring Manager and blocks the ring port if the sub-ring is closed.
           single-manager     The single-manager has both ends of a sub-ring connected to its ports and blocks one of these ends if the sub-ring is closed.
P-3        0..4042            Enter the VLAN ID. Entering ID 0 disables the feature.
P-4        slot no./port no.
P-5        string             Enter a user-defined text, max. 255 characters.
P-6        string             <domain id> MRP domain ID. Format: 16 bytes in decimal notation. (Example: 1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16).

81.2 show

Display device options and settings.

81.2.1 show sub-ring global


Show Sub-ring global parameters.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show sub-ring global

81.2.2 show sub-ring ring


Show Sub-ring detailed parameters.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show sub-ring ring [<P-1>]

Parameter  Value     Meaning
P-1        1..40000  SRM Domain Id.

82 Secure Shell (SSH)

82.1 ssh

Set SSH parameters.

82.1.1 ssh server


Enable or disable the SSH server.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: ssh server

no ssh server

Disable the option
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: no ssh server

82.1.2 ssh timeout


Set the SSH connection idle timeout in minutes (default: 5).
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: ssh timeout <P-1>

Parameter  Value   Meaning
P-1        0..160  Idle timeout of a session in minutes (default: 5).

82.1.3 ssh port


Set the SSH server port number (default: 22).
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: ssh port <P-1>

Parameter  Value     Meaning
P-1        1..65535  Port number of the SSH server (default: 22).

82.1.4 ssh max-sessions


Set the maximum number of concurrent SSH sessions (default: 5).
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: ssh max-sessions <P-1>

Parameter  Value  Meaning
P-1        1..5   Maximum number of concurrent SSH sessions.

82.1.5 ssh outbound max-sessions


Set the maximum number of concurrent outbound SSH sessions (default: 5).
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: ssh outbound max-sessions <P-1>

Parameter  Value  Meaning
P-1        1..5   Maximum number of concurrent SSH sessions.

82.1.6 ssh outbound timeout


Set the SSH connection idle timeout in minutes (default: 5).
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: ssh outbound timeout <P-1>

Parameter  Value   Meaning
P-1        0..160  Idle timeout of a session in minutes (default: 5).

82.1.7 ssh key rsa


Generate or delete RSA key.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: ssh key rsa <P-1>

Parameter  Value     Meaning
P-1        generate  Generates the item
           delete    Deletes the item

82.1.8 ssh key dsa


Generate or delete DSA key.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: ssh key dsa <P-1>

Parameter  Value     Meaning
P-1        generate  Generates the item
           delete    Deletes the item

82.2 copy

Copy different kinds of items.

82.2.1 copy sshkey remote


Copy the SSH key from a server to the specified destination.
- Mode: Privileged Exec Mode
- Privilege Level: Administrator
- Format: copy sshkey remote <P-1> nvm
nvm: Copy the SSH key from a server to non-volatile memory.

Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 128 characters.

82.2.2 copy sshkey envm


Copy the SSH key from external non-volatile memory to the specified destination.
- Mode: Privileged Exec Mode
- Privilege Level: Administrator
- Format: copy sshkey envm <P-1> nvm
nvm: Copy the SSH key from external non-volatile memory to non-volatile memory.

Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 128 characters.

82.3 show

Display device options and settings.

82.3.1 show ssh


Show SSH server and client information.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show ssh

83 Storm Control

83.1 storm-control

Configure the global storm-control settings.

83.1.1 storm-control flow-control


Enable or disable flow control globally.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: storm-control flow-control

no storm-control flow-control

Disable the option
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: no storm-control flow-control

83.2 traffic-shape

Traffic shape commands.

83.2.1 traffic-shape bw
Set threshold value.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: traffic-shape bw <P-1>

Parameter  Value   Meaning
P-1        0..100  Enter a number in the given range.

83.3 mtu

83.3.1 mtu
Set the MTU size (without VLAN tag size, because the VLAN tag is ignored for size calculation).
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: mtu <P-1>

Parameter  Value        Meaning
P-1        1518..12288  Enter a number in the given range.

83.4 mtu

83.4.1 mtu
Set the MTU size (without VLAN tag size, because the VLAN tag is ignored for size calculation).
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: mtu <P-1>

Parameter  Value        Meaning
P-1        1518..12288  Enter a number in the given range.

83.5 storm-control

Storm control commands

83.5.1 storm-control flow-control


Enable or disable flow control (802.3x) for this port.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: storm-control flow-control

no storm-control flow-control

Disable the option
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: no storm-control flow-control

83.5.2 storm-control ingress unit


Set unit.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: storm-control ingress unit <P-1>

Parameter  Value    Meaning
P-1        percent  Metering unit expressed in percentage of bandwidth.
           pps      Metering unit expressed in packets per second.

83.5.3 storm-control ingress unicast operation


Enable/disable ingress unicast storm control.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: storm-control ingress unicast operation

no storm-control ingress unicast operation

Disable the option
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: no storm-control ingress unicast operation

83.5.4 storm-control ingress unicast threshold


Set threshold value.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: storm-control ingress unicast threshold <P-1>

Parameter  Value        Meaning
P-1        0..14880000  Enter a number in the given range. If the configured unit is percent, enter a number in the range 0..100.

83.5.5 storm-control ingress multicast operation


Enable/disable ingress multicast storm control.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: storm-control ingress multicast operation

no storm-control ingress multicast operation

Disable the option
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: no storm-control ingress multicast operation

83.5.6 storm-control ingress multicast threshold


Set threshold value.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: storm-control ingress multicast threshold <P-1>

Parameter  Value        Meaning
P-1        0..14880000  Enter a number in the given range. If the configured unit is percent, enter a number in the range 0..100.

83.5.7 storm-control ingress broadcast operation


Enable/disable ingress broadcast storm control.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: storm-control ingress broadcast operation

no storm-control ingress broadcast operation

Disable the option
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: no storm-control ingress broadcast operation

83.5.8 storm-control ingress broadcast threshold


Set threshold value.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: storm-control ingress broadcast threshold <P-1>

Parameter  Value        Meaning
P-1        0..14880000  Enter a number in the given range. If the configured unit is percent, enter a number in the range 0..100.
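
The threshold ranges in 83.5.4, 83.5.6 and 83.5.8 depend on the unit set with 83.5.2, so the same number can be valid under pps and invalid under percent. The following pre-deployment check is an added example, not part of the Hirschmann manual; the name lint_storm_control, the constructed sample script, the initial_unit argument and the decision to warn when the unit changes after a threshold was entered are assumptions.

```python
import re

# Upper bounds of <P-1> as stated in 83.5.4 / 83.5.6 / 83.5.8 of this manual.
LIMITS = {"pps": 14_880_000, "percent": 100}

UNIT_RE = re.compile(r"^storm-control ingress unit (\S+)$")
THRESHOLD_RE = re.compile(
    r"^storm-control ingress (unicast|multicast|broadcast) threshold (\S+)$"
)


def lint_storm_control(lines, initial_unit=None):
    """Check the storm-control commands of one interface block, in order.

    lines        -- CLI lines as they would be entered in Interface Range Mode
    initial_unit -- unit already configured on the port ("percent" or "pps"),
                    or None if unknown (assumption: supplied by the caller)
    Returns a list of (line_number, message); an empty list means no findings.
    """
    findings = []
    unit = initial_unit
    entered = {}  # traffic class -> (line number, value, unit in effect)

    for number, raw in enumerate(lines, start=1):
        line = " ".join(raw.split())  # normalise whitespace

        match = UNIT_RE.match(line)
        if match:
            new_unit = match.group(1)
            if new_unit not in LIMITS:
                findings.append((number, f"unknown unit {new_unit!r}"))
                continue
            # A number typed under one unit reads differently under the
            # other, so flag thresholds entered before this change.
            for traffic, (at, value, old_unit) in entered.items():
                if old_unit != new_unit:
                    findings.append((number, (
                        f"unit set to {new_unit} after {traffic} threshold "
                        f"{value} was entered on line {at} "
                        f"(unit then: {old_unit or 'unknown'})")))
            unit = new_unit
            continue

        match = THRESHOLD_RE.match(line)
        if not match:
            continue  # not a unit or threshold command; nothing to check
        traffic, text = match.groups()
        if not re.fullmatch(r"[0-9]+", text):
            findings.append((number, f"{traffic} threshold {text!r} is not a number"))
            continue
        value = int(text)
        if unit is None:
            findings.append((number, f"{traffic} threshold {value} entered with unknown unit"))
        # With an unknown unit only the widest documented range can be applied.
        limit = LIMITS[unit] if unit else LIMITS["pps"]
        if value > limit:
            findings.append((number, (
                f"{traffic} threshold {value} is outside 0..{limit} "
                f"for unit {unit or 'pps (assumed)'}")))
        entered[traffic] = (number, value, unit)
    return findings


# Constructed sample script (not taken from a real device).
SAMPLE = """\
storm-control ingress unit pps
storm-control ingress broadcast threshold 2000
storm-control ingress broadcast operation
storm-control ingress unit percent
storm-control ingress multicast threshold 250
storm-control ingress unicast threshold 100
""".splitlines()

if __name__ == "__main__":
    for number, message in lint_storm_control(SAMPLE):
        print(f"line {number}: {message}")
```
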

83.6 show

Display device options and settings.

83.6.1 show storm-control flow-control


Global flow control status.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show storm-control flow-control

83.6.2 show storm-control ingress


Show storm control ingress parameters.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show storm-control ingress [<P-1>]

Parameter  Value              Meaning
P-1        slot no./port no.

83.6.3 show traffic-shape


Show traffic shape parameters.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show traffic-shape

83.6.4 show mtu


Show MTU parameters.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show mtu

84 System

84.1 system

Set system related values e.g. name of the device, location of the device, contact data for the person
responsible for the device, and pre-login banner text.

84.1.1 system name


Edit the name of the device. The system name consists of an alphanumeric ASCII character string with 0..255 characters.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: system name <P-1>

Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 255 characters.

84.1.2 system location


Edit the location of the device. The system location consists of an alphanumeric ASCII character string with 0..255 characters.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: system location <P-1>

Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 255 characters.

84.1.3 system contact


Edit the contact information for the person responsible for the device. The contact data consists of an alphanumeric ASCII character string with 0..255 characters.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: system contact <P-1>

Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 255 characters.

84.1.4 system port-led-mode

Configure the port LED signalling (frontpanel or servicepanel).
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: system port-led-mode <P-1>
Parameter  Value         Meaning
P-1        portpanel     Set LED control to portpanel.
           servicepanel  Set LED control to servicepanel.

84.1.5 system pre-login-banner operation

Enable or disable the pre-login banner. You use the pre-login banner to display a greeting or information to users before they log in to the device.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: system pre-login-banner operation

no system pre-login-banner operation

Disable the option.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: no system pre-login-banner operation

84.1.6 system pre-login-banner text

Edit the text for the pre-login banner (C printf format syntax allowed: \\n\\t). The device allows you to edit an alphanumeric ASCII character string with up to 512 characters.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: system pre-login-banner text <P-1>
Parameter  Value   Meaning
P-1        string  Enter a user-defined text, max. 512 characters (allowed characters are from ASCII 32 to 127).

84.1.7 system resources operation

Enable or disable the measurement operation.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: system resources operation

no system resources operation

Disable the option.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: no system resources operation

84.2 temperature

Configure the upper and lower temperature limits of the device. The device allows you to set the threshold as an integer from -99 through 99. You configure the temperatures in degrees Celsius.

84.2.1 temperature upper-limit

Configure the upper temperature limit.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: temperature upper-limit <P-1>
Parameter  Value    Meaning
P-1        -99..99  Upper temperature threshold ([C], default 70).

84.2.2 temperature lower-limit

Configure the lower temperature limit.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: temperature lower-limit <P-1>
Parameter  Value    Meaning
P-1        -99..99  Lower temperature threshold ([C], default 0).

84.3 show

Display device options and settings.

84.3.1 show eventlog

Show event log notice and warning entries with time stamp.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show eventlog

84.3.2 show system info

Show system-related information.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show system info

84.3.3 show system port-led-mode

Display LED control settings.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show system port-led-mode

84.3.4 show system pre-login-banner

Show pre-login banner status and text.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show system pre-login-banner

84.3.5 show system flash-status

Show the flash memory statistics of the device.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show system flash-status

84.3.6 show system temperature limits

Show temperature limits.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show system temperature limits

84.3.7 show system temperature extremes

Show minimum and maximum recorded temperature.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show system temperature extremes

84.3.8 show system temperature histogram

Show the temperature histogram of the device.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show system temperature histogram

84.3.9 show system temperature counters

Display the number of 20 °C temperature variations within a period of at most one hour.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show system temperature counters

84.3.10 show system resources

Display the system resources information (CPU utilization, memory and network CPU utilization).
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show system resources

84.3.11 show psu slot

Display power supply slots.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show psu slot

84.3.12 show psu unit

Display information for power supply units.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show psu unit

85 Telnet

85.1 telnet

Set Telnet parameters.

85.1.1 telnet server

Enable or disable the Telnet server.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: telnet server

no telnet server

Disable the option.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: no telnet server

85.1.2 telnet timeout

Set the idle timeout for a Telnet connection in minutes.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: telnet timeout <P-1>
Parameter  Value   Meaning
P-1        0..160  Idle timeout of a session in minutes (default: 5).

85.1.3 telnet port

Set the listening port for the Telnet server.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: telnet port <P-1>
Parameter  Value     Meaning
P-1        1..65535  Set the listening port for the Telnet server.

85.1.4 telnet max-sessions

Set the maximum number of sessions for the Telnet server.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: telnet max-sessions <P-1>
Parameter  Value  Meaning
P-1        1..5   Set the maximum number of connections for the Telnet server.

85.2 telnet

85.2.1 telnet

Establish a Telnet connection to a remote host.
- Mode: "User Mode" and "Privileged Exec Mode"
- Privilege Level: Guest
- Format: telnet <P-1> [<P-2>] [<P-3>] [<P-4>] [<P-5>]
Parameter  Value     Meaning
P-1        string    Hostname or IP address.
P-2        1..65535  Enter port number between 1 and 65535.
P-3        debug     Display the current Telnet options.
P-4        line      Set the outbound Telnet operational mode as linemode (only takes effect for the serial connection).
P-5        echo      Enable local echo (only takes effect for the serial connection).

85.3 show

Display device options and settings.

85.3.1 show telnet

Show Telnet server information.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show telnet

86 Time Range

86.1 time

Create or delete a time range.

86.1.1 time range

Create or delete a time range.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: time range <P-1> [absolute] [start <P-2> <P-3> <P-4> <P-5>] [end <P-6> <P-7> <P-8> <P-9>] [periodic <P-10> <P-11>] to [<P-12>] <P-13>
[absolute]: Create or delete an absolute time entry.
[start]: Set start time and date.
[end]: Set end time and date.
[periodic]: Create or delete a periodic time entry. It must not overlap with any other periodic entry defined for this time range.
to: Set end of periodic time entry.
Parameter  Value         Meaning
P-1        string        Enter the time range name, max. 31 characters.
P-2        hh:mm         Time of day, in 24-hour format.
P-3        1..31         Day of the month.
P-4        jan           January
           feb           February
           mar           March
           apr           April
           may           May
           jun           June
           jul           July
           aug           August
           sep           September
           oct           October
           nov           November
           dec           December
P-5        1993..2035    Year.
P-6        hh:mm         Time of day, in 24-hour format.
P-7        1..31         Day of the month.
P-8        jan           January
           feb           February
           mar           March
           apr           April
           may           May
           jun           June
           jul           July
           aug           August
           sep           September
           oct           October
           nov           November
           dec           December
P-9        1993..2035    Year.
P-10       sunday        Sunday
           monday        Monday
           tuesday       Tuesday
           wednesday     Wednesday
           thursday      Thursday
           friday        Friday
           saturday      Saturday
           daily         Daily
           weekdays      Weekdays
           weekend       Weekend
           list of days  A comma-separated combination of days
P-11       hh:mm         Time of day, in 24-hour format.
P-12       sunday        Sunday
           monday        Monday
           tuesday       Tuesday
           wednesday     Wednesday
           thursday      Thursday
           friday        Friday
           saturday      Saturday
P-13       hh:mm         Time of day, in 24-hour format.

no time range

Disable the option.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: no time range <P-1> [absolute] [start] [end] [periodic] to [<P-12>] <P-13>

86.2 show

Display device options and settings.

86.2.1 show time-range

Show a time range and all its time entries.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show time-range [<P-1>]
Parameter  Value   Meaning
P-1        string  Enter the time range name, max. 31 characters.

87 Traps

87.1 snmp

Configure SNMP versions and traps.

87.1.1 snmp trap operation

Globally enable or disable SNMP traps.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: snmp trap operation

no snmp trap operation

Disable the option.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: no snmp trap operation

87.1.2 snmp trap mode

Enable or disable an SNMP trap entry.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: snmp trap mode <P-1>
Parameter  Value   Meaning
P-1        string  <name> Trap name (1 to 32 characters)

no snmp trap mode

Disable the option.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: no snmp trap mode <P-1>

87.1.3 snmp trap delete

Delete an SNMP trap entry.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: snmp trap delete <P-1>
Parameter  Value   Meaning
P-1        string  <name> Trap name (1 to 32 characters)

87.1.4 snmp trap add

Add an SNMP trap entry.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: snmp trap add <P-1> <P-2>
Parameter  Value      Meaning
P-1        string     <name> Trap name (1 to 32 characters)
P-2        <a.b.c.d>  a.b.c.d Single IP address.
           a.b.c.d:n  a.b.c.d:n Address with port.

87.2 show

Display device options and settings.

87.2.1 show snmp traps

Display SNMP traps.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show snmp traps

88 User Management

88.1 show

Display device options and settings.

88.1.1 show custom-role global

Display the common information of a custom role.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show custom-role global [<P-1>]
Parameter  Value              Meaning
P-1        slot no./port no.

88.1.2 show custom-role commands

Display the included and excluded commands.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show custom-role commands [<P-1>]
Parameter  Value              Meaning
P-1        slot no./port no.

89 Users

89.1 users

Manage users and user accounts.

89.1.1 users add

Add a new user.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: users add <P-1>
Parameter  Value   Meaning
P-1        string  <user> User name (up to 32 characters).

89.1.2 users delete

Delete an existing user.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: users delete <P-1>
Parameter  Value   Meaning
P-1        string  <user> User name (up to 32 characters).

89.1.3 users enable

Enable a user.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: users enable <P-1>
Parameter  Value   Meaning
P-1        string  <user> User name (up to 32 characters).

89.1.4 users disable

Disable a user.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: users disable <P-1>
Parameter  Value   Meaning
P-1        string  <user> User name (up to 32 characters).

89.1.5 users password

Change a user's password.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: users password <P-1> [<P-2>]
Parameter  Value   Meaning
P-1        string  <user> User name (up to 32 characters).
P-2        string  Enter a user-defined text, max. 64 characters.

89.1.6 users snmpv3 authentication

Specify the authentication setting for a user.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: users snmpv3 authentication <P-1> <P-2>
Parameter  Value   Meaning
P-1        string  <user> User name (up to 32 characters).
P-2        md5     MD5 as SNMPv3 user authentication mode.
           sha1    SHA1 as SNMPv3 user authentication mode.

89.1.7 users snmpv3 encryption

Specify the encryption settings for a user.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: users snmpv3 encryption <P-1> <P-2>
Parameter  Value      Meaning
P-1        string     <user> User name (up to 32 characters).
P-2        none       SNMPv3 encryption method is none.
           des        DES as SNMPv3 encryption method.
           aescfb128  AES-128 as SNMPv3 encryption method.

89.1.8 users access-role

Specify the SNMPv3 access role for a user.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: users access-role <P-1> <P-2>
Parameter  Value              Meaning
P-1        string             <user> User name (up to 32 characters).
P-2        slot no./port no.

89.1.9 users lock-status

Set the lockout status of a specified user.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: users lock-status <P-1> <P-2>
Parameter  Value   Meaning
P-1        string  <user> User name (up to 32 characters).
P-2        unlock  Unlock the specific user. The user can log in again.

89.1.10 users password-policy-check

Set the password policy check option. The device checks the "minimum password length", regardless of the setting for this option.
- Mode: Global Config Mode
- Privilege Level: Administrator
- Format: users password-policy-check <P-1> <P-2>
Parameter  Value    Meaning
P-1        string   <user> User name (up to 32 characters).
P-2        enable   Enable the option.
           disable  Disable the option.
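
An added example, not part of the Hirschmann manual: a Python check that reads a script of the `telnet server` and `users` commands documented above and reports weak settings in the resulting final state. The sample script and its user names are constructed, and the script is assumed to hold one command per line in the documented Format syntax.

```python
"""Lint a script of HiOS CLI commands for weak management-plane settings."""
from typing import NamedTuple

MAX_USER_LEN = 32  # "User name (up to 32 characters)" per the parameter tables

# Documented values per command; a message marks the value as a finding.
CHECKS = {
    ("users", "snmpv3", "authentication"): {
        "md5": "SNMPv3 authentication is md5; sha1 is the stronger documented choice",
        "sha1": None,
    },
    ("users", "snmpv3", "encryption"): {
        "none": "SNMPv3 encryption is none; SNMPv3 payloads are not encrypted",
        "des": "SNMPv3 encryption is des; aescfb128 is the stronger documented choice",
        "aescfb128": None,
    },
    ("users", "password-policy-check"): {
        "disable": "password policy check disabled; only the minimum length is still checked",
        "enable": None,
    },
}

# Constructed sample input (user names are made up for this example).
SAMPLE_SCRIPT = """\
telnet server
users add monitor
users snmpv3 authentication monitor md5
users snmpv3 encryption monitor des
users password-policy-check monitor disable
users snmpv3 authentication monitor sha1
users add legacy
users snmpv3 encryption legacy none
users delete legacy
users add netadmin
users snmpv3 encryption netadmin aes128
no telnet server
"""


class Finding(NamedTuple):
    line: int      # line of the command that produced the final value
    subject: str   # user name or "telnet"
    message: str


def parse(script):
    """Yield (line_no, negated, tokens) for every non-empty line."""
    for no, raw in enumerate(script.splitlines(), start=1):
        tokens = raw.split()
        if not tokens:
            continue
        negated = tokens[0] == "no"
        yield no, negated, tokens[1:] if negated else tokens


def lint(script):
    """Return findings for the state the script ends in (last command wins)."""
    telnet = None   # (line_no, enabled) from the last "[no] telnet server"
    users = {}      # user -> {command prefix: (line_no, value)}
    findings = []
    for no, negated, t in parse(script):
        if t == ["telnet", "server"]:
            telnet = (no, not negated)
            continue
        if t[:2] == ["users", "delete"] and len(t) == 3:
            users.pop(t[2], None)   # settings of a deleted user no longer matter
            continue
        for prefix, values in CHECKS.items():
            n = len(prefix)
            if negated or tuple(t[:n]) != prefix or len(t) != n + 2:
                continue
            user, value = t[n], t[n + 1]
            if len(user) > MAX_USER_LEN:
                findings.append(Finding(no, user, "user name longer than 32 characters"))
            elif value not in values:
                findings.append(Finding(
                    no, user, f"{value!r} is not a documented value for {' '.join(prefix)}"))
            else:
                users.setdefault(user, {})[prefix] = (no, value)
            break
    if telnet and telnet[1]:
        findings.append(Finding(telnet[0], "telnet",
                                "Telnet server left enabled; sessions are not encrypted"))
    for user, settings in users.items():
        for prefix, (no, value) in settings.items():
            if CHECKS[prefix][value]:
                findings.append(Finding(no, user, CHECKS[prefix][value]))
    return sorted(findings)


if __name__ == "__main__":
    for f in lint(SAMPLE_SCRIPT):
        print(f"line {f.line}: {f.subject}: {f.message}")
```

Settings that a script never touches are not reported, because the device defaults for them are not stated in this section.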

89.2 show

Display device options and settings.

89.2.1 show users

Display users and user account information.
- Mode: Command is available in all modes.
- Privilege Level: Administrator
- Format: show users

90 Virtual LAN (VLAN)

90.1 name

90.1.1 name

Assign a name to a VLAN.
- Mode: VLAN Database Mode
- Privilege Level: Operator
- Format: name <P-1> <P-2>
Parameter  Value    Meaning
P-1        1..4042  Enter the VLAN ID.
P-2        string   Enter a user-defined text, max. 32 characters.

90.2 vlan-unaware-mode

90.2.1 vlan-unaware-mode

Enable or disable VLAN unaware mode.
- Mode: VLAN Database Mode
- Privilege Level: Operator
- Format: vlan-unaware-mode

no vlan-unaware-mode

Disable the option.
- Mode: VLAN Database Mode
- Privilege Level: Operator
- Format: no vlan-unaware-mode

90.3 vlan

Create and configure VLANs.

90.3.1 vlan add

Create a VLAN.
- Mode: VLAN Database Mode
- Privilege Level: Operator
- Format: vlan add <P-1>
Parameter  Value    Meaning
P-1        1..4042  Enter the VLAN ID.

90.3.2 vlan delete

Delete a VLAN.
- Mode: VLAN Database Mode
- Privilege Level: Operator
- Format: vlan delete <P-1>
Parameter  Value    Meaning
P-1        2..4042  Enter the VLAN ID. VLAN ID 1 cannot be deleted or created.

90.4 vlan

Configure 802.1Q port parameters for VLANs.

90.4.1 vlan acceptframe

Configure how to handle received tagged/untagged frames.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: vlan acceptframe <P-1>
Parameter  Value     Meaning
P-1        all       Untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port.
           vlanonly  Only frames received with a VLAN tag will be forwarded. All other frames will be dropped.

90.4.2 vlan ingressfilter

Enable or disable the application of ingress filtering rules.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: vlan ingressfilter

no vlan ingressfilter

Disable the option.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: no vlan ingressfilter

90.4.3 vlan priority

Configure the priority for untagged frames.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: vlan priority <P-1>
Parameter  Value  Meaning
P-1        0..7   Enter a number in the given range.

90.4.4 vlan pvid

Configure the VLAN ID for a specific port.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: vlan pvid <P-1>
Parameter  Value    Meaning
P-1        1..4042  Enter the VLAN ID.

90.4.5 vlan tagging

Enable or disable tagging for a specific VLAN port.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: vlan tagging <P-1>
Parameter  Value    Meaning
P-1        1..4042  Enter the VLAN ID.

no vlan tagging

Disable the option.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: no vlan tagging <P-1>

90.4.6 vlan participation include

Set the VLAN participation to include.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: vlan participation include <P-1>
Parameter  Value    Meaning
P-1        1..4042  Enter the VLAN ID.

90.4.7 vlan participation exclude

Set the VLAN participation to exclude.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: vlan participation exclude <P-1>
Parameter  Value    Meaning
P-1        1..4042  Enter the VLAN ID.

90.4.8 vlan participation auto

Set the VLAN participation to auto.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: vlan participation auto <P-1>
Parameter  Value    Meaning
P-1        1..4042  Enter the VLAN ID.

90.5 show

Display device options and settings.

90.5.1 show vlan id

Display the configuration of a single specified VLAN.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show vlan id <P-1>
Parameter  Value    Meaning
P-1        1..4042  Enter the VLAN ID.

90.5.2 show vlan brief

Show general VLAN parameters.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show vlan brief

90.5.3 show vlan port

Show the VLAN configuration of a single port.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show vlan port [<P-1>]
Parameter  Value              Meaning
P-1        slot no./port no.

90.5.4 show vlan member current

Show the membership of ports in static or dynamically created VLANs.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show vlan member current

90.5.5 show vlan member static

Show the membership of ports in static VLANs.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show vlan member static

90.6 network

Configure the inband and outband connectivity.

90.6.1 network management vlan

Configure the management VLAN ID of the switch.
- Mode: Privileged Exec Mode
- Privilege Level: Operator
- Format: network management vlan <P-1>
Parameter  Value    Meaning
P-1        1..4042  Enter the VLAN ID.

90.6.2 network management priority dot1p

Configure the management VLAN priority of the switch.
- Mode: Privileged Exec Mode
- Privilege Level: Operator
- Format: network management priority dot1p <P-1>
Parameter  Value  Meaning
P-1        0..7   Enter a number in the given range.

90.6.3 network management priority ip-dscp

Configure the management VLAN ip-dscp priority of the switch.
- Mode: Privileged Exec Mode
- Privilege Level: Operator
- Format: network management priority ip-dscp <P-1>
Parameter  Value  Meaning
P-1        0..63  Enter a number in the given range.

91 Voice VLAN

91.1 voice

Configure voice VLAN.

91.1.1 voice vlan

Enable or disable the voice VLAN feature.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: voice vlan

no voice vlan

Disable the option.
- Mode: Global Config Mode
- Privilege Level: Operator
- Format: no voice vlan

91.2 voice

Configure voice VLAN.

91.2.1 voice vlan vlan-id

Set and configure the vlan-id interface mode.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: voice vlan vlan-id <P-1> [dot1p <P-2>]
[dot1p]: Set and configure the VLAN ID and dot1p interface mode.
Parameter  Value    Meaning
P-1        0..4042  Enter the VLAN ID. Entering ID 0 disables the feature.
P-2        0        priority 0
           1        priority 1
           2        priority 2
           3        priority 3
           4        priority 4
           5        priority 5
           6        priority 6
           7        priority 7
           255      default

91.2.2 voice vlan dot1p

Set and configure the dot1p voice VLAN interface mode.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: voice vlan dot1p <P-1>
Parameter  Value  Meaning
P-1        0      priority 0
           1      priority 1
           2      priority 2
           3      priority 3
           4      priority 4
           5      priority 5
           6      priority 6
           7      priority 7
           255    default

91.2.3 voice vlan none

Configure the none voice VLAN interface mode.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: voice vlan none

91.2.4 voice vlan untagged

Configure the untagged voice VLAN interface mode.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: voice vlan untagged

91.2.5 voice vlan disable

Disable voice VLAN on the interface.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: voice vlan disable

91.2.6 voice vlan auth

Set the voice VLAN authentication mode on the interface.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: voice vlan auth

no voice vlan auth

Disable the option.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: no voice vlan auth

91.2.7 voice vlan data priority

Trust or untrust data traffic on the interface.
- Mode: Interface Range Mode
- Privilege Level: Operator
- Format: voice vlan data priority <P-1>
Parameter  Value    Meaning
P-1        trust    Trust data traffic on an interface.
           untrust  Untrust data traffic on an interface.

91.3 show

Display device options and settings.

91.3.1 show voice vlan global

Display the current global Voice VLAN admin mode.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show voice vlan global

91.3.2 show voice vlan interface

Display a summary of the current Voice VLAN configuration for a specific port or for all ports.
- Mode: Command is available in all modes.
- Privilege Level: Guest
- Format: show voice vlan interface [<P-1>]
Parameter  Value              Meaning
P-1        slot no./port no.

A Further Support

Technical Questions

For technical questions, please contact any Hirschmann dealer in your area or Hirschmann directly.
You will find the addresses of our partners on the Internet at
http://www.hirschmann.com
Contact our support at
https://hirschmann-support.belden.eu.com

You can contact us

in the EMEA region at
- Tel.: +49 (0)1805 14-1538
- E-mail: hac.support@belden.com
in the America region at
- Tel.: +1 (717) 217-2270
- E-mail: inet-support.us@belden.com
in the Asia-Pacific region at
- Tel.: +65 6854 9860
- E-mail: inet-ap@belden.com

Hirschmann Competence Center

The Hirschmann Competence Center is ahead of its competitors:
- Consulting incorporates comprehensive technical advice, from system evaluation through network planning to project planning.
- Training offers you an introduction to the basics, product briefing and user training with certification.
  The current technology and product training courses can be found at http://www.hicomcenter.com
- Support ranges from the first installation through the standby service to maintenance concepts.

With the Hirschmann Competence Center, you have decided against making any compromises. Our client-customized package leaves you free to choose the service components you want to use.
Internet:
http://www.hicomcenter.com

User Manual
Configuration
HiOS-2A GRS1040 (Greyhound Switch)

UM Config HiOS-2A GRS1040
Release 7.0 11/2017

Technical support
https://hirschmann-support.belden.eu.com
The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that
these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may
be freely used by anyone.

© 2017 Hirschmann Automation and Control GmbH

Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into
any electronic medium or machine scannable form is not permitted, either in whole or in part. An exception is the preparation
of a backup copy of the software for your own use.

The performance features described here are binding only if they have been expressly agreed when the contract was made.
This document was produced by Hirschmann Automation and Control GmbH according to the best of the company's
knowledge. Hirschmann reserves the right to change the contents of this document without prior notice. Hirschmann can give
no guarantee in respect of the correctness or accuracy of the information in this document.

Hirschmann can accept no responsibility for damages, resulting from the use of the network components or the associated
operating software. In addition, we refer to the conditions of use specified in the license contract.

You can get the latest version of this manual on the Internet at the Hirschmann product site (www.hirschmann.com).

Hirschmann Automation and Control GmbH


Stuttgarter Str. 45-51
72654 Neckartenzlingen
Germany

Rel. 7.0 - 11/2017 – 10.01.2018


Contents

Contents

Safety instructions 9

About this Manual 11

Key 13

Introduction 15

1 User interfaces 17
1.1 Graphical user interface 18
1.2 Command line interface 19
1.2.1 Preparing the data connection 19
1.2.2 CLI access using Telnet 19
1.2.3 CLI using SSH (Secure Shell) 22
1.2.4 CLI using the V.24 port 24
1.3 System monitor 26
1.3.1 Functional scope 26
1.3.2 Starting the System Monitor 26

2 Specifying the IP parameters 29


2.1 IP parameter basics 30
2.1.1 IP address (version 4) 30
2.1.2 Netmask 31
2.1.3 Classless Inter-Domain Routing 33
2.2 Specifying the IP parameters using the CLI 34
2.3 Specifying the IP parameters using HiDiscovery 36
2.4 Specifying the IP parameters using the graphical user interface 38
2.5 Specifying the IP parameters using BOOTP 39
2.6 Specifying the IP parameters using DHCP 40
2.7 Management address conflict detection 42
2.7.1 Active and passive detection 42

3 Access to the device 43


3.1 Authentication lists 44
3.1.1 Applications 44
3.1.2 Policies 44
3.1.3 Managing authentication lists 45
3.1.4 Adjust the settings 45
3.2 User management 47
3.2.1 Access roles 47
3.2.2 Managing user accounts 48
3.2.3 Default setting 48
3.2.4 Changing default passwords 49
3.2.5 Setting up a new user account 49
3.2.6 Deactivating the user account 51
3.2.7 Adjusting policies for passwords 51
3.3 LDAP 53
3.3.1 Coordination with the server administrator 53
3.3.2 Example configuration 54
3.4 SNMP access 57

UM Config HiOS-2A GRS1040 3


Release 7.0 11/2017
Contents

3.4.1 SNMPv1/v2 access 57


3.4.2 SNMPv3 access 57
3.5 Service Shell 59
3.6 Out of Band 61

4 Managing configuration profiles 63


4.1 Detecting changed settings 64
4.2 Saving the settings 65
4.2.1 Saving the configuration profile in the device 65
4.2.2 Backup the configuration profile on a remote server 66
4.2.3 Saving the configuration profile in external memory 67
4.2.4 Exporting a configuration profile 68
4.3 Loading settings 69
4.3.1 Activating a configuration profile 69
4.3.2 Loading the configuration profile from the external memory 70
4.3.3 Importing a configuration profile 71
4.4 Reset the device to the factory defaults 73
4.4.1 Using the graphical user interface or CLI 73
4.4.2 Using the System Monitor 73

5 Loading software updates 75


5.1 Software update from the PC 76
5.2 Software update from a server 77
5.3 Software update from the external memory 78
5.3.1 Manually—initiated by the administrator 78
5.3.2 Automatically—initiated by the device 78
5.4 Loading an older software 80

6 Configuring the ports 81


6.1 Enabling/disabling the port 82
6.2 Selecting the operating mode 83
6.3 Deactivating the module slots 84
6.4 Link monitoring 85
6.4.1 Example 85
6.5 2.5G Support 86
6.5.1 Example 86

7 Assistance in the protection from unauthorized access 87


7.1 Changing the SNMPv1/v2 community 88
7.2 Disabling SNMPv1/v2 89
7.3 Disabling HTTP 90
7.4 Disabling Telnet 91
7.5 Disabling the HiDiscovery access 92
7.6 Activating the IP access restriction 93
7.7 Adjusting the session timeouts 95

8 Controlling the data traffic 97


8.1 Helping protect against unauthorized access 98
8.2 ACL 99
8.2.1 Creating and editing IPv4 rules 100

4 UM Config HiOS-2A GRS1040


Release 7.0 11/2017
Contents

8.2.2 Creating and configuring an IP ACL using the CLI 101


8.2.3 Creating and editing MAC rules 102
8.2.4 Creating and configuring a MAC ACL using the CLI 103
8.2.5 Assigning ACL groups to ports or VLANs 103
8.3 MAC authentication bypass 105

9 Synchronizing the system time in the network 107


9.1 Basic settings 108
9.1.1 Setting the time 108
9.1.2 Automatic daylight saving time changeover 109
9.2 SNTP 110
9.2.1 Preparation 111
9.2.2 Defining settings of the SNTP client 112
9.2.3 Specifying SNTP server settings 112
9.3 PTP 114
9.3.1 Types of clocks 114
9.3.2 Best Master Clock algorithm 115
9.3.3 Delay measurement 116
9.3.4 PTP domains 116
9.3.5 Using PTP 117

10 Network load control 119


10.1 Direct packet distribution 120
10.1.1 Learning MAC addresses 121
10.1.2 Aging of learned MAC addresses 121
10.1.3 Static address entries 121
10.2 Multicasts 123
10.2.1 Example of a Multicast application 123
10.2.2 IGMP snooping 123
10.3 Rate limiter 128
10.4 QoS/Priority 129
10.4.1 Description of prioritization 129
10.4.2 Handling of received priority information 130
10.4.3 VLAN tagging 131
10.4.4 IP ToS (Type of Service) 132
10.4.5 Handling of traffic classes 132
10.4.6 Queue management 133
10.4.7 Management prioritization 135
10.4.8 Setting prioritization 136
10.5 Differentiated services 140
10.5.1 DiffServ example 141
10.6 Flow control 143
10.6.1 Halfduplex or fullduplex link 144
10.6.2 Setting up the Flow Control 144

11 VLANs 145
11.1 Examples of VLANs 146
11.1.1 Example 1 146
11.1.2 Example 2 149
11.2 Guest / Unauthenticated VLAN 153
11.3 RADIUS VLAN assignment 155
11.4 Creating a Voice VLAN 156
11.5 MAC based VLANs 157
11.6 IP subnet based VLANs 158


11.7 Protocol-based VLAN 159


11.8 VLAN unaware mode 160

12 Redundancy 161
12.1 Network Topology vs. Redundancy Protocols 162
12.1.1 Network topologies 163
12.1.2 Redundancy Protocols 164
12.1.3 Combinations of Redundancies 164
12.2 Media Redundancy Protocol (MRP) 166
12.2.1 Network Structure 166
12.2.2 Reconfiguration time 167
12.2.3 Advanced mode 167
12.2.4 Prerequisites for MRP 167
12.2.5 Example Configuration 168
12.2.6 MRP over LAG 172
12.3 Spanning Tree 175
12.3.1 Basics 176
12.3.2 Rules for Creating the Tree Structure 179
12.3.3 Examples 181
12.3.4 The Rapid Spanning Tree Protocol 184
12.3.5 Configuring the device 187
12.3.6 Guards 189
12.3.7 Ring only mode 192
12.4 Link Aggregation 193
12.4.1 Methods of Operation 193
12.4.2 Link Aggregation Example 194
12.5 Link Backup 196
12.5.1 Fail Back Description 196
12.5.2 Example Configuration 197
12.6 HIPER Ring Client 198
12.6.1 VLANS on the HIPER Ring 198
12.6.2 HIPER Ring over LAG 199
12.7 FuseNet™ 200
12.8 Subring 201
12.8.1 Subring description 201
12.8.2 Subring example 203
12.8.3 Subring example configuration 204
12.9 Subring with LAG 206
12.9.1 Example 206
12.10 Ring/Network Coupling 209
12.10.1 Methods of Ring/Network Coupling 209
12.10.2 Prepare the Ring/Network Coupling 210
12.11 RCP 223
12.11.1 Example Configuration 224

13 Operation diagnosis 229


13.1 Sending SNMP traps 230
13.1.1 List of SNMP traps 231
13.1.2 SNMP traps for configuration activity 231
13.1.3 SNMP trap setting 232
13.1.4 ICMP messaging 232
13.2 Monitoring the Device Status 233
13.2.1 Events which can be monitored 233
13.2.2 Configuring the Device Status 234
13.2.3 Displaying the Device Status 235


13.3 Security Status 236


13.3.1 Events which can be monitored 236
13.3.2 Configuring the Security Status 237
13.3.3 Displaying the Security Status 238
13.4 Out-of-Band signaling 239
13.4.1 Controlling the Signal contact 239
13.4.2 Monitoring the Device and Security Statuses 240
13.5 Port status indication 243
13.6 Port event counter 244
13.6.1 Detecting non-matching duplex modes 244
13.7 Auto-Disable 246
13.8 Displaying the SFP status 248
13.9 Topology discovery 249
13.9.1 Displaying the Topology discovery results 249
13.9.2 LLDP-Med 250
13.10 Detecting loops 251
13.11 Email Notification 252
13.11.1 Specify the sender address 252
13.11.2 Specify the triggering events 252
13.11.3 Change the send interval 253
13.11.4 Specify the recipients 254
13.11.5 Specify the mail server 254
13.11.6 Enable/disable the function 255
13.11.7 Send a test email 255
13.12 Reports 257
13.12.1 Global settings 257
13.12.2 Syslog 259
13.12.3 System Log 260
13.12.4 Syslog over TLS 260
13.12.5 Audit Trail 261
13.13 Network analysis with TCPdump 263
13.14 Monitoring the data traffic 264
13.14.1 Port Mirroring 264
13.14.2 VLAN mirroring 265
13.14.3 Remote SPAN 267
13.15 Self-test 277
13.16 Copper cable test 279
13.17 Network monitoring with sFlow 280

14 Advanced functions of the device 283


14.1 Using the device as a DHCP server 284
14.1.1 IP Addresses assigned per port or per VLAN 284
14.1.2 DHCP server static IP address example 285
14.1.3 DHCP server dynamic IP address range example 285
14.2 DHCP L2 Relay 287
14.2.1 Circuit and Remote IDs 287
14.2.2 DHCP L2 Relay configuration 288
14.3 Using the device as a DNS client 290
14.3.1 Configuring a DNS server example 290
14.4 GARP 292
14.4.1 Configuring GMRP 292
14.4.2 Configuring GVRP 293
14.5 MRP-IEEE 294


14.5.1 MRP operation 294
14.5.2 MRP timers 295
14.5.3 MMRP 295
14.5.4 MVRP 297
14.6 CLI client 299

15 Industry Protocols 301


15.1 IEC 61850/MMS 302
15.1.1 Switch model for IEC 61850 302
15.1.2 Integration into a Control System 303
15.2 Modbus TCP 305
15.2.1 Client/Server Modbus TCP/IP Mode 305
15.2.2 Supported Functions and Memory Mapping 306
15.2.3 Example Configuration 308
15.3 EtherNet/IP 310
15.3.1 Integration into a Control System 310
15.3.2 EtherNet/IP Entity Parameters 312
15.4 PROFINET 321
15.4.1 Integration into a Control System 323
15.4.2 PROFINET Parameter 329

A Setting up the configuration environment 333


A.1 Setting up a DHCP/BOOTP server 334
A.2 Setting up a DHCP server with Option 82 338
A.3 Preparing access via SSH 341
A.3.1 Generating a key on the device 341
A.3.2 Loading your own key onto the device 341
A.3.3 Preparing the SSH client program 343
A.4 HTTPS certificate 345
A.4.1 HTTPS certificate management 345
A.4.2 Access through HTTPS 346

B Appendix 347
B.1 Literature references 348
B.2 Maintenance 349
B.3 Management Information Base (MIB) 350
B.4 List of RFCs 352
B.5 Underlying IEEE Standards 354
B.6 Underlying IEC Norms 355
B.7 Underlying ANSI Norms 356
B.8 Technical Data 357
B.9 Copyright of integrated Software 358
B.10 Abbreviations used 359

C Index 361

D Further support 365

E Readers’ Comments 366


Safety instructions

WARNING
UNCONTROLLED MACHINE ACTIONS
To avoid uncontrolled machine actions caused by data loss, configure all the data transmission
devices individually.
Before you start any machine which is controlled via data transmission, be sure to complete the
configuration of all data transmission devices.

Failure to follow these instructions can result in death, serious injury, or equipment damage.


About this Manual

The “Configuration” user manual contains the information you need to start operating the device. It takes
you step by step from the first startup operation through to the basic settings for operation in your
environment.

The “Installation” user manual contains a device description, safety instructions, a description of the
display, and the other information that you need to install the device.

The “Graphical User Interface” reference manual contains detailed information on using the graphical
user interface to operate the individual functions of the device.

The “Command Line Interface” reference manual contains detailed information on using the Command
Line Interface to operate the individual functions of the device.

The Industrial HiVision Network Management software provides you with additional options for smooth
configuration and monitoring:
 Auto-topology discovery
 Browser interface
 Client/server structure
 Event handling
 Event log
 Simultaneous configuration of multiple devices
 Graphical user interface with network layout
 SNMP/OPC gateway


Key

The designations used in this manual have the following meanings:

 List
 Work step
 Subheading
Link Cross-reference with link
Note: A note emphasizes an important fact or draws your attention to a dependency.
Courier ASCII representation in the graphical user interface

Execution in the Graphical User Interface

Execution in the Command Line Interface


Introduction

The device has been developed for use in a harsh industrial environment. Accordingly, the installation
process has been kept simple. Thanks to the selected default settings, you only have to enter a few
settings before starting to operate the device.


1 User interfaces

The device allows you to specify the settings of the device using the following user interfaces.
| User interface | Can be reached through … | Prerequisite |
| --- | --- | --- |
| Graphical User Interface (GUI) | Ethernet (In-Band) | Web browser |
| Command Line Interface (CLI) | Ethernet (In-Band), V.24 (Out-of-Band) | Terminal emulation software |
| System monitor | V.24 (Out-of-Band) | Terminal emulation software |

Table 1: User interfaces for accessing the management of the device


1.1 Graphical user interface

 System requirements
To open the graphical user interface, you need the desktop version of a Web browser with HTML5
and JavaScript support.

Note: Third-party software such as Web browsers validate certificates based on criteria such as their
expiration date and current cryptographic parameter recommendations. Old certificates can cause
errors, for example, when they expire or cryptographic recommendations change. Upload your own,
up-to-date certificate or regenerate the certificate with the latest firmware to solve validation conflicts
with third-party software.

 Starting the graphical user interface


The prerequisite for starting the graphical user interface is that the IP parameters are configured in
the device. See “Specifying the IP parameters” on page 29.
 Start your Web browser.
 Write the IP address of the device in the address field of the Web browser.
Use the following form: https://xxx.xxx.xxx.xxx
The Web browser sets up the connection to the device and displays the Login page.
 If you want to change the language of the graphical user interface, click the appropriate link in the
top right corner of the Login page.
 Enter the user name.
 Enter the password.
 Click the Login button.
The Web browser displays the graphical user interface.


1.2 Command line interface

The Command Line Interface enables you to use the functions of the device through a local or remote
connection.
The Command Line Interface provides IT specialists with a familiar environment for configuring IT
devices. As an experienced user or administrator, you have knowledge about the basics and about
using Hirschmann devices.

1.2.1 Preparing the data connection


Information for assembling and starting up your device can be found in the “Installation” user manual.
 Connect the device with the network. The network parameters must be set correctly for the data
connection to be successful.
You can access the Command Line Interface, for example, with the freeware program PuTTY.
This program is provided on the product CD.
 Install the PuTTY program on your computer.

1.2.2 CLI access using Telnet

 Telnet connection using Windows

Note: Telnet is only installed as standard in Windows versions before Windows Vista.
 Start the Command Prompt program on your computer.
 Enter the command telnet <IP_address>.


Figure 1: Command Prompt: Setting up the Telnet connection to the device

 Telnet connection using PuTTY


 Start the PuTTY program on your computer.

Figure 2: PuTTY input screen

 In the Host Name (or IP address) field you enter the IP address of your device.
The IP address (a.b.c.d) consists of 4 decimal numbers with values from 0 to 255. The 4 decimal
numbers are separated by points.
 To select the connection type, select the Telnet radio button in the Connection type range.
 Click the Open button to set up the data connection to your device.

The CLI appears on the screen with a window for entering the user name. The device enables up to 5
users to access the Command Line Interface at the same time.
User: admin
Password:*******

Figure 3: Login screen in CLI


Note: Change the password during the first startup procedure.


 Enter the user name. The default user name is admin. Press the <Enter> key.
 Enter the password. The default password is private. Press the <Enter> key. The device offers
the possibility to change the user name and the password later in the Command Line Interface.
These entries are case-sensitive.

The device displays the CLI start screen with the command prompt:
(GRS) >

Figure 4: Start screen of CLI


1.2.3 CLI using SSH (Secure Shell)


 Start the PuTTY program on your computer.

Figure 5: PuTTY input screen

 In the Host Name (or IP address) field you enter the IP address of your device.
The IP address (a.b.c.d) consists of 4 decimal numbers with values from 0 to 255. The 4 decimal
numbers are separated by points.
 To specify the connection type, select the SSH radio button in the Connection type range.
 After selecting and setting the required parameters, the device enables you to set up the data
connection using SSH.
Click the Open button to set up the data connection to your device. Depending on the device and the
time at which SSH was configured, setting up the connection takes up to a minute.

When you first login to your device, towards the end of the connection setup, the PuTTY program
displays a security alert message and gives you the option of checking the fingerprint of the key.


Figure 6: Security alert prompt for the fingerprint


 Check the fingerprint. This helps protect you from unwelcome guests.
 If the fingerprint matches that of the device key, click the Yes button.
The device allows you to display the fingerprints of the device keys with the CLI command show ssh
or in the Device Security > Management Access > Server dialog, SSH tab.
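
Added example (not part of the Hirschmann manual): one way to compare the host key a client was offered, for instance a public key line captured with ssh-keyscan, against the fingerprint read from the device over a trusted path such as the V.24 console. This page does not give the display format of show ssh, so accepting both the MD5 colon-hex and the SHA256 base64 forms is an assumption; the function names are hypothetical and the key is constructed sample data.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_public_key_line(line: str):
    """Split an OpenSSH public key line into (key type, raw key blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    # The blob repeats the algorithm name. A mismatch means a damaged or
    # hand-edited line that must not be trusted.
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("declared key type does not match the blob")
    return key_type, blob


def fingerprints(blob: bytes) -> dict:
    """Fingerprints of a raw key blob in the two common display forms."""
    md5_hex = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": md5, "sha256": "SHA256:" + sha}


def matches_device_fingerprint(key_line: str, shown: str) -> bool:
    """True if the offered key has the fingerprint displayed by the device."""
    _, blob = parse_public_key_line(key_line)
    fps = fingerprints(blob)
    shown = shown.strip()
    if shown[:7].upper() == "SHA256:":
        # Base64 is case-sensitive: compare exactly, ignoring only padding.
        return "SHA256:" + shown[7:].rstrip("=") == fps["sha256"]
    if shown[:4].upper() == "MD5:":
        shown = shown[4:]
    # MD5 fingerprints are hex, so letter case carries no meaning.
    return shown.lower() == fps["md5"]


# Constructed sample data: an ed25519-shaped blob with a dummy 32-byte key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
                   + " constructed-sample")
# A different key, as a client would see it if another host answered.
OTHER_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
OTHER_KEY_LINE = "ssh-ed25519 " + base64.b64encode(OTHER_BLOB).decode()

if __name__ == "__main__":
    shown_on_console = fingerprints(SAMPLE_BLOB)["sha256"]
    for label, line in (("expected key", SAMPLE_KEY_LINE),
                        ("other key", OTHER_KEY_LINE)):
        ok = matches_device_fingerprint(line, shown_on_console)
        print(f"{label}: {'match, accept' if ok else 'MISMATCH, do not connect'}")
```
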

Note: For experienced network administrators, another way of accessing your device through SSH is
the OpenSSH Suite. To set up the data connection, enter the following command:
ssh admin@10.149.112.53
admin is the user name.
10.149.112.53 is the IP address of your device.

The CLI appears on the screen with a window for entering the user name. The device enables up to 5 users
to access the Command Line Interface at the same time.
login as: admin
admin@a.b.c.d's password:

a.b.c.d is the IP address of your device.

 Enter the user name. The default user name is admin. Press the <Enter> key.
 Enter the password. The default password is private. Press the <Enter> key. The device offers the
possibility to change the user name and the password later in the Command Line Interface. These
entries are case-sensitive.

The device displays the CLI start screen.

Note: This device is a security-relevant product. Change the password during the first startup
procedure.


Figure 7: Start screen of CLI

1.2.4 CLI using the V.24 port


The V.24 interface is a serial interface for the local connection of an external network management
station (VT100 terminal or PC with terminal emulation). The interface allows you to set up a data
connection to the Command Line Interface (CLI) and to the system monitor.
| VT 100 terminal settings | |
| --- | --- |
| Speed | 9600 bit/s |
| Data | 8 bit |
| Stopbit | 1 bit |
| Handshake | off |
| Parity | none |

 Connect the device to a terminal using V.24. Alternatively connect the device to a COM port of your
PC using terminal emulation based on VT100 and press any key.
 Alternatively you set up the serial data connection to the device using V.24 with the PuTTY program.
Press the <Enter> key.

Figure 8: Serial data connection using V.24 with the PuTTY program


After the data connection has been set up successfully, the device displays a window for entering the
user name.

Note: You can configure the V.24 interface as a terminal/CLI interface.


Press any key on your terminal keyboard a number of times until the login screen indicates the CLI
mode.

 Enter the user name. The default user name is admin. Press the <Enter> key.
 Enter the password. The default password is private. Press the <Enter> key. The device offers the
possibility to change the user name and the password later in the Command Line Interface. These
entries are case-sensitive.

Figure 9: Logging in to the Command Line Interface program

Figure 10: CLI screen after login


1.3 System monitor

The System Monitor allows you to set basic operating parameters before starting the operating system.

1.3.1 Functional scope


In the System Monitor, you carry out the following tasks, for example:
 Managing the operating system and verifying the software image
 Updating the operating system
 Starting the operating system
 Deleting configuration profiles, resetting the device to the factory defaults
 Checking boot code information

1.3.2 Starting the System Monitor


Prerequisite:
 Terminal cable for connecting the device to your PC (available as an optional accessory).
 PC with VT100 terminal emulation (such as the PuTTY program) or serial terminal


Perform the following steps:


 Use the terminal cable to connect the V.24 interface of the device with the COM port of the PC.
 Start the VT100 terminal emulation on the PC.
 Specify the following transmission parameters:
| VT 100 terminal settings | |
| --- | --- |
| Speed | 9600 bit/s |
| Data | 8 bit |
| Stopbit | 1 bit |
| Handshake | off |
| Parity | none |
 Set up a connection to the device.
 Switch on the device. If the device is already on, reboot it.
The screen displays the following message after rebooting:
Press <1> to enter System Monitor 1.
 Press the <1> key within 3 seconds.
The device starts the System Monitor. The screen displays the following view:
System Monitor 1
(Selected OS: ...-7.0 (2017-11-20 19:17))

1 Manage operating system
2 Update operating system
3 Start selected operating system
4 Manage configurations
5 Show boot code information
q End (reset and reboot)

sysMon1>

Figure 11: System Monitor 1 screen display


 Select a menu item by entering the number.
 To leave a submenu and return to the main menu of System Monitor 1, press the <ESC> key.


2 Specifying the IP parameters

When you install the device for the first time, enter the IP parameters.

The device provides the following options for entering the IP parameters during the first installation:
 Entry using the Command Line Interface.
You choose this “Out-of-Band” method if you preconfigure your device outside its operating
environment, or if you restore the network access (“In-Band”) to the device.
 Entry using the HiDiscovery protocol.
You choose this “In-Band” method on a previously installed network device or if you have another
Ethernet connection between your PC and the device.
 Configuration using the external memory.
You choose this method if you are replacing a device with a device of the same type and have already
saved the configuration in the external memory.
 Using BOOTP.
You choose this “In-Band” method to configure the installed device using BOOTP. You need a
BOOTP server for this method. The BOOTP server assigns the configuration data to the device using
its MAC address. The DHCP mode is the default mode for the configuration data reference.
 Configuration using DHCP.
You choose this “In-Band” method to configure the installed device using DHCP. You need a DHCP
server for this method. The DHCP server assigns the configuration data to the device using its MAC
address or its system name.
 Configuration using the graphical user interface.
If the device already has an IP address and is reachable using the network, then the graphical user
interface provides you with another option for configuring the IP parameters.


2.1 IP parameter basics

2.1.1 IP address (version 4)


The IP addresses consist of 4 bytes. Write these 4 bytes in decimal notation, separated by a decimal
point.
RFC 1340, written in 1992, defines 5 IP address classes.
| Class | Network address | Host address | Address range |
| --- | --- | --- | --- |
| A | 1 Byte | 3 Bytes | 0.0.0.0 to 127.255.255.255 |
| B | 2 Bytes | 2 Bytes | 128.0.0.0 to 191.255.255.255 |
| C | 3 Bytes | 1 Byte | 192.0.0.0 to 223.255.255.255 |
| D | | | 224.0.0.0 to 239.255.255.255 |
| E | | | 240.0.0.0 to 255.255.255.255 |

Table 2: IP address classes

The first byte of an IP address is the network address. The worldwide leading regulatory board for
assigning network addresses is the IANA ("Internet Assigned Numbers Authority"). If you require an IP
address block, contact your Internet Service Provider (ISP). Your ISP contacts their local higher-level
organization to reserve an IP address block:
 APNIC (Asia Pacific Network Information Center)
Asia/Pacific Region
 ARIN (American Registry for Internet Numbers)
Americas and Sub-Sahara Africa
 LACNIC (Regional Latin-American and Caribbean IP Address Registry)
Latin America and some Caribbean Islands
 RIPE NCC (Réseaux IP Européens)
Europe and Surrounding Regions

| Leading bits | Remaining bits | Class |
| --- | --- | --- |
| 0 | Net ID - 7 bits, Host ID - 24 bits | Class A |
| 1 0 | Net ID - 14 bits, Host ID - 16 bits | Class B |
| 1 1 0 | Net ID - 21 bits, Host ID - 8 bits | Class C |
| 1 1 1 0 | Multicast Group ID - 28 bits | Class D |
| 1 1 1 1 | reserved for future use - 28 bits | Class E |

Figure 12: Bit representation of the IP address

An IP address belongs to class A when its first bit is a zero, that is, when the first octet is less than
128.
An IP address belongs to class B when the first bit is a one and the second bit is a zero, that is, when the
first octet is between 128 and 191.
An IP address belongs to class C when the first 2 bits are a one, that is, when the first octet is higher
than 191.


Assigning the host address (host ID) is the responsibility of the network operator. The network operator
alone is responsible for the uniqueness of the assigned IP addresses.

2.1.2 Netmask
Routers and Gateways subdivide large networks into subnetworks. The netmask assigns the IP
addresses of the individual devices to a particular subnetwork.
You perform subnetwork division using the netmask in much the same way as the division of the network
addresses (net id) into classes A to C.
Set the bits of the host address (host id) that represent the mask to one. Set the remaining host address
bits to zero (see the following examples).

Example of a subnet mask:

Decimal notation: 255.255.192.0
Binary notation: 11111111.11111111.11000000.00000000
Bits 1 to 16: Class B. Bits 17 to 18: subnetwork mask bits.

Example of IP addresses with subnetwork assignment when applying the subnet mask:

Decimal notation: 129.218.65.17
128 < 129 ≤ 191 → Class B
Binary notation: 10000001.11011010.01000001.00010001
Bits 1 to 16: network address. Bits 17 to 18 (01): Subnetwork 1.

Decimal notation: 129.218.129.17
128 < 129 ≤ 191 → Class B
Binary notation: 10000001.11011010.10000001.00010001
Bits 1 to 16: network address. Bits 17 to 18 (10): Subnetwork 2.


 Example of how the netmask is used


In a large network it is possible that Gateways and routers separate the management agent from its
network management station. How does addressing work in such a case?
Figure 13: The management agent is separated from its network management station by a router
(figure labels: Romeo, Juliet, Lorenzo, LAN 1, LAN 2)

The network management station “Romeo” wants to send data to the management agent “Juliet”.
Romeo knows Juliet's IP address and also knows that the router “Lorenzo” knows the way to Juliet.

Romeo therefore puts his message in an envelope and writes Juliet's IP address as the destination
address; for the source address he writes his own IP address on the envelope.

Romeo then places this envelope in a second one with Lorenzo's MAC address as the destination
and his own MAC address as the source. This process is comparable to going from Layer 3 to
Layer 2 of the ISO/OSI base reference model.

Finally, Romeo puts the entire data packet into the mailbox, which is comparable to going from
Layer 2 to Layer 1, that is, to sending the data packet over the Ethernet.

Lorenzo receives the letter, removes the outer envelope and recognizes from the inner envelope that
the letter is meant for Juliet. He places the inner envelope in a new outer envelope and searches his
address list (the ARP table) for Juliet's MAC address; he writes her MAC address on the outer
envelope as the destination address and his own MAC address as the source address. He then
places the entire data packet in the mail box.

Juliet receives the letter and removes the outer envelope. She finds the inner envelope with Romeo's
IP address. Opening the inner envelope and reading its contents corresponds to transferring the
message to the higher protocol layers of the ISO/OSI layer model.

Juliet would now like to send a reply to Romeo. She places her reply in an envelope with Romeo's
IP address as destination and her own IP address as source. But where is she to send the answer?
She did not receive Romeo's MAC address. It was lost when Lorenzo replaced the outer
envelope.

In the MIB, Juliet finds Lorenzo listed under the variable hmNetGatewayIPAddr as a means of
communicating with Romeo. She therefore puts the envelope with the IP addresses in a further
envelope with Lorenzo's MAC destination address.

The letter now travels back to Romeo via Lorenzo, the same way the first letter traveled from Romeo
to Juliet.


2.1.3 Classless Inter-Domain Routing


Class C with a maximum of 254 addresses was too small, and class B with a maximum of
65534 addresses was too large for most users. This resulted in an ineffective usage of the available
class B addresses.
Class D contains reserved Multicast addresses. Class E is for experimental purposes. A
non-participating Gateway ignores experimental datagrams with these destination addresses.
Since 1993, RFC 1519 has been using Classless Inter-Domain Routing (CIDR) to provide a solution.
CIDR overcomes these class boundaries and supports classless address ranges.
With CIDR, you enter the number of bits that designate the IP address range. You represent the IP
address range in binary form and count the mask bits that designate the netmask. The mask bits equal
the number of bits used for the subnet in a given IP address range.
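Example:

| IP address, decimal | Network mask, decimal | IP address, binary |
| --- | --- | --- |
| 149.218.112.1 | 255.255.255.128 | 10010101 11011010 01110000 00000001 |
| 149.218.112.127 | | 10010101 11011010 01110000 01111111 |

The first 25 bits of the binary addresses are the mask bits.
CIDR notation: 149.218.112.0/25 (the value after the slash is the number of mask bits)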

The term “supernetting” refers to combining a number of class C address ranges. Supernetting enables
you to subdivide class B address ranges to a fine degree.
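
Added example (not part of the Hirschmann manual): a pre-check of planned IP parameters that ties together the class rules, the netmask examples and the CIDR notation above, and decides whether a Gateway entry is needed as in the Romeo and Juliet walkthrough. The function names are hypothetical; the addresses are the ones used on this page, plus constructed management station and Gateway addresses in the 10.0.x.x range.

```python
import ipaddress


def address_class(ip: str) -> str:
    """Historic address class, decided by the first octet (leading bits)."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    for limit, name in ((128, "A"), (192, "B"), (224, "C"), (240, "D")):
        if first_octet < limit:
            return name
    return "E"


def prefix_length(netmask: str) -> int:
    """Number of mask bits; rejects masks whose one-bits are not contiguous."""
    mask = int(ipaddress.IPv4Address(netmask))
    host_bits = mask ^ 0xFFFFFFFF
    # A valid mask inverted is 0...01...1, so adding 1 clears every set bit.
    if host_bits & (host_bits + 1):
        raise ValueError(f"{netmask} is not a contiguous netmask")
    return bin(mask).count("1")


def subnet_of(ip: str, netmask: str) -> ipaddress.IPv4Network:
    """The subnetwork (in CIDR notation) that the netmask assigns the IP to."""
    return ipaddress.IPv4Network(f"{ip}/{prefix_length(netmask)}", strict=False)


def check_ip_parameters(ip, netmask, gateway=None, station=None) -> list:
    """Return findings for the planned settings; an empty list means OK."""
    addr = ipaddress.IPv4Address(ip)
    if int(addr) == 0:
        return ["IP address is still the default 0.0.0.0"]
    try:
        net = subnet_of(ip, netmask)
    except ValueError as exc:
        return [f"Netmask rejected: {exc}"]
    findings = []
    if net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
        findings.append(f"{ip} is the network or broadcast address of {net}")
    if gateway is not None and ipaddress.IPv4Address(gateway) not in net:
        findings.append(f"Gateway {gateway} is outside the device subnetwork {net}")
    if (station is not None and gateway is None
            and ipaddress.IPv4Address(station) not in net):
        findings.append(
            f"Station {station} is in a different subnetwork than {net}: "
            "a Gateway entry is required")
    return findings


if __name__ == "__main__":
    # The two class B hosts from the netmask example land in different subnets.
    for host in ("129.218.65.17", "129.218.129.17"):
        print(host, "class", address_class(host), "->",
              subnet_of(host, "255.255.192.0"))
    # The CIDR example: 255.255.255.128 is 25 mask bits.
    print(subnet_of("149.218.112.1", "255.255.255.128"))
    # Planned device settings, checked against a constructed station address.
    print(check_ip_parameters("10.0.1.23", "255.255.255.0", station="10.0.2.5"))
```
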


2.2 Specifying the IP parameters using the CLI

There are several methods for entering the system configuration: using BOOTP/DHCP, the
HiDiscovery protocol, or the external memory. You also have the option of performing the
configuration over the V.24 interface using the CLI.
The device allows you to specify the IP parameters using the HiDiscovery protocol or using the CLI over
the V.24 interface.
Entering IP addresses
1. Connect the PC with terminal program started to the RJ11 socket
2. Command Line Interface starts after key press
3. Log in and change to the Privileged EXEC Mode
4. Enter and save IP parameters
End of entering IP addresses

Figure 14: Flow chart for entering IP addresses

Note: If a terminal or PC with terminal emulation is unavailable in the vicinity of the installation location,
you can configure the device at your own workstation, then take it to its final installation location.
 Set up a connection to the device.
The start screen appears.


 Deactivate DHCP.

 Enter the IP parameters.


 Local IP address
In the default setting, the local IP address is 0.0.0.0.
 Netmask
If you divided your network into subnetworks, and if these are identified with a netmask, then enter
the netmask here. In the default setting, the local netmask is 0.0.0.0.
 IP address of the Gateway.
This entry is only required if the device and the network management station or TFTP server are
located in different subnetworks (see “Example of how the netmask is used” on page 32).
Specify the IP address of the Gateway between the subnetwork with the device and the path to
the network management station.
In the default setting, the IP address is 0.0.0.0.

 Save the configuration specified using copy config running-config nvm.


| Command | Meaning |
| --- | --- |
| enable | Change to the Privileged EXEC mode. |
| network protocol none | Deactivating DHCP. |
| network parms 10.0.1.23 255.255.255.0 | Assign the device the IP address 10.0.1.23 and the netmask 255.255.255.0. You have the option of also assigning a Gateway address. |
| copy config running-config nvm | Save the current settings in the non-volatile memory (nvm) in the “selected” configuration profile. |

After entering the IP parameters, you can easily configure the device using the graphical user interface.


2.3 Specifying the IP parameters using HiDiscovery

The HiDiscovery protocol enables you to assign IP parameters to the device using the Ethernet.
You can easily configure other parameters using the graphical user interface.
Install the HiDiscovery software on your PC. The software is on the product DVD supplied with the
device.

 To install it, you start the installation program on the DVD.


 Start the HiDiscovery program.

Figure 15: HiDiscovery


When HiDiscovery is started, HiDiscovery automatically searches the network for those devices which
support the HiDiscovery protocol.
HiDiscovery uses the first network interface found for the PC. If your computer has several network
cards, you can select the one you desire in the HiDiscovery toolbar.
HiDiscovery displays a line for every device that responds to a HiDiscovery protocol inquiry.

HiDiscovery enables you to identify the devices displayed.


 Select a device line.
 To set the LEDs to flashing for the selected device, click the Signal button on the tool bar. To stop
the flashing, click the Signal button again.
 By double-clicking a line, you open a window in which you specify the device name and the IP
parameter.

Figure 16: HiDiscovery – assigning IP parameters


Note: For security reasons, disable the HiDiscovery function for the device in the graphical user
interface, after you have assigned the IP parameters to the device.

Note: Save the settings so that you will still have the entries after a restart.


2.4 Specifying the IP parameters using the graphical user interface

Perform the following steps:

• Open the Basic Settings > Network dialog.
  In this dialog you first specify the source from which the device gets its IP parameters after
  starting. You also define the VLAN in which the device management can be accessed, configure
  the HiDiscovery access and allocate manual IP parameters.
• In the Management interface frame you first specify where the device gets its IP parameters
  from:
  – In the BOOTP mode, the device is configured by a BOOTP or DHCP server on the basis of the
    MAC address of the device.
  – In the DHCP mode, the device is configured by a DHCP server on the basis of the MAC address
    or the name of the device.
  – In the Local mode, the device uses the network parameters from the internal device memory.
  Note: When you change the allocation mode of the IP address, the device activates the new
  mode immediately after you click the button.
• In the VLAN ID column you specify the VLAN in which the device management can be
  accessed over the network.
  – Note here that you can only access the device management using ports that are members of
    the relevant VLAN.
  The MAC address field displays the MAC address of the device with which you access the device
  over the network.
• In the HiDiscovery protocol v1/v2 frame you specify the settings for accessing the device
  using the HiDiscovery software.
  – The HiDiscovery protocol allows you to allocate an IP address to the device on the basis of its
    MAC address. Activate the HiDiscovery protocol if you want to allocate an IP address to the
    device from your PC with the HiDiscovery software.
• If required, you enter the IP address, the netmask and the Gateway in the IP parameter
  frame.
• To save the changes temporarily, click the button.


2.5 Specifying the IP parameters using BOOTP

With the BOOTP function activated the device sends a boot request message to the BOOTP server. The
boot request message contains the Client ID configured in the Basic Settings > Network dialog. The
BOOTP server enters the Client ID into a database and assigns an IP address. The server answers with
a boot reply message. The boot reply message contains the assigned IP address.


2.6 Specifying the IP parameters using DHCP

The DHCP (Dynamic Host Configuration Protocol) is a further development of BOOTP, which it has
replaced. The DHCP additionally allows the configuration of a DHCP client using a name instead of
using the MAC address.
For the DHCP, this name is known as the “Client Identifier” in accordance with RFC 2131.
The device uses the name entered under sysName in the system group of the MIB II as the Client
Identifier. You can change the system name using the graphical user interface (see dialog Basic
Settings > System), the Command Line Interface or SNMP.
The device sends its system name to the DHCP server. The DHCP server then uses the system name
to allocate an IP address as an alternative to the MAC address.

In addition to the IP address, the DHCP server sends

• the netmask
• the default Gateway (if available)
• the TFTP URL of the configuration file (if available).

The device applies the configuration data to the appropriate parameters. When the DHCP server
assigns the IP address, the device permanently saves the configuration data in non-volatile memory.

Options  Meaning
1        Subnet Mask
2        Time Offset
3        Router
4        Time server
12       Host Name
42       NTP server
61       Client Identifier
66       TFTP Server Name
67       Bootfile Name
Table 3: DHCP options which the device requests

The advantage of using DHCP instead of BOOTP is that the DHCP server can restrict the validity of the
configuration parameters (“Lease”) to a specific time period (known as dynamic address allocation).
Before this period (“Lease Duration”) elapses, the DHCP client can attempt to renew this lease.
Alternatively, the client can negotiate a new lease. The DHCP server then allocates a random free
address.
To help avoid this, DHCP servers provide the explicit configuration option of assigning a specific client
the same IP address based on a unique hardware ID (known as static address allocation).
In the default setting, DHCP is activated. As long as DHCP is activated, the device attempts to obtain
an IP address. If it cannot find a DHCP server after restarting, it will not have an IP address. The Basic
Settings > Network dialog offers you the opportunity to activate or to deactivate DHCP.

Note: When using Industrial HiVision network management, ensure that DHCP always allocates the
original IP address to each device.
The appendix contains an example configuration of the BOOTP/DHCP-server.

Example of a DHCP-configuration file:


# /etc/dhcpd.conf for DHCP Daemon
#
subnet 10.1.112.0 netmask 255.255.240.0 {
  option subnet-mask 255.255.240.0;
  option routers 10.1.112.96;
}
#
# Host berta requests IP configuration
# with her MAC address
#
host berta {
  hardware ethernet 00:80:63:08:65:42;
  fixed-address 10.1.112.82;
}
#
# Host hugo requests IP configuration
# with his client identifier.
#
host hugo {
  #
  option dhcp-client-identifier "hugo";
  option dhcp-client-identifier 00:68:75:67:6f;
  fixed-address 10.1.112.83;
  server-name "10.1.112.11";
  filename "/agent/config.dat";
}

Lines beginning with the # character contain comments.


The lines preceding the individually listed devices refer to settings that apply to the following device.
The fixed-address line assigns a permanent IP address to the device.
For further information, please refer to the DHCP server manual.


2.7 Management address conflict detection

You can assign an IP address to the device using several different methods. This function helps the
device detect IP address conflicts on the network after boot-up; the device also checks periodically
during operation. This function is described in RFC 5227.
When enabled, the device sends an SNMP trap informing you that it detected an IP address conflict.
The following list contains the default settings for this function:
– Operation : On
– Detection mode : active and passive
– Send periodic ARP probes : marked
– Detection delay [ms] : 200
– Release delay [s] : 15
– Address protections : 3
– Protection interval [ms] : 200
– Send trap : marked

2.7.1 Active and passive detection


Actively checking the network helps prevent the device from connecting to the network with a duplicate
IP address. After connecting the device to a network or after configuring the IP address, the device
immediately checks whether its IP address exists within the network. To check the network for address
conflicts, the device sends 4 ARP probes with the detection delay of 200 ms into the network. If the IP
address exists, the device returns to the previous configuration, if possible, and makes another check
after the configured release delay time.
When you disable active detection, the device sends 2 gratuitous ARP announcements in 2 s intervals.
Using the ARP announcements with passive detection enabled, the device polls the network to
determine whether there is an address conflict. After resolving an address conflict or after the
release delay time has expired, the device reconnects to the network. Following 10 detected conflicts,
if the configured release delay interval is less than 60 s, then the device sets the release delay
interval to 60 s.
After the device performs active detection or you disable the active detection function, with passive
detection enabled the device listens on the network for other devices using the same IP address. If the
device detects a duplicate IP address, it initially defends its address by employing the ACD mechanism
in the passive detection mode and sends out gratuitous ARPs. The number of protections that the
device sends and the protection interval are configurable. To resolve conflicts, if the remote device
remains connected to the network, the network interface of the local device disconnects from the
network.
When a DHCP server assigns an IP address to the device, the device returns a DHCP decline message
when an address conflict occurs.
The device uses the ARP probe method. This has the following advantages:
• ARP caches on other devices remain unchanged
• the method is robust through multiple ARP probe transmissions
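
The probe and announcement packets this section relies on, modelled in Python as an added example (not Hirschmann code or device output). The packet roles follow RFC 5227; the MAC addresses are constructed, and treating the 200 ms detection delay as the spacing between probes is an assumption.

```python
from collections import namedtuple

# One observed ARP packet. op: 1 = request, 2 = reply (values from the ARP header).
Arp = namedtuple("Arp", "t_ms op sender_mac sender_ip target_ip")

ZERO_IP = "0.0.0.0"
REQUEST, REPLY = 1, 2


def classify(pkt):
    """Name the role an ARP packet plays in RFC 5227."""
    if pkt.op == REQUEST and pkt.sender_ip == ZERO_IP:
        return "probe"          # asks who has target_ip without claiming any address
    if pkt.op == REQUEST and pkt.sender_ip == pkt.target_ip:
        return "announcement"   # gratuitous ARP: claims the address, refreshes caches
    return "request" if pkt.op == REQUEST else "reply"


def probe_burst(own_mac, ip, start_ms=0, count=4, delay_ms=200):
    """Probes as the section describes them: 4 probes, 200 ms detection delay.
    Assumption: the detection delay is the spacing between consecutive probes."""
    return [Arp(start_ms + i * delay_ms, REQUEST, own_mac, ZERO_IP, ip)
            for i in range(count)]


def cache_after(packets):
    """IP-to-MAC entries a neighbour could learn from the sender fields."""
    cache = {}
    for pkt in packets:
        if pkt.sender_ip != ZERO_IP:
            cache[pkt.sender_ip] = pkt.sender_mac
    return cache


def find_conflicts(own_mac, ip, packets):
    """Packets from other stations that use `ip` or probe for it at the same time."""
    conflicts = []
    for pkt in packets:
        if pkt.sender_mac == own_mac:
            continue
        uses_ip = pkt.sender_ip == ip
        rival_probe = classify(pkt) == "probe" and pkt.target_ip == ip
        if uses_ip or rival_probe:
            conflicts.append(pkt)
    return conflicts


def effective_release_delay(configured_s, conflicts_seen):
    """Release delay per the rule in the text: from 10 conflicts on, at least 60 s."""
    if conflicts_seen >= 10 and configured_s < 60:
        return 60
    return configured_s


# Constructed sample: the MAC addresses are made up, the IP addresses come from
# the DHCP configuration example in section 2.6.
DEVICE_MAC = "02:00:00:00:00:01"
OTHER_MAC = "02:00:00:00:00:02"
DEVICE_IP = "10.1.112.82"

PROBES = probe_burst(DEVICE_MAC, DEVICE_IP)
CAPTURE = PROBES + [
    Arp(230, REPLY, OTHER_MAC, DEVICE_IP, ZERO_IP),              # address already in use
    Arp(900, REQUEST, OTHER_MAC, "10.1.112.83", "10.1.112.96"),  # unrelated traffic
]

if __name__ == "__main__":
    for pkt in CAPTURE:
        print(pkt.t_ms, classify(pkt), pkt.sender_mac, pkt.sender_ip, "->", pkt.target_ip)
    print("learned from probes:", cache_after(PROBES))
    print("conflicts:", find_conflicts(DEVICE_MAC, DEVICE_IP, CAPTURE))
```

Because a probe carries the sender IP 0.0.0.0, `cache_after(PROBES)` stays empty, which is the first advantage listed above; an announcement for the same address does create a cache entry.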


3 Access to the device


3.1 Authentication lists

An authentication list contains the policies that the device applies for authentication when a user
accesses the device using a specific connection.
The prerequisite for a user's access to the device management is that at least one policy is assigned to
the authentication list of the application through which access is performed.

3.1.1 Applications
The device provides an application for each type of connection through which someone accesses the
device:
• Access using CLI via a serial connection: Console(V.24)
• Access using CLI via SSH: SSH
• Access using CLI via Telnet: Telnet
• Access using the graphical user interface: WebInterface
The device also provides an application to control the access to the network from connected end
devices using port-based access control: 8021x

3.1.2 Policies
The device allows users to access its management exclusively when they log in with valid login data.
The device authenticates the users using the following policies:
• User management of the device
• LDAP
• RADIUS
With the port-based access control according to IEEE 802.1X, the device allows connected end devices
to access the network if they log in with valid login data. The device authenticates the end devices using
the following policies:
• RADIUS
• IAS (Integrated Authentication Server)
The device gives you the option of a fall-back solution. For this, you specify more than one policy in the
authentication list. If authentication is unsuccessful using the current policy, the device applies the next
specified policy.


3.1.3 Managing authentication lists


You manage the authentication lists in the graphical user interface or in the Command Line Interface.
Perform the following steps:
• Open the Device Security > Authentication List dialog.
  The dialog displays the authentication lists that are set up.

show authlists                                Displays the authentication lists that are set up.

• Deactivate the authentication list for those applications by means of which no access to the device
  is performed, for example 8021x.
  – In the Active column of the authentication list defaultDot1x8021AuthList, unmark the
    checkbox.
  – To save the changes temporarily, click the button.

authlists disable defaultDot1x8021AuthList    Deactivates the authentication list defaultDot1x8021AuthList.

3.1.4 Adjust the settings


Example:
Set up a separate authentication list for the application WebInterface which is by default included in
the authentication list defaultLoginAuthList. The device forwards authentication requests to a
RADIUS server in the network. As a fall-back solution, the device authenticates users using the local
user management.

Perform the following steps:

• Create an authentication list loginGUI.
  – Open the Device Security > Authentication List dialog.
  – Click the button.
    The dialog displays the Create window.
  – Enter a meaningful name in the Name field.
    In this example, enter the name loginGUI.
  – Click the Ok button.
    The device adds a new table entry.

enable                                        Change to the Privileged EXEC mode.
configure                                     Change to the Configuration mode.
authlists add loginGUI                        Creates the authentication list loginGUI.

• Select the policies for the authentication list loginGUI.
  – In the Policy 1 column, select the value radius.
  – In the Policy 2 column, select the value local.
  – In the Policy 3 to Policy 5 columns, select the value reject to prevent further fall-back.
  – In the Active column, mark the checkbox.
  – To save the changes temporarily, click the button.

authlists set-policy loginGUI radius local reject reject reject
                                              Assigns the policies radius, local and reject to the authentication list loginGUI.
show authlists                                Displays the authentication lists that are set up.
authlists enable loginGUI                     Activates the authentication list loginGUI.

• Assign an application to the authentication list loginGUI.
  – In the Device Security > Authentication List dialog, highlight the authentication list
    loginGUI.
  – Click the button and then the Allocate applications item.
    The dialog displays the Allocate applications window.
  – In the left column, highlight the application WebInterface.
  – Click the button.
    The right column now displays the application WebInterface.
  – Click the Ok button.
    The dialog displays the updated settings:
    – The Dedicated applications column of authentication list loginGUI displays the application
      WebInterface.
    – The Dedicated applications column of authentication list defaultLoginAuthList does not display
      the application WebInterface anymore.
  – To save the changes temporarily, click the button.

show appllists                                Displays the applications and the allocated lists.
appllists set-authlist WebInterface loginGUI  Assigns the WebInterface application to the authentication list loginGUI.


3.2 User management

The device allows users to access its management functions when they log in with valid login data. The
device authenticates the users either using the local user management or with a RADIUS server in the
network. To get the device to use the user management, assign the local policy to an authentication
list, see the Device Security > Authentication List dialog.
In the local user management, you manage the user accounts. One user account is usually allocated to
each user.

3.2.1 Access roles


The device allows you to use a role-based authorization model to specifically control the access to the
management functions. Users to whom a specific authorization profile is allocated are allowed to use
commands and functions from the same authorization profile or a lower one.
The device uses the authorization profiles on all applications with which the management functions can
be accessed.
Every user account is linked to an access role that regulates the access to the individual functions of the
device. Depending on the planned activity for the respective user, you assign a pre-defined access role
to the user. The device differentiates between the following access roles.
Role: Administrator
Description: The user is authorized to monitor and administer the device.
Authorized for the following activities: All activities with read/write access, including the following
activities reserved for an administrator:
• Add, modify or delete user accounts
• Activate, deactivate or unlock user accounts
• Change all passwords
• Configure password management
• Set or change system time
• Load files to the device, for example device configurations, certificates or software images
• Reset settings and security-related settings to the state on delivery
• Configure RADIUS server and authentication lists
• Apply CLI scripts
• Enable/disable CLI logging and SNMP logging
• External memory activation and deactivation
• System monitor activation and deactivation
• Enable/disable the services for the management access (for example SNMP).
• Configure access restrictions to the user interfaces or the CLI based on the IP addresses

Role: Operator
Description: The user is authorized to monitor and configure the device - with the exception of
security-related settings.
Authorized for the following activities: All activities with read/write access, with the exception of the
above-named activities, which are reserved for an administrator.

Role: Auditor
Description: The user is authorized to monitor the device and to save the log file in the
Diagnostics > Report > Audit Trail dialog.
Authorized for the following activities: Monitoring activities with read access.

Role: Guest
Description: The user is authorized to monitor the device - with the exception of security-related
settings.
Authorized for the following activities: Monitoring activities with read access.

Role: Unauthorized
Description: No access to the device possible.
• As an administrator you assign this access role to temporarily lock a user account.
• The device assigns this access role to a user account if an error occurs when assigning a different
  access role.
Authorized for the following activities: No activities allowed.

Table 4: Access roles for user accounts

3.2.2 Managing user accounts


You manage the user accounts in the graphical user interface (GUI) or in the CLI.
Perform the following steps:
• Open the Device Security > User Management dialog.
  The dialog displays the user accounts that are set up.

show users                                    Displays the user accounts that are set up.

3.2.3 Default setting


In the state on delivery, the user accounts admin and user are set up on the device.
Parameter             Default setting
User name             admin          user
Password              private        public
Role                  administrator  guest
User locked           unmarked       unmarked
Policy check          unmarked       unmarked
SNMP auth type        hmacmd5        hmacmd5
SNMP encryption type  des            des
Table 5: Default settings for the factory setting user accounts

Change the password for the admin user account before making the device available in the network.


3.2.4 Changing default passwords


To prevent undesired access, change the password of the default user accounts.

Perform the following steps:

• Change the passwords for the admin and user user accounts.
  – Open the Device Security > User Management dialog.
    The dialog displays the user accounts that are set up.
  – To obtain a higher level of complexity for the password, mark the checkbox in the Policy
    check column.
    Before saving it, the device checks the password according to the policy specified in the
    Password policy frame.
    Note: The password check may lead to a message in the Security status frame in the Basic
    Settings > System dialog. You specify the settings that cause this message in the Basic
    Settings > System dialog.
  – Click the row of the relevant user account in the Password field. Enter a password of at least
    6 characters.
    Up to 64 alphanumeric characters are allowed.
      – The device differentiates between upper and lower case.
      – The minimum length of the password is specified in the Configuration frame. The device
        always checks the minimum length of the password.
  – To save the changes temporarily, click the button.

enable                                        Change to the Privileged EXEC mode.
configure                                     Change to the Configuration mode.
users password-policy-check <user> enable     Activates the checking of the password for the <user> user account based on the specified policy. In this way, you obtain a higher level of complexity for the password.
Note: The password check may lead to a message when you display the security status (show security-status
all). You specify the settings that cause this message with the command security-status monitor pwd-
policy-inactive.
users password <user> SECRET                  Specifies the password SECRET for the <user> user account. Enter at least 6 characters.
save                                          Save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.

3.2.5 Setting up a new user account


Allocate a separate user account to each user that accesses the device management. In this way you
can specifically control the authorizations for the access.
In the following example, we will set up the user account for a USER user with the role operator. Users
with the operator role are authorized to monitor and configure the device - with the exception of
security-related settings.
Perform the following steps:
• Create a new user account.
  – Open the Device Security > User Management dialog.
  – Click the button.
    The dialog displays the Create window.
  – Enter the name in the User name field.
    In this example, we give the user account the name USER.
  – Click the Ok button.
  – To obtain a higher level of complexity for the password, mark the checkbox in the Policy
    check column.
    Before saving it, the device checks the password according to the policy specified in the
    Password policy frame.
  – In the Password field, enter a password of at least 6 characters.
    Up to 64 alphanumeric characters are allowed.
      – The device differentiates between upper and lower case.
      – The minimum length of the password is specified in the Configuration frame. The device
        always checks the minimum length of the password.
  – In the Role column, select the user role.
    In this example, we select the value operator.
  – To activate the user account, mark the checkbox in the Active column.
  – To save the changes temporarily, click the button.
    The dialog displays the user accounts that are set up.

enable                                        Change to the Privileged EXEC mode.
configure                                     Change to the Configuration mode.
users add USER                                Creates the USER user account.
users password-policy-check USER enable       Activates the checking of the password for the USER user account based on the specified policy. In this way, you obtain a higher level of complexity for the password.
users password USER SECRET                    Specifies the password SECRET for the USER user account. Enter at least 6 characters.
users access-role USER operator               Assigns the user role operator to the user account USER.
users enable USER                             Activates the USER user account.
show users                                    Displays the user accounts that are set up.
save                                          Save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.

Note: Remember to allocate the password when you are setting up a new user account in the CLI.


3.2.6 Deactivating the user account


After a user account is deactivated, the device denies the related user access to the management
functions. In contrast to completely deleting it, deactivating a user account allows you to keep the
settings and reuse them in the future.

Perform the following steps:

• To keep the user account settings and reuse them in the future, you temporarily deactivate the user
  account.
  – Open the Device Security > User Management dialog.
    The dialog displays the user accounts that are set up.
  – In the row for the relevant user account, unmark the checkbox in the Active column.
  – To save the changes temporarily, click the button.

enable                                        Change to the Privileged EXEC mode.
configure                                     Change to the Configuration mode.
users disable <user>                          Disables the <user> user account.
show users                                    Displays the user accounts that are set up.
save                                          Save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.

• To permanently deactivate the user account settings, you delete the user account.
  – Highlight the row for the relevant user account.
  – Click the button.

users delete <user>                           Deletes the <user> user account.
show users                                    Displays the user accounts that are set up.
save                                          Save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.

3.2.7 Adjusting policies for passwords


The device allows you to check whether the passwords for the user accounts adhere to the specified
policy. You obtain a higher level of complexity for the passwords when they adhere to the policy.
The user management of the device allows you to activate or deactivate the check separately in each
user account. When the check is activated, the device accepts a changed password only if it fulfills the
requirements of the policy.
In the default settings, practical values for the policy are set up on the device. You have the option of
adjusting the policy to meet your requirements.

Perform the following steps:

• Adjust the policy for passwords to meet your requirements.
  – Open the Device Security > User Management dialog.
    In the Configuration frame you specify the number of user login attempts before the device
    locks out the user. You also specify the minimum number of characters that defines a password.
  – Specify the values to meet your requirements.
      – You specify the number of times that a user attempts to log on to the device in the Login
        attempts field. The field allows you to define this value in the range 0..5.
        In the above example, the value 0 deactivates the function.
      – The Min. password length field allows values in the range 1..64.
    The dialog displays the policy set up in the Password policy frame.
  – Adjust the values to meet your requirements.
      – Values in the range 1 through 16 are allowed.
        The value 0 deactivates the relevant policy.
    To apply the entries specified in the Configuration and Password policy frames, mark the
    checkbox in the Policy check column for a particular user.
  – To save the changes temporarily, click the button.

enable                                        Change to the Privileged EXEC mode.
configure                                     Change to the Configuration mode.
passwords min-length 6                        Specifies the policy for the minimum length of the password.
passwords min-lowercase-chars 1               Specifies the policy for the minimum number of lower-case letters in the password.
passwords min-numeric-chars 1                 Specifies the policy for the minimum number of digits in the password.
passwords min-special-chars 1                 Specifies the policy for the minimum number of special characters in the password.
passwords min-uppercase-chars 1               Specifies the policy for the minimum number of upper-case letters in the password.
show passwords                                Displays the policies that are set up.
save                                          Save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.
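
A pre-check for candidate passwords against the policy values set in the CLI steps above, written as an added Python example that is not part of the manual or of the device software. The function names and the sample accounts are constructed, and counting every character that is not an ASCII letter or digit as special is an assumption.

```python
import string

# Policy values from the CLI steps above. For the character-class rules the
# value 0 deactivates the rule; values 1 through 16 are allowed.
POLICY = {
    "min-length": 6,
    "min-uppercase-chars": 1,
    "min-lowercase-chars": 1,
    "min-numeric-chars": 1,
    "min-special-chars": 1,
}
CLASS_RULES = ["min-uppercase-chars", "min-lowercase-chars",
               "min-numeric-chars", "min-special-chars"]
MAX_LENGTH = 64                                            # upper limit named in the text
FACTORY_DEFAULTS = {"admin": "private", "user": "public"}  # Table 5


def validate_policy(policy):
    """Reject policy values outside the ranges the dialog accepts."""
    errors = []
    if not 1 <= policy["min-length"] <= 64:
        errors.append("min-length must be in the range 1..64")
    for rule in CLASS_RULES:
        if not 0 <= policy[rule] <= 16:
            errors.append(rule + " must be 0 (off) or in the range 1..16")
    return errors


def count_classes(password):
    """Assumption: a character that is not an ASCII letter or digit is 'special'."""
    counts = dict.fromkeys(CLASS_RULES, 0)
    for ch in password:
        if ch in string.ascii_uppercase:
            counts["min-uppercase-chars"] += 1
        elif ch in string.ascii_lowercase:
            counts["min-lowercase-chars"] += 1
        elif ch in string.digits:
            counts["min-numeric-chars"] += 1
        else:
            counts["min-special-chars"] += 1
    return counts


def check_password(user, password, policy=POLICY, policy_check=True):
    """Return the findings for one password; an empty list means accepted."""
    findings = []
    if FACTORY_DEFAULTS.get(user) == password:
        findings.append("factory default password")
    if len(password) > MAX_LENGTH:
        findings.append("longer than 64 characters")
    if len(password) < policy["min-length"]:      # checked even without Policy check
        findings.append("min-length")
    if policy_check:                              # class rules need the Policy check box
        counts = count_classes(password)
        findings += [rule for rule in CLASS_RULES
                     if policy[rule] and counts[rule] < policy[rule]]
    return findings


def audit_accounts(accounts, policy=POLICY):
    """accounts: iterable of (user, candidate password, policy_check) tuples."""
    report = {}
    for user, password, policy_check in accounts:
        findings = check_password(user, password, policy, policy_check)
        if not policy_check:
            findings.append("Policy check unmarked")
        report[user] = findings
    return report


# Constructed input: the two factory accounts from Table 5 plus one new account.
SAMPLE_ACCOUNTS = [
    ("admin", "private", False),
    ("user", "public", False),
    ("USER", "Gr3yhound!Rack7", True),
]

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(user, "->", findings or "ok")
```

With the Policy check box unmarked, only the minimum length applies, so the factory passwords pass the device-side check; the audit reports them because they match Table 5.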


3.3 LDAP

Server administrators manage Active Directories which contain user login credentials for applications
used in the office environment. The Active Directory is hierarchical in nature, containing user names,
passwords, and the authorized read/write permission levels for each user.
This device uses the Lightweight Directory Access Protocol (LDAP) to retrieve user login information
and permission levels from an Active Directory. This provides a “single sign-on” for network devices.
Retrieving the credentials from an Active Directory allows the user to log in to the device with the same
credentials used in the office environment.
An LDAP session starts with the device contacting the Directory System Agent (DSA) to search the
Active Directory of an LDAP server. If the server finds multiple entries in the Active Directory for a user,
then the server sends the higher permission level found. The DSA listens for information requests and
sends responses on TCP port 389 for LDAP, or on TCP port 636 for LDAP over SSL (LDAPS). Clients
and servers encode LDAPS requests and responses using the Basic Encoding Rules (BER). The device
opens a new connection for every request and closes the connection after receiving a response from
the server.
The device allows you to upload a CA certificate to validate the server for Secure Sockets Layer (SSL)
and Transport Layer Security (TLS) sessions. The certificate is optional for TLS sessions.
The device is able to cache credentials for up to 1024 users in memory. If the Active Directory servers
are unreachable, then the users are still able to log in using their office credentials.

3.3.1 Coordination with the server administrator


Configuring the LDAP function requires that the network administrator request the following information
from the server administrator:
• The server name or IP address
• The location of the Active Directory on the server
• The type of connection used
• The TCP listening port
• If required, the location of the CA certificate
• The name of the attribute containing the user login name
• The names of the attributes containing the user permission levels
The server administrator can assign permission levels individually using an attribute such as
description, or to a group using the memberOf attribute. In the Device Security > LDAP > LDAP
Role Mapping dialog you specify which attributes receive the various permission levels.
You also have the option to retrieve the names of the attributes containing the user login name and
permission levels using an LDAP browser such as JXplorer or Softerra.
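
How role-mapping entries could be evaluated against a directory entry, as an added Python example that is not the device's implementation. The directory entry, the group DN and the `group` mapping type are constructed assumptions; the `attributeName=attributeValue` form is the one the LDAP Role Mapping dialog expects, and the role ranking follows the order of Table 4.

```python
# Assumption: rank order follows Table 4 (administrator highest, unauthorized lowest).
ROLE_RANK = {"unauthorized": 0, "guest": 1, "auditor": 2,
             "operator": 3, "administrator": 4}


def attribute_values(entry, name):
    """Values of one attribute; LDAP attribute names are compared case-insensitively."""
    wanted = name.lower()
    return [value for key, values in entry.items() if key.lower() == wanted
            for value in values]


def mapping_matches(mapping, entry):
    """True if one active role-mapping row applies to the directory entry."""
    if not mapping["active"]:
        return False
    if mapping["type"] == "attribute":
        name, sep, value = mapping["parameter"].partition("=")
        if not (sep and name.strip() and value.strip()):
            raise ValueError("expected attributeName=attributeValue, got %r"
                             % mapping["parameter"])
        # Assumption: the attribute value has to match exactly, including case.
        return value.strip() in attribute_values(entry, name.strip())
    if mapping["type"] == "group":
        # Assumption: the parameter is a group DN, compared with the memberOf values.
        groups = [g.lower() for g in attribute_values(entry, "memberOf")]
        return mapping["parameter"].lower() in groups
    raise ValueError("unknown mapping type: %r" % mapping["type"])


def resolve_role(entry, mappings):
    """Highest-ranked role among the matching rows, or None if no row matches."""
    roles = [m["role"] for m in mappings if mapping_matches(m, entry)]
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None


# Constructed directory entry and mapping rows.
NETADMINS = "cn=NetAdmins,ou=Groups,dc=server,dc=local"
SAMPLE_ENTRY = {
    "userPrincipalName": ["jdoe@server.local"],
    "description": ["OPERATOR"],
    "memberOf": [NETADMINS],
}
SAMPLE_MAPPINGS = [
    {"type": "attribute", "parameter": "description=OPERATOR",
     "role": "operator", "active": True},
    {"type": "attribute", "parameter": "description=ADMINISTRATOR",
     "role": "administrator", "active": True},
    {"type": "group", "parameter": NETADMINS,
     "role": "administrator", "active": False},
]

if __name__ == "__main__":
    print("role with group row inactive:", resolve_role(SAMPLE_ENTRY, SAMPLE_MAPPINGS))
    enabled = [dict(m, active=True) for m in SAMPLE_MAPPINGS]
    print("role with group row active:  ", resolve_role(SAMPLE_ENTRY, enabled))
```

Activating the group row raises the same user from operator to administrator, so review group memberships together with per-user attributes before enabling a mapping.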


3.3.2 Example configuration


The device is able to establish an encrypted link to a local server using only the server name or to a
server on a different network using an IP address. The server administrator uses attributes to identify
credentials of a user and assign individual and group permission levels.
Using information received from the server administrator, specify which attributes in the Active Directory
contain the user credentials and permission level. The device then compares the user credentials with
the permission levels specified on the device and allows the user to login at the assigned permission
level.
Figure 17: LDAP Example Configuration (primary server: local.server, backup server: 10.16.1.2)


For this example, the server administrator sent the following information:
Information Primary Server Backup Server
The server name or IP address local.server 10.16.1.2
The location of the Active Directory on Country/City/User Country/Company/User
the server
The type of connection used TLS (with certificate) SSL
The server administrator sent the CA CA certificate for primary server saved CA certificate for backup server saved
certificate in an email. locally locally
The TCP listening port 389 (tls) 636 (ssl)
Name of the attribute containing the userPrincipalName userPrincipalName
user name
The names of the attribute containing OPERATOR OPERATOR
the user permission levels ADMINISTRATOR ADMINISTRATOR

 Open the Device Security > Authentication List dialog.


 To configure the device to retrieve the user credentials, when logging in using the graphical
user interface, from the Active Directory first, specify for the defaultLoginAuthList list the
value ldap in thePolicy 1 column.
 Open the Device Security > LDAP > Configuration dialog.
 The device allows you to specify the length of time that it saves the login credentials in the
cache. To cache user credentials for a day, in the Configuration frame, Client cache
timeout [min] field, enter the value 1440.
 The Bind user entry is optional. When specified, users enter only their user name to log on
to the device. The service user can be anyone with credentials listed in the Active Directory
under the attribute specified in the User name attribute column. In the Bind user column,
enter the user name and the domain.
 The Base DN is a combination of the domain component (dc) and the organizational unit (ou).
The Base DN allows the device to locate a server in a domain (dc) and find the Active Directory
(ou). Specify the location of the Active Directory. In the Base DN column, specify the value
ou=Users,ou=City,ou=Country,dc=server,dc=local.
 In the User name attribute column, enter the value userPrincipalName to specify the
attribute under which the server administrator lists the users.
The device uses a CA certificate to verify the server.
 If the certificate is located on your PC or on a network drive, drag and drop the certificate in
the area. Alternatively click in the area to select the certificate.


 Upload the CA certificate to the device, click the Start button.


 To add a table entry, click the button.
 To specify a description, enter the value Primary AD Server in the Description column.
 To specify the server name and domain of the primary server, in the Address column, enter
the value local.server.
 The primary server uses the TCP port 389 for communication which is the Destination TCP
port default value.
 The primary server uses TLS for encrypting communication and a CA certificate for server
validation. In the Connection security column, specify the value startTLS.
 To activate the entry, mark the checkbox in the Active column.
 Using the information received from the server administrator for the Backup server, add,
configure and activate another row.

 Open the Device Security > LDAP > LDAP Role Mapping dialog.
 To add a table entry, click the button.
When a user logs on to the device with LDAP configured and enabled, the device searches the
Active Directory for the credentials of the user. If the device finds the user name and the
password is correct, then the device searches for the value specified in the Type column. If the
device finds the attribute and the text in the Parameter column matches the text in the Active
Directory, then the device allows the user to log in with the assigned permission level. If the value
attribute is specified in the Type column, specify the value in the Parameter column in the
following form: attributeName=attributeValue.
 In the Role column, enter the value operator to specify the user role.
 To activate the entry, mark the checkbox in the Active column.
 Click the button.
The dialog displays the Create window.
Enter the values received from the server administrator for the administrator role.
To activate the entry, mark the checkbox in the Active column.
 Open the Device Security > LDAP > Configuration dialog.
 To enable the function, select the On radio button in the Operation frame.
The following table describes how to configure the LDAP function on the device using the CLI
commands. The table displays the commands for Index 1. To configure Index 2, use the same
commands and substitute the appropriate information.
enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
ldap cache-timeout 1440
    Specify the device to flush the non-volatile memory after a day.
ldap client server add 1 local.server port 389
    Add a connection to the remote authentication client server with the host name eu.local
    and the UDP port 389.
ldap client server modify 1 security startTLS
    Specify the type of security used for the connection.
ldap client server modify 1 description Primary_AD_Server
    Specify the configuration name of the entry.
ldap basedn ou=Users,ou=City,ou=Country,dc=server,dc=local
    Specify the Base Domain Name used to find the Active Directory on the server.
ldap search-attr userPrincipalName
    Specify the attribute to search for in the Active Directory which contains the credential
    of the users.
ldap bind-user user@company.com
    Specify the name and domain of the service user.
ldap bind-passwd Ur-123456
    Specify the password of the service user.
ldap client server enable 1
    Enable the remote authentication client server connection.
ldap mapping add 1 access-role operator mapping-type attribute mapping-parameter OPERATOR
    Add a remote authentication role mapping entry for the Operator role. Map the operator role
    to the attribute containing the word OPERATOR.
ldap mapping enable 1
    Enable the remote authentication role mapping entry.
ldap operation
    Enable the remote authentication function.


3.4 SNMP access

The SNMP protocol allows you to work with a network management system to monitor the device over
the network and change its settings.

3.4.1 SNMPv1/v2 access


Using SNMPv1 or SNMPv2 the network management system and the device communicate
unencrypted. Every SNMP packet contains the community name in plain text and the IP address of the
sender.
The community names public for read accesses and private for write accesses are preset in the
device. If SNMPv1/v2 is enabled, the device allows anyone who knows the community name to access
the device.
Make the following basic provisions to make undesired access to the device more difficult:
 Change the default community names in the device.
Treat the community names with discretion.
Anyone who knows the community name for write access has the ability to change the settings of
the device.
 Specify a different community name for read/write access than for read access.
 Use SNMPv1 or SNMPv2 only in environments protected from eavesdropping. The protocols do not
use encryption.
 We recommend using SNMPv3 and disabling the access using SNMPv1 and SNMPv2 in the device.

3.4.2 SNMPv3 access


Using SNMPv3, the network management system and the device communicate encrypted. The network
management system authenticates itself with the device using the credentials of a user. The
prerequisite for the SNMPv3 access is that the network management system uses the same settings
that are defined in the device.
The device allows you to specify the SNMP auth type and SNMP encryption type parameters
individually in each user account.
When you set up a new user account on the device, the parameters are preset so that the network
management system Industrial HiVision reaches the device immediately.
The user accounts set up in the device use the same passwords in the graphical user interface, in the
command line interface (CLI), and for SNMPv3.
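Sections 3.4.1 and 3.4.2 differ in what an observer on the network path can read from a single datagram. The following added example (not part of the manual) parses SNMP datagrams with a minimal BER reader and reports the community name for SNMPv1/v2c, or the user name and the authentication/encryption flags for SNMPv3. The user name admin, the engine ID and all packet bytes are constructed; the field layout follows the SNMP message format of RFC 1157, RFC 3412 and RFC 3414, not anything specific to the device.

```python
# Added example: constructed SNMP datagrams, parsed with a minimal BER reader.
DEFAULT_COMMUNITIES = {"public", "private"}  # preset names mentioned in the manual
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30


def tlv(tag, payload=b""):
    """BER-encode one element with a definite length (used to build the samples)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + payload


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element at pos; reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        size = length & 0x7F
        if size == 0 or pos + size > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + length > len(buf):
        raise ValueError("element longer than datagram")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, tag):
    """Read one element and insist on its tag."""
    found, value, nxt = read_tlv(buf, pos)
    if found != tag:
        raise ValueError(f"expected tag {tag:#x}, found {found:#x}")
    return value, nxt


def inspect_snmp(datagram):
    """Report what an on-path observer learns from one SNMP datagram."""
    message, _ = expect(datagram, 0, SEQUENCE)
    raw_version, pos = expect(message, 0, INTEGER)
    version = int.from_bytes(raw_version, "big")
    if version in (0, 1):  # version field: SNMPv1 = 0, SNMPv2c = 1
        community, _ = expect(message, pos, OCTET_STRING)
        name = community.decode("latin-1")
        return {"version": "v1" if version == 0 else "v2c", "community": name,
                "default_community": name in DEFAULT_COMMUNITIES,
                "authenticated": False, "encrypted": False}
    if version == 3:
        header, pos = expect(message, pos, SEQUENCE)      # msgGlobalData
        _, hpos = expect(header, 0, INTEGER)              # msgID
        _, hpos = expect(header, hpos, INTEGER)           # msgMaxSize
        flags, _ = expect(header, hpos, OCTET_STRING)     # msgFlags
        if len(flags) != 1:
            raise ValueError("msgFlags must be exactly one byte")
        security, _ = expect(message, pos, OCTET_STRING)  # USM security parameters
        usm, _ = expect(security, 0, SEQUENCE)
        _, upos = expect(usm, 0, OCTET_STRING)            # authoritative engine ID
        _, upos = expect(usm, upos, INTEGER)              # engine boots
        _, upos = expect(usm, upos, INTEGER)              # engine time
        user, _ = expect(usm, upos, OCTET_STRING)         # user name, never encrypted
        return {"version": "v3", "user": user.decode("latin-1"),
                "authenticated": bool(flags[0] & 0x01),   # auth flag
                "encrypted": bool(flags[0] & 0x02)}       # priv flag
    raise ValueError(f"unsupported SNMP version field {version}")


# Constructed samples (not captured traffic). SNMPv2c GetRequest for sysDescr.0:
_VARBINDS = tlv(SEQUENCE, tlv(SEQUENCE,
                tlv(OID, bytes.fromhex("2b06010201010100")) + tlv(NULL)))
_PDU = tlv(0xA0, tlv(INTEGER, b"\x01") + tlv(INTEGER, b"\x00")
           + tlv(INTEGER, b"\x00") + _VARBINDS)
V2C_SAMPLE = tlv(SEQUENCE, tlv(INTEGER, b"\x01") + tlv(OCTET_STRING, b"public") + _PDU)


def v3_sample(flags):
    """Build a constructed SNMPv3 message; flags 0x01 = auth only, 0x03 = auth + priv."""
    usm = tlv(SEQUENCE,
              tlv(OCTET_STRING, bytes.fromhex("80001f8880aabbccdd"))  # constructed engine ID
              + tlv(INTEGER, b"\x01") + tlv(INTEGER, b"\x2a")
              + tlv(OCTET_STRING, b"admin")       # constructed user name
              + tlv(OCTET_STRING, bytes(12))      # authentication parameters (placeholder)
              + tlv(OCTET_STRING, bytes(8)))      # privacy parameters (placeholder)
    header = tlv(SEQUENCE, tlv(INTEGER, b"\x01") + tlv(INTEGER, b"\x05\xdc")
                 + tlv(OCTET_STRING, bytes([flags])) + tlv(INTEGER, b"\x03"))
    return tlv(SEQUENCE, tlv(INTEGER, b"\x03") + header
               + tlv(OCTET_STRING, usm) + tlv(OCTET_STRING, bytes(32)))  # payload placeholder


if __name__ == "__main__":
    for sample in (V2C_SAMPLE, v3_sample(0x03), v3_sample(0x01)):
        print(inspect_snmp(sample))
```

With SNMPv3 the user name remains readable on the wire, but no password or community name does. A message whose encryption flag is clear corresponds to the encryption setting none and exposes its payload.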


To adapt the SNMPv3 parameters of the user account settings to the settings in your network
management system, perform the following steps:
 Open the Device Security > User Management dialog.
The dialog displays the user accounts that are set up.
 Click the row of the relevant user account in the SNMP auth type field. Select the desired
setting.
 Click the row of the relevant user account in the SNMP encryption type field. Select the
desired setting.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
users snmpv3 authentication <user> md5 | sha1
    Assigns the HMAC-MD5 or HMAC-SHA protocol for authentication requests to the <user> user
    account.
users snmpv3 encryption <user> des | aescfb128 | none
    Assigns the DES or AES-128 algorithm to the <user> user account.
    With this algorithm, the device encrypts authentication requests.
    The value none removes the encryption.
show users
    Display the user accounts that have been configured.
save
    Save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.


3.5 Service Shell

When you need assistance with your device, the service personnel use the Service Shell to monitor
internal conditions, for example switch or CPU registers.
The Service Shell is for service purposes exclusively. This function allows access to internal
functions of the device. Do not execute internal functions without instructions from a service
technician. Executing internal functions, such as deleting the content of the NVM (non-volatile
memory), can leave your device inoperable.

 Start the Service Shell

Perform the following steps:


 To switch from the User Exec mode to the Privileged Exec mode, enter enable, or enter en and
a Space character, and press the <Enter> key.
 To get a list of the commands available in this mode, press the <?> key.

!(GRS) >enable

!(GRS) #?
  clear                 Clear several items.
  configure             Enter into global config mode.
  copy                  Copy different kinds of items.
  debug                 Service functions to find configuration errors.
  exit                  Exit from current mode.
  help                  Display help for various special keys.
  history               Show a list of previously run commands.
  login                 Set login parameters.
  logout                Exit this session.
  network               Modify network parameters.
  ping                  Send ICMP echo packets to a specified
                        IP address.
  profile               Activate or delete configuration profiles.
  reboot                Reset the device (cold start).
  save                  Save configuration.
  serviceshell          Enter system mode.
  set                   Set device parameters.
  show                  Display device options and settings.
  traceroute            Trace route to a specified host.

!(GRS) #serviceshell

-> exit
Au revoir!

!*(GRS) #

 To start the Service Shell, enter serviceshell in the privileged exec mode, or enter ser and a
Space character, and press the <Enter> key.
To prevent configuration inconsistencies, log out from the Service Shell before any other user
starts uploading a new configuration to the device.

 To end the Service Shell, enter exit and then press the <Enter> key.

Note: When the Service Shell is active, the timeout of the Command Line Interface is inactive.


 Deactivate the Service Shell permanently


If you do not need the Service Shell, the device allows you to disable the function. In this case you
still have the option to configure the device. However, the service technician then has no way to
access internal functions of your device to call up additional required information.

Note: When you deactivate the Service Shell, you are still able to configure the device, but you
limit the service personnel to system diagnostics. The deactivation is irreversible; the Service Shell
remains permanently deactivated. In order to reactivate the Service Shell, the device requires
disassembly by the manufacturer.

Perform the following steps:


 To display the Service Shell, enter serviceshell, or enter ser and a Space character, and press
the <Enter> key.
 This process is irreversible!
To permanently deactivate the Service Shell, enter deactivate, or enter d and a Space
character, and press the <Enter> key.

!(GRS) >enable

!(GRS) #serviceshell?
  [deactivate]          Disable the service shell access permanently
                        (Cannot be undone).
  <cr>                  Press Enter to execute the command.

!(GRS) #serviceshell deactivate


3.6 Out of Band

You use the Out of Band function (OoB) to specify the IP address, subnet mask and IP address
assignment method required for access to the device management through the Out of Band interface.
The device management is possible even when there is a high in-band load on the internal CPU port.
The device also lets you perform Restricted Management Access by using the Out of Band port.
The Out of Band management port allows you to manage the device and upload configurations. The Out
of Band port supports:
 Industry protocols
for example
– IEC61850-MMS
– Modbus TCP
– EtherNet/IP
 Management protocols
for example
– SNMP
– Telnet
– SSH
– HTTP
– HTTPS
– FTP
– SCP
– TFTP
– SFTP
 Configuration of the IP address
– DHCP client
– Manually assigning an IP address (default setting: 192.168.1.1/24)

 Example
The following example describes how to specify the IP addresses using the Out of Band function
on the selected ports. You can specify the IP parameters to the device by either of these methods:
 Select a source and specify the MAC address.
The device adds the IP parameters of the source.
 Add the IP parameters manually as the source of the device. Select the Local radio button in the
Management interface frame.
 Open the Basic Settings > Out of Band dialog.
 To manually assign the IP parameters to the device, select the Local radio button in the
Management interface frame.
 To enable the function, select the On radio button in the Operation frame.


4 Managing configuration profiles

If you change the settings of the device during operation, the device stores the changes in its memory
(RAM). After a reboot the settings are lost.
In order to keep the changes after a reboot, the device offers the possibility of saving additional settings
in a configuration profile in the non-volatile memory (NVM). In order to make it possible to quickly switch
to other settings, the non-volatile memory offers storage space for multiple configuration profiles.
If an external memory is connected, the device generates a copy of the configuration profile on the
external memory automatically. This function can be deactivated.


4.1 Detecting changed settings

Changes made to settings during operation are stored by the device in its memory (RAM). The
configuration profile in non-volatile memory (NVM) remains unchanged until you explicitly save it. Until
then, the configuration profiles in memory and non-volatile memory differ.
This device helps you recognize changed settings. If the configuration profile in the memory (RAM) differs
from the "selected" configuration profile in the non-volatile memory (NVM), you can recognize the
difference based on the following criteria:

The status bar at the top of the menu displays the icon . If the configuration profiles match,
the icon is hidden.
In the Basic Settings > Load/Save dialog, the checkbox in the Information frame is
unmarked. If the configuration profiles match, the checkbox is marked.
show config status
Configuration Storage sync State
--------------------------------
running-config to NV........................out of sync
...

If the copy in the external memory differs from the configuration profile in the non-volatile memory, you
see the difference based on the following criteria:
In the Basic Settings > Load/Save dialog, the checkbox in the Information frame is
unmarked. If the configuration profiles match, the checkbox is marked.
show config status
Configuration Storage sync State
--------------------------------
...
NV to ACA...................................out of sync
...


4.2 Saving the settings

4.2.1 Saving the configuration profile in the device


If you change the settings of the device during operation, the device stores the changes in its memory
(RAM). In order to keep the changes after a reboot, save the configuration profile in non-volatile memory
(NVM).

 Saving a configuration profile


The device always stores the settings in the "selected" configuration profile in non-volatile memory
(NVM).
Perform the following steps:
 Open the Basic Settings > Load/Save dialog.
 Verify that the desired configuration profile is "Selected".
You can recognize the “selected” configuration profile by the fact that the checkbox in the
Selected column is marked.
 Click the button.

show config profiles nvm
    Displays the configuration profiles contained in non-volatile memory (nvm).
enable
    Change to the Privileged EXEC mode.
save
    Save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.

 Copying settings to a configuration profile


The device allows you to store the settings saved in memory (RAM) in a configuration profile other than
the "selected" configuration profile. In this way you create a new configuration profile in non-volatile
memory (NVM) or overwrite an existing one.
Perform the following steps:
 Open the Basic Settings > Load/Save dialog.
 Click the button and then the Save As... item.
The dialog displays the Save As... window.
 In the Name field, change the name of the configuration profile. If you keep the proposed name,
the device will overwrite an existing configuration profile of the same name.
 Click the Ok button.
The new configuration profile is designated as “Selected”.
show config profiles nvm
    Displays the configuration profiles contained in non-volatile memory (nvm).
enable
    Change to the Privileged EXEC mode.
copy config running-config nvm profile <string>
    Save the current settings in the configuration profile named <string> in non-volatile
    memory (nvm). If present, the device overwrites a configuration profile of the same name.
    The new configuration profile is designated as “Selected”.

 Selecting a configuration profile


If the non-volatile memory (NVM) contains several configuration profiles, you have the option to select
any configuration profile there. The device always stores the settings in the "selected" configuration
profile. Upon reboot, the device loads the settings of the "selected" configuration profile into memory
(RAM).
Perform the following steps:
 Open the Basic Settings > Load/Save dialog.
The table displays the configuration profiles present in the device. You can recognize the
“selected” configuration profile by the fact that the checkbox in the Selected column is marked.
 In the table, select the entry of the desired configuration profile stored in non-volatile memory
(NVM).
 Click the button and then the Select item.
In the Selected column, the checkbox of the configuration profile is now marked.
enable
    Change to the Privileged EXEC mode.
show config profiles nvm
    Displays the configuration profiles contained in non-volatile memory (nvm).
configure
    Change to the Configuration mode.
config profile select nvm 1
    Identifier of the configuration profile.
    Take note of the adjacent name of the configuration profile.
save
    Save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.

4.2.2 Backup the configuration profile on a remote server


The device allows you to automatically back up the configuration profile to a remote server.
The prerequisite is that you activate the function before you save the configuration profile.
After you save the configuration profile in the non-volatile memory (NVM), the device sends a copy to
the specified URL.
Perform the following steps:
 Open the Basic Settings > Load/Save dialog.
Perform the following steps in the Backup config on a remote server when saving
frame.
 In the URL field, specify the server as well as path and file name of the backed up configuration
profile.
 Click the Set credentials button.
The dialog displays the Credentials window.
 Enter the credentials needed to authenticate on the remote server.


 In the Operation option list, enable the function.


 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
show config remote-backup
    Check status of the function.
configure
    Change to the Configuration mode.
config remote-backup destination
    Enter the destination URL for the configuration profile backup.
config remote-backup username
    Enter the user name to authenticate on the remote server.
config remote-backup password
    Enter the password to authenticate on the remote server.
config remote-backup operation
    Enable the function.

In case the transfer to the remote server is unsuccessful, the device logs this event in the log file (System
Log).

4.2.3 Saving the configuration profile in external memory


When you save a configuration profile, the device automatically creates a copy in external memory when
the external memory is connected. In the default setting, the function is enabled. You have the
option of enabling or disabling this function as follows.
Perform the following steps:
 Open the Basic Settings > External Memory dialog.

 In order to cause the device to automatically generate a copy in external memory during the
saving process, select the checkbox in the Backup config when saving column.
 To disable the function, remove the checkmark from the checkbox in the Backup config when
saving column.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
config envm config-save sd
    Enable the function. When you save a configuration profile, the device creates a copy in
    the external memory.
    sd = External SD memory
config envm config-save usb
    Enable the function. When you save a configuration profile, the device creates a copy in
    the external memory.
    usb = External USB memory
no config envm config-save sd
    Disable the function. The device does not create a copy in the external memory.
    sd = External SD memory
no config envm config-save usb
    Disable the function. The device does not create a copy in the external memory.
    usb = External USB memory
save
    Save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.


4.2.4 Exporting a configuration profile


The device offers you the option of saving a configuration profile to a server as an XML file. If you use
the graphical user interface, you have the option to save the XML file directly to your PC.
Prerequisite:
 To save the file on a server, you need a configured server on the network.
 To save the file to an SCP or SFTP server, you also need the username and password for accessing
this server.
Perform the following steps:
 Open the Basic Settings > Load/Save dialog.
 In the table, select the entry of the desired configuration profile.

To export the configuration profile to your PC, perform the following steps:
 Click the link in the Profile name column.
 Select the storage location and specify the file name.
 Click the Ok button.
The configuration profile is now saved as an XML file in the specified location.

To export the configuration profile to a remote server, perform the following steps:

 Click the button and then the Export... item.


The dialog displays the Export... window.
 In the URL field, specify the file URL on the remote server:
 To save the file on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
 To save the file on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
 To save the file on an SCP or SFTP server, specify the URL for the file in one of the following forms:
scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
scp:// or sftp://<IP address>/<path>/<file name>
When you click the Ok button, the device displays the Credentials window. There you enter User name and
Password to log on to the server.
 Click the Ok button.
The configuration profile is now saved as an XML file in the specified location.
show config profiles nvm
    Displays the configuration profiles contained in non-volatile memory (nvm).
enable
    Change to the Privileged EXEC mode.
copy config running-config remote tftp://<IP_address>/<path>/<file_name>
    Save the current settings on a TFTP server.
copy config nvm remote sftp://<user_name>:<password>@<IP_address>/<path>/<file_name>
    Saves the selected configuration profile in the non-volatile memory (nvm) on a SFTP server.
copy config nvm profile config3 remote tftp://<IP_address>/<path>/<file_name>
    Save the configuration profile config3 in the non-volatile memory (nvm) on a TFTP server.
copy config nvm profile config3 remote ftp://<IP_address>:<port>/<path>/<file_name>
    Save the configuration profile config3 in the non-volatile memory (nvm) on an FTP server.


4.3 Loading settings

Through loading of settings, the device allows you to quickly switch to other settings if required.

4.3.1 Activating a configuration profile


The non-volatile memory of the device can accommodate several configuration profiles. If you activate
a configuration profile stored there, you change the settings on the device on the fly without rebooting.
Perform the following steps:
 Open the Basic Settings > Load/Save dialog.
 In the table, select the entry of the desired configuration profile.
 Click the button and then the Activate item.
The device copies the settings to memory (RAM) and disconnects from the graphical user
interface. The device immediately uses the settings of the configuration profile on the fly.
 Reload the graphical user interface.
 Log in again.
In the Selected column, the checkbox of the configuration profile that was just activated is
marked.
show config profiles nvm
    Displays the configuration profiles contained in non-volatile memory (nvm).
enable
    Change to the Privileged EXEC mode.
copy config nvm profile config3 running-config
    Activate the settings of the configuration profile config3 in the non-volatile memory (nvm).
    The device copies the settings into the volatile memory and disconnects the CLI connection.
    The device immediately uses the settings of the configuration profile config3 on the fly.


4.3.2 Loading the configuration profile from the external memory

If an external memory is connected, the device loads a configuration profile from the external memory
upon restart automatically. The device allows you to save these settings in a configuration profile in
non-volatile memory.
If the external memory contains the configuration profile of an identical device, this allows you to transfer
the settings from one device to another.
Perform the following steps:
 Verify that the device loads a configuration profile from the external memory upon restart.
In the default setting, the function is enabled. If the function is disabled, enable it again as follows:
 Open the Basic Settings > External Memory dialog.
 In the Config priority column, select the value first.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
config envm load-priority sd first
    Enable the function.
    Upon reboot, the device loads a configuration profile from the external memory.
    sd = External SD memory
config envm load-priority usb first
    Enable the function.
    Upon reboot, the device loads a configuration profile from the external memory.
    usb = External USB memory
show config envm settings
    Displays the settings of the external memory (envm).

    Type   Status      Auto Update Save Config Config Load Prio
    ------ ----------- ----------- ----------- ----------------
    sd     ok          [x]         [x]         second
save
    Save the settings in a configuration profile in the non-volatile memory (NVM) of the device

The device allows you via CLI to copy the settings from the external memory directly into non-volatile
memory.
show config profiles nvm
    Displays the configuration profiles contained in non-volatile memory (nvm).
enable
    Change to the Privileged EXEC mode.
copy config envm profile config3 nvm
    Copy the configuration profile config3 from the external memory (envm) to the non-volatile
    memory (nvm).


4.3.3 Importing a configuration profile


The device allows you to import from a server a configuration profile saved as an XML file. If you use
the graphical user interface, you have the option to import the XML file directly from your PC.
Prerequisite:
 To save the file on a server, you need a configured server on the network.
 To save the file to an SCP or SFTP server, you also need the username and password for accessing
this server.
Perform the following steps:
 Open the Basic Settings > Load/Save dialog.
 Click the button and then the Import... item.
The dialog displays the Import... window.
 In the Select source drop-down list, select from where the device imports the configuration
profile.
 PC/URL
The device imports the configuration profile from the local PC or from a remote server.
 External memory
The device imports the configuration profile from the selected external memory.

To import the configuration profile from the local PC or from a remote server, perform the following
steps:
 Import the configuration profile:
 If the file is located on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
 If the file is located on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
 If the file is located on an SCP or SFTP server, specify the URL for the file in one of the following forms:
scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you enter User name
and Password to log on to the server.
scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
 In the Destination frame, specify where the device saves the imported configuration profile:
 In the Profile name field, specify the name under which the device saves the configuration profile.
 In the Storage type field, specify the storage location for the configuration profile.
 Click the Ok button.
The device copies the configuration profile into the specified memory.
If you specified the value ram in the Destination frame, the device disconnects the graphical
user interface and uses the settings immediately on the fly.
To import the configuration profile from the external memory, perform the following steps:
 In the Import profile from external memory frame, Profile name drop-down list, select
the name of the configuration profile to be imported.
The prerequisite is that the external memory contains an exported configuration profile.
 In the Destination frame, specify where the device saves the imported configuration profile:
 In the Profile name field, specify the name under which the device saves the configuration profile.
 Click the Ok button.
The device copies the configuration profile into the non-volatile memory (NVM) of the device.
If you specified the value ram in the Destination frame, the device disconnects the graphical
user interface and uses the settings immediately on the fly.


enable
    Change to the Privileged EXEC mode.
copy config remote ftp://<IP_address>:<port>/<path>/<file_name> running-config
    Import and activate the settings of a configuration profile saved on an FTP server.
    The device copies the settings into the volatile memory and disconnects the CLI connection.
    The device immediately uses the settings of the imported configuration profile on the fly.
copy config remote tftp://<IP_address>/<path>/<file_name> running-config
    Import and activate the settings of a configuration profile saved on a TFTP server.
    The device copies the settings into the volatile memory and disconnects the CLI connection.
    The device immediately uses the settings of the imported configuration profile on the fly.
copy config remote sftp://<user name>:<password>@<IP_address>/<path>/<file_name> running-config
    Import and activate the settings of a configuration profile saved on a SFTP server.
    The device copies the settings into the volatile memory and disconnects the CLI connection.
    The device immediately uses the settings of the imported configuration profile on the fly.
copy config remote ftp://<IP_address>:<port>/<path>/<file_name> nvm profile config3
    Import the settings of a configuration profile saved on an FTP server and save the settings
    in the configuration profile config3 in the non-volatile memory (nvm).
copy config remote tftp://<IP_address>/<path>/<file_name> nvm profile config3
    Import the settings of a configuration profile saved on a TFTP server and save the settings
    in the configuration profile config3 in the non-volatile memory (nvm).


4.4 Reset the device to the factory defaults

If you reset the settings in the device to the delivery state, the device deletes the configuration profiles
in the volatile memory and in the non-volatile memory.
If an external memory is connected, the device also deletes the configuration profiles saved on the
external memory.
The device then reboots and loads the factory settings.

4.4.1 Using the graphical user interface or CLI


Perform the following steps:
 Open the Basic Settings > Load/Save dialog.
 Click the button, then Back to factory... .
The dialog displays a warning message.
 Click the Ok button.
The device deletes the configuration profiles in the memory (RAM) and in the non-volatile memory
(NVM).
If an external memory is connected, the device also deletes the configuration profiles saved on
the external memory.
After a brief period, the device restarts and loads the delivery settings.
enable
    Change to the Privileged EXEC mode.
clear factory
    Deletes the configuration profiles from the non-volatile memory and from the external memory.
    If an external memory is connected, the device also deletes the configuration profiles saved
    on the external memory.
    After a brief period, the device restarts and loads the delivery settings.

4.4.2 Using the System Monitor


Prerequisite:
Your PC is connected with the V.24 connection of the device using a terminal cable.
Perform the following steps:
 Restart the device.
 To switch to the System Monitor, press the <1> key within 3 seconds when prompted during reboot.
The device loads the System Monitor.
 To switch from the main menu to the Manage configurations menu, press the <4> key.


 To execute the Clear configs and boot params command, press the <1> key.
 To load the factory settings, press the <Enter> key.
The device deletes the configuration profiles in the memory (RAM) and in the non-volatile memory
(NVM).
If an external memory is connected, the device also deletes the configuration profiles saved on the
external memory.
 To switch to the main menu, press the <q> key.
 To reboot the device with factory settings, press the <q> key.


5 Loading software updates

Hirschmann is continually working on improving and developing their software. Check regularly whether
there is an updated version of the software that provides you with additional benefits. You find
information and software downloads on the Hirschmann product pages on the Internet at
www.hirschmann.com.

The device gives you the following options for updating the device software:
 Software update from the PC
 Software update from a server
 Software update from the external memory
 Loading an older software

Note: The device settings are kept after updating the device software.
You see the version of the installed device software on the Login page of the graphical user interface.
If you are already logged in, perform the following steps to display the version of the installed software.
 Open the Basic Settings > Software dialog.
The field Running version displays the version number and creation date of the device
software that the device loaded during the last restart and is currently running.
enable
    Change to the Privileged EXEC mode.
show system info
    Displays the system information such as the version number and creation date of the device
    software that the device loaded during the last restart and is currently running.


5.1 Software update from the PC

The prerequisite is that the image file of the device software is saved on a data carrier which is
accessible from your PC.
Perform the following steps:
 Navigate to the folder where the image file of the device software is saved.
 Open the Basic Settings > Software dialog.
 Drag and drop the image file in the area. Alternatively click in the area to select the file.
 To start the update procedure, click the Start button.
As soon as the update procedure is completed successfully, the device displays a
message that the software has been updated successfully.
Upon restart, the device loads the installed device software.


5.2 Software update from a server

To update the software using TFTP, SFTP or SCP you need a server on which the image file of the
device software is saved.
Perform the following steps:
 Open the Basic Settings > Software dialog.
 In the Software update frame, URL field, enter the URL for the image file in the following
form:
 When the image file is saved on an FTP server:
ftp://<IP_address>:<port>/<path>/<image_file_name>.bin
 When the image file is saved on a TFTP server:
tftp://<IP_address>/<path>/<image_file_name>.bin
 When the image file is saved on a SCP or SFTP server:
scp:// or sftp://<IP_address>/<path>/<image_file_name>.bin
scp:// or sftp://<username>:<password>@<IP_address>/<path>/<image_file_name>.bin
If you enter the URL without the user name and password, the device displays the Credentials window.
There you enter credentials needed to log on to the server.
 To start the update procedure, click the Start button.
The device copies the currently running device software into the backup memory.
As soon as the update procedure is completed successfully, the device displays a
message that the software has been updated successfully.
Upon restart, the device loads the installed device software.
enable
    Change to the Privileged EXEC mode.
copy firmware remote tftp://10.0.1.159/product.bin system
    Transfer the product.bin file from the TFTP server with the IP address 10.0.1.159 to the device.


5.3 Software update from the external memory

5.3.1 Manually—initiated by the administrator


The device allows you to update the device software with just a few mouse clicks. The prerequisite is
that the image file of the device software is located in the external memory.
Perform the following steps:
 Open the Basic Settings > Software dialog.
 In the table, mark the row which displays the name of the desired image file on the external
memory.
 Right-click to display the context menu.
 To start the update procedure, click the Update item in the context menu.

The device copies the currently running device software into the backup memory.
As soon as the update procedure is completed successfully, the device displays a
message that the software has been updated successfully.
Upon restart, the device loads the installed device software.

5.3.2 Automatically—initiated by the device


During a restart the device updates the device software automatically when the following files are
located in the external memory:
 the image file of the device software
 a text file startup.txt with the content autoUpdate=<Image_file_name>.bin
The prerequisite is that in the Basic Settings > External Memory dialog, you mark the checkbox in
the Software auto update column. This is the default setting on the device.
Perform the following steps:
 Copy the image file of the new device software into the main directory of the external memory. Use
an image file suitable for the device exclusively.
 Create a text file startup.txt in the main directory of the external memory.
 Open the startup.txt file in the text editor and add the following line:
autoUpdate=<Image_file_name>.bin
 Install the external memory on the device.
 Restart the device.
During the booting process, the device automatically checks the following criteria:
– Is an external memory connected?
– Is a startup.txt file in the main directory of the external memory?


– Does the image file exist which is specified in the startup.txt file?
– Is the software version of the image file more recent than the software currently running on the
device?
If the criteria are fulfilled, the device starts the update procedure.
The device copies the currently running device software into the backup memory.
As soon as the update procedure is completed successfully, the device reboots automatically and
loads the new software version.
Check the result of the update procedure. The log file in the Diagnostics > Report > System Log
dialog contains one of the following messages:
 S_watson_AUTOMATIC_SWUPDATE_SUCCESS
Software update completed successfully
 S_watson_AUTOMATIC_SWUPDATE_ABORTED
Software update aborted
 S_watson_AUTOMATIC_SWUPDATE_ABORTED_WRONG_FILE
Software update aborted due to wrong image file
 S_watson_AUTOMATIC_SWUPDATE_ABORTED_SAVING_FILE
Software update aborted due to failed saving of the image file to the device
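The file criteria that the device checks during booting can be checked on the PC before the external memory is installed. The following Python sketch is an added example, not part of the manual or of the device software. It assumes that the key autoUpdate is case-sensitive, that other lines in startup.txt are ignored and that the image file must sit in the main directory; the file name sample-image.bin is constructed. The version comparison and the Software auto update checkbox are not covered.

```python
import tempfile
from pathlib import Path


def check_auto_update_media(root):
    """Return the problems found on the medium; an empty list means the file criteria are met."""
    root = Path(root)
    startup = root / "startup.txt"
    if not startup.is_file():
        return ["startup.txt is not in the main directory"]

    # Collect every autoUpdate=<name> line; other lines are ignored (assumption).
    names = []
    for line in startup.read_text(encoding="utf-8", errors="replace").splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "autoUpdate":      # case-sensitive match (assumption)
            names.append(value.strip())
    if not names:
        return ["startup.txt has no autoUpdate=<Image_file_name>.bin line"]

    problems = []
    if len(names) > 1:
        problems.append("startup.txt has more than one autoUpdate line")
    name = names[0]
    if not name.endswith(".bin") or name == ".bin":
        problems.append(f"image name {name!r} does not have the form <Image_file_name>.bin")
    if "/" in name or "\\" in name:
        # The procedure places the image in the main directory, so a path is rejected here.
        problems.append(f"image name {name!r} points outside the main directory")
    elif not (root / name).is_file():
        problems.append(f"image file {name!r} is not in the main directory")
    return problems


def make_sample_medium(files):
    """Create a constructed medium in a temporary directory from {file name: text content}."""
    root = Path(tempfile.mkdtemp(prefix="extmem_"))
    for file_name, content in files.items():
        (root / file_name).write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    # Constructed sample: startup.txt names an image that was never copied to the medium.
    medium = make_sample_medium({"startup.txt": "autoUpdate=sample-image.bin\n"})
    for problem in check_auto_update_media(medium) or ["file criteria met"]:
        print(problem)
```
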


5.4 Loading an older software

The device allows you to replace the device software with an older version. The basic settings on the
device are kept after replacing the device software.

Note: The settings for functions which are available in the newer device software version exclusively
are lost.


6 Configuring the ports

The following port configuration functions are available.


 Enabling/disabling the port
 Selecting the operating mode


6.1 Enabling/disabling the port

In the default setting, every port is enabled. For a higher level of access security, disable the ports for
which you are not making any connection.
Perform the following steps:
 Open the Basic Settings > Port dialog, Configuration tab.
 To enable a port, mark the checkbox in the Port on column.
 To disable a port, unmark the checkbox in the Port on column.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
interface 1/1
    Change to the interface configuration mode of interface 1/1.
no shutdown
    Enable the interface.


6.2 Selecting the operating mode

In the default setting, the ports are set to Automatic configuration operating mode.

Note: The active automatic configuration has priority over the manual configuration.
Perform the following steps:
 Open the Basic Settings > Port dialog, Configuration tab.
 If the device connected to this port requires a fixed setting:
 Deactivate the function. Unmark the checkbox in the Automatic configuration column.
 In the Manual configuration column, enter the desired operating mode (transmission rate, duplex mode).

 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
interface 1/1
    Change to the interface configuration mode of interface 1/1.
no auto-negotiate
    Disable the automatic configuration mode.
speed 10 full
    Port speed 10 MBit/s, full duplex


6.3 Deactivating the module slots

When you plug a module in an empty slot on modular devices, the device configures the module with
the default settings. The default settings allow access to the network. To help prevent unauthorized
network access, deactivate the unused slots.
Perform the following steps:
 Open the Basic Settings > Modules dialog.
 To deactivate the unused slots, unmark the Active checkbox.


6.4 Link monitoring

You use the Link monitoring function for end stations that support Far End Fault Indication (FEFI) on
optical links connected with an unsupported SFP. If a device detects a link up, the LED illuminates.
When the device detects a lost link, the LED extinguishes.

6.4.1 Example
The given example describes activation of the Link monitoring function on the selected ports.
Perform the following steps:
 Open the Basic Settings > Port dialog, Configuration tab.
 To illuminate the green LED of the Ethernet port, mark the checkbox in the Link monitoring
column.
enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
interface 1/1
    Change to the interface configuration mode of interface 1/1.
link loss alert
    Enable the Link monitoring function on the interface.


6.5 2.5G Support

The device supports 2.5 Gbit/s on several interfaces with one of the following SFP transceivers:
 M-SFP-2.5-MM/LC EEC
 M-SFP-2.5-SM-/LC EEC
 M-SFP-2.5-SM/LC EEC
 M-SFP-2.5-SM+/LC EEC
Speed is determined by the plugged SFP transceiver. The device has no option to set the speed
manually. Devices with 2.5 Gbit/s ports are unable to support 100 Mbit/s SFP transceivers.

6.5.1 Example
You use the 2.5 Gbit/s speed to get higher bandwidth for uplinks. To use the 2.5 Gbit/s speed, you
need to insert a suitable SFP transceiver into the appropriate port.
In the Basic Settings > Port dialog, the Link/Current settings column displays the value
2.5 Gbit/s FDX for the ports into which a 2.5 Gbit/s SFP transceiver is inserted. You cannot change
this speed.
Perform the following steps:
 Open the Basic Settings > Port dialog, Configuration tab.
show port 1/1
    Displays 2500 full as the Physical Mode of the port.


7 Assistance in the protection from unauthorized access

The device offers functions that help you protect the device against unauthorized access.
After you set up the device, carry out the following steps in order to reduce the risk of unauthorized
access to the device.
 Changing the SNMPv1/v2 community
 Disabling SNMPv1/v2
 Disabling HTTP
 Using your own HTTPS certificate
 Using your own SSH key
 Disabling Telnet
 Disabling HiDiscovery
 Enable IP access restriction
 Adjusting the session timeouts


7.1 Changing the SNMPv1/v2 community

SNMPv1/v2 works unencrypted. Every SNMP packet contains the IP address of the sender and the
plaintext community name with which the sender accesses the device. If SNMPv1/v2 is enabled, the
device allows anyone who knows the community name to access the device.
The community names public for read accesses and private for write accesses are preset. If you are
using SNMPv1 or SNMPv2, change the default community name. Treat the community names with
discretion.
Perform the following steps:
 Open the Device Security > Management Access > SNMPv1/v2 Community dialog.
The dialog displays the communities that are set up.
 For the Write community, specify in the Name column the community name.
 Up to 32 alphanumeric characters are allowed.
 The device differentiates between upper and lower case.
 Specify a different community name than for read access.

 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
snmp community rw <community name>
    Specify the community for read/write access.
show snmp community
    Display the communities that have been configured.
save
    Save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.


7.2 Disabling SNMPv1/v2

If you need SNMPv1 or SNMPv2, use these protocols solely in environments protected from
eavesdropping. SNMPv1 and SNMPv2 do not use encryption. The SNMP packets contain the
community in clear text. We recommend using SNMPv3 in the device and disabling the access using
SNMPv1 and SNMPv2.
Perform the following steps:
 Open the Device Security > Management Access > Server dialog, SNMP tab.
The dialog displays the settings of the SNMP server.
 To deactivate the SNMPv1 protocol, you unmark the SNMPv1 checkbox.
 To deactivate the SNMPv2 protocol, you unmark the SNMPv2 checkbox.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
no snmp access version v1
    Deactivate the SNMPv1 protocol.
no snmp access version v2
    Deactivate the SNMPv2 protocol.
show snmp access
    Display the SNMP server settings.
save
    Save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.


7.3 Disabling HTTP

The web server provides the graphical user interface with the protocol HTTP or HTTPS. HTTPS
connections are encrypted, while HTTP connections are unencrypted.
The HTTP protocol is enabled by default. If you disable HTTP, no unencrypted access to the graphical
user interface is possible.
Perform the following steps:
 Open the Device Security > Management Access > Server dialog, HTTP tab.
 To disable the HTTP protocol, select the Off radio button in the Operation frame.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
no http server
    Disable the HTTP protocol.

If the HTTP protocol is disabled, then you can reach the graphical user interface of the device only by
HTTPS. In the address bar of the web browser, enter the string https:// before the IP address of the
device.

When the HTTPS protocol is disabled and you also disable HTTP, then the graphical user interface is
inaccessible. To work with the graphical user interface, enable the HTTPS server using the command
line interface.
Perform the following steps:
enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
https server
    Enable the HTTPS protocol.


7.4 Disabling Telnet

The device allows you to remotely access the management functions of the device using Telnet or SSH.
Telnet connections are unencrypted, while SSH connections are encrypted.
The Telnet server is enabled on the device by default. If you disable Telnet, unencrypted remote access
to the command line interface is no longer possible.
Perform the following steps:
 Open the Device Security > Management Access > Server dialog, Telnet tab.
 To disable the Telnet server, select the Off radio button in the Operation frame.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
no telnet server
    Disable the Telnet server.

If the SSH server is disabled and you also disable Telnet, the access to the Command Line Interface is
only possible through the V.24 interface of the device. To work remotely with the command line
interface, enable SSH.
Perform the following steps:
 Open the Device Security > Management Access > Server dialog, SSH tab.
 To enable the SSH server, select the On radio button in the Operation frame.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
ssh server
    Enable the SSH server.


7.5 Disabling the HiDiscovery access

HiDiscovery allows you to assign IP parameters to the device over the network during commissioning.
HiDiscovery communicates in the management VLAN without encryption and authentication.
After the device is commissioned, we recommend setting HiDiscovery to read-only or disabling
HiDiscovery access completely.
Perform the following steps:
 Open the Basic Settings > Network dialog.
 To take away write permission from the HiDiscovery software, in the HiDiscovery protocol
v1/v2 frame, specify the value readOnly in the Access field.
 To disable HiDiscovery access completely, select the Off radio button in the HiDiscovery
protocol v1/v2 frame.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
network hidiscovery mode read-only
    Disable write permission of the HiDiscovery software.
no network hidiscovery operation
    Disable HiDiscovery access.


7.6 Activating the IP access restriction

In the default setting, you access the management functions of the device from any IP address and with
the supported protocols.
The IP access restriction allows you to restrict access to the management functions to selected IP
address ranges and selected IP-based protocols.
Example:
The device is to be accessible only from the company network using the graphical user interface. The
administrator has additional remote access using SSH. The company network has the address range
192.168.1.0/24, and the remote access comes from a mobile network with the IP address range
109.237.176.0/24. The SSH application program knows the fingerprint of the RSA/DSA key.
Parameter            Company network    Mobile phone network
Network address      192.168.1.0        109.237.176.0
Netmask              24                 24
Desired protocols    https, snmp        ssh
Table 6: Parameters for the IP access restriction

Perform the following steps:


 Open the Device Security > Management Access > IP Access Restriction dialog.
 Unmark the checkbox in the Active column for the entry.
This entry allows access to the device from any IP address and the supported protocols.
Address range of the company network:
 To add a table entry, click the button.
 Specify the address range of the company network in the IP address range column:
192.168.1.0/24
 For the address range of the corporate network, deactivate the undesired protocols. The
HTTPS, SNMP, and Active checkboxes remain marked.
Address range of the mobile phone network:
 To add a table entry, click the button.
 Specify the address range of the mobile network in the IP address range column:
109.237.176.0/24
 For the address range of the mobile network, deactivate the undesired protocols. The SSH and
Active checkboxes remain marked.
Before you enable the function, verify that at least one active entry in the table allows you access.
Otherwise, the connection to the device terminates when you change the settings. Access to the
management functions is then possible solely using the CLI through the V.24 interface of the device.
 To enable IP access restriction, select the On radio button in the Operation frame.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
show network management access global
    Displays whether IP access restriction is enabled or disabled.
show network management access rules
    Display the entries that have been configured.
no network management access operation
    Disable the IP access restriction.


network management access add 2
    Create the entry for the address range of the company network.
    Number of the next available index in this example: 2.
network management access modify 2 ip 192.168.1.0
    Specify the IP address of the company network.
network management access modify 2 mask 24
    Specify the netmask of the company network.
network management access modify 2 ssh disable
    Deactivate SSH for the address range of the company network.
    Repeat the operation for all unwanted protocols.
network management access add 3
    Create an entry for the address range of the mobile phone network.
    Number of the next available index in this example: 3.
network management access modify 3 ip 109.237.176.0
    Specify the IP address of the mobile phone network.
network management access modify 3 mask 24
    Specify the netmask of the mobile phone network.
network management access modify 3 snmp disable
    Deactivate SNMP for the address range of the mobile phone network.
    Repeat the operation for all unwanted protocols.
no network management access status 1
    Deactivate the default entry.
    This entry allows access to the device from any IP address and the supported protocols.
network management access status 2
    Activate an entry for the address range of the company network.
network management access status 3
    Activate an entry for the address range of the mobile phone network.
show network management access rules
    Display the entries that have been configured.
network management access operation
    Enable the IP access restriction.
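The check that at least one active entry still allows you access can be rehearsed offline before the function is enabled. The following Python model of the rule table from Table 6 is an added example, not part of the manual or of the device software. The matching rule (any active entry that covers the source address and permits the protocol), the protocol list, the range 0.0.0.0/0 for the default entry and the sample session addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Protocols named in this chapter; the list on a real device may be longer (assumption).
SUPPORTED = frozenset({"http", "https", "snmp", "telnet", "ssh"})


@dataclass(frozen=True)
class Entry:
    index: int
    ip_range: str          # "IP address range" column in CIDR notation
    protocols: frozenset   # protocols whose checkbox remains marked
    active: bool           # "Active" column


def build_table(default_active):
    """Default entry (index 1) plus the two entries from Table 6."""
    return [
        Entry(1, "0.0.0.0/0", SUPPORTED, default_active),
        Entry(2, "192.168.1.0/24", frozenset({"https", "snmp"}), True),
        Entry(3, "109.237.176.0/24", frozenset({"ssh"}), True),
    ]


def is_allowed(table, source_ip, protocol):
    """True if any active entry covers the source address and permits the protocol."""
    addr = ip_address(source_ip)
    return any(
        e.active and protocol in e.protocols and addr in ip_network(e.ip_range)
        for e in table
    )


def sessions_cut_off(table, sessions):
    """Return the (source_ip, protocol) sessions that lose access once the function is on."""
    return [s for s in sessions if not is_allowed(table, *s)]


def wide_open_entries(table):
    """Indexes of active entries that match every source address (restriction has no effect)."""
    return [e.index for e in table if e.active and ip_network(e.ip_range).prefixlen == 0]


if __name__ == "__main__":
    table = build_table(default_active=False)
    # Constructed sessions: GUI from the company network, SSH from the mobile network,
    # and an SSH session from the company network that Table 6 does not provide for.
    current = [("192.168.1.50", "https"), ("109.237.176.9", "ssh"), ("192.168.1.50", "ssh")]
    for src, proto in sessions_cut_off(table, current):
        print(f"would be cut off: {proto} from {src}")
    print("entries open to any address:", wide_open_entries(table))
```
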


7.7 Adjusting the session timeouts

The device allows you to automatically terminate the session upon inactivity of the logged-on user. The
session timeout is the period of inactivity after the last user action.
You can specify a session timeout for the following applications:
 CLI sessions using an SSH connection
 CLI sessions using a Telnet connection
 CLI sessions using a V.24 connection
 Graphical user interface

 Session timeout for CLI sessions using a SSH connection


Perform the following steps:
 Open the Device Security > Management Access > Server dialog, SSH tab.
 Specify the timeout period in minutes in the Configuration frame, Session timeout [min]
field.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
ssh timeout <0..160>
    Specify the timeout period in minutes for CLI sessions using an SSH connection.

 Timeout for CLI sessions using a Telnet connection


Perform the following steps:
 Open the Device Security > Management Access > Server dialog, Telnet tab.
 Specify the timeout period in minutes in the Configuration frame, Session timeout [min]
field.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
telnet timeout <0..160>
    Specify the timeout period in minutes for CLI sessions using a Telnet connection.

 Session timeout for CLI sessions using a V.24 connection


Perform the following steps:
 Open the Device Security > Management Access > CLI dialog, Global tab.
 Specify the timeout period in minutes in the Configuration frame, V.24 timeout [min]
field.
 To save the changes temporarily, click the button.


enable
    Change to the Privileged EXEC mode.
cli serial-timeout <0..160>
    Specify the timeout period in minutes for CLI sessions using a V.24 connection.

 Session timeout for the graphical user interface


Perform the following steps:
 Open the Device Security > Management Access > Web dialog.
 Specify the timeout period in minutes in the Configuration frame, Web interface session
timeout [min] field.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
network management access web timeout <0..160>
    Specify the timeout period in minutes for graphical user interface sessions.


8 Controlling the data traffic

The device checks the data packets to be forwarded in accordance with defined rules. Data packets to
which the rules apply are either forwarded by the device or blocked. When data packets do not
correspond to any of the rules, the device blocks the packets.
Routing ports to which no rules are assigned allow packets to pass. As soon as a rule is assigned, the
assigned rules are processed first. After that, the specified standard action of the device takes effect.
The device provides the following functions for controlling the data stream:
 Service request control (Denial of Service, DoS)
 Denying access to devices based on their IP or MAC address (Access Control List)
The device observes and monitors the data stream. The device takes the results of the observation and
the monitoring and combines them with the rules for the network security to create what is known as a
status table. Based on this status table, the device decides whether to accept, drop or reject data.
The data packets go through the filter functions of the device in the following sequence:
 DoS … if permit or accept, then progress to the next rule
 ACL … if permit or accept, then progress to the next rule


8.1 Helping protect against unauthorized access

With this function, the device supports you in protecting against invalid or falsified data packets targeted
at causing the failure of certain services or devices. You have the option of specifying filters in order to
restrict data stream for protection against denial-of-service attacks. The activated filters check incoming
data packets and discard them as soon as a match with the filter criteria is found.
The Network Security > DoS > Global dialog contains 2 frames in which you activate different filters.
To activate them, mark the corresponding checkboxes.
In the TCP/UDP frame, you activate up to 4 filters that influence TCP and UDP packets exclusively. Using
these filters, you block port scans, which attackers use to try to recognize devices and services
offered. The filters operate as follows:
Filter                            Action
Activate Null Scan Filter         The device detects and discards TCP packets for which no TCP flags
                                  are set.
Activate Xmas Filter              The device detects and discards TCP packets for which the TCP flags
                                  FIN, URG and PUSH are simultaneously set.
Activate SYN/FIN Filter           The device detects and discards TCP packets for which the TCP flags
                                  SYN and FIN are simultaneously set.
Activate Minimal Header Filter    The device detects and discards TCP packets for which the TCP
                                  header is too short.
Table 7: DoS filters for TCP packets

The ICMP frame offers you 2 filter options for ICMP packets. Fragmentation of incoming ICMP packets
is a sign of an attack. When you activate this filter, the device detects fragmented ICMP packets and
discards them. Using the Allowed packet size [byte] parameter, you can also specify the maximum
permissible size of the payload of the ICMP packets. The device discards data packets that exceed this
byte specification.

Note: You can combine the filters in any way in the Network Security > DoS > Global dialog. When
several filters are selected, a logical Or applies: The device discards a data packet if the first or second
(or the third, etc.) filter applies to it.
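How the four TCP filters from Table 7 and the logical Or from the note combine is shown in the following Python sketch, an added example that is not taken from the manual or from the device software. The short filter names, the 20-byte threshold for the Minimal Header Filter and the use of the six classic flag bits for the Null Scan Filter are assumptions; the TCP headers are constructed sample data. The ICMP filters are not covered.

```python
import struct

# TCP flag bits in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
CLASSIC_FLAGS = 0x3F     # assumption: "no TCP flags are set" refers to these six bits
MIN_TCP_HEADER = 20      # assumption: the manual does not state what "too short" means

# Hypothetical short names for the four checkboxes in the TCP/UDP frame, in table order.
FILTERS = ("null_scan", "xmas", "syn_fin", "min_header")


def matched_filters(segment, enabled=FILTERS):
    """Return the names of the enabled filters that apply to a raw TCP segment."""
    hits = set()
    data_offset = (segment[12] >> 4) if len(segment) > 12 else 0
    if len(segment) < MIN_TCP_HEADER or data_offset * 4 < MIN_TCP_HEADER:
        hits.add("min_header")
    if len(segment) >= 14:                      # the flags byte is present
        flags = segment[13]
        if (flags & CLASSIC_FLAGS) == 0:
            hits.add("null_scan")
        if (flags & (FIN | URG | PSH)) == (FIN | URG | PSH):
            hits.add("xmas")
        if (flags & (SYN | FIN)) == (SYN | FIN):
            hits.add("syn_fin")
    return [name for name in FILTERS if name in hits and name in enabled]


def discard(segment, enabled=FILTERS):
    """Logical Or: the packet is discarded as soon as one enabled filter applies."""
    return bool(matched_filters(segment, enabled))


def tcp_header(flags, data_offset=5):
    """Build a constructed 20-byte TCP header (ports and sequence numbers are sample values)."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, data_offset << 4, flags, 1024, 0, 0)


if __name__ == "__main__":
    samples = {
        "plain SYN": tcp_header(SYN),
        "no flags": tcp_header(0),
        "FIN+URG+PSH": tcp_header(FIN | URG | PSH),
        "SYN+FIN": tcp_header(SYN | FIN),
        "truncated": tcp_header(SYN)[:12],
    }
    for label, segment in samples.items():
        print(f"{label:12} discard={discard(segment)} filters={matched_filters(segment)}")
```
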

98 UM Config HiOS-2A GRS1040


Release 7.0 11/2017
Controlling the data traffic
8.2 ACL

In this menu you can enter the settings for the Access Control Lists (ACLs).
The device uses access control lists to filter data packets coming in on individual or multiple ports or on
VLANs. In the respective ACL, you create rules that the device uses to carry out filtering. When such a
rule applies to a packet, the device applies the actions defined in the rule to the packet. The following
actions are available:

 allow (permit)
 discard (deny)
 redirect to a certain port (see Redirection port field)
 mirror (see Mirror port field)

You can filter incoming data packets according to the following criteria:

 Source or destination address of a packet (MAC)
 Source or destination address of a data packet (IPv4)
 Type of the transmitting protocol (MAC/IPv4)
 Source or destination port of a data packet (IPv4)
 Service class of a packet (MAC)
 Membership of a specific VLAN (MAC)
 Classification according to DSCP (IPv4)
 Classification according to ToS (IPv4)
 Packet Fragmentation (IPv4)

The assignment of IP ACLs and MAC ACLs to ports and VLANs results in the following different types
of ACLs:

 IP ACLs for VLANs
 IP ACLs for ports
 MAC ACLs for VLANs
 MAC ACLs for ports

When you assign both an IP ACL and MAC ACL to the same interface, the device filters the traffic using
the IP ACL first. To filter the traffic using the MAC ACL, create a permit all statement at the end of
the IP ACL.

Within an ACL type, the device processes the rules in order, with the index of the respective rule
determining the corresponding order. You can thus specify the priority of a rule using the index or
sequence number when you assign an ACL to a port or VLAN. The following generally applies: the lower
the sequence number, the higher the priority. When processing the rules, the device processes the rule
with the higher priority first.

When several ACL types contain rules that apply to a data packet, the priority of the ACL type decides
which rule the device applies first. Note that the priority of an ACL type is independent of the index or
sequence number of a rule. It is generally true that IP ACLs have a higher priority than MAC ACLs. The
device thus gives preference to IP ACLs over MAC ACLs.

You can create up to 128 MAC ACLs and up to 128 IP ACLs. Each ACL can contain up to 239 rules,
with the device allowing a maximum number of 956 rules regardless of the ACL type. This corresponds
to four completely filled ACLs with 239 rules each.

You can assign a maximum of 239 rules to a single port, irrespective of the ACL type used.

This means you can simultaneously assign a maximum of 128 MAC ACLs and 128 IP ACLs to a single
port.

You can assign a maximum of 176 rules to a single VLAN, regardless of the ACL type used.

Note: You can assign a single ACL to any number of ports or VLANs.

Note: If you activate the Packet fragmented function for a rule, then the device processes IPv4
fragments with the offset specified as unequal to zero, in accordance with the rule. The device processes
every IPv4 fragment except for the initial IPv4 fragment.

If you assign one or several ACLs to a port or VLAN, the device processes the ACLs corresponding to
their priority when traffic comes in on an interface. If none of the rules contained in the ACLs match an
incoming data packet, the implicit deny rule applies. As a result, the device drops incoming data packets.

Keep in mind that the device directly implements the implicit deny rule.
The ACL menu contains the following dialogs:
 ACL IPv4 Rule
 ACL MAC Rule
 ACL Assignment

In these dialogs you can designate the rules for the various ACL types, configure them, and provide
them with the required priorities. You also take care of the assignment of the rules to certain ports or
VLANs here.

8.2.1 Creating and editing IPv4 rules


When filtering IPv4 data packets, the device allows you to:
 create new groups and rules
 add new rules to existing groups
 edit an existing rule
 activate and deactivate groups and rules
 delete existing groups and rules
 change the order of existing rules
Perform the following steps:
 Open the Network Security > ACL > IPv4 Rule dialog.
 Click the button.
The dialog displays the Create window.
 To create a group, specify a meaningful name in the Group name field. You can combine
several rules in one group.
 To add a rule to an existing group, select the name of the group in the Group name field.
 In the Index field you enter a value in the range 1..239.
This value defines the priority of the rule.

 Click the Ok button.


The device adds the rule to the table.
Group and rule are active immediately.
To deactivate a group or rule, unmark the checkbox in the Active column.
To remove a rule, highlight the affected table entry and click the button.
 Edit the rule parameters in the table.
To change a value, double-click the relevant field.
 To save the changes temporarily, click the button.

Note: The device allows you to use wildcards with the Source IP address and Destination IP
address parameters. If you enter, for example, 192.168.?.?, the device admits addresses whose first two
octets are 192.168.

Note: The prerequisite for changing the values in the Source TCP/UDP port and Destination TCP/UDP
port columns is that you specify the value tcp or udp in the Protocol column.

Note: The prerequisite for changing the value in the Redirection port and Mirror port columns is
that you specify the value permit in the Action column.

8.2.2 Creating and configuring an IP ACL using the CLI


In the following example, you configure ACLs to block communications from computers B and C, to
computer A via IP (TCP, UDP, etc.).
Figure 18: Example of an IP ACL (diagram: computer C, IP 10.0.1.11/24, on port 1; computer B,
IP 10.0.1.13/24, on port 3; computers D and A on ports 2 and 4, with the IP addresses 10.0.1.158/24 and
10.0.1.159/24)


Perform the following steps:
enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
ip acl add 1 filter
    Adds an IP ACL with the ID 1 and the name filter.
ip acl rule add 1 1 deny src 10.0.1.11 0.0.0.0 dst 10.0.1.158 0.0.0.0
    Adds a rule to position 1 of the IP ACL with the ID 1 denying IP data packets from 10.0.1.11
    to 10.0.1.158.

ip acl rule add 1 2 permit src any any dst any any
    Adds a rule to position 2 of the IP ACL with the ID 1 admitting IP data packets.
show acl ip rules 1
    Displays the rules of the IP ACL with the ID 1.
ip acl add 2 filter2
    Adds an IP ACL with the ID 2 and the name filter2.
ip acl rule add 2 1 deny src 10.0.1.13 0.0.0.0 dst 10.0.1.158 0.0.0.0
    Adds a rule to position 1 of the IP ACL with the ID 2 denying IP data packets from 10.0.1.13
    to 10.0.1.158.
ip acl rule add 2 2 permit src any any dst any any
    Adds a rule to position 2 of the IP ACL with the ID 2 admitting IP data packets.
show acl ip rules 2
    Displays the rules of the IP ACL with the ID 2.
interface 1/1
    Change to the interface configuration mode of interface 1/1.
acl ip assign 1 in 1
    Assigns the IP ACL with the ID 1 to incoming data packets (in) on interface 1/1, with a
    priority of 1 (highest priority).
exit
    Leaves the interface mode.
interface 1/3
    Change to the interface configuration mode of interface 1/3.
acl ip assign 2 in 1
    Assigns the IP ACL with the ID 2 to incoming data packets (in) on interface 1/3, with a
    priority of 1 (highest priority).
exit
    Leaves the interface mode.
show acl ip assignment 1
    Displays the assignment of the IP ACL with ID 1.
show acl ip assignment 2
    Displays the assignment of the IP ACL with ID 2.
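The rule processing described in this chapter (rules in index order, first match decides, implicit deny when nothing matches), applied to the two ACLs configured above. This is an added model for checking a rule set offline, not the device's implementation. Assumptions: the second address argument is an inverse mask whose set bits are ignored (inferred from 0.0.0.0 selecting a single host), a port without an assigned ACL is not filtered, and all class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_RULE_INDEX = 239   # index range 1..239 from the manual


def addr_matches(addr: str, pattern: str, mask: str) -> bool:
    """Compare two IPv4 addresses, ignoring the bits set in `mask` (assumption)."""
    if pattern == "any":
        return True
    care = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(pattern)) & care)


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    src: str = "any"
    src_mask: str = "0.0.0.0"
    dst: str = "any"
    dst_mask: str = "0.0.0.0"

    def matches(self, src: str, dst: str) -> bool:
        return (addr_matches(src, self.src, self.src_mask)
                and addr_matches(dst, self.dst, self.dst_mask))


@dataclass
class IpAcl:
    acl_id: int
    name: str
    rules: Dict[int, Rule] = field(default_factory=dict)

    def add_rule(self, index: int, rule: Rule) -> None:
        if not 1 <= index <= MAX_RULE_INDEX:
            raise ValueError("rule index must be in the range 1..239")
        if index in self.rules:
            raise ValueError(f"index {index} is already used in ACL {self.acl_id}")
        self.rules[index] = rule


class Switch:
    def __init__(self) -> None:
        self.assignments: Dict[str, List[Tuple[int, IpAcl]]] = {}

    def assign(self, interface: str, acl: IpAcl, priority: int) -> None:
        self.assignments.setdefault(interface, []).append((priority, acl))

    def evaluate(self, interface: str, src: str,
                 dst: str) -> Tuple[str, Optional[int], Optional[int]]:
        """Return (action, ACL ID, rule index) for a packet received on `interface`."""
        assigned = self.assignments.get(interface)
        if not assigned:
            return ("permit", None, None)          # no ACL on this port
        for _priority, acl in sorted(assigned, key=lambda pa: pa[0]):
            for index in sorted(acl.rules):        # lower index = higher priority
                if acl.rules[index].matches(src, dst):
                    return (acl.rules[index].action, acl.acl_id, index)
        return ("deny", None, None)                # implicit deny


def build_example() -> Switch:
    """The configuration from the CLI steps above."""
    acl1 = IpAcl(1, "filter")
    acl1.add_rule(1, Rule("deny", "10.0.1.11", "0.0.0.0", "10.0.1.158", "0.0.0.0"))
    acl1.add_rule(2, Rule("permit"))
    acl2 = IpAcl(2, "filter2")
    acl2.add_rule(1, Rule("deny", "10.0.1.13", "0.0.0.0", "10.0.1.158", "0.0.0.0"))
    acl2.add_rule(2, Rule("permit"))
    switch = Switch()
    switch.assign("1/1", acl1, priority=1)
    switch.assign("1/3", acl2, priority=1)
    return switch


if __name__ == "__main__":
    sw = build_example()
    for port, src, dst in [("1/1", "10.0.1.11", "10.0.1.158"),
                           ("1/1", "10.0.1.11", "10.0.1.159"),
                           ("1/3", "10.0.1.13", "10.0.1.158"),
                           ("1/3", "10.0.1.11", "10.0.1.158")]:
        print(port, src, "->", dst, sw.evaluate(port, src, dst))
```

The last sample shows that each ACL only filters traffic arriving on the port it is assigned to: a packet from 10.0.1.11 received on port 1/3 is evaluated against ACL 2 and matches its permit rule.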

8.2.3 Creating and editing MAC rules


When filtering MAC data packets, the device allows you to:
 create new groups and rules
 add new rules to existing groups
 edit an existing rule
 activate and deactivate groups and rules
 delete existing groups and rules
 change the order of existing rules
Perform the following steps:
 Open the Network Security > ACL > MAC Rule dialog.
 Click the button.
The dialog displays the Create window.
 To create a group, specify a meaningful name in the Group name field. You can combine
several rules in one group.
 To add a rule to an existing group, select the name of the group in the Group name field.
 In the Index field you enter a value in the range 1..239.
This value defines the priority of the rule.
 Click the Ok button.
The device adds the rule to the table.
Group and rule are active immediately.
To deactivate a group or rule, unmark the checkbox in the Active column.
To remove a rule, highlight the affected table entry and click the button.
 Edit the rule parameters in the table.
To change a value, double-click the relevant field.
 To save the changes temporarily, click the button.

Note: In the Source MAC address and Destination MAC address fields you can use wildcards in the
FF:??:??:??:??:?? or ??:??:??:??:00:01 form. Use capital letters here.

8.2.4 Creating and configuring a MAC ACL using the CLI


In the following example, AppleTalk and IPX are to be filtered out from the entire network.
Perform the following steps:
enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
mac acl add 1 macfilter
    Adds a MAC ACL with the ID 1 and the name macfilter.
mac acl rule add 1 1 deny src any any dst any any etype appletalk
    Adds a rule to position 1 of the MAC ACL with the ID 1 rejecting packets with EtherType
    0x809B (AppleTalk).
mac acl rule add 1 2 deny src any any dst any any etype ipx-old
    Adds a rule to position 2 of the MAC ACL with the ID 1 rejecting packets with EtherType
    0x8137 (IPX old).
mac acl rule add 1 3 deny src any any dst any any etype ipx-new
    Adds a rule to position 3 of the MAC ACL with the ID 1 rejecting packets with EtherType
    0x8138 (IPX).
mac acl rule add 1 4 permit src any any dst any any
    Adds a rule to position 4 of the MAC ACL with the ID 1 forwarding packets.
show acl mac rules 1
    Displays the rules of the MAC ACL with the ID 1.
interface 1/1,1/2,1/3,1/4,1/5,1/6
    Change to the interface configuration mode of the interfaces 1/1 to 1/6.
acl mac assign 1 in 1
    Assigns the MAC ACL with the ID 1 to incoming data packets (in) on interfaces 1/1 to 1/6.
exit
    Leaves the interface mode.
show acl mac assignment 1
    Displays the assignment of the MAC ACL with the ID 1 to interfaces or VLANs.

8.2.5 Assigning ACL groups to ports or VLANs


When assigning group rules to ports or VLANs, the device allows you to:
 assign ACL groups to ports or VLANs
 specify the rule priority
 assign the ACL using the group name
Perform the following steps:
 Open the Network Security > ACL > Assignment dialog.
 Click the button.
The dialog displays the Create window.
 In the Port/VLAN field, specify the desired port or the desired VLAN.
 In the Priority field, specify the allocation priority.
 In the Direction field, specify the data packets to which the device applies the rule.
 In the Group name field, specify the rule the device assigns to the port or the VLAN.
 Click the Ok button.

 To save the changes temporarily, click the button.

8.3 MAC authentication bypass

The MAC authorized bypass function allows clients that do not support 802.1X, such as printers and
fax machines, to authenticate to the network using their MAC address. The device allows you to specify
the format of the MAC address used to authenticate the clients on the RADIUS server.
Example:
Split the MAC address into 6 groups of 2 characters. Use uppercase letters and a colon character as
separator: AA:BB:CC:DD:EE:FF
Use the password xY-45uM_e.
Perform the following steps:
 Open the Network Security > 802.1X Port Authentication > Global dialog.
Perform the following steps in the MAC authentication bypass format options frame.
 In the Group size drop-down list, select the value 2.
The device splits the MAC address into 6 groups of 2 characters.
 In the Group separator drop-down list, select the : character.
 In the Upper or lower case drop-down list, select the value upper-case.
 In the Password field, enter the password xY-45uM_e.
The device uses this password for every client that authenticates to the RADIUS server. If you
leave the field empty, then the device uses the formatted MAC address also as the password.
 To temporarily save the settings, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
dot1x mac-authentication-bypass format group-size 2
    Specify the group size 2.
dot1x mac-authentication-bypass format group-separator :
    Specify the group separator :.
dot1x mac-authentication-bypass format letter-case upper-case
    Specify that the device formats the authentication data in uppercase letters.
dot1x mac-authentication-bypass password xY-45uM_e
    Specify the password xY-45uM_e. The device uses this password to authenticate every client
    on the RADIUS server.
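The credentials the device derives from a client MAC address under the format options above, plus a check of a RADIUS user table against them, as an added example (not code from the manual). Assumptions: group sizes other than 2 behave analogously for any size that divides 12, the RADIUS user table and client list are constructed sample data, and all function names are hypothetical.

```python
import re
from typing import Dict, List, Optional, Tuple


def format_mac(mac: str, group_size: int = 2, separator: str = ":",
               upper: bool = True) -> str:
    """Format a MAC address with the Group size / Group separator / case options."""
    digits = re.sub(r"[:.\-\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if group_size < 1 or 12 % group_size:
        raise ValueError("group size must divide the 12 hex characters evenly")
    digits = digits.upper() if upper else digits.lower()
    return separator.join(digits[i:i + group_size] for i in range(0, 12, group_size))


def mab_credentials(mac: str, password: Optional[str] = None,
                    **fmt) -> Tuple[str, str]:
    """User name and password sent to the RADIUS server for one client.

    With an empty Password field the formatted MAC address is also the password.
    """
    user = format_mac(mac, **fmt)
    return user, (password if password else user)


def audit_radius_users(client_macs: List[str], radius_users: Dict[str, str],
                       password: Optional[str] = None,
                       **fmt) -> List[Tuple[str, str]]:
    """List the clients whose authentication fails with the current settings."""
    failures = []
    for mac in client_macs:
        user, secret = mab_credentials(mac, password, **fmt)
        if user not in radius_users:
            failures.append((mac, "no user entry in this format"))
        elif radius_users[user] != secret:
            failures.append((mac, "password mismatch"))
    return failures


# Constructed sample data: user name -> password as stored on the RADIUS server.
RADIUS_USERS = {
    "AA:BB:CC:DD:EE:FF": "xY-45uM_e",
    "00-11-22-33-44-55": "xY-45uM_e",          # stored with a different separator
    "66:77:88:99:AA:BB": "66:77:88:99:AA:BB",  # stored with the MAC as password
}
CLIENTS = ["aa:bb:cc:dd:ee:ff", "0011.2233.4455", "66-77-88-99-aa-bb"]

if __name__ == "__main__":
    # Settings from the example: group size 2, separator ":", upper case, fixed password.
    for mac, reason in audit_radius_users(CLIENTS, RADIUS_USERS, password="xY-45uM_e",
                                          group_size=2, separator=":", upper=True):
        print(f"{mac}: {reason}")
```
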

9 Synchronizing the system time in the network

Many applications rely on a time that is as correct as possible. The necessary accuracy, and thus the
allowable deviation from the actual time, depends on the application area.

Examples of application areas include:


 Log entries
 Time stamping of production data
 Process control

The device offers the following options for synchronizing the time on the network:

 The Simple Network Time Protocol (SNTP) is a simple solution for low accuracy requirements. Under
ideal conditions, SNTP achieves an accuracy in the millisecond range. The accuracy depends on the
signal delay.

 IEEE 1588 with the Precision Time Protocol (PTP) achieves accuracies on the order of fractions of
microseconds. This method is suitable even for demanding applications up to and including process
control.

PTP is always the better choice if the involved devices support this protocol. PTP is more accurate, has
advanced methods of error correction, and causes a low network load. The implementation of PTP is
comparatively easy.

Note: According to the PTP and SNTP standards, both protocols function in parallel in the same
network. However, since both protocols influence the system time of the device, situations may occur
in which the two protocols conflict with each other.

9.1 Basic settings

In the Time > Basic Settings dialog, you specify general settings for the time.

9.1.1 Setting the time


If no reference time source is available to you, you have the option to set the time in the device.
After a cold start or reboot, if no real-time clock is available or if the real-time clock contains an invalid
time, the device initializes its clock with January 1, 00:00h. After the power supply is switched off, the
device buffers the settings of the real-time clock up to 24 hours.
Alternatively, you configure the settings in the device so that it automatically obtains the current time
from a PTP clock or from an SNTP server.
Perform the following steps:
 Open the Time > Basic Settings dialog.
 The System time (UTC) field displays the current UTC (Universal Time Coordinated) of the
device. UTC is the time relating to the coordinated world time measurement. UTC is the same
worldwide and does not take local time shifts into account.
 The time in the System time field comes from the System time (UTC) plus the Local offset
[min] value and a possible shift due to daylight saving time.

 In order to cause the device to apply the time of your PC to the System time field, click the
Set time from PC button.
Based on the value in the Local offset [min] field, the device calculates the time in the
System time (UTC) field: The System time (UTC) comes from the System time minus the
Local offset [min] value and a possible shift due to daylight saving time.
 The Time source field displays the origin of the time data. The device automatically selects
the source with the greatest accuracy.
The source is initially local.
If SNTP is active and if the device receives a valid SNTP packet, the device sets its time
source to sntp.
If PTP is active and if the device receives a valid PTP message, the device sets its time source
to ptp. The device prioritizes PTP ahead of SNTP.
 The Local offset [min] value specifies the time difference between the local time and the
System time (UTC).
 In order to cause the device to determine the time zone on your PC, click the Set time from
PC button. The device calculates the local time difference from UTC and enters the difference
into the Local offset [min] field.
Note: The device provides the option to obtain the local offset from a DHCP server.

 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
clock set <YYYY-MM-DD> <HH:MM:SS>
    Set the system time of the device.
clock timezone offset <-780..840>
    Enter the time difference between the local time and the received UTC time in minutes.
save
    Save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.

9.1.2 Automatic daylight saving time changeover


If you operate the device in a time zone in which there is a summer time change, you set up the
automatic daylight saving time changeover on the Daylight saving time tab.
When daylight saving time is enabled, the device sets the local system time forward by 1 hour at the
beginning of daylight saving time. At the end of daylight saving time, the device sets the local system
time back again by 1 hour.
Perform the following steps:
 Open the Time > Basic Settings dialog, Daylight saving time tab.
 To select a preset profile for the start and end of daylight saving time, click the Profile...
button in the Operation frame.
 If no matching daylight saving time profile is available, you specify the changeover times in
the Summertime begin and Summertime end fields.
For both time points, you specify the month, the week within this month, the weekday, and the
time of day.
 To enable the function, select the On radio button in the Operation frame.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
clock summer-time mode <disable|recurring|eu|usa>
    Configure the automatic daylight saving time changeover: enable/disable or activate with a
    profile.
clock summer-time recurring start
    Enter the start time for the changeover.
clock summer-time recurring end
    Enter the end time for the changeover.
save
    Save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.

9.2 SNTP

The Simple Network Time Protocol (SNTP) allows you to synchronize the system time in your network.
The device supports the SNTP client and the SNTP server function.
The SNTP server makes the UTC (Universal Time Coordinated) available. UTC is the time relating to
the coordinated world time measurement. The UTC is the same worldwide and ignores local time shifts.
SNTP is a simplified version of NTP (Network Time Protocol). The data packets are identical with SNTP
and NTP. Accordingly, both NTP and SNTP servers serve as a time source for SNTP clients.

Note: Statements in this chapter relating to external SNTP servers also apply to NTP servers.
SNTP has the following operation modes for the transmission of time:
 Unicast
In Unicast operation mode, an SNTP client sends requests to an SNTP server and expects a
response from this server.
 Broadcast
In Broadcast operation mode, an SNTP server sends SNTP messages to the network in specified
intervals. SNTP clients receive these SNTP messages and evaluate them.
| IP destination address | Send SNTP packets to |
|---|---|
| 0.0.0.0 | Nobody |
| 224.0.1.1 | Multicast address for SNTP messages |
| 255.255.255.255 | Broadcast address |

Table 8: Target address classes for Broadcast operation mode

Note: An SNTP server in Broadcast operation mode also responds to direct requests using Unicast from
SNTP clients. In contrast, SNTP clients work in either Unicast or Broadcast operation mode.

9.2.1 Preparation
Perform the following steps:
 To get an overview of how the time is passed on, draw a network plan with the devices participating
in SNTP.
When planning, bear in mind that the accuracy of the time depends on the delays of the SNTP
messages. To minimize delays and their variance, place an SNTP server in each network segment.
Each of these SNTP servers synchronizes its own system time as an SNTP client with its parent
SNTP server (SNTP cascade). The highest SNTP server in the SNTP cascade has the most direct
access to a reference time source.
Figure 19: Example of SNTP cascade (diagram: a GPS reference, a PLC and two switches; the devices
192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.11 and 192.168.1.12 act as SNTP servers and/or SNTP
clients)

Note: For precise time distribution, between SNTP servers and SNTP clients you preferably use
network components (routers and switches) that forward the SNTP packets with a low and uniform
transmission time (latency).
 An SNTP client sends its requests to up to 4 configured SNTP servers. If there is no response from
the 1st SNTP server, the SNTP client sends its requests to the 2nd SNTP server. If this request is
also unsuccessful, it sends the request to the 3rd and finally the 4th SNTP server. If none of these
SNTP servers responds, the SNTP client loses its synchronization. The SNTP client periodically
sends requests to each SNTP server until a server delivers a valid time.

Note: The device provides the option of obtaining a list of SNTP server IP addresses from a DHCP
server.

 If no reference time source is available to you, determine a device with an SNTP server as a
reference time source. Adjust its system time at regular intervals.

9.2.2 Defining settings of the SNTP client


As an SNTP client, the device obtains the time information from SNTP or NTP servers and synchronizes
its system clock accordingly.
Perform the following steps:
 Open the Time > SNTP > Client dialog.
 Set the SNTP operation mode.
In the Configuration frame, select one of the following values in the Mode field:
 unicast
The device sends requests to an SNTP server and expects a response from this server.
 broadcast
The device waits for Broadcast messages from SNTP servers on the network.
 To synchronize the time only once, mark the Disable client after successful sync
checkbox.
After synchronization, the device disables the SNTP Client function.
 The table displays the SNTP server to which the SNTP client sends a request in Unicast
operation mode. The table contains up to four SNTP server definitions.
 To add a table entry, click the button.
 Specify the connection data of the SNTP server.
 To enable the function, select the On radio button in the Operation frame.
 To save the changes temporarily, click the button.
 The State field displays the current status of the SNTP Client function.
| Device | 192.168.1.1 | 192.168.1.2 | 192.168.1.3 | 192.168.1.11 | 192.168.1.12 |
|---|---|---|---|---|---|
| SNTP Client function | Off | On | On | On | On |
| Configuration: Mode | unicast | unicast | unicast | unicast | unicast |
| Request interval [s] | 30 | 30 | 30 | 30 | 30 |
| SNTP Server address(es) | – | 192.168.1.1 | 192.168.1.2, 192.168.1.1 | 192.168.1.2, 192.168.1.1 | 192.168.1.3, 192.168.1.2, 192.168.1.1 |

Table 9: SNTP client settings for the example

9.2.3 Specifying SNTP server settings


When the device operates as an SNTP server, it provides its system time in coordinated world time
(UTC) in the network.
Perform the following steps:
 Open the Time > SNTP > Server dialog.
 To enable the function, select the On radio button in the Operation frame.

 To enable the Broadcast operation mode, select the Broadcast admin mode radio button in
the Configuration frame.
In Broadcast operation mode, the SNTP server sends SNTP messages to the network in
specified intervals. The SNTP server also responds to the requests from SNTP clients in
Unicast operation mode.
 In the Broadcast destination address field, you set the IP address to which the SNTP server sends the
SNTP packets. Set a Broadcast address or a Multicast address.
 In the Broadcast UDP port field, you specify the number of the UDP port to which the SNTP server sends
the SNTP packets in Broadcast operation mode.
 In the Broadcast VLAN ID field, you specify the ID of the VLAN to which the SNTP server sends the SNTP
packets in Broadcast operation mode.
 In the Broadcast send interval [s] field, you enter the time interval at which the SNTP server of the device
sends SNTP Broadcast packets.

 To save the changes temporarily, click the button.


 The State field displays the current status of the SNTP Server function.

| Device | 192.168.1.1 | 192.168.1.2 | 192.168.1.3 | 192.168.1.11 | 192.168.1.12 |
|---|---|---|---|---|---|
| SNTP Server function | On | On | On | Off | Off |
| UDP port | 123 | 123 | 123 | 123 | 123 |
| Broadcast admin mode | unmarked | unmarked | unmarked | unmarked | unmarked |
| Broadcast destination address | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 |
| Broadcast UDP port | 123 | 123 | 123 | 123 | 123 |
| Broadcast VLAN ID | 1 | 1 | 1 | 1 | 1 |
| Broadcast send interval [s] | 128 | 128 | 128 | 128 | 128 |
| Disable server at local time source | unmarked | unmarked | unmarked | unmarked | unmarked |

Table 10: Settings for the example

9.3 PTP

In order for LAN-controlled applications to work without latency, precise time management is required.
With PTP (Precision Time Protocol), IEEE 1588 describes a method that enables precise
synchronization of clocks in the network.
PTP enables synchronization with an accuracy of a few 100 ns. PTP uses Multicasts for the
synchronization messages, which keeps the network load low.

9.3.1 Types of clocks


PTP defines the roles of “master” and “slave” for the clocks in the network:
 A master clock (reference time source) distributes its time.
 A slave clock synchronizes itself with the timing signal received from the master clock.

 Boundary clock
The transmission time (latency) in routers and switches has a measurable effect on the precision of
the time transmission. To correct such inaccuracies, PTP defines what are known as boundary
clocks.
In a network segment, a boundary clock is the reference time source (master clock) to which the
subordinate slave clocks synchronize. Typically routers and switches take on the role of boundary
clock.
The boundary clock in turn obtains the time from a higher-level reference time source (Grandmaster).
Figure 20: Position of the boundary clock in a network (diagram: GPS reference as Grandmaster Clock,
PLC, Ordinary Clocks, and a switch as Boundary Clock with a slave and a master side)

 Transparent Clock
Switches typically take on the Transparent Clock role to enable high accuracy across the cascades.
The Transparent Clock is a Slave clock that corrects its own transmission time when it forwards
received synchronization messages.

 Ordinary Clock
PTP designates the clock in an end device as an “Ordinary Clock”. An Ordinary Clock functions either
as a master clock or slave clock.

9.3.2 Best Master Clock algorithm


The devices participating in PTP designate a device in the network as a reference time source
(Grandmaster). Here the “Best Master Clock” algorithm is used, which determines the accuracy of the
clocks available in the network.
The “Best Master Clock” algorithm evaluates the following criteria:
 Priority 1
 Clock class
 Clock accuracy
 Clock variance
 Priority 2
The algorithm first evaluates the value in the Priority 1 field of the participating devices. The device
with the smallest value in the Priority 1 field becomes the reference time source (Grandmaster). If
the value is the same for multiple devices, the algorithm takes the next criterion, and if this is also the
same, it takes the next criterion after this one. If all the values are the same for multiple devices, the
smallest value in the Clock identity field decides which device becomes the reference time source
(Grandmaster).
The device offers you the option in the settings of the boundary clock to individually specify the values
for Priority 1 and Priority 2 . This allows you to influence which device will be the reference time
source (Grandmaster) in the network.
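The comparison order described above, as an added example that also reports which criterion decided the election (not code from the manual or from IEEE 1588). Assumptions: the lower value wins for every criterion, the clock values are constructed sample data, and all names are hypothetical.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple

# Criteria in the order the algorithm evaluates them; the clock identity is
# the final tiebreaker.
CRITERIA = ("priority1", "clock_class", "clock_accuracy",
            "clock_variance", "priority2", "clock_identity")


@dataclass(frozen=True)
class ClockDataset:
    name: str
    priority1: int
    clock_class: int
    clock_accuracy: int
    clock_variance: int
    priority2: int
    clock_identity: int


def better(a: ClockDataset, b: ClockDataset) -> Tuple[ClockDataset, str]:
    """Return the better of two clocks and the first criterion that differed."""
    for criterion in CRITERIA:
        va, vb = getattr(a, criterion), getattr(b, criterion)
        if va != vb:
            return (a if va < vb else b), criterion
    raise ValueError("two clocks share the same clock identity")


def elect_grandmaster(clocks: List[ClockDataset]) -> Tuple[ClockDataset, str]:
    """Return the elected clock and the criterion that separated it from the runner-up."""
    if not clocks:
        raise ValueError("no clocks to compare")
    ranked = sorted(clocks, key=lambda c: tuple(getattr(c, k) for k in CRITERIA))
    if len(ranked) == 1:
        return ranked[0], "only candidate"
    _, decided_by = better(ranked[0], ranked[1])
    return ranked[0], decided_by


# Constructed sample values: one clock with a good reference, two default switches.
GPS_REFERENCE = ClockDataset("gps-reference", 128, 6, 0x21, 0x4E5D, 128, 0x008063FFFE000001)
SWITCH_A = ClockDataset("switch-a", 128, 248, 0xFE, 0xFFFF, 128, 0x008063FFFE00000A)
SWITCH_B = ClockDataset("switch-b", 128, 248, 0xFE, 0xFFFF, 128, 0x008063FFFE00000B)

if __name__ == "__main__":
    winner, why = elect_grandmaster([SWITCH_A, SWITCH_B, GPS_REFERENCE])
    print(f"default priorities: {winner.name} (decided by {why})")

    # Lowering Priority 1 on one boundary clock overrides every quality criterion.
    lowered = replace(SWITCH_B, priority1=64)
    winner, why = elect_grandmaster([SWITCH_A, lowered, GPS_REFERENCE])
    print(f"switch-b with Priority 1 = 64: {winner.name} (decided by {why})")
```

Because Priority 1 is evaluated before the clock class, accuracy and variance, a changed Priority 1 value on one device is enough to displace a clock with a better reference, which makes the two priority fields worth including in configuration reviews.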

9.3.3 Delay measurement


The delay of the synchronization messages between the devices affects the accuracy. The delay
measurement allows the devices to take into account the average delay.

PTP version 2 offers the following methods for delay measurement:


 e2e (End to End)
The slave clock measures the delay of synchronization messages to the master clock.
 e2e-optimized
The slave clock measures the delay of synchronization messages to the master clock.
This method is available only for transparent clocks. The device sends the synchronization
messages sent using Multicast only to the master clock, keeping the network load low. If the device
receives a synchronization message from another master clock, it sends the synchronization
messages only to this new port.
If the device knows no master clock, it sends synchronization messages to every port.
 p2p (Peer to Peer)
The slave clock measures the delay of synchronization messages to the master clock.
In addition, the master clock measures the delay to each slave clock, even across blocked ports. This
requires that the master and slave clock support Peer-to-Peer (p2p).
In case of interruption of a redundant ring, for example, the slave clock becomes the master clock
and the master clock becomes the slave clock. This switch occurs without loss of precision, because
the clocks already know the delay in the other direction.

9.3.4 PTP domains


The device transmits synchronization messages only from and to devices in the same PTP domain. The
device allows you to set the domain for the boundary clock and for the transparent clock individually.
Figure 21: Example of PTP domains (diagram: GPS reference as Grandmaster Clock, PLC, Ordinary Clock,
switch, and a Boundary Clock between PTP Subdomain 1 and PTP Subdomain 2)

9.3.5 Using PTP


In order to synchronize the clocks precisely with PTP, only use switches with a boundary clock or
transparent clock as nodes.
Perform the following steps:
 To gain an overview of the distribution of clocks, draw a network plan with the devices involved in
PTP.
 Specify the role for each participating switch (boundary clock or transparent clock). In the device, this
setting is called PTP mode.

PTP mode               Application
v2-boundary-clock      As a boundary clock, the device distributes synchronization messages to the
                       slave clocks in the subordinate network segment.
                       The boundary clock in turn obtains the time from a higher-level reference
                       time source (Grandmaster).
v2-transparent-clock   As a transparent clock, the device forwards received synchronization
                       messages after they have been corrected by the delay of the transparent clock.
Table 11: Possible settings for PTP mode

 Enable PTP on each participating switch.


PTP is then configured on a largely automatic basis.
 Enable PTP on the end devices.
 The device allows you to influence which device in the network becomes the reference clock
(Grandmaster). Therefore, change the default value in the Priority 1 and Priority 2 fields for
the Boundary Clock.


10 Network load control

The device features a number of functions that reduce the network load:
 Direct packet distribution
 Multicasts
 Rate limiter
 Prioritization - QoS
 Differentiated services
 Flow control


10.1 Direct packet distribution

The device reduces the network load with direct packet distribution.
On each of its ports, the device learns the sender MAC address of received data packets. The device
stores the combination “port and MAC address” in its MAC address table (FDB).
By applying the “Store and Forward” method, the device buffers data received and checks it for validity
before forwarding it. The device rejects invalid and defective data packets.


10.1.1 Learning MAC addresses


If the device receives a data packet, it checks whether the MAC address of the sender is already stored
in the MAC address table (FDB). If the MAC address of the sender is unknown, the device generates a
new entry. The device then compares the destination MAC address of the data packet with the entries
stored in the MAC address table (FDB):
 The device sends packets with a known destination MAC address directly to ports that have already
received data packets from this MAC address.
 The device floods data packets with unknown destination addresses, that is, the device forwards
these data packets to all ports.

10.1.2 Aging of learned MAC addresses


Addresses that have not been detected by the device for an adjustable period of time (aging time) are
deleted from the MAC address table (FDB) by the device. A reboot or resetting of the MAC address table
deletes the entries in the MAC address table (FDB).

10.1.3 Static address entries


In addition to learning the sender MAC address, the device also provides the option to set MAC
addresses manually. These MAC addresses remain configured and survive resetting of the MAC
address table (FDB) as well as rebooting of the device.
Static address entries allow the device to forward data packets directly to selected ports. If you do not
specify a destination port, the device discards the corresponding data packets.
You manage the static address entries in the graphical user interface (GUI) or in the CLI.
Perform the following steps:
 Create a static address entry.
 Open the Switching > Filter for MAC Addresses dialog.
 Add a user-configurable MAC address:
 Click the button.
The dialog displays the Create window.
 In the Address field, specify the destination MAC address.
 In the VLAN ID field, specify the ID of the VLAN.
 In the Port list, select the ports to which the device sends data packets with the specified destination MAC
address in the specified VLAN.
Select exactly one port if you have defined a Unicast MAC address in the Address field.
Select one or more ports if you have defined a Multicast MAC address in the Address field.
Do not select any port if you want the device to discard data packets with the destination MAC address.
 Click the Ok button.


 To save the changes temporarily, click the button.

enable                                Change to the Privileged EXEC mode.
configure                             Change to the Configuration mode.
mac-filter <MAC address> <VLAN ID>    Create the MAC address filter, consisting of a MAC address and VLAN ID.
interface 1/1                         Change to the interface configuration mode of interface 1/1.
mac-filter <MAC address> <VLAN ID>    Assign the port to a previously created MAC address filter.
save                                  Save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.
 Convert a learned MAC address into a static address entry.
 Open the Switching > Filter for MAC Addresses dialog.
 To convert a learned MAC address into a static address entry, select the value permanent in
the Status column.
 To save the changes temporarily, click the button.
 Disable a static address entry.
 Open the Switching > Filter for MAC Addresses dialog.
 To disable a static address entry, select the value invalid in the Status column.
 To save the changes temporarily, click the button.

enable                                   Change to the Privileged EXEC mode.
configure                                Change to the Configuration mode.
interface 1/1                            Change to the interface configuration mode of interface 1/1.
no mac-filter <MAC address> <VLAN ID>    Cancel the assignment of the MAC address filter on the port.
exit                                     Change to the Configuration mode.
no mac-filter <MAC address> <VLAN ID>    Deleting the MAC address filter, consisting of a MAC address and VLAN ID.
exit                                     Change to the Privileged EXEC mode.
save                                     Save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.
 Delete learned MAC addresses.
 To delete the learned addresses from the MAC address table (FDB), open the Basic
Settings > Restart dialog and click the Reset MAC address table button.
clear mac-addr-table                     Delete the learned MAC addresses from the MAC address table (FDB).


10.2 Multicasts

By default, the device floods data packets with a Multicast address, that is, the device forwards the data
packets to all ports. This leads to an increased network load.
The use of IGMP snooping can reduce the network load caused by Multicast data traffic. IGMP snooping
allows the device to send Multicast data packets only on those ports to which devices “interested” in
multicast are connected.

10.2.1 Example of a Multicast application


Surveillance cameras transmit images to monitors in the machine room and in the monitoring room. With
an IP Multicast transmission, the cameras transmit their graphic data over the network in Multicast
packets.
The Internet Group Management Protocol (IGMP) organizes the Multicast data traffic between the
Multicast routers and the monitors. The switches in the network between the Multicast routers and the
monitors monitor the IGMP data traffic continuously (“IGMP Snooping”).
Switches register logins for receiving a Multicast stream (IGMP report). The device then creates an entry
in the MAC address table (FDB) and forwards Multicast packets only to the ports on which it has
previously received IGMP reports.

10.2.2 IGMP snooping


The Internet Group Management Protocol (IGMP) describes the distribution of Multicast information
between routers and connected receivers on Layer 3. IGMP Snooping describes the function of a switch
of continuously monitoring IGMP traffic and optimizing its own transmission settings for this data traffic.
The IGMP snooping function in the device operates according to RFC 4541 (Considerations for Internet
Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches).
Multicast routers with an active IGMP function periodically request (query) registration of Multicast
streams in order to determine the associated IP Multicast group members. IP Multicast group members
reply with a Report message. This Report message contains the parameters required by the IGMP
function. The Multicast router enters the IP Multicast group address from the Report message in its
routing table. This causes it to forward data packets with this IP Multicast group in the destination
address field according to its routing table.
Receivers log out with a “Leave” message when leaving a Multicast group (IGMP version 2 and higher)
and do not send any more Report messages. The Multicast router removes the routing table entry of a
receiver if it does not receive any more Report messages from this receiver within a certain time (aging
time).


If several IGMP Multicast routers are in the same network, then the device with the smaller IP address
takes over the query function. If there are no Multicast routers on the network, then you have the option
to enable the query function in an appropriately equipped switch.
A switch that connects one Multicast receiver with a Multicast router analyzes the IGMP information with
the IGMP snooping method.
The IGMP snooping method also makes it possible for switches to use the IGMP function. A switch
stores the MAC addresses derived from IP addresses of the Multicast receivers as recognized Multicast
addresses in its MAC address table (FDB). In addition, the switch identifies the ports on which it has
received reports for a specific Multicast address. In this way the switch transmits Multicast packets
exclusively on ports to which Multicast receivers are connected. The other ports do not receive these
packets.
A special feature of the device is the possibility of determining the processing of data packets with
unknown Multicast addresses. Depending on the setting, the device discards these data packets or
forwards them to all ports. By default, the device transmits the data packets only to ports with connected
devices, which in turn receive query packets. You also have the option of additionally sending known
Multicast packets to query ports.


 Setting IGMP snooping


Perform the following steps:
 Open the Switching > IGMP Snooping > Global dialog.
 To enable the function, select the On radio button in the Operation frame.
When the IGMP Snooping function is disabled, the device behaves as follows:
 The device ignores the received query and report messages.
 The device sends (floods) received data packets with a Multicast address as the destination
address on every port.
 To save the changes temporarily, click the button.

 Specifying the settings for a port:


 Open the Switching > IGMP Snooping > Configuration dialog, Port tab.
 To activate the IGMP Snooping function on a port, mark the checkbox in the Active column
for the relevant port.
 To save the changes temporarily, click the button.

 Specifying the settings for a VLAN:


 Open the Switching > IGMP Snooping > Configuration dialog, VLAN ID tab.
 To activate the IGMP Snooping function for a specific VLAN, mark the checkbox in the Active
column for the relevant VLAN.
 To save the changes temporarily, click the button.

 Setting the IGMP querier function


The device itself optionally sends active query messages; alternatively, it responds to query
messages or detects other Multicast queriers in the network (IGMP Snooping Querier function).
Prerequisite:
The IGMP Snooping function is enabled globally.

Perform the following steps:


 Open the Switching > IGMP Snooping > Querier dialog.
 In the Operation frame, enable/disable the IGMP Snooping Querier function of the device
globally.
 To activate the IGMP Snooping Querier function for a specific VLAN, mark the checkbox in
the Active column for the relevant VLAN.
 The device carries out a simple selection process: If the IP source address of the other
Multicast querier is lower than its own, the device switches to the passive state, in which it
does not send out any more query requests.
 In the Address column, you specify the IP Multicast address that the device inserts as the
sender address in generated query requests. You use the address of the Multicast router.
 To save the changes temporarily, click the button.


 IGMP snooping enhancements (table)


The Switching > IGMP Snooping > Snooping Enhancements dialog provides you access to
enhanced settings for the IGMP Snooping function. You activate or deactivate the settings on a per
port basis in a VLAN.
The following settings are possible:
 Static
Use this setting to set the port as a static query port. The device sends every IGMP message on
a static query port, even if it has previously received no IGMP query messages on this port. If the
static option is disabled, the device sends IGMP messages on this port only if it has previously
received IGMP query messages. If that is the case, the entry displays L (“learned”).
 Learn by LLDP
A port with this setting automatically discovers other Hirschmann devices using LLDP (Link Layer
Discovery Protocol). The device then learns the IGMP query status of this port from these
Hirschmann devices and configures the IGMP Snooping Querier function accordingly. The ALA
entry indicates that the Learn by LLDP function is activated. If the device has found another
Hirschmann device on this port in this VLAN, the entry also displays an A (“automatic”).
 Forward All
With this setting, the device sends the data packets addressed to a Multicast address on this port.
The setting is suitable in the following situations, for example:
– For diagnostic purposes.
– For devices in an MRP ring: After the ring is switched, the Forward All function allows rapid
reconfiguration of the network for data packets with registered Multicast destination addresses.
Activate the Forward All function on all ring ports.

Prerequisite:
The IGMP Snooping function is enabled globally.

Perform the following steps:


 Open the Switching > IGMP Snooping > Snooping Enhancements dialog.
 Double-click the desired port in the desired VLAN.
 To activate one or more functions, select the corresponding options.
 Click the Ok button.
 To save the changes temporarily, click the button.

enable                                     Change to the Privileged EXEC mode.
vlan database                              Change to the VLAN configuration mode.
igmp-snooping vlan-id 1 forward-all 1/1    Activate the Forward All function for port 1/1 in VLAN 1.


 Configure Multicasts
The device allows you to configure the exchange of Multicast data packets. The device provides
different options depending on whether the data packets are to be sent to unknown or known
Multicast receivers.
The settings for unknown Multicast addresses are global for the entire device. The following options
can be selected:
 The device discards unknown Multicasts.
 The device sends unknown Multicasts on every port.
 The device sends unknown Multicasts exclusively on ports that have previously received query
messages (query ports).

Note: The exchange settings for unknown Multicast addresses also apply to the reserved IP
addresses from the “Local Network Control Block” (224.0.0.0..224.0.0.255). This behavior may
affect higher-level routing protocols.
For each VLAN, you specify the sending of Multicast packets to known Multicast addresses
individually. The following options can be selected:
 The device sends known Multicasts on the ports that have previously received query messages
(query ports) and to the registered ports. Registered ports are ports with Multicast receivers
registered with the corresponding Multicast group. This option ensures that the transfer works with
basic applications without further configuration.
 The device sends out known Multicasts only on the registered ports. The advantage of this setting
is that it uses the available bandwidth optimally through direct distribution.

Prerequisite:
The IGMP Snooping function is enabled globally.

Perform the following steps:


 Open the Switching > IGMP Snooping > Multicasts dialog.
 In the Configuration frame, you specify how the device sends data packets to unknown
Multicast addresses.
 send to registered ports
The device sends packets with unknown Multicast address to every query port.
 send to query and registered ports
The device sends packets with unknown Multicast address to every port.
 In the Known multicasts column, you specify how the device sends data packets to known
Multicast addresses in the corresponding VLAN. Click the relevant field and select the desired
value.
 To save the changes temporarily, click the button.
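The forwarding decisions described above for known and unknown Multicast addresses, as an added Python model (not device code and not part of the Hirschmann manual). The class, the mode names discard, flood and query-ports, and the sample groups are hypothetical; the Multicast MAC address is derived with the standard IPv4 mapping (01:00:5e plus the low 23 bits of the group address).

```python
import ipaddress


def multicast_mac(group):
    """Derive the Multicast MAC address from an IPv4 Multicast group address."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError("%s is not an IPv4 Multicast address" % group)
    low23 = int(ip) & 0x7FFFFF          # only 23 of the 28 group bits survive
    return "01:00:5e:%02x:%02x:%02x" % (
        low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


class SnoopingSwitch:
    """Simplified model of one VLAN on a switch with IGMP Snooping enabled."""

    UNKNOWN_MODES = ("discard", "flood", "query-ports")        # hypothetical names
    KNOWN_MODES = ("registered", "query-and-registered")       # hypothetical names

    def __init__(self, ports, unknown_mode="query-ports",
                 known_mode="query-and-registered"):
        if unknown_mode not in self.UNKNOWN_MODES:
            raise ValueError("unknown_mode must be one of %r" % (self.UNKNOWN_MODES,))
        if known_mode not in self.KNOWN_MODES:
            raise ValueError("known_mode must be one of %r" % (self.KNOWN_MODES,))
        self.ports = set(ports)
        self.unknown_mode = unknown_mode
        self.known_mode = known_mode
        self.query_ports = set()        # ports on which query messages arrived
        self.groups = {}                # Multicast MAC -> registered ports

    def on_query(self, port):
        self.query_ports.add(port)

    def on_report(self, port, group):
        self.groups.setdefault(multicast_mac(group), set()).add(port)

    def on_leave(self, port, group):
        mac = multicast_mac(group)
        members = self.groups.get(mac, set())
        members.discard(port)
        if not members:
            self.groups.pop(mac, None)  # address becomes "unknown" again

    def egress_ports(self, in_port, dst_ip):
        """Return the sorted list of ports a Multicast packet is sent on."""
        registered = self.groups.get(multicast_mac(dst_ip))
        if registered:                                  # known Multicast address
            out = set(registered)
            if self.known_mode == "query-and-registered":
                out |= self.query_ports
        elif self.unknown_mode == "discard":            # unknown Multicast address
            out = set()
        elif self.unknown_mode == "flood":
            out = set(self.ports)
        else:
            out = set(self.query_ports)
        return sorted(out - {in_port})


if __name__ == "__main__":
    # Constructed sample: query seen on 1/1, one receiver on 1/3.
    sw = SnoopingSwitch(["1/1", "1/2", "1/3", "1/4"],
                        unknown_mode="discard", known_mode="registered")
    sw.on_query("1/1")
    sw.on_report("1/3", "239.1.2.3")
    for dst in ("239.1.2.3", "224.129.2.3", "224.0.0.5"):
        print(dst, multicast_mac(dst), sw.egress_ports("1/2", dst))
```

Because several IP groups share one derived MAC address, the port registered for 239.1.2.3 also receives 224.129.2.3 in this model, and with the discard setting a packet to 224.0.0.5 from the Local Network Control Block is dropped.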


10.3 Rate limiter

The rate limiter function allows you to limit the data traffic on the ports in order to ensure stable operation
even when there is a high level of traffic. The rate limitation is performed individually for each port, as
well as separately for inbound and outbound traffic.
If the data rate on a port exceeds the defined limit, the device discards the overload on this port.
Rate limitation occurs entirely on Layer 2. In the process, the rate limiter function ignores protocol
information on higher levels such as IP or TCP. This may affect the TCP traffic.
To minimize these effects, use the following options:
 Limit the rate limitation to certain packet types, for example, Broadcasts, Multicasts, and Unicasts
with an unknown destination address.
 Limit the outbound data traffic instead of the inbound traffic. The outbound rate limitation works better
with TCP flow control due to device-internal buffering of the data packets.
 Increase the aging time for learned Unicast addresses.

Perform the following steps:


 Open the Switching > Rate Limiter dialog.
 Activate the rate limiter and set limits for the data rate. The settings apply on a per port basis
and are broken down by type of traffic:
 Received Broadcast data packets
 Received Multicast data packets
 Received Unicast data packets with an unknown destination address
To activate the rate limiter on a port, mark the checkbox for at least one category. In the
Threshold unit column, you specify whether the device interprets the threshold values as
percent of the port bandwidth or as packets per second. The threshold value 0 deactivates the
rate limiter.
 To save the changes temporarily, click the button.


10.4 QoS/Priority

QoS (Quality of Service) is a procedure defined in IEEE 802.1D which is used to distribute resources in
the network. QoS allows you to prioritize the data of important applications.
Prioritizing prevents data traffic with lower priority from interfering with delay-sensitive data traffic,
especially when there is a heavy network load. Delay-sensitive data traffic includes, for example, voice,
video, and real-time data.

10.4.1 Description of prioritization


For data traffic prioritization, traffic classes are defined in the device. The device prioritizes higher traffic
classes over lower traffic classes. The number of traffic classes depends on the device type.
To provide for optimal data flow for delay-sensitive data, you assign higher traffic classes to this data.
You assign lower traffic classes to data that is less sensitive to delay.

 Assigning traffic classes to the data


The device automatically assigns traffic classes to inbound data (traffic classification). The device
takes the following classification criteria into account:
 Methods according to which the device carries out assignment of received data packets to traffic
classes:
 trustDot1p
The device uses the priority of the data packet contained in the VLAN tag.
 trustIpDscp
The device uses the QoS information contained in the IP header (ToS/DiffServ).
 untrusted
The device ignores possible priority information within the data packets and uses the priority of
the receiving port directly.
 The priority assigned to the receiving port.

Both classification criteria are configurable.

During traffic classification, the device uses the following rules:


 When the receiving port is set to trustDot1p (default setting), the device uses the data packet
priority contained in the VLAN tag. When the data packets do not contain a VLAN tag, the device
is guided by the priority of the receiving port.
 When the receiving port is set to trustIpDscp, the device uses the QoS information (ToS/
DiffServ) in the IP header. When the data packets do not contain IP packets, the device is guided
by the priority of the receiving port.
 When the receiving port is set to untrusted, the device is guided by the priority of the receiving
port.


 Prioritizing traffic classes


For prioritization of traffic classes, the device uses the following methods:
 Strict
When transmission of data of a higher traffic class is no longer taking place or the relevant data
is still in the queue, the device sends data of the corresponding traffic class. If every traffic class
is prioritized according to the Strict method, under high network load the device may
permanently block the data of lower traffic classes.
 Weighted Fair Queuing
The traffic class is assigned a guaranteed bandwidth. This ensures that the device sends the data
traffic of this traffic class even if there is a great deal of data traffic in higher traffic classes.

10.4.2 Handling of received priority information


Applications label data packets with the following prioritization information:
 VLAN priority based on IEEE 802.1Q/ 802.1D (Layer 2)
 Type-of-Service (ToS) or DiffServ (DSCP) for VLAN Management IP packets (Layer 3)

The device offers the following options for evaluating this priority information:
 trustDot1p
The device assigns VLAN-tagged data packets to the different traffic classes according to their VLAN
priorities. The corresponding allocation is configurable. The device assigns the priority of the
receiving port to data packets it receives without a VLAN tag.
 trustIpDscp
The device assigns the IP packets to the different traffic classes according to the DSCP value in the
IP header, even if the packet was also VLAN-tagged. The corresponding allocation is configurable.
The device prioritizes non-IP packets according to the priority of the receiving port.
 untrusted
The device ignores the priority information in the data packets and assigns the priority of the receiving
port to them.


10.4.3 VLAN tagging


For the VLAN and prioritizing functions, the IEEE 802.1Q standard provides for integrating a VLAN tag
in the MAC frame. The VLAN tag consists of 4 bytes and is located between the source address field
(“Source Address Field”) and the type field (“Length / Type Field”).
Field                              Octets
Preamble Field                     7
Start Frame Delimiter Field        1
Destination Address Field          6
Source Address Field               6
Tag Field                          4
Length/Type Field                  2
Data Field, Pad Field              42-1500
Frame Check Sequence Field         4
Total                              min. 64, max. 1522

Figure 22: Ethernet data packet with tag

For data packets with VLAN tags, the device evaluates the following information:
 Priority information
 VLAN tagging, if VLANs are configured
Field                              Size
Tag Protocol Identifier            2 x 8 Bit
User Priority                      3 Bit
Canonical Format Identifier        1 Bit
VLAN Identifier                    12 Bit
Total                              4 Octets

Figure 23: Structure of the VLAN tagging

Data packets with VLAN tags containing priority information but no VLAN information (VLAN ID = 0), are
known as Priority Tagged Frames.

Note: Network protocols and redundancy mechanisms use the highest traffic class 7. Therefore, select
other traffic classes for application data.
When using VLAN prioritizing, consider the following special features:
 End-to-end prioritizing requires the VLAN tags to be transmitted to the entire network. The
prerequisite is that every network component is VLAN-capable.
 Routers are not able to send and receive packets with VLAN tags through port-based router
interfaces.


10.4.4 IP ToS (Type of Service)


The Type-of-Service field (ToS) in the IP header was already part of the IP protocol from the start, and
is used to differentiate different services in IP networks. Even back then, there were ideas about
differentiated treatment of IP packets, due to the limited bandwidth available and the unreliable
connection paths. Because of the continuous increase in the available bandwidth, there was no need to
use the ToS field.
Only with the real-time requirements of today’s networks has the ToS field become significant again.
Selecting the ToS byte of the IP header enables you to differentiate between different services.
However, this field is not widely used in practice.
Bits     0 1 2         3 4 5 6            7
Field    Precedence    Type of Service    MBZ

Bits (0-2): IP Precedence Defined
111 - Network Control
110 - Internetwork Control
101 - CRITIC / ECP
100 - Flash Override
011 - Flash
010 - Immediate
001 - Priority
000 - Routine

Bits (3-6): Type of Service Defined
0000 - [all normal]
1000 - [minimize delay]
0100 - [maximize throughput]
0010 - [maximize reliability]
0001 - [minimize monetary cost]

Bit (7)
0 - Must be zero

Table 12: ToS field in the IP header
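
The classification rules from 10.4.1 and 10.4.2, applied to the tag layout of Figure 23 and the ToS byte of Table 12, as an added Python example (not code from Hirschmann or from the device). The function names, the returned labels and the sample frames are constructed for illustration; the DSCP value is read as the upper six bits of the ToS byte.

```python
import struct

TPID_8021Q = 0x8100        # Tag Protocol Identifier of an IEEE 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_frame(dscp=None, pcp=None, vid=0, ethertype=ETHERTYPE_IPV4):
    """Build a constructed sample frame (starts at the destination address, no FCS)."""
    frame = bytes.fromhex("01005e010203") + bytes.fromhex("020000000001")
    if pcp is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)            # CFI bit left at 0
        frame += struct.pack("!HH", TPID_8021Q, tci)
    frame += struct.pack("!H", ethertype)
    if ethertype == ETHERTYPE_IPV4:
        tos = (dscp or 0) << 2
        frame += bytes([0x45, tos]) + bytes(18)       # minimal 20-byte IPv4 header
    else:
        frame += bytes(28)                            # placeholder non-IP payload
    return frame


def parse_frame(frame):
    """Extract the VLAN tag fields and the DSCP value, where present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, tag = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        tag = {
            "priority": tci >> 13,          # User Priority, 3 bits
            "cfi": (tci >> 12) & 1,         # Canonical Format Identifier, 1 bit
            "vlan_id": tci & 0x0FFF,        # VLAN Identifier, 12 bits
        }
        offset = 18
    dscp = None
    if (ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20
            and frame[offset] >> 4 == 4):
        dscp = frame[offset + 1] >> 2       # upper six bits of the ToS byte
    return {"tag": tag, "dscp": dscp}


def classify(frame, trust_mode, port_priority):
    """Return (source, value) of the priority the port would evaluate."""
    info = parse_frame(frame)
    if trust_mode == "trustDot1p":
        if info["tag"] is not None:
            return ("vlan-tag", info["tag"]["priority"])
        return ("port", port_priority)      # no VLAN tag: port priority applies
    if trust_mode == "trustIpDscp":
        if info["dscp"] is not None:
            return ("ip-dscp", info["dscp"])
        return ("port", port_priority)      # non-IP packet: port priority applies
    if trust_mode == "untrusted":
        return ("port", port_priority)      # packet markings are ignored
    raise ValueError("unknown trust mode: %r" % trust_mode)


if __name__ == "__main__":
    # Constructed sample: Priority Tagged Frame (VLAN ID 0) marked by the sender
    # with VLAN priority 7 and DSCP 46, received on a port with priority 2.
    sample = build_frame(dscp=46, pcp=7, vid=0)
    for mode in ("trustDot1p", "trustIpDscp", "untrusted"):
        print(mode, classify(sample, mode, port_priority=2))
```

With trustDot1p or trustIpDscp the value marked by the sender decides the result; only untrusted pins the result to the priority configured on the receiving port.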

10.4.5 Handling of traffic classes


The device provides the following options for handling traffic classes:
 Strict Priority
 Weighted Fair Queuing
 Strict Priority combined with Weighted Fair Queuing
 Queue management

 Strict Priority description


With the Strict Priority setting, the device first transmits data packets that have a higher traffic class
(higher priority) before transmitting a data packet with the next highest traffic class. The device
transmits a data packet with the lowest traffic class (lowest priority) when there are no other data
packets remaining in the queue. In unfortunate cases, the device never sends packets with a low
priority if there is a high volume of high-priority traffic waiting to be sent on this port.
In delay-sensitive applications, such as VoIP or video, Strict Priority allows data to be sent
immediately.


 Weighted Fair Queuing description


With Weighted Fair Queuing, also called Weighted Round Robin (WRR), the user assigns a minimum
or reserved bandwidth to each traffic class. This ensures that data packets with a lower priority are
also sent when the network is very busy.

The reserved values range from 0% through 100% of the available bandwidth, in steps of 1%.
 A reservation of 0 is equivalent to a "no bandwidth" setting.
 The sum of the individual bandwidths may add up to 100%.

If you assign Weighted Fair Queuing to every traffic class, the entire bandwidth of the corresponding
port is available to you.

 Combining Strict Priority and Weighted Fair Queuing


When combining Weighted Fair Queuing with Strict Priority, ensure that the highest traffic class of
Weighted Fair Queuing is lower than the lowest traffic class of Strict Priority.

When you combine Weighted Fair Queuing with Strict Priority, a high Strict Priority network load can
significantly reduce the bandwidth available for Weighted Fair Queuing.

10.4.6 Queue management

 Queue Shaping
Queue Shaping throttles the rate at which queues transmit packets. For example, using Queue
Shaping, you rate-limit a higher strict-priority queue so that it allows a lower strict-priority queue to
send packets even though higher priority packets are still available for transmission. The device
allows you to set up Queue Shaping for any queue. You specify Queue Shaping as the maximum rate
at which traffic passes through a queue by assigning a percentage of the available bandwidth.

 Defining settings for queue management


Perform the following steps:
 Open the Switching > QoS/Priority > Queue Management dialog.
The total assigned bandwidth in the Min. bandwidth [%] column is 100%.
 To activate Weighted Fair Queuing for Traffic class = 0, proceed as follows:
 Unmark the checkbox in the Strict priority column.
 In the Min. bandwidth [%] column, specify the value 5.
 To activate Weighted Fair Queuing for Traffic class = 1, proceed as follows:
 Unmark the checkbox in the Strict priority column.
 In the Min. bandwidth [%] column, specify the value 20.


 To activate Weighted Fair Queuing for Traffic class = 2, proceed as follows:


 Unmark the checkbox in the Strict priority column.
 In the Min. bandwidth [%] column, specify the value 30.
 To activate Weighted Fair Queuing for Traffic class = 3, proceed as follows:
 Unmark the checkbox in the Strict priority column.
 In the Min. bandwidth [%] column, specify the value 20.
 To activate Weighted Fair Queuing and Queue Shaping for Traffic class = 4, proceed as
follows:
 Unmark the checkbox in the Strict priority column.
 In the Min. bandwidth [%] column, specify the value 10.
 In the Max. bandwidth [%] column, specify the value 10.
When using a Weighted Fair Queuing and Queue Shaping combination for a specific traffic
class, specify a higher value in the Max. bandwidth [%] column than the value specified in
the Min. bandwidth [%] column.
 To activate Weighted Fair Queuing for Traffic class = 5, proceed as follows:
 Unmark the checkbox in the Strict priority column.
 In the Min. bandwidth [%] column, specify the value 5.
 To activate Weighted Fair Queuing for Traffic class = 6, proceed as follows:
 Unmark the checkbox in the Strict priority column.
 In the Min. bandwidth [%] column, specify the value 10.
 To activate Strict Priority and Queue Shaping for Traffic class = 7, proceed as follows:
 Mark the checkbox in the Strict priority column.
 In the Max. bandwidth [%] column, specify the value 10.

 To save the changes temporarily, click the button.

enable                           Change to the Privileged EXEC mode.
configure                        Change to the Configuration mode.
cos-queue weighted 0             Enabling Weighted Fair Queuing for traffic class 0.
cos-queue min-bandwidth: 0 5     Assigning a weight of 5 % to traffic class 0.
cos-queue weighted 1             Enabling Weighted Fair Queuing for traffic class 1.
cos-queue min-bandwidth: 1 20    Assigning a weight of 20 % to traffic class 1.
cos-queue weighted 2             Enabling Weighted Fair Queuing for traffic class 2.
cos-queue min-bandwidth: 2 30    Assigning a weight of 30 % to traffic class 2.
cos-queue weighted 3             Enabling Weighted Fair Queuing for traffic class 3.
cos-queue min-bandwidth: 3 20    Assigning a weight of 20 % to traffic class 3.
show cos-queue
Queue Id  Min. bandwidth  Max. bandwidth  Scheduler type
--------  --------------  --------------  --------------
0         5               0               weighted
1         20              0               weighted
2         30              0               weighted
3         20              0               weighted
4         0               0               strict
5         0               0               strict
6         0               0               strict
7         0               0               strict

 Combining Weighted Fair Queuing and Queue Shaping


Perform the following steps:
enable                           Change to the Privileged EXEC mode.
configure                        Change to the Configuration mode.
cos-queue weighted 4             Enabling Weighted Fair Queuing for traffic class 4.
cos-queue min-bandwidth: 4 10    Assigning a weight of 10 % to traffic class 4.
cos-queue max-bandwidth: 4 10    Assigning a weight of 10 % to traffic class 4.


cos-queue weighted 5 Enabling Weighted Fair Queuing for traffic class 5.


cos-queue min-bandwidth: 5 5 Assigning a weight of 5 % to traffic class 5.
cos-queue weighted 6 Enabling Weighted Fair Queuing for traffic class 6.
cos-queue min-bandwidth: 6 10 Assigning a weight of 10 % to traffic class 6.
show cos-queue
Queue Id Min. bandwidth Max. bandwidth Scheduler type
-------- -------------- -------------- --------------
0 5 0 weighted
1 20 0 weighted
2 30 0 weighted
3 20 0 weighted
4 10 10 weighted
5 5 0 weighted
6 10 0 weighted
7 0 0 strict

 Setting up Queue Shaping


Perform the following steps:
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
cos-queue max-bandwidth: 7 10 Assigning a maximum bandwidth of 10 % to traffic class 7.
show cos-queue
Queue Id Min. bandwidth Max. bandwidth Scheduler type
-------- -------------- -------------- --------------
0 5 0 weighted
1 20 0 weighted
2 30 0 weighted
3 20 0 weighted
4 10 10 weighted
5 5 0 weighted
6 10 0 weighted
7 0 10 strict

10.4.7 Management prioritization


In order for you to have full access to the management of the device, even when there is a high network
load, the device allows you to prioritize management packets.
When prioritizing management packets, the device sends the management packets with priority
information.
 On Layer 2, the device modifies the VLAN priority in the VLAN tag.
For this function to be useful, the configuration of the corresponding ports must permit the sending
of packets with a VLAN tag.
 On Layer 3, the device modifies the IP-DSCP value.


10.4.8 Setting prioritization

 Assigning the port priority


Perform the following steps:
 Open the Switching > QoS/Priority > QoS/Priority Port Configuration dialog.
 In the Port priority column, you specify the priority with which the device sends the data
packets received on this port without a VLAN tag.
 In the Trust mode column, you specify the criteria the device uses to assign a traffic class to
data packets received.
 To save the changes temporarily, click the button.

enable Change to the Privileged EXEC mode.


configure Change to the Configuration mode.
interface 1/1 Change to the interface configuration mode of interface 1/1.
vlan priority 3 Assign interface 1/1 the port priority 3.
exit Change to the Configuration mode.

 Assigning VLAN priority to a traffic class


Perform the following steps:
 Open the Switching > QoS/Priority > 802.1D/p Mapping dialog.
 To assign a traffic class to a VLAN priority, insert the associated value in the Traffic class
column.
 To save the changes temporarily, click the button.

enable Change to the Privileged EXEC mode.


configure Change to the Configuration mode.
classofservice dot1p-mapping 0 2 Assigning a VLAN priority of 0 to traffic class 2.
classofservice dot1p-mapping 1 2 Assigning a VLAN priority of 1 to traffic class 2.
exit Change to the Privileged EXEC mode.
show classofservice dot1p-mapping Display the assignment.

 Assign port priority to received data packets


Perform the following steps:
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
interface 1/1 Change to the interface configuration mode of interface 1/1.
classofservice trust untrusted Assigning the untrusted mode to the interface.
classofservice dot1p-mapping 0 2 Assigning a VLAN priority of 0 to traffic class 2.
classofservice dot1p-mapping 1 2 Assigning a VLAN priority of 1 to traffic class 2.
vlan priority 1 Specifying the value 1 for the port priority.
exit Change to the Configuration mode.
exit Change to the Privileged EXEC mode.
show classofservice trust Displaying the Trust mode of the ports/interfaces.


Interface Trust Mode
--------- -------------
1/1 untrusted
1/2 dot1p
1/3 dot1p
1/4 dot1p
1/5 dot1p
1/6 dot1p
1/7 dot1p

 Assigning DSCP to a traffic class


Perform the following steps:
 Open the Switching > QoS/Priority > IP DSCP Mapping dialog.
 Specify the desired value in the Traffic class column.
 To save the changes temporarily, click the button.

enable Change to the Privileged EXEC mode.


configure Change to the Configuration mode.
classofservice ip-dscp-mapping cs1 1 Assigning the DSCP value CS1 to traffic class 1.
show classofservice ip-dscp-mapping Displaying the IP DSCP assignments

IP DSCP Traffic Class
------------- -------------
be 2
1 2
. .
. .
(cs1) 1
. .

 Assign the DSCP priority to received IP data packets


Perform the following steps:
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
interface 1/1 Change to the interface configuration mode of interface 1/1.
classofservice trust ip-dscp Assigning the trust ip-dscp mode globally.
exit Change to the Configuration mode.
show classofservice trust Displaying the Trust mode of the ports/interfaces.

Interface Trust Mode
---------- -------------
1/1 ip-dscp
1/2 dot1p
1/3 dot1p
. .
. .
1/5 dot1p
. .


 Configuring traffic shaping on a port


Perform the following steps:
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
interface 1/2 Change to the interface configuration mode of interface 1/2.
traffic-shape bw 50 Limiting the maximum bandwidth of the port 1/2 to 50%.
exit Change to the Configuration mode.
exit Change to the Privileged EXEC mode.
show traffic-shape Display the Traffic Shaping configuration.

Interface Shaping rate
--------- ------------
1/1 0 %
1/2 50 %
1/3 0 %
1/4 0 %

 Configuring Layer 2 management priority


Perform the following steps:
 Open the Switching > QoS/Priority > QoS/Priority Global dialog.
 In the VLAN priority for management packets field, specify the VLAN priority with which
the device sends management data packets.
 To save the changes temporarily, click the button.

enable Change to the Privileged EXEC mode.


network management priority dot1p 7 Assigning the VLAN priority of 7 to management packets. The
device sends management packets with the highest priority.
show network parms Displaying the priority of the VLAN in which the device
management is located.

IPv4 Network
------------
...
Management VLAN priority....................7
...

 Configuring Layer 3 management priority


Perform the following steps:
 Open the Switching > QoS/Priority > QoS/Priority Global dialog.
 In the IP DSCP value for management packets field, specify the DSCP value with which
the device sends management data packets.
 To save the changes temporarily, click the button.

enable Change to the Privileged EXEC mode.


network management priority ip-dscp 56 Assigning the DSCP value of 56 to management packets. The
device sends management packets with the highest priority.
show network parms Displaying the priority of the VLAN in which the device
management is located.


IPv4 Network
------------
...
Management IP-DSCP value....................56


10.5 Differentiated services

RFC 2474 defines the “Differentiated Services” field in the IP header. This field is also called “DiffServ
Codepoint” or DSCP. The DSCP field is used for classification of packets into different quality classes.
The DSCP field replaces the ToS field. The first 3 bits of the DSCP field are used to divide the packets
into classes. The next 3 bits are used to further subdivide the classes on the basis of different criteria.
This results in up to 64 different service classes.
[Figure: bits 0 to 7 of the field. Differentiated Services Codepoint (DSCP, RFC 2474) with the Class Selector Codepoints, followed by Explicit Congestion Notification (ECN)]

Figure 24: Differentiated Services field in the IP header

Depending on the DSCP value, the device applies a different forwarding behavior, known as
Per Hop Behavior (PHB). The following PHB classes are defined:
 Class Selector (CS0–CS7)
For backward compatibility, the Class Selector PHB assigns the 7 possible IP precedence values
from the previous ToS field to specific DSCP values.
 Expedited Forwarding (EF)
For applications with high priority. The Expedited Forwarding PHB reduces delays (latency), jitter,
and packet loss (RFC 2598).
 Assured Forwarding (AF)
The Assured Forwarding PHB provides a differentiated schema for handling different data traffic
(RFC 2597).
 Default Forwarding/Best Effort
This PHB means that the device applies no specific prioritization.
ToS Meaning            Precedence Value   Assigned DSCP
Network Control        111                CS7 (111000)
Internetwork Control   110                CS6 (110000)
Critical               101                CS5 (101000)
Flash Override         100                CS4 (100000)
Flash                  011                CS3 (011000)
Immediate              010                CS2 (010000)
Priority               001                CS1 (001000)
Routine                000                CS0 (000000)
Table 13: Assigning the IP precedence values to the DSCP value
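
The bit layout and Table 13, as an added example that is not part of the manual: the functions split the second byte of an IPv4 header into DSCP and ECN and name the PHB class of a DSCP value. The sample header is constructed and the function names are assumptions of this example.

```python
"""Split the Differentiated Services field of an IPv4 header into DSCP and ECN."""

# Constructed sample: 20-byte IPv4 header with DS field 0xB8, protocol TCP,
# source 10.20.10.11, destination 10.20.10.1. The checksum is left at zero.
SAMPLE_HEADER = bytes.fromhex("45b8002800004000400600000a140a0b0a140a01")


def split_ds_field(header):
    """Return (dscp, ecn) taken from the second byte of an IPv4 header."""
    if len(header) < 20:
        raise ValueError("an IPv4 header is at least 20 bytes long")
    if header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ds = header[1]
    return ds >> 2, ds & 0b11        # upper 6 bits: DSCP, lower 2 bits: ECN


def precedence_to_dscp(precedence):
    """Table 13: the 3 precedence bits become the first 3 bits of the DSCP."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is a 3-bit value")
    return precedence << 3


def phb_name(dscp):
    """Name the PHB class of a 6-bit DSCP value."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 0b101110:
        return "EF"                               # Expedited Forwarding
    if dscp & 0b000111 == 0:
        return f"CS{dscp >> 3}"                   # Class Selector, CS0 = best effort
    af_class, drop = dscp >> 3, (dscp >> 1) & 0b11
    if dscp & 1 == 0 and 1 <= af_class <= 4 and 1 <= drop <= 3:
        return f"AF{af_class}{drop}"              # Assured Forwarding class / drop precedence
    return "other"                                # no CS, AF or EF codepoint


if __name__ == "__main__":
    dscp, ecn = split_ds_field(SAMPLE_HEADER)
    print("sample header:", dscp, phb_name(dscp), "ECN", ecn)
    # 56 is the value used for management packets in section 10.4.8.
    print("DSCP 56:", phb_name(56))
```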


10.5.1 DiffServ example


Configure the device to drop packets received on port 1/1 with the source IP address 10.20.10.11, the
TCP protocol and the source port 80 using the following steps.

Perform the following steps:

 Step 1: Create a class.


 Open the Switching > QoS/Priority > DiffServ > DiffServ Class dialog.
 Create a class:
 Click the button.
The dialog displays the Create window.
 In the Class name drop-down list, enter the value class1.
 In the Type drop-down list, select the value protocol.
 In the Protocol number field, enter the value 6.
Specify a value according to the “Assigned Internet Protocol Numbers” defined by the IANA.
Use this link to find a list of the protocol numbers:
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
 Click the Ok button.
 Add the source IP address and mask to the class:
 Click the button.
The dialog displays the Create window.
 In the Class name drop-down list, select the value class1.
 In the Type drop-down list, select the value srcip.
 In the Source IP address field, enter the value 10.20.10.11.
 Click the Ok button.
 Add the source port to the class.
 Click the button.
The dialog displays the Create window.
 In the Class name drop-down list, select the value class1.
 In the Type drop-down list, select the value srcl4port.
 In the Source IP address field, enter the value 80.
 Click the Ok button.

 To save the changes temporarily, click the button.

 Step 2: Create a policy.


 Open the Switching > QoS/Priority > DiffServ > Policy dialog.
 Create a policy:
 Click the button.
The dialog displays the Create window.
 In the Policy name drop-down list, enter the value policy1.
 In the Direction drop-down list, select the value in.
 In the Class name field, select the value class1.
 In the Type field, select the value drop.
 Click the Ok button.

 To save the changes temporarily, click the button.

 Step 3: Assign the policy to a port.


 Open the Switching > QoS/Priority > DiffServ > DiffServ Assignment dialog.


 Assign the policy to a port:


 Click the button.
The dialog displays the Create window.
 In the Port drop-down list, select the port 1/1.
 In the Direction drop-down list, select the value In.
 In the Policy drop-down list, select the value policy1.
 Click the Ok button.

 To save the changes temporarily, click the button.

 Step 4: Enable the function globally.


 Open the Switching > QoS/Priority > DiffServ > DiffServ Global dialog.
 To enable the function, select the On radio button in the Operation frame.
 To save the changes temporarily, click the button.
In the Status column, the value is up if the link on the port is up.
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
class-map match-all class1 Creating a class named class1.
class-map name class1 match protocol tcp Adding the tcp protocol as a match condition to the class.
class-map name class1 match srcip 10.20.10.11 255.255.255.0 Adding the source IP address 10.20.10.11 as a match condition to the class.
class-map name class1 match srcl4port http Adding the value http (TCP Port 80) as a match condition to the class.
policy-map create policy1 in Creating a policy named policy1 for incoming data packets (in).
policy-map name policy1 class add class1 Assigning the class with the name class1 to the policy with the name policy1.
policy-map name policy1 class name class1 drop Drop data packets.
interface 1/1 Change to the interface configuration mode of interface 1/1.
service-policy in policy1 Assigning the policy with the name policy1 to the interface 1/1.
exit Change to the Configuration mode.
diffserv enable Enable the DiffServ function globally.
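
The following added example (not part of the manual, and not device code) evaluates the match-all class and the drop policy from the listing above against constructed packets. It assumes that the device applies the mask 255.255.255.0 as a network mask, in which case the class covers every source address in 10.20.10.0/24 and not only 10.20.10.11; all Python names are hypothetical.

```python
"""Evaluate the DiffServ example class (class1) and policy (policy1) offline."""
import ipaddress
from dataclasses import dataclass

TCP = 6  # IANA protocol number, as entered in the Protocol number field


@dataclass(frozen=True)
class Packet:
    in_port: str      # port on which the device receives the packet
    src_ip: str
    protocol: int     # IANA protocol number
    src_port: int     # Layer 4 source port


def src_ip_matches(packet_ip, rule_ip, mask):
    """Compare only the address bits selected by the mask (assumed netmask semantics)."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(packet_ip)) & m
            == int(ipaddress.IPv4Address(rule_ip)) & m)


def class1_matches(pkt, mask):
    """match-all: every match condition of the class has to hold."""
    return (pkt.protocol == TCP
            and src_ip_matches(pkt.src_ip, "10.20.10.11", mask)
            and pkt.src_port == 80)


def policy1_action(pkt, mask="255.255.255.0", diffserv_enabled=True):
    """policy1 is assigned to port 1/1, direction in, and drops class1."""
    if not diffserv_enabled or pkt.in_port != "1/1":
        return "forward"
    return "drop" if class1_matches(pkt, mask) else "forward"


# Constructed sample packets.
SAMPLES = [
    Packet("1/1", "10.20.10.11", TCP, 80),    # the packet the example targets
    Packet("1/1", "10.20.10.99", TCP, 80),    # other host in the same /24
    Packet("1/1", "10.20.10.11", 17, 80),     # UDP instead of TCP
    Packet("1/1", "10.20.10.11", TCP, 443),   # other source port
    Packet("1/2", "10.20.10.11", TCP, 80),    # port without the policy
    Packet("1/1", "10.20.11.11", TCP, 80),    # other subnet
]


def evaluate(mask):
    """Return the action for every sample packet under the given mask."""
    return [policy1_action(pkt, mask) for pkt in SAMPLES]


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.255"):
        print(mask)
        for pkt, action in zip(SAMPLES, evaluate(mask)):
            print("  ", pkt, "->", action)
```

With the mask 255.255.255.255 only the second sample changes from drop to forward, which is the difference to check for when the intent is to filter a single host.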


10.6 Flow control

If a large number of data packets are received in the priority queue of a port at the same time, this can
cause the port memory to overflow. This happens, for example, when the device receives data on a
Gigabit port and forwards it to a port with a lower bandwidth. The device discards surplus data packets.
The flow control mechanism described in standard IEEE 802.3 ensures that no data packets are lost
due to a port memory overflowing. Shortly before a port memory is completely full, the device signals to
the connected devices that it is not accepting any more data packets from them.
 In full-duplex mode, the device sends a pause data packet.
 In half-duplex mode, the device simulates a collision.

The following figure displays how flow control works. Workstations 1, 2, and 3 want to simultaneously
transmit a large amount of data to Workstation 4. The combined bandwidth of Workstations 1, 2, and 3
is greater than the bandwidth of Workstation 4. This causes an overflow on the receive queue of port 4.
The left funnel symbolizes this status.
If the flow control function on ports 1, 2 and 3 of the device is enabled, the device reacts before the
funnel overflows. The funnel on the right illustrates ports 1, 2 and 3 sending a message to the
transmitting devices to control the transmission speed. As a result, the receiving port is no longer
overwhelmed and is able to process the incoming traffic.

[Figure: Switch with Port 1 to Port 4; Workstation 1 to Workstation 4]

Figure 25: Example of flow control


10.6.1 Half-duplex or full-duplex link

 Flow Control with a half-duplex link


In the example, there is a half-duplex link between Workstation 2 and the device.
Before the send queue of port 2 overflows, the device sends data back to Workstation 2. Workstation
2 detects a collision and stops transmitting.

 Flow Control with a full-duplex link


In the example, there is a full-duplex link between Workstation 2 and the device.
Before the send queue of port 2 overflows, the device sends a request to Workstation 2 to insert a
short pause in its transmission.

10.6.2 Setting up the Flow Control


Perform the following steps:
 Open the Switching > Global dialog.
 Mark the Flow control checkbox.
With this setting you enable flow control in the device.
 Open the Basic Settings > Port dialog, Configuration tab.
 To enable the Flow Control on a port, mark the checkbox in the Flow control column.
 To save the changes temporarily, click the button.
Note: When you are using a redundancy function, you deactivate the flow control on the participating
ports. If the flow control and the redundancy function are active at the same time, there is a risk that the
redundancy function operates differently than intended.


11 VLANs

In the simplest case, a virtual LAN (VLAN) consists of a group of network participants in one network
segment who can communicate with each other as if they belonged to a separate LAN.

More complex VLANs span out over multiple network segments and are also based on logical (instead
of only physical) connections between network participants. VLANs are an element of flexible network
design. It is easier to reconfigure logical connections centrally than cable connections.

The device supports independent VLAN learning in accordance with the IEEE 802.1Q standard which
defines the VLAN function.

Using VLANs has many benefits. The following list displays the top benefits:

 Network load limiting


VLANs reduce the network load considerably as the devices transmit Broadcast, Multicast, and
Unicast packets with unknown (unlearned) destination addresses exclusively inside the virtual LAN.
The rest of the data network forwards traffic as normal.

 Flexibility
You have the option of forming user groups based on the function of the participants apart from their
physical location or medium.

 Clarity
VLANs give networks a clear structure and make maintenance easier.


11.1 Examples of VLANs

The following practical examples provide a quick introduction to the structure of a VLAN.

Note: When configuring VLANs you use an interface for management that will remain unchanged. For
this example, you use either interface 1/6 or the V.24 serial connection to configure the VLANs.

11.1.1 Example 1
The example displays a minimal VLAN configuration (port-based VLAN). An administrator has
connected multiple end devices to a transmission device and assigned them to 2 VLANs. This effectively
prohibits any data transmission between the VLANs, whose members communicate only within their
own VLANs.

[Figure: device with ports 1 to 5; end devices A and D in VLAN 2, end devices B and C in VLAN 3]

Figure 26: Example of a simple port-based VLAN

When setting up the VLANs, you create communication rules for every port, which you enter in ingress
(incoming) and egress (outgoing) tables.
The ingress table specifies which VLAN ID a port assigns to the incoming data packets. In this way, you
use the port address of the end device to assign it to a VLAN.
The egress table specifies on which ports the device sends the packets from this VLAN.
 T = Tagged (with a tag field, marked)
 U = Untagged (without a tag field, unmarked)
For this example, the status of the TAG field of the data packets has no relevance, so you use the setting
U.
Terminal   Port   Port VLAN identifier (PVID)
A          1      2
B          2      3
C          3      3
D          4      2
           5      1
Table 14: Ingress table


VLAN ID   Port
          1    2    3    4    5
1                             U
2         U              U
3              U    U
Table 15: Egress table

Perform the following steps:

 Setting up the VLAN


 Open the Switching > VLAN > VLAN Configuration dialog.
 Click the button.
The dialog displays the Create window.
 In the VLAN ID field, specify the value 2.
 Click the Ok button.
 For the VLAN, specify the name VLAN2:
Double-click in the Name column and specify the name.
For VLAN 1, in the Name column, change the value Default to VLAN1.
 Repeat the previous steps to create a VLAN 3 with the name VLAN3.
enable Change to the Privileged EXEC mode.
vlan database Change to the VLAN configuration mode.
vlan add 2 Creates a new VLAN with the VLAN ID 2.
name 2 VLAN2 Assign the name VLAN2 to the VLAN 2.
vlan add 3 Creates a new VLAN with the VLAN ID 3.
name 3 VLAN3 Assign the name VLAN3 to the VLAN 3.
name 1 VLAN1 Assign the name VLAN1 to the VLAN 1.
exit Change to the Privileged EXEC mode.
show vlan brief Display the current VLAN configuration.
Max. VLAN ID................................... 4042
Max. supported VLANs........................... 512
Number of currently configured VLANs........... 3
vlan unaware mode.............................. disabled
VLAN ID VLAN Name VLAN Type VLAN Creation Time
---- -------------------------------- --------- ------------------
1 VLAN1 default 0 days, 00:00:05
2 VLAN2 static 0 days, 02:44:29
3 VLAN3 static 0 days, 02:52:26

 Setting up the ports


 Open the Switching > VLAN > Port dialog.
 To assign the port to a VLAN, specify the desired value in the corresponding column.
Possible values:
 T = The port is a member of the VLAN. The port transmits tagged data packets.
 U = The port is a member of the VLAN. The port transmits untagged data packets.
 F = The port is not a member of the VLAN.
Changes using the GVRP function are disabled.
 - = The port is not a member of this VLAN.
Changes using the GVRP function are allowed.
Because end devices usually interpret untagged data packets, you specify the value U.
 To save the changes temporarily, click the button.
 Open the Switching > VLAN > Port dialog.


 In the Port-VLAN ID column, specify the VLAN ID of the related VLAN:
2 or 3
 Because end devices usually interpret untagged data packets, in the Acceptable packet
types column, you specify the value admitAll for end device ports.
 To save the changes temporarily, click the button.
The value in the Ingress filtering column has no effect on how this example functions.

enable Change to the Privileged EXEC mode.


configure Change to the Configuration mode.
interface 1/1 Change to the interface configuration mode of interface 1/1.
vlan participation include 2 The port 1/1 becomes a member of the VLAN 2 and transmits
the data packets without a VLAN tag.
vlan pvid 2 Assign the port VLAN ID 2 to port 1/1.
exit Change to the Configuration mode.
interface 1/2 Change to the interface configuration mode of interface 1/2.
vlan participation include 3 The port 1/2 becomes a member of the VLAN 3 and transmits
the data packets without a VLAN tag.
vlan pvid 3 Assign the port VLAN ID 3 to port 1/2.
exit Change to the Configuration mode.
interface 1/3 Change to the interface configuration mode of interface 1/3.
vlan participation include 3 The port 1/3 becomes a member of the VLAN 3 and transmits
the data packets without a VLAN tag.
vlan pvid 3 Assign the port VLAN ID 3 to port 1/3.
exit Change to the Configuration mode.
interface 1/4 Change to the interface configuration mode of interface 1/4.
vlan participation include 2 The port 1/4 becomes a member of the VLAN 2 and transmits
the data packets without a VLAN tag.
vlan pvid 2 Assign the port VLAN ID 2 to port 1/4.
exit Change to the Configuration mode.
exit Change to the Privileged EXEC mode.
show vlan id 3 Displays details for VLAN 3.
VLAN ID : 3
VLAN Name : VLAN3
VLAN Type : Static
Interface Current Configured Tagging
---------- -------- ----------- --------
1/1 - Autodetect Tagged
1/2 Include Include Untagged
1/3 Include Include Untagged
1/4 - Autodetect Tagged
1/5 - Autodetect Tagged


11.1.2 Example 2
The second example displays a more complex configuration with 3 VLANs (1 to 3). Along with the
Switch from example 1, you use a 2nd Switch (on the right in the example).

[Figure: left and right device, each with ports 1 to 5; end devices A, D, E and G in VLAN 2; end devices B, C, F and H in VLAN 3; VLAN 1 with an optional Management Station]

Figure 27: Example of a more complex VLAN configuration

The terminal devices of the individual VLANs (A to H) are spread over 2 transmission devices
(Switches). Such VLANs are therefore known as distributed VLANs. An optional network management
station is also shown, which enables access to every network component if the VLAN is configured
correctly.

Note: In this case, VLAN 1 has no significance for the end device communication, but it is required for
the administration of the transmission devices via what is known as the Management VLAN.
As in the previous example, uniquely assign the ports with their connected terminal devices to a VLAN.
With the direct connection between the 2 transmission devices (uplink), the ports transport packets for
both VLANs. To differentiate these uplinks you use “VLAN tagging”, which handles the data packets
accordingly. Thus, you maintain the assignment to the respective VLANs.
Perform the following steps:
 Add Uplink Port 5 to the ingress and egress tables from example 1.
 Create new ingress and egress tables for the right switch, as described in the first example.
The egress table specifies on which ports the device sends the packets from this VLAN.
 T = Tagged (with a tag field, marked)
 U = Untagged (without a tag field, unmarked)

In this example, tagged packets are used in the communication between the transmission devices
(Uplink), as packets for different VLANs are differentiated at these ports.
Terminal   Port   Port VLAN identifier (PVID)
A          1      2
B          2      3
C          3      3
D          4      2
Uplink     5      1
Table 16: Ingress table for device on left

Terminal   Port   Port VLAN identifier (PVID)
Uplink     1      1
E          2      2
F          3      3
G          4      2
H          5      3
Table 17: Ingress table for device on right


VLAN ID   Port
          1    2    3    4    5
1                             U
2         U              U    T
3              U    U         T
Table 18: Egress table for device on left

VLAN ID   Port
          1    2    3    4    5
1         U
2         T    U         U
3         T         U         U
Table 19: Egress table for device on right

The communication relationships here are as follows: end devices on ports 1 and 4 of the left device
and end devices on ports 2 and 4 of the right device are members of VLAN 2 and can thus communicate
with each other. The behavior is the same for the end devices on ports 2 and 3 of the left device and the
end devices on ports 3 and 5 of the right device. These belong to VLAN 3.
The end devices “see” their respective part of the network. Participants outside this VLAN cannot be
reached. The device also sends Broadcast, Multicast, and Unicast packets with unknown (unlearned)
destination addresses exclusively inside a VLAN.
Here, the devices use VLAN tagging (IEEE 802.1Q) within the VLAN with the ID 1 (Uplink). The letter T
in the egress table of the ports indicates VLAN tagging.
The configuration of the example is the same for the device on the right. Proceed in the same way, using
the ingress and egress tables created above to adapt the previously configured left device to the new
environment.

Perform the following steps:


 Setting up the VLAN
 Open the Switching > VLAN > Configuration dialog.
 Click the button.
The dialog displays the Create window.
 In the VLAN ID field, specify the VLAN ID, for example 2.
 Click the Ok button.
 For the VLAN, specify the name VLAN2:
Double-click in the Name column and specify the name.
For VLAN 1, in the Name column, change the value Default to VLAN1.
 Repeat the previous steps to create a VLAN 3 with the name VLAN3.


enable Change to the Privileged EXEC mode.


vlan database Change to the VLAN configuration mode.
vlan add 2 Creates a new VLAN with the VLAN ID 2.
name 2 VLAN2 Assign the name VLAN2 to the VLAN 2.
vlan add 3 Creates a new VLAN with the VLAN ID 3.
name 3 VLAN3 Assign the name VLAN3 to the VLAN 3.
name 1 VLAN1 Assign the name VLAN1 to the VLAN 1.
exit Change to the Privileged EXEC mode.
show vlan brief Display the current VLAN configuration.
Max. VLAN ID................................... 4042
Max. supported VLANs........................... 512
Number of currently configured VLANs........... 3
vlan unaware mode.............................. disabled
VLAN ID VLAN Name VLAN Type VLAN Creation Time
---- -------------------------------- --------- ------------------
1 VLAN1 default 0 days, 00:00:05
2 VLAN2 static 0 days, 02:44:29
3 VLAN3 static 0 days, 02:52:26

 Setting up the ports


 Open the Switching > VLAN > Port dialog.
 To assign the port to a VLAN, specify the desired value in the corresponding column.
Possible values:
 T = The port is a member of the VLAN. The port transmits tagged data packets.
 U = The port is a member of the VLAN. The port transmits untagged data packets.
 F = The port is not a member of the VLAN.
Changes using the GVRP function are disabled.
 - = The port is not a member of this VLAN.
Changes using the GVRP function are disabled.
Because end devices usually interpret untagged data packets, you specify the value U.
You specify the T setting on the uplink port on which the VLANs communicate with each other.
 To save the changes temporarily, click the button.
 Open the Switching > VLAN > Port dialog.
 In the Port-VLAN ID column, specify the VLAN ID of the related VLAN:
1, 2 or 3
 Because end devices usually interpret untagged data packets, in the Acceptable packet
types column, you specify the value admitAll for end device ports.
 For the uplink port, in the Acceptable packet types column, specify the value
admitOnlyVlanTagged.
 Mark the checkbox in the Ingress filtering column for the uplink ports to evaluate VLAN
tags on this port.
 To save the changes temporarily, click the button.

enable Change to the Privileged EXEC mode.


configure Change to the Configuration mode.
interface 1/1 Change to the interface configuration mode of interface 1/1.
vlan participation include 1 The port 1/1 becomes a member of the VLAN 1 and transmits
the data packets without a VLAN tag.
vlan participation include 2 The port 1/1 becomes a member of the VLAN 2 and transmits
the data packets without a VLAN tag.
vlan tagging 2 enable The port 1/1 becomes a member of the VLAN 2 and transmits
the data packets with a VLAN tag.
vlan participation include 3 The port 1/1 becomes a member of the VLAN 3 and transmits
the data packets without a VLAN tag.
vlan tagging 3 enable The port 1/1 becomes a member of the VLAN 3 and transmits
the data packets with a VLAN tag.


vlan pvid 1 Assigning the Port VLAN ID 1 to port 1/1.


vlan ingressfilter Activate ingress filtering on port 1/1.
vlan acceptframe vlanonly Port 1/1 only forwards packets with a VLAN tag.
exit Change to the Configuration mode.
interface 1/2 Change to the interface configuration mode of interface 1/2.
vlan participation include 2 The port 1/2 becomes a member of the VLAN 2 and transmits
the data packets without a VLAN tag.
vlan pvid 2 Assigning the Port VLAN ID 2 to port 1/2.
exit Change to the Configuration mode.
interface 1/3 Change to the interface configuration mode of interface 1/3.
vlan participation include 3 The port 1/3 becomes a member of the VLAN 3 and transmits
the data packets without a VLAN tag.
vlan pvid 3 Assigning the Port VLAN ID 3 to port 1/3.
exit Change to the Configuration mode.
interface 1/4 Change to the interface configuration mode of interface 1/4.
vlan participation include 2 The port 1/4 becomes a member of the VLAN 2 and transmits
the data packets without a VLAN tag.
vlan pvid 2 Assigning the Port VLAN ID 2 to port 1/4.
exit Change to the Configuration mode.
interface 1/5 Change to the interface configuration mode of interface 1/5.
vlan participation include 3 The port 1/5 becomes a member of the VLAN 3 and transmits
the data packets without a VLAN tag.
vlan pvid 3 Assigning the Port VLAN ID 3 to port 1/5.
exit Change to the Configuration mode.
exit Change to the Privileged EXEC mode.
show vlan id 3 Displays details for VLAN 3.
VLAN ID......................3
VLAN Name....................VLAN3
VLAN Type....................Static
VLAN Creation Time...........0 days, 00:07:47 (System Uptime)
VLAN Routing.................disabled

Interface Current Configured Tagging
---------- -------- ----------- --------
1/1 Include Include Tagged
1/2 - Autodetect Untagged
1/3 Include Include Untagged
1/4 - Autodetect Untagged
1/5 Include Include Untagged
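
As an added check that is not part of the manual, the following Python model transcribes Tables 16 to 19 and computes which end devices receive a broadcast from a given end device. It assumes that end devices send and accept untagged packets only and that the uplink ports accept tagged packets only, as configured above; all names are hypothetical.

```python
"""Reachability model for the two-device VLAN example (Tables 16 to 19)."""
import copy

# Transcribed from the ingress tables (pvid) and the egress tables (egress).
SWITCHES = {
    "left": {
        "pvid": {1: 2, 2: 3, 3: 3, 4: 2, 5: 1},
        "egress": {1: {5: "U"},
                   2: {1: "U", 4: "U", 5: "T"},
                   3: {2: "U", 3: "U", 5: "T"}},
        "terminals": {1: "A", 2: "B", 3: "C", 4: "D"},
        "uplink": 5,
    },
    "right": {
        "pvid": {1: 1, 2: 2, 3: 3, 4: 2, 5: 3},
        "egress": {1: {1: "U"},
                   2: {1: "T", 2: "U", 4: "U"},
                   3: {1: "T", 3: "U", 5: "U"}},
        "terminals": {2: "E", 3: "F", 4: "G", 5: "H"},
        "uplink": 1,
    },
}
PEER = {"left": "right", "right": "left"}


def classify(switch, port, tag):
    """Return the VLAN ID assigned to an incoming packet, or None if it is dropped."""
    if port == switch["uplink"]:
        # Uplink port: admitOnlyVlanTagged plus ingress filtering.
        if tag is None or port not in switch["egress"].get(tag, {}):
            return None
        return tag
    if tag is not None:
        raise ValueError("end devices send untagged packets in this model")
    return switch["pvid"][port]


def flood(switches, name, port, tag):
    """End devices that receive a broadcast entering device `name` on `port`."""
    switch = switches[name]
    vlan = classify(switch, port, tag)
    if vlan is None:
        return set()
    receivers = set()
    for out_port, mode in switch["egress"][vlan].items():
        if out_port == port:
            continue
        out_tag = vlan if mode == "T" else None
        if out_port == switch["uplink"]:
            peer = PEER[name]
            receivers |= flood(switches, peer, switches[peer]["uplink"], out_tag)
        elif out_tag is None:
            receivers.add(switch["terminals"][out_port])
    return receivers


def reachable(terminal, switches=SWITCHES):
    """End devices that receive an untagged broadcast sent by `terminal`."""
    for name, switch in switches.items():
        for port, attached in switch["terminals"].items():
            if attached == terminal:
                return flood(switches, name, port, None)
    raise KeyError(terminal)


def isolation_violations(switches=SWITCHES):
    """Pairs (sender, receiver) whose ports have different PVIDs."""
    vlan_of = {t: sw["pvid"][p]
               for sw in switches.values() for p, t in sw["terminals"].items()}
    return sorted((s, r) for s in vlan_of
                  for r in reachable(s, switches) if vlan_of[s] != vlan_of[r])


def untagged_uplink_variant(vlan):
    """Copy of the tables in which the left uplink sends `vlan` untagged (U instead of T)."""
    variant = copy.deepcopy(SWITCHES)
    variant["left"]["egress"][vlan][5] = "U"
    return variant


if __name__ == "__main__":
    for terminal in "ABCDEFGH":
        print(terminal, "->", sorted(reachable(terminal)))
    print("violations:", isolation_violations())
    print("B, VLAN 3 untagged on the left uplink:",
          sorted(reachable("B", untagged_uplink_variant(3))))
```

The last line of the output shows the failure mode the T setting on the uplink avoids: with U on the left uplink for VLAN 3, the packet from B no longer reaches F and H.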


11.2 Guest / Unauthenticated VLAN

The guest VLAN function allows a device to provide port-based Network Access Control (IEEE 802.1x)
to non-802.1x capable supplicants. This feature provides a mechanism to allow guests to access
external networks exclusively. When you connect non-802.1x capable supplicants to an active
unauthorized 802.1x port, the supplicants send no responses to 802.1x requests. Since the supplicants
send no responses, the port remains in the unauthorized state. The supplicants have no access to
external networks.
You configure the guest VLAN supplicant function on a per-port basis. When you configure a port as a
guest VLAN and connect non-802.1x capable supplicants to this port, the device assigns the supplicants
to the guest VLAN. Adding supplicants to a guest VLAN causes the port to change to the authorized
state, allowing the supplicants to access external networks.
The Unauthenticated VLAN function allows the device to provide service to 802.1x capable supplicants
which authenticate incorrectly. This function allows the unauthorized supplicants to have access to
limited services. When you configure an unauthenticated VLAN on a port with 802.1x port authentication
and the global operation enabled, the device places the port in an unauthenticated VLAN. When an
802.1x capable supplicant incorrectly authenticates on the port, the device adds the supplicant to the
unauthenticated VLAN. If you also configure a guest VLAN on the port, then non-802.1x capable
supplicants use the guest VLAN.
The reauthentication timer counts down when the port has an unauthenticated VLAN assigned. The
unauthenticated VLAN reauthenticates when the time specified in the Reauthentication period [s]
column expires and supplicants are present on the port. If no supplicants are present, the device places
the port in the configured guest VLAN.
The following example explains how to create a Guest VLAN. Create an Unauthorized VLAN in the
same manner.

Perform the following steps:


• Open the Switching > VLAN > Configuration dialog.
• Click the button.
  The dialog displays the Create window.
• In the VLAN ID field, specify the value 10.
• Click the Ok button.
• For the VLAN, specify the name Guest:
  Double-click in the Name column and specify the name.
• Click the button.
  The dialog displays the Create window.
• In the VLAN ID field, specify the value 20.
• Click the Ok button.
• For the VLAN, specify the name Not authorized:
  Double-click in the Name column and specify the name.
• Open the Network Security > 802.1X Port Authentication > Global dialog.
• To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.
• Open the Network Security > 802.1X Port Authentication > Port Configuration dialog.
• Specify the following settings for port 1/4:
  – The value auto in the Port control column
  – The value 10 in the Guest VLAN ID column
  – The value 20 in the Unauthenticated VLAN ID column
• To save the changes temporarily, click the button.

enable Change to the Privileged EXEC mode.
vlan database Change to the VLAN configuration mode.
vlan add 10 Creates VLAN 10.
vlan add 20 Creates VLAN 20.
name 10 Guest Renames VLAN 10 to Guest.
name 20 Unauth Renames VLAN 20 to Unauth.
exit Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
dot1x system-auth-control enable Enable the 802.1X function globally.
interface 1/4 Change to the interface configuration mode of interface 1/4.
dot1x port-control auto Enables port control on port 1/4.
dot1x guest-vlan 10 Assign the guest VLAN to port 1/4.
dot1x unauthenticated-vlan 20 Assign the unauthorized VLAN to port 1/4.
exit Change to the Configuration mode.
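A review script for the configuration above, added as an example (it is not part of the original manual): it reads a CLI transcript built from the commands in this section and reports guest or unauthenticated VLANs that were never created, that another port uses as its PVID, or that are set while 802.1X is not enabled globally with port control auto. Both transcripts are constructed, and the three rules are review criteria assumed for this example, not checks the device performs.

```python
"""Review 802.1X guest / unauthenticated VLAN settings in a CLI transcript.

Added example: it understands only the commands used in this section, and
its three review rules are assumptions of the example, not device behaviour.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    pvid: int = 1                   # assumption: untouched ports use VLAN 1
    control: Optional[str] = None   # argument of "dot1x port-control"
    guest: Optional[int] = None     # argument of "dot1x guest-vlan"
    unauth: Optional[int] = None    # argument of "dot1x unauthenticated-vlan"


@dataclass
class Config:
    vlans: set = field(default_factory=lambda: {1})
    dot1x_global: bool = False
    ports: dict = field(default_factory=dict)


def parse(transcript):
    """Build a Config from CLI lines; commands not listed here are skipped."""
    cfg, port = Config(), None
    for line in transcript.splitlines():
        words = line.split()
        if words == ["exit"]:
            port = None                          # leaves the interface mode
        elif len(words) == 2 and words[0] == "interface":
            port = cfg.ports.setdefault(words[1], Port())
        elif len(words) == 3:
            command, arg = tuple(words[:2]), words[2]
            if command == ("vlan", "add"):
                cfg.vlans.add(int(arg))
            elif command == ("dot1x", "system-auth-control"):
                cfg.dot1x_global = arg == "enable"
            elif port is not None and command == ("vlan", "pvid"):
                port.pvid = int(arg)
            elif port is not None and command == ("dot1x", "port-control"):
                port.control = arg
            elif port is not None and command == ("dot1x", "guest-vlan"):
                port.guest = int(arg)
            elif port is not None and command == ("dot1x", "unauthenticated-vlan"):
                port.unauth = int(arg)
    return cfg


def audit(cfg):
    """Return (port, role, vlan, problem) tuples; an empty list means no finding."""
    findings = []
    for name, port in sorted(cfg.ports.items()):
        for role, vid in (("guest", port.guest), ("unauthenticated", port.unauth)):
            if vid is None:
                continue
            # Rule 1: the fallback VLAN is set, but 802.1X is not active on the port.
            if not cfg.dot1x_global or port.control != "auto":
                findings.append((name, role, vid, "dot1x-inactive"))
            # Rule 2: the fallback VLAN was never created with "vlan add".
            if vid not in cfg.vlans:
                findings.append((name, role, vid, "vlan-missing"))
            # Rule 3: another port places its untagged traffic in the same VLAN.
            sharers = sorted(p for p, other in cfg.ports.items()
                             if p != name and other.pvid == vid)
            if sharers:
                findings.append((name, role, vid, "pvid-of:" + ",".join(sharers)))
    return findings


# Constructed transcript that follows the example in this section.
SECTION_EXAMPLE = """\
enable
vlan database
vlan add 10
vlan add 20
name 10 Guest
name 20 Unauth
exit
configure
dot1x system-auth-control enable
interface 1/4
dot1x port-control auto
dot1x guest-vlan 10
dot1x unauthenticated-vlan 20
exit
"""

# Constructed transcript with three weaknesses: 802.1X is not enabled globally,
# VLAN 30 does not exist, and VLAN 2 is also the PVID of port 1/2.
WEAK_EXAMPLE = """\
vlan database
vlan add 2
exit
configure
interface 1/2
vlan pvid 2
exit
interface 1/4
dot1x port-control auto
dot1x guest-vlan 30
dot1x unauthenticated-vlan 2
exit
"""

if __name__ == "__main__":
    for label, text in (("section", SECTION_EXAMPLE), ("weak", WEAK_EXAMPLE)):
        print(label, audit(parse(text)))
```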

11.3 RADIUS VLAN assignment

The RADIUS VLAN assignment feature allows for a RADIUS VLAN ID attribute to be associated with
an authenticated client. When a client authenticates successfully, and the RADIUS server sends a
VLAN attribute, the device associates the client with the RADIUS assigned VLAN. As a result, the device
adds the physical port as an untagged member to the appropriate VLAN and sets the port VLAN ID
(PVID) with the given value.

11.4 Creating a Voice VLAN

Use the Voice VLAN feature to separate voice and data traffic on a port, by VLAN and/or priority. A
primary benefit of using Voice VLAN is to safeguard the sound quality of an IP phone when the data
traffic on the port is high.
The device uses the source MAC address to identify and prioritize the voice data flow. Using a MAC
address to identify devices helps prevent a rogue client from connecting to the same port causing the
voice traffic to deteriorate.
Another benefit of the Voice VLAN feature is that a VoIP phone obtains a VLAN ID or priority information
using LLDP-MED. As a result, the VoIP phone sends voice data as tagged, priority tagged or untagged.
This depends on the Voice VLAN Interface configuration.
The following Voice VLAN interface modes are possible. The first 3 methods segregate and prioritize
voice and data traffic. Traffic segregation results in an increased voice traffic quality during high traffic
periods.
• Configuring the port to use the vlan mode allows the device to tag the voice data coming from a
  VoIP phone with the user-defined voice VLAN ID. The device assigns regular data to the default port
  VLAN ID.
• Configuring the port to use the dot1p-priority mode allows the device to tag the data coming from
  a VoIP phone with VLAN 0 and the user-defined priority. The device assigns the default priority of the
  port to regular data.
• Configure both the voice VLAN ID and the priority using the vlan/dot1p-priority mode. In this
  mode the VoIP phone sends voice data with the user-defined voice VLAN ID and priority information.
  The device assigns the default PVID and priority of the port to regular data.
• When configured as untagged, the phone sends untagged packets.
• When configured as none, the phone uses its own configuration to send voice traffic.

11.5 MAC based VLANs

Use the MAC-based VLAN to forward traffic based on the source MAC address associated with the
VLAN. A MAC-based VLAN defines the filtering criteria for untagged or priority tagged packets.
You specify a MAC-based VLAN filter by assigning a specific source address to a MAC-based VLAN.
The device forwards untagged packets received with the source MAC address on the MAC-based VLAN
ID. The other untagged packets are subject to normal VLAN classification rules.

11.6 IP subnet based VLANs

In an IP subnet-based VLAN, the device forwards traffic based on the source IP address and subnet
mask associated with the VLAN. User-defined filters determine whether a packet belongs to a particular
VLAN.
Use the IP subnet-based VLAN to specify the filtering criteria for untagged or priority tagged packets.
For example, assign a specific subnet address to an IP subnet-based VLAN. When the device receives
untagged packets from the subnet address, it forwards them to the IP subnet-based VLAN. Other
untagged packets are subject to normal VLAN classification rules.
To configure an IP subnet-based VLAN, specify an IP address, a subnet mask and the associated VLAN
ID. In case of multiple matching entries, the device associates the VLAN ID to the entry with the longer
prefix first.

11.7 Protocol-based VLAN

In a protocol-based VLAN, the device bridges traffic through specified ports based on the protocol
associated with the VLAN. User-defined packet filters determine whether a packet belongs to a
particular VLAN.
Configure protocol-based VLANs using the value in the Ethertype column as the filtering criteria for
untagged packets. For example, assign a specific protocol to a protocol-based VLAN. When the device
receives untagged packets with the protocol, it forwards them to the protocol-based VLAN. The device
assigns the other untagged packets to the port VLAN ID.
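The classification described in sections 11.5 to 11.7, as an added example that is not part of the original manual: an untagged frame is matched against MAC-based, IP subnet-based and protocol-based entries, the longest matching prefix wins among the subnet entries, and the port VLAN ID is the fallback. The rule tables are constructed sample values, and the order in which the three rule types are tried is an assumption of this example because the text does not state it.

```python
"""Classify an untagged frame the way sections 11.5 to 11.7 describe.

Added example. Rule tables are constructed sample values; trying MAC rules
first, then IP subnet rules, then protocol rules is an assumption of this
example, because the manual text does not state the order.
"""
import ipaddress

MAC_VLANS = {"02:00:00:00:00:01": 40}          # source MAC -> VLAN ID
SUBNET_VLANS = [                               # (subnet, VLAN ID)
    ("10.0.0.0/8", 50),
    ("10.1.2.0/24", 51),
    ("10.1.0.0/16", 52),
]
PROTOCOL_VLANS = {0x0806: 60, 0x86DD: 61}      # Ethertype -> VLAN ID


def subnet_vlan(src_ip, rules=SUBNET_VLANS):
    """Return the VLAN ID of the matching entry with the longest prefix, or None."""
    addr = ipaddress.ip_address(src_ip)
    best = None                                # (prefix length, VLAN ID)
    for cidr, vid in rules:
        net = ipaddress.ip_network(cidr)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, vid)
    return None if best is None else best[1]


def classify_untagged(src_mac, ethertype, pvid, src_ip=None):
    """Return (vlan_id, matched_rule) for an untagged or priority-tagged frame."""
    vid = MAC_VLANS.get(src_mac.lower().replace("-", ":"))
    if vid is not None:
        return vid, "mac"
    if src_ip is not None:
        vid = subnet_vlan(src_ip)
        if vid is not None:
            return vid, "ip-subnet"
    vid = PROTOCOL_VLANS.get(ethertype)
    if vid is not None:
        return vid, "protocol"
    return pvid, "pvid"                        # normal port-based classification


if __name__ == "__main__":
    # Constructed frames: (source MAC, Ethertype, port PVID, source IP or None)
    frames = [
        ("02:00:00:00:00:01", 0x0800, 1, "10.1.2.3"),
        ("02:00:00:00:00:99", 0x0800, 1, "10.1.2.3"),
        ("02:00:00:00:00:99", 0x0800, 1, "10.1.9.9"),
        ("02:00:00:00:00:99", 0x0806, 7, None),
        ("02:00:00:00:00:99", 0x0800, 7, "192.168.1.1"),
    ]
    for frame in frames:
        print(frame, "->", classify_untagged(*frame))
```

Every field this classification reads is set by the sender, so these rules sort traffic but do not authenticate it; port-based access control is the subject of section 11.2.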

11.8 VLAN unaware mode

The VLAN-unaware function defines the operation of the device in a LAN segmented by VLANs. The
device accepts packets and processes them according to its inbound rules. Based on the IEEE 802.1Q
specifications, the function governs how the device processes VLAN tagged packets.
Use the VLAN aware mode to apply the user-defined VLAN topology configured by the network
administrator. The device uses VLAN tagging in combination with the IP or Ethernet address when
forwarding packets. The device processes inbound and outbound packets according to the defined
rules. VLAN configuration is a manual process.
Use the VLAN unaware mode to forward traffic as received, without any modification. The device
transmits tagged packets when received as tagged. The device also transmits untagged
packets when received as untagged. Regardless of VLAN assignment mechanisms, the device assigns
packets to VLAN ID 1 and to a Multicast group, indicating that the packet flood domain is according to
the VLAN.

12 Redundancy

12.1 Network Topology vs. Redundancy Protocols

When using Ethernet, an important prerequisite is that data packets follow a single (unique) path from
the sender to the receiver. The following network topologies support this prerequisite:

• Line topology
• Star topology
• Tree topology

Figure 28: Network with line, star and tree topologies


To ensure that the communication is maintained when a connection fails, you install additional physical
connections between the network nodes. Redundancy protocols ensure that the additional connections
remain switched off while the original connection is still working. If the connection fails, the redundancy
protocol generates a new path from the sender to the receiver via the alternative connection.
To introduce redundancy onto Layer 2 of a network, you first define which network topology you require.
Depending on the network topology selected, you then choose from the redundancy protocols that can
be used with this network topology.

12.1.1 Network topologies

Meshed topology
For networks with star or tree topologies, redundancy procedures are only possible in connection
with physical loop creation. The result is a meshed topology.

Figure 29: Meshed topology: Tree topology with physical loops

For operating in this network topology, the device provides you with the following redundancy
protocols:
• Rapid Spanning Tree (RSTP)

Ring topology
In networks with a line topology, you can use redundancy procedures by connecting the ends of the
line. This creates a ring topology.

Figure 30: Ring topology: Line topology with connected ends

For operating in this network topology, the device provides you with the following redundancy
protocols:
• Media Redundancy Protocol (MRP)
• Rapid Spanning Tree (RSTP)

12.1.2 Redundancy Protocols


For operating in different network topologies, the device provides you with the following redundancy
protocols:
| Redundancy protocol | Network topology | Comments |
| --- | --- | --- |
| MRP | Ring | The switching time can be selected and is practically independent of the number of devices. An MRP-Ring consists of up to 50 devices that support the MRP protocol according to IEC 62439. If you only use Hirschmann devices, up to 100 devices are possible in the MRP-Ring. |
| Subring | Ring | The subring function enables you to easily couple network segments to existing redundancy rings. |
| Ring/Network coupling | Ring | |
| RCP | Ring | |
| RSTP | Random structure | The switching time depends on the network topology and the number of devices. typ. < 1 s with RSTP; typ. < 30 s with STP |
| Link Aggregation | Random structure | A Link Aggregation Group is the combining of 2 or more, full-duplex point-to-point links operating at the same rate, on a single switch to increase bandwidth. |
| Link Backup | Random structure | When the device detects an error on the primary link, then the device transfers traffic to the backup link. You typically use Link Backup in service-provider or enterprise networks. |
| HIPER Ring Client | Ring | Extend an existing HIPER ring or replace a device already participating as a client in a HIPER ring. |
| HIPER Ring over LAG | Ring | Link devices together over a Link Aggregation Group (LAG). The ring clients and Ring Manager behave in the same manner as a ring without a LAG instance. |

Table 20: Overview of redundancy protocols

Note: When you are using a redundancy function, you deactivate the flow control on the participating
device ports. If the flow control and the redundancy function are active at the same time, there is a risk
that the redundancy function will not operate as intended.

12.1.3 Combinations of Redundancies

| | MRP | RSTP/MSTP | Link Aggreg. | Link Backup | Subring | HIPER Ring | Fast MRP | DLR | HSR | PRP |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| MRP | ✓ | | | | | | | | | |
| RSTP/MSTP 3) | ✓ 1) | ✓ | | | | | | | | |
| Link Aggreg. | ✓ 4) | ✓ 4) | ✓ | | | | | | | |
| Link Backup | ✓ | ✓ | ✓ | ✓ | | | | | | |
| Subring | ✓ | ✓ | ✓ 4) | ✓ | ✓ | | | | | |
| HIPER Ring | ✓ 1) | ✓ | ✓ 4) | ✓ | ✓ | ✓ | | | | |

Table 21: Overview of redundancy protocols

| Symbol | Meaning |
| --- | --- |
| ✓ | Combination applicable |
| 1) | Redundant coupling between these network topologies will possibly lead to data loops. |
| 3) | In combination with MSTP, the failover times of other redundancy protocols may slightly increase. |
| 4) | Combination applicable on the same port |

12.2 Media Redundancy Protocol (MRP)

Since May 2008, the Media Redundancy Protocol (MRP) has been a standardized solution for ring
redundancy in the industrial environment.
MRP is compatible with redundant ring coupling, supports VLANs, and is distinguished by very short
reconfiguration times.
An MRP-Ring consists of up to 50 devices that support the MRP protocol according to IEC 62439. If you
only use Hirschmann devices, up to 100 devices are possible in the MRP-Ring.
With the fixed MRP redundant port (Fixed Backup), if the primary ring link fails, the Ring Manager
sends data traffic to the secondary ring link. When the primary link is restored, the secondary link
continues to be in use.

12.2.1 Network Structure


The concept of ring redundancy allows the construction of high-availability, ring-shaped network
structures.
With the help of the RM (Ring Manager) function, the two ends of a backbone in a line structure can be
closed to a redundant ring. The Ring Manager keeps the redundant line open as long as the line
structure is intact. If a segment becomes inoperable, the Ring Manager immediately closes the
redundant line, and the line structure is intact again.

Figure 31: Line structure

Figure 32: Redundant ring structure
RM = Ring Manager
—— main line
- - - redundant line

12.2.2 Reconfiguration time


If a line section fails, the Ring Manager changes the MRP-Ring back into a line structure. You define the
maximum time for the reconfiguration of the line in the Ring Manager.
Possible values for the maximum delay time:
• 500 ms
• 200 ms

Note: You only configure the reconfiguration time with a value less than 500 ms if all the devices in the
ring support the shorter delay time.
Otherwise the devices that only support longer delay times might not be reachable due to overloading.
Loops can occur as a result.

12.2.3 Advanced mode


For times even shorter than the guaranteed reconfiguration times, the device provides the advanced
mode. The advanced mode speeds up the link failure recognition when the ring participants inform the
Ring Manager of interruptions in the ring via link-down notifications.
Hirschmann devices support link-down notifications. Therefore, you generally activate the advanced
mode in the Ring Manager.
If you are using devices that do not support link-down notifications, the Ring Manager reconfigures the
line in the selected maximum reconfiguration time.

12.2.4 Prerequisites for MRP


Before setting up an MRP-Ring, make sure that the following conditions are fulfilled:
• All ring participants support MRP.
• The ring participants are connected to each other via the ring ports. Apart from the device’s
  neighbors, no other ring participants are connected to the respective device.
• All ring participants support the configuration time specified in the Ring Manager.
• There is exactly 1 Ring Manager in the ring.

If you are using VLANs, configure every ring port with the following settings:
• Deactivate ingress filtering - see the Switching > VLAN > Port dialog.
• Define the port VLAN ID (PVID) - see the Switching > VLAN > Port dialog.
  – PVID = 1 if the device transmits the MRP data packets untagged (VLAN ID = 0 in the Switching >
    L2-Redundancy > MRP dialog)
    By setting the PVID = 1, the device automatically assigns the received untagged packets to
    VLAN 1.
  – PVID = any if the device transmits the MRP data packets in a VLAN (VLAN ID ≥ 1 in the
    Switching > L2-Redundancy > MRP dialog)
• Define egress rules - see the Switching > VLAN > Configuration dialog.
  – U (untagged) for the ring ports of VLAN 1 if the device transmits the MRP data packets untagged
    (VLAN ID = 0 in the Switching > L2-Redundancy > MRP dialog, the MRP ring is not assigned to
    a VLAN).
  – T (tagged) for the ring ports of the VLAN which you assign to the MRP ring. Select T, if the device
    transmits the MRP data packets in a VLAN (VLAN ID ≥ 1 in the Switching > L2-Redundancy >
    MRP dialog).
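A pre-flight check of a planned MRP ring against the rules stated so far in this chapter (device limit, exactly 1 Ring Manager, supported recovery time, flow control off on ring ports, and the ring port VLAN settings above), added as an example that is not part of the original manual. The inventory layout, the helper names and both sample rings are invented for this example.

```python
"""Pre-flight check of an MRP ring plan against the rules in this chapter.

Added example. The inventory layout (dict keys, helper names) is invented
here; the rules are the ones stated in sections 12.1.2, 12.2 and 12.2.4.
"""


def ring_port(port, **overrides):
    """Ring port whose settings satisfy the rules for an untagged MRP ring."""
    settings = {"port": port, "flow_control": False, "ingress_filtering": False,
                "pvid": 1, "egress": {1: "U"}}
    settings.update(overrides)
    return settings


def device(name, manager=False, hirschmann=True, recovery_ms=(200, 500), ports=None):
    """Ring participant; recovery_ms lists the delay times the device supports."""
    return {"name": name, "manager": manager, "hirschmann": hirschmann,
            "recovery_ms": set(recovery_ms),
            "ring_ports": ports or [ring_port("1/1"), ring_port("1/2")]}


def check_ring(ring):
    """Return (device, port, problem) tuples; an empty list means no finding."""
    findings = []
    devices = ring["devices"]
    # Up to 50 devices per ring, up to 100 if only Hirschmann devices are used.
    limit = 100 if all(d["hirschmann"] for d in devices) else 50
    if len(devices) > limit:
        findings.append(("ring", None, f"more-than-{limit}-devices"))
    # There is exactly 1 Ring Manager in the ring.
    managers = sum(1 for d in devices if d["manager"])
    if managers != 1:
        findings.append(("ring", None, f"ring-managers={managers}"))
    vid = ring["mrp_vlan"]               # 0 = MRP data packets are sent untagged
    for d in devices:
        # Every participant supports the time configured in the Ring Manager.
        if ring["recovery_ms"] not in d["recovery_ms"]:
            findings.append((d["name"], None, "recovery-time-unsupported"))
        for p in d["ring_ports"]:
            where = (d["name"], p["port"])
            if p["flow_control"]:        # flow control and redundancy together
                findings.append(where + ("flow-control-on",))
            if p["ingress_filtering"]:   # ingress filtering is to be deactivated
                findings.append(where + ("ingress-filtering-on",))
            if vid == 0:                 # untagged ring: PVID 1, VLAN 1 egress U
                if p["pvid"] != 1:
                    findings.append(where + ("pvid-not-1",))
                if p["egress"].get(1) != "U":
                    findings.append(where + ("vlan1-not-untagged",))
            elif p["egress"].get(vid) != "T":   # ring in a VLAN: egress T
                findings.append(where + ("mrp-vlan-not-tagged",))
    return findings


# Constructed plan that follows the example in 12.2.5: 3 devices, no VLAN, 200 ms.
GOOD_RING = {"recovery_ms": 200, "mrp_vlan": 0, "devices": [
    device("1", manager=True),
    device("2", hirschmann=False),
    device("3"),
]}

# Constructed plan with faults: 2 Ring Managers, one device limited to 500 ms,
# and ring ports with flow control, ingress filtering and a PVID other than 1.
BAD_RING = {"recovery_ms": 200, "mrp_vlan": 0, "devices": [
    device("1", manager=True),
    device("2", manager=True, recovery_ms=(500,)),
    device("3", ports=[ring_port("1/1", flow_control=True),
                       ring_port("1/2", ingress_filtering=True, pvid=2)]),
]}

if __name__ == "__main__":
    print("good ring:", check_ring(GOOD_RING))
    for finding in check_ring(BAD_RING):
        print("bad ring:", finding)
```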

12.2.5 Example Configuration


A backbone network contains 3 devices in a line structure. To increase the availability of the network,
you convert the line structure to a redundant ring structure. Devices from different manufacturers are
used. All devices support MRP. On every device you define ports 1.1 and 1.2 as ring ports.
If the primary ring link fails, the Ring Manager sends data on the secondary ring link. When the primary
link is restored, the secondary link reverts back to the backup mode.

Figure 33: Example of MRP-Ring (devices 1, 2 and 3, each with ring ports 1.1 and 1.2)
RM = Ring Manager
—— main line
- - - redundant line

The following example configuration describes the configuration of the Ring Manager device (1). You
configure the 2 other devices (2 to 3) in the same way, but without activating the Ring Manager function.
This example does not use a VLAN. You specify 200 ms as the ring recovery time. Every device
supports the advanced mode of the Ring Manager.

• Set up the network to meet your demands.
• Configure all ports so that the transmission speed and the duplex settings of the lines correspond to
  the following table:

| Port type | Bit rate | Autonegotiation (automatic configuration) | Port setting | Duplex |
| --- | --- | --- | --- | --- |
| TX | 100 Mbit/s | off | on | 100 Mbit/s full duplex (FDX) |
| TX | 1 Gbit/s | on | on | - |
| Optical | 100 Mbit/s | off | on | 100 Mbit/s full duplex (FDX) |
| Optical | 1 Gbit/s | on | on | - |
| Optical | 10 Gbit/s | - | on | 10 Gbit/s full duplex (FDX) |

Table 22: Port settings for ring ports

Note: You configure optical ports without support for autonegotiation (automatic configuration) with 100
Mbit/s full duplex (FDX) or 1000 Mbit/s full duplex (FDX).

Note: You configure optical ports without support for autonegotiation (automatic configuration) with 100
Mbit/s full duplex (FDX).

Note: Configure all the devices of the MRP-Ring individually. Before you connect the redundant line,
you must have completed the configuration of all the devices of the MRP-Ring. You thus avoid loops
during the configuration phase.
• You deactivate the flow control on the participating ports.
  If the flow control and the redundancy function are active at the same time, there is a risk that the
  redundancy function will not operate as intended. (Default setting: flow control deactivated globally
  and activated on all ports.)
• Switch Spanning Tree off on all devices in the network:
  • Open the Switching > L2-Redundancy > Spanning Tree > Global dialog.
  • Disable the function.
    In the state on delivery, Spanning Tree is enabled on the device.
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
no spanning-tree operation Switches Spanning Tree off.
show spanning-tree global Displays the parameters for checking.
• Enable MRP on every device in the network:
  • Open the Switching > L2-Redundancy > MRP dialog.
  • Specify the desired ring ports.
In the Command Line Interface you first define an additional parameter, the MRP domain ID. Configure
all the ring participants with the same MRP domain ID. The MRP domain ID is a sequence of 16 number
blocks (8-bit values).
When configuring with the graphical user interface, the device uses the default value 255 255 255 255
255 255 255 255 255 255 255 255 255 255 255 255.
mrp domain add default-domain Creates a new MRP domain with the default domain ID.
mrp domain modify port primary 1/1 Specifies port 1/1 as ring port 1.
mrp domain modify port secondary 1/2 Specifies port 1/2 as ring port 2.
• Enable the Fixed backup port.

• To allow the device to continue sending data on the secondary port after the ring is restored,
  mark the Fixed backup checkbox.

  Note: When the device reverts back to the primary port, the maximum ring recovery time may
  be exceeded.

  If you unmark the Fixed backup checkbox, and the ring is restored, then the Ring Manager
  blocks the secondary port and unblocks the primary port.
mrp domain modify port secondary 1/2 fixed-backup enable Activates the Fixed backup function on the secondary port. The secondary port continues forwarding data after the ring is restored.

• Enable the Ring Manager.
  For the other devices in the ring, leave the setting as Off.
mrp domain modify mode manager Specifies that the device operates as the Ring manager. Do not activate the Ring manager function on any other device.

• Select the checkbox in the Advanced mode field.
mrp domain modify advanced-mode enabled Activates the advanced mode.

• In the Ring recovery field, select the value 200ms.
mrp domain modify recovery-delay 200ms Specifies the value 200ms as the max. delay time for the reconfiguration of the ring.

Note: If selecting 200 ms for the ring recovery does not provide the ring stability necessary to meet the
requirements of your network, you select 500 ms.
• Switch the operation of the MRP-Ring on.
• To save the changes temporarily, click the button.
mrp domain modify operation enable Activates the MRP-Ring.

• When all the ring participants are configured, close the line to the ring. To do this, you connect the
  devices at the ends of the line via their ring ports.
• Check the messages from the device:
show mrp Displays the parameters for checking.

The Operation field displays the operating state of the ring port.
Possible values:
• forwarding
  The port is enabled, connection exists.
• blocked
  The port is blocked, connection exists.
• disabled
  The port is disabled.
• not-connected
  No connection exists.
The Information field displays messages for the redundancy configuration and the possible
causes of errors.
The following messages are possible if the device is operating as a ring client or a Ring Manager:
• Redundancy available
  The redundancy is set up. When a component of the ring is down, the redundant line takes
  over its function.
• Configuration error: Error on ringport link.
  Error in the cabling of the ring ports.
The following messages are possible if the device is operating as a Ring Manager:
• Configuration error: Packets from another ring manager received.
  Another device exists in the ring that is operating as the Ring Manager.
  Activate the Ring manager function on exactly one device in the ring.
• Configuration error: Ring link is connected to wrong port.
  A line in the ring is connected with a different port instead of with a ring port. The device only
  receives test data packets on 1 ring port.
• If applicable, integrate the MRP ring into a VLAN:
  • In the VLAN ID field, define the MRP VLAN ID. The MRP VLAN ID determines in which of the
    configured VLANs the device transmits the MRP packets. To set the MRP VLAN ID, first
    configure the VLANs and the corresponding egress rules in the Switching > VLAN >
    Configuration dialog.
  • If the MRP-Ring is not assigned to a VLAN (like in this example), leave the VLAN ID as 0.
    In the Switching > VLAN > Configuration dialog, specify the VLAN membership as U
    (untagged) for the ring ports in VLAN 1.
  • If the MRP-Ring is assigned to a VLAN, enter a VLAN ID >0.
    In the Switching > VLAN > Configuration dialog, specify the VLAN membership as T
    (tagged) for the ring ports in the selected VLAN.
mrp domain modify vlan <0..4042> Assigns the VLAN ID.

12.2.6 MRP over LAG


Hirschmann devices allow you to combine Link Aggregation Groups (LAG) to increase bandwidth with
the Media Redundancy Protocol (MRP) providing redundancy. The function allows you to increase the
bandwidth on individual segments or on the entire network.
The LAG function helps you overcome bandwidth limitations of individual ports. LAG allows you to
combine 2 or more links in parallel, creating 1 logical link between 2 devices. The parallel links increase
the bandwidth for the data stream between the 2 devices.
An MRP ring consists of up to 50 devices that support the MRP protocol according to IEC 62439. If you
use only Hirschmann devices, then the protocol allows you to configure MRP rings with up to 100
devices.
You use MRP over LAG in the following cases:
• to increase bandwidth only on specific segments of an MRP ring
• to increase bandwidth on the entire MRP ring

Network Structure
When configuring an MRP ring with LAGs, the Ring Manager (RM) monitors both ends of the
backbone for continuity. The RM blocks data on the secondary (redundant) port as long as the
backbone is intact. If the RM detects an interruption of the data stream on the ring, then it begins
forwarding data on the secondary port, which restores backbone continuity.
You use LAG instances in MRP rings to increase bandwidth only; in this case MRP provides the
redundancy.
In order for the RM to detect an interruption on the ring, MRP requires a device to block every port in
the LAG instance when a port in the instance is down.

LAG on a single segment of an MRP ring

The device allows you to configure a LAG instance on specific segments of an MRP ring.
You use the LAG Single Switch method for devices in the MRP ring. The Single Switch method
provides you an inexpensive way to grow your network by using only 1 device on each side of a
segment to provide the physical ports. You group the ports of the device into a LAG instance to
provide increased bandwidth on specific segments where needed.

Figure 34: Link Aggregation over a single link of an MRP ring.

LAG on an entire MRP ring

Besides being able to configure a LAG instance on specific segments of an MRP ring, Hirschmann
devices also allow you to configure LAG instances on every segment, which increases bandwidth on
the entire MRP ring.

Figure 35: Link Aggregation over the entire MRP ring.

Detecting interruptions on the ring

When configuring the LAG instance, specify the Active ports (min.) value to equal the total
number of ports used in the LAG instance. If a device detects an interruption on a port in the LAG
instance, then it blocks data on the other ports of the instance. With every port of an instance blocked,
the RM senses that the ring is open and begins forwarding data on the secondary port. This way the
RM is able to restore continuity to the devices on the other side of the interrupted segment.

Figure 36: Interruption of a link in an MRP ring.

Example Configuration
In the following example, switch A and switch B link two departments together. The departments
produce traffic too large for the individual port bandwidth to handle. You configure a LAG instance for
the single segment of the MRP ring, increasing the bandwidth of the segment.
The prerequisite for the example configuration is that you begin with an operational MRP ring.

Figure 37: MRP over LAG Configuration Example
Labels in the figure: RM, Ring Port 1, Ring Port 2; Switch A with ports 1/1, 1/2 and 1/3; Switch B with ports 2/1, 2/2 and 2/3.

Perform the following steps to configure switch A. Configure switch B using the same steps,
substituting the appropriate port and ring port numbers.
• Open the Switching > L2-Redundancy > Link Aggregation dialog.
• Click the button.
  The dialog displays the Create window.
• In the Trunk port drop-down list, select the instance number of the link aggregation group.
• In the Port drop-down list, select the port 1/1.
• Click the Ok button.
• Repeat the preceding steps and select the port 1/2.
• Click the Ok button.
• In the Active ports (min.) column enter 2, which in this case is the total number of ports
  in the instance. When combining MRP and LAG you specify the total number of ports as the
  Active ports (min.). When the device detects an interruption on a port, it blocks the other
  ports in the instance causing the ring to open. The Ring Manager senses that the ring is open,
  then begins forwarding data on its secondary ring port which restores the connectivity to the
  other devices in the network.
• To save the changes temporarily, click the button.
• Open the Switching > L2-Redundancy > MRP dialog.
• In the Ring port 2 frame, Port drop-down list, select the port lag/1.
• To save the changes temporarily, click the button.

enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
link-aggregation add lag/1 Creates a Link Aggregation Group lag/1.
link-aggregation modify lag/1 addport 1/1 Adds port 1/1 to the Link Aggregation Group.
link-aggregation modify lag/1 addport 1/2 Adds port 1/2 to the Link Aggregation Group.
mrp domain modify port secondary lag/1 Specifies port lag/1 as ring port 2.
copy config running-config nvm Save the current settings in the non-volatile memory (nvm) in the “selected” configuration profile.

12.3 Spanning Tree

Note: The Spanning Tree Protocol is a protocol for MAC bridges. For this reason, the following
description uses the term bridge for the device.
Local networks are getting bigger and bigger. This applies to both the geographical expansion and the
number of network participants. Therefore, it is advantageous to use multiple bridges, for example:
• to reduce the network load in sub-areas,
• to set up redundant connections and
• to overcome distance limitations.

However, using multiple bridges with multiple redundant connections between the subnetworks can
lead to loops and thus loss of communication across the network. In order to help avoid this, you can
use Spanning Tree. Spanning Tree enables loop-free switching through the systematic deactivation of
redundant connections. Redundancy enables the systematic reactivation of individual connections as
needed.

RSTP is a further development of the Spanning Tree Protocol (STP) and is compatible with it. If a
connection or a bridge becomes inoperable, the STP required a maximum of 30 seconds to reconfigure.
This is no longer acceptable in time-sensitive applications. RSTP achieves average reconfiguration
times of less than a second. When you use RSTP in a ring topology with 10 to 20 devices, you can even
achieve reconfiguration times in the order of milliseconds.

Note: RSTP reduces a layer 2 network topology with redundant paths into a tree structure (Spanning
Tree) that does not contain any more redundant paths. One of the devices takes over the role of the root
bridge here. The maximum number of devices permitted in an active branch (from the root bridge to the
tip of the branch) is specified by the variable Max Age for the current root bridge. The preset value for
Max Age is 20, which can be increased up to 40.
If the device working as the root is inoperable and another device takes over its function, the Max Age
setting of the new root bridge determines the maximum number of devices allowed in a branch.

Note: The RSTP standard dictates that all the devices within a network work with the (Rapid) Spanning
Tree Algorithm. If STP and RSTP are used at the same time, the advantages of faster reconfiguration
with RSTP are lost in the network segments that are operated in combination.
A device that only supports RSTP works together with MSTP devices by not assigning an MST region
to itself, but rather the CST (Common Spanning Tree).


12.3.1 Basics
Because RSTP is a further development of the STP, all the following descriptions of the STP also apply
to the RSTP.

 The tasks of the STP


The Spanning Tree Algorithm reduces network topologies that are built with bridges and contain ring
structures due to redundant links to a tree structure. In doing so, STP opens ring structures according
to preset rules by deactivating redundant paths. If a path is interrupted because a network
component becomes inoperable, STP reactivates the previously deactivated path. This allows
redundant links to increase the availability of communication.
STP determines a bridge that represents the base of the STP tree structure. This bridge is called the
root bridge.

Features of the STP algorithm:
• automatic reconfiguration of the tree structure in the case of a bridge becoming inoperable or the
interruption of a data path
• the tree structure is stabilized up to the maximum network size
• stabilization of the topology within a short time period
• topology can be specified and reproduced by the administrator
• transparency for the end devices
• low network load relative to the available transmission capacity due to the tree structure created

 Bridge parameters
In the context of Spanning Tree, each bridge and its connections are uniquely described by the
following parameters:
• Bridge Identifier
• Root Path Cost for the bridge ports
• Port Identifier

 Bridge Identifier
The Bridge Identifier consists of 8 bytes. The 2 highest-value bytes are the priority. The default
setting for the priority number is 32,768, but the Management Administrator can change this when
configuring the network. The 6 lowest-value bytes of the bridge identifier are the bridge’s MAC
address. The MAC address allows each bridge to have unique bridge identifiers.
The bridge with the smallest number for the bridge identifier has the highest priority.

MSB                            LSB
80 00       00 80 63 51 74 00
Priority    MAC Address

Figure 38: Bridge Identifier, Example (values in hexadecimal notation)


 Root Path Cost


Each path that connects 2 bridges is assigned a cost for the transmission (path cost). The device
determines this value based on the transmission speed (see table 23). It assigns a higher path cost
to paths with lower transmission speeds.

Alternatively, the Administrator can set the path cost. Like the device, the Administrator assigns a
higher path cost to paths with lower transmission speeds. However, since the Administrator can
choose this value freely, he has a tool with which he can give a certain path an advantage among
redundant paths.

The root path cost is the sum of all individual costs of those paths that a data packet has to traverse
from a connected bridge's port to the root bridge.

[Figure: bridges 1, 2 and 3 connected by three paths labeled PC = 200 000, PC = 200 000 000 and
PC = 200 000. Legend: PC = path costs; line styles for Ethernet (100 Mbit/s) and Ethernet (10 Mbit/s)]

Figure 39: Path costs


Data rate      Recommended value   Recommended range      Possible range
≤100 Kbit/s    200000000 (a)       20000000-200000000     1-200000000
1 Mbit/s       20000000 (a)        2000000-200000000      1-200000000
10 Mbit/s      2000000 (a)         200000-20000000        1-200000000
100 Mbit/s     200000 (a)          20000-2000000          1-200000000
1 Gbit/s       20000               2000-200000            1-200000000
10 Gbit/s      2000                200-20000              1-200000000
100 Gbit/s     200                 20-2000                1-200000000
1 TBit/s       20                  2-200                  1-200000000
10 TBit/s      2                   1-20                   1-200000000
Table 23: Recommended path costs for RSTP based on the data rate.
(a) Bridges that conform with IEEE 802.1D 1998 and only support 16-bit values for the path costs should use
the value 65,535 (FFFFH) for path costs when they are used in conjunction with bridges that support 32-bit
values for the path costs.

 Port Identifier
The port identifier consists of 2 bytes. One part, the lower-value byte, contains the physical port
number. This provides a unique identifier for the port of this bridge. The second, higher-value part is
the port priority, which is specified by the Administrator (default value: 128). It also applies here that
the port with the smallest number for the port identifier has the highest priority.

MSB                      LSB
Priority    Port number

Figure 40: Port Identifier


 Max Age and Diameter


The “Max Age” and “Diameter” values largely determine the maximum expansion of a Spanning Tree
network.

 Diameter
The number of connections between the devices in the network that are furthest removed from each
other is known as the network diameter.

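[Figure: network with a root bridge; the connections between the 2 devices that are furthest removed from
each other are numbered 1 to 7 (Diameter = 7)]

Figure 41: Definition of diameter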


The network diameter that can be achieved in the network is MaxAge-1.
In the state on delivery, MaxAge = 20 and the maximum diameter that can be achieved = 19. If you
set the maximum value of 40 for MaxAge, the maximum diameter that can be achieved = 39.

 MaxAge
Every STP-BPDU contains a “MessageAge” counter. When a bridge is passed through, the counter
increases by 1.
Before forwarding an STP-BPDU, the bridge compares the “MessageAge” counter with the “MaxAge”
value specified in the device:
• If MessageAge < MaxAge, the bridge forwards the STP-BPDU to the next bridge.
• If MessageAge = MaxAge, the bridge discards the STP-BPDU.

[Figure: root bridge with MaxAge = 5; the STP-BPDU passes along a chain of bridges with
Message Age = 0, 1, 2, 3, 4 and 5]

Figure 42: Transmission of an STP-BPDU depending on MaxAge


12.3.2 Rules for Creating the Tree Structure

 Bridge information
To determine the tree structure, the bridges need more detailed information about the other bridges
located in the network.
To obtain this information, each bridge sends a BPDU (Bridge Protocol Data Unit) to the other
bridges.

The contents of a BPDU include:
• Bridge identifier
• Root path costs
• Port identifier
(see IEEE 802.1D)

 Setting up the tree structure

• The bridge with the smallest number for the bridge identifier is called the root bridge. It is (or will
become) the root of the tree structure.
• The structure of the tree depends on the root path costs. Spanning Tree selects the structure so
that the path costs between each individual bridge and the root bridge become as small as
possible.
• If there are multiple paths with the same root path costs, the bridge further away from the root
decides which port it blocks. For this purpose, it uses the bridge identifiers of the bridge closer to
the root. The bridge blocks the port that leads to the bridge with the numerically higher ID (a
numerically higher ID is the logically worse one). If 2 bridges have the same priority, the bridge
with the numerically larger MAC address has the numerically higher ID, which is logically the
worse one.
• If multiple paths with the same root path costs lead from one bridge to the same bridge, the bridge
further away from the root uses the port identifier of the other bridge as the last criterion (see
figure 40). In the process, the bridge blocks the port that leads to the port with the numerically
higher ID (a numerically higher ID is the logically worse one). If 2 ports have the same priority, the
port with the higher port number has the numerically higher ID, which is logically the worse one.


Determine root path
1. Equal path costs?
   no:  Path with lowest path costs = root path
   yes: continue with step 2
2. Equal priority in bridge identification?
   no:  Path with highest priority (numerically lower value) in bridge identification = root path
   yes: Use the bridge with lowest MAC address = designated bridge, then continue with step 3
3. Equal port priority?
   no:  Path with highest port priority (numerically lower value) = root path
   yes: Path with lowest port number of designated bridge = root path
Root path determined

Figure 43: Flow diagram for specifying the root path


12.3.3 Examples

 Example of determining the root path


You can use the network plan (see figure 44) to follow the flow chart (see figure 43) for determining
the root path. The administrator has specified a priority in the bridge identification for each bridge.
The bridge with the smallest numerical value for the bridge identification takes on the role of the root
bridge, in this case, bridge 1. In the example all the sub-paths have the same path costs. The protocol
blocks the path between bridge 2 and bridge 3 as a connection from bridge 3 via bridge 2 to the root
bridge would result in higher path costs.

The path from bridge 6 to the root bridge is interesting:
• The path via bridge 5 and bridge 3 creates the same root path costs as the path via bridge 4 and
bridge 2.
• STP selects the path using the bridge that has the lowest MAC address in the bridge identification
(bridge 4 in the illustration).
• There are also 2 paths between bridge 6 and bridge 4.
The port identifier is decisive here (Port 1 < Port 3).

[Figure: network of bridges 1 to 6. Bridge 1 is the root bridge with P-BID = 16 384; the other bridges have
P-BID = 32 768. Bridge 4 has the MAC address 00:01:02:03:04:05, bridge 5 has the MAC address
00:01:02:03:04:06. Port 1 and Port 3 mark the 2 paths between bridge 6 and bridge 4.
Legend: P-BID = priority of the bridge identification (BID) = BID without MAC address; line styles for
root path and interrupted path]

Figure 44: Example of determining the root path

Note: Because the Administrator does not change the default values for the priorities of the bridges
in the bridge identifier, apart from the value for the root bridge, the MAC address in the bridge
identifier alone determines which bridge becomes the new root bridge if the current root bridge goes
down.


 Example of manipulating the root path


You can use the network plan (see figure 45) to follow the flow chart (see figure 43) for determining
the root path. The Administrator has performed the following:
– Left the default value of 32768 (8000H) for every bridge apart from bridge 1 and bridge 5, and
– assigned to bridge 1 the value 16384 (4000H), thus making it the root bridge.
– To bridge 5 he assigned the value 28672 (7000H).
The protocol blocks the path between bridge 2 and bridge 3 as a connection from bridge 3 via
bridge 2 to the root bridge would mean higher path costs.

The path from bridge 6 to the root bridge is interesting:
• The bridges select the path via bridge 5 because the value 28672 for the priority in the bridge
identifier is smaller than value 32768.

[Figure: network of bridges 1 to 6. Bridge 1 is the root bridge with P-BID = 16 384, bridge 5 has
P-BID = 28 672, the other bridges have P-BID = 32 768.
Legend: P-BID = priority of the bridge identification (BID) = BID without MAC address; line styles for
root path and interrupted path]

Figure 45: Example of manipulating the root path
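
The selection rules from section 12.3.2, applied to the networks of figure 44 and figure 45, as an added example that is not part of the Hirschmann manual. Assumptions: the MAC addresses other than those of bridges 4 and 5, the port numbers other than Port 1 and Port 3 of bridge 4, and the uniform link cost of 200000 are constructed for the illustration.

```python
"""Root port selection following the rules of section 12.3.2 (added example)."""

LINK_COST = 200_000      # Table 23 value for 100 Mbit/s; the link speed is an assumption
PORT_PRIORITY = 128      # default port priority named in the manual


def bridge_id(priority: int, mac: str) -> bytes:
    """8-byte bridge identifier: 2 bytes priority (MSB) followed by the 6-byte MAC."""
    return priority.to_bytes(2, "big") + bytes.fromhex(mac.replace(":", ""))


def port_id(port_no: int, priority: int = PORT_PRIORITY) -> bytes:
    """2-byte port identifier: priority in the higher byte, port number in the lower."""
    return bytes([priority, port_no])


# Bridges 4 and 5 carry the MAC addresses shown in figure 44; the others are constructed.
MACS = {
    1: "00:01:02:03:04:01", 2: "00:01:02:03:04:02", 3: "00:01:02:03:04:03",
    4: "00:01:02:03:04:05", 5: "00:01:02:03:04:06", 6: "00:01:02:03:04:07",
}
# ((bridge, port), (bridge, port)). Only Port 1 and Port 3 of bridge 4 come from
# figure 44; every other port number is constructed.
LINKS = [
    ((1, 1), (2, 1)), ((1, 2), (3, 1)), ((2, 2), (3, 2)), ((2, 3), (4, 2)),
    ((3, 3), (5, 1)), ((4, 1), (6, 1)), ((4, 3), (6, 2)), ((5, 2), (6, 3)),
]
FIG44_PRIORITIES = {1: 16384, 2: 32768, 3: 32768, 4: 32768, 5: 32768, 6: 32768}
FIG45_PRIORITIES = {**FIG44_PRIORITIES, 5: 28672}


def select_root_ports(priorities, macs=MACS, links=LINKS, cost=LINK_COST):
    """Return (root bridge, {bridge: decision}) for the given bridge priorities."""
    bids = {b: bridge_id(p, macs[b]) for b, p in priorities.items()}
    root = min(bids, key=bids.get)           # numerically smallest bridge ID wins

    neighbours = {b: [] for b in bids}       # bridge -> (local port, peer, peer port)
    for (a, port_a), (b, port_b) in links:
        neighbours[a].append((port_a, b, port_b))
        neighbours[b].append((port_b, a, port_a))

    # Root path cost of every bridge: relax all links until nothing improves.
    rpc = {b: float("inf") for b in bids}
    rpc[root] = 0
    for _ in bids:
        for b in bids:
            for _port, peer, _peer_port in neighbours[b]:
                rpc[b] = min(rpc[b], rpc[peer] + cost)

    decisions = {}
    for b in bids:
        if b == root:
            continue                         # the root bridge has no root port
        # Figure 43 as one tuple comparison: root path cost first, then the bridge
        # ID of the neighbouring bridge, then the port ID on that bridge.
        candidates = [
            (rpc[peer] + cost, bids[peer], port_id(peer_port), local_port, peer)
            for local_port, peer, peer_port in neighbours[b]
        ]
        best_cost, _bid, _pid, local_port, peer = min(candidates)
        decisions[b] = {"root_port": local_port, "via": peer, "root_path_cost": best_cost}
    return root, decisions


if __name__ == "__main__":
    for label, prios in (("figure 44", FIG44_PRIORITIES), ("figure 45", FIG45_PRIORITIES)):
        root, decisions = select_root_ports(prios)
        print(label, "root bridge:", root, "bridge 6:", decisions[6])
```

With the figure 44 priorities, bridge 6 reaches the root via bridge 4 (lower MAC address) on the link to Port 1; lowering the priority of bridge 5 to 28672 moves the root port of bridge 6 to the link towards bridge 5.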


 Example of manipulating the tree structure


The Management Administrator soon discovers that this configuration with bridge 1 as the root bridge
is invalid. On the paths from bridge 1 to bridge 2 and bridge 1 to bridge 3, the control packets which
the root bridge sends to all other bridges add up.
If the Management Administrator configures bridge 2 as the root bridge, the burden of the control
packets on the subnetworks is distributed much more evenly. The result is the configuration shown
here (see figure 46). The path costs for most of the bridges to the root bridge have decreased.

[Figure: network of bridges 1 to 7 with bridge 2 as the root bridge (P-BID = 16 384); the other bridges
have P-BID = 32 768. The MAC addresses 00:01:02:03:04:05 and 00:01:02:03:04:06 and the ports Port 1 and
Port 2 are labeled.
Legend: P-BID = priority of the bridge identification (BID) = BID without MAC address; line styles for
root path and interrupted path]

Figure 46: Example of manipulating the tree structure


12.3.4 The Rapid Spanning Tree Protocol


The RSTP uses the same algorithm for determining the tree structure as STP. RSTP merely changes
parameters, and adds new parameters and mechanisms that speed up the reconfiguration if a link or
bridge becomes inoperable.
The ports play a significant role in this context.

 Port roles
RSTP assigns each bridge port one of the following roles (see figure 47):

• Root port
This is the port at which a bridge receives data packets with the lowest path costs from the root
bridge.
If there are multiple ports with equally low path costs, the bridge ID of the bridge that leads to the
root (designated bridge) decides which of its ports is given the role of the root port by the bridge
further away from the root.
If a bridge has multiple ports with equally low path costs to the same bridge, the bridge uses the
port ID of the bridge leading to the root (designated bridge) to decide which port it selects locally
as the root port (see figure 43).
The root bridge itself does not have a root port.
• Designated port
The bridge in a network segment that has the lowest root path costs is the designated bridge.
If more than 1 bridge has the same root path costs, the bridge with the smallest value bridge
identifier becomes the designated bridge. The designated port on this bridge is the port that
connects a network segment leading away from the root bridge. If a bridge is connected to a
network segment with more than one port (via a hub, for example), the bridge gives the role of the
designated port to the port with the better port ID.
• Edge port
Every network segment with no additional RSTP bridges is connected with exactly one designated
port. In this case, this designated port is also an edge port. The distinction of an edge port is the
fact that it does not receive any RST BPDUs (Rapid Spanning Tree Bridge Protocol Data Units).
• Alternate port
This is a blocked port that takes over the task of the root port if the connection to the root bridge
is lost. The alternate port provides a backup connection to the root bridge.
• Backup port
This is a blocked port that serves as a backup in case the connection to the designated port of this
network segment (without any RSTP bridges) is lost.
• Disabled port
This is a port that does not participate in the Spanning Tree Operation, that means, the port is
switched off or does not have any connection.


[Figure: network of bridges labeled with BID = 16 384, BID = 20 480, BID = 24 576, BID = 28 672,
BID = 32 768 and BID = 40 960; Port 1 and Port 2 are labeled.
Legend: P-BID = priority of the bridge identification (BID) = BID without MAC address; line styles for
root path and interrupted path; symbols for root port, designated port, alternate port, backup port and
edge port]

Figure 47: Port role assignment

 Port states
Depending on the tree structure and the state of the selected connection paths, the RSTP assigns
the ports their states.

STP port state   Administrative       MAC Operational   RSTP Port state   Active topology (port role)
                 bridge port state
DISABLED         Disabled             FALSE             Discarding (a)    Excluded (disabled)
DISABLED         Enabled              FALSE             Discarding (a)    Excluded (disabled)
BLOCKING         Enabled              TRUE              Discarding (b)    Excluded (alternate, backup)
LISTENING        Enabled              TRUE              Discarding (b)    Included (root, designated)
LEARNING         Enabled              TRUE              Learning          Included (root, designated)
FORWARDING       Enabled              TRUE              Forwarding        Included (root, designated)
Table 24: Relationship between port state values for STP and RSTP
(a) The dot1d-MIB displays “Disabled”
(b) The dot1d-MIB displays “Blocked”

Meaning of the RSTP port states:
• Disabled: Port does not belong to the active topology
• Discarding: No address learning in FDB, no data traffic except for STP-BPDUs
• Learning: Address learning active (FDB), no data traffic apart from STP-BPDUs
• Forwarding: Address learning active (FDB), sending and receiving of all packet types (not only
STP-BPDUs)


 Spanning Tree Priority Vector


To assign roles to the ports, the RSTP bridges exchange configuration information with each other.
This information is known as the Spanning Tree Priority Vector. It is part of the RSTP BPDUs and
contains the following information:
• Bridge identification of the root bridge
• Root path costs of the sending bridge
• Bridge identification of the sending bridge
• Port identifiers of the ports through which the message was sent
• Port identifiers of the ports through which the message was received

Based on this information, the bridges participating in RSTP are able to determine port roles
themselves and define the port states of their own ports.

 Fast reconfiguration
Why can RSTP react faster than STP to an interruption of the root path?
• Introduction of edge ports:
During a reconfiguration, RSTP switches an edge port into the transmission mode after three
seconds (default setting) and then waits for the “Hello Time” to elapse, to be sure that no bridge
sending BPDUs is connected.
When the user ensures that an end device is connected at this port and will remain connected, there
are no waiting times at this port in the case of a reconfiguration.
• Introduction of alternate ports:
As the port roles are already distributed in normal operation, a bridge can immediately switch from
the root port to the alternate port after the connection to the root bridge is lost.
• Communication with neighboring bridges (point-to-point connections):
Decentralized, direct communication between neighboring bridges enables reaction without wait
periods to status changes in the spanning tree topology.
• Address table:
With STP, the age of the entries in the FDB determines the updating of communication. RSTP
immediately deletes the entries in those ports affected by a reconfiguration.
• Reaction to events:
Without having to adhere to any time specifications, RSTP immediately reacts to events such as
connection interruptions, connection reinstatements, etc.

Note: The downside of this fast reconfiguration is the possibility that data packets could be
duplicated and/or arrive at the recipient in the wrong order during the reconfiguration phase of the
RSTP topology. If this is unacceptable for your application, use the slower Spanning Tree Protocol
or select one of the other, faster redundancy procedures described in this manual.


 STP compatibility mode


The STP compatibility mode allows you to operate RSTP devices in networks with old installations.
If an RSTP device detects an older STP device, it switches on the STP compatibility mode at the
relevant port.

12.3.5 Configuring the device


RSTP configures the network topology completely independently. The device with the lowest bridge
priority automatically becomes the root bridge. However, to define a specific network structure
regardless, you specify a device as the root bridge. In general, a device in the backbone takes on this
role.

• Set up the network to meet your requirements, initially without redundant lines.
• You deactivate the flow control on the participating ports.
If the flow control and the redundancy function are active at the same time, there is a risk that the
redundancy function will not operate as intended. (Default setting: flow control deactivated globally
and activated on all ports.)
• Switch MRP off on all devices.
• Switch Spanning Tree on for all devices in the network.
In the state on delivery, Spanning Tree is switched on in the device.
• Open the Switching > L2-Redundancy > Spanning Tree > Global dialog.
• Enable the function.
• To save the changes temporarily, click the button.

enable                                       Change to the Privileged EXEC mode.
configure                                    Change to the Configuration mode.
spanning-tree operation                      Enables Spanning Tree.
show spanning-tree global                    Displays the parameters for checking.

• Now connect the redundant lines.
• Define the settings for the device that takes over the role of the root bridge.
• In the Priority field you enter a numerically lower value.
The bridge with the numerically lowest bridge ID has the highest priority and becomes the root
bridge of the network.
• To save the changes temporarily, click the button.

spanning-tree mst priority 0 <0..61440       Specifies the bridge priority of the device.
in steps of 4096>

After saving, the dialog shows the following information:
– The Bridge is root checkbox is marked.
– The Root port field shows the value 0.0.
– The Root path cost field shows the value 0.

show spanning-tree global                    Displays the parameters for checking.


• If applicable, change the values in the Forward delay [s] and Max age fields.
– The root bridge transmits the changed values to the other devices.
• To save the changes temporarily, click the button.

spanning-tree forward-time <4..30>           Specifies the delay time for the status change in seconds.
spanning-tree max-age <6..40>                Specifies the maximum permissible branch length, for example
                                             the number of devices to the root bridge.
show spanning-tree global                    Displays the parameters for checking.

Note: The parameters Forward delay [s] and Max age have the following relationship:
Forward delay [s] ≥ (Max age /2) + 1
If you enter values in the fields that contradict this relationship, the device replaces these values with
the last valid values or with the default value.

Note: If possible, do not change the value in the “Hello Time” field.

• Check the following values in the other devices:
– Bridge ID (bridge priority and MAC address) of the corresponding device and the root bridge.
– Number of the device port that leads to the root bridge.
– Path cost from the root port of the device to the root bridge.

show spanning-tree global                    Displays the parameters for checking.


12.3.6 Guards
The device allows you to activate various protection functions (guards) on the device ports.
The following protection functions help protect your network from incorrect configurations, loops and
attacks with STP-BPDUs:

• BPDU Guard – for manually specified edge ports (end device ports)
You activate this protection function globally in the device.

Terminal device ports do not normally receive any STP-BPDUs. If an attacker still attempts to feed
in STP-BPDUs at this port, the device deactivates the device port.

• Root Guard – for designated ports
You activate this protection function separately for every device port.

If a designated port receives an STP-BPDU with better path information to the root bridge, the device
discards the STP-BPDU and sets the transmission state of the port to discarding instead of root.
If there are no STP-BPDUs with better path information to the root bridge, after 2 x Hello time [s]
the device resets the state of the port to a value according to the port role.

• TCN Guard – for ports that receive STP-BPDUs with a Topology Change flag
You activate this protection function separately for every device port.


If the protection function is activated, the device ignores Topology Change flags in received
STP-BPDUs. This does not change the content of the address table (FDB) of the device port. However,
additional information in the BPDU that changes the topology is processed by the device.

• Loop Guard – for root, alternate and backup ports
You activate this protection function separately for every device port.

This protection function prevents the transmission status of a port from unintentionally being changed
to forwarding if the port does not receive any more STP-BPDUs. If this situation occurs, the device
designates the loop status of the port as inconsistent, but does not forward any data packets.

 Activating the BPDU Guard


• Open the Switching > L2-Redundancy > Spanning Tree > Global dialog.
• Mark the BPDU guard checkbox.
• To save the changes temporarily, click the button.

enable                                       Change to the Privileged EXEC mode.
configure                                    Change to the Configuration mode.
spanning-tree bpdu-guard                     Activates the BPDU Guard.
show spanning-tree global                    Displays the parameters for checking.


• Open the Switching > L2-Redundancy > Spanning Tree > Port dialog.
• Switch to the CIST tab.
• For end device ports, mark the checkbox in the Admin edge port column.
• To save the changes temporarily, click the button.

interface <x/y>                              Change to the interface configuration mode of interface <x/y>.
spanning-tree edge-port                      Designates the port as a terminal device port (edge port).
show spanning-tree port x/y                  Displays the parameters for checking.
exit                                         Leaves the interface mode.

If an edge port receives an STP-BPDU, the device behaves as follows:
• The device deactivates this port.
In the Basic Settings > Port dialog, Configuration tab, the checkbox for this port in the Port
on column is unmarked.
• The device designates the port.
In the Switching > L2-Redundancy > Spanning Tree > Port dialog, Guards tab, the
checkbox in the BPDU guard effect column is marked.

show spanning-tree port x/y                  Displays the parameters of the port for checking. The value of the
                                             BPDU guard effect parameter is enabled.

To reset the status of the device port to the value forwarding, you proceed as follows:
• If the port is still receiving BPDUs:
– Remove the manual definition as an edge port (end device port).
or
– Deactivate the BPDU Guard.
• Activate the device port again.

 Activating Root Guard / TCN Guard / Loop Guard


• Open the Switching > L2-Redundancy > Spanning Tree > Port dialog.
• Switch to the Guards tab.
• For designated ports, select the checkbox in the Root guard column.
• For ports that receive STP-BPDUs with a Topology Change flag, select the checkbox in the
TCN guard column.
• For root, alternate or backup ports, mark the checkbox in the Loop guard column.

Note: The Root guard and Loop guard functions are mutually exclusive. If you try to activate
the Root guard function while the Loop guard function is activated, the device deactivates the
Loop guard function.
• To save the changes temporarily, click the button.

enable                                       Change to the Privileged EXEC mode.
configure                                    Change to the Configuration mode.
interface <x/y>                              Change to the interface configuration mode of interface <x/y>.
spanning-tree guard-root                     Switches the Root Guard on at the designated port.
spanning-tree guard-tcn                      Switches the TCN Guard on at the port that receives STP-BPDUs
                                             with a Topology Change flag.
spanning-tree guard-loop                     Switches the Loop Guard on at a root, alternate or backup port.
exit                                         Leaves the interface mode.
show spanning-tree port x/y                  Displays the parameters of the port for checking.
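
The reactions of the 4 guards described in section 12.3.6, modelled as a small state machine. This is an added example for checking a planned guard assignment, not Hirschmann code or device output. Assumptions: the Hello Time of 2 seconds, the BPDU timeout of 3 x Hello Time, and all port names and priority vectors are constructed.

```python
"""Model of the guard reactions described in section 12.3.6 (added example)."""
from dataclasses import dataclass
from typing import Optional

HELLO_TIME = 2                  # seconds; assumed value for this model
BPDU_TIMEOUT = 3 * HELLO_TIME   # assumption: BPDUs count as missing after this time


@dataclass
class Port:
    name: str
    role: str                   # "designated", "root", "alternate" or "backup"
    state: str = "forwarding"
    admin_edge: bool = False
    root_guard: bool = False
    tcn_guard: bool = False
    loop_guard: bool = False
    port_on: bool = True
    bpdu_guard_effect: bool = False
    loop_inconsistent: bool = False
    fdb_flushes: int = 0
    last_bpdu: float = 0.0
    root_guard_hit: Optional[float] = None


class Bridge:
    def __init__(self, root_vector, bpdu_guard=False):
        self.root_vector = root_vector   # (root priority, root MAC, root path cost)
        self.bpdu_guard = bpdu_guard     # BPDU Guard is a global setting

    @staticmethod
    def enable_root_guard(port):
        port.root_guard = True
        port.loop_guard = False          # the two functions are mutually exclusive

    def receive_bpdu(self, port, vector, now, topology_change=False):
        if not port.port_on:
            return "ignored: port is off"
        if self.bpdu_guard and port.admin_edge:
            port.port_on, port.state, port.bpdu_guard_effect = False, "disabled", True
            return "bpdu-guard: port deactivated"
        superior = vector < self.root_vector
        if superior and port.root_guard and port.role == "designated":
            port.state, port.root_guard_hit = "discarding", now
            return "root-guard: BPDU discarded"
        port.last_bpdu = now
        if superior:
            self.root_vector = vector    # unguarded port: the better root information wins
        if topology_change and port.tcn_guard:
            return "tcn-guard: flag ignored"   # the address table stays untouched
        if topology_change:
            port.fdb_flushes += 1        # address table entries of the port are deleted
        return "accepted"

    def tick(self, port, now):
        """Advance the timers of one port and return its state."""
        if port.root_guard_hit is not None and now - port.root_guard_hit >= 2 * HELLO_TIME:
            port.state, port.root_guard_hit = "forwarding", None  # back to the designated role
        if port.role in ("root", "alternate", "backup") and now - port.last_bpdu > BPDU_TIMEOUT:
            if port.loop_guard:
                port.loop_inconsistent, port.state = True, "discarding"
            else:
                port.role, port.state = "designated", "forwarding"  # what Loop Guard prevents
        return port.state


def demo():
    root = (16384, "00:01:02:03:04:01", 200_000)   # constructed current root information
    better = (0, "00:01:02:03:04:99", 0)           # constructed BPDU with better root information
    bridge = Bridge(root, bpdu_guard=True)
    out = {}

    edge = Port("1/5", "designated", admin_edge=True)
    out["bpdu_guard"] = (bridge.receive_bpdu(edge, better, now=0), edge.port_on)

    guarded = Port("1/6", "designated", loop_guard=True)
    Bridge.enable_root_guard(guarded)
    out["root_guard"] = (bridge.receive_bpdu(guarded, better, now=10),
                         bridge.tick(guarded, now=12), bridge.tick(guarded, now=14),
                         bridge.root_vector == root, guarded.loop_guard)

    tcn = Port("1/7", "designated", tcn_guard=True)
    out["tcn_guard"] = (bridge.receive_bpdu(tcn, root, now=20, topology_change=True),
                        tcn.fdb_flushes)

    alt = Port("1/8", "alternate", state="discarding", loop_guard=True)
    plain = Port("1/9", "alternate", state="discarding")
    out["loop_guard"] = (bridge.tick(alt, now=30), alt.loop_inconsistent,
                         bridge.tick(plain, now=30))
    return out


if __name__ == "__main__":
    for guard, result in demo().items():
        print(guard, result)
```

Port 1/9 shows the case Loop Guard is there for: an alternate port without the guard that stops receiving BPDUs changes to forwarding, while port 1/8 stays in discarding and is flagged as inconsistent.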


12.3.7 Ring only mode


You use the Ring only mode function to recognize full-duplex connectivity and to configure the ports
that are connected to the end stations. The Ring only mode function allows the device to transition to
the ‘forwarding’ state, and suppress the Topology Change Notification PDUs.

 Configuring the Ring only mode


When you activate the Ring only mode function on the ports, the device ignores the message
age of normal BPDUs and sends Topology Change messages with the message age of 1.

 Example
The given example describes the configuration of the Ring only mode function.
• Open the Switching > L2-Redundancy > Spanning Tree > Spanning Tree Global dialog.
• In the Ring only mode frame, select the port 1/1 in the First port field.
• In the Ring only mode frame, select the port 1/2 in the Second port field.
• To activate the function, in the Ring only mode frame, mark the Active checkbox.
• To save the changes temporarily, click the button.

enable                                           Change to the Privileged EXEC mode.
configure                                        Change to the Configuration mode.
spanning-tree ring-only-mode operation           Enable the Ring only mode function.
spanning-tree ring-only-mode first-port 1/1      Specify port 1/1 as the first interface.
spanning-tree ring-only-mode second-port 1/2     Specify port 1/2 as the second interface.


12.4 Link Aggregation

Link Aggregation using the single switch method helps you overcome 2 limitations with Ethernet links,
namely bandwidth and redundancy.
The first problem that the Link Aggregation Group (LAG) function helps you with is bandwidth limitations
of individual ports. LAG allows you to combine 2 or more links in parallel, creating 1 logical link between
2 devices. The parallel links increase the bandwidth for traffic between the 2 devices.
You typically use Link Aggregation on the network backbone. The function provides you an inexpensive
way to incrementally increase bandwidth.
Furthermore, Link Aggregation provides for redundancy with a seamless failover. With 2 or more links
configured in parallel, when a link goes down, the other links in the group continue to forward traffic.
The device uses a hash option to determine load balancing across the port group. Tagging the egress
traffic allows the device to transmit associated packets across the same link.
The default settings for a new Link Aggregation instance are as follows:
• In the Configuration frame, the value in the Hashing option field is sourceDestMacVlan.
• In the Active column, the checkbox is marked.
• In the Send trap (Link up/down) column, the checkbox is marked.
• In the Static link aggregation column, the checkbox is unmarked.
• In the Hashing option column, the value is sourceDestMacVlan.
• In the Active ports (min.) column, the value is 1.

12.4.1 Methods of Operation


The device operates on the Single Switch method. The Single Switch method provides you an
inexpensive way to grow your network. The single switch method states that you need 1 device on each
side of a link to provide the physical ports. The device balances the traffic load across the group member
ports.
The device also uses the Same Link Speed method in which the group member ports are full-duplex,
point-to-point links having the same transmission rate. The first port the user adds to the group is the
master port and determines the bandwidth for the other member ports of the Link Aggregation Group.
The device allows you to set up as many as 8 Link Aggregation groups. The number of usable ports per Link
Aggregation group depends on the device.


 Hash Algorithm
The frame distributor is responsible for receiving frames from the end devices and transmitting them
over the Link Aggregation Group. The frame distributor implements a distribution algorithm
responsible for choosing the link used for transmitting any given packet. The hash option helps you
achieve load balancing across the group.
The following list contains options which you set for link selection.
 Source MAC address, VLAN ID, EtherType, and receiving port
 Destination MAC address, VLAN ID, EtherType, and receiving port
 Source/Destination MAC address, VLAN ID, EtherType, and receiving port
 Source IP address and Source TCP/UDP port
 Destination IP address and destination TCP/UDP port
 Source/destination IP address and source/destination TCP/UDP port
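
The following added example (not part of the manual or the device software) models how a frame distributor maps frames to member links for three of the MAC-based hashing options above. The XOR-fold hash, the option names other than sourceDestMacVlan, and the sample frames are assumptions made for illustration; the manual does not document the hash function the device computes.

```python
from functools import reduce

# Field sets for three of the hashing options listed above. Only
# sourceDestMacVlan is a name taken from the page; the other two keys are
# labels made up for this example.
HASH_FIELDS = {
    "sourceMacVlan": ("src_mac", "vlan", "ethertype", "in_port"),
    "destMacVlan": ("dst_mac", "vlan", "ethertype", "in_port"),
    "sourceDestMacVlan": ("src_mac", "dst_mac", "vlan", "ethertype", "in_port"),
}


def field_bytes(name, value):
    """Serialize one frame field to bytes for hashing."""
    if name.endswith("_mac"):
        return bytes.fromhex(value.replace(":", ""))
    if name in ("vlan", "ethertype"):
        return value.to_bytes(2, "big")
    return value.to_bytes(1, "big")  # receiving port as a small integer


def select_link(frame, option, active_links):
    """Pick the member link for one frame.

    The XOR fold is a stand-in hash (assumption): the page states which
    fields feed the hash, not how the device combines them.
    """
    if not active_links:
        raise ValueError("no active member links in the group")
    key = b"".join(field_bytes(f, frame[f]) for f in HASH_FIELDS[option])
    digest = reduce(lambda acc, byte: acc ^ byte, key, 0)
    return active_links[digest % len(active_links)]


def distribute(frames, option, active_links):
    """Return {link: [frame ids]} for a list of frames."""
    usage = {link: [] for link in active_links}
    for frame in frames:
        usage[select_link(frame, option, active_links)].append(frame["id"])
    return usage


# Constructed sample: one server sending to four workstations. Every frame
# enters the switch on port 5 in VLAN 1 with EtherType 0x0800.
SERVER = "02:00:00:00:00:aa"
FRAMES = [
    {"id": n, "src_mac": SERVER, "dst_mac": f"02:00:00:00:00:{n:02x}",
     "vlan": 1, "ethertype": 0x0800, "in_port": 5}
    for n in range(1, 5)
]

if __name__ == "__main__":
    lag = ["1/1", "1/2"]
    # Source and destination in the key: conversations spread over both links.
    print("src+dst :", distribute(FRAMES, "sourceDestMacVlan", lag))
    # Source only: a single sender produces one key, so one link carries it all.
    print("src only:", distribute(FRAMES, "sourceMacVlan", lag))
    # Member 1/2 down: every conversation moves to the remaining link.
    print("1/2 down:", distribute(FRAMES, "sourceDestMacVlan", ["1/1"]))
```

Each conversation always maps to the same member link, which keeps its frames in order but also means that one conversation never gets more than the bandwidth of one member.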

 Static and Dynamic Links


The device allows you to set up static and dynamic links.
 Static Links - The administrator sets up and maintains the links manually. For example, when a
link fails and there is a media converter between the devices, the media converter continues
forwarding traffic on the link causing the link to fail. Another possibility is that cabling or an
undetected configuration mistake causes undesirable network behavior. In this case, the network
administrator manually changes the link setup to restore traffic.
 Dynamic Links - The device confirms that the setup on the remote device is able to handle link
aggregation and failover occurs automatically.

12.4.2 Link Aggregation Example


Connect multiple workstations using one aggregated link group between switch 1 and 2. By aggregating
multiple links, higher speeds are achievable without a hardware upgrade.

[Figure: Switch 1 (Server 2 on port 5, Hubs 4 to 6 on ports 6 to 8) and Switch 2 (Server 1 on port 5, Hubs 1 to 3 on ports 6 to 8), linked through ports 1 and 2.]

Figure 48: Link Aggregation Switch to Switch Network


Use the following steps to set up switch 1 and 2 in the graphical user interface.
 Open the Switching > L2-Redundancy > Link Aggregation dialog.
 Click the button.
The dialog displays the Create window.
 In the Trunk port drop-down list, select the instance number of the link aggregation group.
 In the Port drop-down list, select the port 1/1.
 Click the Ok button.
 Repeat the preceding steps and select the port 1/2.
 Click the Ok button.


 To save the changes temporarily, click the button.

enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
link-aggregation add lag/1 Creates a Link Aggregation Group lag/1.
link-aggregation modify lag/1 addport 1/1 Adds port 1/1 to the Link Aggregation Group.
link-aggregation modify lag/1 addport 1/2 Adds port 1/2 to the Link Aggregation Group.


12.5 Link Backup

Link Backup provides a redundant link for traffic on Layer 2 devices. When the device detects an error
on the primary link, then the device transfers traffic to the backup link. You typically use Link Backup in
service-provider or enterprise networks.
You set up the backup links in pairs, one as a primary and one as a backup. When providing redundancy
for enterprise networks for example, the device allows you to set up more than 1 pair. The maximum
number of link backup pairs is: total number of physical ports / 2. Furthermore, the device sends an
SNMP trap when the state of a port participating in a link backup pair changes.
When configuring link backup pairs remember the following rules:
 A link pair consists of any combination of physical ports. For example, 1 port can be a 100 Mbit port
and the other a 1000 Mbit SFP port.
 A specific port is a member of 1 link backup pair at any given time.
 Verify that the ports of a link backup pair are members of the same VLAN with the same VLAN ID.
When the primary port or backup port is a member of a VLAN, then assign the second port of the pair
to the same VLAN.
The default setting for this function is inactive without any link backup pairs.

Note: Verify that the Spanning Tree Protocol is disabled on the Link Backup ports.

12.5.1 Fail Back Description


Link Backup also allows you to set up a Fail Back option. When you activate the fail back function and
the primary link returns to normal operation, the device first blocks traffic on the backup port and then
forwards traffic on the primary port. This process helps protect the device from causing loops in the
network.
When the primary port returns to the link up and active state, the device supports 2 modes of operation:
 When you inactivate Fail back, the primary port remains in the blocking state until the backup link
fails.
 When you activate Fail back, and after the Fail back delay [s] timer expires, the primary port
returns to the forwarding state and the backup port changes to down.
In the cases listed above, the port forcing its link to forward traffic first sends a "flush FDB" packet to
the remote device. The flush packet helps the remote device quickly relearn the MAC addresses.


12.5.2 Example Configuration


In the example network below, you connect ports 2/3 and 2/4 on switch A to the uplink switches B
and C. When you set up the ports as a Link Backup pair, 1 of the ports forwards traffic and the other port
is in the blocking mode.
The primary, port 2/3 on switch A, is the active port and is forwarding traffic to port 1 on switch B. Port
2/4 on switch A is the backup port and is blocking traffic.
When switch A disables port 2/3 because of a detected error, then port 2/4 on switch A starts
forwarding traffic to port 2 on switch C.
When port 2/3 returns to the active state, "no shutdown", with Fail back activated and Fail back
delay [s] set to 30 seconds, then after the timer expires, port 2/4 first blocks the traffic and then port 2/3
starts forwarding the traffic.

[Figure: Switch A with port 2/3 connected to port 1 on Switch B and port 2/4 connected to port 2 on Switch C.]

Figure 49: Link Backup example network


The following tables contain examples of parameters for Switch A set up.
 Open the Switching > L2-Redundancy > Link Backup dialog.
 Enter a new Link Backup pair in the table:
 Click the button.
The dialog displays the Create window.
 In the Primary port drop-down list, select port 2/3.
In the Backup port drop-down list, select port 2/4.
 Click the Ok button.
 In the Description textbox, enter Link_Backup_1 as the name for the backup pair.
 To activate the Fail Back function for the link backup pair, mark the Fail back checkbox.
 To set the fail back timer for the link backup pair, enter 30 s in Fail back delay [s].
 To activate the link backup pair, mark the Active checkbox.
 To enable the function, select the On radio button in the Operation frame.
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
interface 2/3 Change to the interface configuration mode of interface 2/3.
link-backup add 2/4 Creates a Link Backup instance where port 2/3 is the primary port and port 2/4 is the backup port.
link-backup modify 2/4 description Link_Backup_1 Specifies the string Link_Backup_1 as the name of the backup pair.
link-backup modify 2/4 failback-status enable Enables the fail back timer.
link-backup modify 2/4 failback-time 30 Specifies the fail back delay time as 30 s.
link-backup modify 2/4 status enable Enables the Link Backup instance.
exit Change to the Configuration mode.
link-backup operation Enables the Link Backup function globally on the device.
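
The following added example (not from the manual) models the fail-over and fail back sequence of the pair configured above, with port 2/3 as primary, port 2/4 as backup and a 30 s fail back delay. The class, the event names, the flush on every switch-over and the timer restart after a primary flap are assumptions of this model.

```python
class LinkBackupPair:
    """Minimal model of one Link Backup pair (primary and backup port)."""

    def __init__(self, primary, backup, failback=True, failback_delay=30):
        self.primary, self.backup = primary, backup
        self.failback, self.failback_delay = failback, failback_delay
        self.link_up = {primary: True, backup: True}
        self.forwarding = primary   # the other port of the pair blocks
        self.failback_due = None    # time at which a pending fail back fires
        self.log = []               # entries: (time, action, port)

    def _forward_on(self, t, port):
        """Block the old port first, then flush the remote FDB and forward.

        The page describes the flush for the listed fail back cases; sending
        it on every switch-over is an assumption of this model.
        """
        if self.forwarding is not None:
            self.log.append((t, "block", self.forwarding))
        self.log.append((t, "flush-fdb", port))
        self.log.append((t, "forward", port))
        self.forwarding = port

    def advance(self, t):
        """Fire a pending fail back whose delay has expired by time t."""
        if self.failback_due is not None and t >= self.failback_due:
            due, self.failback_due = self.failback_due, None
            self._forward_on(due, self.primary)

    def link_event(self, t, port, up):
        """Process a link up/down event on one port of the pair at time t."""
        self.advance(t)
        self.link_up[port] = up
        other = self.backup if port == self.primary else self.primary
        if not up:
            if port == self.primary:
                self.failback_due = None   # assumption: a flap cancels the timer
            if port == self.forwarding:
                self.log.append((t, "down", port))
                self.forwarding = None
                if self.link_up[other]:
                    self._forward_on(t, other)
        elif port == self.primary and self.forwarding == self.backup:
            if self.failback:
                self.failback_due = t + self.failback_delay
            # Fail back inactive: the primary stays blocking until the backup fails.
        elif self.forwarding is None:
            self._forward_on(t, port)      # first link to return carries traffic


def run_example(failback):
    """Replay the scenario of the example network and return the event log."""
    pair = LinkBackupPair("2/3", "2/4", failback=failback, failback_delay=30)
    pair.link_event(10, "2/3", up=False)   # detected error on the primary link
    pair.link_event(40, "2/3", up=True)    # primary restored ("no shutdown")
    pair.link_event(100, "2/4", up=False)  # backup link fails later
    return pair.log


if __name__ == "__main__":
    for mode in (True, False):
        print("Fail back active:" if mode else "Fail back inactive:")
        for entry in run_example(mode):
            print("  t=%3d s  %-9s port %s" % entry)
```

With Fail back active the switch back to port 2/3 happens at 70 s, 30 s after the primary link returned; with Fail back inactive port 2/3 only forwards again once port 2/4 fails at 100 s.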


12.6 HIPER Ring Client

The concept of HIPER Ring Redundancy enables the construction of high-availability, ring-shaped
network structures. The HIPER Ring Client function allows the network administrator to extend an
existing HIPER Ring or replace a client device already participating in a HIPER Ring.
When the device senses that the link on a ring port goes down, the device sends a LinkDown packet to
the Ring Manager (RM) and flushes the FDB table. Once the RM receives the LinkDown packet, it
immediately forwards the data stream over both the primary and secondary ring ports. Thus, the RM is
able to maintain the integrity of the HIPER Ring.
The device only supports Fast Ethernet and Gigabit Ethernet ports as ring ports. Furthermore, you can
include the ring ports in a LAG instance.
In the default state, the HIPER Ring client is inactive, and the primary and secondary ports are set to no
Port.

Note: Deactivate the Spanning Tree Protocol (STP) for the ring ports in the Switching > L2-
Redundancy > Spanning Tree > Spanning Tree Port dialog, because STP and HIPER Ring have
different reaction times.

| Port type | Bit rate | Automatic configuration | Port on | Manual configuration |
|---|---|---|---|---|
| TX | 100 Mbit/s | unmarked | marked | 100 Mbit/s FDX |
| TX | 1 Gbit/s | – | marked | – |
| Optical | 100 Mbit/s | unmarked | marked | 100 Mbit/s FDX |
| Optical | 1 Gbit/s | – | marked | – |

Table 25: Port settings for ring ports

12.6.1 VLANS on the HIPER Ring


The device allows you to forward VLAN data over the HIPER Ring. Thus the device provides
redundancy for your VLAN data. The ring device forwards management data around the ring, for
example on VLAN 1. In order for the data to reach the management station, the ring devices forward
the untagged management data on the ring ports. Also, specify the ring ports as members in VLAN 1.
When you have other VLANs traversing your ring devices, then the ring devices forward the other VLAN
data as tagged.
To specify the VLAN settings, perform the following steps:
 Open the Switching > VLAN > VLAN Configuration dialog.
 To allow the device to forward untagged VLAN management data on the ring ports, in the
VLAN 1 row, ring port drop-down lists, select U.
 To block management packets from being forwarded to the non-ring ports, in the VLAN 1 row,
non-ring port drop-down lists, select -.
 To allow a ring device to forward VLAN data to and from ports with VLAN membership, in the
VLAN row, ring port drop-down list, select T.


 Open the Switching > VLAN > VLAN Port dialog.


 To assign VLAN 1 membership to the ring ports, in the ring port rows, Port-VLAN ID field,
enter 1.
 To assign VLAN membership to the non-ring ports, in the port row, Port-VLAN ID field, enter
the appropriate VLAN ID.

12.6.2 HIPER Ring over LAG


The HIPER ring function allows you to link the devices together over a Link Aggregation Group (LAG).
The ring clients and Ring Manager behave in the same manner as a ring without a LAG instance.
When a LAG link goes down, the other link in the instance also goes down making a break in the ring.
After detecting a break in the ring, the affected ports send a Link Down packet to the Ring Manager. The
Ring Manager unblocks the secondary port, sending data in both directions around the ring, and replies
with a Delete packet. Upon receiving a Delete packet, the ring participants flush their FDB.


12.7 FuseNet ™

FuseNet ™ is a family of Hirschmann proprietary protocols which allows you to couple the following
networks:
– MRP
– HIPER Ring
– RSTP

Note: When you use the Ring/Network Coupling protocol to couple a network to the main ring, verify
that the networks contain only Hirschmann devices.
Use the following table to select the FuseNet coupling protocol:
Connected Network
Main Ring MRP RSTP HIPER ring
MRP Sub Ring 1) Redundant Coupling Protocol , Redundant Coupling Protocol ,
Ring/Network Coupling Ring/Network Coupling
HIPER ring Sub Ring Redundant Coupling Protocol , Ring/Network Coupling
Ring/Network Coupling
RSTP Redundant Coupling Protocol – Redundant Coupling Protocol

Explanation:
– no suitable coupling protocol
1) with MRP configured on different VLANs


12.8 Subring

The Sub Ring function is an extension of the Media Redundancy Protocol (MRP). This function allows
you to couple a subring to a main ring using various network structures.
The Subring protocol provides redundancy for devices by coupling both ends of an otherwise flat
network to a main ring.
Setting up subrings has the following advantages:
 Through the coupling process, you include the new network segment in the redundancy concept.
 Subrings allow easy integration of new areas into existing networks.
 Subrings allow you easy mapping of the organizational structure of an area in a network topology.
 In an MRP ring, the failover times of the subring in redundancy cases are typically < 100 ms.

12.8.1 Subring description


The subring concept allows you to couple new network segments to suitable devices in an existing ring
(main ring). The devices with which you couple the subring to the main ring are Subring Managers
(SRM).

[Figure: topology diagram with RM, SRM 1 and SRM 2; the ring ports are labeled 1.1, 1.2 and 1.3.]

Figure 50: Example of a subring structure


blue ring = Main ring
orange ring = Subring
red line = Redundant link
SRM = Subring Manager
RM = Ring Manager
The Subring Manager capable devices support up to 20 instances and thus manage up to 20 subrings
at the same time.
The Sub Ring function allows you to integrate devices that support MRP as participants. The devices
with which you couple the subring to the main ring require the Subring Manager function.
Each subring can consist of up to 200 participants, excluding the Subring Managers themselves and the
devices between the Subring Managers in the main ring.


The following figures display examples of possible subring topologies:

[Figure: topology diagram with RM, SRM 1, SRM 2, SRM 3 and SRM 4]

Figure 51: Example of an overlapping subring structure

[Figure: topology diagram with RM, SRM 1, SRM 2 and SRM 3]

Figure 52: Special case: A Subring Manager manages 2 subrings (2 instances). The Subring Manager is capable of
managing up to 20 instances.

[Figure: topology diagram with RM and SRM 1]

Figure 53: Special case: a Subring Manager manages both ends of a subring on different ports (Single Subring Manager).

Note: In the previous examples, the Subring Managers couple subrings solely to existing main rings.
The Sub Ring function prohibits cascaded subrings, for example coupling a new subring to another
existing subring.


When you use MRP for the main ring and the subring, then specify the VLAN settings as follows:
 VLAN X for the main ring
– on the ring ports of the main ring participants
– on the main ring ports of the Subring Manager
 VLAN Y for the Subring
– on the ring ports of the Subring participants
– on the subring ports of the Subring Manager
You can use the same VLAN for multiple subrings.

12.8.2 Subring example


In the following example, you couple a new network segment with 3 devices to an existing main ring
which uses the MRP protocol. If you couple the network at both ends instead of just 1 end, then the
subring provides increased availability with the corresponding configuration.
You couple the new network segment as a subring. You couple the subring to the existing devices of
the main ring using the following configuration types.

[Figure: topology diagram with RM, SRM 1 and SRM 2, marked VLAN 1 and VLAN 2; the ring ports are labeled 1.1, 1.2 and 1.3.]

Figure 54: Example of a subring structure


orange line= Main ring members in VLAN 1
black line= Subring members in VLAN 2
orange dash line= Main ring loop open
black dash line= Subring loop open
red line = Redundant link member in VLAN 1
SRM = Subring Manager
RM = Ring Manager
Proceed as follows to configure a subring:
 Configure the three devices of the new network segment as participants in an MRP ring:
– Configure the transmission rate and the duplex mode for the ring ports in accordance with the
following table:
| Port type | Bit rate | Autonegotiation (automatic configuration) | Port setting | Duplex |
|---|---|---|---|---|
| TX | 100 Mbit/s | off | on | 100 Mbit/s full duplex (FDX) |
| TX | 1 Gbit/s | on | on | - |
| Optical | 100 Mbit/s | off | on | 100 Mbit/s full duplex (FDX) |
| Optical | 1 Gbit/s | on | on | - |
| Optical | 10 Gbit/s | - | on | 10 Gbit/s full duplex (FDX) |

Table 26: Port settings for subring ports

The following steps contain additional settings for subring configuration:


 To help prevent loops during configuration, deactivate the Subring Manager function on the main ring
and subring devices. After you completely configure every device participating in the main ring and
subrings, activate the global Sub Ring function and Subring Managers.
 Disable the RSTP function on the MRP ring ports used in the subring.
 Verify that the Link Aggregation function is inactive on ports participating in the main ring and
subring.
 Specify a different VLAN membership for the main ring ports and subring ports even if the main ring
is using the MRP protocol. For example, use VLAN ID 1 for the main ring and the redundant link, then
use VLAN ID 2 for the subring.
– For the devices participating in the main ring for example, open the Switching > VLAN > VLAN
Configuration dialog. Create VLAN 1 in the static VLAN table. Tag the main ring ports for
membership in VLAN 1 by selecting T from the drop-down list of the appropriate port columns.
– For the devices participating in the subring use the step above and add the ports to VLAN 2 in the
static VLAN table.
 Activate the MRP function for the main ring and subring devices.
– In the Switching > L2-Redundancy > MRP dialog, configure the 2 ring ports participating in the
main ring on the main ring devices.
– For the devices participating in the subring use the step above and configure the 2 ring ports
participating in the subring on the subring devices.
– Assign the same MRP domain ID to the main ring and subring devices. If you use Hirschmann
Automation and Control GmbH devices solely, then the default values suffice for the MRP domain
ID.

Note: The MRP domain is a sequence of 16 numbers in the range from 0 to 255. The default value is
255.255.255.255.255.255.255.255.255.255.255.255.255.255.255.255. An MRP domain consisting entirely of
zeroes is invalid.
The Sub Ring dialog allows you to change the MRP domain ID if required. Otherwise open the
Command Line Interface (CLI) and proceed as follows:
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
mrp domain delete Deletes the current MRP domain.
mrp domain add domain-id 0.0.1.1.2.2.3.4.4.111.222.123.0.0.66.99 Creates a new MRP domain with the specified MRP domain ID. Any subsequent MRP domain changes apply to this domain ID.

12.8.3 Subring example configuration


Note: Avoid loops during configuration. Configure every device of the subring individually. Before you
activate the redundant link, completely configure every subring device.
Proceed as follows to configure the 2 Subring Managers in the example:
 Open the Switching > L2-Redundancy > Sub Ring dialog.


 To add a table entry, click the button.


 In the Port column, select the port that couples the device to the subring.
Use port 1/3 for this example.
For coupling, use one of the available ports with the exception of the ports which are already
connected to the main ring.
 In the Name column, assign a name to the subring.
For this example enter Test.
 In the SRM mode column, select Subring Manager mode.
You thus specify which port coupling the subring to the main ring becomes the redundant
manager.
The options for the coupling are:
 manager
When you specify both Subring Managers as the same value, the device with the higher MAC address
manages the redundant link.
 redundant manager
This device manages the redundant link, as long as you have specified the other Subring Manager as a
manager. Otherwise the device with the higher MAC address manages the redundant link.
Specify Subring Manager 1 as manager, in accordance with the figure depicting this example.
 Leave the values in the VLAN column and MRP domain column unchanged.
The default values are correct for the example configuration.
 To save the changes temporarily, click the button.

enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
sub-ring add 1 Creates a new subring with the subring ID 1.
sub-ring modify 1 port 1/3 Specify port 1/3 as subring port.
sub-ring modify 1 name Test Assign the name Test to the subring 1.
sub-ring modify 1 mode manager Assign the manager mode to the subring 1.
show sub-ring ring Display the subrings state on this device.
show sub-ring global Display the subring global state on this device.

 Configure the 2nd Subring Manager in the same way.


Specify Subring Manager 2 as redundant manager, in accordance with the figure depicting
this example.

 To activate the Subring Manager function, mark the Active checkbox in the appropriate row.
 After you have configured both Subring Managers and the devices participating in the subring,
enable the function and close the redundant link.
 To save the changes temporarily, click the button.

enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
sub-ring enable 1 Activate subring 1.
sub-ring enable 2 Activate subring 2.
exit Change to the Privileged EXEC mode.
show sub-ring ring <Domain ID> Display the settings of the selected subrings.
show sub-ring global Display global subring settings.
copy config running-config nvm profile Test Save the current settings in the configuration profile named Test in non-volatile memory (nvm).


12.9 Subring with LAG

There is a Link Aggregation (LAG) connection when at least two parallel redundant connecting lines
exist (known as a trunk) between two devices, and these lines are combined into one logical connection.
The device allows you to use the LAG ports as ring ports with the Sub Ring protocol.

12.9.1 Example
The following example is a simple setup between an MRP ring and a Subring.

Figure 55: Subring with Link Aggregation


The following table describes the device roles as seen in the figure above. The table provides
information of how you use the ring ports and Subring ports as LAG ports.
| Device Name | Ring Port | Main Ring Role | Sub Ring Role | Subring Port |
|---|---|---|---|---|
| MRC1 | 1/3, 1/4 | MRP client | - | - |
| SRM1 | 1/3, 1/4 | MRP client | Redundant Manager | lag/1 |
| SRM2 | 2/4, 2/5 | MRP manager | Manager | lag/1 |
| MRC2 | lag/1, 1/3 | - | MRP client | - |
| MRC3 | lag/1, 1/3 | - | MRP client | - |

Table 27: Devices, Ports and Roles

 MRP ring configuration


The devices participating in the Main ring are members of VLAN 300.
SRM2


enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
mrp domain add default-domain Creates a new MRP domain with the default domain ID.
mrp domain modify port primary 2/4 Specifies port 2/4 as ring port 1.
mrp domain modify port secondary 2/5 Specifies port 2/5 as ring port 2.
mrp domain modify mode manager Specifies that the device operates as the Ring manager. Do not activate the Ring manager function on any other device.
mrp domain modify operation enable Activates the MRP-Ring.
mrp domain modify vlan 300 Specifies the VLAN ID as 300.
mrp operation Enable the MRP function on the device.
MRC1, SRM1
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
mrp domain add default-domain Creates a new MRP domain with the default domain ID.
mrp domain modify port primary 1/3 Specifies port 1/3 as ring port 1.
mrp domain modify port secondary 1/4 Specifies port 1/4 as ring port 2.
mrp domain modify mode client Specifies the device role as ring client.
mrp domain modify operation enable Activates the MRP-Ring.
mrp domain modify vlan 300 Specifies the VLAN ID as 300.
mrp operation Enable the MRP function on the device.

 Subring configuration
The devices participating in the attached Sub-ring are members of VLAN 200.
SRM1
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
link-aggregation add lag/1 Creates a Link Aggregation Group lag/1.
link-aggregation modify lag/1 addport 1/1 Adds port 1/1 to the Link Aggregation Group.
link-aggregation modify lag/1 addport 1/2 Adds port 1/2 to the Link Aggregation Group.
link-aggregation modify lag/1 adminmode Activate the Link Aggregation Group.

enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
sub-ring add 1 Creates a new subring with the subring ID 1.
sub-ring modify 1 name SRM1 Assign the name SRM1 to the subring 1.
sub-ring modify 1 mode redundant-manager vlan 200 port lag/1 Assign the device the role of Sub-ring redundant manager in subring 1. If the subring is closed, the device blocks the ring port. VLAN 200 is set as the VLAN ID of the domain. The lag/1 port is set as a member in VLAN 200.
sub-ring enable 1 Activate subring 1.
sub-ring operation Enable the global Subring Manager functionality on this device.

SRM2
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
link-aggregation add lag/1 Creates a Link Aggregation Group lag/1.
link-aggregation modify lag/1 addport 2/7 Adds port 2/7 to the Link Aggregation Group.
link-aggregation modify lag/1 addport 2/8 Adds port 2/8 to the Link Aggregation Group.
link-aggregation modify lag/1 adminmode Activate the Link Aggregation Group.

enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
sub-ring add 1 Creates a new subring with the subring ID 1.
sub-ring modify 1 mode manager vlan 200 port lag/1 Assign the device the role of Subring Manager in subring 1. VLAN 200 is set as the VLAN ID of the domain. The lag/1 port is set as a member in VLAN 200.
sub-ring modify 1 name SRM2 Assign the name SRM2 to the subring 1.
sub-ring enable 1 Activate subring 1.
sub-ring operation Enable the global Subring Manager functionality on this device.

MRC 2, 3
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
mrp domain add default-domain Creates a new MRP domain with the default domain ID.
mrp domain modify port primary lag/1 Specifies port lag/1 as ring port 1.
mrp domain modify port secondary 1/3 Specifies port 1/3 as ring port 2.
mrp domain modify mode client Specifies the device role as ring client.
mrp domain modify operation enable Activates the MRP-Ring.
mrp domain modify vlan 200 Specifies the VLAN ID as 200.
mrp operation Enable the MRP function on the device.

 Disable STP
Disable the STP function on every port that you specified as an MRP or Sub-ring port. In the following
steps, port 1/3 is used as an example.
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
interface 1/3 Change to the interface configuration mode of interface 1/3.
no spanning-tree operation Disable the option.
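
The following added example (not Hirschmann code) audits per-device CLI scripts against prerequisites named in this chapter: STP disabled on every MRP and subring port, different VLANs for main ring and subring, a single Ring manager, and a valid, shared MRP domain ID. It parses only command forms shown in this chapter; the sample scripts and their port assignments are constructed.

```python
def parse_script(text):
    """Extract ring-related settings from one device's CLI script."""
    cfg = {"mrp_ports": set(), "mrp_mode": None, "mrp_vlan": None,
           "domain_id": None, "subrings": {}, "stp_off": set()}
    iface = None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "interface" and len(w) > 1:
            iface = w[1]
        elif w[0] == "exit":
            iface = None
        elif w == ["no", "spanning-tree", "operation"] and iface:
            cfg["stp_off"].add(iface)
        elif w[:4] == ["mrp", "domain", "add", "domain-id"]:
            cfg["domain_id"] = "".join(w[4:])  # rejoin an ID split by whitespace
        elif w[:4] == ["mrp", "domain", "modify", "port"] and len(w) == 6:
            cfg["mrp_ports"].add(w[5])
        elif w[:4] == ["mrp", "domain", "modify", "mode"] and len(w) == 5:
            cfg["mrp_mode"] = w[4]
        elif w[:4] == ["mrp", "domain", "modify", "vlan"] and len(w) == 5:
            cfg["mrp_vlan"] = int(w[4])
        elif w[:2] == ["sub-ring", "modify"] and len(w) >= 5:
            ring = cfg["subrings"].setdefault(w[2], {})
            ring.update(zip(w[3::2], w[4::2]))  # keyword/value pairs
    return cfg


def domain_id_problem(text):
    """Return a message if the MRP domain ID breaks the rules in the Note."""
    parts = text.split(".")
    if len(parts) != 16 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return "MRP domain ID must be 16 numbers in the range 0 to 255"
    if all(int(p) == 0 for p in parts):
        return "MRP domain ID consisting entirely of zeroes is invalid"
    return None


def audit(devices):
    """devices: {name: parsed settings}. Return a list of findings."""
    findings, managers = [], {}
    for name, cfg in devices.items():
        if cfg["domain_id"] is not None:
            problem = domain_id_problem(cfg["domain_id"])
            if problem:
                findings.append(f"{name}: {problem}")
        if cfg["mrp_mode"] == "manager":
            managers.setdefault(cfg["mrp_vlan"], []).append(name)
        ring_ports = set(cfg["mrp_ports"])
        for ring_id, ring in cfg["subrings"].items():
            if "port" in ring:
                ring_ports.add(ring["port"])
            if "vlan" in ring and int(ring["vlan"]) == cfg["mrp_vlan"]:
                findings.append(
                    f"{name}: subring {ring_id} uses the main ring VLAN {cfg['mrp_vlan']}")
        for port in sorted(ring_ports - cfg["stp_off"]):
            findings.append(f"{name}: STP still enabled on ring port {port}")
    for vlan, names in managers.items():
        if len(names) > 1:
            findings.append(
                f"VLAN {vlan}: more than one Ring manager ({', '.join(sorted(names))})")
    if len({cfg["domain_id"] for cfg in devices.values()}) > 1:
        findings.append("devices use different MRP domain IDs")
    return findings


# Constructed scripts for two Subring Managers: main ring on ports 1/1 and
# 1/2 in VLAN 1, subring on port 1/3.
COMMON = """\
mrp domain add default-domain
mrp domain modify port primary 1/1
mrp domain modify port secondary 1/2
mrp domain modify mode client
mrp domain modify vlan 1
sub-ring add 1
"""
STP_OFF = "interface {}\nno spanning-tree operation\nexit\n"
SCRIPTS = {
    "SRM1": COMMON + "sub-ring modify 1 mode manager vlan 2 port 1/3\n"
            + "".join(STP_OFF.format(p) for p in ("1/1", "1/2", "1/3")),
    # Defects planted on purpose: subring in the main ring VLAN, STP left on 1/3.
    "SRM2": COMMON + "sub-ring modify 1 mode redundant-manager vlan 1 port 1/3\n"
            + "".join(STP_OFF.format(p) for p in ("1/1", "1/2")),
}
DEVICES = {name: parse_script(text) for name, text in SCRIPTS.items()}

if __name__ == "__main__":
    for finding in audit(DEVICES):
        print(finding)
```

Run the audit before you activate the Subring Managers and close the redundant link.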


12.10 Ring/Network Coupling

Based on a ring, Ring/Network Coupling allows the redundant coupling of redundant rings or network
segments. Ring/Network Coupling connects 2 rings/network segments through 2 separate paths.
When the devices in the coupled network are Hirschmann devices, the Ring/Network Coupling
function supports coupling the following ring protocols in the primary and secondary rings:
 HIPER-Ring
 Fast HIPER-Ring
 MRP
The Ring/Network Coupling function can also couple network segments with bus and mesh
structures.

12.10.1 Methods of Ring/Network Coupling

 The One-Switch coupling

Two ports of one device in the first ring/network connect to one port each of two devices in the
second ring/network (see figure 56). In the One-Switch coupling method, the main line forwards data
and the device blocks the redundant line.
If the main line no longer functions, then the device immediately unblocks the redundant line. When
the main line is restored, the device blocks data on the redundant line. The main line forwards data
again.
The ring coupling detects and handles an error within 500 ms (typically 150 ms).

 The Two-Switch coupling

One port each from two devices in the first ring/network connect to one port each of two devices in
the second ring/network segment (see figure 58).
The device in the redundant line and the device in the main line use control packets to inform each
other about their operating states, using the Ethernet or a control line.
If the main line no longer functions, then the redundant device (Stand-by) immediately unblocks the
redundant line. As soon as the main line is restored, the device on the main line informs the
redundant device of this. The Stand-by device blocks data on the redundant line. The main line
forwards data again.
The ring coupling detects and handles an error within 500 ms (typically 150 ms).

The type of coupling configuration is primarily determined by the network topology and the desired
level of availability (see table 28).


| | One-Switch coupling | Two-Switch coupling | Two-Switch coupling with Control line |
|---|---|---|---|
| Application | The 2 devices are in impractical topological positions. Therefore, putting a link between them would involve a lot of effort for two-Switch coupling. | The 2 devices are in practical topological positions. Installing a control line would involve a lot of effort. | The 2 devices are in practical topological positions. Installing a control line would not involve much effort. |
| Disadvantage | If the Switch configured for the redundant coupling becomes inoperable, no connection remains between the networks. | More effort for connecting the 2 devices to the network (compared with one-Switch coupling). | More effort for connecting the two devices to the network (compared with one-Switch and two-Switch coupling). |
| Advantage | Less effort involved in connecting the 2 devices to the network (compared with two-Switch coupling). | If one of the devices configured for the redundant coupling becomes inoperable, the coupled networks are still connected. | If one of the devices configured for the redundant coupling becomes inoperable, the coupled networks are still connected. The partner determination between the coupling devices is more secure and faster than without the control line. |

Table 28: Selection criteria for the configuration types for redundant coupling

12.10.2 Prepare the Ring/Network Coupling


Using the images in the dialog you define the role of the devices within the Ring/Network Coupling.

Note: In the following screen shots and diagrams, the following conventions are used:
 Blue boxes and lines indicate devices or connections of the items currently being described.
 Solid lines indicate a main connection.
 Dash lines indicate a stand-by connection.
 Dotted lines indicate the control line.
 Open the Switching > L2-Redundancy > Ring/Network Coupling dialog.
 In the Mode frame, Type option list, select the required radio button.
 one-switch coupling
 two-switch coupling, master
 two-switch coupling, slave
 two-switch coupling with control line, master
 two-switch coupling with control line, slave

Note: Refrain from combining the Rapid Spanning Tree Protocol and Ring/Network Coupling .


One-Switch coupling

Figure 56: Example of One-Switch coupling


1: Ring
2: Backbone
3: Partner coupling port
4: Coupling port
5: Main line
6: Redundant line

The main line, indicated by the solid blue line, which is connected to the partner coupling port
provides coupling between the two networks in the normal mode of operation. If the main line is
inoperable, then the redundant line, indicated by the dashed blue line, which is connected to the
coupling port takes over the ring/network coupling. One switch performs the coupling switch-over.
The following settings apply to the device displayed in blue in the selected graphic.

Figure 57: One-switch-coupling

1: Coupling port
2: Partner coupling port

Perform the following steps:
• Open the Switching > L2-Redundancy > Ring/Network Coupling dialog.
• In the Mode frame, Type option list, select the one-switch coupling radio button.
  Note: Configure the Partner coupling port and the ring ports on different ports.
• In the Coupling port frame, Port drop-down list, select the port on which you connect the redundant line.


• In the Partner coupling port frame, Port drop-down list, select the port on which you connect the main line.
• To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.
• Connect the redundant line to the Partner coupling port.
  In the Partner coupling port frame, the State field displays the status of the Partner coupling port.
• Connect the main line to the Coupling port.
  In the Coupling port frame, the State field displays the status of the Coupling port.
  In the Information frame, the Redundancy available field displays whether or not the redundancy is available. The Configuration failure field displays whether or not the settings are complete and correct.

Perform the following steps for the coupling ports:

Note: The following settings are required for the coupling ports.
• Open the Basic Settings > Port dialog, Configuration tab.
• For the ports selected as the coupling ports, specify the settings according to the parameters in the following table.
• To save the changes temporarily, click the button.

| Port type | Bit rate | Automatic configuration | Port on | Manual configuration |
|---|---|---|---|---|
| TX | 100 Mbit/s | unmarked | marked | 100 Mbit/s FDX |
| TX | 1 Gbit/s | – | marked | – |
| Optical | 100 Mbit/s | unmarked | marked | 100 Mbit/s FDX |
| Optical | 1 Gbit/s | – | marked | – |

Table 29: Port settings for ring ports

If you have configured VLANs on the coupling ports, perform the following steps to specify the VLAN settings on the coupling and partner coupling ports:
• Open the Switching > VLAN > VLAN Port dialog.
• Change the Port-VLAN ID setting to the value of the VLAN ID configured on the ports.
• Unmark the Ingress filtering checkbox for both coupling ports.
• Open the Switching > VLAN > VLAN Configuration dialog.
• To tag the redundant connections for VLAN 1 and VLAN Membership, enter the value T in the cells corresponding to both coupling ports on the VLAN 1 row.
• To save the changes temporarily, click the button.
The coupling devices send the redundancy packets with the highest priority on VLAN 1.

• In the Configuration frame, Redundancy mode option list, specify the type of redundancy:
  – With the redundant ring/network coupling setting, either the main line or the redundant line is active. The setting allows the devices to toggle between both lines.
  – When you activate the extended redundancy setting, the main line and the redundant line are active simultaneously. The setting allows you to add redundancy to the coupling network. When the connection between the coupling devices in the second network becomes inoperable, the coupling devices continue to transmit and receive data.
    Note: During the reconfiguration period, packet duplications can occur. Therefore, select this setting only if your devices detect packet duplications.


The Coupling mode describes the type of the backbone network to which you connect the ring network (see figure 56).
• In the Configuration frame, Coupling mode option list, specify the type of the second network:
  – If you connect to a ring network, then select the ring coupling radio button.
  – If you connect to a bus or mesh structure, then select the network coupling radio button.
• To save the changes temporarily, click the button.

Perform the following steps to reset the coupling settings to the default state:
• Click the button and then the Reset item.


Two-Switch coupling

Figure 58: Example of Two-Switch coupling


1: Ring
2: Backbone
3: Main line
4: Redundant line
The coupling between 2 networks is performed by the main line, indicated by the solid blue line. If the main line or one of the adjacent devices becomes inoperable, the redundant line, indicated by the dashed black line, takes over the network coupling. The coupling is performed by 2 devices.
The devices send control packets to each other over the Ethernet.
The primary device connected to the main line, and the stand-by device connected to the redundant line are partners with regard to the coupling.

• Connect the 2 partners using the ring ports.

Two-Switch coupling, Primary device

The following settings apply to the device displayed in blue in the selected graphic.

Figure 59: Two-Switch coupling, Primary device

1: Coupling port
2: Partner coupling port

Perform the following steps:
• Open the Switching > L2-Redundancy > Ring/Network Coupling dialog.


• In the Mode frame, Type option list, select the two-switch coupling, master radio button.
• In the Coupling port frame, Port drop-down list, select the port on which you connect the network segments.
  Configure the Coupling port and the ring ports on different ports.
• To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.
• Connect the main line to the Coupling port.
  In the Coupling port frame, the State field displays the status of the Coupling port.
  If the partner is already operating in the network, then the IP address field in the Partner coupling port frame displays the IP address of the partner port.
  In the Information frame, the Redundancy available field displays whether or not the redundancy is available. The Configuration failure field displays whether or not the settings are complete and correct.

Note: If you operate the Ring manager function and a two-switch coupling function on the same device, there is the possibility of creating a loop.
To help prevent continuous loops while the connections are in operation on the ring coupling ports, the device sets the port state of the coupling port to “off” if you perform one of the following actions:
– disable the operation
– change the configuration

Perform the following steps for the coupling ports:

• Open the Basic Settings > Port dialog, Configuration tab.
• For the ports selected as the coupling ports, specify the settings according to the parameters in the following table.
• To save the changes temporarily, click the button.

| Port type | Bit rate | Autonegotiation (automatic configuration) | Port setting | Duplex |
|---|---|---|---|---|
| TX | 100 Mbit/s | off | on | 100 Mbit/s full duplex (FDX) |
| TX | 1 Gbit/s | on | on | - |
| Optical | 100 Mbit/s | off | on | 100 Mbit/s full duplex (FDX) |
| Optical | 1 Gbit/s | on | on | - |
| Optical | 10 Gbit/s | - | on | 10 Gbit/s full duplex (FDX) |

Table 30: Port settings for ring ports

If you have configured VLANs on the coupling ports, perform the following steps to specify the VLAN settings on the coupling and partner coupling ports:
• Open the Switching > VLAN > VLAN Port dialog.
• Change the Port-VLAN ID setting to the value of the VLAN ID configured on the ports.
• Unmark the Ingress filtering checkbox for both coupling ports.
• Open the Switching > VLAN > VLAN Configuration dialog.
• To tag the redundant connections for VLAN 1 and VLAN Membership, enter the value T in the cells corresponding to both coupling ports on the VLAN 1 row.
• To save the changes temporarily, click the button.
The coupling devices send the redundancy packets with the highest priority on VLAN 1.


Two-Switch coupling, Stand-by device

The following settings apply to the device displayed in blue in the selected graphic.

Figure 60: Two-Switch coupling, Stand-by device

1: Coupling port
2: Partner coupling port

Perform the following steps:
• Open the Switching > L2-Redundancy > Ring/Network Coupling dialog.
• In the Mode frame, Type option list, select the two-switch coupling, slave radio button.
• In the Coupling port frame, Port drop-down list, select the port on which you connect the network segments.
  Configure the Coupling port and the ring ports on different ports.
• To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.
• Connect the redundant line to the Coupling port.
  In the Coupling port frame, the State field displays the status of the Coupling port.
  If the partner is already operating in the network, then the IP address field in the Partner coupling port frame displays the IP address of the partner port.
  In the Information frame, the Redundancy available field displays whether or not the redundancy is available. The Configuration failure field displays whether or not the settings are complete and correct.

Note: If you operate the Ring manager function and a two-switch coupling function on the same device, there is the possibility of creating a loop.
To help prevent continuous loops while the connections are in operation on the ring coupling ports, the device sets the port state of the coupling port to “off” if you perform one of the following actions:
– disable the operation
– change the configuration

Perform the following steps for the coupling ports:

• Open the Basic Settings > Port dialog, Configuration tab.
• For the ports selected as the coupling ports, specify the settings according to the parameters in the following table.
• To save the changes temporarily, click the button.

| Port type | Bit rate | Autonegotiation (automatic configuration) | Port setting | Duplex |
|---|---|---|---|---|
| TX | 100 Mbit/s | off | on | 100 Mbit/s full duplex (FDX) |
| TX | 1 Gbit/s | on | on | - |
| Optical | 100 Mbit/s | off | on | 100 Mbit/s full duplex (FDX) |
| Optical | 1 Gbit/s | on | on | - |
| Optical | 10 Gbit/s | - | on | 10 Gbit/s full duplex (FDX) |

Table 31: Port settings for ring ports


If you have configured VLANs on the coupling ports, perform the following steps to specify the VLAN settings on the coupling and partner coupling ports:
• Open the Switching > VLAN > VLAN Port dialog.
• Change the Port-VLAN ID setting to the value of the VLAN ID configured on the ports.
• Unmark the Ingress filtering checkbox for both coupling ports.
• Open the Switching > VLAN > VLAN Configuration dialog.
• To tag the redundant connections for VLAN 1 and VLAN Membership, enter the value T in the cells corresponding to both coupling ports on the VLAN 1 row.
• To save the changes temporarily, click the button.
The coupling devices send the redundancy packets with the highest priority on VLAN 1.

Perform the following steps to specify the Redundancy mode and Coupling mode settings:
• Open the Switching > L2-Redundancy > Ring/Network Coupling dialog.
• In the Configuration frame, Redundancy mode option list, select one of the following radio buttons:
  – redundant ring/network coupling
    With this setting, either the main line or the redundant line is active. The setting allows the devices to toggle between both lines.
  – extended redundancy
    With this setting, the main line and the redundant line are active simultaneously. The setting allows you to add redundancy to the second network. When the connection between the coupling devices in the second network becomes inoperable, the coupling devices continue to transmit and receive data.
    During the reconfiguration period, packet duplications can occur. Therefore, select this setting only if your devices detect packet duplications.

Figure 61: Extended redundancy

• In the Configuration frame, Coupling mode option list, select one of the following radio buttons:
  – If you connect to a ring network, then select the ring coupling radio button.
  – If you connect to a bus or mesh structure, then select the network coupling radio button.
  The Coupling mode describes the type of the backbone network to which you connect the ring network (see figure 58).
• To save the changes temporarily, click the button.

Perform the following steps to reset the coupling settings to the default state:
• Click the button and then the Reset item.


Two-Switch Coupling with Control Line

Figure 62: Example of Two-Switch coupling with control line


1: Ring
2: Backbone
3: Main line
4: Redundant line
5: Control line
The coupling between 2 networks is performed by the main line, indicated by the solid blue line. If the main line or one of the adjacent devices becomes inoperable, the redundant line, indicated by the dashed blue line, takes over coupling the 2 networks. The ring coupling is performed by 2 devices.
The devices send control packets over a control line indicated by the dotted blue line in the figure below (see figure 63).
The primary device connected to the main line, and the stand-by device connected to the redundant line are partners with regard to the coupling.

• Connect the 2 partners using the ring ports.


Two-Switch coupling with Control Line, Primary device

The following settings apply to the device displayed in blue in the selected graphic.

Figure 63: Two-Switch coupling with Control Line, Primary device


1: Coupling port
2: Partner coupling port
3: Control line

Perform the following steps:

• Open the Switching > L2-Redundancy > Ring/Network Coupling dialog.
• In the Mode frame, Type option list, select the two-switch coupling with control line, master radio button.
• In the Coupling port frame, Port drop-down list, select the port on which you connect the network segments.
  Configure the Coupling port and the ring ports on different ports.
• In the Control port frame, Port drop-down list, select the port on which you connect the control line.
  Configure the Coupling port and the ring ports on different ports.
• To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.
• Connect the redundant line to the Coupling port.
  In the Coupling port frame, the State field displays the status of the Coupling port.
  If the partner is already operating in the network, then the IP address field in the Partner coupling port frame displays the IP address of the partner port.
• Connect the control line to the Control port.
  In the Control port frame, the State field displays the status of the Control port.
  If the partner is already operating in the network, then the IP address field in the Partner coupling port frame displays the IP address of the partner port.
  In the Information frame, the Redundancy available field displays whether or not the redundancy is available. The Configuration failure field displays whether or not the settings are complete and correct.

Note: If you operate the Ring manager function and a two-switch coupling function on the same device, there is the possibility of creating a loop.
To help prevent continuous loops while the connections are in operation on the ring coupling ports, the device sets the port state of the coupling port to “off” if you perform one of the following actions:
– disable the operation
– change the configuration

Perform the following steps for the coupling ports:

• Open the Basic Settings > Port dialog, Configuration tab.
• For the ports selected as the coupling ports, specify the settings according to the parameters in the following table.
• To save the changes temporarily, click the button.


| Port type | Bit rate | Autonegotiation (automatic configuration) | Port setting | Duplex |
|---|---|---|---|---|
| TX | 100 Mbit/s | off | on | 100 Mbit/s full duplex (FDX) |
| TX | 1 Gbit/s | on | on | - |
| Optical | 100 Mbit/s | off | on | 100 Mbit/s full duplex (FDX) |
| Optical | 1 Gbit/s | on | on | - |
| Optical | 10 Gbit/s | - | on | 10 Gbit/s full duplex (FDX) |

Table 32: Port settings for ring ports

If you have configured VLANs on the coupling ports, perform the following steps to specify the VLAN settings on the coupling and partner coupling ports:
• Open the Switching > VLAN > VLAN Port dialog.
• Change the Port-VLAN ID setting to the value of the VLAN ID configured on the ports.
• Unmark the Ingress filtering checkbox for both coupling ports.
• Open the Switching > VLAN > VLAN Configuration dialog.
• To tag the redundant connections for VLAN 1 and VLAN Membership, enter the value T in the cells corresponding to both coupling ports on the VLAN 1 row.
• To save the changes temporarily, click the button.
The coupling devices send the redundancy packets with the highest priority on VLAN 1.

Two-Switch coupling with Control Line, Stand-by device

The following settings apply to the device displayed in blue in the selected graphic.

Figure 64: Two-Switch coupling with Control Line, Stand-by device


1: Coupling port
2: Partner coupling port
3: Control line
Perform the following steps:
• Open the Switching > L2-Redundancy > Ring/Network Coupling dialog.
• In the Mode frame, Type option list, select the two-switch coupling with control line, slave radio button.
• In the Coupling port frame, Port drop-down list, select the port on which you connect the network segments.
  Configure the Coupling port and the ring ports on different ports.
• In the Control port frame, Port drop-down list, select the port on which you connect the control line.
  Configure the Coupling port and the ring ports on different ports.
• To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.


• Connect the redundant line to the Coupling port.
  In the Coupling port frame, the State field displays the status of the Coupling port.
  If the partner is already operating in the network, then the IP address field in the Partner coupling port frame displays the IP address of the partner port.
• Connect the control line to the Control port.
  In the Control port frame, the State field displays the status of the Control port.
  If the partner is already operating in the network, then the IP address field in the Partner coupling port frame displays the IP address of the partner port.
  In the Information frame, the Redundancy available field displays whether or not the redundancy is available. The Configuration failure field displays whether or not the settings are complete and correct.

Note: If you operate the Ring manager function and a two-switch coupling function on the same device, there is the possibility of creating a loop.
To help prevent continuous loops while the connections are in operation on the ring coupling ports, the device sets the port state of the coupling port to “off” if you perform one of the following actions:
– disable the operation
– change the configuration

Perform the following steps for the coupling ports:

• Open the Switching > VLAN > VLAN Port dialog.
• Change the Port-VLAN ID setting to the value of the VLAN ID configured on the ports.
• Unmark the Ingress filtering checkbox for both coupling ports.
• Open the Switching > VLAN > VLAN Configuration dialog.
• To tag the redundant connections for VLAN 1 and VLAN Membership, enter the value T in the cells corresponding to both coupling ports on the VLAN 1 row.
• To save the changes temporarily, click the button.
The coupling devices send the redundancy packets with the highest priority on VLAN 1.

Perform the following steps to specify the Redundancy mode and Coupling mode settings:
• Open the Switching > L2-Redundancy > Ring/Network Coupling dialog.
• In the Configuration frame, Redundancy mode option list, select one of the following radio buttons:
  – redundant ring/network coupling
    With this setting, either the main line or the redundant line is active. The setting allows the devices to toggle between both lines.
  – extended redundancy
    With this setting, the main line and the redundant line are active simultaneously. The setting allows you to add redundancy to the second network. When the connection between the coupling devices in the second network becomes inoperable, the coupling devices continue to transmit and receive data.
    During the reconfiguration period, packet duplications can occur. Therefore, select this setting only if your devices detect packet duplications.

Figure 65: Extended redundancy


• In the Configuration frame, Coupling mode option list, select one of the following radio buttons:
  – If you connect to a ring network, then select the ring coupling radio button.
  – If you connect to a bus or mesh structure, then select the network coupling radio button.
  The Coupling mode describes the type of the backbone network to which you connect the ring network (see figure 62).
• To save the changes temporarily, click the button.

Perform the following steps to reset the coupling settings to the default state:
• Click the button and then the Reset item.


12.11 RCP

Industrial applications require your networks to have high availability. This also involves maintaining
deterministic, short interruption times for the communication when a network device becomes
inoperable.
A ring topology provides short transition times with a minimal use of resources. However, ring topology
brings the challenge of coupling these rings together redundantly.
If you want to couple rings that run a redundancy protocol such as MRP, HIPER-Ring or RSTP, the
Redundant Coupling Protocol (RCP) provides you the required options.
RCP allows you to couple multiple secondary rings to a primary ring (see figure 66). Only the switches
which couple the rings require the Redundant Coupling Protocol function.
You can also use devices other than Hirschmann devices within the coupled networks.
The Redundant Coupling Protocol uses a master and a slave device to transport data between the
networks. Only the master forwards frames between the rings.
Using Hirschmann proprietary multicast messages, the RCP master and slave devices inform each
other about their operating state. Configure the devices in the ring which are not coupling devices to
forward the following multicast addresses: 01:80:63:07:00:09 and 01:80:63:07:00:0A. Connect the
master and slave devices as direct neighbors.
You use 4 ports per device to create the redundant coupling. Install the coupling devices with 2 inner
and 2 outer ports in each network. The “Inner Port” connects the master and slave devices together.
The “Outer Port” connects the devices to the network (see figure 66).
If the role is set to AUTO, the coupler device automatically selects its role as master or slave. If you
want a permanent master or slave device, configure the roles manually.
When the master is no longer reachable using the inner coupling ports, then the slave device waits for
the timeout period to expire before taking over the master role. During the specified timeout period, the
slave attempts to reach the master using the outer coupling ports. If the master is still not reachable,
then the slave assumes the master role. To maintain stability in the network connected to the outer
coupling ports, configure the timeout period for a longer duration than the recovery time in the coupled
rings.


Figure 66: Example of a two-switch redundant coupling
[Figure labels: Primary Ring (MRP); two Secondary Rings (RSTP); each secondary ring is attached through a coupler pair consisting of a Master and a Slave device with ports 1 to 4.]


1: Outer coupling port in the primary ring
2: Inner coupling port in the primary ring
3: Outer coupling port in the secondary ring
4: Inner coupling port in the secondary ring

Note: Disable RSTP on the RCP redundant coupling inner and outer ports not connected to the RSTP
ring. In the example configuration, you disable RSTP on ports 1 and 2 of every device.

12.11.1 Example Configuration


The Hirschmann devices support the two-switch Redundant Coupler Protocol method. You can use the
RCP coupler function, for example, in a network installed in a train. The network provides
information for the passengers about the train location or the different stops on the line. The network
can also provide passenger safety, for example using video surveillance.
The primary rings in the figure represent an MRP ring network within a car. The secondary rings in the
figure are RSTP ring networks. Each ring contains 4 devices (see figure 67).
To simplify the train topology in the figure, the MRP ring ports and the RCP inner and outer ports are
assigned the same port numbers. Specify the same values for the parameters of the ports according to
their function in the network. For example, specify ports 1/1 and 1/2 on Switch 1D and 1C as MRP ring
ports, port 1/4 as an RCP inner port, and port 1/3 as an RCP outer port.


Figure 67: Redundant Coupler Protocol Train Topology
[Figure labels: MRP1, MRP2 and MRP3 primary rings; Secondary Ring Coupler A with Switch 1D (RM), Switch 1C, Switch 2A and Switch 2B; Secondary Ring Coupler B with Switch 2D (RM), Switch 2C, Switch 3A and Switch 3B; port labels 1/1 to 1/4, 2/1 to 2/4 and 3/1 to 3/4.]

The following list specifies the roles of the ports on each device.


1: ports 1 and 2 are MRP ring ports
2: port 3 is an RCP outer port
3: port 4 is an RCP inner port
The following steps describe how to specify the parameters for Switch 1D in “Coupler A”. Configure the
other devices used for “Coupler A”, and the devices used in “Coupler B” in the same manner.

Disable the RSTP function in the MRP Ring

MRP and RSTP do not work together. Therefore, deactivate the RSTP function on the RCP ports
used in the MRP ring. In the example configuration, ports 1 and 2 are used for the MRP ring. Activate
the RSTP function only on the RCP inner and outer port used in the secondary ring. For example,
activate the RSTP function on port 3 and 4.
• Open the Switching > L2-Redundancy > Spanning Tree > Spanning Tree Port dialog, CIST tab.
• In the default setting, the RSTP function is active on the ports. To deactivate the RSTP function on the MRP ring ports, unmark the STP active checkboxes for ports 1/1 and 1/2.
• Open the Switching > L2-Redundancy > Spanning Tree > Global dialog.


• To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.

| Command | Description |
|---|---|
| enable | Change to the Privileged EXEC mode. |
| configure | Change to the Configuration mode. |
| interface 1/1 | Change to the interface configuration mode of interface 1/1. |
| no spanning-tree mode | Deactivate STP on the port. |
| exit | Leaves the interface mode. |
| interface 1/2 | Change to the interface configuration mode of interface 1/2. |
| no spanning-tree mode | Deactivate STP on the port. |
| exit | Leaves the interface mode. |
| spanning-tree operation | Enables Spanning Tree. |

Specify the Ring Master in the MRP ring

In the figure, Switch D of each MRP ring is designated as the ring manager (see figure 67). Specify
the other switches in the rings as ring clients.
• Open the Switching > L2-Redundancy > MRP dialog.
• Specify the first ring port in the Ring port 1 frame.
  In the Port column, select the port 1/1.
• Specify the second ring port in the Ring port 2 frame.
  In the Port column, select the port 1/2.
• To designate the device as the Ring Manager, activate the function in the Ring manager frame.
• To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.

| Command | Description |
|---|---|
| enable | Change to the Privileged EXEC mode. |
| configure | Change to the Configuration mode. |
| mrp domain add default-domain | Creates a new MRP domain with the default domain ID. |
| mrp domain modify port primary 1/1 | Specifies port 1/1 as ring port 1. |
| mrp domain modify port secondary 1/2 | Specifies port 1/2 as ring port 2. |
| mrp domain modify mode manager | Specifies that the device operates as the Ring manager. Do not activate the Ring manager function on any other device. |
| mrp domain modify operation enable | Activates the MRP-Ring. |

Specify the devices in the redundant coupler

• Open the Switching > L2-Redundancy > Redundant Coupling Protocol dialog.
• Specify the Inner port in the Primary ring/network frame.
  Select port 1/2.
• Specify the Outer port in the Primary ring/network frame.
  Select port 1/1.
• Specify the Inner port in the Secondary ring/network frame.
  Select port 1/4.
• Specify the Outer port in the Secondary ring/network frame.
  Select port 1/3.
• To enable the function, select the On radio button in the Operation frame.


• To save the changes temporarily, click the button.

| Command | Description |
|---|---|
| enable | Change to the Privileged EXEC mode. |
| configure | Change to the Configuration mode. |
| redundant-coupling port primary inner 1/2 | Specify port 1/2 as the primary inner port. |
| redundant-coupling port primary outer 1/1 | Specify port 1/1 as the primary outer port. |
| redundant-coupling port secondary inner 1/4 | Specify port 1/4 as the secondary inner port. |
| redundant-coupling port secondary outer 1/3 | Specify port 1/3 as the secondary outer port. |
| redundant-coupling operation | Enables the RCP function on the device. |
| copy config running-config nvm | Save the current settings in the non-volatile memory (nvm) in the “selected” configuration profile. |
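The rules that section 12.11 and this example state for an RCP coupler (four distinct ports per device, RSTP active only on the ports facing the RSTP ring, a takeover timeout longer than the ring recovery time, and both RCP multicast addresses forwarded by the other ring devices) can be checked against a planned configuration before it is rolled out. The following Python audit is an added example, not Hirschmann code; the dictionary layout, the field names such as `timeout_ms` and `blocked_multicast`, and all sample values are assumptions constructed for illustration.

```python
"""Audit a planned RCP coupler configuration against the rules in section 12.11.

The data layout, field names and sample values are constructed for this example;
they are not HiOS data structures or device output.
"""
import re

# Destination MACs of the RCP status messages, as listed in the manual.
RCP_MULTICAST = {"01:80:63:07:00:09", "01:80:63:07:00:0A"}
RCP_ROLES = ("primary_inner", "primary_outer", "secondary_inner", "secondary_outer")


def norm_mac(mac):
    """Normalise 01-80-63-07-00-0a or 0180.6307.000a to 01:80:63:07:00:0A."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_coupler(dev, ring_recovery_ms):
    """Check one coupling device and return a list of finding strings."""
    name, rcp, findings = dev["name"], dev["rcp_ports"], []

    # Four ports per device: one inner and one outer port in each network.
    missing = [role for role in RCP_ROLES if role not in rcp]
    if missing:
        findings.append(f"{name}: no port assigned for {', '.join(missing)}")
    used = [rcp[role] for role in RCP_ROLES if role in rcp]
    for port in sorted(set(used)):
        if used.count(port) > 1:
            findings.append(f"{name}: port {port} has more than one RCP role")

    # RSTP stays active only on the RCP ports that face the RSTP ring.
    for role in RCP_ROLES:
        if role not in rcp:
            continue
        protocol = dev["ring_protocol"][role.split("_")[0]]   # primary / secondary
        stp_on = rcp[role] in dev["stp_active_ports"]
        if stp_on and protocol != "RSTP":
            findings.append(f"{name}: STP active on {rcp[role]} ({role}), ring runs {protocol}")
        elif protocol == "RSTP" and not stp_on:
            findings.append(f"{name}: STP inactive on {rcp[role]} ({role}), ring runs RSTP")

    # The slave's takeover timeout has to outlast recovery in the coupled rings.
    slowest = max(ring_recovery_ms.values())
    if dev["timeout_ms"] <= slowest:
        findings.append(f"{name}: timeout {dev['timeout_ms']} ms does not exceed "
                        f"ring recovery time {slowest} ms")
    return findings


def audit_pair(a, b):
    """A coupler pair needs one master and one slave; 'auto' lets the devices decide."""
    if a["role"] == b["role"] and a["role"] != "auto":
        return [f"{a['name']}/{b['name']}: both devices fixed to role {a['role']}"]
    return []


def audit_ring_member(dev):
    """Ring devices that are not couplers have to forward both RCP multicast addresses."""
    blocked = {norm_mac(m) for m in dev["blocked_multicast"]} & RCP_MULTICAST
    return [f"{dev['name']}: filters RCP multicast {m}" for m in sorted(blocked)]


# Constructed sample plan. Port roles of Switch 1D follow the example configuration above;
# the recovery and timeout figures are invented for the demonstration.
RECOVERY_MS = {"MRP1": 200, "secondary RSTP": 1000}
SWITCH_1D = {
    "name": "Switch 1D", "role": "auto", "timeout_ms": 2000,
    "rcp_ports": {"primary_inner": "1/2", "primary_outer": "1/1",
                  "secondary_inner": "1/4", "secondary_outer": "1/3"},
    "ring_protocol": {"primary": "MRP", "secondary": "RSTP"},
    "stp_active_ports": {"1/3", "1/4"},
}
# Constructed faulty partner: STP left active on MRP ring port 1/1, timeout too short.
SWITCH_1C = dict(SWITCH_1D, name="Switch 1C", timeout_ms=500,
                 stp_active_ports={"1/1", "1/3", "1/4"})
# Constructed ring client whose multicast filter drops one of the RCP addresses.
RING_CLIENT = {"name": "client-7",
               "blocked_multicast": ["01-80-63-07-00-0a", "01:00:5e:00:00:fb"]}

if __name__ == "__main__":
    report = (audit_coupler(SWITCH_1D, RECOVERY_MS) + audit_coupler(SWITCH_1C, RECOVERY_MS)
              + audit_pair(SWITCH_1D, SWITCH_1C) + audit_ring_member(RING_CLIENT))
    print("\n".join(report) or "no findings")
```

An empty result for a device means that none of the checked rules is violated; it does not replace the Redundancy available and Configuration failure indications on the device itself.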


13 Operation diagnosis

The device provides you with the following diagnostic tools:


• Sending SNMP traps
• Monitoring the Device Status
• Out-of-Band signaling using the signal contact
• Port status indication
• Event counter at port level
• Detecting non-matching duplex modes
• Auto-Disable
• Displaying the SFP status
• Topology discovery
• Detecting IP address conflicts
• Detecting loops
• Reports
• Monitoring data traffic on a port (port mirroring)
• Syslog
• Event log
• Cause and action management during selftest


13.1 Sending SNMP traps

The device immediately reports unusual events which occur during normal operation to the network
management station. This is done by messages called SNMP traps that bypass the polling procedure
(“polling” means querying the data stations at regular intervals). SNMP traps allow you to react quickly
to unusual events.
Examples of such events are:
• Hardware reset
• Changes to the configuration
• Segmentation of a port

An SNMP trap is an unacknowledged message: a packet containing information about an unusual event.
To increase the transmission reliability for these messages, the device sends SNMP traps to various
hosts.
The device sends SNMP traps to those hosts entered in the trap destination table. The device allows
you to configure the trap destination table with the network management station using SNMP.

13.1.1 List of SNMP traps


The following table displays possible SNMP traps sent by the device.

| Name of the SNMP trap | Meaning |
|---|---|
| authenticationFailure | This is sent if a station attempts to access an agent without authorisation. |
| coldStart | Sent after a restart. |
| hm2DevMonSenseExtNvmRemoval | This is sent when the external memory has been removed. |
| linkDown | This is sent if the connection to a port is interrupted. |
| linkUp | This is sent when connection is established to a port. |
| hm2DevMonSensePSState | This is sent if the status of a power supply unit changes. |
| hm2SigConStateChange | This is sent if the status of the signal contact changes in the operation monitoring. |
| newRoot | This is sent if the sending agent becomes the new root of the spanning tree. |
| topologyChange | This is sent when the port changes from blocking to forwarding or from forwarding to blocking. |
| alarmRisingThreshold | This is sent if the RMON input exceeds its upper threshold. |
| alarmFallingThreshold | This is sent if the RMON input goes below its lower threshold. |
| hm2AgentPortSecurityViolation | This is sent if a MAC address detected on this port does not match the current settings of the parameter hm2AgentPortSecurityEntry. |
| hm2DiagSelftestActionTrap | Sent if a self test for the four categories “task”, “resource”, “software”, and “hardware” is performed according to the configured settings. |
| hm2MrpReconfig | This is sent if the configuration of the MRP ring changes. |
| hm2DiagIfaceUtilizationTrap | This is sent if the utilization of the interface exceeds the specified upper threshold or falls below the specified lower threshold. |
| hm2LogAuditStartNextSector | This is sent if the audit trail, after completing one sector, starts a new one. |
| hm2PtpSynchronizationChance | This is sent if the status of the PTP synchronization has been changed. |
| hm2ConfigurationSavedTrap | This is sent after the device has successfully saved its configuration locally. |
| hm2ConfigurationChangedTrap | This is sent when you change the configuration of the device for the first time after it has been saved locally. |
| hm2PlatformStpInstanceLoopInconsistentStartTrap | This is sent if the port in this STP instance changes to the “loop inconsistent” status. |
| hm2PlatformStpInstanceLoopInconsistentEndTrap | This is sent if the port in this STP instance leaves the “loop inconsistent” status when receiving a BPDU packet. |

Table 33: Possible SNMP traps

13.1.2 SNMP traps for configuration activity


After you save a configuration in the memory, the device sends a hm2ConfigurationSavedTrap. This
SNMP trap contains both the Non-Volatile Memory (NVM) and External Non-Volatile Memory (ENVM)
state variables indicating whether the running configuration is in sync with the NVM, and with the ENVM.
You can also trigger this SNMP trap by copying a configuration file to the device, replacing the active
saved configuration.
Furthermore, the device sends a hm2ConfigurationChangedTrap, whenever you change the local
configuration, indicating a mismatch between the running and saved configuration.
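
On the management station, the two configuration traps can be correlated to flag devices whose running configuration has stayed unsaved or whose external memory is out of sync. The following Python code is an added example, not code from this manual or from Hirschmann; the event dictionaries, the field names `nvm_in_sync` and `envm_in_sync`, the 900-second limit and the sample events are constructed assumptions standing in for decoded trap contents.

```python
from dataclasses import dataclass
from typing import Optional

SAVED = "hm2ConfigurationSavedTrap"
CHANGED = "hm2ConfigurationChangedTrap"


@dataclass
class ConfigState:
    """Configuration state of one device as derived from its traps."""
    unsaved_since: Optional[float] = None  # None: running config matches NVM
    envm_in_sync: Optional[bool] = None    # None: no saved-trap seen yet


def apply_trap(states, event):
    """Update the per-device state from one decoded trap (hypothetical dict)."""
    state = states.setdefault(event["source"], ConfigState())
    if event["trap"] == CHANGED:
        # Sent on the first change after a save; keep the earliest timestamp
        # if a duplicate arrives.
        if state.unsaved_since is None:
            state.unsaved_since = event["time"]
    elif event["trap"] == SAVED:
        state.envm_in_sync = event["envm_in_sync"]
        if event["nvm_in_sync"]:
            state.unsaved_since = None
        elif state.unsaved_since is None:
            # For example a configuration file copied to the device: the saved
            # profile was replaced, the running configuration still differs.
            state.unsaved_since = event["time"]
    return state


def replay(events):
    """Process events in time order and return the resulting state table."""
    states = {}
    for event in sorted(events, key=lambda e: e["time"]):
        apply_trap(states, event)
    return states


def findings(states, now, max_unsaved_seconds=900):
    """Return (device, finding) tuples for devices that need attention."""
    result = []
    for device, state in sorted(states.items()):
        if (state.unsaved_since is not None
                and now - state.unsaved_since >= max_unsaved_seconds):
            result.append((device, "running configuration changed but not saved"))
        if state.envm_in_sync is False:
            result.append((device, "external memory not in sync with running configuration"))
    return result


# Constructed sample events (times in seconds), not captured from a device.
SAMPLE_EVENTS = [
    {"time": 0, "source": "192.0.2.10", "trap": CHANGED},
    {"time": 120, "source": "192.0.2.10", "trap": SAVED,
     "nvm_in_sync": True, "envm_in_sync": False},
    {"time": 300, "source": "192.0.2.11", "trap": CHANGED},
    {"time": 400, "source": "192.0.2.11", "trap": "linkDown"},
]

if __name__ == "__main__":
    for device, finding in findings(replay(SAMPLE_EVENTS), now=3600):
        print(device, finding)
```
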

13.1.3 SNMP trap setting


The device offers you the option of sending an SNMP trap as a reaction to specific events. Create at
least 1 trap destination that receives SNMP traps.

Perform the following steps:

• Open the Diagnostics > Status Configuration > Alarms (Traps) dialog.
• Click the button.
  The dialog displays the Create window.
• In the Name frame, specify the name that the device uses to identify itself as the source of the
  SNMP trap.
• In the Address frame, specify the IP address of the trap destination to which the device sends
  the SNMP traps.
• In the Active column you select the entries that the device should take into account when it
  sends SNMP traps.
• To save the changes temporarily, click the button.

For example, in the following dialogs you specify when the device triggers an SNMP trap:
• Basic Settings > Port dialog
• Basic Settings > Power over Ethernet > PoE Global dialog
• Network Security > Port Security dialog
• Switching > L2-Redundancy > Link Aggregation dialog
• Diagnostics > Status Configuration > Device Status dialog
• Diagnostics > Status Configuration > Security Status dialog
• Diagnostics > Status Configuration > Signal Contact dialog
• Diagnostics > Status Configuration > MAC Notification dialog
• Diagnostics > System > IP Address Conflict Detection dialog
• Diagnostics > System > Selftest dialog
• Diagnostics > Ports > Port Monitor dialog

13.1.4 ICMP messaging


The device allows you to use the Internet Control Message Protocol (ICMP) for diagnostic applications,
for example ping and traceroute. The device also uses ICMP for time-to-live and discarding messages,
in which the device sends an ICMP message back to the source device of the packet.
Use the ping network tool to test the path to a particular host across an IP network. The traceroute
diagnostic tool displays paths and transit delays of packets across a network.

13.2 Monitoring the Device Status

The device status provides an overview of the overall condition of the device. Many process
visualization systems record the device status for a device in order to present its condition in graphic
form.
The device displays its current status as error or ok in the Device status frame. The device
determines this status from the individual monitoring results.

The device enables you to:

• signal the device status out-of-band using a signal contact
• signal the changed device status by sending an SNMP trap
• detect the device status in the Basic Settings > System dialog of the graphical user interface
• query the device status in the Command Line Interface

The Global tab of the Diagnostics > Status Configuration > Device Status dialog allows you
to configure the device to send a trap to the management station for the following events:
• Incorrect supply voltage
  – at least one of the 2 supply voltages is not operating
  – the internal supply voltage is not operating
• When the device is operating outside of the user-defined temperature threshold
• Loss of the redundancy (in ring manager mode)
• The interruption of link connection(s)
  Configure at least one port for this feature. In the Port tab of the Diagnostics > Status
  Configuration > Device Status dialog in the Propagate connection error row, you specify
  which ports the device signals if the link is down.
• The removal of the external memory.
• The configuration in the external memory is out-of-sync with the configuration in the device.
• The removal of a module
Select the corresponding entries to decide which events the device status includes.

Note: With a non-redundant voltage supply, the device reports the absence of a supply voltage. To
disable this message, feed the supply voltage over both inputs or ignore the monitoring.

13.2.1 Events which can be monitored

| Name | Meaning |
|---|---|
| Temperature | If the temperature exceeds or falls below the value specified. |
| Ring redundancy | Enable this function to monitor if ring redundancy is present. |
| Connection errors | Enable this function to monitor every port link event in which the Propagate connection error checkbox is active. |
| Module removal | Enable this global function to monitor the removal of a module. Also enable the individual module to monitor. |
| External memory removal | Enable this function to monitor the presence of an external storage device. |
| External memory not in sync | The device monitors synchronization between the device configuration and the configuration stored on the ENVM. |
| Power supply | Enable this function to monitor the power supply. |

Table 34: Device Status events

13.2.2 Configuring the Device Status


Perform the following steps:
• Open the Diagnostics > Status Configuration > Device Status dialog, Global tab.
• For the parameters to be monitored, mark the checkbox in the Monitor column.
• To send an SNMP trap to the management station, activate the Send trap function in the
  Traps frame.
• In the Diagnostics > Status Configuration > Alarms (Traps) dialog, create at least
  1 trap destination that receives SNMP traps.
• To save the changes temporarily, click the button.
• Open the Basic Settings > System dialog.
• To monitor the temperature, at the bottom of the System data frame, you specify the
  temperature thresholds.
• To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
device-status trap
    Sends an SNMP trap if the device status changes.
device-status monitor envm-not-in-sync
    Monitors the configuration profiles in the device and in the external memory.
    The Device status changes to error in the following situations:
    – The configuration profile solely exists in the device.
    – The configuration profile in the device differs from the configuration profile in the
      external memory.
device-status monitor envm-removal
    Monitors the active external memory. The value in the Device status frame changes to error
    if you remove the active external memory from the device.
device-status monitor power-supply 1
    Monitors the power supply unit 1. The value in the Device status frame changes to error if
    the device has a detected power supply fault.
device-status monitor ring-redundancy
    Monitors the ring redundancy.
    The Device status changes to error in the following situations:
    – The redundancy function becomes active (loss of redundancy reserve).
    – The device is a normal ring participant and detects an error in its settings.
device-status monitor temperature
    Monitors the temperature in the device. The value in the Device status frame changes to
    error if the temperature exceeds or falls below the specified limit.
device-status monitor module-removal
    Monitors the modules. The value in the Device status frame changes to error if you remove a
    module from the device.
device-status module 1
    Monitors module 1. The value in the Device status frame changes to error if you remove the
    module 1 from the device.

In order to enable the device to monitor an active link without a connection, first enable the global
function, then enable the individual ports.
Perform the following steps:
• Open the Diagnostics > Status Configuration > Device Status dialog, Global tab.
• For the Connection errors parameter, mark the checkbox in the Monitor column.
• Open the Diagnostics > Status Configuration > Device Status dialog, Port tab.
• For the Propagate connection error parameter, mark the checkbox in the column of the
  ports to be monitored.
• To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
device-status monitor link-failure
    Monitors the ports/interfaces link. The value in the Device status frame changes to error if
    the link interrupts on a monitored port/interface.
interface 1/1
    Change to the interface configuration mode of interface 1/1.
device-status link-alarm
    Monitors the port/interface link. The value in the Device status frame changes to error if
    the link interrupts on the port/interface.

Note: The above CLI commands activate monitoring and trapping for the supported components. If you
want to activate or deactivate monitoring for individual components, you will find the corresponding
syntax in the “Command Line Interface” reference manual or in the help of the CLI console. (Enter a
question mark ? at the CLI prompt.)

13.2.3 Displaying the Device Status


Perform the following steps:
• Open the Basic Settings > System dialog.

show device-status all
    In the EXEC Privilege mode: Displays the device status and the setting for the device status
    determination.

13.3 Security Status

The Security Status provides an overview of the overall security of the device. Many processes aid in
system visualization by recording the security status of the device and then presenting its condition in
graphic form. The device displays the overall security status in the Basic Settings > System dialog,
Security status frame.
In the Global tab of the Diagnostics > Status Configuration > Security Status dialog the
device displays its current status as error or ok in the Security status frame. The device determines
this status from the individual monitoring results.

The device enables you to:

• signal the security status out-of-band using a signal contact
• signal the changed security status by sending an SNMP trap
• detect the security status in the Basic Settings > System dialog of the graphical user interface
• query the security status in the Command Line Interface

13.3.1 Events which can be monitored


• Specify the events that the device monitors.
  For the corresponding parameter, mark the checkbox in the Monitor column.

| Name | Meaning |
|---|---|
| Password default settings unchanged | After installation change the passwords to increase security. The device monitors if the default passwords remain unchanged. |
| Min. password length < 8 | Create passwords more than 8 characters long to maintain a high security posture. When active the device monitors the Min. password length setting. |
| Password policy settings deactivated | The device monitors the settings located in the Device Security > User Management dialog for password policy requirements. |
| User account password policy check deactivated | The device monitors the settings of the Policy check checkbox. When Policy check is inactive, the device sends an SNMP trap. |
| Telnet server active | The device monitors when you enable the Telnet function. |
| HTTP server active | The device monitors when you enable the HTTP connection function. |
| SNMP unencrypted | The device monitors when you enable the SNMPv1 or v2 connection function. |
| Access to system monitor with V.24 possible | The device monitors the System Monitor status. |
| Saving the configuration profile on the external memory possible | The device monitors the possibility to save configurations to the external non-volatile memory. |
| Link interrupted on enabled device ports | The device monitors the link status of active ports. |
| Access with HiDiscovery possible | The device monitors when you enable the HiDiscovery read/write access function. |
| Load unencrypted config from external memory | The device monitors the security settings for loading the configuration from the external NVM. |
| IEC61850-MMS active | The device monitors the IEC 61850-MMS protocol activation setting. |
| Modbus TCP active | The device monitors the Modbus TCP/IP protocol activation setting. |
| Self-signed HTTPS certificate present | The device monitors the HTTPS server for self-created digital certificates. |

Table 35: Security Status events

13.3.2 Configuring the Security Status


Perform the following steps:
• Open the Diagnostics > Status Configuration > Security Status dialog, Global tab.
• For the parameters to be monitored, mark the checkbox in the Monitor column.
• To send an SNMP trap to the management station, activate the Send trap function in the
  Traps frame.
• To save the changes temporarily, click the button.
• In the Diagnostics > Status Configuration > Alarms (Traps) dialog, create at least
  1 trap destination that receives SNMP traps.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
security-status monitor pwd-change
    Monitors the password for the locally set up user accounts user and admin. The value in the
    Security status frame changes to error if the password for the user or admin user accounts
    is the default setting.
security-status monitor pwd-min-length
    Monitors the value specified in the Min. password length policy. The value in the Security
    status frame changes to error if the value for the Min. password length policy is less than 8.
security-status monitor pwd-policy-config
    Monitors the password policy settings.
    The value in the Security status frame changes to error if the value for at least one of the
    following policies is specified as 0.
    – Upper-case characters (min.)
    – Lower-case characters (min.)
    – Digits (min.)
    – Special characters (min.)
security-status monitor pwd-policy-inactive
    Monitors the password policy settings. The value in the Security status frame changes to
    error if the value for at least one of the following policies is specified as 0.
security-status monitor telnet-enabled
    Monitors the Telnet server. The value in the Security status frame changes to error if you
    enable the Telnet server.
security-status monitor http-enabled
    Monitors the HTTP server. The value in the Security status frame changes to error if you
    enable the HTTP server.
security-status monitor snmp-unsecure
    Monitors the SNMP server.
    The value in the Security status frame changes to error if at least one of the following
    conditions applies:
    – The SNMPv1 function is enabled.
    – The SNMPv2 function is enabled.
    – The encryption for SNMPv3 is disabled.
    You enable the encryption in the Device Security > User Management dialog, in the SNMP
    encryption type field.
security-status monitor sysmon-enabled
    Monitors the activation of System Monitor 1 on the device.
security-status monitor extnvm-upd-enabled
    Monitors the activation of the external non volatile memory update.
security-status monitor iec61850-mms-enabled
    Monitors the IEC61850-MMS function. The value in the Security status frame changes to error
    if you enable the IEC61850-MMS function.
security-status trap
    Sending an SNMP trap if the device status changes.

In order to enable the device to monitor an active link without a connection, first enable the global
function, then enable the individual ports.

Perform the following steps:

• Open the Diagnostics > Status Configuration > Security Status dialog, Global tab.
• For the Link interrupted on enabled device ports parameter, mark the checkbox in the
  Monitor column.
• To save the changes temporarily, click the button.
• Open the Diagnostics > Status Configuration > Device Status dialog, Port tab.
• For the Link interrupted on enabled device ports parameter, mark the checkbox in the
  column of the ports to be monitored.
• To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
security-status monitor no-link-enabled
    Monitors the link on active ports. The value in the Security status frame changes to error if
    the link interrupts on an active port.
interface 1/1
    Change to the interface configuration mode of interface 1/1.
security-status monitor no-link
    Monitors the link on interface/port 1.

13.3.3 Displaying the Security Status


Perform the following steps:
• Open the Basic Settings > System dialog.

show security-status all
    In the EXEC Privilege mode, display the security status and the setting for the security
    status determination.
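
The error conditions given for the `security-status monitor` commands in section 13.3.2 can be re-evaluated offline, for example to audit exported settings of several devices against the same criteria. The following Python code is an added example, not Hirschmann's implementation; the settings dictionary, its key names and both sample configurations are constructed assumptions, and only the conditions explicitly stated in that section are modeled.

```python
"""Offline re-evaluation of the Security Status conditions from section 13.3.2.

All settings keys (pwd_min_length, snmp_v1, ports, ...) are hypothetical names
chosen for this example; they are not HiOS identifiers.
"""


def _pwd_change(s):
    return [f"default password still set for account {a}"
            for a in ("user", "admin") if s["default_password"].get(a)]


def _pwd_min_length(s):
    n = s["pwd_min_length"]
    return [f"Min. password length is {n}, less than 8"] if n < 8 else []


def _pwd_policy_config(s):
    return [f"password policy '{k}' is 0"
            for k in ("upper", "lower", "digits", "special")
            if s["pwd_policy"][k] == 0]


def _enabled(key, reason):
    """Rule for a simple on/off setting: report `reason` while it is on."""
    return lambda s: [reason] if s[key] else []


def _snmp_unsecure(s):
    reasons = []
    if s["snmp_v1"]:
        reasons.append("SNMPv1 enabled")
    if s["snmp_v2"]:
        reasons.append("SNMPv2 enabled")
    if not s["snmp_v3_encryption"]:
        reasons.append("SNMPv3 encryption disabled")
    return reasons


def _no_link(s):
    # The global monitor only covers ports that are enabled and were
    # individually selected for link monitoring.
    return [f"link down on monitored active port {p['name']}"
            for p in s["ports"]
            if p["enabled"] and p["monitor_no_link"] and not p["link_up"]]


# Keys are the monitor names used with "security-status monitor <name>".
RULES = {
    "pwd-change": _pwd_change,
    "pwd-min-length": _pwd_min_length,
    "pwd-policy-config": _pwd_policy_config,
    "telnet-enabled": _enabled("telnet_enabled", "Telnet server enabled"),
    "http-enabled": _enabled("http_enabled", "HTTP server enabled"),
    "snmp-unsecure": _snmp_unsecure,
    "iec61850-mms-enabled": _enabled("iec61850_mms_enabled", "IEC61850-MMS enabled"),
    "no-link-enabled": _no_link,
}


def evaluate(settings, monitored):
    """Return (status, findings); only monitored events influence the status."""
    unknown = sorted(set(monitored) - set(RULES))
    if unknown:
        raise ValueError(f"no rule modeled for: {', '.join(unknown)}")
    findings = {}
    for name in monitored:
        reasons = RULES[name](settings)
        if reasons:
            findings[name] = reasons
    return ("error" if findings else "ok"), findings


SAMPLE = {  # constructed settings of one device, not read from real hardware
    "default_password": {"user": False, "admin": True},
    "pwd_min_length": 6,
    "pwd_policy": {"upper": 1, "lower": 1, "digits": 1, "special": 0},
    "telnet_enabled": False, "http_enabled": True,
    "snmp_v1": False, "snmp_v2": False, "snmp_v3_encryption": False,
    "iec61850_mms_enabled": False,
    "ports": [
        {"name": "1/1", "enabled": True, "link_up": False, "monitor_no_link": True},
        {"name": "1/2", "enabled": True, "link_up": False, "monitor_no_link": False},
        {"name": "1/3", "enabled": False, "link_up": False, "monitor_no_link": True},
    ],
}
HARDENED = {  # the same constructed device after correcting each finding
    **SAMPLE,
    "default_password": {"user": False, "admin": False},
    "pwd_min_length": 8,
    "pwd_policy": {"upper": 1, "lower": 1, "digits": 1, "special": 1},
    "http_enabled": False, "snmp_v3_encryption": True,
    "ports": [dict(p, link_up=True) if p["name"] == "1/1" else p
              for p in SAMPLE["ports"]],
}

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE), ("hardened", HARDENED)):
        status, found = evaluate(cfg, list(RULES))
        print(label, status)
        for name, reasons in found.items():
            print(f"  {name}: {'; '.join(reasons)}")
```

Evaluating the sample with only `telnet-enabled` monitored returns `ok`: the result reflects the selected events, not the overall hardening state of the device.
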

13.4 Out-of-Band signaling

The device uses the signal contact to control external devices and monitor device functions. Function
monitoring enables you to perform remote diagnostics.
The device reports the operating status using a break in the potential-free signal contact (relay contact,
closed circuit) for the selected mode. The device monitors the following functions:
• Incorrect supply voltage
  – at least one of the 2 supply voltages is not operating
  – the internal supply voltage is not operating
• When the device is operating outside of the user-defined temperature threshold
• Events for ring redundancy
  Loss of the redundancy (in ring manager mode)
  In the default setting, ring redundancy monitoring is inactive. The device is a normal ring participant
  and detects an error in the local configuration.
• The interruption of link connection(s)
  Configure at least one port for this feature. In the Propagate connection error frame, you specify
  which ports the device signals if the link is down. In the default setting, link monitoring is inactive.
• The removal of the external memory.
• The configuration on the external memory does not match that in the device.
• The removal of a module
Select the corresponding entries to decide which events the device status includes.

Note: With a non-redundant voltage supply, the device reports the absence of a supply voltage. To
disable this message, feed the supply voltage over both inputs or ignore the monitoring.

13.4.1 Controlling the Signal contact


With the Manual setting mode you control this signal contact remotely.
Application options:
• Simulation of an error detected during PLC error monitoring
• Remote control of a device using SNMP, such as switching on a camera
Perform the following steps:
• Open the Diagnostics > Status Configuration > Signal Contact dialog, Global tab.
• To control the signal contact manually, in the Configuration frame, Mode drop-down list,
  select the value Manual setting.
• To open the signal contact, you select the open radio button in the Configuration frame.
• To close the signal contact, you select the close radio button in the Configuration frame.
• To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
signal-contact 1 mode manual
    Select the manual setting mode for signal contact 1.
signal-contact 1 state open
    Open signal contact 1.
signal-contact 1 state closed
    Close signal contact 1.

13.4.2 Monitoring the Device and Security Statuses


In the Configuration field, you specify which events the signal contact indicates.
• Device status
  Using this setting the signal contact indicates the status of the parameters monitored in the
  Diagnostics > Status Configuration > Device Status dialog.
• Security status
  Using this setting the signal contact indicates the status of the parameters monitored in the
  Diagnostics > Status Configuration > Security Status dialog.
• Device/Security status
  Using this setting the signal contact indicates the status of the parameters monitored in the
  Diagnostics > Status Configuration > Device Status and the Diagnostics > Status
  Configuration > Security Status dialog.

Configuring the operation monitoring


Perform the following steps:
• Open the Diagnostics > Status Configuration > Signal Contact dialog, Global tab.
• To monitor the device functions using the signal contact, in the Configuration frame, specify
  the value Monitoring correct operation in the Mode field.
• For the parameters to be monitored, mark the checkbox in the Monitor column.
• To send an SNMP trap to the management station, activate the Send trap function in the
  Traps frame.
• To save the changes temporarily, click the button.
• In the Diagnostics > Status Configuration > Alarms (Traps) dialog, create at least
  1 trap destination that receives SNMP traps.
• To save the changes temporarily, click the button.
• You specify the temperature thresholds for the temperature monitoring in the Basic
  Settings > System dialog.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
signal-contact 1 monitor temperature
    Monitors the temperature in the device. The signal contact opens if the temperature exceeds /
    falls below the threshold values.
signal-contact 1 monitor ring-redundancy
    Monitors the ring redundancy.
    The signal contact opens in the following situations:
    – The redundancy function becomes active (loss of redundancy reserve).
    – The device is a normal ring participant and detects an error in its settings.
signal-contact 1 monitor link-failure
    Monitors the ports/interfaces link. The signal contact opens if the link interrupts on a
    monitored port/interface.
signal-contact 1 monitor envm-removal
    Monitors the active external memory. The signal contact opens if you remove the active
    external memory from the device.
signal-contact 1 monitor envm-not-in-sync
    Monitors the configuration profiles in the device and in the external memory.
    The signal contact opens in the following situations:
    – The configuration profile solely exists in the device.
    – The configuration profile in the device differs from the configuration profile in the
      external memory.
signal-contact 1 monitor power-supply 1
    Monitors the power supply unit 1. The signal contact opens if the device has a detected power
    supply fault.
signal-contact 1 monitor module-removal 1
    Monitors module 1. The signal contact opens if you remove module 1 from the device.
signal-contact 1 trap
    Enables the device to send an SNMP trap when the status of the operation monitoring changes.
no signal-contact 1 trap
    Disables the SNMP trap.

In order to enable the device to monitor an active link without a connection, first enable the global
function, then enable the individual ports.
Perform the following steps:
• In the Monitor column, activate the Link interrupted on enabled device ports function.
• Open the Diagnostics > Status Configuration > Device Status dialog, Port tab.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
signal-contact 1 monitor link-failure
    Monitors the ports/interfaces link. The signal contact opens if the link interrupts on a
    monitored port/interface.
interface 1/1
    Change to the interface configuration mode of interface 1/1.
signal-contact 1 link-alarm
    Monitors the port/interface link. The signal contact opens if the link interrupts on the
    port/interface.

Events which can be monitored


| Name | Meaning |
|---|---|
| Temperature | If the temperature exceeds or falls below the value specified. |
| Ring redundancy | Enable this function to monitor if ring redundancy is present. |
| Connection errors | Enable this function to monitor every port link event in which the Propagate connection error checkbox is active. |
| Module removal | Enable this global function to monitor the removal of a module. Also enable the individual module to monitor. |
| External memory not in sync with NVM | The device monitors synchronization between the device configuration and the configuration stored on the ENVM. |
| External memory removed | Enable this function to monitor the presence of an external storage device. |
| Power supply | Enable this function to monitor the power supply. |

Table 36: Device Status events

Displaying the signal contact’s status


The device gives you additional options for displaying the status of the signal contact:
• Display in the graphical user interface
• Query in the Command Line Interface

• Open the Basic Settings > System dialog.
  The Signal contact status frame displays the signal contact status and informs you about
  alarms that have occurred. When an alarm currently exists, the frame is highlighted.

show signal-contact 1 all
    Displays signal contact settings for the specified signal contact.

13.5 Port status indication

Perform the following steps:

• Open the Basic Settings > System dialog.
  The dialog displays the device with the current configuration. Furthermore, the dialog indicates the
  status of the individual ports with a symbol.
The following symbols represent the status of the individual ports. In some situations, these symbols
interfere with one another. If you position the mouse pointer over the port icon, a bubble help displays
a detailed description of the port state.

| Criterion | Symbol |
|---|---|
| Bandwidth of the port | 10 Mbit/s: Port activated, connection okay, full-duplex mode |
| | 100 Mbit/s: Port activated, connection okay, full-duplex mode |
| | 1000 Mbit/s: Port activated, connection okay, full-duplex mode |
| Operating state | Half-duplex mode enabled. See the Basic Settings > Port dialog, Configuration tab, Automatic configuration checkbox, Manual configuration field and Manual cable crossing (Auto. conf. off) field. |
| | Autonegotiation enabled. See the Basic Settings > Port dialog, Configuration tab, Automatic configuration checkbox. |
| | The port is blocked by a redundancy function. |
| AdminLink | The port is deactivated, connection okay |
| | The port is deactivated, no connection set up. See the Basic Settings > Port dialog, Configuration tab, Port on checkbox and Link/Current settings field. |

Table 37: Symbols identifying the status of the ports

13.6 Port event counter

The port statistics table enables experienced network administrators to identify possible detected
problems in the network.
This table displays the contents of various event counters. The packet counters add up the events sent
and the events received. In the Basic Settings > Restart dialog, you can reset the event counters.
| Counter | Indication of known possible weakness |
|---|---|
| Received fragments | Non-functioning controller of the connected device; Electromagnetic interference in the transmission medium |
| CRC Error | Non-functioning controller of the connected device; Electromagnetic interference in the transmission medium; Inoperable component in the network |
| Collisions | Non-functioning controller of the connected device; Network over extended/lines too long; Collision or a detected fault with a data packet |

Table 38: Examples indicating known weaknesses

Perform the following steps:

• To display the event counter, open the Basic Settings > Port dialog, Statistics tab.
• To reset the counters, in the Basic Settings > Restart dialog, click the Clear port
  statistics button.

13.6.1 Detecting non-matching duplex modes


Problems occur when 2 ports directly connected to each other have mismatching duplex modes. These
problems are difficult to track down. The automatic detection and reporting of this situation has the
benefit of recognizing mismatching duplex modes before problems occur.
This situation arises from an incorrect configuration, for example, if you deactivate the automatic
configuration on the remote port.
A typical effect of this non-matching is that at a low data rate, the connection seems to be functioning,
but at a higher bi-directional traffic level the local device records a lot of CRC errors, and the connection
falls significantly below its nominal capacity.
The device allows you to detect this situation and report it to the network management station. In the
process, the device evaluates the error counters of the port in the context of the port settings.


 Possible causes of port error events


The following table lists the duplex operating modes for TX ports, with the possible fault events. The
meanings of terms used in the table are as follows:
 Collisions
In half-duplex mode, collisions mean normal operation.
 Duplex problem
Mismatching duplex modes.
 EMI
Electromagnetic interference.
 Network extension
The network extension is too great, or there are too many cascading hubs.
 Collisions, Late Collisions
In full-duplex mode, the port counters for collisions or Late Collisions do not increment.
 CRC Error
The device evaluates these errors as non-matching duplex modes in the manual full duplex mode.
No.  Automatic      Current      Detected error events  Duplex modes             Possible causes
     configuration  duplex mode  (≥ 10 after link up)
---  -------------  -----------  ---------------------  -----------------------  -------------------------------------
1    marked         Half duplex  None                   OK
2    marked         Half duplex  Collisions             OK
3    marked         Half duplex  Late Collisions        Duplex problem detected  Duplex problem, EMI, network extension
4    marked         Half duplex  CRC Error              OK                       EMI
5    marked         Full duplex  None                   OK
6    marked         Full duplex  Collisions             OK                       EMI
7    marked         Full duplex  Late Collisions        OK                       EMI
8    marked         Full duplex  CRC Error              OK                       EMI
9    unmarked       Half duplex  None                   OK
10   unmarked       Half duplex  Collisions             OK
11   unmarked       Half duplex  Late Collisions        Duplex problem detected  Duplex problem, EMI, network extension
12   unmarked       Half duplex  CRC Error              OK                       EMI
13   unmarked       Full duplex  None                   OK
14   unmarked       Full duplex  Collisions             OK                       EMI
15   unmarked       Full duplex  Late Collisions        OK                       EMI
16   unmarked       Full duplex  CRC Error              Duplex problem detected  Duplex problem, EMI
Table 39: Evaluation of non-matching of the duplex mode
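
The evaluation in Table 39 can also be applied to port counters that a monitoring script collects itself. The following Python code is an added example, not code from the device or from Hirschmann; the Snapshot type, the function names, the 32-bit counter wrap and the merging of several simultaneous events into one verdict are assumptions made for the example.

```python
from dataclasses import dataclass

THRESHOLD = 10         # Table 39 counts an event once it occurred >= 10 times after link up
COUNTER_MOD = 2 ** 32  # assumption: counters are polled as 32-bit values that can wrap


@dataclass(frozen=True)
class Snapshot:
    """Error counters of one port at one point in time (hypothetical structure)."""
    collisions: int
    late_collisions: int
    crc_errors: int


def events_since_link_up(at_link_up, now):
    """Names of the error events that reached the threshold since link up."""
    events = set()
    for name in ("collisions", "late_collisions", "crc_errors"):
        # Modulo arithmetic keeps the delta correct when a counter wrapped around.
        delta = (getattr(now, name) - getattr(at_link_up, name)) % COUNTER_MOD
        if delta >= THRESHOLD:
            events.add(name)
    return events


def evaluate(autoneg, full_duplex, events):
    """Apply Table 39. Returns (duplex_problem_detected, sorted possible causes)."""
    problem, causes = False, set()
    if not full_duplex:
        # Rows 1-4 and 9-12: plain collisions are normal operation in half duplex.
        if "late_collisions" in events:
            problem = True
            causes |= {"duplex problem", "EMI", "network extension"}
        if "crc_errors" in events:
            causes.add("EMI")
    else:
        # Rows 5-8 and 13-16: collision events in full duplex point to EMI.
        if events & {"collisions", "late_collisions"}:
            causes.add("EMI")
        if "crc_errors" in events:
            causes.add("EMI")
            if not autoneg:
                # Row 16: CRC errors in manual full duplex are rated as a mismatch.
                problem = True
                causes.add("duplex problem")
    return problem, sorted(causes)


if __name__ == "__main__":
    # Constructed counter values: the CRC counter wraps between the two polls.
    start = Snapshot(collisions=0, late_collisions=0, crc_errors=4294967290)
    current = Snapshot(collisions=3, late_collisions=0, crc_errors=20)
    seen = events_since_link_up(start, current)
    print(seen, evaluate(autoneg=False, full_duplex=True, events=seen))
```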


13.7 Auto-Disable

The device can disable a port for several configurable reasons. Each reason causes the port to “shut
down”. To recover the port from the shut down state, you can manually clear the condition which
caused the port to shut down or specify a timer to automatically re-enable the port.
If the configuration displays a port as enabled, but the device detects an error or change in the condition,
the software shuts down that port. In other words, the device software disables the port because of a
detected error or change in the condition.
When a port is auto-disabled, the device effectively shuts down the port and the port blocks traffic. The
port LED blinks green 3 times per period and identifies the reason for the shutdown. In addition, the
device creates a log file entry which lists the causes of the deactivation. When you re-enable the port
after a timeout using the Auto-Disable function, the device generates a log entry.
The Auto-Disable function provides a recovery function which automatically enables an auto-disabled
port after a user-defined time. When this function enables a port, the device sends an SNMP trap with
the port number, but without a value for the Reason parameter.
The Auto-Disable function serves the following purposes:
 It assists the network administrator in port analysis.
 It reduces the possibility that this port causes the network to be instable.
The Auto-Disable function is available for the following functions:
 Link flap (Port Monitor function)
 CRC/Fragments (Port Monitor function)
 Duplex Mismatch detection (Port Monitor function)
 DHCP Snooping
 Dynamic ARP Inspection
 Spanning Tree
 Port Security
 Overload detection (Port Monitor function)
 Link speed/Duplex mode detection (Port Monitor function)

In the following example, you configure the device to disable a port due to detected violations of the
thresholds specified in the Diagnostics > Ports > Port Monitor > CRC/Fragments tab and then
automatically re-enable the disabled port.

Perform the following steps:


 Open the Diagnostics > Ports > Port Monitor dialog, CRC/Fragments tab.
 Verify that the thresholds specified in the table concur to your preferences for port 1/1.
 Open the Diagnostics > Ports > Port Monitor dialog, Global tab.
 To enable the function, select the On radio button in the Operation frame.
 To allow the device to disable the port due to detected errors, mark the checkbox in the CRC/
Fragments on column for port 1/1.


 In the Action column you can choose how the device reacts to detected errors. In this
example, the device disables port 1/1 for threshold violations and then automatically re-
enables the port.
 To allow the device to disable and automatically re-enable the port, select the value auto-disable and
configure the Auto-Disable function. The value auto-disable only works in conjunction with the
Diagnostics > Ports > Auto-Disable function.
The device can also disable a port without auto re-enabling.
 To allow the device to disable the port only, select the value disable port .
To manually re-enable a disabled port, highlight the port.
Click the button and then the Reset item.
 When you configure the Auto-Disable function, the value disable port also automatically re-enables the
port.
 Open the Diagnostics > Ports > Port Monitor dialog, Auto-disable tab.
 To allow the device to auto re-enable the port after it was disabled due to detected threshold
violations, mark the checkbox in the CRC error column.
 Open the Diagnostics > Ports > Port Monitor dialog, Port tab.
 Specify the delay time as 120 s in the Reset timer [s] column for the ports you want to
enable.
Note: The Reset item allows you to enable the port before the time specified in the Reset timer
[s] column counts down.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
interface 1/1
    Change to the interface configuration mode of interface 1/1.
port-monitor condition crc-fragments count 2000
    Specifies the CRC-Fragment counter as 2000 parts per million.
port-monitor condition crc-fragments interval 15
    Sets the measure interval to 15 seconds for CRC-Fragment detection.
auto-disable timer 120
    Specifies the waiting period of 120 seconds, after which the Auto-disable function re-enables the port.
exit
    Change to the Configuration mode.
auto-disable reason crc-error
    Activate the auto-disable CRC function.
port-monitor condition crc-fragments mode
    Activate the CRC-Fragments condition to trigger an action.
port-monitor operation
    Activate the Port Monitor function.

When the device disables a port due to threshold violations, the device allows you to use the following
CLI commands to manually reset the disabled port.
Perform the following steps:
enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
interface 1/1
    Change to the interface configuration mode of interface 1/1.
auto-disable reset
    Allows you to enable the port before the Timer counts down.


13.8 Displaying the SFP status

The SFP status display allows you to look at the current SFP module connections and their properties.
The properties include:
 module type
 serial number of media module
 temperature in º C
 transmission power in mW
 receive power in mW

Perform the following steps:


 Open the Diagnostics > Ports > SFP dialog.


13.9 Topology discovery

IEEE 802.1AB defines the Link Layer Discovery Protocol (LLDP). LLDP allows the user to automatically
detect the LAN network topology.

Devices with LLDP active:


 broadcast their connection and management information to neighboring devices on the shared LAN.
Evaluation of the devices occurs when the receiving device has its LLDP function active.
 receive connection and management information from neighbor devices on the shared LAN,
provided these adjacent devices also have LLDP active.
 build a management information database and object definitions for storing information about
adjacent devices with LLDP active.

As the main element, the connection information contains an exact, unique identifier for the connection
end point: MSAP (MAC Service Access Point). This is made up of a device identifier which is unique on the
entire network and a unique port identifier for this device.
 Chassis identifier (its MAC address)
 Port identifier (its port-MAC address)
 Description of port
 System name
 System description
 Supported system capabilities
 System capabilities currently active
 Interface ID of the management address
 VLAN-ID of the port
 Auto-negotiation status on the port
 Medium, half/full duplex setting and port speed setting
 Information about the VLANs installed in the device (VLAN-ID and VLAN name, irrespective of
whether the port is a VLAN participant).

A network management station can call up this information from devices with activated LLDP. This
information enables the network management station to map the topology of the network.
Non-LLDP devices normally block the special Multicast LLDP IEEE MAC address used for information
exchange. Non-LLDP devices therefore discard LLDP packets. When you position a non-LLDP capable
device between 2 LLDP capable devices, the non-LLDP capable device prevents information
exchanges between the 2 LLDP capable devices.
The Management Information Base (MIB) for a device with LLDP capability holds the LLDP information
in the lldp MIB and in the private HM2-LLDP-EXT-HM-MIB and HM2-LLDP-MIB.

13.9.1 Displaying the Topology discovery results


To show the topology of the network:
 Open the Diagnostics > LLDP > LLDP Topology Discovery dialog, LLDP tab.


If you use a port to connect several devices, for example via a hub, the table contains a line for each
connected device.
Activating Display FDB Entries at the bottom of the table allows you to display devices without active
LLDP support in the table. In this case, the device also includes information from its FDB (forwarding
database).

If you connect the port to devices with the topology discovery function active, then the devices exchange
LLDP Data Units (LLDPDU) and the topology table displays these neighboring devices.
When a port connects exclusively to devices without active topology discovery, the table contains a line
for this port to represent the connected devices. This line contains the number of connected devices.
The FDB address table contains MAC addresses of devices that the topology table hides for the sake
of clarity.

13.9.2 LLDP-MED

LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between
endpoint devices. Endpoints include devices such as IP phones, or other Voice over IP (VoIP) devices
or servers and network devices such as switches. It specifically provides support for VoIP applications.
LLDP-MED provides this support using an additional set of common type-length-value (TLV)
advertisement messages, for capabilities discovery, network policy, Power over Ethernet, inventory
management and location information.
The device supports the following TLV messages:
 capabilities TLV
Allows LLDP-MED endpoints to determine the capabilities that the connected device supports and
what capabilities the device has enabled.
 Network policy TLV
Allows both network connectivity devices and endpoints to advertise VLAN configurations and
associated attributes for the specific application on that port. For example, the device notifies a phone
of the VLAN number. The phone connects to a switch, obtains its VLAN number, and then starts
communicating with the call control.
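
The connection information listed in section 13.9 travels in an LLDPDU as type-length-value fields, and the LLDP-MED TLVs described here ride in the same frame as organizationally specific TLVs. The following Python parser is an added example, not Hirschmann code; it decodes a frame that is constructed inline, and the function names, the sample addresses, the system name and the VLAN values are assumptions made for the example.

```python
import struct

LLDP_MULTICAST = bytes.fromhex("0180c200000e")  # group MAC address LLDP frames are sent to
LLDP_ETHERTYPE = 0x88CC
OUI_8021 = bytes.fromhex("0080c2")  # IEEE 802.1 organizationally specific TLVs
OUI_MED = bytes.fromhex("0012bb")   # LLDP-MED TLVs
CAPABILITIES = ["other", "repeater", "bridge", "wlan-ap", "router", "telephone"]
MED_APPLICATIONS = {1: "voice", 2: "voice signaling"}
MIN_LENGTH = {1: 2, 2: 2, 3: 2, 7: 4, 127: 4}  # shortest valid value per TLV type
TEXT_TLVS = {4: "port_description", 5: "system_name", 6: "system_description"}

def iter_tlvs(payload):
    """Yield (type, value); each TLV header packs a 7-bit type and a 9-bit length."""
    pos = 0
    while pos + 2 <= len(payload):
        (header,) = struct.unpack_from("!H", payload, pos)
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if pos + length > len(payload):
            raise ValueError(f"TLV type {tlv_type} runs past the end of the frame")
        if length < MIN_LENGTH.get(tlv_type, 0):
            raise ValueError(f"TLV type {tlv_type} is too short ({length} bytes)")
        if tlv_type == 0:  # End Of LLDPDU
            return
        yield tlv_type, payload[pos:pos + length]
        pos += length
    raise ValueError("LLDPDU ends without an End TLV")

def mac(raw):
    return ":".join(f"{octet:02x}" for octet in raw)

def capability_names(bitmap):
    return [name for bit, name in enumerate(CAPABILITIES) if bitmap & (1 << bit)]

def decode_network_policy(value):
    """LLDP-MED network policy: application type, then flags, VLAN ID, priority, DSCP."""
    bits = int.from_bytes(value[1:4], "big")
    return {
        "application": MED_APPLICATIONS.get(value[0], value[0]),
        "unknown_policy": bool((bits >> 23) & 1),
        "tagged": bool((bits >> 22) & 1),
        "vlan_id": (bits >> 9) & 0xFFF,
        "priority": (bits >> 6) & 0x7,
        "dscp": bits & 0x3F,
    }

def parse_lldp_frame(frame):
    """Return what one LLDP frame discloses about the sending device."""
    if (len(frame) < 14 or frame[:6] != LLDP_MULTICAST
            or struct.unpack_from("!H", frame, 12)[0] != LLDP_ETHERTYPE):
        raise ValueError("not an LLDP frame")
    info = {}
    for tlv_type, value in iter_tlvs(frame[14:]):
        if tlv_type == 1:    # Chassis ID, subtype 4 = MAC address
            info["chassis_id"] = mac(value[1:]) if value[0] == 4 else value[1:].hex()
        elif tlv_type == 2:  # Port ID, subtype 3 = MAC address
            info["port_id"] = mac(value[1:]) if value[0] == 3 else value[1:].hex()
        elif tlv_type == 3:
            info["ttl_s"] = struct.unpack_from("!H", value)[0]
        elif tlv_type in TEXT_TLVS:
            info[TEXT_TLVS[tlv_type]] = value.decode("utf-8", errors="replace")
        elif tlv_type == 7:
            supported, enabled = struct.unpack_from("!HH", value)
            info["capabilities_supported"] = capability_names(supported)
            info["capabilities_enabled"] = capability_names(enabled)
        elif tlv_type == 127 and value[:3] == OUI_8021 and value[3] == 1 and len(value) >= 6:
            info["port_vlan_id"] = struct.unpack_from("!H", value, 4)[0]
        elif tlv_type == 127 and value[:3] == OUI_MED and value[3] == 2 and len(value) >= 8:
            info["med_network_policy"] = decode_network_policy(value[4:8])
    return info

def tlv(tlv_type, value):
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def sample_frame():
    """Constructed frame: every address, name and VLAN below is made up for the example."""
    policy = (1 << 22) | (20 << 9) | (5 << 6) | 46  # tagged, VLAN 20, priority 5, DSCP 46
    payload = b"".join([
        tlv(1, b"\x04" + bytes.fromhex("02005e100001")),
        tlv(2, b"\x03" + bytes.fromhex("02005e100002")),
        tlv(3, struct.pack("!H", 120)),
        tlv(5, b"switch-lab-1"),
        tlv(7, struct.pack("!HH", 0x0014, 0x0004)),
        tlv(127, OUI_8021 + b"\x01" + struct.pack("!H", 1)),
        tlv(127, OUI_MED + b"\x02\x01" + policy.to_bytes(3, "big")),
        tlv(0, b""),
    ])
    source_mac = bytes.fromhex("02005e100002")
    return LLDP_MULTICAST + source_mac + struct.pack("!H", LLDP_ETHERTYPE) + payload

if __name__ == "__main__":
    for key, item in parse_lldp_frame(sample_frame()).items():
        print(f"{key}: {item}")
```

Run against frames captured on an access port, the same parser shows which management details a device discloses to anything attached to that port.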
LLDP-MED provides the following functions:
 Network policy discovery, including VLAN ID, 802.1p priority and Diffserv code point (DSCP)
 Device location and topology discovery based on LAN-level MAC/port information
 Endpoint move detection notification, from network connectivity device to the associated VoIP
management application
 Extended device identification for inventory management
 Identification of endpoint network connectivity capabilities, for example, multi-port IP Phone with
embedded switch or bridge capability
 Application level interactions with the LLDP protocol elements to provide timely startup of LLDP to
support rapid availability of an Emergency Call Service
 Applicability of LLDP-MED to Wireless LAN environments, support for Voice over Wireless LAN


13.10 Detecting loops

Loops in the network cause connection interruptions or data losses. This also applies to temporary
loops. The automatic detection and reporting of this situation allows you to detect it faster and diagnose
it more easily.
An incorrect configuration causes loops, for example, if you deactivate Spanning Tree.
The device allows you to detect the effects typically caused by loops and report this situation
automatically to the network management station. You have the option here to specify the magnitude of
the loop effects that trigger the device to send a report.
A typical effect of a loop is that BPDU frames sent from the designated port are received, within a
short time, on either a different port of the same device or the same port.
 Open the Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab.
 Check the value in the fields Port state and Port role . If the Port state field displays
the value discarding and the Port role field displays the value backup, the port is in a loop
status.
or
 Open the Switching > L2-Redundancy > Spanning Tree > Port dialog, Guards tab.
 Check the value in the Loop state column. If the field displays the value true, the port is in
a loop status.


13.11 Email Notification

The device allows you to inform users by email about events that have occurred. The prerequisite is that
a mail server, to which the device transfers the emails, is available through the network.

To set up the device to send emails, use the following steps:


 Specify the sender address
 Specify the triggering events
 Specify the recipients
 Specify the mail server
 Enable/disable the function
 Send a test email

13.11.1 Specify the sender address


The sender address is the email address that indicates the device which sent the email. In the device,
the default setting is switch@hirschmann.com.
To change the preset value, perform the following steps:
 Open the Diagnostics > Email Notification > Global dialog.
 In the Sender frame, change the value in the Address field.
Add a valid email address.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
logging email from-addr <user@doma.in>
    Changes the sender address.

13.11.2 Specify the triggering events


The device differentiates between the following severities:
Severity       Meaning
-------------  ------------------------------------
emergency      Device not ready for operation
alert          Immediate user intervention required
critical       Critical status
error          Error status
warning        Warning
notice         Significant, normal status
informational  Informal message
debug          Debug message
Table 40: Meaning of the severities for events

You have the option of specifying the events of which the device informs you. For this, assign the
desired minimum severity to the notification levels of the device.

The device informs the recipients as follows:


 Notification immediate
The device sends an email immediately when an event of the severity assigned or more critical
occurs.
 Notification periodic
– In the buffer, the device logs if an event of the severity assigned or more critical occurs.
– The device sends an email with the log file periodically or if the buffer overflows.
– If an event of a lesser severity occurs, the device does not log this event.

Perform the following steps:


 Open the Diagnostics > Email Notification > Global dialog.
In the Notification immediate frame, you specify the settings for emails which the device
sends immediately.
 In the Severity field, you specify the minimum severity.
 In the Subject field, you specify the subject of the email.
In the Notification periodic frame, you specify the settings for emails which the device
sends periodically.
 In the Severity field, you specify the minimum severity.
 In the Subject field, you specify the subject of the email.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
logging email severity immediate <level>
    Specifies the minimum severity for events for which the device sends an email immediately.
logging email severity periodic <level>
    Specifies the minimum severity for events for which the device sends an email periodically.
logging email subject add <immediate | periodic> TEXT
    Creates a subject line with the content TEXT.

13.11.3 Change the send interval


The device allows you to specify in which interval it sends emails with the log file. The default setting is
30 minutes.
Perform the following steps:
 Open the Diagnostics > Email Notification > Global dialog.


In the Notification periodic frame, you specify the settings for emails which the device
sends periodically.
 Change the value in the Sending interval [min] field to change the interval.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
logging email duration <30..1440>
    Specifies the interval at which the device sends emails with the log file.

13.11.4 Specify the recipients


The device allows you to specify up to 10 recipients.
Perform the following steps:
 Open the Diagnostics > Email Notification > Email Notification Recipients
dialog.
 To add a table entry, click the button.
 In the Notification type column, specify whether the device sends the emails to this
recipient immediately or periodically.
 In the Address column, specify the email address of the recipient.
 In the Active column, mark the checkbox.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
logging email to-addr add <1..10> addr <user@doma.in> msgtype <immediately | periodically>
    Specifies the recipient with the email address user@doma.in.
    The device manages the settings in memory 1..10.

13.11.5 Specify the mail server


The device supports encrypted and unencrypted connections to the mail server.
Perform the following steps:
 Open the Diagnostics > Email Notification > Email Notification Mail Server
dialog.
 To add a table entry, click the button.
 In the IP address column, specify the IP address or the DNS name of the server.


 In the Encryption column, specify the protocol which encrypts the connection between the
device and the mail server.
 In the Destination TCP port column, specify the TCP port if the mail server uses a port other
than the well-known port.
If the mail server requests an authentication:
 In the User name and Password columns, specify the account credentials which the device
uses to authenticate on the mail server.
 In the Description column, enter a meaningful name for the mail server.
 In the Active column, mark the checkbox.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
logging email mail-server add <1..5> addr <IP ADDRESS> [security <none|tlsv1>] [username <USER NAME>] [password <PASSWORD>] [port <1..65535>]
    Specifies the mail server with the IP address IP ADDRESS. The device manages the settings in memory 1..5.

13.11.6 Enable/disable the function


Perform the following steps:
 Open the Diagnostics > Email Notification > Global dialog.
 To enable the function, select the On radio button in the Operation frame.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
logging email operation
    Enables the sending of emails.
no logging email operation
    Disables the sending of emails.

13.11.7 Send a test email


The device allows you to check the settings by sending a test email.
Prerequisite:
 The email settings are completely specified.
 The Email Notification function is enabled.
Perform the following steps:
 Open the Diagnostics > Email Notification > Email Notification Mail Server
dialog.


 Click the button and then the Connection test item.


The dialog displays the Connection test window.
 In the Recipient drop-down list, select to which recipients the device sends the test email.
 In the Message text field, specify the text of the test email.
 Click the Ok button to send the test email.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
logging email test msgtype <urgent|non-urgent> TEXT
    Sends an email with the content TEXT to the recipients.
If you do not see any error message and the recipients obtain the email, the device settings are correct.


13.12 Reports

The following lists reports and buttons available for diagnostics:


 System Log file
The log file is an HTML file in which the device writes important device-internal events.
 Audit Trail
Logs successful CLI commands and user comments. The file also includes SNMP logging.
 Persistent Logging
The device saves log entries in a file in the external memory, when present. These files are available
after power down. The maximum size, maximum number of retainable files and the severity of logged
events are configurable. After obtaining the user-defined maximum size or maximum number of
retainable files, the device archives the entries and starts a new file. The device deletes the oldest
file and renames the other files to maintain the configured number of files. To review these files use
the CLI or copy them to an external server for future reference.
 Download Support Information
This button allows you to download system information as files in a ZIP archive.
In service situations, these reports provide the technician with the necessary information.

13.12.1 Global settings


Using this dialog you enable or disable where the device sends reports, for example, to a Console, a
Syslog Server, or a CLI connection. You also set at which severity level the device writes events into
the reports.
Perform the following steps:
 Open the Diagnostics > Report > Report Global dialog.
 To send a report to the console, specify the desired level in the Console logging frame,
Severity field.
 To enable the function, select the On radio button in the Console logging frame.
 To save the changes temporarily, click the button.

The device buffers logged events in 2 separate storage areas so that the device keeps log entries for
urgent events. Specify the minimum severity for events that the device logs to the buffered storage area
with a higher priority.
Perform the following steps:
 To send events to the buffer, specify the desired level in the Buffered logging frame,
Severity field.
 To save the changes temporarily, click the button.


When you activate the logging of SNMP requests, the device logs the requests as events in the Syslog.
The Log SNMP get request function logs user requests for device configuration information. The Log
SNMP set request function logs device configuration events. Specify the minimum level for events that
the device logs in the Syslog.
Perform the following steps:
 Enable the Log SNMP get request function for the device in order to send SNMP Read
requests as events to the Syslog server.
To enable the function, select the On radio button in the SNMP logging frame.
 Enable the Log SNMP set request function for the device in order to send SNMP Write
requests as events to the Syslog server.
To enable the function, select the On radio button in the SNMP logging frame.
 Choose the desired severity level for the get and set requests.
 To save the changes temporarily, click the button.

When active, the device logs configuration changes made using the CLI commands, to the audit trail.
This feature is based on the IEEE 1686 standard for Substation Intelligent Electronic Devices.
Perform the following steps:
 Open the Diagnostics > Report > Report Global dialog.
 To enable the function, select the On radio button in the CLI logging frame.
 To save the changes temporarily, click the button.

The device allows you to save the following system information data in one ZIP file on your PC:
 audittrail.html
 CLICommands.txt
 defaultconfig.xml
 script
 runningconfig.xml
 supportinfo.html
 systeminfo.html
 systemlog.html
The device creates the file name of the ZIP archive automatically in the format
<IP_address>_<system_name>.zip.
Perform the following steps:

 Click the button and then the Download support information item.
 Select the directory in which you want to save the support information.
 To save the changes temporarily, click the button.


13.12.2 Syslog
The device enables you to send messages about important device-internal events to one or more Syslog
servers (up to 8). Additionally, you can include SNMP requests to the device as events in the Syslog.

Note: To display the logged events, open the Diagnostics > Report > Audit Trail dialog or the
Diagnostics > Report > System Log dialog.
Perform the following steps:
 Open the Diagnostics > Syslog dialog.
 To add a table entry, click the button.
 In the IP address column, enter the IP address of the Syslog server.
 In the Destination UDP port column, specify the TCP or UDP port on which the Syslog
server expects the log entries.
 In the Min. severity column, specify the minimum seriousness level an event must attain
for the device to send a log entry to this Syslog server.
 Mark the checkbox in the Active column.
 To enable the function, select the On radio button in the Operation frame.
 To save the changes temporarily, click the button.

In the SNMP logging frame, configure the following settings for read and write SNMP requests:
Perform the following steps:
 Open the Diagnostics > Report > Report Global dialog.
 Enable the Log SNMP get request function for the device in order to send SNMP Read
requests as events to the Syslog server.
To enable the function, select the On radio button in the SNMP logging frame.
 Enable the Log SNMP set request function for the device in order to send SNMP Write
requests as events to the Syslog server.
To enable the function, select the On radio button in the SNMP logging frame.
 Choose the desired severity level for the get and set requests.
 To save the changes temporarily, click the button.

enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
logging host add 1 addr 10.0.1.159 severity 3
    Adds a new recipient in the Syslog servers list. The value 3 specifies the severity level of the
    event that the device logs. The value 3 means Error.
logging syslog operation
    Enable the Syslog function.
exit
    Change to the Privileged EXEC mode.
show logging host
    Display the Syslog host settings.

No.   Server IP      Port  Max. Severity  Type       Status
----- -------------- ----- -------------- ---------- -------
1     10.0.1.159     514   error          systemlog  active

configure
    Change to the Configuration mode.
logging snmp-requests get operation
    Logs SNMP GET requests.
logging snmp-requests get severity 5
    The value 5 specifies the severity level of the event that the device logs in case of SNMP GET
    requests. The value 5 means Notice.
logging snmp-requests set operation
    Logs SNMP SET requests.
logging snmp-requests set severity 5
    The value 5 specifies the severity level of the event that the device logs in case of SNMP SET
    requests. The value 5 means Notice.
exit
    Change to the Privileged EXEC mode.
show logging snmp
    Display the SNMP logging settings.

Log SNMP GET requests : enabled
Log SNMP GET severity : notice
Log SNMP SET requests : enabled
Log SNMP SET severity : notice

13.12.3 System Log


The device allows you to call up a log file of the system events. The table in the Diagnostics >
Report > System Log dialog lists the logged events.
Perform the following steps:
 To update the content of the log, click “Reload”.
 To search the content of the log for a key word, click “Search“.
 To archive the content of the log as an html file, click “Save”.

Note: You have the option to also send the logged events to one or more Syslog servers.

13.12.4 Syslog over TLS


Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications
security over a computer network. The primary goal of the TLS protocol is to provide privacy and data
integrity between two communicating computer applications.
After initiating a connection with a Syslog server, using a TLS handshake, the device validates the
certificate received from the server. For this purpose, you upload the CA certificate in PEM format from
a remote server or from the external memory. Verify that the configured IP address or DNS name of the
server matches the information provided in the certificate. You find the information in the Common
Name or in the Subject Alternative Name fields of the certificate.
The device sends the TLS encrypted Syslog messages over the TCP port specified in the Destination
UDP port column.

Note: Specify the IP address or DNS name on the server to match the IP Address or DNS name
provided in the server certificate. You find the values entered in the certificate as the Common Name or
the Subject Alternative Name.
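
Before you enter the server address on the device, you can check which address forms the server certificate actually covers. The following Python code is an added example, not part of the device software; it works on certificate contents in the dict layout that Python's ssl.SSLSocket.getpeercert() returns, compares names exactly (no wildcard handling, which the manual does not describe), and uses constructed certificate contents in which only the address 192.168.3.215 comes from the manual's example.

```python
import ipaddress


def certificate_names(cert):
    """Split a certificate dict (getpeercert() layout) into CN, DNS and IP lists."""
    common_names = [value for rdn in cert.get("subject", ())
                    for key, value in rdn if key == "commonName"]
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_addresses = [value for kind, value in san if kind == "IP Address"]
    return common_names, dns_names, ip_addresses


def as_ip(text):
    """Parse text as an IPv4/IPv6 address, or return None for a DNS name."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def dns_key(name):
    """DNS names compare case-insensitively and without a trailing dot."""
    return name.strip().rstrip(".").lower()


def matching_field(configured, cert):
    """Name the certificate field that equals the configured server address, else None."""
    common_names, dns_names, ip_addresses = certificate_names(cert)
    wanted_ip = as_ip(configured)
    if wanted_ip is not None:
        # Compare parsed addresses so that different spellings of one IPv6 address match.
        if any(as_ip(entry) == wanted_ip for entry in ip_addresses):
            return "Subject Alternative Name (IP Address)"
        if any(as_ip(entry) == wanted_ip for entry in common_names):
            return "Common Name"
        return None
    wanted = dns_key(configured)
    if any(dns_key(entry) == wanted for entry in dns_names):
        return "Subject Alternative Name (DNS)"
    if any(dns_key(entry) == wanted for entry in common_names):
        return "Common Name"
    return None


# Constructed certificate contents for the example.
CERT_DNS_ONLY = {
    "subject": ((("commonName", "syslog.example.net"),),),
    "subjectAltName": (("DNS", "syslog.example.net"),),
}
CERT_WITH_IP = {
    "subject": ((("commonName", "syslog.example.net"),),),
    "subjectAltName": (("DNS", "syslog.example.net"),
                       ("IP Address", "192.168.3.215"),
                       ("IP Address", "2001:DB8:0:0:0:0:0:1")),
}

if __name__ == "__main__":
    for address in ("192.168.3.215", "Syslog.Example.net", "2001:db8::1"):
        for label, cert in (("DNS only", CERT_DNS_ONLY), ("DNS and IP", CERT_WITH_IP)):
            print(f"{address:20} {label:11} -> {matching_field(address, cert)}")
```

A server entered by IP address fails this check against a certificate that lists only DNS names, which is the mismatch the note above asks you to rule out.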


 Example
The following example describes the configuration of the Syslog function. After you complete these
steps, the device sends the TLS encrypted Syslog messages over the TCP port specified in the
Destination UDP port column.
The Syslog messages that a device sends to a Syslog server may pass through unsecured
networks. To configure a Syslog server over TLS, upload the Certificate Authority (CA) certificate to
the device.

Note: In order for the changes to take effect after loading a new certificate, restart the Syslog
function.
Perform the following steps:
 Open the Diagnostics > Syslog dialog.
 To initiate a connection with the Syslog servers, select the On radio button in the Operation
frame.
 To save the changes temporarily, click the button.
The device validates the certificate received. The device also authenticates the server and starts
sending Syslog messages.
 Upload the PEM certificate from the remote server or from the external memory.
enable
    Change to the Privileged EXEC mode.
configure
    Change to the Configuration mode.
logging host add 1 addr 192.168.3.215
    Add index 1 to the Syslog server with IP address 192.168.3.215.
logging host modify 1 port 6512 type systemlog
    Specifies the port number 6512 and logs the events in the system log.
logging host modify 1 transport tls
    Specify the type of transmission as tls.
logging host modify 1 severity informational
    Specifies the type of event to log into the system log as informational.
exit
    Change to the Privileged EXEC mode.
copy syslogcacert evmm
    Copy CA certificates from external memory to the device.
show logging host
    Display the Syslog host settings.

13.12.5 Audit Trail


The Diagnostics > Report > Audit Trail dialog contains system information and changes to the device configuration performed through CLI and SNMP. In the case of device configuration changes, the dialog displays Who changed What and When. To log changes to the device configuration, use the functions Log SNMP get request and Log SNMP set request in the Diagnostics > Report > Audit Trail dialog.
The Diagnostics > Syslog dialog allows you to configure up to 8 Syslog servers to which the device
sends Audit Trails.
The following list contains log events:
- changes to configuration parameters
- CLI commands (except show commands)
- CLI command logging audit-trail <string> which logs the comment
- Automatic changes to the System Time
- watchdog events
- locking a user after several unsuccessful login attempts
- User login, either locally or remote, using CLI
- Manual, user-initiated, logout
- Timed logout after a user-defined period of CLI inactivity
- file transfer operation including a Firmware Update
- Configuration changes using HiDiscovery
- Automatic configuration or firmware updates using the external memory
- Blocked management access due to invalid login
- rebooting
- opening and closing SNMP over HTTPS tunnels
- Detected power failures


13.13 Network analysis with TCPdump

Tcpdump is a packet-sniffing UNIX utility used by network administrators to sniff and analyze traffic on a network. A couple of reasons for sniffing traffic on a network are to verify connectivity between hosts or to analyze the traffic traversing the network.
TCPDump on the device provides the possibility to decode or capture packets received and transmitted
by the Management CPU. This function is available using the debug CLI command. Refer to the
“Command Line Interface” reference manual for further information about the TCPDump function.


13.14 Monitoring the data traffic

The device allows you to forward data packets that pass through the device to a destination port. There
you can monitor and evaluate the data packets.
The device provides you with the following options:
- Port Mirroring
- VLAN mirroring
- Remote SPAN

13.14.1 Port Mirroring


The Port Mirroring function allows you to copy data packets from physical source ports to a physical
destination port.
You monitor the data traffic on the source ports in the sending and receiving directions with a management tool connected on the destination port, for example an RMON probe. The function has no effect on the data traffic running on the source ports.

[Figure 68: Example. Labels: Switch, PLC, Backbone, RMON-Probe]

On the destination port, the device exclusively sends the data packets copied from the source ports.
Before you switch on the Port Mirroring function, mark the checkbox Allow management to access
the management functions via the destination port. The device allows access to the management
functions via the destination port without interrupting the active Port Mirroring session.

Note: The device duplicates multicasts, broadcasts and unknown unicasts on the destination port.
The VLAN settings on the destination port remain unchanged. Prerequisite for management access at
the destination port is that the destination port is a member of the management VLAN.


Enabling the Port Mirroring function


Perform the following steps:
- Open the Diagnostics > Ports > Port Mirroring dialog.
- Specify the source ports.
  Mark the checkbox in the Enabled column for the relevant ports.
- Specify the destination port.
  In the Destination port frame, select the desired port in the Primary port drop-down list.
  The drop-down list only displays available ports. Ports that are already specified as source ports are unavailable.
- If needed, specify a second destination port.
  In the Destination port frame, select the desired port in the Secondary port drop-down list.
  The prerequisite is that you have already specified the primary destination port.
- In order to access the management functions of the device via the destination port:
  In the Destination port frame, mark the Allow management checkbox.
- To save the changes temporarily, click the button.

To deactivate the Port Mirroring function and restore the default settings, click the button and
then the Reset config item.

13.14.2 VLAN mirroring


The VLAN mirroring function allows you to mirror the received data stream that matches a specific
VLAN to a selected destination port. The device only copies the data on the VLAN, and sends the
original data to the intended recipients. For example, the device can mirror data to a network analyzer
connected to the destination port.
Only one of the functions, either the VLAN mirroring function or the Port Mirroring function, can be
active at the same time. When you select VLAN 0 as the source VLAN, the VLAN mirroring function
is inactive. To disable the VLAN mirroring function, unmark the checkbox in the Enabled column for
the source port.
If the data stream received on the mirrored VLAN exceeds the maximum bandwidth of the destination
port, then the device drops some packets to accommodate the maximum bandwidth of the destination
port. Even though the device drops some packets, the device continues to mirror packets that match the
specified VLAN.
When you specify the PVID on a port as the source VLAN ID, the device mirrors the untagged packets
received, but without a VLAN tag. In this case, the device mirrors the packet exactly as it received the
packet.


Example configuration
In this example configuration, Sw 4 mirrors data received on VLAN 20 to a network analyzer on the
destination port.
To configure VLAN mirroring on Sw 4, use the following steps:
- Create the mirrored VLAN.
- Configure VLAN mirroring.

[Figure 69: VLAN Mirroring Example Configuration. Labels: Sw 1, Sw 2, Sw 3, Sw 4; VLAN: 20, VLAN: 100, VLAN: 20; If: 3/1, If: 3/2, If: 3/3, If: 3/4; Destination port; Network Analyzer]


Perform the following steps:
- Open the Switching > VLAN > VLAN Configuration dialog.
- Add the VLAN:
  - Click the button.
    The dialog displays the Create window.
  - In the VLAN ID field, specify the value 20.
  - Click the Ok button.
  - In the Name column, enter the value VLAN mirroring port.
- To save the changes temporarily, click the button.
- Open the Diagnostics > Ports > Port Mirroring dialog.
- Deactivating the Port Mirroring function:
  Unmark every checkbox in the Enabled column.
- Specifying the destination port:
  In the Destination port frame, specify the value 3/4.
- Specifying the data source:
  In the VLAN mirroring frame, Source VLAN ID field, specify the value 20.
- To enable the function, select the On radio button in the Operation frame.
- To save the changes temporarily, click the button.

enable                                        Change to the Privileged EXEC mode.
vlan database                                 Change to the VLAN configuration mode.
vlan add 20                                   Create VLAN 20 on the device.
name 20 VLAN mirroring port                   Assign the name VLAN mirroring port to VLAN 20.
exit                                          Change to the Privileged EXEC mode.
configure                                     Change to the Configuration mode.
monitor session 1 source vlan 20              Create VLAN mirroring session 1. The source is VLAN 20.
monitor session 1 destination interface 3/4   Specify port 3/4 as the destination port.
monitor session 1 mode                        Activate VLAN mirroring session 1.


13.14.3 Remote SPAN


Remote Switch Port Analysis (RSPAN) allows the network administrator to forward mirrored data across
multiple devices to a destination port. The network administrator can then analyze the data or diagnose
detected errors on the network from a central location. The device allows the network administrator to
analyze data from a single source or from multiple sources.
The mirrored data traverses the network on a specified VLAN. Each RSPAN device uses the same
RSPAN VLAN to forward mirrored data. Furthermore, any port, except the mirrored ports, can be a
member of the RSPAN VLAN.
Depending on the amount of data and the port bandwidth, the device can drop some of the mirrored
data. To reduce the loss of mirrored data packets, use Gigabit ports and/or LAG interfaces to forward
the RSPAN data to the destination device.
The network administrator configures the devices, used for RSPAN, depending on the various roles.
RSPAN uses the following device configurations:
- A Source device mirrors and tags the data with the RSPAN VLAN ID and forwards the data only to the destination port of the source device. On the source device, specify the RSPAN VLAN in the Destination VLAN ID field.
  When the source device forwards the uplink data and the RSPAN data on the same link, then the device requires a Reflector port. The reflector port tags the RSPAN VLAN data with the RSPAN VLAN ID. The device then forwards the tagged data to the destination device. In order to accomplish this task, the network administrator connects 2 ports on the source device together with an Ethernet cable.
- The Destination device aggregates the data tagged with the RSPAN VLAN ID and then forwards the data to the destination port. On the destination device, specify the RSPAN VLAN in the Source VLAN ID field. The normal data stream can share the port with the RSPAN VLAN data.
- An Intermediate device floods the data tagged with the RSPAN VLAN ID to the ports with RSPAN VLAN membership. On an intermediate device, specify the RSPAN VLAN in the VLAN ID field. The device can transmit the RSPAN VLAN data over a LAG link toward the RSPAN destination device.
The device can forward RSPAN data to the destination device over an MRP ring network as long as the
destination ring device is not a ring member. The device can also forward RSPAN data over a LAG
instance as long as the LAG ports are not destination ports.

Note: To help prevent erroneous loop detection when you use the RSPAN function, observe the following: If you connect to the neighboring devices using separate paths for uplink and RSPAN data, then verify that the Spanning Tree Protocol is inactive on both ports of the RSPAN data links. If you use a reflector port, then verify that the Spanning Tree Protocol is inactive on the links forwarding the RSPAN data.

In the following examples, the network administrator wants to mirror the data stream to a network analyzer located somewhere in the network. The examples demonstrate the various ways to integrate the source device in your network.

In the examples, the network administrator desires to mirror the data packets received from switch 1,
on port 2/1 of switch 2 to the network analyzer connected to switch 4. The network administrator has
specified VLAN 30 as the RSPAN VLAN ID.

Note: Use only RSPAN-aware devices to forward the RSPAN data.


Example 1
In the example, you configure a reflector port on switch 2. Connect the ports 2/3 and 2/4 together with an Ethernet cable. The links between switch 2, switch 3 and switch 4 carry both the RSPAN and the uplink data stream. Afterwards, perform the following steps:

[Figure: Labels: Sw 1, Sw 2, Sw 3, Sw 4, Network Analyzer, Reflector port; ports 1/1, 2/1, 2/2, 2/3, 2/4, 3/1, 3/2, 4/1, 4/2. Legend: RSPAN data only; Uplink and RSPAN data; Uplink data only]

Configure switch 2 as a port mirroring source.


Perform the following steps:
- Open the Switching > VLAN > VLAN Configuration dialog.
- Add the VLAN:
  Click the button.
  The dialog displays the Create window.
  In the VLAN ID field, specify the value 30.
  Click the Ok button.
  In the Name column, specify the value RSPAN_VLAN.
- Specifying port 2/2 as a member of the RSPAN VLAN:
  For VLAN 30, specify in the 2/2 column the value T.
- Block management packets from being forwarded to port 2/4.
  For VLAN 1, specify in the 2/4 column the value -.
- To save the changes temporarily, click the button.
- Open the Diagnostics > Ports > Port Mirroring dialog.
- Specifying the destination port:
  In the Destination port frame, specify the value 2/3.
- Specifying the RSPAN VLAN:
  In the RSPAN frame, VLAN ID field, specify the value 30.
- Specifying the destination VLAN:
  In the RSPAN frame, Destination VLAN ID field, specify the value 30.
- Specifying the data source:
  For port 2/1, mark the checkbox in the Enabled column.
- Specifying the direction:
  For port 2/1, specify in the Type column the value txrx.
- To enable the function, select the On radio button in the Operation frame.
- To save the changes temporarily, click the button.
- Open the Switching > L2-Redundancy > Spanning Tree > Port dialog.
- Deactivating the Spanning Tree function on port 2/4:
  For port 2/4, unmark the checkbox in the STP active column.
- To save the changes temporarily, click the button.


enable                                        Change to the Privileged EXEC mode.
vlan database                                 Change to the VLAN configuration mode.
vlan add 30                                   Create VLAN 30 on the device.
name 30 RSPAN_VLAN                            Assign the name RSPAN_VLAN to VLAN 30.
rspan-vlan 30                                 Specify VLAN 30 as the RSPAN VLAN.
exit                                          Change to the Privileged EXEC mode.
configure                                     Change to the Configuration mode.
monitor session 1 source add interface 2/1    Add port 2/1 to session 1 as a source port.
monitor session 1 destination interface 2/3   Specify port 2/3 as the destination port of session 1.
monitor session 1 destination remote vlan 30  Specify VLAN 30 as the destination RSPAN VLAN of session 1.
monitor session 1 mode                        Activate the VLAN mirroring session 1.
interface 2/2                                 Change to the interface configuration mode of interface 2/2.
vlan participation include 30                 Specify that port 2/2 is a member of VLAN 30.
vlan tagging 30                               Specify that port 2/2 forwards VLAN 30 data.
exit                                          Change to the Configuration mode.
interface 2/4                                 Change to the interface configuration mode of interface 2/4.
vlan participation auto 1                     The port participates in this VLAN only when requested.
spanning-tree mode disable                    Deactivate STP on the port.
exit                                          Change to the Configuration mode.

Configure switch 3 as an intermediate device.


Perform the following steps:
- Open the Switching > VLAN > VLAN Configuration dialog.
- Add the VLAN:
  Click the button.
  The dialog displays the Create window.
  In the VLAN ID field, specify the value 30.
  Click the Ok button.
  In the Name column, specify the value RSPAN_VLAN.
- Specifying port 3/2 as a member of the RSPAN VLAN:
  For VLAN 30, specify in the 3/2 column the value T.
- To save the changes temporarily, click the button.

enable                                        Change to the Privileged EXEC mode.
vlan database                                 Change to the VLAN configuration mode.
vlan add 30                                   Create VLAN 30 on the device.
name 30 RSPAN_VLAN                            Assign the name RSPAN_VLAN to VLAN 30.
rspan-vlan 30                                 Specify VLAN 30 as the RSPAN VLAN.
exit                                          Change to the Privileged EXEC mode.
configure                                     Change to the Configuration mode.
interface 3/2                                 Change to the interface configuration mode of interface 3/2.
vlan participation include 30                 Specify that port 3/2 is a member of VLAN 30.
vlan tagging 30                               Specify that port 3/2 forwards VLAN 30 data.
exit                                          Change to the Configuration mode.

Configure switch 4 as the destination device.


Perform the following steps:
- Open the Switching > VLAN > VLAN Configuration dialog.
- Add the VLAN:
  Click the button.
  The dialog displays the Create window.
  In the VLAN ID field, specify the value 30.
  Click the Ok button.
  In the Name column, specify the value RSPAN_VLAN.
- To save the changes temporarily, click the button.
- Open the Diagnostics > Ports > Port Mirroring dialog.
- Specifying the destination port:
  In the Destination port frame, specify the value 4/2.
- Specifying the RSPAN VLAN:
  In the RSPAN frame, VLAN ID field, specify the value 30.
- Specifying the data source:
  In the RSPAN frame, Source VLAN ID field, specify the value 30.
- To enable the function, select the On radio button in the Operation frame.
- To save the changes temporarily, click the button.

enable                                        Change to the Privileged EXEC mode.
vlan database                                 Change to the VLAN configuration mode.
vlan add 30                                   Create VLAN 30 on the device.
name 30 RSPAN_VLAN                            Assign the name RSPAN_VLAN to VLAN 30.
rspan-vlan 30                                 Specify VLAN 30 as the RSPAN VLAN.
exit                                          Change to the Privileged EXEC mode.
configure                                     Change to the Configuration mode.
monitor session 1 source remote vlan 30       Specify VLAN 30 as the RSPAN data source.
monitor session 1 destination interface 4/2   Specify port 4/2 as the destination port.
monitor session 1 mode                        Activate the VLAN mirroring session 1.
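The RSPAN rules stated above (one shared RSPAN VLAN, Destination VLAN ID on the source device, Source VLAN ID on the destination device, mirrored ports outside the RSPAN VLAN), checked offline against the CLI sequences of Example 1. This is an added example, not part of the Hirschmann manual or firmware; the parser reads only the commands shown on this page, and the names Switch, parse and audit are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: the CLI sequences of Example 1, one string per switch.
VLAN_SETUP = """vlan database
vlan add 30
name 30 RSPAN_VLAN
rspan-vlan 30
exit
configure
"""
SW2 = VLAN_SETUP + """monitor session 1 source add interface 2/1
monitor session 1 destination interface 2/3
monitor session 1 destination remote vlan 30
monitor session 1 mode
interface 2/2
vlan participation include 30
vlan tagging 30
exit
interface 2/4
vlan participation auto 1
spanning-tree mode disable
exit"""
SW3 = VLAN_SETUP + """interface 3/2
vlan participation include 30
vlan tagging 30
exit"""
SW4 = VLAN_SETUP + """monitor session 1 source remote vlan 30
monitor session 1 destination interface 4/2
monitor session 1 mode"""

@dataclass
class Switch:
    rspan_vlan: Optional[int] = None
    sources: set = field(default_factory=set)    # mirrored ports
    dest_port: Optional[str] = None
    dest_vlan: Optional[int] = None              # "destination remote vlan", source device
    src_vlan: Optional[int] = None               # "source remote vlan", destination device
    active: bool = False                         # "monitor session 1 mode" seen
    members: dict = field(default_factory=dict)  # VLAN ID -> ports included in it

def parse(text):
    """Read the commands used on this page; every other line is ignored."""
    sw, port = Switch(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"rspan-vlan (\d+)", line):
            sw.rspan_vlan = int(m[1])
        elif m := re.fullmatch(r"monitor session 1 source add interface (\S+)", line):
            sw.sources.add(m[1])
        elif m := re.fullmatch(r"monitor session 1 destination interface (\S+)", line):
            sw.dest_port = m[1]
        elif m := re.fullmatch(r"monitor session 1 destination remote vlan (\d+)", line):
            sw.dest_vlan = int(m[1])
        elif m := re.fullmatch(r"monitor session 1 source remote vlan (\d+)", line):
            sw.src_vlan = int(m[1])
        elif line == "monitor session 1 mode":
            sw.active = True
        elif m := re.fullmatch(r"interface (\S+)", line):
            port = m[1]
        elif line == "exit":
            port = None
        elif port and (m := re.fullmatch(r"vlan participation include (\d+)", line)):
            sw.members.setdefault(int(m[1]), set()).add(port)
    return sw

def audit(switches):
    """Check a dict name -> Switch; an empty result means no rule is violated."""
    findings = []
    vlans = {name: sw.rspan_vlan for name, sw in switches.items()}
    if None in vlans.values() or len(set(vlans.values())) != 1:
        findings.append(f"devices do not share one RSPAN VLAN: {vlans}")
    for name, sw in switches.items():
        members = sw.members.get(sw.rspan_vlan, set())
        if sw.sources:                                   # source device
            if sw.dest_vlan != sw.rspan_vlan:
                findings.append(f"{name}: destination VLAN {sw.dest_vlan} is not the RSPAN VLAN")
            if sw.dest_port is None or sw.dest_port in sw.sources:
                findings.append(f"{name}: destination port missing or also a source port")
            if sw.sources & members:
                findings.append(f"{name}: mirrored port in RSPAN VLAN: {sorted(sw.sources & members)}")
        elif sw.src_vlan is not None:                    # destination device
            if sw.src_vlan != sw.rspan_vlan:
                findings.append(f"{name}: source VLAN {sw.src_vlan} is not the RSPAN VLAN")
            if sw.dest_port is None:
                findings.append(f"{name}: no destination port for the analyzer")
        elif not members:                                # intermediate device
            findings.append(f"{name}: no port is a member of the RSPAN VLAN")
        if (sw.sources or sw.src_vlan is not None) and not sw.active:
            findings.append(f"{name}: monitor session 1 is configured but not activated")
    return findings

if __name__ == "__main__":
    good = {"Sw 2": parse(SW2), "Sw 3": parse(SW3), "Sw 4": parse(SW4)}
    print(audit(good) or "Example 1 is consistent")
    bad = {**good, "Sw 4": parse(SW4.replace("source remote vlan 30", "source remote vlan 20"))}
    print(audit(bad))
```

Run the same check on exported configurations to spot mirroring sessions that are active but point at the wrong VLAN or port.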

Example 2
In this example, the network forwards the RSPAN data and the uplink data on parallel paths from the
source device to the destination device.
[Figure: Labels: Sw 1, Sw 2, Sw 3, Sw 4, Network Analyzer; ports 1/1, 2/1, 2/2, 2/3, 3/1, 3/2, 3/3, 3/4, 4/1, 4/2, 4/3. Legend: RSPAN data only; Uplink data only]

Configure switch 2 as a port mirroring source.


Perform the following steps:
- Open the Switching > VLAN > VLAN Configuration dialog.
- Add the VLAN:
  Click the button.
  The dialog displays the Create window.
  In the VLAN ID field, specify the value 30.
  Click the Ok button.
  In the Name column, specify the value RSPAN_VLAN.
- Specifying port 2/3 as a non-member of the RSPAN VLAN:
  For VLAN 30, specify in the 2/3 column the value -.
- To save the changes temporarily, click the button.
- Open the Diagnostics > Ports > Port Mirroring dialog.
- Specifying the destination port:
  In the Destination port frame, specify the value 2/2.
- Specifying the destination VLAN:
  In the RSPAN frame, Destination VLAN ID field, specify the value 30.
- Specifying the data source:
  For port 2/1, mark the checkbox in the Enabled column.
- Specifying the direction:
  For port 2/1, specify in the Type column the value txrx.
- To enable the function, select the On radio button in the Operation frame.
- To save the changes temporarily, click the button.

enable                                        Change to the Privileged EXEC mode.
vlan database                                 Change to the VLAN configuration mode.
vlan add 30                                   Create VLAN 30 on the device.
name 30 RSPAN_VLAN                            Assign the name RSPAN_VLAN to VLAN 30.
rspan-vlan 30                                 Specify VLAN 30 as the RSPAN VLAN.
exit                                          Change to the Privileged EXEC mode.
configure                                     Change to the Configuration mode.
monitor session 1 source add interface 2/1    Add port 2/1 to session 1 as a source port.
monitor session 1 destination interface 2/2   Specify port 2/2 as the destination port of session 1.
monitor session 1 destination remote vlan 30  Specify VLAN 30 as the destination RSPAN VLAN of session 1.
monitor session 1 mode                        Activate the VLAN mirroring session 1.
interface 2/3                                 Change to the interface configuration mode of interface 2/3.
vlan participation auto 30                    The port participates in this VLAN only when requested.
exit                                          Change to the Configuration mode.

Configure switch 3 as an intermediate device.


Perform the following steps:
- Open the Switching > VLAN > VLAN Configuration dialog.
- Add the VLAN:
  Click the button.
  The dialog displays the Create window.
  In the VLAN ID field, specify the value 30.
  Click the Ok button.
  In the Name column, specify the value RSPAN_VLAN.
- Specifying port 3/1 as a non-member of the management VLAN:
  For VLAN 1, specify in the 3/1 column the value -.
- Specifying port 3/2 as a non-member of the management VLAN:
  For VLAN 1, specify in the 3/2 column the value -.
- Specifying port 3/2 as a member of the RSPAN VLAN:
  For VLAN 30, specify in the 3/2 column the value T.
- Specifying port 3/3 as a non-member of the RSPAN VLAN:
  For VLAN 30, specify in the 3/3 column the value -.
- Specifying port 3/4 as a non-member of the RSPAN VLAN:
  For VLAN 30, specify in the 3/4 column the value -.
- To save the changes temporarily, click the button.
- Open the Switching > L2-Redundancy > Spanning Tree > Port dialog.
- Deactivating the Spanning Tree function on port 3/1:
  For port 3/1, unmark the checkbox in the STP active column.
- Deactivating the Spanning Tree function on port 3/2:
  For port 3/2, unmark the checkbox in the STP active column.
- To save the changes temporarily, click the button.

enable                                        Change to the Privileged EXEC mode.
vlan database                                 Change to the VLAN configuration mode.
vlan add 30                                   Create VLAN 30 on the device.
name 30 RSPAN_VLAN                            Assign the name RSPAN_VLAN to VLAN 30.
rspan-vlan 30                                 Specify VLAN 30 as the RSPAN VLAN.
exit                                          Change to the Privileged EXEC mode.
configure                                     Change to the Configuration mode.
interface 3/1                                 Change to the interface configuration mode of interface 3/1.
vlan participation auto 1                     The port participates in this VLAN only when requested.
spanning-tree mode disable                    Deactivate STP on the port.
exit                                          Change to the Configuration mode.
interface 3/2                                 Change to the interface configuration mode of interface 3/2.
vlan participation include 30                 Specify that port 3/2 is a member of VLAN 30.
vlan tagging 30                               Specify that port 3/2 forwards VLAN 30 data.
vlan participation auto 1                     The port participates in this VLAN only when requested.
spanning-tree mode disable                    Deactivate STP on the port.
exit                                          Change to the Configuration mode.
interface 3/3                                 Change to the interface configuration mode of interface 3/3.
vlan participation auto 30                    The port participates in this VLAN only when requested.
exit                                          Change to the Configuration mode.
interface 3/4                                 Change to the interface configuration mode of interface 3/4.
vlan participation auto 30                    The port participates in this VLAN only when requested.
exit                                          Change to the Configuration mode.

Configure switch 4 as the destination device.


Perform the following steps:
- Open the Switching > VLAN > VLAN Configuration dialog.
- Add the VLAN:
  Click the button.
  The dialog displays the Create window.
  In the VLAN ID field, specify the value 30.
  Click the Ok button.
  In the Name column, specify the value RSPAN_VLAN.
- To save the changes temporarily, click the button.
- Open the Diagnostics > Ports > Port Mirroring dialog.
- Specifying the destination port:
  In the Destination port frame, specify the value 4/2.
- Specifying the data source:
  In the RSPAN frame, Source VLAN ID field, specify the value 30.
- To enable the function, select the On radio button in the Operation frame.
- To save the changes temporarily, click the button.
- Open the Switching > L2-Redundancy > Spanning Tree > Port dialog.
- Deactivating the Spanning Tree function on port 4/1:
  For port 4/1, unmark the checkbox in the STP active column.
- To save the changes temporarily, click the button.

enable                                        Change to the Privileged EXEC mode.
vlan database                                 Change to the VLAN configuration mode.
vlan add 30                                   Create VLAN 30 on the device.
name 30 RSPAN_VLAN                            Assign the name RSPAN_VLAN to VLAN 30.
rspan-vlan 30                                 Specify VLAN 30 as the RSPAN VLAN.
exit                                          Change to the Privileged EXEC mode.
configure                                     Change to the Configuration mode.
monitor session 1 destination interface 4/2   Specify port 4/2 as the destination port.
monitor session 1 source remote vlan 30       Specify VLAN 30 as the RSPAN data source.
monitor session 1 mode                        Activate the VLAN mirroring session 1.
interface 4/1                                 Change to the interface configuration mode of interface 4/1.
spanning-tree mode disable                    Deactivate STP on the port.
exit                                          Change to the Configuration mode.

Example 3
In the example, the source device switch 2 sends the uplink data and the RSPAN data to the
intermediate device switch 3. The intermediate device switch 3 then forwards the combined traffic on
a single link to the destination device switch 4.
[Figure: Labels: Sw 1, Sw 2, Sw 3, Sw 4, Network Analyzer; ports 1/1, 2/1, 2/2, 2/3, 3/1, 3/2, 3/3, 4/1, 4/2. Legend: RSPAN data only; Uplink and RSPAN data; Uplink data only]

Configure switch 2 as a port mirroring source.


Perform the following steps:
- Open the Switching > VLAN > VLAN Configuration dialog.
- Add the VLAN:
  Click the button.
  The dialog displays the Create window.
  In the VLAN ID field, specify the value 30.
  Click the Ok button.
  In the Name column, specify the value RSPAN_VLAN.
- Specifying port 2/3 as a non-member of the RSPAN VLAN:
  For VLAN 30, specify in the 2/3 column the value -.
- To save the changes temporarily, click the button.
- Open the Diagnostics > Ports > Port Mirroring dialog.
- Specifying the destination port:
  In the Destination port frame, specify the value 2/2.
- Specifying the destination VLAN:
  In the RSPAN frame, Destination VLAN ID field, specify the value 30.
- Specifying the data source:
  For port 2/1, mark the checkbox in the Enabled column.
- Specifying the direction:
  For port 2/1, specify in the Type column the value txrx.
- To enable the function, select the On radio button in the Operation frame.
- To save the changes temporarily, click the button.

enable                                        Change to the Privileged EXEC mode.
vlan database                                 Change to the VLAN configuration mode.
vlan add 30                                   Create VLAN 30 on the device.
name 30 RSPAN_VLAN                            Assign the name RSPAN_VLAN to VLAN 30.
rspan-vlan 30                                 Specify VLAN 30 as the RSPAN VLAN.
exit                                          Change to the Privileged EXEC mode.
configure                                     Change to the Configuration mode.
monitor session 1 destination interface 2/2   Specify port 2/2 as the destination port of session 1.
monitor session 1 destination remote vlan 30  Specify VLAN 30 as the destination RSPAN VLAN of session 1.
monitor session 1 source add interface 2/1    Add port 2/1 to session 1 as a source port.
monitor session 1 mode                        Activate the VLAN mirroring session 1.
interface 2/3                                 Change to the interface configuration mode of interface 2/3.
vlan participation auto 30                    The port participates in this VLAN only when requested.
exit                                          Change to the Configuration mode.

Configure switch 3 as an intermediate device.


Perform the following steps:
- Open the Switching > VLAN > VLAN Configuration dialog.
- Add the VLAN:
  Click the button.
  The dialog displays the Create window.
  In the VLAN ID field, specify the value 30.
  Click the Ok button.
  In the Name column, specify the value RSPAN_VLAN.
- Specifying port 3/1 as a non-member of the management VLAN:
  For VLAN 1, specify in the 3/1 column the value -.
- Specifying port 3/2 as a member of the RSPAN VLAN:
  For VLAN 30, specify in the 3/2 column the value T.
- Specifying port 3/3 as a non-member of the management VLAN:
  For VLAN 1, specify in the 3/3 column the value -.
- To save the changes temporarily, click the button.
- Open the Switching > L2-Redundancy > Spanning Tree > Port dialog.
- Deactivating the Spanning Tree function on port 3/1:
  For port 3/1, unmark the checkbox in the STP active column.
- To save the changes temporarily, click the button.

enable                                        Change to the Privileged EXEC mode.
vlan database                                 Change to the VLAN configuration mode.
vlan add 30                                   Create VLAN 30 on the device.
name 30 RSPAN_VLAN                            Assign the name RSPAN_VLAN to VLAN 30.
rspan-vlan 30                                 Specify VLAN 30 as the RSPAN VLAN.
exit                                          Change to the Privileged EXEC mode.
configure                                     Change to the Configuration mode.
interface 3/1                                 Change to the interface configuration mode of interface 3/1.
vlan participation auto 1                     The port participates in this VLAN only when requested.
spanning-tree mode disable                    Deactivate STP on the port.
exit                                          Change to the Configuration mode.
interface 3/2                                 Change to the interface configuration mode of interface 3/2.
vlan participation include 30                 Specify that port 3/2 is a member of VLAN 30.
vlan tagging 30                               Specify that port 3/2 forwards VLAN 30 data.
exit                                          Change to the Configuration mode.
interface 3/3                                 Change to the interface configuration mode of interface 3/3.
vlan participation auto 30                    The port participates in this VLAN only when requested.
exit                                          Change to the Configuration mode.

Configure switch 4 as the destination device.


Perform the following steps:
- Open the Switching > VLAN > VLAN Configuration dialog.
- Add the VLAN:
  Click the button.
  The dialog displays the Create window.
  In the VLAN ID field, specify the value 30.
  Click the Ok button.
  In the Name column, specify the value RSPAN_VLAN.
- To save the changes temporarily, click the button.
- Open the Diagnostics > Ports > Port Mirroring dialog.
- Specifying the destination port:
  In the Destination port frame, specify the value 4/2.
- Specifying the data source:
  In the RSPAN frame, Source VLAN ID field, specify the value 30.
- To enable the function, select the On radio button in the Operation frame.
- To save the changes temporarily, click the button.

enable                                        Change to the Privileged EXEC mode.
vlan database                                 Change to the VLAN configuration mode.
vlan add 30                                   Create VLAN 30 on the device.
name 30 RSPAN_VLAN                            Assign the name RSPAN_VLAN to VLAN 30.
rspan-vlan 30                                 Specify VLAN 30 as the RSPAN VLAN.
exit                                          Change to the Privileged EXEC mode.
configure                                     Change to the Configuration mode.
monitor session 1 destination interface 4/2   Specify port 4/2 as the destination port.
monitor session 1 source remote vlan 30       Specify VLAN 30 as the RSPAN data source.
monitor session 1 mode                        Activate the VLAN mirroring session 1.


13.15 Self-test

The device checks its assets during the boot process and occasionally thereafter. The device checks
system task availability or termination and the available amount of memory. Furthermore, the device
checks for application functionality and if there is any hardware degradation in the chip set.
When the device detects a loss in integrity, the device responds to the degradation with a user-defined
action. The following categories are available for configuration.
- task
  Action to be taken when a task is unsuccessful.
- resource
  Action to be taken due to the lack of resources.
- software
  Action taken for loss of software integrity; for example, code segment checksum or access violations.
- hardware
  Action taken due to hardware degradation.

Configure each category to produce an action when the device detects a loss in integrity. The following
actions are available for configuration.
- log only
  This action writes a message to the logging file.
- send trap
  Sends an SNMP trap to the trap destination.
- reboot
  An error in the category, when activated, causes the device to reboot.

Perform the following steps:
- Open the Diagnostics > System > Selftest dialog.
- In the Action column, specify the action to perform for a cause.
- To save the changes temporarily, click the button.

enable                              Change to the Privileged EXEC mode.
configure                           Change to the Configuration mode.
selftest action task log-only       Send a message to the event log when a task is unsuccessful.
selftest action resource send-trap  Send an SNMP trap if there are insufficient resources.
selftest action software send-trap  Send an SNMP trap if the software integrity has been lost.
selftest action hardware reboot     Reboot the device when hardware degradation occurs.

Disabling the following functions lets you decrease the time required to restart the device after a cold
start. You find these options in the Diagnostics > System > Selftest dialog, Configuration frame.
• RAM test
  Activates/deactivates the RAM test function during a cold start.
• SysMon1 is available
  Activates/deactivates the System Monitor function during a cold start.
• Load default config on error
  Activates/deactivates the loading of the default device configuration if no readable configuration is
  available during a restart.

Note: The following settings block your access to the device permanently if the device does not detect
any readable configuration profile when it is restarting. This is the case, for example, if the password of
the configuration profile that you are loading differs from the password set in the device.
• The SysMon1 is available checkbox is unmarked.
• The Load default config on error checkbox is unmarked.

To have the device unlocked again, contact your sales partner.


selftest ramtest              Enable the RAM self-test on cold start.
no selftest ramtest           Disable the "ramtest" function.
selftest system-monitor       Enable the "SysMon1" function.
no selftest system-monitor    Disable the "SysMon1" function.
show selftest action          Show the status of the actions to be taken in the event of device degradation.
show selftest settings        Display the "ramtest" and "SysMon" settings that apply in the event of a cold start.

13.16 Copper cable test

Use this feature to test copper cables attached to an interface for a short or open circuit. While in
progress, the test interrupts the traffic flow on this port.
The table displays the state and lengths of each individual pair. The device returns a result with the
following meaning:
• normal - indicates that the cable is operating properly
• open - indicates an interruption in the cable
• short circuit - indicates a short circuit in the cable
• untested - indicates an untested cable
• Unknown - cable unplugged

13.17 Network monitoring with sFlow

SFlow is a standard protocol for monitoring networks. The device provides this function for visibility into
network activity, enabling effective management and control of network resources.
The SFlow monitoring system consists of an SFlow agent, embedded in the device, and a central SFlow
collector. The agent uses sampling technology to capture traffic statistics. SFlow instances associated
with individual data sources within the agent perform packet flow and counter sampling. Using SFlow
datagrams, the agent forwards the sampled traffic statistics to an SFlow collector for analysis.
The agent uses 2 forms of sampling: statistical packet-based sampling of packet flows and time-based
sampling of counters. An SFlow datagram contains both types of samples. Packet flow sampling,
based on a sampling rate, sends a steady, but random stream of datagrams to the collector. For
time-based sampling, the agent polls the counters at set intervals to fill the datagrams.
The device implements datagram version 5 for the SFlow agent.

The user-defined SFlow functions are:

• Sampler configuration, packet flow sampling:
  – Data source port number, to sample physical ports
  – Receiver index associated with the sampler
  – Sampling rate
    The device counts the packets of received data. When the count reaches the user-defined number,
    the agent samples the packet.
    Range: 256..65535
    0 = function inactive
  – Header size in bytes to sample
    Range: 20..256
• Poller configuration, counter sampling:
  – Data source port number, available for physical ports
  – Receiver index associated with the poller
  – Interval, in seconds, between samples
    Range: 0..86400
• Receiver configuration, up to 8 entries:
  – Owner name, to claim an SFlow entry
  – Timeout, in seconds, until sampling is stopped and the device releases the receiver along with the
    sampler and the poller
  – Datagram size
  – IP address
  – Port number

To configure the SFlow agent for a monitoring session, first configure an available receiver. Then
configure a sampling rate to perform packet flow sampling. Additionally, configure a polling interval for
counter sampling.
For example, Company XYZ wishes to monitor data flow on a device. The IP address of the remote
server containing the sFlow collector is 10.10.10.10. XYZ requires a sample of the first 256 bytes of
every 300th packet. Furthermore, XYZ requires counter polling every 400 s.
Perform the following steps:
• Open the Diagnostics > SFlow > Receiver dialog.
• For the name of the person or organization controlling the receiver, enter the value XYZ in the
  Name column.
• For the remote server IP address, on which the SFlow collector software runs, enter the value
  10.10.10.10 in the IP address column.
• Open the Diagnostics > SFlow > Configuration dialog, Sampler tab.
• In the Receiver column, select the index number of the receiver specified in the previous
  steps.
• In the Sampling rate column, specify the value 300.
• In the Max. header size [byte] column, specify the value 256.
• Open the Diagnostics > SFlow > Configuration dialog, Poller tab.
• In the Receiver column, select the index number of the receiver specified in the previous
  steps.
• In the Interval [s] column, specify the value 400.
• To save the changes temporarily, click the button.

enable                                       Change to the Privileged EXEC mode.
configure                                    Change to the Configuration mode.
sflow receiver 1 owner XYZ ip 10.10.10.10    Configure an SFlow receiver.
interface 1/1                                Change to the interface configuration mode of interface 1/1.
sflow sampler receiver 1 rate 300            Assign the SFlow sampler on the port to the previously configured receiver with a sampling rate of 300.
sflow sampler maxheadersize 256              Set the maximum header size of the SFlow sampler to the value 256.
sflow poller receiver 1 interval 400         Assign the SFlow poller to the previously configured receiver with an interval of 400 s.
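
What the collector receives from the configuration above, as an added example (not Hirschmann code): a bounds-checked Python parser for sFlow version 5 datagrams, run over a constructed datagram with one flow sample at rate 300 and one counter sample. The agent address 192.0.2.1, the counter values and all function names are assumptions made for the illustration; the 256-byte limit mirrors the sampler's header size range given above.

```python
import socket
import struct

MAX_HEADER = 256  # upper bound of the sampler's header size range on this page


class Reader:
    """Bounds-checked cursor over XDR data (big-endian, 4-byte units)."""

    def __init__(self, buf):
        self.buf, self.off = buf, 0

    def take(self, n):
        if self.off + n > len(self.buf):
            raise ValueError("truncated sFlow data")
        chunk = self.buf[self.off:self.off + n]
        self.off += n
        return chunk

    def u32(self):
        return struct.unpack("!I", self.take(4))[0]

    def u64(self):
        return struct.unpack("!Q", self.take(8))[0]


def records(r):
    """Yield (tag, Reader) for each length-prefixed sample or record."""
    for _ in range(r.u32()):
        tag, length = r.u32(), r.u32()
        yield tag, Reader(r.take(length))


def flow_sample(r):
    _seq, source_id, rate, pool, drops, _inp, _out = (r.u32() for _ in range(7))
    sample = {"type": "flow", "port": source_id & 0xFFFFFF, "sampling_rate": rate,
              "sample_pool": pool, "drops": drops, "headers": []}
    for tag, rec in records(r):
        if tag == 1:  # enterprise 0, format 1: raw packet header
            _proto, frame_len, _stripped, hdr_len = (rec.u32() for _ in range(4))
            if hdr_len > MAX_HEADER:
                raise ValueError("sampled header exceeds configured maximum")
            sample["headers"].append(
                {"frame_length": frame_len, "header": rec.take(hdr_len)})
    return sample


def counter_sample(r):
    _seq, source_id = r.u32(), r.u32()
    sample = {"type": "counter", "port": source_id & 0xFFFFFF, "interfaces": []}
    for tag, rec in records(r):
        if tag == 1:  # enterprise 0, format 1: generic interface counters
            if_index, _if_type, speed = rec.u32(), rec.u32(), rec.u64()
            rec.u32(), rec.u32()  # skip ifDirection and ifStatus
            in_octets = rec.u64()
            sample["interfaces"].append(
                {"if_index": if_index, "speed": speed, "in_octets": in_octets})
    return sample


def parse_datagram(buf):
    r = Reader(buf)
    if r.u32() != 5:
        raise ValueError("not an sFlow version 5 datagram")
    addr_type = r.u32()
    if addr_type == 1:
        agent = socket.inet_ntop(socket.AF_INET, r.take(4))
    elif addr_type == 2:
        agent = socket.inet_ntop(socket.AF_INET6, r.take(16))
    else:
        raise ValueError("unknown agent address type")
    _sub_agent, sequence, uptime_ms = r.u32(), r.u32(), r.u32()
    samples = []
    for tag, body in records(r):
        if tag == 1:
            samples.append(flow_sample(body))
        elif tag == 2:
            samples.append(counter_sample(body))
        else:
            samples.append({"type": "unknown", "tag": tag})
    return {"agent": agent, "sequence": sequence,
            "uptime_ms": uptime_ms, "samples": samples}


def constructed_datagram():
    """Constructed input: flow sample (rate 300) plus counter sample for port 1."""
    frame = bytes.fromhex("ffffffffffff0200000000010800") + bytes(50)  # 64 bytes
    raw = struct.pack("!IIII", 1, 1514, 4, len(frame)) + frame
    flow = (struct.pack("!8I", 7, 1, 300, 2100, 0, 1, 2, 1)
            + struct.pack("!II", 1, len(raw)) + raw)
    counters = struct.pack("!IIQIIQ", 1, 6, 10**9, 1, 3, 123456) + bytes(56)
    poll = (struct.pack("!III", 3, 1, 1)
            + struct.pack("!II", 1, len(counters)) + counters)
    head = struct.pack("!II4sIIII", 5, 1, socket.inet_aton("192.0.2.1"),
                       0, 42, 600000, 2)
    return (head + struct.pack("!II", 1, len(flow)) + flow
            + struct.pack("!II", 2, len(poll)) + poll)


if __name__ == "__main__":
    print(parse_datagram(constructed_datagram()))
```

A collector that multiplies the number of flow samples by the reported sampling rate obtains an estimate of the packet count on the port; the sample_pool and drops fields show whether the agent skipped samples.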

14 Advanced functions of the device

14.1 Using the device as a DHCP server

A DHCP server ("Dynamic Host Configuration Protocol") assigns IP addresses, gateways, and other
networking definitions such as DNS and NTP parameters to clients.
The DHCP operations fall into 4 basic phases: IP discovery, IP lease offer, IP request, and IP lease
acknowledgment. Use the acronym DORA, which stands for Discovery, Offer, Request, and
Acknowledgment, to help remember the phases. The server receives client data on UDP port 67 and
sends data to the client on UDP port 68.
The DHCP server provides an IP address pool or "pool", from which it allocates IP addresses to clients.
The pool consists of a list of entries. An entry defines either a specific IP address or an IP address range.
The device allows you to activate the DHCP server globally and per interface.

14.1.1 IP Addresses assigned per port or per VLAN


The DHCP server assigns a static IP address or dynamic range of IP addresses to a client connected
to a port or a VLAN. The device allows you to create entries for either a port or a VLAN. When creating
an entry to assign IP addresses to a VLAN, the port entry grays out. When creating an entry to
assign IP addresses to a port, the VLAN entry grays out.
Static allocation means that the DHCP server assigns the same IP address to a specific client. The
DHCP server identifies the client using a unique hardware ID. A static address entry contains 1 IP
address, and applies it to a port or VLAN on which the server receives a request from a specific client.
For static allocation, create a pool entry for the ports or one specific port, enter the IP address, and leave
the Last IP address column empty. Specify a hardware ID with which the DHCP server uniquely
identifies the client. This ID is either a MAC address, a client ID, a remote ID, or a circuit ID. If a client
contacts the server with the configured hardware ID, the DHCP server allocates the static IP address.
The device also allows you to assign a dynamic IP address range to ports or VLANs from which the
DHCP server allocates a free IP address from a pool. To add a dynamic pool entry for the ports or
VLANs, specify the first and last IP addresses for the IP address range, leaving the MAC address, Client
ID, Remote ID, and Circuit ID columns empty. Creating multiple pool entries allows you to have IP
address ranges that contain gaps.

14.1.2 DHCP server static IP address example


In this example, configure the device to allocate a static IP address to a port. The device recognizes
clients with unique hardware identification. The Hardware ID in this case is the client MAC address
00:24:E8:D6:50:51.
Perform the following steps:
• Open the Advanced > DHCP Server > Pool dialog.
• To add a table entry, click the button.
• In the IP address column, specify the value 192.168.23.42.
• In the Port column, specify the value 1/1.
• In the MAC address column, specify the value 00:24:E8:D6:50:51.
• To assign the IP address to the client infinitely, in the Lease time [s] column, specify the
  value 4294967295.
• Mark the checkbox in the Active column.
• Open the Advanced > DHCP Server > Global dialog.
• For port 1/1, mark the checkbox in the DHCP server active column.
• To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.

enable                                                  Change to the Privileged EXEC mode.
configure                                               Change to the Configuration mode.
dhcp-server pool add 1 static 192.168.23.42             Create an entry with index 1 and add the IP address 192.168.23.42 to the static pool.
dhcp-server pool modify 1 mode interface 1/1            Assign the static address in index 1 to interface 1/1.
dhcp-server pool modify 1 mode mac 00:24:E8:D6:50:51    Assign the IP address in index 1 to the device with the MAC address 00:24:E8:D6:50:51.
dhcp-server pool mode 1                                 Enable the index 1 pool entry.
dhcp-server pool modify 1 leasetime infinite            To allocate the IP address to the client infinitely, modify the entry with index 1.
dhcp-server operation                                   Enable the DHCP server globally.
interface 1/1                                           Change to the interface configuration mode of interface 1/1.
dhcp-server operation                                   Activate the DHCP Server function on this port.

14.1.3 DHCP server dynamic IP address range example


The device allows you to create dynamic IP address ranges. Leave the MAC address, Client ID,
Remote ID and Circuit ID fields empty. To create dynamic IP address ranges with gaps between the
ranges, add several entries to the table.
Perform the following steps:
• Open the Advanced > DHCP Server > Pool dialog.
• To add a table entry, click the button.
• In the IP address column, specify the value 192.168.23.92. This is the first IP address of
  the range.
• In the Last IP address column, specify the value 192.168.23.142. This is the last IP address of
  the range.
  In the Lease time [s] column, the default setting is 60 days.
• In the Port column, specify the value 1/2.
• Mark the checkbox in the Active column.
• Open the Advanced > DHCP Server > Global dialog.
• For port 1/2, mark the checkbox in the DHCP server active column.
• To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.

enable                                                          Change to the Privileged EXEC mode.
configure                                                       Change to the Configuration mode.
dhcp-server pool add 2 dynamic 192.168.23.92 192.168.23.142     Add a dynamic pool with an IP range from 192.168.23.92 to 192.168.23.142.
dhcp-server pool modify 2 leasetime {seconds | infinite}        Enter the lease time in seconds or infinite.
dhcp-server pool add 3 dynamic 192.168.23.172 192.168.23.180    Add a dynamic pool with an IP range from 192.168.23.172 to 192.168.23.180.
dhcp-server pool modify 3 leasetime {seconds | infinite}        Enter the lease time in seconds or infinite.
dhcp-server pool mode 2                                         Enable the index 2 pool entry.
dhcp-server pool mode 3                                         Enable the index 3 pool entry.
dhcp-server operation                                           Enable the DHCP server globally.
interface 2/1                                                   Change to the interface configuration mode of interface 2/1.
dhcp-server operation                                           Activate the DHCP Server function on this port.

14.2 DHCP L2 Relay

A network administrator uses the DHCP Layer 2 Relay agent to add DHCP client information. This
information is required by Layer 3 Relay agents and DHCP servers to assign an address and
configuration to a client.
When a DHCP client and server are in the same IP subnet, they exchange IP address requests and
replies directly. However, having a DHCP server on each subnet is expensive and often impractical. An
alternative to having a DHCP server in every subnet is to use the network devices to relay packets
between a DHCP client and a DHCP server located in a different subnet.
A Layer 3 Relay agent is generally a router that has IP interfaces in both the client and server subnets
and routes traffic between them. However, in Layer 2 switched networks, there are one or more network
devices, switches for example, between the client and the Layer 3 Relay agent or DHCP server. In this
case, this device provides a Layer 2 Relay agent to add the information that the Layer 3 Relay agent
and DHCP server require to perform their roles in address and configuration assignment.
The following list contains the default settings for this function:
• Global setting:
  – Active setting: disable
• Interface settings:
  – Active setting: disable
  – Trusted Port: disable
• VLAN settings:
  – Active setting: disable
  – Circuit ID: enable
  – Remote ID Type: mac
  – Remote ID: blank

14.2.1 Circuit and Remote IDs


Before forwarding the request of a client to the DHCP server, the device adds the Circuit ID and the
Remote ID to the Option 82 field of the DHCP request packet.
• The Circuit ID stores on which port the device received the request of the client.
• The Remote ID contains the MAC address, the IP address, the system name, or a user-defined
  character string. Using it, the participating devices identify the relay agent that received the request
  of the client.
The device and other relay agents use this information to re-direct the answer from the DHCP relay
agent to the original client. The DHCP server is able to analyze this data, for example, to assign the client
an IP address from a specific address pool.

Also, the reply packet of the DHCP server contains the Circuit ID and the Remote ID. Before
forwarding the answer to the client, the device removes the information from the Option 82 field.

14.2.2 DHCP L2 Relay configuration


The Advanced > DHCP L2 Relay > Configuration dialog allows you to activate the function on the
active ports and on the VLANs.
The device forwards DHCP packets with Option 82 information on those ports for which the checkbox
in the DHCP L2 Relay column and in the Trusted port column is marked. Typically, these are ports
in the network of the DHCP server.
On the ports to which the DHCP clients are connected, activate the DHCP L2 Relay function, but leave
the Trusted port checkbox unmarked. On these ports, the device discards DHCP packets with
Option 82 information.
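
The trusted-port rule and the Option 82 handling described above, as an added Python model (not HiOS code). Sub-option codes 1 and 2 follow RFC 3046; the Circuit ID and Remote ID byte values, the client MAC address and all function names are constructed for the illustration, and forwarding a request unchanged on a trusted port is a simplifying assumption.

```python
import struct

MAGIC = bytes([99, 130, 83, 99])      # DHCP magic cookie at offset 236
PAD, END, RELAY_AGENT_INFO = 0, 255, 82
CIRCUIT_ID, REMOTE_ID = 1, 2          # Option 82 sub-option codes (RFC 3046)


def parse_options(payload):
    """Return the DHCP options of a BOOTP payload as a list of (code, value)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = [], 240
    while i < len(payload) and payload[i] != END:
        if payload[i] == PAD:
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated DHCP option")
        opts.append((payload[i], payload[i + 2:i + 2 + payload[i + 1]]))
        i += 2 + payload[i + 1]
    return opts


def option82(payload):
    """Return {sub-option code: value} for Option 82, or None when absent."""
    for code, value in parse_options(payload):
        if code != RELAY_AGENT_INFO:
            continue
        subs, i = {}, 0
        while i < len(value):
            if i + 2 > len(value) or i + 2 + value[i + 1] > len(value):
                raise ValueError("truncated Option 82 sub-option")
            subs[value[i]] = value[i + 2:i + 2 + value[i + 1]]
            i += 2 + value[i + 1]
        return subs
    return None


def rebuild(payload, opts):
    """Serialize the fixed BOOTP part plus the given options and an END marker."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in opts)
    return payload[:240] + body + bytes([END])


def relay_request(payload, trusted, circuit_id, remote_id):
    """Client-to-server direction: return the packet to forward, or None to discard."""
    present = option82(payload) is not None
    if trusted:
        return payload        # trusted port: Option 82 from another relay is accepted
    if present:
        return None           # untrusted port: a client-supplied Option 82 is discarded
    info = (bytes([CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([REMOTE_ID, len(remote_id)]) + remote_id)
    return rebuild(payload, parse_options(payload) + [(RELAY_AGENT_INFO, info)])


def relay_reply(payload):
    """Server-to-client direction: remove Option 82 before the client sees it."""
    kept = [(c, v) for c, v in parse_options(payload) if c != RELAY_AGENT_INFO]
    return rebuild(payload, kept)


def constructed_discover(extra=b""):
    """Constructed DHCPDISCOVER; 'extra' lets a caller append raw options."""
    head = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234ABCD, 0, 0,
                       bytes(4), bytes(4), bytes(4), bytes(4),
                       bytes.fromhex("020000000001"), b"", b"")
    return head + MAGIC + bytes([53, 1, 1]) + extra + bytes([END])


if __name__ == "__main__":
    tagged = relay_request(constructed_discover(), False, b"1/1", bytes([192, 0, 2, 10]))
    print(option82(tagged))
    spoofed = constructed_discover(bytes([82, 5, 1, 3]) + b"9/9")
    print(relay_request(spoofed, False, b"1/1", bytes([192, 0, 2, 10])))
```

Because the DHCP server may select the address pool from these values, leaving client ports untrusted keeps a client from supplying its own Circuit ID or Remote ID.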
Figure 70: DHCP Layer 2 Example Network (diagram with DHCP Client, Switch 1, Switch 2 and DHCP Server)

Perform the following steps on Switch 1:

• Open the Advanced > DHCP L2 Relay > Configuration dialog, Interface tab.
• For port 1/1, specify the settings as follows:
  – Mark the checkbox in the Active column.
• For port 1/2, specify the settings as follows:
  – Mark the checkbox in the Active column.
  – Mark the checkbox in the Trusted port column.
• Open the Advanced > DHCP L2 Relay > Configuration dialog, VLAN tab.
• Specify the settings for VLAN 2 as follows:
  – Mark the checkbox in the Active column.
  – Mark the checkbox in the Circuit ID column.
  – To use the IP address of the device as the Remote ID, in the Remote ID type column, specify the value ip.
• To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.

Perform the following steps on Switch 2:

• Open the Advanced > DHCP L2 Relay > Configuration dialog, Interface tab.
• For port 1/1 and 1/2, specify the settings as follows:
  – Mark the checkbox in the Active column.
  – Mark the checkbox in the Trusted port column.
• To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.

Verify that VLAN 2 is present, then perform the following steps on Switch 1:
• Configure VLAN 2, and specify port 1/1 as a member of VLAN 2.

enable                         Change to the Privileged EXEC mode.
vlan database                  Change to the VLAN configuration mode.
dhcp-l2relay circuit-id 2      Activate the Circuit ID and the DHCP Option 82 on VLAN 2.
dhcp-l2relay remote-id ip 2    Specify the IP address of the device as the Remote ID on VLAN 2.
dhcp-l2relay mode 2            Activate the DHCP L2 Relay function on VLAN 2.
exit                           Change to the Privileged EXEC mode.
configure                      Change to the Configuration mode.
interface 1/1                  Change to the interface configuration mode of interface 1/1.
dhcp-l2relay mode              Activate the DHCP L2 Relay function on the port.
exit                           Change to the Configuration mode.
interface 1/2                  Change to the interface configuration mode of interface 1/2.
dhcp-l2relay trust             Specify the port as Trusted port.
dhcp-l2relay mode              Activate the DHCP L2 Relay function on the port.
exit                           Change to the Configuration mode.
dhcp-l2relay mode              Enable the DHCP L2 Relay function on the device.

Perform the following steps on Switch 2:

enable                Change to the Privileged EXEC mode.
configure             Change to the Configuration mode.
interface 1/1         Change to the interface configuration mode of interface 1/1.
dhcp-l2relay trust    Specify the port as Trusted port.
dhcp-l2relay mode     Activate the DHCP L2 Relay function on the port.
exit                  Change to the Configuration mode.
interface 1/2         Change to the interface configuration mode of interface 1/2.
dhcp-l2relay trust    Specify the port as Trusted port.
dhcp-l2relay mode     Activate the DHCP L2 Relay function on the port.
exit                  Change to the Configuration mode.
dhcp-l2relay mode     Enable the DHCP L2 Relay function on the device.

14.3 Using the device as a DNS client

The Domain Name System (DNS) client queries DNS servers to resolve host names and IP addresses
of network devices. Much like a telephone book, the DNS client converts names of devices into IP
addresses. When the DNS client receives a request to resolve a new name it first queries its internal
static database, then the assigned DNS servers for the information. The DNS client saves the queried
information in a cache for future requests. The device offers the possibility to configure the DNS client
from the DHCP server using the management VLAN. The device also offers you the possibility to assign
host names to IP addresses statically.
The DNS client provides the following user functions:
• DNS server list, with space for 4 domain name server IP addresses
• static hostname to IP address mapping, with space for 64 configurable static hosts
• host cache, with space for 128 entries

14.3.1 Configuring a DNS server example


Name the DNS client and configure it to query a DNS server to resolve host names.
Perform the following steps:
• Open the Advanced > DNS > Client > Static dialog.
• In the Configuration frame, Configuration source field, specify the value user.
• In the Configuration frame, Domain name field, specify the value device1.
• To add a table entry, click the button.
• In the Address column, specify the value 10.1.3.5 as the IP address of the DNS server.
• Mark the checkbox in the Active column.
• Open the Advanced > DNS > Client > Global dialog.
• To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.

enable                                  Change to the Privileged EXEC mode.
configure                               Change to the Configuration mode.
dns client source user                  Specify that the user manually configures the DNS client settings.
dns client domain-name device1          Specify the string device1 as a unique domain name for the device.
dns client servers add 1 ip 10.1.3.5    Add a DNS name server with an IP address of 10.1.3.5 as index 1.
dns client adminstate                   Enable the DNS Client function globally.

Configure the DNS client to map static hosts with IP addresses.

Perform the following steps:
• Open the Advanced > DNS > Client > DNS Client Static Hosts dialog.
• To add a table entry, click the button.
• In the Name column, enter the value example.com.
  This is a name of a device in the network.
• In the IP address column, specify the value 10.1.3.9.
• Mark the checkbox in the Active column.
• To save the changes temporarily, click the button.

enable                                               Change to the Privileged EXEC mode.
configure                                            Change to the Configuration mode.
dns client host add 1 name example.com ip 10.1.3.9   Add example.com as a static host with an IP address of 10.1.3.9.
dns client adminstate                                Enable the DNS Client function globally.

14.4 GARP

The Generic Attribute Registration Protocol (GARP) is defined by the IEEE to provide a generic
framework so switches can register and deregister attribute values, such as VLAN identifiers and
Multicast group membership.
When an attribute for a participant is registered or deregistered according to the GARP function, the
participant is modified according to specific rules. The participants are a set of reachable end stations
and network devices. The defined set of participants at any given time, along with their attributes, is the
reachability tree for the subset of the network topology. The device forwards the data frames only to the
registered end stations. The station registration helps to prevent attempts to send data to the end
stations that are unreachable.

14.4.1 Configuring GMRP


The GARP Multicast Registration Protocol (GMRP) is a Generic Attribute Registration Protocol (GARP)
application that provides a mechanism allowing network devices and end stations to dynamically register
group membership. The devices register group membership information with the devices attached to the
same LAN segment. The GARP function also allows the devices to disseminate the information across the
network devices that support extended filtering services.

Note: Before you enable the GMRP function, verify that the MMRP function is disabled.

The following example describes the configuration of the GMRP function. The device provides a
constrained multicast flooding facility on a selected port.
Perform the following steps:
• Open the Switching > GARP > GMRP dialog.
• To provide constrained Multicast Flooding on a port, mark the checkbox in the GMRP active
  column.
• To save the changes temporarily, click the button.

enable                 Change to the Privileged EXEC mode.
configure              Change to the Configuration mode.
interface 1/1          Change to the interface configuration mode of interface 1/1.
garp gmrp operation    Enable the GMRP function on the port.
exit                   Change to the Configuration mode.
garp gmrp operation    Enable the GMRP function globally.

14.4.2 Configuring GVRP


You use the GVRP function to allow the device to exchange VLAN configuration information with other
GVRP devices, thus reducing unnecessary Broadcast and unknown Unicast traffic. In addition, the GVRP
function dynamically creates and manages VLANs on devices connected through 802.1Q trunk ports.
The following example describes the configuration of the GVRP function. The device allows you to
exchange VLAN configuration information with other GVRP devices.
Perform the following steps:
• Open the Switching > GARP > GVRP dialog.
• To exchange VLAN configuration information with other GVRP devices, mark the checkbox in the
  GVRP active column for the port.
• To save the changes temporarily, click the button.

enable                 Change to the Privileged EXEC mode.
configure              Change to the Configuration mode.
interface 3/1          Change to the interface configuration mode of interface 3/1.
garp gvrp operation    Enable the GVRP function on the port.
exit                   Change to the Configuration mode.
garp gvrp operation    Enable the GVRP function globally.

14.5 MRP-IEEE

The IEEE 802.1ak amendment to the IEEE 802.1Q standard introduced the Multiple Registration
Protocol (MRP) to replace the Generic Attribute Registration Protocol (GARP). The IEEE also modified
and replaced the GARP applications, GARP Multicast Registration Protocol (GMRP) and GARP VLAN
Registration Protocol (GVRP), with the Multiple MAC Registration Protocol (MMRP) and the Multiple VLAN
Registration Protocol (MVRP).
To confine traffic to the required areas of a network, the MRP applications distribute attribute values to
MRP enabled devices across a LAN. The MRP applications register and de-register Multicast group
memberships and VLAN identifiers.

Note: The Multiple Registration Protocol (MRP) requires a loop free network. To help prevent loops in
your network, use a network protocol such as the Media Redundancy Protocol, Spanning Tree Protocol,
or Rapid Spanning Tree Protocol with MRP.

14.5.1 MRP operation


Each participant contains an applicant component and an MRP Attribute Declaration (MAD) component.
The applicant component is responsible for forming the attribute values and their registration and de-
registration. The MAD component generates MRP messages for transmission and processes
messages received from other participants. The MAD component encodes and transmits the attributes
to other participants in MRP Data Units (MRPDU). In the switch, an MRP Attribute Propagation (MAP)
component distributes the attributes to participating ports.
A participant exists for each MRP application and each LAN port. For example, a participant application
exists on an end device and another application exists on a switch port. The Applicant state machine
records the attribute and port for each MRP participant declaration on an end device or switch. Applicant
state machine variable changes trigger the transmission of MRPDUs to communicate the declaration or
withdrawal.
To establish an MMRP instance, an end device first sends a Join empty (JoinMt) message with the
appropriate attributes. The switch then floods the JoinMt to the participating ports and to the neighboring
switches. The neighboring switches flood the message to their participating port, and so on, establishing
a path for the group traffic.

14.5.2 MRP timers


The default timer settings help prevent unnecessary attribute declarations and withdrawals. The timer
settings allow the participants to receive and process MRP messages before the Leave or LeaveAll
timers expire.
Maintain the following relationships when you reconfigure the timers:
• To allow for re-registration after a Leave or LeaveAll event, even if there is a lost message, set the
  value of the LeaveTime as follows: LeaveTime ≥ (2 × JoinTime) + 60, in units of 1/100 s
• To minimize the volume of rejoining traffic generated following a LeaveAll, specify the value for the
  LeaveAll timer larger than the LeaveTime.

The following list contains various MRP events that the device transmits:
• Join - Controls the interval for the next Join message transmission
• Leave - Controls the length of time that a switch waits in the Leave state before changing to the
  withdraw state
• LeaveAll - Controls the frequency with which the switch generates LeaveAll messages

The Periodic timer, when expired, initiates a Join request MRP message that the switch sends to
participants on the LAN. The switches use this message to prevent unnecessary withdrawals.

14.5.3 MMRP
When a device receives Broadcast, Multicast or unknown traffic on a port, the device floods the traffic
to the other ports. This process causes unnecessary use of bandwidth on the LAN.
The Multiple MAC Registration Protocol (MMRP) allows you to control the traffic flooding by distributing
an attribute declaration to participants on a LAN. The attribute values that the MAD component encodes
and transmits on the LAN in MRP messages are Group service requirement information and 48-bit MAC
addresses.
The switch stores the attributes in a filtering database as MAC address registration entries. The
forwarding process uses the filtering database entries solely to transmit data through those ports
necessary to reach Group member LANs.
Switches facilitate the group distribution mechanisms based on the Open Host Group concept, receiving
packets on the active ports and forwarding exclusively on ports with group members. This way, any MMRP
participant requiring packets transmitted to a particular group or groups requests membership in the
group. MAC service users send packets to a particular group from anywhere on the LAN. A group
receives these packets on the LANs attached to registered MMRP participants. MMRP and the MAC
Address Registration Entries thus restrict the packets to required segments of a loop-free LAN.
In order to maintain the registration and deregistration state and to receive traffic, a port declares interest
periodically. Every device on a LAN with the MMRP function enabled maintains a filtering database and
forwards traffic having the group MAC addresses to listed participants.

MMRP example
In this example, Host A intends to listen to traffic destined to group G1. Switch A processes the MMRP
Join request received from host A and sends the request to both of the neighboring switches. The
devices on the LAN now recognize that there is a host interested in receiving traffic destined for group
G1. When Host B starts transmitting data destined for group G1, the data flows on the path of
registrations and Host A receives it.

Figure 71: MMRP Network for MAC address Registration (diagram with Host A, Switch 1, Switch 2, Switch 3, Host B and Ports 1 to 6; arrows labelled "MMRP Join G1 Request" and "Multicast Traffic for G1")

To enable the MMRP function on the switches, proceed as follows.


Perform the following steps:
 Open the Switching > MRP-IEEE > MMRP dialog, Configuration tab.
 To activate port 1 and port 2 as MMRP participants, mark the checkbox in the MMRP column for
port 1 and port 2 on switch 1.
 To activate port 3 and port 4 as MMRP participants, mark the checkbox in the MMRP column for
port 3 and port 4 on switch 2.
 To activate port 5 and port 6 as MMRP participants, mark the checkbox in the MMRP column for
port 5 and port 6 on switch 3.
 To send periodic events allowing the device to maintain the registration of the MAC address
group, enable the Periodic state machine. Select the On radio button in the
Configuration frame.
 To save the changes temporarily, click the button.

To enable the MMRP ports on switch 1, use the following CLI commands. Substituting the appropriate
interfaces in the CLI commands, enable the MMRP functions and ports on switches 2 and 3.
enable                                Change to the Privileged EXEC mode.
configure                             Change to the Configuration mode.
interface 1/1                         Change to the interface configuration mode of interface 1/1.
mrp-ieee mmrp operation               Enabling the MMRP function on the port.
interface 1/2                         Change to the interface configuration mode of interface 1/2.
mrp-ieee mmrp operation               Enabling the MMRP function on the port.
exit                                  Change to the Configuration mode.
mrp-ieee mrp periodic-state-machine   Enabling the Periodic state machine function globally.
mrp-ieee mmrp operation               Enabling the MMRP function globally.


14.5.4 MVRP
The Multiple VLAN Registration Protocol (MVRP) is an MRP application that provides dynamic VLAN
registration and withdrawal services on a LAN.
The MVRP function provides a maintenance mechanism for the Dynamic VLAN Registration Entries, and
for transmitting the information to other devices. This information allows MVRP-aware devices to
establish and update their VLAN membership information. When members are present on a VLAN, the
information indicates through which ports the switch forwards traffic to reach those members.
The main purpose of the MVRP function is to allow switches to discover some of the VLAN information
that you otherwise manually set up. Discovering this information allows switches to overcome the
limitations of bandwidth consumption and convergence time in large VLAN networks.

 MVRP example
Set up a network comprised of MVRP-aware switches (1 - 4) connected in a ring topology with end
device groups, A1, A2, B1, and B2 in 2 different VLANs, A and B. With STP enabled on the switches,
the ports connecting switch 1 to switch 4 are in the discarding state, preventing a loop condition.

[Figure labels: Switch 1 to Switch 4; Port 1 to Port 8; end device groups A1, A2, B1, B2; VLAN A Registrations; VLAN A Join Requests; VLAN B Registrations; VLAN B Join Requests]
Figure 72: MVRP Example Network for VLAN Registration


In the MVRP example network, the LANs first send a Join request to the switches. The switch enters
the VLAN registration in the forwarding database for the port receiving the frames.
The switch then propagates the request to the other ports, and sends the request to the neighboring
LANs and switches. This process continues until the switches have registered the VLANs in the
forwarding database of the receive port.
To enable MVRP on the switches, use the following steps.
 Open the Switching > MRP-IEEE > MVRP dialog, Configuration tab.
 To activate the ports 1 through 3 as MVRP participants, mark the checkbox in the MVRP column
for the ports 1 through 3 on switch 1.
 To activate the ports 2 through 4 as MVRP participants, mark the checkbox in the MVRP column
for the ports 2 through 4 on switch 2.
 To activate the ports 3 through 6 as MVRP participants, mark the checkbox in the MVRP column
for the ports 3 through 6 on switch 3.
 To activate port 7 and port 8 as MVRP participants, mark the checkbox in the MVRP column for
port 7 and port 8 on switch 4.
 To maintain the registration of the VLANs, enable the Periodic state machine.
Select the On radio button in the Configuration frame.


 To enable the function, select the On radio button in the Operation frame.
 To save the changes temporarily, click the button.

To enable the MVRP ports on switch 1, use the following CLI commands. Substituting the appropriate
interfaces in the CLI commands, enable the MVRP functions and ports on switches 2, 3 and 4.
enable                                Change to the Privileged EXEC mode.
configure                             Change to the Configuration mode.
interface 1/1                         Change to the interface configuration mode of interface 1/1.
mrp-ieee mvrp operation               Enabling the MVRP function on the port.
interface 1/2                         Change to the interface configuration mode of interface 1/2.
mrp-ieee mvrp operation               Enabling the MVRP function on the port.
exit                                  Change to the Configuration mode.
mrp-ieee mvrp periodic-state-machine  Enabling the Periodic state machine function globally.
mrp-ieee mvrp operation               Enabling the MVRP function globally.


14.6 CLI client

The device supports a CLI client that directly opens a connection to the SSH server using the TCP Port
specified in the Device Security > Management Access > Server dialog, SSH tab. The CLI client
allows you to configure the device using CLI commands.
The prerequisite to using the CLI client is that you enable the function in the Device Security >
Management Access > Server dialog, SSH tab.

For detailed information on CLI commands, review the “Command Line Interface” reference manual.


15 Industry Protocols

For a long time, automation communication and office communication were on different paths. The
requirements and the communication properties were too different.
Office communication moves large quantities of data with low demands with respect to the transfer time.
Automation communication moves small quantities of data with high demands with respect to the
transfer time and availability.
While the transmission devices in the office are usually kept in temperature-controlled, relatively clean
rooms, the transmission devices used in automation are exposed to wider temperature ranges. Dirty,
dusty and damp ambient conditions make additional demands on the quality of the transmission
devices.

With the continued development of communication technology, the demands and the communication
properties have moved closer together. The high bandwidths now available in Ethernet technology and
the protocols they support enable large quantities to be transferred and exact transfer times to be
specified.

With the creation of the first optical LAN to be active worldwide, at the University of Stuttgart in 1984,
Hirschmann laid the foundation for industry-compatible office communication devices. Thanks to
Hirschmann's initiative with the world's first rail hub in the 1990s, Ethernet transmission devices such as
switches, routers and firewalls are now available for the toughest automation conditions.

The desire for uniform, continuous communication structures encouraged many manufacturers of
automation devices to come together and use standards to aid the progress of communication
technology in the automation sector. This is why we now have protocols that enable us to communicate
via Ethernet from the office right down to the field level.

[Figure labels: Input, Output, Ethernet]
Figure 73: Example of communication.


15.1 IEC 61850/MMS

IEC 61850/MMS is an industrial communication protocol standardized by the International
Electrotechnical Commission (IEC). The protocol is to be found in substation automation, for example
in the control technology of energy suppliers.
This protocol, which works in a packet-oriented way, is based on the TCP/IP transport protocol and uses
the Manufacturing Messaging Specification (MMS) for the client-server communication. The protocol is
object-oriented and defines a standardized configuration language that comprises, among other things,
functions for SCADA, Intelligent Electronic Devices (IED) and for the network control technology.
Part 6 of the IEC 61850 standard defines the configuration language SCL (Substation Configuration
Language). SCL describes the properties of the device and the system structure in an automatically
processable form. The properties of the device described with SCL are stored in the ICD file on the
device.

15.1.1 Switch model for IEC 61850


The Technical Report, IEC 61850 90-4, specifies a bridge model. The bridge model represents the
functions of a switch as objects of an Intelligent Electronic Device (IED). An MMS client (for example the
control room software) uses these objects to monitor and configure the device.

[Figure labels: Physical Device; Logical Device; the logical nodes listed in Table 41; Port Number 1 to 4; ports A and B as paired redundant ports]
Figure 74: Bridge model based on Technical Report IEC 61850 90-4

Class     Description
LN LLN0   Zero logical node of the Bridge IED: Defines the logical properties of the device.
LN LPHD   Physical Device logical node of the Bridge IED: Defines the physical properties of the device.
LN LBRI   Bridge logical node: Represents general settings of the bridge functions of the device.
LN LCCH   Communication Channel logical node: Defines the logical Communication Channel that consists of one or more physical device ports.
LN LCCF   Channel Communication Filtering logical node: Defines the VLAN and Multicast settings for the higher-level Communication Channel.
LN LBSP   Port Spanning Tree Protocol logical node: Defines the Spanning Tree statuses and settings for the respective physical device port.
LN LPLD   Port Layer Discovery logical node: Defines the LLDP statuses and settings for the respective physical device port.
LN LPCP   Physical Communication Port logical node: Represents the respective physical device port.
Table 41: Classes of the bridge model based on TR IEC61850 90-4

15.1.2 Integration into a Control System

 Preparation of the device.


 Check that the device has an IP address assigned.
 Open the Advanced > Industrial Protocols > IEC61850-MMS dialog.

 To start the MMS server, select the On radio button in the Operation frame, and click the button.
Afterwards, an MMS client is able to connect to the device and to read and monitor the objects
defined in the bridge model.

NOTICE
RISK OF UNAUTHORIZED ACCESS TO THE DEVICE
IEC61850/MMS does not provide any authentication mechanisms. If the write access for IEC61850/
MMS is activated, every client that can access the device using TCP/IP is capable of changing the
settings of the device. This in turn can result in an incorrect configuration of the device and in failures
in the network.
Only activate the write access if you have taken additional measures (for example Firewall, VPN,
etc.) to eliminate the risk of unauthorized access.
Failure to follow these instructions can result in equipment damage.

 To allow the MMS client to change the settings, mark the Write access checkbox, and click the
button.


 Offline configuration
The device allows you to download the ICD file using the graphical user interface. This file contains
the properties of the device described with SCL and enables you to configure the substation without
directly connecting to the device.
 Open the Advanced > Industrial Protocols > IEC61850-MMS dialog.

 To load the ICD file to your PC, click the button and then the Download item.

 Monitoring the device


The IEC61850/MMS server integrated into the device allows you to monitor multiple statuses of the
device by means of the Report Control Block (RCB). Up to 5 MMS clients can register for a Report
Control Block at the same time.
The device allows the following statuses to be monitored:

Class     RCB object    Description
LN LPHD   TmpAlm        Changes when the temperature measured in the device exceeds or falls below the set temperature thresholds.
          PhyHealth     Changes when the status of the LPHD.TmpAlm RCB object changes.
LN LPHD   TmpAlm        Changes when the temperature measured in the device exceeds or falls below the set temperature thresholds.
          PwrSupAlm     Changes when 1 of the redundant power supplies fails or starts operating again.
          PhyHealth     Changes when the status of the LPHD.PwrSupAlm or LPHD.TmpAlm RCB object changes.
LN LBRI   RstpRoot      Changes when the device takes over or relinquishes the role of the root bridge.
          RstpTopoCnt   Changes when the topology changes due to a change of the root bridge.
LN LCCH   ChLiv         Changes when the link status of the physical port changes.
LN LPCP   PhyHealth     Changes when the link status of the physical port changes.
Table 42: Statuses of the device that can be monitored with IEC 61850/MMS


15.2 Modbus TCP

Modbus TCP is an application layer messaging protocol providing client/server communication between
the client and devices connected in Ethernet TCP/IP networks.
The Modbus TCP function allows you to install the device in networks already using Modbus TCP and
retrieve information saved in the registers in the device.

15.2.1 Client/Server Modbus TCP/IP Mode


The device supports the client/server model of Modbus TCP/IP. This device operates as a server in this
constellation and responds to requests from a client for information saved in the registers. The client /
server model uses four types of messages to exchange data between the client and server:

[Figure labels: Modbus Client, Modbus Server; Request, Indication, Response, Confirmation]
Figure 75: Client/Server Modbus TCP/IP Mode

 Modbus TCP/IP Request, the client creates a request for information and sends it to the server.
 Modbus TCP/IP Indication, the server receives a request as an indication that a client requires
information.
 Modbus TCP/IP Response, when the required information is available, the server sends a reply
containing the requested information. When the requested information is unavailable, the server
sends an Exception Response to notify the client of the error detected during the processing. The
Exception Response contains an exception code indicating the reason for the detected error.
 Modbus TCP/IP Confirmation, the client receives a response from the server, containing the
requested information.


15.2.2 Supported Functions and Memory Mapping


The device supports functions with the public codes 0x03 Read Holding Registers and 0x05 Write
Single Coil. The codes allow the user to read information saved in the registers such as the system
information, including the system name, system location, software version, IP address, MAC address.
The codes also allow the user to read the port information and port statistics. The 0x05 code allows the
user to reset the port counters individually or globally.
The following list contains definitions for the values entered in the Format column:
 Bitmap: a group of 32-bits, encoded into the Big-endian byte order and saved in 2 registers. Big-
endian systems save the most significant byte of a word in the smallest address and save the least
significant byte in the largest address.
 F1: 16-bit unsigned integer
 F2: Enumeration - power supply alarm
– 0 = power supply good
– 1 = power supply failure detected
 F3: Enumeration - OFF/ON
– 0 = Off
– 1 = On
 F4: Enumeration - port type
– 0 = Giga - Gigabit Interface Converter (GBIC)
– 1 = Copper - Twisted Pair (TP)
– 2 = Fiber - 10 Mb/s
– 3 = Fiber - 100 Mb/s
– 4 = Giga - 10/100/1000 Mb/s (triple speed)
– 5 = Giga - Copper 1000 Mb/s TP
– 6 = Giga - Small Form-factor Pluggable (SFP)
 F9: 32-bit unsigned long
 String: octets, saved in sequence, 2 octets per register.

 Modbus TCP/IP Codes


The table below lists addresses that allow the client to reset port counters and retrieve specific
information from the device registers.

 Port Information

Address  Qty  Description              Min  Max  Step  Unit  Format
0400     1    Port 1 Type              0    6    1     -     F4
0401     1    Port 2 Type              0    6    1     -     F4
...
043F     1    Port 64 Type             0    6    1     -     F4
0440     1    Port 1 Link Status       0    1    1     -     F1
0441     1    Port 2 Link Status       0    1    1     -     F1
...
047F     1    Port 64 Link Status      0    1    1     -     F1
0480     1    Port 1 STP State         0    1    1     -     F1
0481     1    Port 2 STP State         0    1    1     -     F1
...
04BF     1    Port 64 STP State        0    1    1     -     F1
04C0     1    Port 1 Activity          0    1    1     -     F1
04C1     1    Port 2 Activity          0    1    1     -     F1
...
04FF     1    Port 64 Activity         0    1    1     -     F1
0500     1    Port 1 Counter Reset     0    1    1     -     F1
0501     1    Port 2 Counter Reset     0    1    1     -     F1
...
053F     1    Port 64 Counter Reset    0    1    1     -     F1
Table 43: Port Information

 Port Statistics

Address  Qty  Description                                        Min  Max         Step  Unit  Format
0800     1    Port1 - Number of bytes received                   0    4294967295  1     -     F9
0802     1    Port1 - Number of bytes sent                       0    4294967295  1     -     F9
0804     1    Port1 - Number of frames received                  0    4294967295  1     -     F9
0806     1    Port1 - Number of frames sent                      0    4294967295  1     -     F9
0808     1    Port1 - Total bytes received                       0    4294967295  1     -     F9
080A     1    Port1 - Total frames received                      0    4294967295  1     -     F9
080C     1    Port1 - Number of broadcast frames received        0    4294967295  1     -     F9
080E     1    Port1 - Number of multicast frames received        0    4294967295  1     -     F9
0810     1    Port1 - Number of frames with CRC error            0    4294967295  1     -     F9
0812     1    Port1 - Number of oversized frames received        0    4294967295  1     -     F9
0814     1    Port1 - Number of bad fragments rcvd (<64 bytes)   0    4294967295  1     -     F9
0816     1    Port1 - Number of jabber frames received           0    4294967295  1     -     F9
0818     1    Port1 - Number of collisions occurred              0    4294967295  1     -     F9
081A     1    Port1 - Number of late collisions occurred         0    4294967295  1     -     F9
081C     1    Port1 - Number of 64-byte frames rcvd/sent         0    4294967295  1     -     F9
081E     1    Port1 - Number of 65-127 byte frames rcvd/sent     0    4294967295  1     -     F9
0820     1    Port1 - Number of 128-255 byte frames rcvd/sent    0    4294967295  1     -     F9
0822     1    Port1 - Number of 256-511 byte frames rcvd/sent    0    4294967295  1     -     F9
0824     1    Port1 - Number of 512-1023 byte frames rcvd/sent   0    4294967295  1     -     F9
0826     1    Port1 - Number of 1023-MAX byte frames rcvd/sent   0    4294967295  1     -     F9
0828     1    Port1 - Number of Mac Error Packets                0    4294967295  1     -     F9
082A     1    Port1 - Number of dropped received packets         0    4294967295  1     -     F9
082C     1    Port1 - Number of multicast frames sent            0    4294967295  1     -     F9
082E     1    Port1 - Number of broadcast frames sent            0    4294967295  1     -     F9
0830     1    Port1 - Number of <64 byte fragments w/ good CRC   0    4294967295  1     -     F9
...
147E     1    Port64 - Number of <64 byte fragments w/ good CRC  0    4294967295  1     -     F9
Table 44: Port Statistics
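
The following added example (not part of the manual) builds a 0x03 Read Holding Registers request for the register map above and decodes the reply, including the Exception Response. The unit identifier, the most-significant-word-first order for F9, the high-byte-first order for String, the per-port stride and the sample frames are assumptions or constructed values.

```python
import struct

READ_HOLDING_REGISTERS = 0x03
PORT_STATS_BASE = 0x0800   # first Port1 counter in Table 44
# Assumption derived from Table 44: 25 counters x 2 registers per port, which
# places the last Port64 counter (offset 0x30) at 0x147E as the table lists.
PORT_STATS_STRIDE = 0x32

# Format F4 (port type) as enumerated on this page.
PORT_TYPES = {
    0: "Giga - GBIC", 1: "Copper - TP", 2: "Fiber - 10 Mb/s",
    3: "Fiber - 100 Mb/s", 4: "Giga - 10/100/1000 Mb/s",
    5: "Giga - Copper 1000 Mb/s TP", 6: "Giga - SFP",
}


class ModbusExceptionResponse(Exception):
    """The server answered with an Exception Response instead of data."""

    def __init__(self, function, code):
        super().__init__(f"function 0x{function:02X} rejected, exception code 0x{code:02X}")
        self.function, self.code = function, code


def stat_address(port, offset):
    """Register address of a port counter; offset is 0x00..0x30 in steps of 2."""
    if not 1 <= port <= 64 or offset % 2 or not 0 <= offset <= 0x30:
        raise ValueError("port or counter offset outside the documented table")
    return PORT_STATS_BASE + (port - 1) * PORT_STATS_STRIDE + offset


def build_read_request(transaction_id, address, quantity, unit_id=1):
    """Return the Modbus TCP frame: MBAP header followed by the 0x03 PDU."""
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, address, quantity)
    # MBAP: transaction id, protocol id (0), length of unit id + PDU, unit id.
    # unit_id=1 is an assumption; the page does not state a unit identifier.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_read_response(frame, transaction_id, quantity):
    """Validate a response frame and return its 16-bit registers as a list."""
    if len(frame) < 9:
        raise ValueError("truncated frame")
    tid, protocol, length, _unit = struct.unpack(">HHHB", frame[:7])
    if tid != transaction_id or protocol != 0:
        raise ValueError("unexpected transaction or protocol id")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match the frame size")
    function = frame[7]
    if function & 0x80:  # high bit set marks an Exception Response
        raise ModbusExceptionResponse(function & 0x7F, frame[8])
    if function != READ_HOLDING_REGISTERS:
        raise ValueError("unexpected function code")
    data = frame[9:]
    if frame[8] != 2 * quantity or len(data) != frame[8]:
        raise ValueError("byte count does not match the requested quantity")
    return list(struct.unpack(f">{quantity}H", data))


def decode_f9(registers):
    """F9: 32-bit unsigned value in 2 registers (assumed high word first)."""
    high, low = registers
    return (high << 16) | low


def decode_f4(register):
    """F4: port type enumeration."""
    return PORT_TYPES.get(register, f"unknown ({register})")


def decode_string(registers):
    """String: 2 octets per register (assumed high byte first), NUL padded."""
    raw = b"".join(struct.pack(">H", r) for r in registers)
    return raw.rstrip(b"\x00").decode("ascii", errors="replace")


# Constructed sample frames, not captured from a device.
SAMPLE_COUNTER_RESPONSE = bytes.fromhex("000100000007010304000f4240")
SAMPLE_EXCEPTION_RESPONSE = bytes.fromhex("000200000003018302")

if __name__ == "__main__":
    request = build_read_request(1, stat_address(1, 0x00), 2)
    print("request :", request.hex())
    registers = parse_read_response(SAMPLE_COUNTER_RESPONSE, 1, 2)
    print("Port1 bytes received:", decode_f9(registers))
    try:
        parse_read_response(SAMPLE_EXCEPTION_RESPONSE, 2, 2)
    except ModbusExceptionResponse as exc:
        print("server refused:", exc)
```
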

15.2.3 Example Configuration


In this example, you configure the device to respond to client requests. The prerequisite for this
configuration is that the client device is configured with an IP address within the given range. The Write
access function remains inactive for this example. When you activate the Write access function, the
device allows you to reset the port counters only. In the default configuration the Modbus TCP and Write
access functions are inactive.

NOTICE
RISK OF UNAUTHORIZED ACCESS TO THE DEVICE
The Modbus TCP protocol does not provide any authentication mechanisms. If the write access for
Modbus TCP is activated, every client that can access the device using TCP/IP is capable of
changing the settings of the device. This in turn can result in an incorrect configuration of the device
and in failures in the network.
Only activate the write access if you have taken additional measures (for example Firewall, VPN,
etc.) to eliminate the risk of unauthorized access.
Failure to follow these instructions can result in equipment damage.

 Open the Device Security > Management Access > IP Access Restriction dialog.
 To add a table entry, click the button.
 Specify the IP address range, in Index row 2, enter 10.17.1.0/29 in the IP address range
column.
 Verify that the Modbus TCP function is activated.
 To activate the range, mark the Active checkbox.
 Open the Diagnostics > Status Configuration > Security Status > Global dialog.
 Verify that the Modbus TCP active checkbox contains a mark.
 Open the Advanced > Industrial Protocols > Modbus TCP dialog.
 The standard Modbus TCP listening port, port 502, is the default value. However, if you wish
to listen on another TCP port, enter the value for the listening port in the TCP port field.
 To enable the function, select the On radio button in the Operation frame.
When you enable the Modbus TCP function, the Security Status function detects the activation
and displays an alarm in the Basic Settings > System dialog, Security status frame.


enable                                                Change to the Privileged EXEC mode.
network management access add 2                       Creates the entry for the address range in the network. Number of the next available index in this example: 2.
network management access modify 2 ip 10.17.1.0       Specifies the IP address.
network management access modify 2 mask 29            Specifies the netmask.
network management access modify 2 modbus-tcp enable  Specifies that Modbus TCP is allowed to have management access.
network management access operation                   Enables the IP access restriction.
configure                                             Change to the Configuration mode.
security-status monitor modbus-tcp-enabled            Specifies that the device monitors the activation of the Modbus TCP server.
modbus-tcp operation                                  Activates the Modbus TCP server.
modbus-tcp port <1..65535>                            Specify the TCP port for Modbus TCP communication (optionally). The default value is port 502.
show modbus-tcp                                       Display the Modbus TCP Server settings.
Modbus TCP/IP server settings
--------------------------
Modbus TCP/IP server operation................enabled
Write-access..................................disabled
Listening port................................502
Max number of sessions........................5
Active sessions...............................0
show security-status monitor                          Display all security-status settings.
Device Security Settings
Monitor
----------------------------------
Password default settings unchanged...........monitored
...
Write access using HiDiscovery is possible....monitored
Loading unencrypted configuration from ENVM...monitored
IEC 61850 MMS is enabled......................monitored
Modbus TCP/IP server active...................monitored
show security-status event                            Display occurred security status events.
Time stamp Event Info
-------------------- ----------------------- ------
2014-01-01 01:00:39 password-change(10) -
....................................................
2014-01-01 01:00:39 ext-nvm-load-unsecure(21) -
2014-01-01 23:47:40 modbus-tcp-enabled(23) -
show network management access rules 1                Display the restricted management access rules for index 1.
Restricted management access settings
-------------------------------------
Index.......................................1
IP Address..................................10.17.1.0
Prefix Length...............................29
HTTP........................................yes
SNMP........................................yes
Telnet......................................yes
SSH.........................................yes
HTTPS.......................................yes
IEC61850-MMS................................yes
Modbus TCP/IP...............................yes
Active......................................[x]
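
The following added example (not Hirschmann code) checks the show modbus-tcp and show network management access rules output from this section against the two conditions the NOTICE names: activated write access, and which clients can reach the protocols without authentication. The function names, the finding codes and the two short "constructed" outputs are assumptions made for illustration.

```python
import ipaddress
import re

# "Key.....value" lines as printed by the show commands on this page.
DOTTED = re.compile(r"^(?P<key>.+?)\.{2,}(?P<value>.*)$")
# Protocols this page describes as providing no authentication mechanism.
UNAUTHENTICATED = ("Modbus TCP/IP", "IEC61850-MMS")


def parse_dotted(text):
    """Turn dotted show output into a dict; headings and rulers are skipped."""
    settings = {}
    for line in text.splitlines():
        match = DOTTED.match(line.strip())
        if match:
            settings[match.group("key").strip()] = match.group("value").strip()
    return settings


def audit(modbus_output, rule_outputs, expected_clients):
    """Return (code, message) findings; an empty list means nothing to report."""
    findings = []
    expected = ipaddress.ip_network(expected_clients)
    modbus = parse_dotted(modbus_output)

    if modbus.get("Modbus TCP/IP server operation") == "enabled":
        if modbus.get("Write-access") != "disabled":
            findings.append(("write-access",
                             "Modbus TCP write access is active without authentication"))

    for output in rule_outputs:
        rule = parse_dotted(output)
        if rule.get("Active") != "[x]":
            continue  # only active rules are evaluated
        allowed = [name for name in UNAUTHENTICATED if rule.get(name) == "yes"]
        if not allowed:
            continue
        source = ipaddress.ip_network(
            f"{rule['IP Address']}/{rule['Prefix Length']}", strict=False)
        if not source.subnet_of(expected):
            findings.append(("range-too-wide",
                             f"rule {rule.get('Index')} admits {source} to "
                             f"{', '.join(allowed)}; expected at most {expected}"))
    return findings


# Output copied from the example on this page.
PAGE_MODBUS = """\
Modbus TCP/IP server settings
--------------------------
Modbus TCP/IP server operation................enabled
Write-access..................................disabled
Listening port................................502
"""
PAGE_RULE = """\
Restricted management access settings
-------------------------------------
Index.......................................1
IP Address..................................10.17.1.0
Prefix Length...............................29
IEC61850-MMS................................yes
Modbus TCP/IP...............................yes
Active......................................[x]
"""
# Constructed outputs showing the two conditions the audit reports.
CONSTRUCTED_MODBUS = """\
Modbus TCP/IP server operation................enabled
Write-access..................................enabled
"""
CONSTRUCTED_RULE = """\
Index.......................................1
IP Address..................................0.0.0.0
Prefix Length...............................0
Modbus TCP/IP...............................yes
Active......................................[x]
"""

if __name__ == "__main__":
    for code, message in audit(CONSTRUCTED_MODBUS, [CONSTRUCTED_RULE], "10.17.1.0/29"):
        print(f"{code}: {message}")
```
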


15.3 EtherNet/IP

EtherNet/IP is accepted worldwide as a standardized industrial communication protocol and is
maintained by the Open DeviceNet Vendor Association (ODVA). The protocol is based on the widely
used standard Ethernet transport protocols TCP/IP and UDP/IP. EtherNet/IP is supported by leading
manufacturers, thus providing a wide base for effective data communication in the industry sector.

[Figure labels: Controller; EtherNet/IP-Stack; UDP/IP Unicast; UDP/IP Unicast/Multicast]
Figure 76: EtherNet/IP network

EtherNet/IP adds the industry protocol, CIP (Common Industrial Protocol) to the standard Ethernet
protocols. EtherNet/IP implements CIP at the Session layer and above and adapts CIP to the specific
EtherNet/IP technology at the Transport layer and below. In the case of automation applications,
EtherNet/IP implements CIP on the application level. Therefore, EtherNet/IP is ideally suited to the
industrial control technology sector.

FTP HTTP DNS CIP SNMP BOOTP DHCP

TCP UDP

IP

IEEE 802.3 Ethernet

Figure 77: IEEE802.3 EtherNet/IP

In particular, you will find EtherNet/IP in the USA and in conjunction with Rockwell controllers.

For detailed information on EtherNet/IP, see the ODVA home page at
www.odva.org/Home/ODVATECHNOLOGIES/EtherNetIP.aspx.

15.3.1 Integration into a Control System


Use the following steps to integrate the device into a Control System:
 Open the Switching > IGMP Snooping > IGMP Snooping Global dialog.


 Verify that the IGMP Snooping function is activated.


 Open the Advanced > Industrial Protocols > EtherNet/IP dialog. Verify that the
EtherNet/IP function is activated.
 Open the Advanced > Industrial Protocols > EtherNet/IP dialog.
 To save the EDS as a zip file on your PC, click Download. The ZIP file contains the
EtherNet/IP configuration file and the icon used to configure the controller to connect to the device.

Note: If EtherNet/IP and the routing function are enabled at the same time, malfunctions are possible
with EtherNet/IP, for example, in connection with “RS Who”. Therefore, if the routing function is active,
then disable the routing function on the device.
 To disable the routing function on the device, open the Routing > Routing Global dialog
and in the Operation frame, click the Off radio button.

To disable the Routing function, perform the following steps:


enable                                Change to the Privileged EXEC mode.
configure                             Change to the Configuration mode.
no ip routing                         Deactivate the Routing function on the device.

 Configuration of a PLC using the example of Rockwell software


 Open the “EDS Hardware Installation Tool” of RSLinx.
 Use the “EDS Hardware Installation Tool” to add the EDS file.
 Restart the “RSLinx” service so that RSLinx takes over the EDS file of the device.
 Use RSLinx to check whether RSLinx has detected the device.
 Open your Logix 5000 project.
 Integrate the device into the Ethernet port of the controller as a new module (Generic Ethernet
Module).

Setting                          I/O connection            Input only                Listen only
Comm Format                      Data - DINT               Data - DINT               Input data - DINT - Run/Program
IP Address                       IP address of the device  IP address of the device  IP address of the device
Input Assembly Instance          2                         2                         2
Input Size                       7                         7                         7
Output Assembly Instance         1                         254                       255
Output Size                      1                         0                         0
Configuration Assembly Instance  3                         3                         3
Configuration Size               0                         0                         0
Table 45: Settings for integrating a Generic Ethernet Module
 In the module properties, enter a value of at least 100 ms for the Request Packet Interval (RPI).

Note: Monitoring the I/O connection to the CPU of the device as a failure criterion can result in a
system failure. Therefore, the I/O connection is less suitable as a failure criterion.
The I/O connection between the programmable logic controller (PLC) and the device can be
interrupted by a management program. For example, a management station can saturate the CPU
of the device with higher priority Real Time (RT) data. In this case, the device can still transmit or
receive data packets and the system remains operational.


 Example of integration from the Sample Code Library


The Sample Code Library is a website from Rockwell. The object of the website is to provide users
with a place where they can exchange their best architecture integration applications.
On the website http://samplecode.rockwellautomation.com, search for catalog number 9701. This is
the catalog number of an example for integrating the Hirschmann device into RS Logix 5000 rel. 16,
PLC firmware release 16.

15.3.2 EtherNet/IP Entity Parameters


The following paragraphs identify the objects supported by the device.
Save the entire device configuration. When the device receives a set request, it responds to the request
during the configuration save process. The LEDs flash until the device finishes saving the configuration.

 Identity object
The device supports the identity object (Class Code 0x01) of EtherNet/IP. The Hirschmann
manufacturer ID is 634. Hirschmann uses the ID 44 (0x2C) to indicate the product type "Managed
Ethernet Switch".
The following table lists the Instance attributes. Only instance 1 is available:
Id  Attribute      Access rule  Data type                    Description
1   Vendor ID      Get          UINT                         Hirschmann 634
2   Device Type    Get          UINT                         Managed Ethernet Switch 44 (0x2C)
3   Product Code   Get          UINT                         Product Code: mapping is defined for every device type
4   Revision       Get          STRUCT of:                   Revision of the EtherNet/IP implementation, 2.1.
                                USINT Major,
                                USINT Minor
5   Status         Get          WORD                         Support for the following Bit status only:
                                                             Bit 0: Owned (always 1)
                                                             Bit 2: Configured (always 1)
                                                             Bit 4-7: Extend Device Status
                                                                      value 3: No I/O connection established,
                                                                      value 7: At least one I/O connection established, all in idle mode.
6   Serial number  Get          UDINT                        Serial number of the device (contains last 3 Bytes of MAC address).
7   Product name   Get          Short String                 Displayed as "Hirschmann" + product family + product ID + software variant.
                                (max. 32 Byte)
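
An added example, not part of the manual, that decodes the seven Identity object attributes listed above and checks them against the values this section documents, for instance during an asset inventory. It assumes the attributes arrive packed in table order with CIP little-endian encoding and a one-byte length prefix for the Short String; the sample bytes, product code, serial number and finding codes are constructed.

```python
import struct

VENDOR_ID_HIRSCHMANN = 634          # attribute 1 per the table above
DEVICE_TYPE_MANAGED_SWITCH = 0x2C   # attribute 2 per the table above
EXTENDED_STATUS = {                 # attribute 5, bits 4-7
    3: "No I/O connection established",
    7: "At least one I/O connection established, all in idle mode",
}
# Attributes 1 to 6: UINT, UINT, UINT, USINT, USINT, WORD, UDINT (little-endian).
FIXED = struct.Struct("<HHHBBHI")


def parse_identity(data):
    """Decode the packed Identity attributes into a dict."""
    if len(data) < FIXED.size + 1:
        raise ValueError("identity data shorter than the fixed attributes")
    vendor, device_type, product, major, minor, status, serial = FIXED.unpack_from(data)
    name_len = data[FIXED.size]
    name = data[FIXED.size + 1:FIXED.size + 1 + name_len]
    if name_len > 32 or len(name) != name_len:
        raise ValueError("product name length invalid or truncated")
    extended = (status >> 4) & 0x0F
    return {
        "vendor_id": vendor,
        "device_type": device_type,
        "product_code": product,
        "revision": f"{major}.{minor}",
        "owned": bool(status & 0x0001),        # bit 0
        "configured": bool(status & 0x0004),   # bit 2
        "extended_status": EXTENDED_STATUS.get(extended, f"undocumented value {extended}"),
        "serial_number": serial,
        "product_name": name.decode("ascii", errors="replace"),
    }


def check_identity(identity):
    """Return finding codes for values that differ from the documented ones."""
    findings = []
    if identity["vendor_id"] != VENDOR_ID_HIRSCHMANN:
        findings.append("vendor-id")
    if identity["device_type"] != DEVICE_TYPE_MANAGED_SWITCH:
        findings.append("device-type")
    if not (identity["owned"] and identity["configured"]):
        findings.append("status-bits")       # documented as always 1
    if identity["extended_status"].startswith("undocumented"):
        findings.append("extended-status")
    if not identity["product_name"].startswith("Hirschmann"):
        findings.append("product-name")
    return findings


def build_sample(vendor_id=VENDOR_ID_HIRSCHMANN, status=0x0035):
    """Constructed identity data; product code 1 and the serial are made up."""
    name = b"Hirschmann GRS1040"
    fixed = FIXED.pack(vendor_id, DEVICE_TYPE_MANAGED_SWITCH, 1, 2, 1, status, 0x00A1B2C3)
    return fixed + bytes([len(name)]) + name


if __name__ == "__main__":
    identity = parse_identity(build_sample())
    print(identity)
    print("findings:", check_identity(identity))
```
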

 TCP/IP Interface Object


The device supports only Instance 1 of the TCP/IP Interface Object (Class Code 0xf5, F5H, 245) of
EtherNet/IP.
Depending on the write access status, the device stores the complete configuration in its flash
memory. Saving the configuration file can take up to 10 seconds. If the save process is interrupted,
for example, by a disruption of the input power, the device can become inoperable.


Note: The device replies to the configuration change Get Request with a Response even if saving
of the configuration has not yet been completed.
The following table lists the Class attributes:
Id  Attribute           Access rule  Data type  Description
1   Revision            Get          UINT       Revision of this object: 3
2   Max Instance        Get          UINT       Maximum instance number: 1
3   Number of instance  Get          UINT       Number of object instances currently created: 1
The following table lists the attributes of Instance 1:
Id  Attribute                   Access rule  Data type                    Description
1   Status                      Get          DWORD                        Interface Status:
                                                                          Bit 0-3: 0 Interface not configured,
                                                                                   1 Interface contains valid config
                                                                          Bit 6: AcdStatus (default 0)
                                                                          Bit 7: AcdFault (default 0)
2   Interface Capability flags  Get          DWORD                        Bit 0: BOOTP Client
                                                                          Bit 1: DNS Client
                                                                          Bit 2: DHCP Client
                                                                          Bit 3: DHCP-DNS Update
                                                                          Bit 4: Configuration settable (within CIP),
                                                                          Other bits reserved (0).
                                                                          Bit 7: AcdCapable (TRUE shall indicate that the device is ACD capable)
3   Config Control              Set/Get      DWORD                        Bit 0-3: Value 0 using stored config
                                                                                   Value 1 using BOOTP
                                                                                   Value 2 using DHCP
                                                                          Bit 4: 1 device uses DNS for name lookup (always 0 because not supp.)
                                                                          Other bits reserved (0)
4   Physical Link Object        Get          STRUCT of:                   Path to the Physical Link Object, always {0x20,0xF6,0x24,0x01}
                                             UINT Path size               describing instance 1 of the Ethernet Link Object.
                                             EPATH Path
5   Interface Configuration     Set/Get      STRUCT of:                   IP Stack Configuration (IP-Address, Netmask, Gateway, 2 Name servers
                                             UDINT IP address             (DNS, if supported) and the domain name).
                                             UDINT Netmask
                                             UDINT Gateway address
                                             UDINT Name server 1
                                             UDINT Name server 2
                                             STRING Domain name
6   Host Name                   Set/Get      STRING                       Host Name (for DHCP DNS Update).
7   Safety Network Number                                                 Not supported
8   TTL Value                   Get/Set      USINT                        Time to live value for IP multicast packets. (1–255)
                                                                          The default values: TTL = 1
9   Mcast Config                Get/Set      STRUCT of:                   Alloc Control = 0
                                             USINT Alloc control,         Number of IP multicast addresses = 32
                                             USINT reserved,              Multicast start address = 239.192.1.0
                                             UINT Num Mcast,
                                             UDINT Mcast Start Addr
10  SelectedAcd                 Get/Set      BOOL                         Enable ACD (1 default).
                                                                          Disable ACD (0)
11  LastConflictDetected        Get          STRUCT of:                   ACD Diagnostic Parameters
                                             USINT AcdActivity,
                                             Array of 6 USINT RemoteMAC,
                                             Array of 28 USINT ArpPdu

The following table lists the Hirschmann extensions to the TCP/IP Interface Object:


| Id | Attribute | Access Rule | Data type | Description |
|---|---|---|---|---|
| 100=0x64 | Cable Test | Set/Get | STRUCT of: USINT Interface, USINT Status | STRUCT of: USINT Interface, USINT Status: active (1), Success (2), Failure (3), Uninitialized (4) |
| 101=0x65 | Cable Pair Size | Get | USINT | Size of the Cable Test Result STRUCT of: 2 Pair for 100BASE, 4 Pair for 1000BASE |
| 102=0x66 | Cable Test Result | Get | STRUCT of: USINT Interface, USINT CablePair, USINT CableStatus, USINT CableMinLength, USINT CableMaxLength, USINT CableFailureLocation | 100BASE: { {Interface, CablePair1, CableStatus, CableMinLength, CableMaxLength, CableFailureLocation} {Interface, CablePair2, CableStatus, CableMinLength, CableMaxLength, CableFailureLocation} } 1000BASE: { {Interface, CablePair1, CableStatus, CableMinLength, CableMaxLength, CableFailureLocation} {Interface, CablePair2, CableStatus, CableMinLength, CableMaxLength, CableFailureLocation} {Interface, CablePair3, CableStatus, CableMinLength, CableMaxLength, CableFailureLocation} {Interface, CablePair4, CableStatus, CableMinLength, CableMaxLength, CableFailureLocation} } |

Ethernet Link object

Specify at least 1 instance of the Ethernet Link object (Class Code 0xf6, F6H, 246) of EtherNet/IP
on the device; for example, Instance 1 is the CPU Ethernet interface instance.

| Id | Attribute | Access Rule | Data type | Description |
|---|---|---|---|---|
| 1 | Interface Speed | Get | UDINT | Used interface speed in MBits/s (10, 100, 1000, …). 0 is used when the speed has not been determined or is invalid because of errors. |
| 2 | Interface Flags | Get | DWORD | Interface Status Flags: Bit 0: Link State (1=Link); Bit 1: Halfduplex(0)/Fullduplex(1); Bits 2-4: Autoneg Status (0 Autoneg in Progress, 1 Autoneg failed, 2 failed but Speed detected, 3 Autoneg success, 4 No Autoneg); Bit 5: manual configuration require reset (always 0 because not needed); Bit 6: hardware error. |
| 3 | Physical Address | Get | ARRAY of 6 USINTs | MAC address of physical interface. |
| 4 | Interface Counters | Get | STRUCT of: MIB II Counters, each UDINT | InOctets, InUcastPackets, InNUcastPackets, InDiscards, InErrors, InUnknownProtos, OutOctets, OutUcastPackets, OutNUcastPackets, OutDiscards, OutErrors. |


| Id | Attribute | Access Rule | Data type | Description |
|---|---|---|---|---|
| 5 | Media Counters | Get | STRUCT of: Ethernet MIB Counters, each UDINT | Alignment Errors, FCS Errors, Single Collision, Multiple Collision, SQE Test Errors, Deferred Transmissions, Late Collisions, Excessive Collisions, MAC TX Errors, Carrier Sense Errors, Frame Too Long, MAC RX Errors. |
| 6 | Interface Control | Get/Set | STRUCT of: WORD Control Bits, UINT Forced Iface Speed | Control Bits: Autoneg enable/disable (Bit 0, enable=1); Duplex mode (Bit 1, full duplex=1), if Autoneg disabled (Bit 0 set to 0). Interface speed in MBits/s: 10,100,…, if Autoneg disabled (Control Bit 0 set to 0). |
| 7 | Interface type | Get | USINT | Type of interface: Value 0: Unknown interface type, Value 1: The interface is internal, Value 2: Twisted-pair, Value 3: Optical fiber. |
| 3 | Interface state | Get | USINT | Current state of the interface: Value 0: Unknown interface state, Value 1: The interface is enabled, Value 2: The interface is disabled, Value 3: The interface is testing |
| 9 | Admin State | Set/Get | USINT | Administrative state: Value 1: Enable the interface, Value 2: Disable the interface. |
| 10 | Interface label | Get | SHORT-STRING | Human readable ID |

The following table lists the Hirschmann extensions to the Ethernet Link Object:
| Id | Attribute | Access Rule | Data type | Description |
|---|---|---|---|---|
| 100=0x64 | Ethernet Interface Index | Get | USINT | Interface/Port Index (ifIndex out of MIBII) |
| 101=0x65 | Port Control | Get/Set | DWORD | Bit 0 (RO): Link state (0 link down, 1 link up); Bit 1 (R/W): Link admin state (0 disabled, 1 enabled); Bit 8 (RO): Access violation alarm; Bit 9 (RO): Utilization alarm |
| 102=0x66 | Interface Utilization | Get | USINT | The existing Counter out of the private MIB hm2IDiagfaceUtilization is used. Utilization in percentage (Unit 1% = 100, %/100). RX Interface Utilization. |
| 103=0x67 | Interface Utilization Alarm Upper Threshold | Get/Set | USINT | Within this parameter the variable hm2DiagIfaceUtilizationAlarmUpperThreshold can be accessed. Utilization in percentage (Unit 1% = 100). RX Interface Utilization Upper Limit. |
| 104=0x68 | Interface Utilization Alarm Lower Threshold | Get/Set | USINT | Within this parameter the variable hm2DiagIfaceUtilizationAlarmLowerThreshold can be accessed. Utilization in percentage (Unit 1% = 100). RX Interface Utilization Lower Limit. |
| 105=0x69 | Broadcast limit | Get/Set | USINT | Broadcast limiter Service (Egress BC-Frames limitation, 0 = disabled), Frames/second |
| 106=0x6A | Ethernet Interface Description | Get/Set | STRING [max. 64 Bytes] even number of Bytes | Interface/Port Description (from MIB II ifDescr), for example "Unit: 1 Slot: 2 Port: 1 - 10/100 Mbit TX", or "unavailable", max. 64 Bytes. |


| Id | Attribute | Access Rule | Data type | Description |
|---|---|---|---|---|
| 107=0x6B | Port Monitor | Get/Set | DWORD | Bit 0: Link Flap (1 ON, 0 OFF); Bit 1: CRC/Fragment (1 ON, 0 OFF); Bit 2: Duplex Mismatch (1 ON, 0 OFF); Bit 3: Overload-Detection (1 ON, 0 OFF); Bit 4: Link-Speed/Duplex Mode (1 ON, 0 OFF); Bit 5-6: Action (to be performed in the event): Bit 01: Deactivate Port, Bit 10: Send Trap; Bit 7-11: Active Condition (displays which condition caused an action to occur): Bit 00001: Link Flap, Bit 00010: CRC/Fragments, Bit 00100: Duplex Mismatch, Bit 01000: Overload-Detection, Bit 10000: Link-Speed/Duplex mode; Bit 12-15: Reserved (always 0) |
| 108=0x6C | Quick Connect | Get/Set | USINT | Enable/disable Quick Connect on the interface. If you enable Quick Connect, then the device sets the port speed to 100FD, disables auto-negotiation, and spanning tree on the interface. Quick Connect (1 ON, 0 OFF) |
| 109=0x6D | SFP Diagnostics | Get | STRUCT of: STRING Module type, SHORT-STRING Serial Number, USINT Connector, USINT Supported, DINT Temperature °C, DINT Tx Power in mW, DINT Rx Power in mW, DINT Rx Power in dBm, DINT Tx Power in dBm | STRUCT of: { STRING Module type, UDINT Serial Number, USINT Connector, USINT Supported, DINT Temperature °C, DINT Tx Power in mW, DINT Rx Power in mW, DINT Tx Power in dBm, DINT Rx Power in dBm |

Switch Agent object

The device supports the Hirschmann vendor specific Ethernet Switch Agent Object (Class Code
0x95, 95H, 149) for the device configuration and information parameters with Instance 1.
The following table lists the Instance attributes of the Ethernet Switch Agent object:

Switch Status, Id 0x1, DWORD (32 Bit), RO

| Bit | Meaning |
|---|---|
| 0 | Like the signal contact, the value indicates the Device Overall state (0 ok, 1 failed). |
| 1 | Device Security Status (0 ok, 1 failed) |
| 2 | Power Supply 1 (0 ok, 1 failed or not existing) |
| 3 | Power Supply 2 (0 ok, 1 failed or not existing) |
| 4 | Reserved |
| 5 | Reserved |
| 6 | Signal Contact 1 (0 closed, 1 open) |
| 7 | Signal Contact 2 (0 closed, 1 open or not existing) |



| Bit | Meaning |
|---|---|
| 8 | Reserved |
| 9 | Temperature (0 ok, 1 Failure) |
| 10 | Module removed (1 removed) |
| 11 | ACA22 removed (1 removed) |
| 12 | ACA31 removed (1 removed) |
| 13 - 22 | Reserved |
| 23 - 30 | Network Redundancy: Bit 23: MRP; Bit 24: PRP; Bit 25: HSR; Bit 26: RSTP; Bit 27: LAG; Bit 28: DLR; Bit 29-30: Reserved. No Network Redundancy: (0 enabled) |
| 31 | Connection Error: (1 Failure) |

Switch Temperature, Id 0x2, Struct{INT RO Temperature °F, INT RO Temperature °C}

Reserved, Id 0x3, UDINT (unsigned 32 Bit int), RO
Always 0, attribute is reserved for future use.

Switch Max Ports, Id 0x4, UINT (16 Bit), RO
Maximum number of Ethernet Switch Ports

Multicast Settings (IGMP Snooping), Id 0x5, WORD (16Bit), RW

| Bit | Access | Meaning |
|---|---|---|
| 0 | RW | IGMP Snooping (1 enabled, 0 disabled) |
| 1 | RW | IGMP Querier (1 enabled, 0 disabled) |
| 2 | RO | IGMP Querier Mode (1 Querier, 0=Non-Querier) |
| 4 - 6 | RW | IGMP Querier Packet Version: V1 = 1, V2 = 2, V3 = 3, Off = 0 IGMP Querier disabled |
| 8 - 10 | RW | Treatment of Unknown Multicasts (Railswitch only): 0 = Send To All Ports, 1 = Send To Query Ports, 2 = Discard |


Switch Existing Ports, Id 0x6, ARRAY OF DWORD (32 bit), RO
Bitmask of existing Switch Ports.
Per Bit starting with Bit 0 (=Port 1): 1=Port existing, 0=Port not available.
Array (bit mask) size is adjusted to the size of maximum number of Switch ports (for example
max. 28 Ports => 1 DWORD is used (32 Bit)).

Switch Port Control, Id 0x7, ARRAY OF DWORD (32 bit), RW
Bitmask Link Admin Status Switch Ports.
Per Bit starting with Bit 0 (=Port 1): 0=Port enabled, 1=Port disabled.
Array (bit mask) size is adjusted to the size of maximum number of Switch ports (for example
max. 28 Ports => 1 DWORD is used (32 Bit)).

Switch Ports Mapping, Id 0x8, ARRAY OF USINT (BYTE, 8 bit), RO
Instance number of the Ethernet-Link-Object.
Starting with Index 0 (=Port 1): All Ethernet Link Object Instances for the existing
Ethernet Switch Ports (1..N, maximum number of ports). When the entry is 0, the Ethernet Link
Object for this port does not exist

Switch Action Status, Id 0x9, DWORD (32 Bit), RO
Status of the last executed action (for example config save, software update, etc.)

| Bit | Meaning |
|---|---|
| 0 | Flash Save Configuration In Progress/Flash Write In Progress |
| 1 | Flash Save Configuration Failed/Flash Write Failed |
| 4 | Configuration changed (configuration not in sync. between running configuration |

The Hirschmann specific Ethernet Switch Agent Object provides you with the additional vendor
specific service, with the Service-Code 35H for saving the Switch configuration. When you send a
request from your PC to save a device configuration, the device sends a reply after saving the
configuration in the flash memory.
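
A decoder for the Switch Status (Id 0x1), Switch Existing Ports and Switch Port Control (Id 0x6, 0x7) and Switch Action Status (Id 0x9) values listed above, added here as an example and not taken from the Hirschmann manual. It assumes the attribute bytes were already read with Get Attribute Single and are little-endian as CIP encodes them, and that the first DWORD of a port array covers ports 1 to 32; the function names and sample bytes are constructed for illustration.

```python
import struct

# Fault bits of Switch Status (attribute 0x1), copied from the table in this section.
FAULT_BITS = {
    0: "device overall state failed",
    1: "device security status failed",
    2: "power supply 1 failed or not existing",
    3: "power supply 2 failed or not existing",
    6: "signal contact 1 open",
    7: "signal contact 2 open or not existing",
    9: "temperature failure",
    10: "module removed",
    11: "ACA22 removed",
    12: "ACA31 removed",
    31: "connection error",
}
# Bits 23-28 each name a redundancy protocol; they are returned raw, not interpreted.
REDUNDANCY_BITS = {23: "MRP", 24: "PRP", 25: "HSR", 26: "RSTP", 27: "LAG", 28: "DLR"}


def _dwords(raw):
    """Split an attribute value into 32-bit words (little-endian, as CIP encodes them)."""
    if len(raw) == 0 or len(raw) % 4:
        raise ValueError("expected a non-empty multiple of 4 bytes, got %d" % len(raw))
    return struct.unpack("<%dI" % (len(raw) // 4), raw)


def _one_dword(raw):
    words = _dwords(raw)
    if len(words) != 1:
        raise ValueError("expected exactly one DWORD, got %d" % len(words))
    return words[0]


def decode_switch_status(raw):
    """Decode attribute 0x1 into fault texts, raw redundancy bits and stray reserved bits."""
    value = _one_dword(raw)
    known = set(FAULT_BITS) | set(REDUNDANCY_BITS)
    return {
        "faults": [FAULT_BITS[b] for b in sorted(FAULT_BITS) if (value >> b) & 1],
        "redundancy_bits": {name: (value >> b) & 1 for b, name in REDUNDANCY_BITS.items()},
        # A reserved bit that is set means the layout assumed here does not match the device.
        "reserved_bits_set": [b for b in range(32) if b not in known and (value >> b) & 1],
    }


def decode_action_status(raw):
    """Classify attribute 0x9: bit 0 = write in progress, bit 1 = write failed, bit 4 = changed."""
    value = _one_dword(raw)
    if value & 0x01:
        return "in_progress"
    if value & 0x02:
        return "failed"
    if value & 0x10:
        return "configuration_changed"
    return "idle"


def ports_from_mask(raw, max_ports):
    """Return the port numbers whose bit is set in an ARRAY OF DWORD mask (bit 0 = port 1)."""
    words = _dwords(raw)
    if not 0 < max_ports <= 32 * len(words):
        raise ValueError("mask of %d DWORD(s) cannot describe %d ports" % (len(words), max_ports))
    return [i + 1 for i in range(max_ports) if (words[i // 32] >> (i % 32)) & 1]


# Constructed sample values, not captured from a device.
SAMPLE_STATUS = bytes.fromhex("0a000004")     # bits 1, 3 and 26 set
SAMPLE_PORT_MASK = bytes.fromhex("0f0f0000")  # bits 0-3 and 8-11 set
SAMPLE_ACTION = bytes.fromhex("01000000")     # bit 0 set

if __name__ == "__main__":
    print(decode_switch_status(SAMPLE_STATUS))
    print(ports_from_mask(SAMPLE_PORT_MASK, 28))
    print(decode_action_status(SAMPLE_ACTION))
```

Applied to attribute 0x7, `ports_from_mask` returns the disabled ports, because a set bit there means "Port disabled". Since the device can answer a request before the flash write has finished, reading attribute 0x9 until the result is no longer `in_progress` confirms the outcome of a save before input power is removed.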

Base Switch object (0x51)

The Base Switch object provides the CIP application-level interface to basic status information for a
Managed Ethernet switch (revision 1).
Only Instance 1 of the Base Switch (Class Code 0x51) is available.
The following table lists the Instance attributes:

| Id | Attribute | Access Rule | Data type | Description |
|---|---|---|---|---|
| 1 | Device Up Time | Get | UDINT | Time since the device powered up |
| 2 | Total port count | Get | UDINT | Number of physical ports |
| 3 | System Firmware Version | Get | SHORT-STRING | Human readable representation of System Firmware Version |
| 4 | Power source | Get | WORD | Status of switch power source |
| 5 | Port Mask Size | Get | UINT | Number of DWORD in port array attributes |
| 6 | Existing ports | Get | Array of DWORD | Port Mask |
| 7 | Global Port Admin State | Get | Array of DWORD | Port Admin Status |
| 8 | Global Port link Status | Get | Array of DWORD | Port Link Status |
| 9 | System Boot Loader Version | Get | SHORT-STRING | Readable System Firmware Version |


| Id | Attribute | Access Rule | Data type | Description |
|---|---|---|---|---|
| 10 | Contact Status | Get | UDINT | Switch Contact Closure |
| 11 | Aging Time | Get | UDINT | Range 10…1000000; 0 = Learning off; Default = 300 |
| 12 | Temperature C | Get | UINT | Switch temperature in degrees Celsius |
| 13 | Temperature F | Get | UINT | Switch temperature in degrees Fahrenheit |

Services, Connections and I/O Data

The device supports the following connection types and parameters.

| Setting | I/O connection | Input only | Listen only |
|---|---|---|---|
| Comm Format: | Data - DINT | Data - DINT | Input Data - DINT - Run/Program |
| IP Address | IP address of the device | IP address of the device | IP address of the device |
| Input Assembly Instance | 100 | 100 | 100 |
| Input Size | 32 | 32 | 32 |
| Output Assembly Instance | 150 | 152 | 153 |
| Output Size | 32 | 0 | 0 |
| Configuration Assembly Instance | 151 | 151 | 151 |
| Data Size | 10 | 10 | 10 |

Table 46: Settings for integrating a new module

The following table displays an overview of the supported EtherNet/IP requests for the objects
instances.

| Service code | Identity Object | TCP/IP Interface Object | Ethernet Link Object | Switch Agent Object | Base Switch Object | DLR |
|---|---|---|---|---|---|---|
| Get Attribute All (0x01) | All attributes | All attributes | All attributes | All attributes | All attributes | All attributes |
| Set Attribute All (0x02) | - | Settable attributes (3,5,6,8,9,10) | Settable attributes (6,9) | - | - | Settable attributes (4,5) |
| Get Attribute Single (0x0e) | All attributes | All attributes | All attributes | All attributes | All attributes | All attributes |
| Set Attribute Single (0x10) | - | Settable attributes (3,5,6,8,9,10,0x64) | Settable attributes (6,9,0x65, 0x67,0x68,0x69, 6C) | Settable attributes (7) | - | Settable attributes (4,5) |
| Reset (0x05) | Parameter(0,1) | - | - | - | - | - |
| Save Configuration (0x35) Vendor specific | - | - | - | Save switch configuration | - | |
| Mac Filter (0x36) Vendor Specific | - | - | - | Add mac-filter STRUCT of: { USINT VLAN-ID, ARRAY of 6 USINT MAC, DWORD Port Mask } | - | - |
| Verify Fault Location (0x4B) | | | | | | Verify Fault Location |
| Clear Rapid Faults (0x4C) | | | | | | Clear Rapid Faults |


| Service code | Identity Object | TCP/IP Interface Object | Ethernet Link Object | Switch Agent Object | Base Switch Object | DLR |
|---|---|---|---|---|---|---|
| Restart Sign On (0x4D) | | | | | | Restart Sign On |
| Clear Gateway Partial Fault (0x04E) | | | | | | Clear Gateway Partial Fault |

| I/O Data | Value (data types and sizes to be defined) | Direction |
|---|---|---|
| Device Status | Bitmask (see Switch Agent Attribute 1) | Input, DWORD 32 Bit |
| Link Status | Bitmask, 1 Bit per port: 0 = No link, 1 = Link up | Input (DWORD 32 Bit *) |
| Output Links Admin State applied | Bitmask (1 Bit per port) to acknowledge output. Link state change can be denied, for example for controller access port. 0 = Port enabled, 1 = Port disabled | Input (DWORD 32 Bit *) |
| Utilization Alarm | Bitmask, 1 Bit per port: 0 = No alarm, 1 = Alarm on port | Input (DWORD 32 Bit *) |
| Access Violation Alarm | Bitmask, 1 Bit per port: 0 = No alarm, 1 = Alarm on port | Input (DWORD 32 Bit *) |
| Multicast Connections | Integer, number of connections | Input (1 DINT 32 Bit) |
| TCP/IP Connections | Integer, number of connections | Input (1 DINT 32 Bit) |
| Quick Connect Mask | Bitmask (1 Bit per port): 0 = Quick Connect is disabled, 1 = Quick Connect is enabled | Input (1 DINT 32 Bit *) |
| Link Admin State | Bitmask, 1 Bit per port: 0 = Port enabled, 1 = Port disabled | Output, DWORDa |

Ethernet Link Object Instances Mapping

The table displays the assignment of the ports to the Ethernet Link Object Instances.

| Ethernet Port | Ethernet Link Object Instance |
|---|---|
| CPU | 1 |
| Module 1 / Port 1 | 2 |
| Module 1 / Port 2 | 3 |
| Module 1 / Port 3 | 4 |
| Module 1 / Port 4 | 5 |
| … | … |

The number of ports depends on the type of hardware used. The Ethernet Link Object exists only if
the module is plugged in and the port is connected.


15.4 PROFINET

PROFINET is an industrial communication network based on Ethernet that is accepted worldwide. It is
based on the widely used transport protocols TCP/IP and UDP/IP (standard). This is an important
aspect for fulfilling the requirements for consistency from the management level down to the field level.

PROFINET enhances the existing Profibus technology for such applications that require fast data
communication and the use of industrial IT functions.

[Figure 78: Communication between the Controller and the device. Labels in the figure: Controller,
PROFINET-Stack, DCP (Discovery and Configuration Protocol), ARP, UDP/IP Unicast, Alarm High,
Alarm Low, PNIO (PROFINET IO cyclic RT Frame).]

In particular, you will find PROFINET in Europe and in conjunction with Siemens controllers.
PROFINET uses the device description language GSDML (Generic Station Description Markup
Language, based on XML - eXtended Markup Language) to describe devices and their properties so
that they can be processed automatically. You will find the device description in the GSD(ML) file of the
device.

You will find detailed information on PROFINET on the Internet site of the PROFIBUS Organization at
http://www.profibus.com.
The devices conform to class B for PROFINET.


Device Models for PROFINET GSDML Version 2.3

The device creates GSDML files in the GSDML V.2.3 format. Within the GSDML file, the device is
modeled according to GSDML standard V.2.2.

[Figure 79: Compact device. Bus Interface, Slot 0 with subslots (SubSl) 0x8001 to 0x8006 for
Port 1 to Port 6.]

[Figure 80: Modular device. Bus Interface, Slot 0, Slot 1 (Module 1) and Slot 2 (Module 2); each
module has subslots (SubSl) 0x8001, 0x8002, 0x80.., 0x80.n for Port 1, Port 2, Port .., Port n.]

[Figure 81: Mixed device. Bus Interface, Slot 0 with subslots 0x8001, 0x8002, 0x80.., 0x80.n for
Port 1 to Port n, and Slot 1 (Module 1) to Slot .. (Module ..), each with subslots 0x8001, 0x8002,
0x80.., 0x80.n for Port 1 to Port n.]

Graphical user interface and CLI

In PROFINET environments, the automation process establishes an application relation (AR) to the
device when the device is set up successfully.
After the login of a user, the device displays a corresponding message via the graphical user
interface and CLI.


15.4.1 Integration into a Control System

Preparing the device

After installing, connecting and configuring the device, proceed using the following steps:
• Open the Basic Settings > System dialog.
• Verify that a valid system name for the device is specified in the System name field.
• To save the changes temporarily, click the button.
• Open the Basic Settings > Network dialog.
• In the Management interface frame, select the Local radio button.
• To save the changes temporarily, click the button.
• Open the Switching > Switching Global dialog, mark the VLAN unaware mode checkbox.
• To save the changes temporarily, click the button.
• Open the Diagnostics > Status Configuration > Device Status dialog, Global and
  Port tabs.
• Configure the alarm setting and the threshold value for the alarms you want to monitor.
• To save the changes temporarily, click the button.
• Open the Advanced > Industrial Protocols > PROFINET dialog.
• Load the GSD(ML) file and the icon onto your local computer.
  Use the following methods to get the GSD(ML) file and the icon:
  – Download the file from the Advanced > Industrial Protocols > PROFINET dialog.
• To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.

Default values to be changed

Functions that directly affect the PROFINET function require the following default values to be
changed. If you have obtained the device as a specially available PROFINET variant, these values are
already predefined:
PROFINET: Advanced > Industrial Protocols > PROFINET dialog
– Operation = On
– Name of station = <empty>
Network: Basic Settings > Network dialog
– IP address assignment = Local
– HiDiscovery protocol v1/v2 Access = readOnly
– IP address = 0.0.0.0
– Netmask = 0.0.0.0
– Gateway address = 0.0.0.0
VLAN: Switching > Global dialog
– VLAN unaware mode = marked
LLDP: Diagnostics > LLDP dialog
– Transmit interval [s] = 5
– Transmit delay [s] = 1


Configuration of the PLC

The following illustrates the configuration of the PLC using the example of the Simatic S7 software
from Siemens, and assumes that you are familiar with operating the software.
The device also supports Network management stations from other manufacturers, such as PC Worx
from Phönix.
In the PLC default setting, the PLC detects the interruption of the I/O connection to the device as a
failure. The PLC considers three consecutive Real Time packets missing from the PLC or from the
device as an interruption. According to the default setting, this leads to a system failure. To change
this default setting, you employ Step7 programming measures.

Note: Monitoring the I/O connection to the CPU of the device as a failure can result in a system
failure. Therefore, monitoring the I/O connection as a failure criterion is less suitable.
The I/O connection between the programmable logic controller (PLC) and the device can be
interrupted by a management program. For example, a management station can saturate the CPU
of the device with higher priority Real Time (RT) data. In this case, the device can still transmit or
receive data packets and the system remains operational.

Providing the GSDML file

The Hirschmann device provides you with the following options for generating GSDML files and
icons:
• You can use the graphical user interface in the Advanced > Industrial Protocols > PROFINET
  dialog to download the GSDML file and the icon of the device.

Incorporating the device in the configuration

• Open the Simatic Manager application from Simatic S7.
• Open your project.
• Go to the hardware configuration.
• Install the GSD(ML) file:
  In the menu bar, click Options > Install GSD File.
  Select the GSD file previously saved on your PC.
  Simatic S7 installs the file together with the icon.
  You will find the new device under:
  PROFINET IO > Additional Field Devices > Switching Devices > Hirschmann..
  or under
  PROFINET IO > Additional Field Devices > Network Components > Hirschmann..
• Use the Drag-and-Drop function to pull the device onto the bus cable.


To rename the device, use the following steps:


• Highlight the device.
• In the menu bar, click PLC > Ethernet > Edit Ethernet Node.
• In the Edit Ethernet Node dialog, enter the name of the device in the Assign device name
  frame, Device name field.
• Click the Browse… button.
  Select the device.
  Click the OK button.
• Specify the name of the device.
  Click the Assign Name button.
• Click the Close button.

• In the hardware configuration, right-click the device and select Object properties from the drop-
  down list.
• Enter the same name as specified in the Edit Ethernet Node dialog.
• Click the Ethernet button.
  Enter the IP parameters.
  To close the Properties - Ethernet interface... window, click the OK button.
• To close the Properties window, click the OK button.

The device is now included in the configuration.

Configuring IO Cycle
• In the hardware configuration, click the device.
• In the Slot/Module View dialog, right-click the X1 / PN-IO row.
• In the drop-down list, select Object properties.
• In the Properties window, open the IO Cycle tab.
• In the Update Time frame, Update time[ms]: field, select the required update time in ms, for the
  IO Cycle.
• In the Watchdog Time frame, Number of accepted update cycles with missing IO data
  field, select the required number for the IO Cycle.
• To close the Properties window, click the OK button.

Configuring Media Redundancy

• In the hardware configuration, left-click the device.
• In the Slot/Module View dialog, right-click the X1 / PN-IO row.
• In the drop-down list, select Object properties.
• In the Properties window, open the Media Redundancy tab.
• In the MRP Configuration frame, Domain field, select the required MRP domain for the node.
• In the MRP Configuration frame, Role field, select the required role of the node in the ring.
• In the Ring Port 1 and Ring Port 2 fields select the active MRP Ring Ports.
• To close the Properties window, click the OK button.

Adding modules for modular devices

• Use the Drag & Drop function to pull a module from the library into a slot.
  Simatic S7 adds the ports using the Module properties.


Configuring device property

In slot 0 you enter the settings for the entire device.
• Select the device.
• Right-click slot 0.
  To configure the entire device, select Object properties.
• In the Properties window, open the Parameters tab.

Configuring the port properties

For modular devices, slots 1 through n represent the modules. The ports are represented as
subslots/submodules.
For non-Modular devices, the subslots 1 through n in slot 0 represent the ports.

Configuring Port Alarms

• Right-click a port, 1 through n, and select Object properties.
• In the Properties window, open the Parameters tab.
• Select the desired alarms and close the window.
Special case: “LinkDown” alarm:
The LinkDown alarm is made up of the AND-link
– of the Hirschmann-specific status for connection errors and
– of the Simatic S7-specific option for the connection.
Activating the LinkDown alarm:
• In the Properties dialog, open the Parameters tab (Hirschmann-specific).
• To enable the Alarms parameter, select the value On in the Value column.
• Enable the Link state monitoring parameter and select the Generate diagnosis alarm when
  link goes down option in the Value column.
• Open the Options tab.
• To activate link monitoring, select a fixed setting for the port in the Connection frame,
  Transmission medium/duplex field.

Configuring Connection Options

• Right-click a port, 1 through n, and select Object properties.
• In the Properties dialog, open the Options tab.
• In the Connection frame, Transmission medium/duplex field, select the desired setting for the
  port.
• To close the Properties window, click the OK button.
When you change the port setting to a value other than Automatic settings, the device disables
the port for a short time. When the port is situated on the path between the I/O controller and the I/O
device, the interruption can possibly lead to a failure in establishing the Application Relation. Make
the following provisions before changing the port setting:

Note: Beware of Loops! Deactivate RSTP on the device ports between the I/O controller and the I/O
device.
• Open the Switching > L2-Redundancy > Spanning Tree > Spanning Tree Port dialog,
  CIST tab.
• Unmark the STP active checkbox for the relevant ports.
• To save the changes temporarily, click the button.


Configuring Topology
• Right-click a port, 1 through n, and select Object properties.
• In the Properties dialog, open the Topology tab.
• In the Partners frame, Partner port field select the required setting for the partner port.
• To close the Properties window, click the OK button.

Swapping devices
Hirschmann devices support the device swapping function with an engineering station.
If identical devices are being swapped, the Network management station assigns the parameters of
the original device to the new device.
The device swapping function with Simatic S7 requires the following prerequisites:
• S7 300 with SW release from V2.7 (currently available for CPU 319) or S7 400 with SW release
  from V5.2
• Hirschmann device SW release from 05.0.00
• Neighboring device(s) support(s) LLDP
• Topology (=neighborhood relationships) is configured and loaded onto PLC
Device swapping requires the following conditions:
• the replacement device is exactly the same type as the device to be replaced.
• the replacement device is connected to the exact same place in the network (same ports and
  neighboring devices).
• the replacement device has a PROFINET default configuration. Set the device name to "" (null
  string).
If these conditions are met, the Network management station automatically assigns the parameters
of the original device (device name, IP parameters and configuration data) to the replacement device.

Procedure for swapping devices:

• - System name "" (= null string)
  - IP address = 0.0.0.0 or DHCP
  - PROFINET activated
• Make a note of the port assignment on the original device and remove the original device from the
  system.
  The PLC now detects an error.
• Now insert the replacement device in the same position in the network. Verify that the port
  assignments are the same as the original device.
  The PLC finds the replacement device and configures it like the original device.
  The PLC detects proper operation.
  If necessary, reset the PLC to “Run”.

Swapping modules
The PROFINET stack in the device detects a change in the connected modules and reports the
change to the engineering station. If a previously configured module is removed from the device, the
engineering station reports an error. If a configured module that was missing is connected, the
Network management station removes the error message.

Topology Discovery
After the user initializes the Topology Discovery, the Network management station looks for
connected devices.


Configuring the topology

Simatic S7 gives the user the option to configure the topology and monitor it accordingly.
Simatic S7 displays the connection parameters (quality and settings) in a colored graphic.

Communication diagnosis
Simatic S7 monitors the communication quality and outputs messages relating to communication
problems.

Outputting port statistics

Simatic S7 counts for each port the number of data packets received and sent, the collisions, etc.
You can view these figures in the form of statistic tables in Simatic S7.


15.4.2 PROFINET Parameter

Alarms
The device supports alarms on the device and port levels.

| Level | Alarms |
|---|---|
| Alarms on device level | Change in device status; Failure of redundant power supply; Failure/removal of ACA |
| Alarms on port level | Change in link status; Specified transfer rate exceeded. |

Table 47: Alarms supported

Record parameters
The device provides records for:
• Device parameters
• Device status
• Port status/parameters

| Byte | Content | Access | Value | Meaning |
|---|---|---|---|---|
| 0 | Send alarm if status changes | rw | 0 | Do not send alarm |
| | | | 1 | Send alarm if one of the following alarm reasons occurs. |
| 1 | Power Alarm | rw | 0 | Do not send alarm |
| | | | 1 | Send alarm if a power supply fails. |
| 2 | ACA Alarm | rw | 0 | Do not send alarm |
| | | | 1 | Send alarm if the ACA is removed. |
| 3 | Module Alarm | rw | 0 | Do not send alarm |
| | | | 1 | Send alarm if the module connections are changed. |

Table 48: Device parameters

| Byte | Content | Access | Value | Meaning |
|---|---|---|---|---|
| 0 | Device status | ro | 0 | Unavailable |
| | | | 1 | OK |
| | | | 2 | Error |
| 1 | Power supply unit 1 | ro | 0 | Unavailable |
| | | | 1 | OK |
| | | | 2 | Error |
| 2 | Power supply unit 2 | ro | 0 | Unavailable |
| | | | 1 | OK |
| | | | 2 | Error |
| 3 | Power supply unit 3 | ro | 0 | Unavailable |
| | | | 1 | OK |
| | | | 2 | Error |
| 4 | Power supply unit 4 | ro | 0 | Unavailable |
| | | | 1 | OK |
| | | | 2 | Error |
| 5 | Power supply unit 5 | ro | 0 | Unavailable |
| | | | 1 | OK |
| | | | 2 | Error |
| 6 | Power supply unit 6 | ro | 0 | Unavailable |
| | | | 1 | OK |
| | | | 2 | Error |

Table 49: Device status


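| Byte | Content | Access | Value | Meaning |
|---|---|---|---|---|
| 7 | Power supply unit 7 | ro | 0 | Unavailable |
| | | | 1 | OK |
| | | | 2 | Error |
| 8 | Power supply unit 8 | ro | 0 | Unavailable |
| | | | 1 | OK |
| | | | 2 | Error |
| 9 | Signal contact 1 | ro | 0 | Unavailable |
| | | | 1 | Closed |
| | | | 2 | Open |
| 10 | Signal contact 2 | ro | 0 | Unavailable |
| | | | 1 | Closed |
| | | | 2 | Open |
| 11 | Temperature | ro | 0 | Unavailable |
| | | | 1 | OK |
| | | | 2 | Threshold value for temperature exceeded or not reached |
| 12 | Fan | ro | 0 | Unavailable |
| | | | 1 | OK |
| | | | 2 | Fan failure |
| 13 | Module removal | ro | 0 | Unavailable |
| | | | 1 | OK |
| | | | 2 | A module has been removed. |
| 14 | ACA Removed | ro | 0 | Unavailable |
| | | | 1 | OK |
| | | | 2 | The ACA has been removed. |
| 15 | Not used | | 0 | |
| | | | 1 | |
| | | | 2 | |
| 16 | Not used | | 0 | |
| | | | 1 | |
| | | | 2 | |
| 17 | Connection | ro | 0 | Unavailable |
| | | | 1 | OK |
| | | | 2 | Connection failure. |

Table 49: Device status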

Byte  Content                     Access  Value  Meaning
0     Report port error           rw      0      Do not send alarm
                                          1      Send alarm if one of the following alarm reasons occurs.
1     Report connection error     rw      0      Do not send alarm
                                          1      Send alarm if the connection has failed.
2     Transmission rate too high  rw      0      Do not send alarm
                                          1      Send alarm if the threshold value for the temperature has been exceeded.
3     Port on                     rw      0      Unavailable
                                          1      Switched on
                                          2      Switched off
4     Link status                 ro      0      Unavailable
                                          1      Connection exists
                                          2      Connection interrupted
5     Bit rate                    ro      0      Unavailable
                                          1      Unknown
                                          2      10 MBit/s
                                          2      100 MBit/s
                                          2      1000 MBit/s
6     Duplex                      ro      0      Half duplex
                                          1      Full duplex
                                          2
7     Autonegotiation             ro      0      Unavailable
                                          1      off
                                          2      on
Table 50: Port status/parameters

■ I/O Data
You will find the bit assignment for the transferred I/O data in the following table.

Direction  Byte  Bit  Meaning
Input      0          General
                 0    Device status
                 1    Signal contact 1
                 2    Signal contact 2
                 3    Temperature
                 4    Fan
                 5    Module removal
                 6    ACA Removed
                 7    Not used
Input      1          Power supply status
                 0    Power supply unit 1
                 1    Power supply unit 2
                 2    Power supply unit 3
                 3    Power supply unit 4
                 4    Power supply unit 5
                 5    Power supply unit 6
                 6    Power supply unit 7
                 7    Power supply unit 8
Input      2          Supply voltage status
                 0    Not used
                 1    Not used
                 2    Connection error
                 3    Not used
                 4    Not used
                 5    Not used
                 6    Not used
                 7    Not used
Output                Not defined
Meaning of the bit content:
0: OK or unavailable
1: Reason for report exists
Table 51: Device I/O data

Direction  Byte  Bit  Meaning
Input      0          Connection status for ports 1 to 8
                 0    Port 1
                 1    Port 2
                 2    Port 3
                 3    Port 4
                 4    Port 5
                 5    Port 6
                 6    Port 7
                 7    Port 8
Input      1          Connection status for ports 9 to 16
                 0    Port 9
                 1    Port 10
                 2    Port 11
                 3    Port 12
                 4    Port 13
                 5    Port 14
                 6    Port 15
                 7    Port 16
Input      n          Connection for port (n * 8) + 1 to port (n * 8) + 8
                 0    Port (n * 8) + 1
                 1    Port (n * 8) + 2
                 2    Port (n * 8) + 3
                 3    Port (n * 8) + 4
                 4    Port (n * 8) + 5
                 5    Port (n * 8) + 6
                 6    Port (n * 8) + 7
                 7    Port (n * 8) + 8
Meaning of the input bit content:
0: no connection
1: active connection
Output     0          "Port activated" for ports 1 to 8
                 0    Port 1 activated
                 1    Port 2 activated
                 2    Port 3 activated
                 3    Port 4 activated
                 4    Port 5 activated
                 5    Port 6 activated
                 6    Port 7 activated
                 7    Port 8 activated
Output     1          "Port activated" for ports 9 to 16
                 0    Port 9 activated
                 1    Port 10 activated
                 2    Port 11 activated
                 3    Port 12 activated
                 4    Port 13 activated
                 5    Port 14 activated
                 6    Port 15 activated
                 7    Port 16 activated
Output     n          "Port activated" for port (n * 8) + 1 to port (n * 8) + 8
                 0    Port (n * 8) + 1 activated
                 1    Port (n * 8) + 2 activated
                 2    Port (n * 8) + 3 activated
                 3    Port (n * 8) + 4 activated
                 4    Port (n * 8) + 5 activated
                 5    Port (n * 8) + 6 activated
                 6    Port (n * 8) + 7 activated
                 7    Port (n * 8) + 8 activated
Meaning of the output bit content:
0: port not active
1: port active
Table 52: Port I/O data
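
The bit layout of Tables 51 and 52 applied to sample input bytes, as an added example that is not part of the manual. It assumes that bit 0 is the least significant bit of each byte; the sample bytes and the set of expected ports are constructed.

```python
"""Decode the PROFINET input bytes laid out in Table 51 and Table 52."""
from __future__ import annotations

# Bit names per input byte of the device I/O data (Table 51); None marks "Not used".
# Assumption: bit 0 is the least significant bit of each byte.
DEVICE_INPUT_BITS = {
    0: ["Device status", "Signal contact 1", "Signal contact 2", "Temperature",
        "Fan", "Module removal", "ACA Removed", None],
    1: [f"Power supply unit {i}" for i in range(1, 9)],
    2: [None, None, "Connection error", None, None, None, None, None],
}


def decode_device_inputs(data: bytes) -> list[str]:
    """Return the conditions whose bit is 1 ("Reason for report exists")."""
    if len(data) != len(DEVICE_INPUT_BITS):
        raise ValueError("device I/O data consists of input bytes 0 to 2")
    reported = []
    for byte_index, value in enumerate(data):
        for bit, name in enumerate(DEVICE_INPUT_BITS[byte_index]):
            if (value >> bit) & 1:
                # A set bit in a "Not used" position is reported rather than hidden.
                reported.append(name or f"unexpected bit {bit} in byte {byte_index}")
    return reported


def ports_with_bit_set(data: bytes) -> list[int]:
    """Map byte n, bit b to port (n * 8) + b + 1 and list the ports whose bit is 1."""
    return [n * 8 + b + 1
            for n, value in enumerate(data)
            for b in range(8)
            if (value >> b) & 1]


def unexpected_links(port_inputs: bytes, expected_ports: set[int]) -> list[int]:
    """Ports that report an active connection although no device is expected there."""
    return [p for p in ports_with_bit_set(port_inputs) if p not in expected_ports]


if __name__ == "__main__":
    # Constructed sample data, not captured from a device.
    device_inputs = bytes([0b00010001, 0b00000010, 0b00000100])
    port_inputs = bytes([0b10000001, 0b00000100])
    print(decode_device_inputs(device_inputs))
    print(ports_with_bit_set(port_inputs))
    print(unexpected_links(port_inputs, expected_ports={1, 8}))
```
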

A Setting up the configuration environment


A.1 Setting up a DHCP/BOOTP server

The following example describes the configuration of a DHCP server using the haneWIN DHCP Server
software. This shareware software is a product of IT-Consulting Dr. Herbert Hanewinkel. You can
download the software from https://www.hanewin.net. You can test the software for 30 calendar days
from the date of the first installation, and then decide whether you want to purchase a license.
• To install the DHCP server on your PC, put the product CD in the CD drive of your PC and under
  Additional Software select haneWIN DHCP-Server. To carry out the installation, follow the installation
  assistant.
• Start the haneWIN DHCP-Server program.

Figure 82: Start window of the haneWIN DHCP-Server program

Note: The installation procedure includes a service that is automatically started in the basic
configuration when Windows is activated. This service is also active if the program itself has not been
started. When started, the service responds to DHCP queries.

• Open the window for the program settings in the menu Options > Preferences and select the DHCP
  tab.
• Specify the settings displayed in the figure.
• Click the OK button.

Figure 83: DHCP setting

• To enter the configuration profiles, select Options > Configuration Profiles in the menu bar.
• Specify the name for the new configuration profile.
• Click the Add button.

Figure 84: Adding configuration profiles

• Specify the netmask.
• Click the Apply button.

Figure 85: Netmask in the configuration profile

• Select the Boot tab.
• Enter the IP address of your TFTP server.
• Enter the path and the file name for the configuration file.
• Click the Apply button and then the OK button.

Figure 86: Configuration file on the TFTP server

• Add a profile for each device type.
  If devices of the same type have different configurations, then you add a profile for each
  configuration.
• To complete the addition of the configuration profiles, click the OK button.

Figure 87: Managing configuration profiles

• To enter the static addresses, in the main window, click the Static button.

Figure 88: Static address input

• Click the Add button.

Figure 89: Adding static addresses

• Enter the MAC address of the device.
• Enter the IP address of the device.
• Select the configuration profile of the device.
• Click the Apply button and then the OK button.

Figure 90: Entries for static addresses

• Add an entry for each device that will get its parameters from the DHCP server.

Figure 91: DHCP server with entries

A.2 Setting up a DHCP server with Option 82

The following example describes the configuration of a DHCP server using the haneWIN DHCP Server
software. This shareware software is a product of IT-Consulting Dr. Herbert Hanewinkel. You can
download the software from https://www.hanewin.net. You can test the software for 30 calendar days
from the date of the first installation, and then decide whether you want to purchase a license.
• To install the DHCP server on your PC, put the product CD in the CD drive of your PC and under
  Additional Software select haneWIN DHCP-Server. To carry out the installation, follow the installation
  assistant.
• Start the haneWIN DHCP-Server program.

Figure 92: Start window of the haneWIN DHCP-Server program

Note: The installation procedure includes a service that is automatically started in the basic
configuration when Windows is activated. This service is also active if the program itself has not been
started. When started, the service responds to DHCP queries.

Figure 93: DHCP setting

• To enter the static addresses, click the Add button.

Figure 94: Adding static addresses

• Mark the Circuit Identifier checkbox.
• Mark the Remote Identifier checkbox.

Figure 95: Default setting for the fixed address assignment

• In the Hardware address field, specify the value Circuit Identifier and the value Remote
  Identifier for the switch and port.
  The DHCP server assigns the IP address specified in the IP address field to the device that you
  connect to the port specified in the Hardware address field.
  The hardware address is in the following form:
  ciclhhvvvvssmmpprirlxxxxxxxxxxxx
  • ci
    Sub-identifier for the type of the Circuit ID.
  • cl
    Length of the Circuit ID.
  • hh
    Hirschmann identifier:
    01 if a Hirschmann device is connected to the port, otherwise 00.
  • vvvv
    VLAN ID of the DHCP request.
    Default setting: 0001 = VLAN 1
  • ss
    Socket of the device in which the module with the port is located to which the device is connected.
    Specify the value 00.
  • mm
    Module with the port to which the device is connected.
  • pp
    Port to which the device is connected.
  • ri
    Sub-identifier for the type of the Remote ID.
  • rl
    Length of the Remote ID.
  • xxxxxxxxxxxx
    Remote ID of the device (for example MAC address) to which a device is connected.

Figure 96: Specifying the addresses

Figure 97: Application example of using Option 82
(Elements shown: PLC, Switch (Option 82), DHCP Server with IP = 149.218.112.1. Further labels:
MAC = 00:80:63:10:9a:d7, IP = 149.218.112.100, shown twice.)
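
An added example, not part of the manual or of haneWIN, that builds and parses the hardware address string in the form given above. It assumes that every field is written in hexadecimal and uses the VLAN ID range 1..4042 from the technical data; the ci and ri values are placeholders because the manual does not state them, and the MAC address printed in Figure 97 serves as a sample Remote ID.

```python
"""Build and parse the "Hardware address" string of an Option 82 static entry."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Field names and widths in hex digits, in the order of the form
# ci cl hh vvvv ss mm pp ri rl xxxxxxxxxxxx (32 hex digits in total).
LAYOUT = [("ci", 2), ("cl", 2), ("hh", 2), ("vvvv", 4), ("ss", 2),
          ("mm", 2), ("pp", 2), ("ri", 2), ("rl", 2), ("x", 12)]
CIRCUIT_ID_LEN = 6  # bytes covered by cl: hh + vvvv + ss + mm + pp
REMOTE_ID_LEN = 6   # bytes covered by rl: xxxxxxxxxxxx
VLAN_RANGE = range(1, 4043)  # VLAN ID range 1..4042 from the technical data


@dataclass(frozen=True)
class Option82Entry:
    circuit_sub_id: int      # ci, not stated in the manual (assumption: one byte)
    remote_sub_id: int       # ri, not stated in the manual (assumption: one byte)
    hirschmann_client: bool  # hh: 01 if a Hirschmann device is connected, otherwise 00
    vlan_id: int             # vvvv
    module: int              # mm (assumption: hexadecimal)
    port: int                # pp (assumption: hexadecimal)
    remote_id: str           # xxxxxxxxxxxx, 12 hex digits, separators allowed


def _clean_hex(text: str, digits: int) -> str:
    """Strip separators and check that exactly `digits` hex digits remain."""
    cleaned = re.sub(r"[\s:.\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % digits, cleaned):
        raise ValueError(f"expected {digits} hex digits, got {text!r}")
    return cleaned


def build(entry: Option82Entry) -> str:
    """Return the 32-digit hardware address for one switch port."""
    if entry.vlan_id not in VLAN_RANGE:
        raise ValueError("VLAN ID outside 1..4042")
    for name in ("circuit_sub_id", "remote_sub_id", "module", "port"):
        if not 0 <= getattr(entry, name) <= 0xFF:
            raise ValueError(f"{name} does not fit into one byte")
    return "".join([
        f"{entry.circuit_sub_id:02x}", f"{CIRCUIT_ID_LEN:02x}",
        "01" if entry.hirschmann_client else "00",
        f"{entry.vlan_id:04x}",
        "00",  # ss: the manual says to specify the value 00
        f"{entry.module:02x}", f"{entry.port:02x}",
        f"{entry.remote_sub_id:02x}", f"{REMOTE_ID_LEN:02x}",
        _clean_hex(entry.remote_id, 12),
    ])


def parse(hardware_address: str) -> Option82Entry:
    """Split a hardware address into its fields and reject inconsistent values."""
    text = _clean_hex(hardware_address, 32)
    fields, pos = {}, 0
    for name, width in LAYOUT:
        fields[name] = text[pos:pos + width]
        pos += width
    if int(fields["cl"], 16) != CIRCUIT_ID_LEN or int(fields["rl"], 16) != REMOTE_ID_LEN:
        raise ValueError("length field does not match the 6-byte Circuit ID / Remote ID")
    if fields["hh"] not in ("00", "01"):
        raise ValueError("hh must be 00 or 01")
    if fields["ss"] != "00":
        raise ValueError("ss must be 00")
    entry = Option82Entry(
        circuit_sub_id=int(fields["ci"], 16), remote_sub_id=int(fields["ri"], 16),
        hirschmann_client=fields["hh"] == "01", vlan_id=int(fields["vvvv"], 16),
        module=int(fields["mm"], 16), port=int(fields["pp"], 16), remote_id=fields["x"])
    if entry.vlan_id not in VLAN_RANGE:
        raise ValueError("VLAN ID outside 1..4042")
    return entry


# Constructed sample: ci=0xaa and ri=0xbb are placeholders, module 1, port 3, VLAN 1,
# Remote ID taken from the MAC address printed in Figure 97.
SAMPLE = Option82Entry(0xAA, 0xBB, False, 1, 1, 3, "00:80:63:10:9a:d7")

if __name__ == "__main__":
    address = build(SAMPLE)
    print(address)
    print(parse(address))
```
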


A.3 Preparing access via SSH

To access the device using SSH, perform the following steps:
• Generate a key on the device.
  or
• Upload your own key onto the device.
• Prepare access to the device in the SSH client program.

Note: In the default setting, a key already exists on the device and access using SSH is enabled.

A.3.1 Generating a key on the device

The device allows you to generate the key directly on the device.
Perform the following steps:
• Open the Device Security > Management Access > Server dialog, SSH tab.
• Disable the SSH server.
  To disable the function, select the Off radio button in the Operation frame.
• To save the changes temporarily, click the button.
• To create a DSA key or an RSA key, in the Signature frame, click the Create button.
• Enable the SSH server.
  To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.

enable                  Change to the Privileged EXEC mode.
configure               Change to the Configuration mode.
ssh key dsa generate    Generate a new DSA key.

A.3.2 Loading your own key onto the device


OpenSSH gives experienced network administrators the option of generating their own key. To generate
the key, enter the following commands on your PC:
ssh-keygen(.exe) -q -t rsa1 -f rsa1.key -C '' -N ''
dsaparam -out dsaparam.pem 1024

The device allows you to upload your own SSH key to the device.
Perform the following steps:
• Open the Device Security > Management Access > Server dialog, SSH tab.
• Disable the SSH server.
  To disable the function, select the Off radio button in the Operation frame.
• To save the changes temporarily, click the button.
• If the host key is located on your PC or on a network drive, drag and drop the file that contains
  the key in the area. Alternatively click in the area to select the file.
• Click the Start button in the Key import frame to load the key onto the device.
• Enable the SSH server.
  To enable the function, select the On radio button in the Operation frame.
• To save the changes temporarily, click the button.

• Copy the self-generated key from your PC to the external memory.
• Copy the key from the external memory into the device.

enable                          Change to the Privileged EXEC mode.
copy sshkey envm <file name>    Load your own key onto the device from the external memory.


A.3.3 Preparing the SSH client program


The PuTTY program allows you to access the device using SSH. This program is provided on the
product CD.

Perform the following steps:
• Start the program by double-clicking on it.

Figure 98: PuTTY input screen

• In the Host Name (or IP address) field, enter the IP address of your device.
  The IP address (a.b.c.d) consists of 4 decimal numbers with values from 0 to 255. The 4 decimal
  numbers are separated by dots.
• To select the connection type, select the SSH radio button in the Connection type range.
• Click the Open button to set up the data connection to your device.

Just before the connection is established, the PuTTY program displays a security alarm message and
gives you the option of checking the key fingerprint.

Figure 99: Security alert prompt for the fingerprint

• Check the fingerprint of the key to ensure that you have actually connected to the desired device.
• If the fingerprint matches your key, click the Yes button.

The PuTTY program also displays another security alarm message at the specified warning threshold.

For experienced network administrators, another way of accessing your device through SSH is by
using the OpenSSH Suite. To set up the data connection, enter the following command:
ssh admin@10.0.112.53

admin is the user name.
10.0.112.53 is the IP address of your device.
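
One way to carry out the fingerprint check described above, as an added example that is not part of the manual: it computes the MD5 and SHA-256 fingerprints of an OpenSSH one-line public key and compares them with the value the SSH client displays. It assumes that you hold the public half of the device's host key in that format (for example for a key you generated yourself); the sample key is built from made-up numbers at run time and is not a real key.

```python
"""Compute SSH host key fingerprints to compare with the value an SSH client displays."""
from __future__ import annotations

import base64
import hashlib
import struct


def key_blob(public_key_line: str) -> bytes:
    """Return the decoded blob of a one-line public key ("type base64 [comment]")."""
    parts = public_key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key type> <base64 blob> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    # The blob repeats its own key type; a mismatch indicates a damaged or edited file.
    if blob[4:4 + name_len] != parts[0].encode("ascii"):
        raise ValueError("key type in the blob does not match the declared key type")
    return blob


def fingerprints(public_key_line: str) -> dict[str, str]:
    """Return the colon-separated MD5 and the base64 SHA-256 fingerprint of the key."""
    blob = key_blob(public_key_line)
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return {
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256_b64.rstrip("="),
    }


def matches(public_key_line: str, displayed: str) -> bool:
    """True if the fingerprint shown by the client belongs to the given public key."""
    tokens = displayed.split()
    if not tokens:
        return False
    shown = tokens[-1]  # tolerates a leading "ssh-rsa 2048 " in front of the fingerprint
    expected = fingerprints(public_key_line)
    if shown.upper().startswith("SHA256:"):
        # Base64 is case sensitive, so only the padding is normalised.
        return shown[7:].rstrip("=") == expected["sha256"][7:]
    if shown.upper().startswith("MD5:"):
        shown = shown[4:]
    return shown.lower() == expected["md5"]


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string as used inside SSH key blobs."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Positive multi-precision integer; the extra bit keeps the sign bit clear."""
    return _ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def constructed_sample_key() -> str:
    """Build a syntactically valid ssh-rsa public key line from made-up numbers."""
    modulus = int.from_bytes(hashlib.sha256(b"constructed sample").digest() * 8, "big") | 1
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed-sample"


SAMPLE_KEY_LINE = constructed_sample_key()

if __name__ == "__main__":
    for name, value in fingerprints(SAMPLE_KEY_LINE).items():
        print(name, value)
```
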


A.4 HTTPS certificate

Your web browser establishes the connection to the device using the HTTPS protocol. The prerequisite
is that you enable the HTTPS server function in the Device Security > Management Access > Server
dialog, HTTPS tab.

Note: Third-party software such as web browsers validate certificates based on criteria such as their
expiration date and current cryptographic parameter recommendations. Old certificates can cause
errors, for example, when they expire or cryptographic recommendations change. Upload your own,
up-to-date certificate or regenerate the certificate with the latest firmware to solve validation
conflicts with third-party software.

A.4.1 HTTPS certificate management


A standard certificate according to X.509/PEM (Public Key Infrastructure) is required for encryption. In
the default setting, a self-generated certificate is already present on the device.
■ Open the Device Security > Management Access > Server dialog, HTTPS tab.
  • To create an X.509/PEM certificate, in the Certificate frame, click the Create button.
  • To save the changes temporarily, click the button.
  • Restart the HTTPS server to activate the key. Restart the server using the Command Line
    Interface (CLI).

enable                        Change to the Privileged EXEC mode.
configure                     Change to the Configuration mode.
https certificate generate    Generate an HTTPS X.509/PEM certificate.
no https server               Disable the HTTPS function.
https server                  Enable the HTTPS function.

■ The device also enables you to upload an externally generated X.509/PEM standard certificate to
  the device:
  • Open the Device Security > Management Access > Server dialog, HTTPS tab.
  • If the certificate is located on your PC or on a network drive, drag and drop the certificate in
    the area. Alternatively click in the area to select the certificate.
  • Click the Start button to copy the certificate to the device.
  • To save the changes temporarily, click the button.

enable                             Change to the Privileged EXEC mode.
copy httpscert envm <file name>    Copy the HTTPS certificate from the external non-volatile memory device.
configure                          Change to the Configuration mode.
no https server                    Disable the HTTPS function.
https server                       Enable the HTTPS function.

Note: If you upload or create a certificate, be sure to reboot the device or the HTTPS server in order to
activate the certificate. Restart the server using the Command Line Interface (CLI).


A.4.2 Access through HTTPS


The default setting for the HTTPS data connection is TCP port 443. If you change the number of the HTTPS
port, reboot the device or the HTTPS server so that the change becomes effective.
Perform the following steps:
• Open the Device Security > Management Access > Server dialog, HTTPS tab.
• To enable the function, select the On radio button in the Operation frame.
• To access the device by HTTPS, enter HTTPS instead of HTTP in your browser, followed by
  the IP address of the device.

enable            Change to the Privileged EXEC mode.
configure         Change to the Configuration mode.
https port 443    Specifies the number of the TCP port on which the web server receives HTTPS requests from clients.
https server      Enable the HTTPS function.
show https        Displays the status of the HTTPS server and the port number.

If you make changes to the HTTPS port number, disable the HTTPS server and then enable it again in
order to make the changes effective.
The device uses the HTTPS protocol and establishes a new data connection. At the end of the session,
when the user logs out, the device terminates the data connection.


B Appendix


B.2 Maintenance

Hirschmann is continually working on improving and developing their software. Check regularly whether
there is an updated version of the software that provides you with additional benefits. You will find
information and software downloads on the Hirschmann product pages on the Internet
(www.hirschmann.com).


B.3 Management Information Base (MIB)

The Management Information Base (MIB) is designed in the form of an abstract tree structure.
The branching points are the object classes. The "leaves" of the MIB are called generic object classes.
If this is required for unique identification, the generic object classes are instantiated, that means the
abstract structure is mapped onto reality, by specifying the port or the source address.
Values (integers, time ticks, counters or octet strings) are assigned to these instances; these values can
be read and, in some cases, modified. The object description or object ID (OID) identifies the object
class. The subidentifier (SID) is used to instantiate them.
Example:
The generic object class hm2PSState (OID = 1.3.6.1.4.1.248.11.11.1.1.1.1.2) is the description
of the abstract information power supply status. However, it is not possible to read any value from
this, as the system does not know which power supply is meant.
Specifying the subidentifier 2 maps this abstract information onto reality (instantiates it), thus identifying
it as the operating status of power supply 2. A value is assigned to this instance and can be read. The
instance get 1.3.6.1.4.1.248.11.11.1.1.1.1.2.1 returns the response 1, which means that the
power supply is ready for operation.
Definition of the syntax terms used:
Integer            An integer in the range -2^31 to 2^31-1
IP address         xxx.xxx.xxx.xxx
                   (xxx = integer in the range 0..255)
MAC address        12-digit hexadecimal number in accordance with ISO/IEC 8802-3
Object Identifier  x.x.x.x… (for example 1.3.6.1.1.4.1.248...)
Octet String       ASCII character string
PSID               Power supply identifier (number of the power supply unit)
TimeTicks          Stopwatch, elapsed time = numerical value / 100 (in seconds)
                   numerical value = integer in the range 0 to 2^32-1
Timeout            Time value in hundredths of a second
                   time value = integer in the range 0 to 2^32-1
Type field         4-digit hexadecimal number in accordance with ISO/IEC 8802-3
Counter            Integer (0 to 2^32-1), whose value is increased by 1 when certain events occur.

1 iso
  3 org
    6 dod
      1 internet
        2 mgmt
          1 mib-2
            1 system
            2 interfaces
            3 at
            4 ip
            5 icmp
            6 tcp
            7 udp
            11 snmp
            16 rmon
            17 dot1dBridge
            26 snmpDot3MauMGT
        4 private
          1 enterprises
            248 hirschmann
              11 hm2Configuration
              12 hm2Platform5
        6 snmpV2
          3 modules
            10 Framework
            11 mpd
            12 Target
            13 Notification
            15 usm
            16 vacm

Figure 100: Tree structure of the Hirschmann MIB

A description of the MIB can be found on the product CD provided with the device.


B.4 List of RFCs

RFC 768 UDP


RFC 783 TFTP
RFC 791 IP
RFC 792 ICMP
RFC 793 TCP
RFC 826 ARP
RFC 854 Telnet
RFC 855 Telnet Option
RFC 951 BOOTP
RFC 1112 IGMPv1
RFC 1157 SNMPv1
RFC 1155 SMIv1
RFC 1212 Concise MIB Definitions
RFC 1213 MIB2
RFC 1493 Dot1d
RFC 1542 BOOTP-Extensions
RFC 1643 Ethernet-like -MIB
RFC 1757 RMON
RFC 1867 Form-Based File Upload in HTML
RFC 1901 Community based SNMP v2
RFC 1905 Protocol Operations for SNMP v2
RFC 1906 Transport Mappings for SNMP v2
RFC 1945 HTTP/1.0
RFC 2068 HTTP/1.1 protocol as updated by draft-ietf-http-v11-spec-rev-03
RFC 2131 DHCP
RFC 2132 DHCP-Options
RFC 2233 The Interfaces Group MIB using SMI v2
RFC 2236 IGMPv2
RFC 2246 The TLS Protocol, Version 1.0
RFC 2346 AES Ciphersuites for Transport Layer Security
RFC 2365 Administratively Scoped IP Multicast
RFC 2474 Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers
RFC 2475 An Architecture for Differentiated Service
RFC 2578 SMIv2
RFC 2579 Textual Conventions for SMI v2
RFC 2580 Conformance statements for SMI v2
RFC 2613 SMON
RFC 2618 RADIUS Authentication Client MIB
RFC 2620 RADIUS Accounting MIB
RFC 2674 Dot1p/Q
RFC 2818 HTTP over TLS
RFC 2851 Internet Addresses MIB
RFC 2863 The Interfaces Group MIB
RFC 2865 RADIUS Client
RFC 2866 RADIUS Accounting


RFC 2868 RADIUS Attributes for Tunnel Protocol Support


RFC 2869 RADIUS Extensions
RFC 2869bis RADIUS support for EAP
RFC 2933 IGMP MIB
RFC 3164 The BSD Syslog Protocol
RFC 3376 IGMPv3
RFC 3410 Introduction and Applicability Statements for Internet Standard Management Framework
RFC 3411 An Architecture for Describing Simple Network Management Protocol (SNMP) Management
Frameworks
RFC 3412 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
RFC 3413 Simple Network Management Protocol (SNMP) Applications
RFC 3414 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol
(SNMPv3)
RFC 3415 View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
RFC 3418 Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
RFC 3580 802.1X RADIUS Usage Guidelines
RFC 3584 Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network
Management Framework
RFC 3621 Power Ethernet MIB
RFC 4022 Management Information Base for the Transmission Control Protocol (TCP)
RFC 4113 Management Information Base for the User Datagram Protocol (UDP)
RFC 4188 Definitions of Managed Objects for Bridges
RFC 4251 SSH protocol architecture
RFC 4252 SSH authentication protocol
RFC 4253 SSH transport layer protocol
RFC 4254 SSH connection protocol
RFC 4293 Management Information Base for the Internet Protocol (IP)
RFC 4318 Definitions of Managed Objects for Bridges with Rapid Spanning Tree Protocol
RFC 4330 Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI
RFC 4363 Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering, and Virtual
LAN Extensions
RFC 4541 Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery
(MLD) Snooping Switches
RFC 4836 Definitions of Managed Objects for IEEE 802.3 Medium Attachment Units (MAUs)
RFC 5321 Simple Mail Transfer Protocol


B.5 Underlying IEEE Standards

IEEE 802.1AB Station and Media Access Control Connectivity Discovery


IEEE 802.1D MAC Bridges (switching function)
IEEE 802.1Q Virtual LANs (VLANs, MRP, Spanning Tree)
IEEE 802.1X Port Authentication
IEEE 802.3 Ethernet
IEEE 802.3ac VLAN Tagging
IEEE 802.3x Flow Control
IEEE 802.3af Power over Ethernet


B.6 Underlying IEC Norms

IEC 62439 High availability automation networks


MRP – Media Redundancy Protocol based on a ring topology


B.7 Underlying ANSI Norms

ANSI/TIA-1057 Link Layer Discovery Protocol for Media Endpoint Devices, April 2006


B.8 Technical Data

Switching
Size of the MAC address table (incl. static filters)                32768
Max. number of statically configured MAC address filters            100
Max. number of MAC address filters learnable through IGMP Snooping  1024
Max. number of MAC address entries (MMRP)                           512
Number of priority queues                                           8 Queues
Port priorities that can be set                                     0..7
MTU (max. length of over-long packets)                              12288 Bytes

VLAN
VLAN ID range                                                       1..4042
Number of VLANs                                                     max. 512 simultaneously per device
                                                                    max. 512 simultaneously per port

Access Control Lists (ACL)
Max. number of ACLs                                                 100
Max. number of rules per port                                       1023
Max. number of rules per ACL                                        1023
Number of total configurable rules                                  8184 (8x1023)
Max. number of VLAN assignments (in)                                24
Max. number of VLAN assignments (out)                               24
Max. number of rules which log an event                             8184 (8x1023)
Max. number of Ingress rules                                        1023
Max. number of Egress rules                                         1023


B.9 Copyright of integrated Software

The product contains, among other things, Open Source Software files developed by third parties and
licensed under an Open Source Software license.
You can find the license terms in the graphical user interface in the Help > Licenses dialog.


B.10 Abbreviations used

ACA AutoConfiguration Adapter


ACL Access Control List
BOOTP Bootstrap Protocol
CLI Command Line Interface
DHCP Dynamic Host Configuration Protocol
FDB Forwarding Database
GUI Graphical User Interface
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
ICMP Internet Control Message Protocol
IEEE Institute of Electrical and Electronics Engineers
IGMP Internet Group Management Protocol
IP Internet Protocol
LED Light Emitting Diode
LLDP Link Layer Discovery Protocol
MAC Media Access Control
MIB Management Information Base
MRP Media Redundancy Protocol
MSTP Multiple Spanning Tree Protocol
NMS Network Management System
NTP Network Time Protocol
PC Personal Computer
PTP Precision Time Protocol
QoS Quality of Service
RFC Request For Comment
RM Redundancy Manager
RSTP Rapid Spanning Tree Protocol
SCP Secure Copy
SFP Small Form-factor Pluggable
SFTP SSH File Transfer Protocol
SNMP Simple Network Management Protocol
SNTP Simple Network Time Protocol
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
TP Twisted Pair
UDP User Datagram Protocol
URL Uniform Resource Locator
UTC Coordinated Universal Time
VLAN Virtual Local Area Network

UM Config HiOS-2A GRS1040 359


Release 7.0 11/2017
Appendix
B.10 Abbreviations used

360 UM Config HiOS-2A GRS1040


Release 7.0 11/2017
Index

C Index

1 DHCP 29
802.1X 44 DHCP L2 Relay 287
DHCP server 108, 111, 334, 338
A Diameter (Spanning Tree) 178
Access roles 47 Differentiated services 140
Access security 82 DiffServ 129
ACA 64, 329, 329, 359 DiffServ Codepoint 140
Advanced Mode 167, 169 Disabled port 184
AF 140 DoS 97, 98
Aging time 123 DSCP 129, 137, 140
Alarm 232, 329
Alarm messages 230 E
Alarm setting 323 Edge port 184, 189
Alternate port 184, 190 EDS 311, 311
APNIC 30 EF 140
ARIN 30 Email notification 252
ARP 32 Engineering system 324
Assured Forwarding 140 Engineering Station 327
Authentication list 44 EtherNet/IP website 310
Automatic configuration 83 Event log 260
Expedited Forwarding 140
B
Backup port 184, 190 F
Bandwidth 143 Fast\ MRP 164
Best Master Clock algorithm 115 FAQ 365
Boundary clock (PTP) 114 First installation 29
BOOTP 29 Flow control 143
BPDU 179 FuseNet™ 200
BPDU guard 189, 190
Bridge Identifier 176 G
Bridge Protocol Data Unit 179 Gateway 31, 35
GARP 292
C Generic Ethernet Module 311
CA certificate 260 Generic object classes 350
CD-ROM 334, 338 GMRP 292
CIDR 33 Grandmaster (PTP) 115
CIP 310 GSD 323, 324
Classless inter domain routing 33 GSDML 321
Class Selector 140 GSD file 324
Closed circuit 239
Command line interface 19 H
Common Industrial Protocol 310 HaneWin 334, 338
Compatibility (STP) 187 Hardware reset 230
Configuration file 40 HiDiscovery 29, 34, 36, 38, 87, 92, 236, 262, 309
Configuration modifications 230 HIPER-Ring 198
Conformity class 321 Host address 31

D I
Data traffic 97 IANA 30
Daylight saving time 109 IAS 44
Delay measurement (PTP) 116 Icon 323
Delay time (MRP) 167 IEC 61850 302
Delay (PTP) 116 IEEE 802.1X 44
Denial of service 98 IEEE MAC Adresse 249
Denial of Service 97 IGMP snooping 123, 123, 310
Designated bridge 184 Industrial HiVision 11, 40, 57
Designated port 184, 189 Instantiation 350
Destination table 230 Integrated authentication server 44
Device description language 321 IP address 30, 35, 40
Device status 233 IP header 129, 132, 140

UM Config HiOS-2A GRS1040 361


Release 7.0 11/2017
Index

ISO/OSI layer model 32

L
LACNIC 30
LDAP 44
Leave message 123
Link Aggregation 164
Link monitoring 233, 239
Login page 18
Loops 215, 216, 219, 221
Loop guard 190, 191

M
Mail notification 252
MaxAge 178
MAC address filter 120
MAC destination address 32
Memory (RAM) 63
Message 230
MMS 302
Mode 83
Module properties 325
MRP 163, 164, 166, 167
MRP over LAG 172
Multicast 123

N
Netmask 31, 35
Network load 175, 176
Network management 40
Network management station 327
Non-volatile memory (NVM) 63
NVM (non-volatile memory) 63

O
Object classes 350
Object description 350
Object ID 350
ODVA 310
ODVA website 310
OpenSSH-Suite 23
Operation monitoring 239
Option 82 338
Ordinary clock (PTP) 115

P
Password 21, 23, 25
Path costs 177, 179
PC Worx 324
PHB 140
Polling 230
Port Identifier 176, 177
Port mirroring 264
Port number 177
Port priority 136
Port priority (Spanning Tree) 177
Port roles (RSTP) 184
Port State 185
Precedence 140
Primary ring (RCP) 223
Priority 131
Priority queue 132
Priority tagged frames 131
Protection functions (guards) 189
PROFIBUS Organization 321
PTP 107
PTP domain 116
PuTTY 19

Q
QoS 130
Query 123

R
Rapid Spanning Tree 163, 163, 164, 184
RADIUS 44
RAM (memory) 63
RCP 164, 223
Real time 129
Reconfiguration 176
Reconfiguration time (MRP) 167
Record 326, 329
Redundancy 175
Redundant Coupling Protocol 223
Reference time source 108, 111, 115
Relay contact 239
Remote diagnostics 239
Report 257
Report message 123
Request Packet Interval 311
RFC 352
Ring 166, 172
Ring manager 166
Ring Manager 172
Ring/Network coupling 164
RIPE NCC 30
RMON probe 264
RM function 166, 172
Root Bridge 179
Root guard 189, 191
Root path 181, 182
Root port 184, 190
Root Path Cost 176
Router 31
Routing Function 311
RPI 311
RSTP 187
RST BPDU 184, 186
RS Who 311

S
Secondary ring (RCP) 223
Secure shell 19, 22
Secure shell 19
Segmentation 230
Service 257
Service Shell Reactivation 60
Setting the time 108
SFP module 248
Signal contact 239
Simatic S7 324
SNMP 230
SNMP trap 230, 232
SNTP 107
Software version 75
SSH 19, 19, 22
STP compatibility 187
STP-BPDU 179
Starting the graphical user interface 18


Store-and-forward 120
Strict Priority 132
Subidentifier 350
Subnet 35
Subring 164, 201
Sub-ring Manager 208
Sub-ring Redundant Manager 207
Symbol 311, 311, 324
Syslog over TLS 260
System requirements (GUI) 18

T
TCN guard 189, 191
TCP/IP 310, 321
Technical questions 365
Threshold value 323
Topology Change flag 189
ToS 129, 132, 140
Traffic class 132, 137
Traffic shaping 138
Training courses 365
Transmission reliability 230
Transparent clock (PTP) 115
Trap 230, 232
Trap destination table 230
Tree structure (Spanning Tree) 179, 183
Two-Switch coupling, Primary device 214
Two-Switch coupling, Stand-by device 216
Type of Service 132

U
UDP/IP 310, 321
Update 26
User name 21, 23, 25

V
Video 132
VLAN 145
VLAN priority 136
VLAN tag 131, 145
VLAN (HIPER-Ring) 198
VoIP 132
VT100 24
V.24 19, 24

W
Weighted Fair Queuing 133
Weighted Round Robin 133


D Further support

Technical questions
For technical questions, please contact any Hirschmann dealer in your area or Hirschmann directly.
You can find the addresses of our partners on the Internet at http://www.hirschmann.com.
A list of local telephone numbers and email addresses for technical support directly from Hirschmann is
available at https://hirschmann-support.belden.eu.com.
This site also includes a free-of-charge knowledge base and a software download section.

Hirschmann Competence Center


The Hirschmann Competence Center is ahead of its competitors on three counts with its complete range
of innovative services:
• Consulting incorporates comprehensive technical advice, from system evaluation through network
  planning to project planning.
• Training offers you an introduction to the basics, product briefing and user training with certification.
  You can find the training courses on technology and products currently available at
  http://www.hicomcenter.com.
• Support ranges from the first installation through the standby service to maintenance concepts.
With the Hirschmann Competence Center, you have decided against making any compromises. Our
client-customized package leaves you free to choose the service components you want to use.
Internet:
http://www.hicomcenter.com


E Readers’ Comments

What is your opinion of this manual? We are constantly striving to provide as comprehensive a
description of our product as possible, as well as important information to assist you in the operation of
this product. Your comments and suggestions help us to further improve the quality of our
documentation.

Your assessment of this manual:

                      Very Good   Good   Satisfactory   Mediocre   Poor
Precise description       O        O          O            O        O
Readability               O        O          O            O        O
Understandability         O        O          O            O        O
Examples                  O        O          O            O        O
Structure                 O        O          O            O        O
Comprehensive             O        O          O            O        O
Graphics                  O        O          O            O        O
Drawings                  O        O          O            O        O
Tables                    O        O          O            O        O

Did you discover any errors in this manual?


If so, on what page?

Suggestions for improvement and additional information:

General comments:


Sender:

Company / Department:

Name / Telephone number:

Street:

Zip code / City:

E-mail:

Date / Signature:

Dear User,
Please fill out and return this page
• as a fax to the number +49 (0)7127/14-1600 or
• by mail to
Hirschmann Automation and Control GmbH
Department 01RD-NT
Stuttgarter Str. 45-51
72654 Neckartenzlingen
