ManualCollection GRS1040 HiOS-2A-07000 en
Reference Manuals
Graphical User Interface
Command Line Interface
User Manual
Configuration
Reference Manual
Graphical User Interface
HiOS-2A GRS1040 (Greyhound Switch)
Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into
any electronic medium or machine scannable form is not permitted, either in whole or in part. An exception is the preparation
of a backup copy of the software for your own use.
The performance features described here are binding only if they have been expressly agreed when the contract was made.
This document was produced by Hirschmann Automation and Control GmbH according to the best of the company's
knowledge. Hirschmann reserves the right to change the contents of this document without prior notice. Hirschmann can give
no guarantee in respect of the correctness or accuracy of the information in this document.
Hirschmann can accept no responsibility for damages, resulting from the use of the network components or the associated
operating software. In addition, we refer to the conditions of use specified in the license contract.
You can get the latest version of this manual on the Internet at the Hirschmann product site (www.hirschmann.com).
Contents
Safety instructions 9
Key 13
1 Basic Settings 19
1.1 System 20
1.2 Modules 24
1.3 Network 26
1.4 Out of Band 29
1.5 Software 31
1.6 Load/Save 33
1.7 External Memory 42
1.8 Port 44
Configuration 45
Statistics 49
Utilization 51
1.9 Power over Ethernet 52
1.9.1 PoE Global 53
1.9.2 PoE Port 55
1.10 Restart 57
2 Time 59
2.1 Basic Settings 60
Global 61
Daylight saving time 62
2.2 SNTP 65
2.2.1 SNTP Client 66
2.2.2 SNTP Server 69
2.3 PTP 71
2.3.1 PTP Global 72
2.3.2 PTP Boundary Clock 74
2.3.2.1 PTP Boundary Clock Global 75
2.3.2.2 PTP Boundary Clock Port 78
2.3.3 PTP Transparent Clock 81
2.3.3.1 PTP Transparent Clock Global 82
2.3.3.2 PTP Transparent Clock Port 85
3 Device Security 87
5 Switching 191
5.1 Switching Global 192
5.2 Rate Limiter 194
5.3 Filter for MAC Addresses 196
5.4 IGMP Snooping 198
5.4.1 IGMP Snooping Global 199
5.4.2 IGMP Snooping Configuration 200
VLAN ID 201
Port 202
5.4.3 IGMP Snooping Enhancements 204
Wizard : Selection VLAN/Port 206
5.4.4 IGMP Snooping Querier 207
5.4.5 IGMP Snooping Multicasts 209
5.5 MRP-IEEE 210
5.5.1 MRP-IEEE Configuration 211
5.5.2 MRP-IEEE Multiple MAC Registration Protocol 212
Configuration 213
Service requirement 215
Statistics 216
5.5.3 MRP-IEEE Multiple VLAN Registration Protocol 217
Configuration 218
Statistics 220
5.6 GARP 221
5.6.1 GMRP 222
5.6.2 GVRP 224
5.7 QoS/Priority 225
5.7.1 QoS/Priority Global 226
5.7.2 QoS/Priority Port Configuration 227
5.7.3 802.1D/p Mapping 228
5.7.4 IP DSCP Mapping 229
5.7.5 Queue Management 231
5.7.6 DiffServ 233
5.7.6.1 DiffServ Overview 234
5.7.6.2 DiffServ Global 235
5.7.6.3 DiffServ Class 236
5.7.6.4 DiffServ Policy 241
5.7.6.5 DiffServ Assignment 247
5.8 VLAN 249
5.8.1 VLAN Global 250
5.8.2 VLAN Configuration 251
5.8.3 VLAN Port 253
5.8.4 VLAN Voice 254
5.8.5 MAC Based VLAN 256
5.8.6 Subnet Based VLAN 257
5.8.7 Protocol Based VLAN 258
5.9 L2-Redundancy 259
5.9.1 MRP 260
5.9.2 HIPER Ring 263
5.9.3 Spanning Tree 265
5.9.3.1 Spanning Tree Global 266
5.9.3.2 Spanning Tree MSTP 271
5.9.3.3 Spanning Tree Port 274
CIST 275
Guards 278
MSTI <MSTI> 280
5.9.4 Link Aggregation 282
5.9.5 Link Backup 288
5.9.6 FuseNet ™ 290
5.9.6.1 Sub Ring 291
5.9.6.2 Ring/Network Coupling 294
5.9.6.3 Redundant Coupling Protocol 300
6 Diagnostics 303
7 Advanced 393
7.1 DHCP L2 Relay 394
7.1.1 DHCP L2 Relay Configuration 395
Interface 396
VLAN ID 397
7.1.2 DHCP L2 Relay Statistics 398
7.2 DHCP Server 399
7.2.1 DHCP Server Global 400
7.2.2 DHCP Server Pool 401
7.2.3 DHCP Server Lease Table 404
7.3 DNS 405
7.3.1 DNS Client 406
7.3.1.1 DNS Client Global 407
7.3.1.2 DNS Client Current 408
7.3.1.3 DNS Client Static 409
7.3.1.4 DNS Client Static Hosts 411
7.4 Industrial Protocols 412
7.4.1 IEC61850-MMS 413
7.4.2 Modbus TCP 415
7.4.3 PROFINET 417
7.4.4 EtherNet/IP 419
A Index 421
Safety instructions
WARNING
UNCONTROLLED MACHINE ACTIONS
To avoid uncontrolled machine actions caused by data loss, configure all the data transmission
devices individually.
Before you start any machine which is controlled via data transmission, be sure to complete the
configuration of all data transmission devices.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
The “Installation” user manual contains a device description, safety instructions, a description of the
display, and the other information that you need to install the device.
The “Configuration” user manual contains the information you need to start operating the device. It takes
you step by step from the first startup operation through to the basic settings for operation in your
environment.
The “Graphical User Interface” reference manual contains detailed information on using the graphical
user interface to operate the individual functions of the device.
The “Command Line Interface” reference manual contains detailed information on using the Command
Line Interface to operate the individual functions of the device.
The Industrial HiVision Network Management software provides you with additional options for smooth
configuration and monitoring:
Auto-topology discovery
Browser interface
Client/server structure
Event handling
Event log
Simultaneous configuration of multiple devices
Graphical user interface with network layout
SNMP/OPC gateway
Key
Navigation area
The Navigation area is located on the left side of the graphical user interface.
The Navigation area contains the following elements:
Toolbar
Filter
Menu
You have the option of collapsing the entire Navigation area, for example when displaying the graphical
user interface on small screens. To collapse or expand, you click the small arrow at the top of the
navigation area.
Toolbar
The toolbar at the top of the navigation area contains several buttons.
– When you position the mouse pointer over a button, a tooltip displays further information.
– If the connection to the device is lost, the toolbar is grayed out.
Button Meaning
The device automatically refreshes the toolbar information every 5 seconds.
Clicking the button refreshes the toolbar manually.
When you position the mouse pointer over the button, a tooltip displays the following information:
User:
Name of the logged in user
Device name:
Name of the device
Clicking the button opens the Device Security > User Management dialog.
When you position the mouse pointer over the button, a tooltip displays the summary of the
Diagnostics > System > Configuration Check dialog.
Clicking the button opens the Diagnostics > System > Configuration Check dialog.
Clicking the button logs out the current user and displays the login page.
Displays the remaining time in seconds until the device automatically logs out an inactive user.
Clicking the button opens the Device Security > Management Access > Web dialog. There you
can specify the timeout.
This button is visible if the configuration profile in the volatile memory (RAM ) differs from the
"Selected" configuration profile in the non-volatile memory (NVM ). Otherwise, the button is hidden.
Clicking the button opens the Basic Settings > Load/Save dialog.
By right-clicking the button you can save the current settings in the non-volatile memory (NVM ).
When you position the mouse pointer over the button, a tooltip displays the following information:
Device Status: This section displays a compressed view of the Device status frame in
the Basic Settings > System dialog. The section displays the alarm that is currently active
and whose occurrence was recorded first.
Security Status: This section displays a compressed view of the Security status
frame in the Basic Settings > System dialog. The section displays the alarm that is currently
active and whose occurrence was recorded first.
Boot Parameter: If you permanently save changes to the settings and at least one boot
parameter differs from the configuration profile used during the last restart, then this section
displays a note.
The following settings cause the boot parameters to change:
– Basic Settings > External Memory dialog, Software auto update parameter
– Basic Settings > External Memory dialog, Config priority parameter
– Device Security > Management Access > Server dialog, SNMP tab, UDP port
parameter
– Diagnostics > System > Selftest dialog, RAM test parameter
– Diagnostics > System > Selftest dialog, SysMon1 is available parameter
– Diagnostics > System > Selftest dialog, Load default config on error parameter
Clicking the button opens the Diagnostics > Status Configuration > Device Status dialog.
Filter
The filter enables you to reduce the number of menu items in the menu. When filtering, the menu
displays only menu items matching the search string entered in the filter field.
Menu
The menu displays the menu items.
You have the option of filtering the menu items. See section “Filter”.
To display the corresponding dialog in the dialog area, you click the desired menu item. If the
selected menu item is a node containing sub-items, then the node expands or collapses while
clicking. The dialog area keeps the previously displayed dialog.
You have the option of expanding or collapsing every node in the menu at the same time. When you
right-click anywhere in the menu, a context menu displays the following entries:
Expand
Expands every node in the menu at the same time. The menu displays the menu items for every
level.
Collapse
Collapses every node in the menu at the same time. The menu displays the top level menu items.
Dialog area
The Dialog area is located on the right side of the graphical user interface. When you click a menu item
in the Navigation area, the Dialog area displays the corresponding dialog.
To update the display in the dialog, click the button. Unsaved information in the dialog is lost.
To transfer the changed settings to the volatile memory (RAM ) of the device, click the button.
To keep the changed settings, even after restarting the device, proceed as follows:
Open the Basic Settings > Load/Save dialog.
In the table, highlight the desired configuration profile.
If in the Selected column the checkbox is unmarked, click the button and then the Select
item.
Click the button and then the Save item.
Note: Unintentional changes to the settings may terminate the connection between your PC and the
device. To keep the device accessible, enable the Undo configuration modifications function
in the Basic Settings > Load/Save dialog, before changing any settings. Using the function, the
device continuously checks whether it can still be reached from the IP address of the user’s PC. If
the connection is lost, the device loads the configuration profile saved in the non-volatile memory
(NVM ) after the specified time. Afterwards, the device can be accessed again.
Columns
Displays or hides columns.
You recognize hidden columns by an unmarked checkbox in the drop-down list.
Filters
The table only displays the entries whose content matches the specified filter criteria of the
selected column.
You recognize filtered table entries by an emphasized column header.
You have the option of selecting multiple table entries simultaneously and subsequently applying an
action to them. This is useful when you are going to remove multiple table entries at the same time.
Select several consecutive table entries:
Click the first desired table entry to highlight it.
Press and hold the <SHIFT> key.
Click the last desired table entry to highlight every desired table entry.
Select multiple individual table entries:
Click the first desired table entry to highlight it.
Press and hold the <CTRL> key.
Click the next desired table entry to highlight it.
Repeat until every desired table entry is highlighted.
Buttons
Here you find the description of the standard buttons. The special dialog-specific buttons are described
in the corresponding dialog help text.
Button Meaning
Transfers the changes to the volatile memory (RAM ) of the device and applies them to the device.
To save the changes in the non-volatile memory, proceed as follows:
Open the Basic Settings > Load/Save dialog.
In the table, highlight the desired configuration profile.
If in the Selected column the checkbox is unmarked, click the button and then the
Select item.
Click the button and then the Save item.
Updates the fields with the values that are saved in the volatile memory (RAM ) of the device.
1 Basic Settings
1.1 System
Device status
The fields in this frame display the device status and inform you about alarms that have occurred.
When an alarm currently exists, the frame is highlighted.
You specify the parameters that the device monitors in the Diagnostics > Status
Configuration > Device Status dialog.
Parameters Meaning
Alarm counter Displays the number of currently existing alarms.
The icon is visible if there is at least one currently existing alarm.
When you position the mouse pointer over the icon, a tooltip displays the cause of the currently
existing alarms and the time at which the device triggered the alarm.
The device triggers an alarm if a monitored parameter differs from the desired status. The
Diagnostics > Status Configuration > Device Status dialog, Status tab displays an
overview of the alarms.
Note: The device reports an alarm if you connect only one supply voltage to a device with a redundant
power supply unit. To avoid this alarm, deactivate the monitoring of the missing power supply unit in the
Diagnostics > Status Configuration > Device Status dialog.
Security status
The fields in this frame display the security status and inform you about alarms that have occurred.
When an alarm currently exists, the frame is highlighted.
You specify the parameters that the device monitors in the Diagnostics > Status
Configuration > Security Status dialog.
Parameters Meaning
Alarm counter Displays the number of currently existing alarms.
The icon is visible if there is at least one currently existing alarm.
When you position the mouse pointer over the icon, a tooltip displays the cause of the currently
existing alarms and the time at which the device triggered the alarm.
The device triggers an alarm if a monitored parameter differs from the desired status. The
Diagnostics > Status Configuration > Security Status dialog, Status tab displays an
overview of the alarms.
System data
The fields in this frame display operating data and information on the location of the device.
Parameters Meaning
System name Specifies the name for which the device is known in the network.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
The following characters are allowed:
– 0..9
– a..z
– A..Z
– !#$%&'()*+,-./:;<=>?@[\]^_`{}~
– <device name>-<MAC address> (default setting)
When creating HTTPS X.509 certificates, the application generating the certificate uses the
specified value as the domain name and common name.
The following functions use the specified value as a host name or FQDN (Fully Qualified Domain
Name). For compatibility, it is recommended to use only lowercase letters, since not every system
compares the case in the FQDN. Verify that this name is unique in the whole network.
DHCP client
Syslog
IEC61850-MMS
PROFINET
Note: For compatibility in PROFINET environments, specify the PROFINET device name. In
PROFINET the name is limited to a maximum of 240 characters. Do not begin the name with a
number. Programs read the device name using SNMP and PROFINET DCP.
Location Specifies the location of the device.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
Contact person Specifies the contact person for this device.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
Device type Displays the product name of the basic device.
Power supply 1, Power supply 2 Displays the status of the power supply unit on the relevant voltage supply connection.
Possible values:
present
defective
notInstalled
unknown
When you position the mouse pointer over the field, a tooltip displays the serial number and the
product code of the power supply.
Uptime Displays the time that has elapsed since this device was last restarted.
Possible values:
Time in the format day(s), ...h ...m ...s
Temperature [°C] Displays the current temperature in the device in °C.
You activate the monitoring of the temperature thresholds in the Diagnostics > Status
Configuration > Device Status dialog.
Upper temp. limit [°C] Specifies the upper temperature threshold in °C.
The “Installation” user manual contains detailed information about setting the temperature
thresholds.
Possible values:
-99..99 (integer)
If the temperature in the device exceeds this value, the device generates an alarm.
Lower temp. limit [°C] Specifies the lower temperature threshold in °C.
The “Installation” user manual contains detailed information about setting the temperature
thresholds.
Possible values:
-99..99 (integer)
If the temperature in the device falls below this value, the device generates an alarm.
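An added example that is not part of the manual: a Python check that applies the System name rules of this frame before the name is committed, namely the allowed ASCII character set and the 0..255 length, the recommendation to use only lowercase letters because the name is reused as host name or FQDN by the DHCP client, Syslog, IEC61850-MMS and PROFINET, uniqueness in the network (checked here case-insensitively against a caller-supplied inventory, which is an assumption of the example), and the PROFINET limits of 240 characters and no leading digit. The function name and the inventory list are assumptions; the manual prescribes the rules, not this code.

```python
import re

# Characters the System name may contain, as listed in the System data frame:
# 0..9, a..z, A..Z and !#$%&'()*+,-./:;<=>?@[\]^_`{}~  (ASCII only).
ALLOWED_NAME = re.compile(r"^[0-9A-Za-z!#$%&'()*+,\-./:;<=>?@\[\\\]^_`{}~]*$")

MAX_LEN = 255           # System name length limit from the manual
PROFINET_MAX_LEN = 240  # PROFINET device name limit from the manual


def check_system_name(name, inventory=(), profinet=False):
    """Return a list of findings for a proposed System name.

    name:      the value to be written into the System name field
    inventory: names already used by other devices (constructed input supplied
               by the caller; the manual only asks that the name be unique)
    profinet:  also apply the PROFINET device name restrictions
    Findings starting with "error:" mean the name should not be used;
    "warning:" marks the lowercase recommendation only.
    """
    findings = []
    if len(name) > MAX_LEN:
        findings.append(f"error: longer than {MAX_LEN} characters")
    if not ALLOWED_NAME.match(name):
        findings.append("error: contains characters outside the allowed set")
    if name != name.lower():
        # The name is reused as host name / FQDN; not every system compares case.
        findings.append("warning: contains upper-case letters; use lowercase for FQDN compatibility")
    # Uniqueness is checked case-insensitively for the same reason (assumption of this example).
    if name and name.lower() in {n.lower() for n in inventory}:
        findings.append("error: not unique in the network")
    if profinet:
        if len(name) > PROFINET_MAX_LEN:
            findings.append(f"error: PROFINET limits the name to {PROFINET_MAX_LEN} characters")
        if name[:1].isdigit():
            findings.append("error: PROFINET name must not begin with a number")
    return findings


if __name__ == "__main__":
    # Constructed sample: a name with a space and upper-case letters, checked
    # against an inventory of two other constructed device names.
    for finding in check_system_name("Switch 01", inventory=["grs1040-a", "grs1040-b"], profinet=True):
        print(finding)
```

Run the check against the same inventory you would use for SNMP sysName or PROFINET DCP discovery; because the name also becomes the common name of generated HTTPS certificates, settle it before the certificate is created.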
LED status
This frame displays the states of the device status LEDs at the time of the last update. The
“Installation” user manual contains detailed information about the device status LEDs.
There is currently at least one device status alarm. Therefore, see the Device status
frame above.
Power Device variant with 2 power supply units:
Only one supply voltage is active.
Device variant with 1 power supply unit:
The supply voltage is active.
Device variant with 2 power supply units:
Both supply voltages are active.
RM The device is neither operating as a MRP ring manager nor as a DLR supervisor.
Port status
This frame displays a simplified view of the ports of the device at the time of the last update.
The icons represent the status of the individual ports. In some situations, the following icons interfere
with one another. When you position the mouse pointer over the appropriate port icon, a tooltip
displays a detailed information about the port state.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
1.2 Modules
The device offers you the possibility of inserting or removing the modules during operation (hot plug).
To deny network access, disable a slot. On a disabled slot, a module is still recognized and port
configuration is possible. However, the module establishes no network connections as long as the slot
is disabled.
As long as the Module status column displays the value configurable, you can configure the module
and save its settings.
If you replace the module with an identical module, then the device applies the settings to the new
module immediately.
If you replace the module with a different type of module, then the device applies the factory settings
to the new module.
If you plug a module into an empty slot, then the device configures the module with its default
settings. If the slot is inactive, then it remains inactive until you mark the checkbox in the Active
column. Note that a module in an active slot runs with the port default settings and therefore has
access to the network.
Table
Parameters Meaning
Module Displays the number of the slot to which the entry refers.
Active Activates/deactivates the slot.
Possible values:
marked (default setting)
The slot is active. The device recognizes a module installed in this slot.
unmarked
The slot is inactive.
Type Displays the type of module installed in the slot.
A value of n/a indicates that the slot is empty.
Description Specifies a short description of the installed module.
Version Displays the module version.
Ports Displays how many ports are available on the module.
Serial number Displays the serial number of the module.
A value of n/a indicates that the slot is empty.
Module status Displays the status of the slot.
Possible values:
physical
Indicates that a module is present and active in the slot.
configurable
Indicates that the slot is empty and available for configuration.
remove
Indicates that the slot is empty and deactivated.
fix
Indicates that the module cannot be removed.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
1.3 Network
This dialog allows you to specify the IP, VLAN and HiDiscovery settings required for the access to the
device management through the network.
Management interface
This frame allows you to specify the following settings:
The source from which the device management receives its IP parameters
VLAN in which the management can be accessed
Parameters Meaning
IP address assignment Specifies the source from which the device receives its IP parameters after starting:
Possible values:
Local
The device uses the IP parameters from the internal memory. You specify the settings for this
in the IP parameter frame.
BOOTP
The device receives its IP parameters from a BOOTP or DHCP server.
The server evaluates the MAC address of the device, then assigns the IP parameters.
DHCP (default setting)
The device receives its IP parameters from a DHCP server.
The server evaluates the MAC address, the DHCP name, or other parameters of the device,
then assigns the IP parameters.
If the server also provides the addresses of DNS servers, the device displays these addresses
in the Advanced > DNS > Client > Current dialog.
Note: If there is no response from the BOOTP or DHCP server, the device sets the IP address to
0.0.0.0 and makes another attempt to obtain a valid IP address.
VLAN ID Specifies the VLAN in which the device management is accessible through the network. The
device management is accessible through ports that are members of this VLAN.
Possible values:
1..4042 (default setting: 1)
The prerequisite is that the VLAN is already configured. See the Switching > VLAN >
Configuration dialog.
When you click the button after changing the value, the Information window opens. Select
the port through which you will connect to the device in the future. After clicking the Ok button, the
device assigns the new management VLAN settings to the port:
– After that the port is a member of the VLAN and transmits the data packets without a VLAN tag
(untagged). See the Switching > VLAN > Configuration dialog.
– The device assigns the port VLAN ID of the management VLAN to the port. See the
Switching > VLAN > Port dialog.
After a short time the device is reachable over the new port in the new management VLAN.
MAC address Displays the MAC address of the device. The device management is accessible via the network
using the MAC address.
BOOTP/DHCP
Parameters Meaning
Client ID Displays the DHCP client ID that the device sends to the BOOTP or DHCP server. If the server is
configured accordingly, it reserves an IP address for this DHCP client ID. Therefore, the device
receives the same IP from the server every time it requests it.
The DHCP client ID that the device sends is the device name specified in the System name field
in the Basic Settings > System dialog.
HiDiscovery
Parameters Meaning
Operation Enables/disables the HiDiscovery function on the device.
Possible values:
On (default setting)
HiDiscovery is enabled.
You can use the HiDiscovery software to access the device from your PC.
Off
HiDiscovery is disabled.
Access Enables/disables the write access to the device using HiDiscovery.
Possible values:
readWrite (default setting)
The HiDiscovery software is given write access to the device.
With this setting you can change the IP parameters in the device.
readOnly
The HiDiscovery software is given read-only access to the device.
With this setting you can view the IP parameters in the device.
Recommendation: Change the setting to readOnly only after you have put the device into operation.
With readOnly, the HiDiscovery software can still display the IP parameters but can no longer change
them from the network.
Signal Activates/deactivates the flashing of the port LEDs as does the function of the same name in the
HiDiscovery software. The function allows you to identify the device in the field.
Possible values:
marked
The flashing of the port LEDs is active.
The port LEDs flash until you disable the function again.
unmarked (default setting)
The flashing of the port LEDs is inactive.
Note: With the HiDiscovery software you access the device through ports that are members of the
same VLAN as the device management exclusively. You specify which VLAN a certain port is
assigned to in the Switching > VLAN > Configuration dialog.
IP parameter
This frame allows you to assign the IP parameters manually. These fields can be edited if you have
selected the Local radio button in the Management interface frame, IP address assignment
option list.
Parameters Meaning
IP address Specifies the IP address under which the device management can be accessed through the
network.
Possible values:
Valid IPv4 address
Netmask Specifies the netmask.
The netmask identifies the network prefix and the host address of the device in the IP address.
Possible values:
Valid IPv4 netmask
Gateway address Specifies the IP address of a router through which the device accesses other devices outside its
own network.
Possible values:
Valid IPv4 address
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
1.4 Out of Band
This dialog allows you to specify the IP address, subnet mask and the IP address assignment method
for accessing the device management through the Out of Band management port.
The Out of Band management port allows you to manage the device and upload configurations using the
following protocols:
SNMP
SSH
Telnet
FTP
SCP
Web Browser
Operation
Parameters Meaning
Operation Enables/disables the Out of Band management port.
Possible values:
On (default setting)
The management port is enabled.
Off
The management port is disabled.
Management interface
Parameters Meaning
IP address assignment Specifies the source from which the device receives its IP parameters after starting:
Possible values:
Local (default setting)
The device uses the IP parameters from the internal memory.
You specify the settings for this in the IP parameter frame.
DHCP
The device receives its IP parameters from a DHCP server.
The server evaluates the MAC address, the DHCP name, or other parameters of the device,
then assigns the IP parameters.
If the server also provides the addresses of DNS servers, the device displays these addresses
in the Advanced > DNS > Client > Current dialog.
Note: If there is no response from the DHCP server, the device sets the IP address to 0.0.0.0
and makes another attempt to obtain a valid IP address.
MAC address Displays the MAC address of the Out of Band port on the device. This MAC address is different
from the network management MAC address.
Status Displays the status of the Out of Band port.
IP parameter
Parameters Meaning
IP address Specifies the IP address under which the device management can be accessed using the Out of
Band management port.
Possible values:
Valid IPv4 address
(default setting: 192.168.1.1)
Netmask Specifies the netmask. The netmask identifies the network prefix and the host address of the
device in the IP address.
Note: Verify that the IP subnet of the Out of Band management port does not overlap with the subnet
of the in-band management interface or with any router interface subnet.
Possible values:
Valid IPv4 netmask
(default setting: 255.255.255.0)
Gateway address Specifies the IP address of a router through which the device accesses other devices outside its
own network.
Possible values:
Valid IPv4 address
(default setting: 0.0.0.0)
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
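A check for the note on the Out of Band subnet above, written as an added example for this page (it is not Hirschmann code and uses no device API): it takes the Out of Band IP parameters, the in-band management interface and optional router interface subnets in the address/netmask form the IP parameter frames use, and reports any overlap on the network prefix rather than comparing netmasks literally. The optional gateway check (a non-default gateway must lie inside the Out of Band subnet) is an addition of this example, not a rule stated in the manual. The interface values in the demo are constructed.

```python
import ipaddress


def oob_subnet_conflicts(oob, inband, router_interfaces=(), gateway=None):
    """Report subnets that overlap the Out of Band management subnet.

    oob, inband, router_interfaces: 'address/netmask' or 'address/prefix'
    strings as entered in the IP parameter frames, e.g. the Out of Band
    default '192.168.1.1/255.255.255.0'.
    gateway: Out of Band gateway address; 0.0.0.0 (the default) means none.
    Overlap is decided on the network prefix, so two interfaces with the same
    netmask but different networks do not conflict, while nested networks
    (a /16 containing a /24) do.
    """
    oob_net = ipaddress.ip_interface(oob).network
    findings = []
    others = [("management interface", inband)]
    others += [(f"router interface {i + 1}", spec) for i, spec in enumerate(router_interfaces)]
    for label, spec in others:
        net = ipaddress.ip_interface(spec).network
        if net.overlaps(oob_net):
            findings.append(f"{label} subnet {net} overlaps Out of Band subnet {oob_net}")
    # Added check, not a rule from the manual: a non-default gateway must be
    # reachable inside the Out of Band subnet.
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if not gw.is_unspecified and gw not in oob_net:
            findings.append(f"gateway {gw} is outside Out of Band subnet {oob_net}")
    return findings


if __name__ == "__main__":
    # Constructed sample values: Out of Band defaults against an in-band
    # management address in the same /24.
    for finding in oob_subnet_conflicts("192.168.1.1/255.255.255.0", "192.168.1.50/255.255.255.0"):
        print(finding)
```

Run it with the Out of Band defaults before enabling the port: with the in-band management in 192.168.1.0/24 the device would have two interfaces in one subnet, and the function reports the overlap.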
1.5 Software
This dialog allows you to update the device software and display information about the device software.
You also have the option to restore a backup of the device software saved in the device.
Note: Before updating the device software, follow the version-specific notes in the Readme text file.
Version
Parameters Meaning
Stored version Displays the version number and creation date of the device software stored in the flash memory.
The device loads the device software during the next restart.
Running version Displays the version number and creation date of the device software that the device loaded
during the last restart and is currently running.
Backup version Displays the version number and creation date of the device software saved as a backup in the
flash memory. The device copied this device software into the backup memory during the last
software update or after you clicked the Restore button.
Restore Restores the device software saved as a backup. In the process, the device changes the Stored
version and the Backup version of the device software.
Upon restart, the device loads the Stored version .
Bootcode Displays the version number and creation date of the boot code.
Software update
Parameters Meaning
URL Specifies the path and the file name of the image file with which you update the device software.
The device gives you the following options for updating the device software:
Software update from the PC
If the file is located on your PC or on a network drive, drag and drop the file in the area.
Alternatively click in the area to select the file.
Software update from an FTP server
If the file is located on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
Software update from a TFTP server
If the file is located on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
Software update from an SCP or SFTP server
If the file is located on an SCP or SFTP server, specify the URL for the file in one of the
following forms:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you
enter User name and Password , to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start Updates the device software.
The device installs the selected file in the flash memory, replacing the previously saved device
software. Upon restart, the device loads the installed device software.
The device copies the existing software into the backup memory.
To remain logged in to the device during the software update, move the mouse pointer
occasionally. Alternatively, specify a sufficiently high value in the Device Security >
Management Access > Web dialog, field Web interface session timeout [min] before the
software update.
Alternatively, the device allows you to update the device software by right-clicking in the table if the
image file is located in the external memory.
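The URL forms above, parsed by an added example that is not part of the manual: it splits scheme, server address, port, optional user name and password and file path out of an update URL, rejects forms the dialog does not accept (for example credentials in a tftp URL), and reports whether the Credentials window would be needed (scp or sftp without a user name) and whether the transport is cleartext. That cleartext classification is the editor's caveat, not a statement from the manual: ftp sends user name and password unencrypted and tftp has no authentication at all, so for an image transfer over a network you do not fully trust prefer sftp or scp and enter the password in the Credentials window rather than in the URL. Server addresses and file names in the demo are constructed.

```python
from urllib.parse import urlsplit, unquote

# URL forms accepted by the Software update frame, with each transport's default port.
DEFAULT_PORT = {"ftp": 21, "tftp": 69, "scp": 22, "sftp": 22}
# Editor's classification: ftp sends the password unencrypted and tftp has no
# authentication; scp and sftp run over SSH.
CLEARTEXT = {"ftp", "tftp"}
SSH_BASED = {"scp", "sftp"}


def parse_update_url(url):
    """Split an update URL into its parts and flag the security-relevant ones.

    Raises ValueError for forms the Software update dialog does not accept.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    if not parts.hostname:
        raise ValueError("missing server address")
    if scheme == "tftp" and (parts.username or parts.password):
        raise ValueError("tftp URLs take no credentials")
    path = parts.path.lstrip("/")
    if not path:
        raise ValueError("missing file name")
    # A password containing '@' or ':' must be percent-encoded in the URL.
    user = unquote(parts.username) if parts.username else None
    password = unquote(parts.password) if parts.password else None
    warnings = []
    if scheme in CLEARTEXT:
        warnings.append(f"{scheme}: image and credentials (if any) cross the network unencrypted")
    if password is not None:
        warnings.append("password embedded in URL; for scp/sftp prefer the Credentials window")
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORT[scheme],
        "user": user,
        "password": password,
        "file": path,
        "cleartext": scheme in CLEARTEXT,
        # scp/sftp without user name: the device asks in the Credentials window
        "prompt_credentials": scheme in SSH_BASED and user is None,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample URLs in the four forms the dialog accepts.
    for sample in (
        "ftp://admin:s3cret@192.0.2.10:2121/hios-2a.bin",
        "tftp://192.0.2.10/images/hios-2a.bin",
        "sftp://192.0.2.10/images/hios-2a.bin",
        "scp://admin:s3cret@192.0.2.10/images/hios-2a.bin",
    ):
        result = parse_update_url(sample)
        print(sample, "->", result["scheme"], result["port"], result["warnings"])
```

Before pasting an URL with an embedded password into the dialog, remember that the same URL text is what you will find again in browser history and any screenshots or tickets; the Credentials window avoids that.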
Table
Parameters Meaning
File location Displays the storage location of the device software.
Possible values:
ram
Volatile memory of the device
flash
Non-volatile memory (NVM ) of the device
sd-card
External SD memory (ACA31)
usb
External USB memory (ACA22)
Index Displays the index of the device software.
For the device software in the flash memory, the index has the following meaning:
1
Upon restart, the device loads this device software.
2
The device copied this device software into the backup area during the last software update.
File name Displays the device-internal file name of the device software.
Firmware Displays the version number and creation date of the device software.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
1.6 Load/Save
This dialog allows you to save the device settings permanently in a configuration profile.
The device can hold several configuration profiles. When you activate an alternative configuration
profile, you change to other device settings. You have the option of exporting the configuration profiles
to your PC or to a server. You also have the option of importing the configuration profiles from your PC
or from a server to the device.
In the default setting, the device saves the configuration profiles unencrypted. When you enter a
password in the Configuration encryption frame, the device saves both the current and the future
configuration profiles in an encrypted format.
Unintentional changes to the settings may terminate the connection between your PC and the device.
To keep the device accessible, enable the Undo configuration modifications function before
changing any settings. If the connection is lost, the device loads the configuration profile saved in the
non-volatile memory (NVM) after the specified time.
External memory
Parameters Meaning
Selected external memory Specifies the external memory that the device uses for file operations. On this external memory,
the device stores for example copies of the device configuration.
Possible values:
sd
External SD memory (ACA31)
usb
External USB memory (ACA22)
Status Displays the operating state of the selected external memory.
Possible values:
notPresent
No external memory connected.
removed
Someone has removed the external memory from the device during operation.
ok
The external memory is connected and ready for operation.
outOfMemory
The memory space is occupied on the external memory.
genericErr
The device has detected an error.
Configuration encryption
Parameters Meaning
Active Displays whether the configuration encryption is active/inactive on the device.
Possible values:
marked
The configuration encryption is active.
The device loads a configuration profile from the non-volatile memory (NVM) if it is encrypted
and the password matches the password stored in the device.
unmarked
The configuration encryption is inactive.
The device loads a configuration profile from the non-volatile memory (NVM) solely if it is
unencrypted.
If in the Basic Settings > External Memory dialog, the Config priority column has the
value first or second and the configuration profile is unencrypted, the Security status frame
in the Basic Settings > System dialog displays an alarm.
In the Diagnostics > Status Configuration > Security Status dialog, Global tab,
Monitor column you specify whether the device monitors the Load unencrypted config from
external memory parameter.
Set password Opens the Set password window that helps you to enter the password needed for the
configuration profile encryption. Encrypting the configuration profiles makes unauthorized access
more difficult.
When you are changing an existing password, enter the existing password in the Old
password field. To display the password in plain text instead of ***** (asterisks), mark the
Display content checkbox.
In the New password field, enter the password.
To display the password in plain text instead of ***** (asterisks), mark the Display content
checkbox.
Mark the Save configuration afterwards checkbox to use encryption also for the Selected
configuration profile in the non-volatile memory (NVM) and in the external memory.
Note: Use this function solely if a maximum of 1 configuration profile is stored in the non-volatile
memory (NVM) of the device. Before creating additional configuration profiles, decide for or against
permanently activated configuration encryption in the device. Save additional configuration
profiles either unencrypted or encrypted with the same password.
If you are replacing a device with an encrypted configuration profile, for example due to a defect,
you proceed as follows:
Restart the new device and assign the IP parameters.
Open the Basic Settings > Load/Save dialog on the new device.
Encrypt the configuration profile in the new device. See above. Enter the same password you
used in the defective device.
Install the external memory from the defective device in the new device.
Restart the new device.
When it is restarted, the device loads the configuration profile with the settings of the defective
device from the external memory. The device copies the settings into the volatile memory
(RAM) and into the non-volatile memory (NVM).
Note: The prerequisite for loading a configuration profile from the external memory is that in the
Basic Settings > External Memory dialog the Config priority column displays the value
first or second. This value is set as the default setting.
Delete Opens the Delete window which helps you to cancel the configuration encryption in the device.
In the Old password field, enter the existing password.
To display the password in plain text instead of ***** (asterisks), mark the Display content
checkbox.
Mark the Save configuration afterwards checkbox to remove the encryption also for the
Selected configuration profile in the non-volatile memory (NVM) and in the external memory.
Note: If you keep additional encrypted configuration profiles in the memory, the device prevents
you from activating or designating these configuration profiles as "Selected".
Information
Parameters Meaning
NVM in sync with running config Displays whether the configuration profile in the volatile memory (RAM) and the "Selected"
configuration profile in the non-volatile memory (NVM) are the same.
Possible values:
marked
The configuration profiles are the same.
unmarked
The configuration profiles differ.
External memory in sync with NVM Displays whether the "Selected" configuration profile in the external memory and the "Selected"
configuration profile in the non-volatile memory (NVM) are the same.
Possible values:
marked
The configuration profiles are the same.
unmarked
The configuration profiles differ.
Possible causes:
– No external memory is connected to the device.
– In the Basic Settings > External Memory dialog, the Backup config when saving
function is disabled.
Parameters Meaning
Operation Enables/disables the Backup config on a remote server when saving function.
Possible values:
Enabled
The Backup config on a remote server when saving function is enabled.
When you save the configuration profile in the non-volatile memory (NVM), the device
automatically backs up the configuration profile on the remote server specified in the URL field.
Disabled (default setting)
The Backup config on a remote server when saving function is disabled.
URL Specifies path and file name of the backed up configuration profile on the remote server.
Possible values:
Alphanumeric ASCII character string with 0..128 characters
Example: tftp://192.9.200.1/cfg/config.xml
The device supports the following wildcards:
– %d
System date in the format YYYY-mm-dd
– %t
System time in the format HH_MM_SS
– %i
IP address of the device
– %m
MAC address of the device in the format AA-BB-CC-DD-EE-FF
– %p
Product name of the device
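As an added example that is not part of the original manual, the following Python function expands the five wildcards listed above the way a server-side script would need to in order to predict or match the file names the device writes. The date, time and MAC address formats are taken from the list above; the device IP address and MAC address in the sample call are constructed values, and the product string "GRS1040" for %p is an assumption, since the manual does not show the exact value the device inserts.

```python
"""Expand the %d, %t, %i, %m and %p wildcards of the Backup config on a
remote server when saving URL field. Added example, not Hirschmann code."""
from datetime import datetime, timezone

# Constructed sample values for the demonstration at the bottom.
SAMPLE_TIME = datetime(2024, 3, 5, 14, 7, 9, tzinfo=timezone.utc)
SAMPLE_IP = "192.9.200.5"          # constructed device address
SAMPLE_MAC = "00:80:63:12:34:56"   # constructed MAC address
SAMPLE_PRODUCT = "GRS1040"         # assumed %p value, not confirmed by the manual


def format_mac(mac: str) -> str:
    """Normalise any common MAC notation to the AA-BB-CC-DD-EE-FF form that
    the device substitutes for %m. Raises ValueError on malformed input."""
    hexdigits = "".join(ch for ch in mac.upper() if ch not in ":-.")
    if len(hexdigits) != 12 or any(ch not in "0123456789ABCDEF" for ch in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def expand_backup_url(template: str, when: datetime, ip: str, mac: str, product: str) -> str:
    """Replace the device's wildcards in a URL template.

    %d -> YYYY-mm-dd, %t -> HH_MM_SS, %i -> IP address,
    %m -> MAC address as AA-BB-CC-DD-EE-FF, %p -> product name.
    A percent sign followed by any other character is left untouched,
    because the dialog help defines only these five wildcards.
    """
    substitutions = {
        "%d": when.strftime("%Y-%m-%d"),
        "%t": when.strftime("%H_%M_%S"),
        "%i": ip,
        "%m": format_mac(mac),
        "%p": product,
    }
    out = []
    i = 0
    while i < len(template):
        token = template[i:i + 2]
        if token in substitutions:
            out.append(substitutions[token])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Server address 192.9.200.1 is the manual's own example value.
    print(expand_backup_url("tftp://192.9.200.1/cfg/%p_%i_%d_%t.xml",
                            SAMPLE_TIME, SAMPLE_IP, SAMPLE_MAC, SAMPLE_PRODUCT))
```

Because the expanded file name carries the device's IP and MAC address, the backup directory on the server reveals which devices exist in the network; restrict read access to that directory accordingly.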
Set credentials Opens the Credentials window which helps you to enter the credentials needed to authenticate
on the remote server.
In the User name field, enter the user name.
To display the user name in plain text instead of ***** (asterisks), mark the Display content
checkbox.
Possible values:
– Alphanumeric ASCII character string with 1..32 characters
In the Password field, enter the password.
To display the password in plain text instead of ***** (asterisks), mark the Display content
checkbox.
Possible values:
Alphanumeric ASCII character string with 6..64 characters
The following characters are allowed:
a..z
A..Z
0..9
#$%&'()*+,-./:;<=>?@_`
Parameters Meaning
Operation Enables/disables the Undo configuration modifications function. Using the function, the
device continuously checks whether it can still be reached from the IP address of the user’s PC.
If the connection is lost, after a specified time period the device loads the “Selected” configuration
profile from the non-volatile memory (NVM). Afterwards, the device can be accessed again.
Possible values:
On
The function is enabled.
– You specify the time period between the loss of the connection and the loading of the
configuration profile in the field Timeout [s] to recover after connection loss.
– If the non-volatile memory (NVM) contains multiple configuration profiles, the device loads
the configuration profile designated as “Selected”.
Off (default setting)
The function is disabled.
Disable the function again before you close the graphical user interface. You thus prevent the
device from restoring the configuration profile designated as “Selected”.
Note: Before you enable the function, save the settings in the configuration profile. Current
changes that are saved only temporarily are thus retained in the device.
Timeout [s] to recover after connection loss Specifies the time in seconds after which the device loads the “Selected” configuration profile from
the non-volatile memory (NVM) if the connection is lost.
Possible values:
30..600 (default setting: 600)
Specify a sufficiently large value. Take into account the time when you are viewing the dialogs of
the graphical user interface without changing or updating them.
Watchdog IP address Displays the IP address of the PC on which you have enabled the function.
Possible values:
IPv4 address (default setting: 0.0.0.0)
Table
Parameters Meaning
Storage type Displays the storage location of the configuration profile.
Possible values:
RAM (volatile memory of the device)
In the volatile memory, the device stores the settings for the current operation.
NVM (non-volatile memory of the device)
From the non-volatile memory, the device loads the “Selected” configuration profile during a
restart or when applying the function Undo configuration modifications .
The non-volatile memory provides space for multiple configuration profiles, depending on the
number of settings saved in the configuration profile. The device manages a maximum of 20
configuration profiles in the non-volatile memory.
You can load a configuration profile into the volatile memory (RAM):
In the table, highlight the configuration profile.
Click the button and then the Activate item.
ENVM (external memory)
On the external memory, the device saves a backup copy of the “Selected” configuration
profile.
The prerequisite is that in the Basic Settings > External Memory dialog you mark the
Backup config when saving checkbox.
Profile name Displays the name of the configuration profile.
Possible values:
running-config
Name of the configuration profile in the volatile memory (RAM).
config
Name of the factory setting configuration profile in the non-volatile memory (NVM).
User-defined name
The device allows you to save a configuration profile with a user-specified name by highlighting
an existing configuration profile in the table, clicking the button and then the Save As...
item.
To export the configuration profile as an XML file on your PC, click the link. Then you select the
storage location and specify the file name.
To save the file on a remote server, click the button and then the Export... item.
Modification date (UTC) Displays the time (UTC) at which a user last saved the configuration profile.
Selected Displays whether the configuration profile is designated as “Selected”.
Possible values:
marked
The configuration profile is designated as “Selected”.
– The device loads the configuration profile into the volatile memory (RAM) during a restart or
when applying the function Undo configuration modifications .
– When you click the button, the device saves the temporarily saved settings in this
configuration profile.
unmarked
Another configuration profile is designated as “Selected”.
To designate another configuration profile as “Selected”, you highlight the desired configuration
profile in the table, click the button and then the Activate item.
Encrypted Displays whether the configuration profile is encrypted.
Possible values:
marked
The configuration profile is encrypted.
unmarked
The configuration profile is unencrypted.
You activate/deactivate the encryption of the configuration profile in the Configuration
encryption frame.
Encryption verified Displays whether the password of the encrypted configuration profile matches the password
stored in the device.
Possible values:
marked
The passwords match. The device is able to decrypt the configuration profile.
unmarked
The passwords are different. The device is unable to decrypt the configuration profile.
Software version Displays the version number of the device software that the device ran when it saved the
configuration profile.
Fingerprint Displays the checksum saved in the configuration profile.
The device calculates the checksum when saving the settings and inserts it into the configuration
profile.
Fingerprint verified Displays whether the checksum saved in the configuration profile is valid.
The device calculates the checksum of the configuration profile marked as “Selected” and
compares it with the checksum saved in this configuration profile.
Possible values:
marked
The calculated and the saved checksum match.
The saved settings are consistent.
unmarked
For the configuration profile marked as “Selected”, the following applies:
The calculated and the saved checksum are different.
The configuration profile contains modified settings.
Possible causes:
– The file is damaged.
– The file system on the external memory is inconsistent.
– A user has exported the configuration profile and changed the XML file outside the device.
For the other configuration profiles the device has not calculated the checksum.
The device verifies the checksum correctly only if the configuration profile has been saved before
as follows:
– on an identical device
– with the same software version, which the device is running
– with a lower or the same level of the device software
such as OS-SwLevel-2A or OS-SwLevel-3S on a device which runs OS-SwLevel-3S
Note: This function identifies changes to the settings in the configuration profile. The function does
not provide protection against operating the device with modified settings.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Removes the configuration profile highlighted in the table from the non-volatile memory (NVM) or
from the external memory.
If the configuration profile is designated as "Selected", the device prevents you from removing the
configuration profile.
Transfers the settings from the volatile memory (RAM) into the configuration profile designated as
“Selected” in the non-volatile memory (NVM).
If in the Basic Settings > External Memory dialog the checkbox in the Backup config when
saving column is marked, the device generates a copy of the configuration profile on the external
memory.
Displays a sub menu with the following items.
Save As... Copies the configuration profile highlighted in the table and saves it with a user-specified name in
the non-volatile memory (NVM). The device designates the new configuration profile as “Selected”.
Note: Before creating additional configuration profiles, decide for or against permanently activated
configuration encryption in the device. Save additional configuration profiles either unencrypted or
encrypted with the same password.
If in the Basic Settings > External Memory dialog the checkbox in the Backup config when
saving column is marked, the device designates the configuration profile of the same name on
the external memory as “Selected”.
Activate Loads the settings of the configuration profile highlighted in the table to the volatile memory (RAM).
The device terminates the connection to the graphical user interface.
Reload the graphical user interface.
Login again.
The device immediately uses the settings of the configuration profile on the fly.
Enable the Undo configuration modifications function before you activate another
configuration profile. If the connection is lost afterwards, the device loads the last configuration
profile designated as “Selected” from the non-volatile memory (NVM). The device can then be
accessed again.
If the configuration encryption is inactive, the device loads the configuration profile if it is
unencrypted. If the configuration encryption is active, the device loads the configuration profile if
it is encrypted and the password matches the password stored in the device.
When you activate an older configuration profile, the device takes over the settings of the functions
contained in this software version. The device sets the values of new functions to their default
value.
Select Designates the configuration profile highlighted in the table as “Selected”. In the Selected
column, the checkbox is then marked.
The device loads the settings of this configuration profile to the volatile memory (RAM) during a
restart or when applying the function Undo configuration modifications .
Designate an unencrypted configuration profile only as “Selected” when the configuration
encryption in the device is disabled.
Designate an encrypted configuration profile only as “Selected” when the following
prerequisites are fulfilled:
– The configuration encryption in the device is enabled.
– The password of the configuration profile matches the password saved in the device.
Otherwise, the device is unable to load and encrypt the settings in the configuration profile the next
time it restarts. For this case you specify in the Diagnostics > System > Selftest dialog
whether the device starts with the default settings or terminates the restart and stops.
Note: You can designate only configuration profiles saved in the non-volatile memory (NVM) as “Selected”.
If in the Basic Settings > External Memory dialog the checkbox in the Backup config when
saving column is marked, the device designates the configuration profile of the same name on
the external memory as “Selected”.
Import... Opens the Import... window to import a configuration profile.
The prerequisite is that you have exported the configuration profile using the Export... button
or using the link in the Profile name column.
In the Select source drop-down list, select from where the device imports the configuration
profile.
PC/URL
The device imports the configuration profile from the local PC or from a remote server.
External memory
The device imports the configuration profile from the selected external memory. See the
External memory frame.
If PC/URL is selected above, then in the Import profile from PC/URL frame you specify the
configuration profile file to be imported.
– Import from the PC
If the file is located on your PC or on a network drive, drag and drop the file in the area.
Alternatively click in the area to select the file.
– Import from an FTP server
If the file is located on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
– Import from a TFTP server
If the file is located on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
– Import from an SCP or SFTP server
If the file is located on an SCP or SFTP server, specify the URL for the file in one of the
following forms:
scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you
enter User name and Password , to log on to the server.
scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
If External memory is selected above, then in the Import profile from external memory
frame you specify the configuration profile file to be imported.
In the Profile name drop-down list, select the name of the configuration profile to be
imported.
In the Destination frame you specify where the device saves the imported configuration
profile.
In the Profile name field you specify the name under which the device saves the
configuration profile.
In the Storage type field you specify the storage location for the configuration profile. The
prerequisite is that in the Select source drop-down list you have selected the value PC/URL .
RAM
The device saves the configuration profile in the volatile memory (RAM) of the device. This
replaces the running-config; the device uses the settings of the imported configuration
profile immediately. The device terminates the connection to the graphical user interface.
Reload the graphical user interface. Login again.
NVM
The device saves the configuration profile in the non-volatile memory (NVM) of the device.
When you import a configuration profile, the device takes over the settings as follows:
– If the configuration profile was exported on the same device or on an identically equipped
device of the same type:
The device takes over the settings completely.
If the device uses modules, also read the help text of the Basic Settings > Modules dialog.
– If the configuration profile was exported on another device:
The device takes over the settings which it can interpret based on its hardware equipment and
software level.
The device takes over the remaining settings from its running-config configuration profile.
Regarding configuration profile encryption, also read the help text of the Configuration
encryption frame. The device imports a configuration profile under the following conditions:
– The configuration encryption of the device is inactive. The configuration profile is unencrypted.
– The configuration encryption of the device is active. The configuration profile is encrypted with
the same password that the device currently uses.
Export... Exports the configuration profile highlighted in the table and saves it as an XML file on a remote
server.
To save the file on your PC, click the link in the Profile name column to select the storage
location and specify the file name.
The device gives you the following options for exporting a configuration profile:
Export to an FTP server
To save the file on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
Export to a TFTP server
To save the file on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
Export to an SCP or SFTP server
To save the file on an SCP or SFTP server, specify the URL for the file in one of the following
forms:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Ok button, the device displays the Credentials window. There you
enter User name and Password , to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
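The URL forms for Export... above, and the identical forms in the Import... entry earlier, can embed a user name and password, and ftp and tftp transfer the configuration profile in clear text. The following Python check is an added example, not device code: it parses such a URL into its parts, reports embedded credentials and cleartext transport so an automation script can refuse or flag them, and redacts the password before the URL is written to a log. The server address 192.9.200.1 in the sample calls is the manual's own example address; the user name and password are constructed.

```python
"""Review an Import.../Export... transfer URL of the forms the Load/Save
dialog accepts (ftp://, tftp://, scp://, sftp://). Added example, not
Hirschmann code."""
from urllib.parse import unquote, urlsplit

# Schemes the Import.../Export... dialog documents.
ALLOWED_SCHEMES = {"ftp", "tftp", "scp", "sftp"}
# tftp has no authentication at all; ftp sends credentials and data in clear text.
CLEARTEXT_SCHEMES = {"ftp", "tftp"}


def check_transfer_url(url: str) -> dict:
    """Parse a transfer URL and return its components plus a list of findings.
    An empty findings list means nothing needs attention."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    findings = []
    if scheme not in ALLOWED_SCHEMES:
        findings.append(f"scheme {scheme!r} is not one of {sorted(ALLOWED_SCHEMES)}")
    if not parts.hostname:
        findings.append("no host in URL")
    if parts.path in ("", "/"):
        findings.append("no file name in URL")
    try:
        port = parts.port
    except ValueError:
        port = None
        findings.append("port is not numeric")
    if parts.username is not None or parts.password is not None:
        findings.append("credentials embedded in URL")
        if scheme in ("scp", "sftp"):
            # The dialog offers the Credentials window for these schemes,
            # which keeps the password out of the URL string.
            findings.append("prefer the Credentials window over user:password@ in the URL")
    if scheme in CLEARTEXT_SCHEMES:
        findings.append("cleartext transport: config profile (and any credentials) readable on the wire")
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": port,
        "path": parts.path,
        "user": unquote(parts.username) if parts.username else None,
        "has_embedded_password": parts.password is not None,
        "findings": findings,
    }


def redact(url: str) -> str:
    """Return the URL with an embedded password replaced by *****, for
    logging. The user name is kept so the log entry stays useful."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return parts._replace(netloc=f"{parts.username}:*****@{host}").geturl()


if __name__ == "__main__":
    # Constructed credentials; 192.9.200.1 is the manual's example server.
    sample = "ftp://admin:secret@192.9.200.1:21/cfg/config.xml"
    print(redact(sample))
    for finding in check_transfer_url(sample)["findings"]:
        print(" -", finding)
```

In a script that drives the device, call check_transfer_url() on every URL before use and log only redact(url); the findings list is what a reviewer would want to see in the audit trail.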
Back to factory... Resets the settings in the device to the default values.
The device deletes the saved configuration profiles from the volatile memory (RAM) and from
the non-volatile memory (NVM).
The device deletes the HTTPS certificate used by the web server in the device.
The device deletes the DSA/RSA key (Host Key) used by the SSH server in the device.
If an external memory is connected, the device deletes the configuration profiles saved on the
external memory.
After a brief period, the device reboots and loads the default values.
Back to default Deletes the current operating (running config) settings from the volatile memory (RAM).
1.7 External Memory
This dialog allows you to activate functions that the device automatically executes in combination with
the external memory. The dialog also displays the operating state and identifying characteristics of the
external memory.
Table
Parameters Meaning
Type Displays the type of the external memory.
Possible values:
sd
External SD memory (ACA31)
usb
External USB memory (ACA22)
Status Displays the operating state of the external memory.
Possible values:
notPresent
No external memory connected.
removed
Someone has removed the external memory from the device during operation.
ok
The external memory is connected and ready for operation.
outOfMemory
The memory space is occupied on the external memory.
genericErr
The device has detected an error.
Writable Displays whether the device has write access to the external memory.
Possible values:
marked
The device has write access to the external memory.
unmarked
The device has read-only access to the external memory. Possibly the write protection is
activated on the external memory.
Software auto update Activates/deactivates the automatic device software update during the restart.
Possible values:
marked (default setting)
The automatic device software update during the restart is activated. The device updates the
device software when the following files are located in the external memory:
– the image file of the device software
– a text file "startup.txt" with the content autoUpdate=<image_file_name>.bin
unmarked
The automatic device software update during the restart is deactivated.
SSH key auto upload Activates/deactivates the loading of the DSA/RSA key from an external memory upon restart.
Possible values:
marked (default setting)
The loading of the DSA/RSA key is activated.
During a restart, the device loads the DSA/RSA key from the external memory when the
following files are located on the external memory:
– SSH RSA key file
– SSH DSA key file
– a text file “startup.txt” with the content
autoUpdateRSA=<filename_of_the_SSH_RSA_key>
autoUpdateDSA=<filename_of_the_SSH_DSA_key>
The device displays messages on the system console of the V.24 interface.
unmarked
The loading of the DSA/RSA key is deactivated.
Note: When loading the DSA/RSA key from the external memory (ENVM), the device overwrites
the existing keys in the non-volatile memory (NVM).
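With Software auto update and SSH key auto upload both enabled, a startup.txt on the external memory decides which device software and which SSH host keys the device takes over on the next restart. The following Python audit is an added example, not Hirschmann code: it parses the startup.txt format given above (autoUpdate=, autoUpdateRSA=, autoUpdateDSA= lines), reports what each line would replace on the device, and checks that the referenced files are actually present on the medium. The sample startup.txt and file names are constructed placeholders; comment and blank-line handling is an assumption, since the manual shows only bare key=value lines.

```python
"""Audit a startup.txt from an external memory (SD card / USB stick) before
the medium goes into a switch. Added example, not Hirschmann code."""
import os

# Keys documented for startup.txt and what each one replaces on the device.
KNOWN_KEYS = {
    "autoUpdate": "device software in flash (active after the restart)",
    "autoUpdateRSA": "SSH RSA host key (overwrites the key in NVM)",
    "autoUpdateDSA": "SSH DSA host key (overwrites the key in NVM)",
}

# Constructed sample: a startup.txt and the files found next to it. The image
# and key file names are placeholders, not real Hirschmann file names. The DSA
# key file is deliberately absent to show the missing-file check.
SAMPLE_STARTUP = """autoUpdate=switch-image.bin
autoUpdateRSA=ssh_host_rsa_key
autoUpdateDSA=ssh_host_dsa_key
"""
SAMPLE_FILES = {"startup.txt", "switch-image.bin", "ssh_host_rsa_key"}


def parse_startup(text: str) -> dict:
    """Parse key=value lines into a dict. Blank lines and '#' comments are
    skipped (assumption: the manual only shows bare key=value lines)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip()] = value.strip()
    return entries


def audit_startup(text: str, present_files: set) -> list:
    """Return one finding per startup.txt entry, plus format problems."""
    entries = parse_startup(text)
    findings = []
    for key, value in entries.items():
        if key not in KNOWN_KEYS:
            findings.append(f"unknown key {key!r}: the device ignores it (check for typos)")
            continue
        status = "present" if value in present_files else "MISSING on external memory"
        findings.append(f"{key}={value}: replaces {KNOWN_KEYS[key]}; file {status}")
    if "autoUpdate" in entries and not entries["autoUpdate"].endswith(".bin"):
        findings.append("autoUpdate value does not end in .bin as shown in the dialog help")
    return findings


def audit_directory(mount_point: str) -> list:
    """Run the audit against a mounted external memory, e.g. the SD card
    mounted on a workstation before it is inserted into the switch."""
    present = set(os.listdir(mount_point))
    if "startup.txt" not in present:
        return ["no startup.txt: device would not auto-update software or keys"]
    with open(os.path.join(mount_point, "startup.txt"), encoding="ascii", errors="replace") as fh:
        return audit_startup(fh.read(), present)


if __name__ == "__main__":
    for line in audit_startup(SAMPLE_STARTUP, SAMPLE_FILES):
        print(line)
```

Anyone who can write to the external memory can, through these two functions, replace the device software and the SSH host keys at the next restart, so keep the medium under the same physical control as the device, run this audit on it before insertion, and clear the Software auto update and SSH key auto upload checkboxes where the functions are not needed.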
Config priority Specifies the memory from which the device loads the configuration profile upon reboot.
Possible values:
disable
The device loads the configuration profile from the non-volatile memory (NVM ).
first, second
The device loads the configuration profile from the external memory designated as first. If
the device does not find a configuration profile there, it loads the configuration profile from the
external memory designated as second, and so on.
If the device does not find a configuration profile on the external memory, it loads the
configuration profile from the non-volatile memory (NVM ).
Note: When loading the configuration profile from the external memory (ENVM), the device
overwrites the settings of the Selected configuration profile in the non-volatile memory (NVM).
If the Config priority column has the value first or second and the configuration profile is
unencrypted, the Security status frame in the Basic Settings > System dialog displays an
alarm.
In the Diagnostics > Status Configuration > Security Status dialog, Global tab,
Monitor column you specify whether the device monitors the Load unencrypted config from
external memory parameter.
Backup config when saving Activates/deactivates creating a copy of the configuration profile on the external memory.
Possible values:
marked (default setting)
Creating a copy is activated. If you click in the Basic Settings > Load/Save dialog the Save
button, the device generates a copy of the configuration profile on the active external memory.
unmarked
Creating a copy is deactivated. The device does not generate a copy of the configuration
profile.
Manufacturer ID Displays the name of the memory manufacturer.
Revision Displays the revision number specified by the memory manufacturer.
Version Displays the version number specified by the memory manufacturer.
Name Displays the product name specified by the memory manufacturer.
Serial number Displays the serial number specified by the memory manufacturer.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
1.8 Port
This dialog allows you to specify settings for the individual ports. The dialog also displays the operating
mode, connection status, bit rate and duplex mode for every port.
[Configuration]
Table
Parameters Meaning
Port Displays the port number.
Name Name of the port.
Possible values:
Alphanumeric ASCII character string with 0..64 characters
The following characters are allowed:
– <space>
– 0..9
– a..z
– A..Z
– !#$%&'()*+,-./:;<=>?@[\]^_`{}~
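The port Name rule above and the user name and password rules of the Credentials window in the Load/Save dialog (user name 1..32 alphanumeric characters; password 6..64 characters from the listed set) are the kind of constraints an automation script should check before it writes a value to the device, so that a rejected value is caught on the script side with a precise message. The following Python validator is an added example, not Hirschmann code; the character sets are copied from the dialog help, and treating "alphanumeric" for the user name as letters and digits only is an assumption.

```python
"""Validate user name, password and port name values against the length and
character rules given in the dialog help. Added example, not Hirschmann code."""
import string

# Character classes exactly as listed in the dialog help.
ALNUM = set(string.ascii_letters + string.digits)
PASSWORD_CHARS = ALNUM | set("#$%&'()*+,-./:;<=>?@_`")
PORT_NAME_CHARS = ALNUM | set(" !#$%&'()*+,-./:;<=>?@[\\]^_`{}~")

# field -> (minimum length, maximum length, allowed characters)
RULES = {
    "user_name": (1, 32, ALNUM),             # assumption: letters and digits only
    "password": (6, 64, PASSWORD_CHARS),
    "port_name": (0, 64, PORT_NAME_CHARS),
}


def validate(field: str, value: str) -> list:
    """Return a list of rule violations; an empty list means the value is
    acceptable. Every offending character is reported, so the caller can fix
    the value in one pass instead of one character at a time."""
    lo, hi, allowed = RULES[field]
    problems = []
    if not (lo <= len(value) <= hi):
        problems.append(f"{field}: length {len(value)} not in {lo}..{hi}")
    bad = sorted({ch for ch in value if ch not in allowed})
    if bad:
        problems.append(f"{field}: characters not allowed: {''.join(bad)!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample values.
    for field, value in [("user_name", "backup"), ("password", "short"),
                         ("port_name", "Uplink|1")]:
        print(field, value, validate(field, value) or "ok")
```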
Port on Activates/deactivates the port.
Possible values:
marked (default setting)
The port is active.
unmarked
The port is inactive. The port does not send or receive any data.
State Displays whether the port is currently physically enabled or disabled.
Possible values:
marked
The port is physically enabled.
unmarked
The port is physically disabled.
If the Port on function is active, the Auto-Disable function has disabled the port.
You specify the settings of the Auto-Disable function in the Diagnostics > Ports > Auto-
Disable dialog.
Power state (port off) Specifies whether the port is physically switched on or off when you deactivate the port with the
Port on function.
Possible values:
marked
The port remains physically enabled. A connected device receives an active link.
unmarked (default setting)
The port is physically disabled.
Auto power down Specifies how the port behaves when no cable is connected.
Possible values:
no-power-save (default setting)
The port remains activated.
auto-power-down
The port changes to the energy-saving mode.
unsupported
The port does not support this function and remains activated.
Automatic configuration Activates/deactivates the automatic selection of the operating mode for the port.
Possible values:
marked (default setting)
The automatic selection of the operating mode is active.
The port negotiates the operating mode independently using autonegotiation and detects the
devices connected to the TP port automatically (Auto Cable Crossing). This setting has priority
over the manual setting of the port.
It takes several seconds until the port has set the operating mode.
unmarked
The automatic selection of the operating mode is inactive.
The port operates with the values you specify in the Manual configuration column and in
the Manual cable crossing (Auto. conf. off) column.
Grayed-out display
No automatic selection of the operating mode.
Manual configuration Specifies the operating mode of the ports when the Automatic configuration function is
disabled.
Possible values:
10 Mbit/s HDX
Half duplex connection
10 Mbit/s FDX
Full duplex connection
100 Mbit/s HDX
Half duplex connection
100 Mbit/s FDX
Full duplex connection
1000 Mbit/s FDX
Full duplex connection
2500 Mbit/s FDX
Full duplex connection
Note: The operating modes of the port actually available depend on the device configuration and
the media module used.
Link/Current settings Displays the operating mode which the port currently uses.
Possible values:
–
No cable connected, no link.
10 Mbit/s HDX
Half duplex connection
10 Mbit/s FDX
Full duplex connection
100 Mbit/s HDX
Half duplex connection
100 Mbit/s FDX
Full duplex connection
1000 Mbit/s FDX
Full duplex connection
2500 Mbit/s FDX
Full duplex connection
Note: The operating modes of the port actually available depend on the device configuration and
the media module used.
Manual cable crossing (Auto. conf. off) Specifies the devices connected to a TP port.
The prerequisite is that the Automatic configuration function is disabled.
Possible values:
mdi
The device interchanges the send- and receive-line pairs on the port.
mdix (default setting on TP ports)
The device prevents the interchange of the send- and receive-line pairs on the port.
auto-mdix
The device detects the send and receive line pairs of the connected device and automatically
adapts to them.
Example: When you connect an end device with a crossed cable, the device automatically
resets the port from mdix to mdi.
unsupported (default setting on optical ports or TP-SFP ports)
The port does not support this function.
Flow control Activates/deactivates the flow control on the port.
Possible values:
marked (default setting)
The Flow control on the port is active.
The sending and evaluating of pause packets (full-duplex operation) or collisions (half-duplex
operation) is activated on the port.
To enable the flow control in the device, also activate the Flow control function in the
Switching > Global dialog.
Activate the flow control also on the port of the device that is connected to this port.
On an uplink port, activating the flow control can possibly cause undesired sending breaks in
the higher-level network segment (“wandering backpressure”).
unmarked
The Flow control on the port is inactive.
When you are using a redundancy function, you deactivate the flow control on the participating
ports. If the flow control and the redundancy function are active at the same time, there is a risk
that the redundancy function will not operate as intended.
Send trap (Link up/down) Activates/deactivates the sending of SNMP traps when the device detects changes in the link up/down status for this port.
Possible values:
marked (default setting)
The sending of SNMP traps is active.
The device sends an SNMP trap when it detects a link up/down status change.
unmarked
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
MTU Specifies the maximum allowed size of Ethernet packets on the port in bytes.
Possible values:
1518..12288 (default setting: 1518)
With the setting 1518, the port transmits the Ethernet packets up to the following size:
– 1518 bytes without VLAN tag
(1514 bytes + 4 bytes CRC)
– 1522 bytes with VLAN tag
(1518 bytes + 4 bytes CRC)
This setting allows you to increase the size of the Ethernet packets for specific applications. The
following list contains possible applications:
If you use the device in the transfer network with double VLAN tagging, you may require an
MTU that is larger by 4 bytes.
On other interfaces, you specify the maximum permissible size of the Ethernet packets as follows:
– Link Aggregation interfaces
Switching > L2-Redundancy > Link Aggregation dialog, MTU column
Signal Activates/deactivates the port LED flashing. This function allows you to identify the port in the field.
Possible values:
marked
The flashing of the port LED is active.
The port LED flashes until you disable the function again.
unmarked (default setting)
The flashing of the port LED is inactive.
Link monitoring Activates/deactivates the Link monitoring function on the interface.
Use the Link monitoring function for end devices that do not support Far End Fault Indication
(FEFI) on optical links.
Possible values:
marked
The Link monitoring function is active.
If the device recognizes an established link, the port LED illuminates. When the device
recognizes that a link has been lost, the port LED extinguishes.
unmarked (default setting)
The Link monitoring function is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Clear port statistics Resets the counter for the port statistics to 0.
[Statistics ]
This tab displays the following overview per port:
Number of data packets per size category received on and sent from the device
– Packets 64 bytes
– Packets 65 to 127 bytes
– Packets 128 to 255 bytes
– Packets 256 to 511 bytes
– Packets 512 to 1023 bytes
– Packets 1024 to 1518 bytes
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Clear port statistics Resets the counter for the port statistics to 0.
[Utilization ]
This tab displays the utilization (network load) for the individual ports.
Table
Parameters Meaning
Port Displays the port number.
Utilization [%] Displays the current utilization in percent in relation to the time interval specified in the Control
interval [s] column.
The utilization is the relationship of the received data quantity to the maximum possible data
quantity at the currently configured data rate.
Lower threshold [%] Specifies a lower threshold for the utilization. If the utilization of the port falls below this value, the
Alarm column displays an alarm.
Possible values:
0.00..100.00 (default setting: 0.00)
The value 0 deactivates the lower threshold.
Upper threshold [%] Specifies an upper threshold for the utilization. If the utilization of the port exceeds this value, the
Alarm column displays an alarm.
Possible values:
0.00..100.00 (default setting: 0.00)
The value 0 deactivates the upper threshold.
Control interval [s] Specifies the interval in seconds.
Possible values:
1..3600 (default setting: 30)
Alarm Displays the utilization alarm status.
Possible values:
marked
The utilization of the port is below the value specified in the Lower threshold [%] column or
above the value specified in the Upper threshold [%] column. The device sends an SNMP
trap.
unmarked
The utilization of the port is above the value specified in the Lower threshold [%] column
and below the value specified in the Upper threshold [%] column.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Clear port statistics Resets the counter for the port statistics to 0.
1.9 Power over Ethernet
In Power over Ethernet (PoE), the Power Sourcing Equipment (PSE) supplies power to powered devices
(PD) such as IP phones through the twisted pair cable.
The product code and the PoE-specific labeling on the PSE device housing indicate whether your
device supports Power over Ethernet. The PoE ports of the device support Power over Ethernet
according to IEEE 802.3at.
The system provides an internal maximum power budget for the ports. The ports reserve power
according to the detected class of a connected powered device. The real delivered power is equal to or
less than the reserved power.
You manage the power output with the Priority parameter. When the sum of the power required by
the connected devices exceeds the power available, the device turns off power supplied to the ports
according to configured priority. The device turns off power supplied to the ports starting with ports
configured as a low priority first. When several ports have a low priority, the device turns off power
starting with the higher numbered ports.
The menu contains the following dialogs:
PoE Global
PoE Port
1.9.1 PoE Global
Based on the settings specified in this dialog, the device provides power to the end-user devices. If the
power consumption reaches the user-specified threshold, the device sends an SNMP trap.
Operation
Parameters Meaning
Operation Enables/disables the Power over Ethernet function.
Possible values:
On (default setting)
The Power over Ethernet function is enabled.
Off
The Power over Ethernet function is disabled.
Configuration
Parameters Meaning
Send trap Activates/deactivates the sending of SNMP traps.
The device sends an SNMP trap when the power consumption exceeds the user-specified
threshold.
Possible values:
marked (default setting)
The device sends SNMP traps.
unmarked
The device does not send any SNMP traps.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Threshold [%] Specifies the threshold value for the power consumption in percent.
The device measures the total output power and sends an SNMP trap, if the power output exceeds
this threshold.
Possible values:
0..99 (default setting: 90)
System power
Parameters Meaning
Budget [W] Displays the sum of the power available for the global budget.
Reserved [W] Displays the global reserved power. The device reserves power according to the detected classes
of the connected powered devices. The actual delivered power is equal to or less than the reserved
power.
Delivered [W] Displays the actual power delivered to the modules.
Table
Parameters Meaning
Module Device module to which the table entries relate.
Configured power budget [W] Specifies the power of the module that is available for distribution to its ports.
Possible values:
0..n (default setting: n)
Here, n corresponds to the value in the Max. power budget [W] column.
Max. power budget [W] Displays the maximum power available for this module.
Reserved power [W] Displays the power reserved for the module according to the detected classes of the connected
powered devices.
Delivered power [W] Displays the actual power delivered to the powered devices connected to this module.
Power source Displays the power sourcing equipment for the device.
Possible values:
internal
Internal power source
external
External power source
Threshold [%] Specifies the threshold value for the power consumption of the module in percent. The device
measures the total output power and sends an SNMP trap, if the power output exceeds this
threshold.
Possible values:
0..99 (default setting: 90)
Send trap Activates/deactivates the sending of SNMP traps when the power consumption of the module exceeds
the threshold value.
Possible values:
marked
The sending of SNMP traps is active.
The device sends an SNMP trap when the power consumption of the module exceeds the
user-defined threshold.
unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
1.9.2 PoE Port
When the power required by the connected powered devices (PD) exceeds the power the device can
deliver, the device turns off power to the ports according to their priority levels and port numbers. The
device disables the Power over Ethernet function on the ports with the lowest priority first. If multiple
ports have the same priority, the device first disables the Power over Ethernet function on the ports with
the higher port number. With the Auto-shutdown power function, the device additionally turns off power
to the powered devices (PD) for a specified time period each day.
Table
Parameters Meaning
Port Displays the port number.
PoE enable Activates/deactivates the PoE power provided to the port.
When the function is activated or deactivated, the device logs an event in the log file (System Log).
Possible values:
marked (default setting)
Providing PoE power to the port is active.
unmarked
Providing PoE power to the port is inactive.
Fast startup Activates/deactivates the Power over Ethernet Fast Startup function on the port.
The prerequisite is that the checkbox in the PoE enable column is marked.
Possible values:
marked
The fast start up function is active. The device sends power to the powered devices (PD)
immediately after turning the power to the device on.
unmarked (default setting)
The fast start up function is inactive. The device sends power to the powered devices (PD)
after loading its own configuration.
Priority Specifies the port priority.
To prevent current overloads, the device disables ports with low priority first. To prevent that the
device disables the ports supplying important devices, specify a high priority for these ports.
Possible values:
critical
high
low (default setting)
Status Displays the status of the port Powered Device (PD) detection.
Possible values:
disabled
The device is in the DISABLED state and is not delivering power to the powered devices.
deliveringPower
The device identified the class of the connected PD and is in the POWER ON state.
fault
The device is in the TEST ERROR state.
otherFault
The device is in the IDLE state.
searching
The device is in a state other than the listed states.
test
The device is in the TEST MODE.
Parameters Meaning
Detected class Displays the power class of the powered device connected to the port.
Possible values:
Class 0
Class 1
Class 2
Class 3
Class 4
Class 0 .. Class 4 Activates/deactivates the current for powered devices of the respective class (0 to 4) on the port.
Possible values:
marked (default setting)
unmarked
Consumption [W] Displays the current power consumption of the port in watts.
Possible values:
0.0..30.0
Power limit [W] Specifies the maximum power in watts that the port outputs.
This function allows you to distribute the power budget available among the PoE ports as required.
For example, for a connected device not providing a “Power Class”, the port reserves a fixed
amount of 15.4 W (class 0) even if the device requires less power. The surplus power is not
available to any other port.
By specifying the power limit, you reduce the reserved power to the actual requirement of the
connected device. The unused power is available to other ports.
If the exact power consumption of the connected powered device is unknown, use the value in the
Max. consumption [W] column as a guide. The power limit must be greater than the value in the
Max. consumption [W] column.
If the maximum observed power is greater than the set power limit, the device regards the power limit
as invalid. In this case, the device uses the PoE class for the calculation.
Possible values:
0.0..30.0 (default setting: 0.0)
Max. consumption [W] Displays the maximum power in watts that the connected powered device has consumed so far.
The device resets the value when you disable PoE on the port or terminate the connection to the
connected device.
Name Specifies the name of the port.
Specify the name of your choice.
Possible values:
Alphanumeric ASCII character string with 0..32 characters
Auto-shutdown power Activates/deactivates the Auto-shutdown power function according to the settings.
Possible values:
marked
unmarked (default setting)
Disable power at [hh:mm] Specifies the time at which the device disables the power for the port upon activation of the
Auto-shutdown power function.
Possible values:
00:00..23:59 (default setting: 00:00)
Re-enable power at [hh:mm] Specifies the time at which the device enables the power for the port upon activation of the
Auto-shutdown power function.
Possible values:
00:00..23:59 (default setting: 00:00)
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
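The budget and shedding rules that the Power over Ethernet introduction and this dialog describe, as an added worked example (this is not code from the manual or from the device): each port reserves power by the detected class of its powered device, or by its Power limit [W] when that limit is set and has not been exceeded by Max. consumption [W]; when the reserved total exceeds the budget, the device removes power from low-priority ports first and, among equal priorities, from the higher port numbers first. The class reservation values are the IEEE 802.3at maxima (class 0 = 15.4 W, as the manual states); the function names, field names and sample ports are this example's own.

```python
"""Added example: PoE budget reservation and priority shedding as described in
the PoE Global and PoE Port dialogs. Not the device's own code; names and
sample data are this example's assumptions."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Power the PSE reserves per detected class, in watts (IEEE 802.3at; class 0 = 15.4 W).
CLASS_RESERVATION_W = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4, 4: 30.0}
# Shedding rank: a higher rank is shed earlier ("low" goes first).
SHED_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass
class PoePort:
    number: int
    priority: str = "low"           # critical | high | low (default setting)
    detected_class: int = 0
    power_limit_w: float = 0.0      # 0.0 = no limit (default setting)
    max_consumption_w: float = 0.0  # highest power observed on the port so far
    poe_enabled: bool = True

    def reserved_w(self) -> float:
        """Reserved power: the Power limit if set and still valid (not exceeded by
        the observed maximum), otherwise the value for the detected class."""
        limit_valid = self.power_limit_w > 0.0 and self.max_consumption_w <= self.power_limit_w
        return self.power_limit_w if limit_valid else CLASS_RESERVATION_W[self.detected_class]


def shed_order(ports: Iterable[PoePort]) -> List[PoePort]:
    """Order in which the device turns off power: lowest priority first, then the
    higher port number first among ports of equal priority."""
    return sorted(ports, key=lambda p: (-SHED_RANK[p.priority], -p.number))


def allocate(ports: Iterable[PoePort], budget_w: float) -> Tuple[List[int], List[int]]:
    """Return (powered port numbers, shed port numbers in shedding order) for a budget."""
    active = [p for p in ports if p.poe_enabled]
    reserved_total = sum(p.reserved_w() for p in active)
    shed: List[int] = []
    for port in shed_order(active):
        if reserved_total <= budget_w + 1e-9:   # small tolerance for float rounding
            break
        reserved_total -= port.reserved_w()
        shed.append(port.number)
    powered = sorted(p.number for p in active if p.number not in shed)
    return powered, shed


def threshold_trap(delivered_w: float, budget_w: float, threshold_pct: int = 90) -> bool:
    """Threshold [%] rule of the PoE Global dialog: the device sends a trap when the
    delivered power exceeds threshold_pct of the budget (default setting 90)."""
    return delivered_w > budget_w * threshold_pct / 100.0


if __name__ == "__main__":
    # Constructed sample: a 60 W budget with one class-4 PD and three class-0 PDs,
    # where port 3 has a valid 5 W Power limit so only port 4 has to be shed.
    sample = [PoePort(1, "critical", 4), PoePort(2, "high", 3),
              PoePort(3, "low", 0, power_limit_w=5.0, max_consumption_w=3.2),
              PoePort(4, "low", 0)]
    print(allocate(sample, 60.0))   # ([1, 2, 3], [4])
```

Setting a Power limit on port 3 frees the difference between the class-0 reservation (15.4 W) and the limit for the other ports, which is exactly the redistribution the Power limit [W] parameter is meant for; once the observed maximum exceeds the limit, the limit counts as invalid and the class value applies again.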
1.10 Restart
This dialog allows you to restart the device, reset port counters and address tables, and delete log files.
Restart
Parameters Meaning
Restart in Displays the remaining time until the device restarts.
To update the display of the remaining time, click the button.
Cancel Aborts a delayed restart.
Cold start... Opens the Restart dialog to initiate an immediate or delayed restart of the device.
If the configuration profile in the volatile memory (RAM ) and the "Selected" configuration profile in
the non-volatile memory (NVM ) differ, the device displays the Warning dialog.
To permanently save the changes, click the Yes button in the Warning dialog.
To discard the changes, click No in the Warning dialog.
In the Restart in field you specify the delay time for the delayed restart.
Possible values:
– 00:00:00..596:31:23 (default setting: 00:00:00)
When the delay time elapsed, the device restarts and goes through the following phases:
The device performs a RAM test if this function is activated in the Diagnostics > System >
Selftest dialog.
The device starts the device software that the Stored version field displays in the Basic
Settings > Software dialog.
The device loads the settings from the "Selected" configuration profile. See the Basic
Settings > Load/Save dialog.
Note: During the restart, the device does not transfer any data. During this time, the device cannot
be accessed by the graphical user interface or other management systems.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Reset MAC address table Removes from the forwarding table the MAC addresses that have the value learned in the Status
column of the Switching > Filter for MAC Addresses dialog.
Reset ARP table Removes the dynamically set up addresses from the ARP table.
See the Diagnostics > System > ARP dialog.
Clear port statistics Resets the counter for the port statistics to 0.
See the Basic Settings > Port dialog, Statistics tab.
Reset IGMP snooping data Removes the IGMP Snooping entries and resets the counter in the Information frame to 0.
See the Switching > IGMP Snooping > Global dialog.
Delete log file Removes the logged events from the log file.
See the Diagnostics > Report > System Log dialog.
Delete persistent log file Removes the log files from the external memory.
See the Diagnostics > Report > Persistent Logging dialog.
Clear email notification statistics Resets the counters in the Information frame to 0.
See the Diagnostics > Email Notification > Global dialog.
2 Time
The device is equipped with a buffered hardware clock. This clock maintains the correct time if the power
supply fails or you disconnect the device from the power supply. After the device is started, the current
time is available to you, for example for log entries.
The hardware clock bridges a power supply downtime of 3 hours. The prerequisite is that the power
supply of the device has been connected continually for at least 5 minutes beforehand.
2.1 Basic Settings
In this dialog, you specify time-related settings independently of the time synchronization protocol
specified.
[Global ]
In this tab, you specify the system time in the device and the time zone.
Configuration
Parameters Meaning
System time (UTC) Displays the current date and time with reference to Universal Time Coordinated (UTC).
Set time from PC The device uses the time on the PC as the system time.
System time Displays the current date and time with reference to the local time: System time = System time
(UTC) + Local offset [min] + Daylight saving time
Time source Displays the time source from which the device gets the time information.
The device automatically selects the available time source with the greatest accuracy.
Possible values:
local
System clock of the device.
sntp
The SNTP client is activated and the device is synchronized by an SNTP server.
ptp
PTP is activated and the clock of the device is synchronized with a PTP master clock.
Local offset [min] Specifies the difference between the local time and System time (UTC) in minutes: Local
offset [min] = System time − System time (UTC)
Possible values:
-780..840 (default setting: 60)
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Daylight saving time]
Operation
Parameters Meaning
Daylight saving Enables/disables the Daylight saving time mode.
time
Possible values:
On
The Daylight saving time mode is enabled.
The device automatically changes between summertime and wintertime.
Off (default setting)
The Daylight saving time mode is disabled.
The times at which the device changes between summertime and wintertime are specified in the
Summertime begin and Summertime end frames.
Profile... Displays the Profile... dialog. There you select a pre-defined profile for the beginning and the
end of summertime. This profile overwrites the settings in the Summertime begin and
Summertime end frames.
Summertime begin
In the first 3 fields you specify the day for the beginning of summertime, and in the last field the time.
The device switches to summertime when the time in the System time field reaches the value
entered here.
Parameters Meaning
Week Specifies the week in the current month.
Possible values:
none (default setting)
first
second
third
fourth
last
Day Specifies the day of the week.
Possible values:
none (default setting)
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Month Specifies the month.
Possible values:
none (default setting)
January
February
March
April
May
June
July
August
September
October
November
December
System time Specifies the time.
Possible values:
<HH:MM> (default setting: 00:00)
Summertime end
In the first 3 fields you specify the day for the end of summertime, and in the last field the time.
The device switches to wintertime when the time in the System time field reaches the value entered
here.
Parameters Meaning
Week Specifies the week in the current month.
Possible values:
none (default setting)
first
second
third
fourth
last
Day Specifies the day of the week.
Possible values:
none (default setting)
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Month Specifies the month.
Possible values:
none (default setting)
January
February
March
April
May
June
July
August
September
October
November
December
System time Specifies the time.
Possible values:
<HH:MM> (default setting: 00:00)
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
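The Summertime begin and Summertime end rules of this tab (week, weekday, month, time) and the formula System time = System time (UTC) + Local offset [min] + Daylight saving time from the Global tab, carried through as an added worked example (not code from the manual or from the device). Two points are assumptions of this example rather than statements of the page: summertime adds one hour, and because the manual compares both rules against the System time field at the moment of switching, the begin rule is evaluated in standard local time and the end rule in summertime. Names and the sample rules are this example's own.

```python
"""Added example: resolving a (Week, Day, Month, HH:MM) switch-over rule into a
date for a given year, and computing the System time field from UTC, the Local
offset [min] and the summertime rules. Not the device's own code."""
import calendar
from datetime import datetime, timedelta
from typing import Tuple

WEEKS = {"first": 0, "second": 1, "third": 2, "fourth": 3, "last": -1}
DAYS = {d: i for i, d in enumerate(("Monday", "Tuesday", "Wednesday", "Thursday",
                                    "Friday", "Saturday", "Sunday"))}
MONTHS = {m: i + 1 for i, m in enumerate(("January", "February", "March", "April", "May", "June",
                                          "July", "August", "September", "October",
                                          "November", "December"))}
Rule = Tuple[str, str, str, str]   # (Week, Day, Month, "HH:MM") as entered in the dialog
DST_STEP = timedelta(hours=1)      # assumption: summertime is standard time plus one hour


def rule_to_datetime(year: int, rule: Rule) -> datetime:
    """Wall-clock instant at which a (week, day, month, time) rule fires in `year`.
    "last" picks the final occurrence of the weekday in the month."""
    week, day, month, hhmm = rule
    m = MONTHS[month]
    days_in_month = calendar.monthrange(year, m)[1]
    matching = [d for d in range(1, days_in_month + 1)
                if datetime(year, m, d).weekday() == DAYS[day]]
    day_of_month = matching[WEEKS[week]]
    hh, mm = (int(x) for x in hhmm.split(":"))
    return datetime(year, m, day_of_month, hh, mm)


def dst_active(standard_local: datetime, begin: Rule, end: Rule) -> bool:
    """True while summertime applies. The begin rule is compared against standard
    local time, the end rule against summertime (standard + 1 h). When the end rule
    falls earlier in the year than the begin rule (southern hemisphere), summertime
    spans the turn of the year."""
    b = rule_to_datetime(standard_local.year, begin)
    e = rule_to_datetime(standard_local.year, end)
    summer_local = standard_local + DST_STEP
    if b < e:
        return b <= standard_local and summer_local < e
    return b <= standard_local or summer_local < e


def system_time(utc: datetime, local_offset_min: int, dst_on: bool,
                begin: Rule, end: Rule) -> datetime:
    """The System time field: UTC + Local offset [min], plus one hour in summertime."""
    standard_local = utc + timedelta(minutes=local_offset_min)
    if dst_on and dst_active(standard_local, begin, end):
        return standard_local + DST_STEP
    return standard_local


def system_time_str(utc_iso: str, local_offset_min: int, dst_on: bool,
                    begin: Rule, end: Rule) -> str:
    """Same as system_time, with ISO 8601 strings ("YYYY-MM-DDTHH:MM") in and out."""
    result = system_time(datetime.fromisoformat(utc_iso), local_offset_min, dst_on, begin, end)
    return result.isoformat(timespec="minutes")


if __name__ == "__main__":
    # Constructed sample: the usual Central European rule with Local offset 60 min.
    eu_begin: Rule = ("last", "Sunday", "March", "02:00")
    eu_end: Rule = ("last", "Sunday", "October", "03:00")
    print(system_time_str("2024-03-31T00:59", 60, True, eu_begin, eu_end))  # 2024-03-31T01:59
    print(system_time_str("2024-03-31T01:00", 60, True, eu_begin, eu_end))  # 2024-03-31T03:00
```

A wrong rule here shifts every log entry by an hour twice a year, which is worth checking with a few boundary timestamps like the ones above before relying on the device's log times in an investigation.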
2.2 SNTP
The Simple Network Time Protocol (SNTP) is a procedure described in the RFC 4330 for time
synchronization in the network.
The device allows you to synchronize the system time in the device as an SNTP client. As the SNTP
server, the device makes the time information available to other devices.
The menu contains the following dialogs:
SNTP Client
SNTP Server
2.2.1 SNTP Client
In this dialog, you specify the settings with which the device operates as an SNTP client.
As an SNTP client the device obtains the time information from both SNTP servers and NTP servers
and synchronizes the local clock with the time of the time server.
Operation
Parameters Meaning
Operation Enables/disables the SNTP Client function of the device.
Possible values:
On
The SNTP Client function is enabled.
The device operates as an SNTP client.
Off (default setting)
The SNTP Client function is disabled.
Configuration
Parameters Meaning
Mode Specifies whether the device actively requests the time information from an SNTP server known
and configured in the network (Unicast mode) or passively waits for the time information from a
random SNTP server (Broadcast mode).
Possible values:
unicast (default setting)
The device takes the time information from the configured SNTP server exclusively. The
device sends Unicast requests to the SNTP server and evaluates its responses.
broadcast
The device obtains the time information from one or more SNTP or NTP servers. The device
evaluates the Broadcasts or Multicasts from these servers exclusively.
Request interval [s] Specifies the interval in seconds at which the device requests time information from the SNTP
server.
Possible values:
5..3600 (default setting: 30)
Broadcast recv timeout [s] Specifies the time in seconds a client in broadcast client mode waits before changing the value in
the State field from synchronizedToRemoteServer to notSynchronized when the client receives no
broadcast packets.
Possible values:
128..2048 (default setting: 320)
Disable client after successful sync Activates/deactivates the disabling of the SNTP client after the device has successfully
synchronized the time.
Possible values:
marked
The disabling of the SNTP client is active.
The device deactivates the SNTP client after successful time synchronization.
unmarked (default setting)
The disabling of the SNTP client is inactive.
The SNTP client remains active after successful time synchronization.
State
Parameters Meaning
State Displays the status of the SNTP client.
Possible values:
disabled
The SNTP client is disabled.
notSynchronized
The SNTP client is not synchronized with any SNTP or NTP server.
synchronizedToRemoteServer
The SNTP client is synchronized with an SNTP or NTP server.
Table
In the table you specify the settings for up to 4 SNTP servers.
Parameters Meaning
Index Displays the index number to which the table entry relates.
Possible values:
1..4
The device automatically assigns this number.
When you delete a table entry, this leaves a gap in the numbering. When you create a new table
entry, the device fills the first gap.
After starting, the device sends requests to the SNTP server configured in the first table entry. If
the server does not reply, the device sends its requests to the SNTP server configured in the next
table entry.
If none of the configured SNTP servers responds in the meantime, the SNTP client loses its
synchronization. The device cyclically sends requests to each SNTP server until a server delivers
a valid time. The device synchronizes itself with this SNTP server, even if the other servers can
be reached again later.
Name Specifies the name of the SNTP server.
Possible values:
Alphanumeric ASCII character string with 1..32 characters
Address Specifies the IP address of the SNTP server.
Possible values:
Valid IPv4 address or Hostname (default setting: 0.0.0.0)
Destination UDP port Specifies the UDP Port on which the SNTP server expects the time information.
Possible values:
1..65535 (default setting: 123)
Exception: Port 2222 is reserved for internal functions.
Status Displays the connection status between the SNTP client and the SNTP server.
Possible values:
success
The device has successfully synchronized the time with the SNTP server.
badDateEncoded
The time information received contains protocol errors - synchronization failed.
other
– The value 0.0.0.0 is entered for the IP address of the SNTP server - synchronization
failed.
or
– The SNTP client is using a different SNTP server.
requestTimedOut
The device has not received a reply from the SNTP server - synchronization failed.
serverKissOfDeath
The SNTP server is overloaded. The device is requested to synchronize itself with another
SNTP server. If no other SNTP server is available, the device asks at intervals longer than the
setting in the Request interval [s] field, whether the server is still overloaded.
serverUnsychronized
The SNTP server is not synchronized with either a local or an external reference clock -
synchronization failed.
versionNotSupported
The SNTP versions on the client and the server are incompatible with each other -
synchronization failed.
Active Activates/deactivates the connection to the SNTP server.
Possible values:
marked
The connection to the SNTP server is activated.
The SNTP client has access to the SNTP server.
unmarked (default setting)
The connection to the SNTP server is deactivated.
The SNTP client has no access to the SNTP server.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
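The SNTP exchange (RFC 4330) behind the Status values of the table above, as an added worked example that is not code from the manual or from the device: it builds the 48-byte client request, then classifies a server reply the way the Status column reports it (success, versionNotSupported, serverKissOfDeath, serverUnsychronized, badDateEncoded) and, on success, computes the clock offset. The checks themselves (mode, version, stratum 0 as kiss-o'-death, leap indicator 3, originate timestamp matching the request) follow RFC 4330; how each check maps onto the manual's status names is this example's assumption, as are the helper names. The replies are constructed in the block for offline use, not captured from a server.

```python
"""Added example: SNTP (RFC 4330) request construction and reply validation,
mapped onto the client Status values of this dialog. Not the device's own code."""
import struct
from typing import Optional, Tuple

NTP_UNIX_DELTA = 2208988800            # seconds from 1900-01-01 to 1970-01-01
HDR = struct.Struct("!BBbbII4sQQQQ")   # 48-byte SNTP header (RFC 4330, section 4)
KISS_CODES = {b"RATE": "rate exceeded", b"DENY": "access denied", b"RSTR": "access restricted"}


def to_ntp(unix: float) -> int:
    """Unix time (float seconds) -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix)
    frac = int((unix - secs) * 2**32)
    return ((secs + NTP_UNIX_DELTA) << 32) | frac


def to_unix(ts: int) -> float:
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / 2**32


def build_request(t1_unix: float, version: int = 4) -> bytes:
    """Client request: LI=0, VN=version, Mode=3. Only the Transmit Timestamp (T1)
    is filled in; a genuine reply echoes it in the Originate Timestamp field."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return HDR.pack(li_vn_mode, 0, 0, 0, 0, 0, b"\0" * 4, 0, 0, 0, to_ntp(t1_unix))


def build_reply(request: bytes, t2_unix: float, t3_unix: float, *, version: int = 4,
                stratum: int = 2, leap: int = 0, ref_id: bytes = b"GPS\0") -> bytes:
    """Server reply (Mode=4) to a request. Used here only to construct sample traffic;
    a real server fills T2/T3 from its own clock."""
    t1 = HDR.unpack(request)[10]                      # request Transmit Timestamp
    li_vn_mode = (leap << 6) | (version << 3) | 4
    return HDR.pack(li_vn_mode, stratum, 0, -20, 0, 0, ref_id,
                    to_ntp(t2_unix), t1, to_ntp(t2_unix), to_ntp(t3_unix))


def classify_reply(reply: bytes, request: bytes, t4_unix: float) -> Tuple[str, Optional[float]]:
    """Validate a unicast reply and name the outcome as the Status column does.
    On success also return the clock offset ((T2 - T1) + (T3 - T4)) / 2 in seconds."""
    if len(reply) < HDR.size:
        return "badDateEncoded", None                  # truncated packet
    (li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, ref_id,
     _ref_ts, t1, t2, t3) = HDR.unpack(reply[:HDR.size])
    li, vn, mode = li_vn_mode >> 6, (li_vn_mode >> 3) & 7, li_vn_mode & 7
    if vn not in (3, 4):
        return "versionNotSupported", None
    if mode != 4:
        return "badDateEncoded", None                  # not a server reply to a unicast request
    if stratum == 0:
        return "serverKissOfDeath", None               # kiss code is in ref_id, see kiss_code()
    if li == 3:
        return "serverUnsychronized", None             # LI=3: server clock not synchronized (spelled as the dialog shows it)
    if t1 != HDR.unpack(request)[10] or t3 == 0:
        return "badDateEncoded", None                  # originate mismatch (not a reply to our request) or no transmit time
    t1u, t2u, t3u = to_unix(t1), to_unix(t2), to_unix(t3)
    return "success", ((t2u - t1u) + (t3u - t4_unix)) / 2


def kiss_code(reply: bytes) -> str:
    """Human-readable kiss-o'-death code carried in the Reference Identifier."""
    ref_id = HDR.unpack(reply[:HDR.size])[6]
    return KISS_CODES.get(ref_id, ref_id.decode("ascii", "replace"))


if __name__ == "__main__":
    # Constructed sample exchange: request at T1, server stamps T2/T3, reply seen at T4.
    t1 = 1700000000.0
    req = build_request(t1)
    print(classify_reply(build_reply(req, t1 + 0.010, t1 + 0.011), req, t1 + 0.020))
    kod = build_reply(req, t1 + 0.010, t1 + 0.011, stratum=0, ref_id=b"RATE")
    print(classify_reply(kod, req, t1 + 0.020), kiss_code(kod))
```

The originate-timestamp comparison is the one check that ties a reply to the request the client actually sent; without it any host that can reach UDP port 123 of the client could hand it an arbitrary time, which is the kind of reply a client in Broadcast mode accepts by design.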
2.2.2 SNTP Server
In this dialog, you specify the settings with which the device operates as an SNTP server.
The SNTP server provides the Universal Time Coordinated (UTC) without considering local time
differences.
If configured accordingly, the SNTP server also operates in the broadcast mode: In broadcast mode, the
SNTP server automatically sends broadcast messages or multicast messages according to the
broadcast send interval.
Operation
Parameters Meaning
Operation Enables/disables the SNTP Server function of the device.
Possible values:
On
The SNTP Server function is enabled.
The device operates as an SNTP server.
Off (default setting)
The SNTP Server function is disabled.
Note the setting in the Disable server at local time source checkbox in the Configuration
frame.
Configuration
Parameters Meaning
UDP port Specifies the number of the UDP port on which the SNTP server of the device receives requests
from other clients.
Possible values:
1..65535 (default setting: 123)
Exception: Port 2222 is reserved for internal functions.
Broadcast admin mode Activates/deactivates the Broadcast mode:
marked
The SNTP server replies to requests from SNTP clients in Unicast mode and also sends SNTP
packets in Broadcast mode as Broadcasts or Multicasts.
unmarked (default setting)
The SNTP server replies to requests from SNTP clients in the Unicast mode.
Broadcast destination address Specifies the IP address to which the SNTP server of the device sends the SNTP packets in
Broadcast mode.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
Broadcast and Multicast addresses are permitted.
Broadcast UDP port Specifies the number of the UDP port on which the SNTP server sends the SNTP packets in
Broadcast mode.
Possible values:
1..65535 (default setting: 123)
Exception: Port 2222 is reserved for internal functions.
Broadcast VLAN ID Specifies the ID of the VLAN in which the SNTP server of the device sends the SNTP packets in
Broadcast mode.
Possible values:
0
The SNTP server sends the SNTP packets in the same VLAN in which the management
access to the device is possible. See the Basic Settings > Network dialog.
1..4042 (default setting: 1)
Broadcast send interval [s] Specifies the time interval at which the SNTP server of the device sends SNTP broadcast packets.
Possible values:
64..1024 (default setting: 128)
Disable server at local time source Activates/deactivates the disabling of the SNTP Broadcast server when the device is
synchronized to the local clock.
Possible values:
marked
The disabling of the SNTP Broadcast server is active.
The device disables the SNTP Broadcast server when the device is synchronized to the local
clock. The SNTP server continues to reply to requests from SNTP clients. In the SNTP packet,
the SNTP server informs the clients that it is synchronized locally.
unmarked (default setting)
The disabling of the SNTP Broadcast server is inactive.
The SNTP Broadcast server remains active when the device is synchronized to the local clock.
State
Parameters Meaning
State Displays the state of the SNTP server.
Possible values:
disabled
The SNTP server is disabled.
notSynchronized
The SNTP server is not synchronized with either a local or an external reference clock.
syncToLocal
The SNTP server is synchronized with the hardware clock of the device.
syncToRefclock
The SNTP server is synchronized with an external reference clock, for example PTP.
syncToRemoteServer
The SNTP server is synchronized with an SNTP server that is higher than the device in a
cascade.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
2.3 PTP
The Precision Time Protocol (PTP) is a procedure described in the IEEE 1588-2008 standard that
supplies the devices in the network with a precise time. The procedure enables the clocks in the network
to be synchronized to a degree of precision of just a few 100 ns. The protocol uses Multicast
communication, so the load on the network due to the PTP synchronization messages is negligible.
PTP is significantly more accurate than SNTP. If SNTP and PTP are enabled in the device at the same
time, then PTP has priority.
Using the “Best Master Clock” algorithm, the devices determine the devices in the network with the most
accurate time which are to be used as a reference time source (Grandmaster). Subsequently the
participating devices synchronize themselves with this reference time source.
If you want to transport PTP time accurately through your network, use devices with PTP hardware
support exclusively on the transport paths.
The protocol differentiates between the following clocks:
Boundary Clock (BC)
This clock has any number of PTP ports and operates as both PTP master and PTP slave. In its
respective network segment, the clock operates as an Ordinary Clock.
– As PTP slave, the clock synchronizes itself with a PTP master that is higher than the device in the
cascade.
– As PTP master, the clock forwards the time information via the network to PTP slaves that are
lower than the device in the cascade.
Transparent Clock (TC)
This clock has any number of PTP ports. In contrast to the Boundary Clock, this clock corrects the
time information before forwarding it, without synchronizing itself.
2.3.1 PTP Global
In this dialog, you specify basic settings for PTP.
Operation IEEE1588/PTP
Parameters Meaning
Operation Enables/disables the PTP function.
IEEE1588/PTP
Possible values:
On
The PTP function is enabled.
The device synchronizes its clock with PTP.
If SNTP is enabled in the device at the same time, PTP has priority.
Off (default setting)
The PTP function is disabled.
The device transmits the PTP synchronization messages without any correction at every port.
Configuration IEEE1588/PTP
Parameters Meaning
PTP mode Specifies the PTP version and mode of the local clock.
Possible values:
v2-transparent-clock (default setting)
v2-boundary-clock
Sync lower bound [ns] Specifies the lower threshold value in nanoseconds for the path difference between the local
clock and the reference time source (Grandmaster). If the path difference falls below this value one time,
then the local clock is classed as synchronized.
Possible values:
0..999999999 (default setting: 30)
Sync upper bound [ns] Specifies the upper threshold in nanoseconds for the path difference between the local clock
and the reference time source (Grandmaster). If the path difference exceeds this value one time, then
the local clock is classed as unsynchronized.
Possible values:
31..1000000000 (default setting: 5000)
PTP management Activates/deactivates the PTP management defined in the PTP standard.
Possible values:
marked
PTP management is activated.
unmarked (default setting)
PTP management is deactivated.
Status
Parameters Meaning
Is synchronized Displays whether the local clock is synchronized with the reference clock (Grandmaster).
The local clock is synchronized when the path difference between the local clock and the
reference clock (Grandmaster) falls below the synchronization lower threshold one time. This
status is kept until the path difference exceeds the synchronization upper threshold one time.
You specify the synchronization thresholds in the Configuration IEEE1588/PTP frame.
Max. offset absolute [ns] Displays the maximum path difference in nanoseconds that has occurred since the local
clock was synchronized with the reference clock (Grandmaster).
PTP time Displays the date and time for the PTP time scale when the local clock is synchronized with the
reference clock (Grandmaster). Format: Month Day, Year hh:mm:ss AM/PM
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
With this menu you can configure the Boundary Clock mode for the local clock.
The menu contains the following dialogs:
PTP Boundary Clock Global
PTP Boundary Clock Port
In this dialog, you enter general, cross-port settings for the Boundary Clock mode for the local clock.
The Boundary Clock (BC) operates according to PTP version 2 (IEEE 1588-2008).
The settings are effective when the local clock operates as the Boundary Clock (BC). For this, you select
in the Time > PTP > Global dialog in the PTP mode field the value v2-boundary-clock .
Operation IEEE1588/PTPv2 BC
Parameters Meaning
Priority 1 Specifies priority 1 for the port.
Possible values:
0..255 (default setting: 128)
The “Best Master Clock” algorithm first evaluates priority 1 of the participating devices in order to
determine the reference time source (Grandmaster).
The lower you set this value, the more probable it is that the device becomes the reference time
source (Grandmaster). See the Grandmaster frame.
Priority 2 Specifies priority 2 for the port.
Possible values:
0..255 (default setting: 128)
The “Best Master Clock” algorithm evaluates priority 2 of the participating devices if the previously
evaluated criteria are the same for multiple devices.
The lower you set this value, the more probable it is that the device becomes the reference time
source (Grandmaster). See the Grandmaster frame.
Domain number Assigns the device to a PTP domain.
Possible values:
0..255 (default setting: 0)
The device transmits time information from and to devices in the same domain exclusively.
Status IEEE1588/PTPv2 BC
Parameters Meaning
Two step Displays that the clock is operating in Two-Step mode.
Steps removed Displays the number of communication paths passed through between the local clock of the
device and the reference clock (Grandmaster).
For a PTP slave, the value 1 means that the clock is connected with the reference time source
(Grandmaster) directly via 1 communication path.
Offset to master [ns] Displays the measured difference (offset) between the local clock and the reference clock
(Grandmaster) in nanoseconds. The PTP slave calculates the difference from the time information
received.
In Two-Step mode the time information consists of 2 PTP synchronization messages each, which
the PTP master sends cyclically:
The first synchronization message (sync message) contains an estimated value for the exact
sending time of the message.
The second synchronization message (follow-up message) contains the exact sending time of
the first message.
The PTP slave uses the two PTP synchronization messages to calculate the difference (offset)
from the master and corrects its clock by this difference. Here the PTP slave also considers the
Delay to master [ns] .
Delay to master [ns] Displays the delay when transmitting the PTP synchronization messages from the PTP master to
the PTP slave in nanoseconds.
The PTP slave sends a “Delay Request” packet to the PTP master and thus determines the exact
sending time of the packet. When it receives the packet, the PTP master generates a time stamp
and sends this in a “Delay Response” packet back to the PTP slave. The PTP slave uses the two
packets to calculate the delay, and considers this starting from the next offset measurement.
The prerequisite is that the delay mechanism value of the slave ports is specified as e2e .
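The offset and delay calculation described in the Offset to master [ns] and Delay to master [ns] entries above, together with the synchronization thresholds of the Time > PTP > Global dialog, as an added example. This is illustrative code written for this manual page, not device firmware or a Hirschmann API; the four time stamps (t1..t4), the sample clock values and the function names are constructed for the example. The delay formula is the standard End-to-End calculation of IEEE 1588, which is what the manual's description of the Sync, Follow-up, Delay Request and Delay Response exchange amounts to.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class E2EMeasurement:
    """Time stamps of one two-step End-to-End measurement round, in nanoseconds.

    t1 and t4 are read from the master's clock, t2 and t3 from the slave's clock.
    """
    t1_sync_sent: int            # exact sending time of the Sync, delivered in the Follow-up
    t2_sync_received: int        # slave's receive time stamp of the Sync
    t3_delay_req_sent: int       # slave's sending time of the Delay Request
    t4_delay_req_received: int   # master's receive time stamp, returned in the Delay Response


def mean_path_delay_ns(m: E2EMeasurement) -> float:
    """Delay to master: half the round trip, so the unknown clock offset cancels out."""
    return ((m.t2_sync_received - m.t1_sync_sent)
            + (m.t4_delay_req_received - m.t3_delay_req_sent)) / 2


def offset_from_master_ns(m: E2EMeasurement) -> float:
    """Offset to master: Sync transit time minus the delay the slave has learned."""
    return (m.t2_sync_received - m.t1_sync_sent) - mean_path_delay_ns(m)


class SyncStatus:
    """Tracks the 'Is synchronized' flag with the two thresholds of the Global dialog."""

    def __init__(self, sync_lower_bound_ns: int = 30, sync_upper_bound_ns: int = 5000):
        if not 0 <= sync_lower_bound_ns <= 999_999_999:
            raise ValueError("Sync lower bound must be in 0..999999999")
        if not 31 <= sync_upper_bound_ns <= 1_000_000_000:
            raise ValueError("Sync upper bound must be in 31..1000000000")
        if sync_lower_bound_ns >= sync_upper_bound_ns:   # assumption: thresholds must not cross
            raise ValueError("lower bound must be below upper bound")
        self.lower = sync_lower_bound_ns
        self.upper = sync_upper_bound_ns
        self.is_synchronized = False
        self.max_offset_absolute_ns = 0   # "Max. offset absolute [ns]" since synchronization

    def update(self, offset_ns: float) -> bool:
        """Feed one measured offset; returns the new 'Is synchronized' state."""
        magnitude = abs(offset_ns)
        if self.is_synchronized:
            self.max_offset_absolute_ns = max(self.max_offset_absolute_ns, magnitude)
            if magnitude > self.upper:        # exceeded the upper threshold one time
                self.is_synchronized = False
        elif magnitude < self.lower:          # fell below the lower threshold one time
            self.is_synchronized = True
            self.max_offset_absolute_ns = magnitude
        return self.is_synchronized


def run_sync_sequence(offsets_ns, lower=30, upper=5000):
    """Apply a series of measured offsets and return the state after each one."""
    status = SyncStatus(lower, upper)
    return [status.update(o) for o in offsets_ns]


# Constructed sample round: the slave clock runs 2500 ns ahead of the master and
# the cable adds 1200 ns in each direction.
SAMPLE_ROUND = E2EMeasurement(
    t1_sync_sent=1_000_000_000,
    t2_sync_received=1_000_003_700,       # t1 + 2500 (offset) + 1200 (delay)
    t3_delay_req_sent=1_000_050_000,
    t4_delay_req_received=1_000_048_700,  # t3 - 2500 (offset) + 1200 (delay)
)

if __name__ == "__main__":
    print("delay  [ns]:", mean_path_delay_ns(SAMPLE_ROUND))     # 1200.0
    print("offset [ns]:", offset_from_master_ns(SAMPLE_ROUND))  # 2500.0
    print(run_sync_sequence([2500, 20, 4000, 6000, 10]))        # [False, True, True, False, True]
```

The sequence at the end shows the hysteresis the Is synchronized entry describes: a single offset below the lower bound sets the flag, and it stays set until a single offset exceeds the upper bound, so a reading of 4000 ns between the two thresholds does not change the state.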
Grandmaster
This frame displays the criteria that the “Best Master Clock” algorithm evaluates when determining the
reference clock (Grandmaster).
The algorithm first evaluates priority 1 of the participating devices. The device with the smallest value
for priority 1 becomes the reference time source (Grandmaster). If the value is the same for multiple
devices, the algorithm takes the next criterion, and if this is also the same, it takes the next criterion after
this one. If every value is the same for multiple devices, the smallest value in the Clock identity field
decides which device becomes the reference time source (Grandmaster).
The device allows you to influence which device in the network becomes the reference clock
(Grandmaster). To do this, you go to the Operation IEEE1588/PTPv2 BC frame and modify the value
in the Priority 1 field or the Priority 2 field.
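The comparison order this frame describes (Priority 1, Clock class, Clock accuracy, Clock variance, Priority 2, then the smallest Clock identity as tie breaker), as an added example. The code is written for this page and is not Hirschmann firmware; the clock names, MAC addresses and announce values are constructed sample data. The clock identity derivation follows the rule stated later in the Transparent Clock status frame (MAC address with ff fe inserted between byte 3 and byte 4).

```python
from dataclasses import dataclass, replace


def clock_identity_from_mac(mac: str) -> bytes:
    """Build the 8-byte PTP clock identity from a MAC address.

    The MAC address with the values ff and fe inserted between byte 3 and byte 4.
    """
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 6-byte MAC address such as 00:80:63:12:34:56")
    return octets[:3] + b"\xff\xfe" + octets[3:]


@dataclass(frozen=True)
class ClockDataSet:
    """The announced data of one PTP clock, in the order the BMCA evaluates it."""
    name: str                # label used by this example only, not a PTP field
    priority1: int           # 0..255, configurable; lower is better
    clock_class: int         # Clock class
    clock_accuracy: int      # Clock accuracy (enumeration code; lower is better)
    log_variance: int        # Clock variance (offset scaled log variance)
    priority2: int           # 0..255, configurable; lower is better
    clock_identity: bytes    # 8-byte clock identity, the final tie breaker

    def __post_init__(self):
        for label, value in (("priority1", self.priority1), ("priority2", self.priority2)):
            if not 0 <= value <= 255:
                raise ValueError(f"{label} must be in 0..255, got {value}")
        if len(self.clock_identity) != 8:
            raise ValueError("clock identity must be 8 bytes")

    def bmca_key(self) -> tuple:
        # Tuple comparison evaluates the criteria left to right and only looks
        # at the next criterion when all previous ones are equal.
        return (self.priority1, self.clock_class, self.clock_accuracy,
                self.log_variance, self.priority2, self.clock_identity)


def select_grandmaster(clocks) -> ClockDataSet:
    """Return the clock that the data set comparison picks as Grandmaster."""
    clocks = list(clocks)
    if not clocks:
        raise ValueError("no clocks to compare")
    return min(clocks, key=ClockDataSet.bmca_key)


def force_grandmaster(clocks, name: str, priority1: int):
    """Lower Priority 1 on one clock, as the Operation IEEE1588/PTPv2 BC frame allows."""
    return [replace(c, priority1=priority1) if c.name == name else c for c in clocks]


# Constructed sample data: two switches with free-running oscillators and one
# GPS-disciplined clock, all left at the default priority values (128).
SAMPLE_CLOCKS = [
    ClockDataSet("switch-a", 128, 248, 0xFE, 0xFFFF, 128,
                 clock_identity_from_mac("00:80:63:00:00:01")),
    ClockDataSet("gps-clock", 128, 6, 0x21, 0x4E5D, 128,
                 clock_identity_from_mac("00:80:63:00:00:02")),
    ClockDataSet("switch-b", 128, 248, 0xFE, 0xFFFF, 128,
                 clock_identity_from_mac("00:80:63:00:00:03")),
]

if __name__ == "__main__":
    print("default :", select_grandmaster(SAMPLE_CLOCKS).name)                                 # gps-clock
    print("forced  :", select_grandmaster(force_grandmaster(SAMPLE_CLOCKS, "switch-a", 64)).name)  # switch-a
    without_gps = [c for c in SAMPLE_CLOCKS if c.name != "gps-clock"]
    print("identity:", select_grandmaster(without_gps).name)                                   # switch-a
```

With equal priorities the better Clock class of the GPS clock wins; lowering Priority 1 on switch-a overrides that, which is exactly why an operator should keep Priority 1 at the default on devices that are not meant to be the time source. Without the GPS clock the two switches tie on every criterion and the smaller Clock identity decides.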
Parameters Meaning
Priority 1 Displays priority 1 for the device that is currently the reference time source (Grandmaster).
Clock class Class of the reference clock (Grandmaster).
Parameter for the Best Master Clock algorithm.
Clock accuracy Estimated accuracy of the reference clock (Grandmaster).
Parameter for the Best Master Clock algorithm.
Clock variance Variance of the reference clock, also known as the “offset scaled log variance”.
Parameter for the Best Master Clock algorithm.
Priority 2 Displays priority 2 for the device that is currently the reference time source (Grandmaster).
Time source Specifies the time source from which the local clock gets its time information.
Possible values:
atomicClock
gps
terrestrialRadio
ptp
ntp
handSet
other
internalOscillator (default setting)
UTC offset [s] Specifies the difference between the PTP time scale and the UTC.
See the PTP timescale checkbox.
Possible values:
-32768..32767
Note: The default setting is the value valid on the creation date of the device software.
You can find further information in the "Bulletin C" of the Earth Rotation and Reference Systems
Service (IERS): http://www.iers.org/IERS/EN/Publications/Bulletins/bulletins.html
UTC offset valid Specifies whether the value specified in the UTC offset [s] field is correct.
Possible values:
marked
unmarked (default setting)
Time traceable Displays whether the device gets the time from a primary UTC reference, for example from an
NTP server.
Possible values:
marked
unmarked
Frequency traceable Displays whether the device gets the frequency from a primary UTC reference, for example from
an NTP server.
Possible values:
marked
unmarked
PTP timescale Displays whether the device uses the PTP time scale.
Possible values:
marked
unmarked
According to IEEE 1588, the PTP time scale is the TAI atomic time started on 01.01.1970.
In contrast to UTC, TAI does not use leap seconds.
On 01.01.2011, the difference between TAI and UTC was +34 seconds.
Identities
Parameters Meaning
Clock identity Displays the device’s own identification number (UUID).
Parent port identity Displays the port identification number (UUID) of the directly superior master device.
Grandmaster identity Displays the identification number (UUID) of the reference clock device.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
In this dialog, you specify the Boundary Clock (BC) settings on each individual port.
The settings are effective when the local clock operates as the Boundary Clock (BC). For this, you select
in the Time > PTP > Global dialog in the PTP mode field the value v2-boundary-clock .
Table
Parameters Meaning
Port Displays the port number.
PTP enable Activates/deactivates PTP synchronization message transmission on the port.
Possible values:
marked (default setting)
The transmission is activated. The port sends and receives PTP synchronization messages.
unmarked
The transmission is deactivated. The port blocks PTP synchronization messages.
PTP status Displays the current status of the port.
Possible values:
initializing
Initialization phase
faulty
Faulty mode: error in the PTP protocol.
disabled
PTP is disabled on the port.
listening
Device port is waiting for PTP synchronization messages.
pre-master
PTP pre-master mode
master
PTP master mode
passive
PTP passive mode
uncalibrated
PTP uncalibrated mode
slave
PTP slave mode
Sync interval Specifies the interval in seconds at which the port transmits PTP synchronization messages.
Possible values:
0.25
0.5
1 (default setting)
2
Delay mechanism Specifies the mechanism with which the device measures the delay for transmitting the PTP
synchronization messages.
Possible values:
disabled
The measurement of the delay for the PTP synchronization messages for the connected PTP
devices is inactive.
e2e (default setting)
End-to-end: As the PTP slave, the port measures the delay for the PTP synchronization
messages to the PTP master.
The device displays the measured value in the Time > PTP > Boundary Clock > Global
dialog.
p2p
Peer-to-peer: The device measures the delay for the PTP synchronization messages for the
connected PTP devices, provided that these devices support P2P.
This mechanism saves the device from having to determine the delay again in the case of a
reconfiguration.
P2P delay Displays the measured Peer-to-Peer delay for the PTP synchronization messages.
The prerequisite is that you select the value p2p in the Delay mechanism column.
P2P delay interval [s] Specifies the interval in seconds at which the port measures the Peer-to-Peer delay.
The prerequisite is that you have specified the value p2p on this port and on the port of the remote
terminal.
Possible values:
1 (default setting)
2
4
8
16
32
Network protocol Specifies which protocol the port uses to transmit the PTP synchronization messages.
Possible values:
IEEE 802.3 (default setting)
UDP/IPv4
Announce interval [s] Specifies the interval in seconds at which the port transmits messages for the PTP topology
discovery.
Assign the same value to every device of a PTP domain.
Possible values:
1
2 (default setting)
4
8
16
Announce timeout Specifies the number of announce intervals.
Example:
For the default setting (Announce interval [s] = 2 and Announce timeout = 3), the timeout is
3 x 2 s = 6 s.
Possible values:
2..10 (default setting: 3)
Assign the same value to every device of a PTP domain.
E2E delay interval [s] Displays the interval in seconds at which the port measures the End-to-End delay:
If the port is operating as the PTP master, the device assigns the port the value 8.
If the port is operating as the PTP slave, the value is specified by the PTP master connected
to the port.
V1 hardware compatibility Specifies whether the port adjusts the length of the PTP synchronization messages when you
have set in the Network protocol column the value udpIpv4 .
It is possible that other devices in the network expect the PTP synchronization messages to be
the same length as PTPv1 messages.
Possible values:
auto (default setting)
The device automatically detects whether other devices in the network expect the PTP
synchronization messages to be the same length as PTPv1 messages. If this is the case, the
device extends the length of the PTP synchronization messages before transmitting them.
on
The device extends the length of the PTP synchronization messages before transmitting them.
off
The device transmits PTP synchronization messages without changing the length.
Asymmetry Corrects the measured delay value corrupted by asymmetrical transmission paths.
Possible values:
-2000000000..2000000000 (default setting: 0)
The value represents the delay symmetry in nanoseconds.
A measured delay value of x ns corresponds to an asymmetry of x·2 ns.
The value is positive if the delay from the PTP master to the PTP slave is longer than in the
opposite direction.
VLAN Specifies the VLAN ID with which the device marks the PTP synchronization messages on this
port.
Possible values:
none (default setting)
The device transmits PTP synchronization messages without a VLAN tag.
0..4042
You specify VLANs that you have already set up in the device from the list.
Verify that the port is a member of the VLAN.
See the Switching > VLAN > Configuration dialog.
VLAN priority Specifies the priority with which the device transmits the PTP synchronization messages marked
with a VLAN ID (Layer 2, IEEE 802.1D).
Possible values:
0..7 (default setting: 4)
If you have specified in the VLAN column the value none , the device ignores the VLAN priority.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
With this menu you can configure the Transparent Clock mode for the local clock.
The menu contains the following dialogs:
PTP Transparent Clock Global
PTP Transparent Clock Port
In this dialog, you enter general, cross-port settings for the Transparent Clock mode for the local clock.
The Transparent Clock (TC) operates according to PTP version 2 (IEEE 1588-2008).
The settings are effective when the local clock operates as the Transparent Clock (TC). For this, you
select in the Time > PTP > Global dialog in the PTP mode field the value v2-transparent-clock .
Operation IEEE1588/PTPv2 TC
Parameters Meaning
Delay mechanism Specifies the mechanism with which the device measures the delay for transmitting the PTP
synchronization messages.
Possible values:
e2e (default setting)
As the PTP slave, the port measures the delay for the PTP synchronization messages to the
PTP master.
The device displays the measured value in the Time > PTP > Transparent Clock > Global
dialog.
p2p
The device measures the delay for the PTP synchronization messages for every connected
PTP device, provided that the device supports P2P.
This mechanism saves the device from having to determine the delay again in the case of a
reconfiguration.
If you specify this value, the value IEEE 802.3 is exclusively available in the Network
protocol field.
e2e-optimized
Like e2e , with the following special characteristics:
– The device transmits the delay requests of the PTP slaves solely to the PTP master, even
though these requests are multicast messages. The device thus spares the other devices
from unnecessary multicast requests.
– If the master-slave topology changes, the device relearns the port for the PTP master as
soon as it receives a synchronization message from another PTP master.
– If the device does not know a PTP master, it transmits delay requests to the ports.
disabled
The delay measuring is disabled on the port. The device discards messages for the delay
measuring.
Primary domain Assigns the device to a PTP domain.
Possible values:
0..255 (default setting: 0)
The device transmits time information from and to devices in the same domain exclusively.
Network protocol Specifies which protocol the port uses to transmit the PTP synchronization messages.
Possible values:
ieee8023 (default setting)
udpIpv4
Multi domain mode Activates/deactivates the PTP synchronization message correction in every PTP domain.
Possible values:
marked
The device corrects PTP synchronization messages in every PTP domain.
unmarked (default setting)
The device corrects PTP synchronization messages in the primary PTP domain exclusively.
See the Primary domain field.
VLAN ID Specifies the VLAN ID with which the device marks the PTP synchronization messages on this
port.
Possible values:
none (default setting)
The device transmits PTP synchronization messages without a VLAN tag.
0..4042
You specify VLANs that you have already set up in the device from the list.
VLAN priority Specifies the priority with which the device transmits the PTP synchronization messages marked
with a VLAN ID (Layer 2, IEEE 802.1D).
Possible values:
0..7 (default setting: 4)
If you have specified the value none in the VLAN ID field the device ignores the specified value.
Local synchronization
Parameters Meaning
Syntonize Activates/deactivates the frequency synchronization of the Transparent Clock with the PTP
master.
Possible values:
marked (default setting)
The frequency synchronization is active.
The device synchronizes the frequency.
unmarked
The frequency synchronization is inactive.
The frequency remains constant.
Synchronize local clock Activates/deactivates the synchronization of the local system time.
Possible values:
marked
The synchronization is active.
The device synchronizes the local system time with the time received via PTP. The
prerequisite is that the Syntonize checkbox is marked.
unmarked (default setting)
The synchronization is inactive.
The local system time remains constant.
Current master Displays the port identification number (UUID) of the master device on which the device
synchronizes its frequency.
If the value contains zeros exclusively, this is because:
The Syntonize function is disabled.
or
The device cannot find a PTP master.
Offset to master [ns] Displays the measured difference (offset) between the local clock and the PTP master in
nanoseconds. The device calculates the difference from the time information received.
The prerequisite is that the Synchronize local clock function is enabled.
Delay to master [ns] Displays the delay when transmitting the PTP synchronization messages from the PTP master to
the PTP slave in nanoseconds.
Prerequisite:
The Synchronize local clock function is enabled.
In the Delay mechanism field, the value e2e is selected.
Status IEEE1588/PTPv2 TC
Parameters Meaning
Clock identity Displays the device’s own identification number (UUID).
The device displays the identities as byte sequences in hexadecimal notation.
The device identification number consists of the MAC address of the device, with the values ff
and fe added between byte 3 and byte 4.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
In this dialog, you specify the Transparent Clock (TC) settings on each individual port.
The settings are effective when the local clock operates as the Transparent Clock (TC). For this, you
select in the Time > PTP > Global dialog in the PTP mode field the value v2-transparent-clock .
Table
Parameters Meaning
Port Displays the port number.
PTP enable Activates/deactivates the transmitting of PTP synchronization messages on the port.
Possible values:
marked (default setting)
The transmitting is active.
The port sends and receives PTP synchronization messages.
unmarked
The transmitting is inactive.
The port blocks PTP synchronization messages.
P2P delay interval [s] Specifies the interval in seconds at which the port measures the Peer-to-Peer delay.
The prerequisite is that you specify the value p2p on this port and on the port of the remote
terminal. See the Delay mechanism option list in the Time > PTP > Transparent Clock >
Global dialog.
Possible values:
1 (default setting)
2
4
8
16
32
P2P delay Displays the measured Peer-to-Peer delay for the PTP synchronization messages.
The prerequisite is that you select in the Delay mechanism option list the radio button p2p . See
the Delay mechanism field in the Time > PTP > Transparent Clock > Global dialog.
Asymmetry Corrects the measured delay value corrupted by asymmetrical transmission paths.
Possible values:
-2000000000..2000000000 (default setting: 0)
The value represents the delay symmetry in nanoseconds.
A measured delay value of x ns corresponds to an asymmetry of x·2 ns.
The value is positive if the delay from the PTP master to the PTP slave is longer than in the
opposite direction.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
3 Device Security
The device allows users to access its management exclusively when they log in with valid login data.
In this dialog you manage the users of the local user management. You also specify the following
settings here:
Settings for the login
Settings for saving the passwords
Specify policy for valid passwords
The methods that the device uses for the authentication you specify in the Device Security >
Authentication List dialog.
Configuration
This frame allows you to specify settings for the login.
Parameters Meaning
Login attempts Number of login attempts possible.
Possible values:
0..5 (default setting: 0)
If the user makes one more unsuccessful login attempt, the device locks access for the user.
Only users with the administrator authorization can remove the lock.
The value 0 deactivates the lock. The user has unlimited attempts to log in.
Min. password length The device accepts the password if it contains at least the number of characters specified here.
The device checks the password according to this setting, regardless of the setting for the Policy
check checkbox.
Possible values:
1..64 (default setting: 6)
Password policy
This frame allows you to specify the policy for valid passwords. The device checks every new
password and password change according to this policy.
The settings affect the Password column. The prerequisite is that you mark the checkbox in the
Policy check column.
Parameters Meaning
Upper-case characters (min.) The device accepts the password if it contains at least as many upper-case letters as
specified here.
Possible values:
0..16 (default setting: 1)
The value 0 deactivates this setting.
Lower-case characters (min.) The device accepts the password if it contains at least as many lower-case letters as
specified here.
Possible values:
0..16 (default setting: 1)
The value 0 deactivates this setting.
Digits (min.) The device accepts the password if it contains at least as many numbers as specified here.
Possible values:
0..16 (default setting: 1)
The value 0 deactivates this setting.
Special characters (min.) The device accepts the password if it contains at least as many special characters as
specified here.
Possible values:
0..16 (default setting: 1)
The value 0 deactivates this setting.
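The checks of the Configuration and Password policy frames, as an added example that is not part of the manual or the device software. It applies the minimum length unconditionally and the four character-class minimums only when the Policy check flag is set, and it restricts the character set to the one listed for the Password column of the user table below (a..z, A..Z, 0..9 and the listed special characters, 6..64 characters). The function and class names are this example's own.

```python
import string
from dataclasses import dataclass

# Allowed characters, as listed for the Password column of the user table.
ALLOWED_SPECIAL = "#$%&'()*+,-./:;<=>?@_`"
ALLOWED_CHARACTERS = frozenset(string.ascii_letters + string.digits + ALLOWED_SPECIAL)
MAX_PASSWORD_LENGTH = 64


@dataclass(frozen=True)
class PasswordPolicy:
    """Settings of the Configuration and Password policy frames (defaults as on the page)."""
    min_length: int = 6      # Min. password length, 1..64; always enforced
    min_upper: int = 1       # Upper-case characters (min.), 0..16; 0 deactivates
    min_lower: int = 1       # Lower-case characters (min.), 0..16; 0 deactivates
    min_digits: int = 1      # Digits (min.), 0..16; 0 deactivates
    min_special: int = 1     # Special characters (min.), 0..16; 0 deactivates

    def __post_init__(self):
        if not 1 <= self.min_length <= 64:
            raise ValueError("Min. password length must be in 1..64")
        for name in ("min_upper", "min_lower", "min_digits", "min_special"):
            if not 0 <= getattr(self, name) <= 16:
                raise ValueError(f"{name} must be in 0..16")


def check_password(password: str, policy: PasswordPolicy = PasswordPolicy(),
                   policy_check: bool = True) -> list:
    """Return the reasons the password would be rejected; an empty list means accepted."""
    problems = []
    disallowed = sorted(set(password) - ALLOWED_CHARACTERS)
    if disallowed:
        problems.append(f"disallowed characters: {''.join(disallowed)!r}")
    # The minimum length is checked regardless of the Policy check checkbox.
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > MAX_PASSWORD_LENGTH:
        problems.append(f"longer than {MAX_PASSWORD_LENGTH} characters")
    if policy_check:
        requirements = (
            ("upper-case characters", policy.min_upper, string.ascii_uppercase),
            ("lower-case characters", policy.min_lower, string.ascii_lowercase),
            ("digits", policy.min_digits, string.digits),
            ("special characters", policy.min_special, ALLOWED_SPECIAL),
        )
        for label, minimum, alphabet in requirements:
            if minimum == 0:          # the value 0 deactivates this setting
                continue
            found = sum(c in alphabet for c in password)
            if found < minimum:
                problems.append(f"needs at least {minimum} {label}, found {found}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; none of them is a real credential.
    for candidate in ("Switch#1", "switch#1", "Ab#1", "Switch 1!"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

Note that with Policy check unmarked a seven-character all-lower-case password still passes, because only the minimum length is enforced in that case; raising Min. password length is the one knob that applies to every account regardless of the per-user flag.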
Table
Every user requires an active user account to gain management access to the device. The table
allows you to set up and manage user accounts.
To change settings, click the desired parameter in the table and modify the value.
Parameters Meaning
User name Displays the name of the user account.
To create a new user account, click the button.
Active Activates/deactivates the user account.
Possible values:
marked
The user account is active. The device accepts the login of a user with this user name.
unmarked (default setting)
The user account is inactive. The device rejects the login of a user with this user name.
When one user account exists with the administrator access role, this user account is always
active.
Password Displays ***** (asterisks) instead of the password with which the user logs in. To change the
password, click the relevant field.
Possible values:
Alphanumeric ASCII character string with 6..64 characters
The following characters are allowed:
– a..z
– A..Z
– 0..9
– #$%&'()*+,-./:;<=>?@_`
The minimum length of the password is specified in the Configuration frame. The device
differentiates between upper and lower case.
If the checkbox in the Policy check column is marked, the device checks the password
according to the policy specified in the Password policy frame.
The device always checks the minimum length of the password, even if the checkbox in the
Policy check column is unmarked.
Role Specifies the user role that regulates the access of the user to the individual functions of the
device.
Possible values:
unauthorized
The user is blocked, and the device rejects the user log on.
Assign this value to temporarily lock the user account. If an error occurs when another role is
being assigned, the device assigns this role to the user account.
guest (default setting)
The user is authorized to monitor the device.
auditor
The user is authorized to monitor the device and to save the log file in the Diagnostics >
Report > Audit Trail dialog.
operator
The user is authorized to monitor the device and to change the settings – with the exception
of security settings for device access.
administrator
The user is authorized to monitor the device and to change the settings.
The device assigns the Service Type transferred in the response of a RADIUS server as follows
to a user role:
– Administrative-User: administrator
– Login-User: operator
– NAS-Prompt-User: guest
User locked Unlocks the user account.
Possible values:
marked
The user account is locked. The user has no management access to the device.
The device automatically locks a user if the user makes too many unsuccessful login attempts.
unmarked (grayed out) (default setting)
The user account is unlocked. The user has management access to the device.
Policy check Activates/deactivates the password check.
Possible values:
marked
The password check is activated.
When you set up or change the password, the device checks the password according to the
policy specified in the Password policy frame.
unmarked (default setting)
The password check is deactivated.
SNMP auth type Specifies the authentication protocol that the device applies for user access via SNMPv3.
Possible values:
hmacmd5 (default value)
For this user account, the device uses protocol HMACMD5.
hmacsha
For this user account, the device uses protocol HMACSHA.
SNMP encryption type Specifies the encryption protocol that the device applies for user access via SNMPv3.
Possible values:
none
No encryption
des (default value)
DES encryption
aesCfb128
AES128 encryption
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the User name field, you specify the name of the user account.
Possible values:
– Alphanumeric ASCII character string with 1..32 characters
In this dialog you manage the authentication lists. In an authentication list you specify which method the
device uses for the authentication. You also have the option to assign pre-defined applications to the
authentication lists.
The device allows users to access its management exclusively when they log in with valid login data.
The device authenticates the users using the following methods:
User management of the device
LDAP
RADIUS
With the port-based access control according to IEEE 802.1X, the device allows connected end devices
to access the network if they log in with valid login data. The device authenticates the end devices using
the following methods:
RADIUS
IAS (Integrated Authentication Server)
In the default setting the following authentication lists are available:
defaultDot1x8021AuthList
defaultLoginAuthList
defaultV24AuthList
Table
Parameters Meaning
Name Displays the name of the list.
To create a new list, click the button.
Possible values:
Alphanumeric ASCII character string with 1..32 characters
Policy 1, Policy 2, Policy 3, Policy 4, Policy 5 Specifies the authentication policy that the device uses for access
using the application specified in the Dedicated applications column.
The device gives you the option of a fall-back solution. For this, you specify another policy in each
of the policy fields. Depending on the order of the values entered in each policy, if the
authentication with the specified policy is unsuccessful, the device can use the next policy.
Possible values:
local (default setting)
The device authenticates the users by using the local user management. See the Device
Security > User Management dialog.
You cannot assign this value to the authentication list defaultDot1x8021AuthList.
radius
The device authenticates the users with a RADIUS server in the network. You specify the
RADIUS server in the Network Security > RADIUS > Authentication Server dialog.
reject
The device accepts or rejects the authentication depending on which policy you try first. The
following list contains authentication scenarios:
– If the first policy in the authentication list is local and the device accepts the credentials
of the user, then it logs the user in without attempting the other policies.
– If the first policy in the authentication list is local and the device denies the credentials of
the user, then it attempts to log the user in using the other policies in the order specified.
– If the first policy in the authentication list is radius or ldap and the device rejects a login,
then the login is immediately rejected without attempting to log the user in using another
policy.
If there is no response from the RADIUS or LDAP server, the device attempts to
authenticate the user with the next policy.
– If the first policy in the authentication list is reject , then the device immediately rejects
the user login without attempting another policy.
– Verify that the authentication list defaultV24AuthList contains at least one policy
different from reject .
ias
The device authenticates the end devices logging in via 802.1X with the integrated
authentication server (IAS). The integrated authentication server manages the log in data in a
separate database. See the Network Security > 802.1X Port Authentication >
Integrated Authentication Server dialog.
You can only assign this value to the authentication list defaultDot1x8021AuthList.
ldap
The device authenticates the users with authentication data and access role saved in a central
location. You specify the Active Directory server that the device uses in the Network
Security > LDAP > Configuration dialog.
Dedicated applications Displays the dedicated applications. When users access the device with the relevant
application, the device uses the specified policies for the authentication.
To allocate another application to the list or remove the allocation, click the button and then
the Allocate applications item. Allocate one application solely to one list.
Active Activates/deactivates the list.
Possible values:
marked
The list is activated. The device uses the policies in this list when users access the device with
the relevant application.
unmarked (default setting)
The list is deactivated.
Note: If the table does not contain a list, the management access is possible using CLI through the
V.24 interface of the device exclusively. In this case, the device authenticates the user by using the
local user management. See the Device Security > User Management dialog.
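The fall-through rules of the Policy 1 to Policy 5 fields, as an added example that is not part of the manual or the device software. It walks a list of policies with the semantics the scenarios above describe: a local deny continues with the next policy, a RADIUS or LDAP reject ends the login, no response from a server moves on to the next policy, and reject ends the login at once. The local stand-in also implements the Login attempts lock from the User Management dialog (the lock engages on the attempt after the configured number, 0 deactivates it). The RADIUS and LDAP servers are constructed stubs with a fixed answer; all names, users and passwords are sample data.

```python
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"
    DENY = "deny"
    NO_RESPONSE = "no response"   # server unreachable; only RADIUS/LDAP produce this


@dataclass
class LocalUserStore:
    """Stand-in for the local user management, including the Login attempts lock."""
    passwords: dict                        # user name -> password (constructed sample data)
    login_attempts: int = 0                # 0..5; 0 deactivates the lock
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def __post_init__(self):
        if not 0 <= self.login_attempts <= 5:
            raise ValueError("Login attempts must be in 0..5")

    def authenticate(self, user: str, password: str) -> Outcome:
        if user in self.locked or self.passwords.get(user) != password:
            self._record_failure(user)
            return Outcome.DENY
        self.failures.pop(user, None)
        return Outcome.ACCEPT

    def _record_failure(self, user: str) -> None:
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        # The lock engages on the attempt after the configured number of attempts.
        if self.login_attempts and count > self.login_attempts:
            self.locked.add(user)

    def unlock(self, user: str) -> None:
        """Administrator action: clear the User locked flag."""
        self.locked.discard(user)
        self.failures.pop(user, None)


@dataclass
class StubServer:
    """Constructed RADIUS/LDAP stand-in that always gives the same answer."""
    outcome: Outcome

    def authenticate(self, user: str, password: str) -> Outcome:
        return self.outcome


def evaluate_auth_list(policies, backends, user: str, password: str) -> str:
    """Walk Policy 1..Policy 5 in order and return 'accepted' or 'rejected'."""
    if len(policies) > 5:
        raise ValueError("an authentication list has at most five policies")
    for policy in policies:
        if policy == "reject":
            return "rejected"                  # reject ends the login immediately
        outcome = backends[policy].authenticate(user, password)
        if outcome is Outcome.ACCEPT:
            return "accepted"
        if policy == "local":
            continue                           # local deny: try the next policy
        if outcome is Outcome.DENY:
            return "rejected"                  # radius/ldap reject: no further policy
        # NO_RESPONSE from radius/ldap: fall through to the next policy
    return "rejected"                          # no policy accepted the login


def make_sample_backends(login_attempts: int = 2) -> dict:
    """Fresh set of backends: one local account, an unreachable RADIUS, a denying LDAP."""
    return {
        "local": LocalUserStore({"admin": "Switch#1"}, login_attempts=login_attempts),
        "radius": StubServer(Outcome.NO_RESPONSE),
        "ldap": StubServer(Outcome.DENY),
    }


if __name__ == "__main__":
    b = make_sample_backends()
    print(evaluate_auth_list(["local", "radius"], b, "admin", "Switch#1"))          # accepted
    print(evaluate_auth_list(["ldap", "local"], b, "admin", "Switch#1"))            # rejected
    for _ in range(3):
        evaluate_auth_list(["local"], b, "admin", "wrong")
    print("locked:", "admin" in b["local"].locked)                                   # True
```

The second call shows why the order matters: with ldap first, a reject from the LDAP server ends the login even though the local account would have accepted it, and the local store is never consulted. This is also the reason the page insists that defaultV24AuthList keeps at least one policy other than reject.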
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Do not move the entry WebInterface to the left field. Otherwise the connection to the device is
lost, after you click the Ok button.
3.3 LDAP
The Lightweight Directory Access Protocol (LDAP) allows you to authenticate and authorize the users
at a central point in the network. A widely used directory service accessible through LDAP is Active
Directory®.
The device forwards the login data of the user to the authentication server using the LDAP protocol.
The authentication server decides whether the login data is valid and transfers the user’s authorizations
to the device.
Upon successful logon, the device saves the logon data temporarily in its cache. This speeds up the
logon process when the user logs on again, because no complex LDAP search operation is necessary.
The menu contains the following dialogs:
LDAP Configuration
LDAP Role Mapping
3.3.1 LDAP Configuration
This dialog allows you to specify up to 4 authentication servers. An authentication server authenticates
and authorizes the users when the device forwards the login data to the server.
The device sends the logon data to the first authentication server. If no response comes from this
server, the device contacts the next server in the table.
Operation
Parameters Meaning
Operation Enables/disables the LDAP client.
The device uses the LDAP client if, in the Device Security > Authentication List dialog, you
specify the value ldap in one of the rows Policy 1 to Policy 5. Before you do this, specify in the Device
Security > LDAP > Role Mapping dialog at least one mapping for the role administrator. This
ensures that you still have access to the device as administrator after logging on through LDAP.
Possible values:
On
The LDAP client is enabled.
Off (default setting)
The LDAP client is disabled.
Configuration
Parameters Meaning
Client cache timeout [min] Specifies for how many minutes after successfully logging on the logon data of a user remain valid.
When a user logs on again within this time, no complex LDAP search operation is necessary. The
logon process is much faster.
Possible values:
1..1440 (default setting: 10)
Bind user Specifies the user ID in the form of the “Distinguished Name” (DN) with which the device logs on
to the LDAP server.
This information is necessary if the LDAP server requires a user ID in the form of the
“Distinguished Name” (DN) for the log on. In Active Directory environments, this information is
unnecessary.
The device logs on to the LDAP server with the user ID to find the “Distinguished Name” (DN) for
the users logging on. The device conducts the search according to the settings in the fields Base
DN and User name attribute .
Possible values:
Alphanumeric ASCII character string with 0..64 characters
Bind user password Specifies the password which the device uses together with the user ID specified in the Bind user
field when logging on to the LDAP server.
Possible values:
Alphanumeric ASCII character string with 0..64 characters
Base DN Specifies the starting point for the search in the directory tree in the form of the “Distinguished
Name” (DN).
Possible values:
Alphanumeric ASCII character string with 0..255 characters
User name attribute Specifies the LDAP attribute which contains a unique user name. Afterwards, the user uses the
user name contained in this attribute to log on.
The LDAP attributes userPrincipalName, mail, sAMAccountName and uid often contain a unique
user name.
The device adds the character string specified in the Default domain field to the user name
under the following condition:
– The user name contained in the attribute does not contain the @ character.
– In the Default domain field, a domain name is specified.
Possible values:
Alphanumeric ASCII character string with 0..64 characters
(default setting: userPrincipalName)
Default domain Specifies the character string which the device adds to the user name of users logging on if the user
name does not contain the @ character.
Possible values:
Alphanumeric ASCII character string with 0..64 characters
CA certificate
Parameters Meaning
URL Specifies the path and file name of the certificate.
The device accepts certificates with the following properties:
– X.509 format
– .PEM file name extension
– Base64-coded, enclosed by
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
For security reasons, we recommend that you always use a certificate which is signed by a certification
authority.
The device gives you the following options for copying the certificate to the device:
Import from the PC
If the certificate is located on your PC or on a network drive, drag and drop the certificate in the
area. Alternatively click in the area to select the certificate.
Import from an FTP server
If the certificate is on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<path>/<file name>
Import from a TFTP server
If the certificate is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
Import from an SCP or SFTP server
If the certificate is on an SCP or SFTP server, you specify the URL for the file in the following
form:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you
enter User name and Password , to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start Copies the certificate specified in the URL field to the device.
Table
Parameters Meaning
Index Displays the index number to which the table entry relates.
Description Specifies the description.
If you wish, you describe the authentication server here or note additional information.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
Address Specifies the IP address or the DNS name of the server.
Possible values:
IPv4 address (default setting: 0.0.0.0)
DNS name in the format <domain>.<tld> or <host>.<domain>.<tld>
_ldap._tcp.<domain>.<tld>
Using this DNS name, the device queries the LDAP server list (SRV Resource Record) from
the DNS server.
Use a DNS name, if in the Connection security row another value than none is specified and
the certificate contains only DNS names of the server. Enable the Client function in the
Advanced > DNS > Client > Global dialog.
Destination TCP port Specifies the TCP port on which the server expects the requests.
If you have specified the value _ldap._tcp.domain.tld in the Address column, the device
ignores this value.
Possible values:
0..65535 (default setting: 389)
Exception: Port 2222 is reserved for internal functions.
Frequently used TCP ports:
– LDAP: 389
– LDAP over SSL: 636
– Active Directory Global Catalogue: 3268
– Active Directory Global Catalogue SSL: 3269
Connection security Specifies the protocol which encrypts the communication between the device and the
authentication server.
Possible values:
none
No encryption.
The device establishes an LDAP connection to the server and transmits the communication
including the passwords in clear text.
ssl
Encryption with SSL.
The device establishes a TLS connection to the server and tunnels the LDAP communication
over it.
startTLS (default setting)
Encryption with startTLS extension.
The device establishes an LDAP connection to the server and encrypts the communication.
The prerequisite for encrypted communication is that the device uses the correct time. If the
certificate contains only the DNS names, you specify the DNS name of the server in the Address
row. Enable the Client function in the Advanced > DNS > Client > Global dialog.
If the certificate contains the IP address of the server in the “Subject Alternative Name” field, the
device is able to verify the identity of the server without the DNS configuration.
Server status Displays the status of the connection to, and the authentication with, the authentication server.
Possible values:
ok
The server is reachable.
If in the Connection security row a value other than none is specified, the device has
verified the certificate of the server.
unreachable
The server is unreachable.
other
The device has not established a connection to the server yet.
Active Activates/deactivates the use of the server.
Possible values:
marked
The device uses the server.
unmarked (default setting)
The device does not use the server.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Flush cache Removes the cached logon data of the successfully logged on users.
3.3.2 LDAP Role Mapping
Configuration
Parameters Meaning
Matching policy Specifies which role the device applies if more than one mapping applies to a user.
Possible values:
highest (default setting)
The device applies the role with the more extensive authorizations.
first
The device applies the mapping which has the lowest value in the Index column to the user.
Table
Parameters Meaning
Index Displays the index number to which the table entry relates.
Role Specifies the user role that regulates the access of the user to the individual functions of the
device.
Possible values:
unauthorized
The user is blocked, and the device rejects the user logon.
Assign this value to temporarily lock the user account. If an error occurs when another role is
being assigned, the device assigns this role to the user account.
guest (default setting)
The user is authorized to monitor the device.
auditor
The user is authorized to monitor the device and to save the log file in the Diagnostics >
Report > Audit Trail dialog.
operator
The user is authorized to monitor the device and to change the settings – with the exception
of security settings for device access.
administrator
The user is authorized to monitor the device and to change the settings.
Type Specifies whether a group or an attribute with an attribute value is set in the Parameter column.
Possible values:
attribute (default setting)
The Parameter column contains an attribute with an attribute value.
group
The Parameter column contains the “Distinguished Name” (DN) of a group.
Parameter Specifies a group or an attribute with an attribute value, depending on the setting in the Type
column.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
The device differentiates between upper and lower case.
– If in the Type column the value attribute is specified, you specify the attribute in the form
of Attribute_name=Attribute_value.
Example: l=Germany
– If in the Type column the value group is specified, you specify the “Distinguished Name”
(DN) of a group.
Example: CN=admin-users,OU=Groups,DC=example,DC=com
Active Activates/deactivates the role mapping.
Possible values:
marked (default setting)
The role mapping is active.
unmarked
The role mapping is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the Index field, you specify the index number.
Possible values:
– 1..64
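The Default domain rule from the Configuration dialog and the Role Mapping evaluation described above (Type, Parameter, Active and Matching policy), as an added example that is not Hirschmann's code. The directory entry, the mapping rows and the treatment of "no matching mapping" are constructed assumptions.

```python
"""Added example (not Hirschmann's code): models how the LDAP client and the
Role Mapping table turn a directory entry into a device role.
Directory data, mapping rows and the no-match behaviour below are constructed."""
from dataclasses import dataclass

# Roles as the Role column lists them, least to most extensive authorizations.
ROLE_RANK = {"unauthorized": 0, "guest": 1, "auditor": 2,
             "operator": 3, "administrator": 4}


def normalize_user_name(name: str, default_domain: str) -> str:
    """Apply the Default domain rule: append the domain only when the user
    name contains no '@' and a default domain is configured."""
    if "@" not in name and default_domain:
        return f"{name}@{default_domain}"
    return name


@dataclass(frozen=True)
class Mapping:
    """One row of the Role Mapping table."""
    index: int
    role: str
    type: str        # "attribute" or "group"
    parameter: str   # Attribute_name=Attribute_value, or the DN of a group
    active: bool = True


def mapping_matches(m: Mapping, entry: dict) -> bool:
    """Compare case-sensitively, as the Parameter column specifies.
    `entry` maps LDAP attribute names to lists of values (LDAP attributes are
    multi-valued); group membership is read from the memberOf attribute."""
    if m.type == "attribute":
        attr, sep, value = m.parameter.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute mapping: {m.parameter!r}")
        return value in entry.get(attr, [])
    if m.type == "group":
        return m.parameter in entry.get("memberOf", [])
    raise ValueError(f"unknown mapping type: {m.type!r}")


def effective_role(entry: dict, mappings: list, matching_policy: str = "highest") -> str:
    """Return the role the device applies for this directory entry.
    Assumption beyond the page: when no active mapping matches, or evaluating a
    mapping fails, the result is 'unauthorized' (the page only states the latter)."""
    try:
        hits = [m for m in sorted(mappings, key=lambda m: m.index)
                if m.active and mapping_matches(m, entry)]
    except ValueError:
        return "unauthorized"     # error while assigning another role
    if not hits:
        return "unauthorized"
    if matching_policy == "highest":
        return max(hits, key=lambda m: ROLE_RANK[m.role]).role
    if matching_policy == "first":
        return hits[0].role       # lowest Index wins
    raise ValueError(f"unknown matching policy: {matching_policy!r}")


# Constructed directory entry: a user located in Germany who is in the admin group.
SAMPLE_ENTRY = {
    "userPrincipalName": ["alice@example.com"],
    "l": ["Germany"],
    "memberOf": ["CN=admin-users,OU=Groups,DC=example,DC=com"],
}

# Constructed mapping table using the page's own example parameters.
SAMPLE_MAPPINGS = [
    Mapping(1, "operator", "attribute", "l=Germany"),
    Mapping(2, "administrator", "group", "CN=admin-users,OU=Groups,DC=example,DC=com"),
    Mapping(3, "guest", "attribute", "l=germany"),   # never matches: case differs
]

if __name__ == "__main__":
    print(normalize_user_name("alice", "example.com"))               # alice@example.com
    print(effective_role(SAMPLE_ENTRY, SAMPLE_MAPPINGS, "highest"))  # administrator
    print(effective_role(SAMPLE_ENTRY, SAMPLE_MAPPINGS, "first"))    # operator
```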
3.4.1 Server
This dialog allows you to set up the server services which enable users or applications to access the
management of the device.
[Information ]
This tab displays as an overview which server services are enabled.
Table
Parameters Meaning
SNMPv1 Displays whether the server service which allows access to the device using SNMP version 1 is
active or inactive. See the SNMP tab.
Possible values:
marked
Server service is active.
unmarked
Server service is inactive.
SNMPv2 Displays whether the server service which allows access to the device using SNMP version 2 is
active or inactive. See the SNMP tab.
Possible values:
marked
Server service is active.
unmarked
Server service is inactive.
SNMPv3 Displays whether the server service which allows access to the device using SNMP version 3 is
active or inactive. See the SNMP tab.
Possible values:
marked
Server service is active.
unmarked
Server service is inactive.
Telnet server Displays whether the server service which allows access to the device using Telnet is active or
inactive. See the Telnet tab.
Possible values:
marked
Server service is active.
unmarked
Server service is inactive.
SSH server Displays whether the server service which allows access to the device using Secure Shell is active
or inactive. See the SSH tab.
Possible values:
marked
Server service is active.
unmarked
Server service is inactive.
HTTP server Displays whether the server service which allows access to the device using the Graphical User
Interface through HTTP is active or inactive. See the HTTP tab.
Possible values:
marked
Server service is active.
unmarked
Server service is inactive.
HTTPS server Displays whether the server service which allows access to the device using the Graphical User
Interface through HTTPS is active or inactive. See the HTTP tab.
Possible values:
marked
Server service is active.
unmarked
Server service is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[SNMP ]
This tab allows you to specify settings for the SNMP agent of the device and to enable/disable access
to the device with different SNMP versions.
The SNMP agent enables management access to the device with SNMP-based applications.
Configuration
Parameters Meaning
SNMPv1 Activates/deactivates the access to the device with SNMP version 1.
Possible values:
marked (default setting)
Access is activated.
unmarked
Access is deactivated.
You specify the community names in the Device Security > Management Access > SNMPv1/
v2 Community dialog.
SNMPv2 Activates/deactivates the access to the device with SNMP version 2.
Possible values:
marked (default setting)
Access is activated.
unmarked
Access is deactivated.
You specify the community names in the Device Security > Management Access > SNMPv1/
v2 Community dialog.
SNMPv3 Activates/deactivates the access to the device with SNMP version 3.
Possible values:
marked (default setting)
Access is activated.
unmarked
Access is deactivated.
Network management systems like Industrial HiVision use this protocol to communicate with the
device.
UDP port Specifies the number of the UDP port on which the SNMP agent receives requests from clients.
Possible values:
1..65535 (default setting: 161)
Exception: Port 2222 is reserved for internal functions.
To enable the SNMP agent to use the new port after a change, you proceed as follows:
Click the button.
Select in the Basic Settings > Load/Save dialog the active configuration profile.
Click the button and then the Save item.
Restart the device.
SNMPover802 Activates/deactivates the access to the device through SNMP over IEEE-802.
Possible values:
marked
Access is activated.
unmarked (default setting)
Access is deactivated.
The HiDiscovery software uses SNMP over IEEE-802 to access devices without an IP address.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Telnet ]
This tab allows you to enable/disable the Telnet server in the device and specify its settings.
The Telnet server enables management access to the device remotely through the Command Line
Interface. Telnet connections are unencrypted.
Operation
Parameters Meaning
Operation Enables/disables the Telnet server.
Possible values:
On (default setting)
The Telnet server is enabled.
The management access to the device is possible through the Command Line Interface using
an unencrypted Telnet connection.
Off
The Telnet server is disabled.
Note: If the SSH server is disabled and you also disable Telnet, the access to the Command Line
Interface is only possible through the V.24 interface of the device.
Configuration
Parameters Meaning
TCP port Specifies the number of the TCP port on which the device receives Telnet requests from clients.
Possible values:
1..65535 (default setting: 23)
Exception: Port 2222 is reserved for internal functions.
The server restarts automatically after the port is changed. Existing connections remain in place.
Connections Displays how many Telnet connections are currently established to the device.
Connections (max.) Specifies the maximum number of Telnet connections to the device that can be set up
simultaneously.
Possible values:
1..5 (default setting: 5)
Session timeout [min] Specifies the timeout in minutes. After the logged-on user has been inactive for this time, the device
ends the session.
A change in the value takes effect the next time a user logs on to the device.
Possible values:
0
Deactivates the function. The connection remains established in the case of inactivity.
1..160 (default setting: 5)
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[SSH ]
This tab allows you to enable/disable the SSH server in the device and specify its settings required for
SSH. The server works with SSH version 2.
The SSH server enables management access to the device remotely through the Command Line
Interface. SSH connections are encrypted.
The SSH server identifies itself to the clients using its public RSA or DSA key. When first setting up the
connection, the client program displays the fingerprint of this key to the user. The fingerprint is a
hexadecimal number sequence that is easy to check. When you make this number sequence available
to the users through a reliable channel, they have the option to compare both fingerprints. If the number
sequences match, the client is connected to the correct server.
The device allows you to create the private and public keys (host keys) required for RSA and DSA
directly on the device. Otherwise you have the option to copy your own keys to the device in PEM format.
As an alternative, the device allows you to load the DSA/RSA key (host key) from an external memory
upon restart. You activate this function in the Basic Settings > External Memory dialog, SSH key
auto upload column.
Operation
Parameters Meaning
Operation Enables/disables the SSH server.
Possible values:
On (default setting)
The SSH server is enabled.
The management access to the device is possible through the Command Line Interface using
an encrypted SSH connection.
The server can only be started if an RSA or DSA signature (host key) is present on the device.
Off
The SSH server is disabled.
When you disable the SSH server, the existing connections remain established. However, the
device prevents new connections from being set up.
Note: If the Telnet server is disabled and you also disable SSH, the access to the Command Line
Interface is only possible through the V.24 interface of the device.
Configuration
Parameters Meaning
TCP port Specifies the number of the TCP port on which the device receives SSH requests from clients.
Possible values:
1..65535 (default setting: 22)
Exception: Port 2222 is reserved for internal functions.
The server restarts automatically after the port is changed. Existing connections remain in place.
Sessions Displays how many SSH connections are currently established to the device.
Sessions (max.) Specifies the maximum number of SSH connections to the device that can be set up
simultaneously.
Possible values:
1..5 (default setting: 5)
Session timeout [min] Specifies the timeout in minutes. After the logged-on user has been inactive for this time, the device
ends the connection.
A change in the value takes effect the next time a user logs on to the device.
Possible values:
0
Deactivates the function. The connection remains established in the case of inactivity.
1..160 (default setting: 5)
Fingerprint
The fingerprint is an easy-to-verify string that uniquely identifies the RSA or DSA host key of the SSH
server.
Parameters Meaning
DSA Fingerprint of the public DSA host key of the server.
RSA Fingerprint of the public RSA host key of the server.
After importing a new RSA or DSA host key, the device continues to display the existing fingerprint
until you restart the server.
Signature
Parameters Meaning
DSA present Displays whether a DSA host key is present on the device.
Possible values:
marked
A key is present.
unmarked
No key is present.
RSA present Displays whether an RSA host key is present on the device.
Possible values:
marked
A key is present.
unmarked
No key is present.
Create Generates a host key on the device. The prerequisite is that the SSH server is disabled.
Length of the key created:
2048 bit (RSA)
1024 bit (DSA)
To get the server to use the generated host key, you enable the server.
Alternatively, you have the option to copy your own key to the device in PEM format. See the Key
import frame.
Delete Removes the host key from the device. The prerequisite is that the SSH server is disabled.
Oper status Displays whether the device currently generates a host key.
It is possible that another user triggered this action.
Possible values:
dsa
The device currently generates a DSA host key.
rsa
The device currently generates an RSA host key.
both
The device currently generates a DSA and an RSA host key at the same time.
none
The device does not generate a host key.
Key import
Parameters Meaning
URL Specifies the path and file name of your own DSA/RSA host key.
The device accepts the DSA/RSA key if it has the following key length:
– 2048 bit (RSA)
– 1024 bit (DSA)
The device gives you the following options for copying the key to the device:
Import from the PC
If the host key is located on your PC or on a network drive, drag and drop the file that contains
the key in the area. Alternatively click in the area to select the file.
Import from an FTP server
If the key is on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
Import from a TFTP server
If the key is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
Import from an SCP or SFTP server
If the key is on an SCP or SFTP server, you specify the URL for the file in the following form:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you
enter User name and Password , to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start Copies the key specified in the URL field to the device.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[HTTP ]
This tab allows you to enable/disable the HTTP protocol for the web server and specify the settings
required for HTTP.
The web server provides the graphical user interface via an unencrypted HTTP connection. For security
reasons, disable the HTTP protocol and use the HTTPS protocol instead.
The device supports up to 10 simultaneous connections using HTTP or HTTPS.
Note: If you change the settings in this tab and click the button, the device ends the session and
disconnects every open connection. To continue working with the graphical user interface, log in
again.
Operation
Parameters Meaning
Operation Enables/disables the HTTP protocol for the web server.
Possible values:
On (default setting)
The HTTP protocol is enabled.
The management access to the device is possible through an unencrypted HTTP connection.
If the HTTPS protocol is also enabled, the device automatically redirects the request for an HTTP
connection to an encrypted HTTPS connection.
Off
The HTTP protocol is disabled.
If the HTTPS protocol is enabled, the management access to the device is possible through an
encrypted HTTPS connection.
Note: If the HTTP and HTTPS protocols are disabled, you can enable the HTTP protocol using the
CLI command http server to get to the graphical user interface.
Configuration
Parameters Meaning
TCP port Specifies the number of the TCP port on which the web server receives HTTP requests from
clients.
Possible values:
1..65535 (default setting: 80)
Exception: Port 2222 is reserved for internal functions.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[HTTPS ]
This tab allows you to enable/disable the HTTPS protocol for the web server and specify the settings
required for HTTPS.
The web server provides the graphical user interface via an encrypted HTTP connection.
A digital certificate is required for the encryption of the HTTP connection. The device allows you to
create this certificate yourself or to load an existing certificate onto the device.
The device supports up to 10 simultaneous connections using HTTP or HTTPS.
Note: If you change the settings in this tab and click the button, the device ends the session and
disconnects every open connection. To continue working with the graphical user interface, log in
again.
Operation
Parameters Meaning
Operation Enables/disables the HTTPS protocol for the web server.
Possible values:
On (default setting)
The HTTPS protocol is enabled.
The management access to the device is possible through an encrypted HTTPS connection.
If there is no digital certificate present, the device generates a digital certificate before it
enables the HTTPS protocol.
Off
The HTTPS protocol is disabled.
If the HTTP protocol is enabled, the management access to the device is possible through an
unencrypted HTTP connection.
Note: If the HTTP and HTTPS protocols are disabled, you can enable the HTTPS protocol using the
CLI command https server to get to the graphical user interface.
Configuration
Parameters Meaning
TCP port Specifies the number of the TCP port on which the web server receives HTTPS requests from
clients.
Possible values:
1..65535 (default setting: 443)
Exception: Port 2222 is reserved for internal functions.
Fingerprint
The fingerprint is an easily verified hexadecimal number sequence that uniquely identifies the digital
certificate of the HTTPS server.
After importing a new digital certificate, the device displays the current fingerprint until you restart the
server.
Parameters Meaning
Fingerprint type Specifies which fingerprint the Fingerprint field displays.
Possible values:
sha1
The Fingerprint field displays the SHA1 fingerprint of the certificate.
sha256
The Fingerprint field displays the SHA256 fingerprint of the certificate.
Fingerprint Character sequence of the digital certificate used by the server.
After you change the setting in the Fingerprint type field, click the button.
Certificate
Parameters Meaning
Present Displays whether the digital certificate is present on the device.
Possible values:
marked
The certificate is present.
unmarked
The certificate has been removed.
Create Generates a digital certificate on the device.
Until you restart the web server, it uses the previous certificate.
To get the web server to use the newly generated certificate, restart the web server. Restarting
the web server is possible solely through the Command Line Interface (CLI).
Alternatively, you have the option of copying your own certificate to the device. See the
Certificate import frame.
Delete Deletes the digital certificate.
Until you restart the web server, it uses the previous certificate.
Oper status Displays whether the device currently generates or deletes a digital certificate.
It is possible that another user has triggered the action.
Possible values:
none
The device is currently neither generating nor deleting a certificate.
delete
The device currently deletes a certificate.
generate
The device currently generates a certificate.
Note: When loading the graphical user interface, the web browser displays a warning if the device
uses a certificate that is not signed by a certification authority. To continue, add an exception rule for
the certificate in the web browser.
Certificate import
Parameters Meaning
URL Specifies the path and file name of the certificate.
The device accepts certificates with the following properties:
– X.509 format
– .PEM file name extension
– Base64-coded, enclosed by
• -----BEGIN PRIVATE KEY-----
and
-----END PRIVATE KEY-----
as well as
• -----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
– RSA key with 2048 bit length
The device gives you the following options for copying the certificate to the device:
Import from the PC
If the certificate is located on your PC or on a network drive, drag and drop the certificate in the
area. Alternatively click in the area to select the certificate.
Import from an FTP server
If the certificate is on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<path>/<file name>
Import from a TFTP server
If the certificate is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
Import from an SCP or SFTP server
If the certificate is on an SCP or SFTP server, you specify the URL for the file in the following
form:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you
enter User name and Password , to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start Copies the certificate specified in the URL field to the device.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
3.4.2 IP Access Restriction
This dialog enables you to restrict the management access to the device to specific IP address ranges
and selected IP-based applications.
If the function is disabled, the management access to the device is possible from any IP address and
using every application.
If the function is enabled, the access is restricted. You have management access only if both of the
following conditions are met:
– At least one table entry is activated.
and
– You are accessing the device with a permitted application from a permitted IP address range.
Operation
Parameters Meaning
Operation Enables/disables the IP Access Restriction function.
Possible values:
On
The IP Access Restriction function is enabled.
The management access to the device is restricted.
Off (default setting)
The IP Access Restriction function is disabled.
Note: Before you enable the function, verify that at least one active entry in the table allows you
access. Otherwise, the connection to the device terminates when you change the settings. The
management access to the device is possible exclusively using the CLI through the V.24 interface.
Table
You have the option of defining up to 16 table entries and activating them separately.
Parameters Meaning
Index Displays the index number to which the table entry relates.
When you delete a table entry, this leaves a gap in the numbering. When you create a new table
entry, the device fills the first gap.
Possible values:
1..16
Address Specifies the IP address of the network from which you allow the management access to the
device. You specify the network range in the Netmask column.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
Netmask Specifies the range of the network specified in the Address column.
Possible values:
Valid netmask (default setting: 0.0.0.0)
HTTP Activates/deactivates the HTTP access.
Possible values:
marked (default setting)
Access is activated for the adjacent IP address range.
unmarked
Access is deactivated.
HTTPS Activates/deactivates the HTTPS access.
Possible values:
marked (default setting)
Access is activated for the adjacent IP address range.
unmarked
Access is deactivated.
SNMP Activates/deactivates the SNMP access.
Possible values:
marked (default setting)
Access is activated for the adjacent IP address range.
unmarked
Access is deactivated.
Telnet Activates/deactivates the Telnet access.
Possible values:
marked (default setting)
Access is activated for the adjacent IP address range.
unmarked
Access is deactivated.
SSH Activates/deactivates the SSH access.
Possible values:
marked (default setting)
Access is activated for the adjacent IP address range.
unmarked
Access is deactivated.
IEC61850-MMS Activates/deactivates the access to the MMS server.
Possible values:
marked (default setting)
Access is activated for the adjacent IP address range.
unmarked
Access is deactivated.
Modbus TCP Activates/deactivates the access to the Modbus TCP server.
Possible values:
marked (default setting)
Access is activated for the adjacent IP address range.
unmarked
Access is deactivated.
EtherNet/IP Activates/deactivates the access to the EtherNet/IP server.
Possible values:
marked (default setting)
Access is activated for the adjacent IP address range.
unmarked
Access is deactivated.
PROFINET Activates/deactivates the access to the PROFINET server.
Possible values:
marked (default setting)
Access is activated for the adjacent IP address range.
unmarked
Access is deactivated.
Active Activates/deactivates the table entry.
Possible values:
marked (default setting)
Table entry is activated. The device restricts the management access to the adjacent IP
address range and the selected IP-based applications.
unmarked
Table entry is deactivated.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
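The following Python model is an added example; it is not part of this manual or of the device software. It reproduces the matching rule of the table above: a source address falls into a row's range when the source and the Address value agree in every bit that is set in the Netmask, so the default row 0.0.0.0 / 0.0.0.0 covers every source. It also models the index handling (16 entries, the first gap is filled when no index is given) and adds a small audit helper that lists rows still permitting HTTP or Telnet. The class and function names, and the assumption that a source which no active row covers is refused while the function is enabled, are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Checkbox columns of the table: the IP-based applications a row can permit.
SERVICES = ("HTTP", "HTTPS", "SNMP", "Telnet", "SSH",
            "IEC61850-MMS", "Modbus TCP", "EtherNet/IP", "PROFINET")
CLEARTEXT = frozenset({"HTTP", "Telnet"})   # channels that carry credentials unencrypted


@dataclass
class Rule:
    address: str                                  # Address column, e.g. "10.0.1.0"
    netmask: str                                  # Netmask column, e.g. "255.255.255.0"
    services: frozenset = frozenset(SERVICES)     # marked checkboxes (all marked by default)
    active: bool = True                           # Active column

    def covers(self, source_ip: str) -> bool:
        """The source is in range when (source AND mask) == (address AND mask);
        the default row 0.0.0.0 / 0.0.0.0 therefore covers every source."""
        src = int(ipaddress.IPv4Address(source_ip))
        net = int(ipaddress.IPv4Address(self.address))
        mask = int(ipaddress.IPv4Address(self.netmask))
        return (src & mask) == (net & mask)


class AccessRestrictionTable:
    """Model of the IP access restriction table: 16 index slots, first gap filled on insert."""
    MAX_INDEX = 16

    def __init__(self):
        self.rows = {}          # index -> Rule

    def add(self, rule: Rule, index: int = 0) -> int:
        """Insert a row; index 0 means 'not specified', so the first free index is used."""
        if index == 0:
            free = [i for i in range(1, self.MAX_INDEX + 1) if i not in self.rows]
            if not free:
                raise ValueError("table is full (16 entries)")
            index = free[0]
        if not 1 <= index <= self.MAX_INDEX or index in self.rows:
            raise ValueError(f"index {index} is not available")
        self.rows[index] = rule
        return index

    def allows(self, source_ip: str, service: str) -> bool:
        """A management request passes when at least one active row covers the source
        and has that service marked. Assumption of this model: with the function
        enabled, a source that no row covers is refused."""
        return any(r.active and service in r.services and r.covers(source_ip)
                   for r in self.rows.values())

    def cleartext_rows(self):
        """Audit helper: active rows that still permit HTTP or Telnet."""
        return [(i, sorted(r.services & CLEARTEXT))
                for i, r in sorted(self.rows.items())
                if r.active and r.services & CLEARTEXT]
```

A typical hardening step with this model is to deactivate the default row and add one row per management network that marks only HTTPS, SSH and SNMP; `cleartext_rows()` then returns an empty list.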
3.4.3 Web
In this dialog, you specify settings for the graphical user interface.
Configuration
Parameters Meaning
Web interface session timeout [min] Specifies the timeout in minutes. After the device has been inactive for this time, it ends
the session for the user logged on.
Possible values:
0..160 (default setting: 5)
The value 0 deactivates the function, and the user remains logged on when inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Device Security > Management Access > CLI
In this dialog, you specify settings for the Command Line Interface (CLI). You find detailed information
about the Command Line Interface in the “Command Line Interface” reference manual.
[Global]
This tab allows you to change the CLI prompt and to specify the automatic closing of sessions through
the V.24 interface when they have been inactive.
Configuration
Parameters Meaning
Login prompt Specifies the character string that the device displays in the Command Line Interface (CLI) at the
start of every command line.
Possible values:
Alphanumeric ASCII character string with 0..128 characters
(0x20..0x7E) including space characters
Wildcards
– %d date
– %i IP address
– %m MAC address
– %p product name
– %t time
Default setting: ((GRS))
Changes to this setting are immediately effective in the active CLI session.
V.24 timeout [min] Specifies the time in minutes after which the device automatically closes the session of a logged
on user in the Command Line Interface via the V.24 interface when it has been inactive.
Possible values:
0..160 (default setting: 5)
The value 0 deactivates the function, and the user remains logged on when inactive.
A change in the value takes effect the next time a user logs on to the device.
For Telnet and SSH, you specify the timeout in the Device Security > Management Access >
Server dialog.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Login banner]
In this tab, you replace the CLI start screen with your own text.
In the default setting, the CLI start screen displays information about the device, such as the software
version and the device settings. With the function in this tab, you deactivate this information and replace
it with an individually specified text.
To display your own text in the CLI and in the graphical user interface before the login, you use the
Device Security > Pre-login Banner dialog.
Operation
Parameters Meaning
Operation Enables/disables the Login banner function.
Possible values:
On
The Login banner function is enabled.
The device displays the text information specified in the Banner text field to the users that
log in to the device using the Command Line Interface (CLI).
Off (default setting)
The Login banner function is disabled.
The CLI start screen displays information about the device. The text information in the Banner
text field is kept.
Banner text
Parameters Meaning
Banner text Specifies the character string that the device displays in the Command Line Interface at the start
of every session.
Possible values:
Alphanumeric ASCII character string with 0..1024 characters
(0x20..0x7E) including space characters
<Tab>
<Line break>
Remaining characters Displays how many characters are still remaining in the Banner text field for the text information.
Possible values:
1024..0
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
In this dialog, you specify the community name for SNMPv1/v2 applications.
Applications send requests via SNMPv1/v2 with a community name in the SNMP data packet header.
Depending on the community name, the application gets read authorization or read and write
authorization for the device.
You activate the access to the device via SNMPv1/v2 in the Device Security > Management
Access > Server dialog.
Table
Parameters Meaning
Community Displays the authorization for SNMPv1/v2 applications to the device:
Write
For requests with the community name entered, the application receives read and write
authorization for the device.
Read
For requests with the community name entered, the application receives read authorization for
the device.
Name Specifies the community name for the adjacent authorization.
Possible values:
Alphanumeric ASCII character string with 0..32 characters
private (default setting for read and write authorizations)
public (default setting for read authorization)
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Device Security > Pre-login Banner
This dialog allows you to display a greeting or information text to users before they log in to the device.
The users see this text in the login dialog of the graphical user interface (GUI) and of the Command Line
Interface (CLI). Users logging in with SSH see the text before or during the login, regardless of the
client used.
To display the text in the Command Line Interface (CLI) exclusively, use the settings in the Device
Security > Management Access > CLI dialog.
Operation
Parameters Meaning
Operation Enables/disables the Pre-login Banner function.
Using the Pre-login Banner function, the device displays a greeting or information text in the
login dialog of the Graphical User Interface and of the Command Line Interface.
Possible values:
On
The Pre-login Banner function is enabled.
The device displays the text specified in the Banner text field in the login dialog.
Off (default setting)
The Pre-login Banner function is disabled.
The device does not display a text in the login dialog. If you entered a text in the Banner text
field, this text is saved on the device.
Banner text
Parameters Meaning
Banner text Specifies the greeting or information text that the device displays in the Login dialog of the
graphical user interface (GUI) and of the Command Line Interface (CLI).
Possible values:
Alphanumeric ASCII character string with 0..512 characters
(0x20..0x7E) including space characters
<Tab>
<Line break>
Remaining characters Displays how many characters are still remaining in the Banner text field.
Possible values:
512..0
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
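The following Python functions are an added example, not part of this manual or of the device software. They check a text against the character and length rules given for the CLI login prompt (0..128 characters, 0x20..0x7E), the CLI login banner (0..1024 characters, additionally tab and line break) and the pre-login banner (0..512 characters, additionally tab and line break), return the value the Remaining characters field would show, and expand the prompt wildcards %d, %i, %m, %p and %t. The function names, the dictionary keys and the assumption that a tab or line break counts as one character are this example's own.

```python
import re

# Allowed characters: printable ASCII 0x20..0x7E; banners additionally accept tab and line break.
_PRINTABLE = re.compile(r"[\x20-\x7e]*")
LIMITS = {"login_prompt": 128, "login_banner": 1024, "pre_login_banner": 512}
_EXTRA = {"login_prompt": "", "login_banner": "\t\n", "pre_login_banner": "\t\n"}


def check_text(kind, text):
    """Validate a prompt or banner text for the dialog `kind`.
    Returns (ok, remaining): `remaining` counts down from the limit like the
    'Remaining characters' field (assumption: tab and line break count as one
    character each). Control characters such as ESC make the text invalid."""
    limit = LIMITS[kind]
    stripped = "".join(ch for ch in text if ch not in _EXTRA[kind])
    ok = _PRINTABLE.fullmatch(stripped) is not None and len(text) <= limit
    return ok, max(limit - len(text), 0)


PROMPT_WILDCARDS = {"%d": "date", "%i": "ip", "%m": "mac", "%p": "product", "%t": "time"}


def expand_prompt(template, info):
    """Replace the wildcards %d %i %m %p %t with the values in `info`
    (a dict with keys date, ip, mac, product, time); other text is copied unchanged."""
    out, i = [], 0
    while i < len(template):
        token = template[i:i + 2]
        if token in PROMPT_WILDCARDS:
            out.append(str(info[PROMPT_WILDCARDS[token]]))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)
```

Running `check_text` on banner texts before pasting them into the dialog catches characters the device would reject, such as escape sequences copied from a terminal.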
4 Network Security
This dialog displays the network security rules used in the device.
Parameter
Parameters Meaning
Port/VLAN Specifies whether the device displays VLAN- and/or port-based rules.
Possible values:
All (default setting)
The device displays the VLAN- and port-based rules specified by you.
Port: <Port Number>
The device displays port-based rules for a specific port. This selection is available if you have
specified one or more rules for this port.
VLAN: <VLAN ID>
The device displays VLAN-based rules for a specific VLAN. This selection is available if you
have specified one or more rules for this VLAN.
ACL Displays the ACL rules in the overview.
You edit Access Control Lists in the Network Security > ACL dialog.
All Marks the adjacent checkboxes. The device displays the related rules in the overview.
None Unmarks the adjacent checkboxes. The device does not display any rules in the overview.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
The device allows you to transmit only data packets from desired senders on one port. When this
function is enabled, the device checks the VLAN ID and MAC address of the sender before it transmits
a data packet. The device discards data packets from other senders and logs this event. If the Auto-
Disable function is activated, the device disables the port. This restriction makes MAC Spoofing
attacks more difficult. The Auto-Disable function enables the relevant port again automatically when
the parameters are no longer being exceeded.
In this dialog a Wizard window helps you to connect the ports with one or more desired sources. In the
device these addresses are known as Static entries (/) . To view the specified static addresses,
highlight the relevant port and click the button.
To keep the setup process as simple as possible, the device allows you to record the desired senders
automatically. The device “learns” the senders by evaluating the received data packets. In the device
these addresses are known as Dynamic entries . When a user-defined upper limit has been reached
(Dynamic limit ), the device stops the “learning” on the relevant port and transmits exclusively the data
packets of the senders already recorded. When you adjust the upper limit to the number of expected
senders, you thus make MAC Flooding attacks more difficult.
Note: With the automatic recording of the Dynamic entries , the device always discards the 1st data
packet from unknown senders. Using this 1st data packet, the device checks whether the upper limit
has been reached. The device records the sender until the upper limit is reached. Afterwards, the device
transmits data packets that it receives on the relevant port from this sender.
Operation
Parameters Meaning
Operation Enables/disables the Port Security function.
Possible values:
On
The Port Security function is enabled.
The device checks the VLAN ID and MAC address of the source before it transmits a data
packet.
The device transmits a received data packet only if its source is desired on the relevant port.
Also activate the checking of the source on the relevant ports.
Off (default setting)
The Port Security function is disabled.
The device transmits every received data packet without checking the source.
Configuration
Parameters Meaning
Auto-disable Activates/deactivates the Auto-Disable function for Port Security .
Possible values:
marked
The Auto-Disable function for Port Security is active.
Also mark the checkbox in the Auto-disable column for the relevant ports.
unmarked (default setting)
The Auto-Disable function for Port Security is inactive.
Table
Parameters Meaning
Port Displays the port number.
Active Activates/deactivates the checking of the source on the port.
Possible values:
marked
The device checks every data packet received on the port and transmits it if its source is
desired. Also enable the function in the Operation frame.
unmarked (default setting)
The device transmits every data packet received on the port without checking the source.
Note: If you are operating the device as an active subscriber within an MRP ring, we recommend
you unmark the checkbox.
Auto-disable Activates/deactivates the Auto-Disable function for the parameters that the Port Security
function is monitoring on the port.
Possible values:
marked (default setting)
The Auto-Disable function is active on the port.
The prerequisite is that you mark the checkbox Auto-disable in the Configuration frame.
– The device disables the port if the port registers undesired source MAC addresses or more
source MAC addresses than specified in the Dynamic limit column. The “Link status”
LED for the port flashes 3× per period.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently
disabled due to the parameters being exceeded.
– The Auto-Disable function reactivates the port automatically. For this you go to the
Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the
relevant port in the Reset timer [s] column.
unmarked
The Auto-Disable function on the port is inactive.
Send trap Activates/deactivates the sending of SNMP traps when the device discards data packets from an
undesired sender on the port.
Possible values:
marked
The device sends an SNMP trap when it discards data packets from an undesired sender on
the port.
unmarked (default setting)
The sending of SNMP traps is deactivated.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Trap interval [s] Specifies the delay time in seconds that the device waits after sending an SNMP trap before
sending the next SNMP trap.
Possible values:
0..3600 (default setting: 0)
The value 0 deactivates the delay time.
Dynamic limit Specifies the upper limit for the number of automatically registered sources (Dynamic entries ).
When the upper limit has been reached, the device stops “learning” on this port.
Adjust the value to the number of expected sources.
If the port registers more senders than specified here, the Auto-Disable function disables the
port. The prerequisite is that you mark the checkbox in the Auto-disable column and the
Auto-disable checkbox in the Configuration frame.
Possible values:
0
Deactivates the automatic registering of sources on this port.
1..600 (default setting: 600)
Static limit Specifies the upper limit for the number of sources connected to the port (Static entries (/) ).
The Wizard window helps you to connect the port with one or more desired sources.
Possible values:
0..64 (default setting: 64)
The value 0 prevents you from connecting a source with the port.
Dynamic entries Displays the number of senders that the device has automatically determined.
See the Wizard window, Dynamic entries field.
Static entries Displays the number of senders that are linked with the port.
See the Wizard window, Static entries (/) field.
Last violating VLAN ID/MAC Displays the VLAN ID and MAC address of an undesired sender whose data packets the device
last discarded on this port.
Sent traps Displays the number of discarded data packets on this port that caused the device to send an
SNMP trap.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
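The following Python class is an added example, not part of this manual or of the device software. It models the per-port behaviour described in the introduction and in the table above: desired senders are pairs of VLAN ID and MAC address; the first packet from an unknown sender is always discarded and used to check the Dynamic limit; below the limit the sender is recorded and its later packets are forwarded; at the limit (or with learning switched off by a limit of 0) the packet is discarded and logged, the Last violating VLAN ID/MAC entry is updated, an SNMP trap is sent subject to the Trap interval, and the port is disabled when Auto-disable is marked. The class name, the field names and the time handling are this example's own.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Model of one port under Port Security. A sender is the pair (VLAN ID, MAC address),
    as shown in the Static entries and Dynamic entries fields of the Wizard."""
    dynamic_limit: int = 600        # "Dynamic limit" column; 0 switches automatic learning off
    static_limit: int = 64          # "Static limit" column
    auto_disable: bool = False      # Auto-disable marked in the Configuration frame and for the port
    send_trap: bool = False         # "Send trap" column
    trap_interval: int = 0          # "Trap interval [s]"; 0 means no delay between traps
    static: set = field(default_factory=set)     # desired senders assigned in the Wizard
    dynamic: list = field(default_factory=list)  # senders learned from received packets
    enabled: bool = True            # cleared by Auto-Disable
    last_violation: tuple = None    # "Last violating VLAN ID/MAC"
    sent_traps: int = 0             # "Sent traps"
    last_trap_time: float = None    # time of the most recent trap (model detail)
    log: list = field(default_factory=list)      # (time, VLAN ID, MAC) of discarded packets

    def add_static(self, vlan, mac):
        """Wizard 'Add' button: connect a desired sender with the port."""
        if len(self.static) >= self.static_limit:
            raise ValueError("Static limit reached")
        self.static.add((vlan, mac))

    def receive(self, vlan, mac, now=0.0):
        """Apply the check to one received packet. Returns True if the port forwards it."""
        if not self.enabled:
            return False                       # port disabled by Auto-Disable
        sender = (vlan, mac)
        if sender in self.static or sender in self.dynamic:
            return True                        # desired sender
        # Unknown sender: the first packet is always discarded and used to check the limit.
        if len(self.dynamic) < self.dynamic_limit:
            self.dynamic.append(sender)        # recorded; later packets from it are forwarded
            return False
        # Limit reached (or learning off): discard, log, optionally trap and disable the port.
        self.last_violation = sender
        self.log.append((now, vlan, mac))
        if self.send_trap and (self.last_trap_time is None
                               or now - self.last_trap_time >= self.trap_interval):
            self.sent_traps += 1
            self.last_trap_time = now
        if self.auto_disable:
            self.enabled = False
        return False


if __name__ == "__main__":
    port = PortSecurity(dynamic_limit=2, auto_disable=True, send_trap=True)
    port.add_static(1, "00:11:22:33:44:55")
    for t, mac in enumerate(["aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:01",
                             "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"]):
        print(t, mac, "forwarded" if port.receive(1, mac, now=t) else "discarded")
    print("port enabled:", port.enabled, "last violation:", port.last_violation)
```

The model makes the sizing advice in the Dynamic limit row concrete: with the limit set to the number of expected senders, the first additional MAC address on the port is the one that is logged and, with Auto-disable marked, takes the port down.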
Button Meaning
Opens the Wizard dialog.
In the Wizard dialog you assign the permitted MAC addresses to a port.
Select port
The Wizard window helps you to connect the ports with one or more desired sources.
Parameters Meaning
Port Specifies the port that you assign to the sender in the next step.
Addresses
The Wizard window helps you to connect the ports with one or more desired sources. When you
have specified the settings, click the Finish button.
After closing the Wizard window, click the button to save your settings.
Parameters Meaning
VLAN ID Specifies the VLAN ID of the desired source.
Possible values:
1..4042
To transfer the VLAN ID and the MAC address to the Static entries (/) field, click the Add
button.
MAC address Specifies the MAC address of the desired source.
Possible values:
Valid Unicast MAC address
Specify the value in one of the following formats:
– without a separator, for example 001122334455
– separated by spaces, for example 00 11 22 33 44 55
– separated by colons, for example 00:11:22:33:44:55
– separated by hyphens, for example 00-11-22-33-44-55
– separated by points, for example 00.11.22.33.44.55
– separated by points after every 4th character, for example 0011.2233.4455
To transfer the VLAN ID and the MAC address to the Static entries (/) field, click the Add
button.
Add Transfers the values specified in the VLAN ID and MAC address fields to the Static entries
(/) field.
Static entries (/) Displays the VLAN ID and MAC address of desired senders connected to the port.
The device uses this field to display the number of senders connected to the port and the upper
limit. You specify the upper limit for the number of entries in the table, Static limit field.
Note: You cannot assign a MAC address that you assign to this port to any other port.
Remove Removes the entries highlighted in the Static entries (/) field.
Moves the entries highlighted in the Dynamic entries field to the Static entries (/) field.
Moves every entry from the Dynamic entries field to the Static entries (/) field.
If the Dynamic entries field contains more entries than are allowed in the Static entries (/)
field, the device moves the foremost entries until the upper limit is reached.
Parameters Meaning
Dynamic entries Displays in ascending order the VLAN ID and MAC address of the senders automatically recorded
on this port. The device transmits data packets from these senders when it receives the data
packets on this port.
You specify the upper limit for the number of entries in the table, Dynamic limit field.
The two buttons described above allow you to transfer entries from this field into the Static entries (/)
field. In this way, you connect the relevant senders with the port.
Note: The device saves the sources connected with the port until you deactivate the checking of the
source on the relevant port or in the Operation frame.
Network Security > 802.1X Port Authentication
With the port-based access control according to IEEE 802.1X, the device monitors the access to the
network from connected end devices. The device (authenticator) allows an end device (supplicant) to
access the network if it logs in with valid login data. The authenticator and the end devices communicate
via the EAPoL (Extensible Authentication Protocol over LANs) authentication protocol.
The device supports the following methods to authenticate end devices:
radius
A RADIUS server in the network authenticates the end devices.
ias
The Integrated Authentication Server (IAS) implemented in the device authenticates the end devices.
Compared to RADIUS, the IAS provides basic functions exclusively.
The menu contains the following dialogs:
802.1X Global
802.1X Port Configuration
802.1X Port Clients
802.1X EAPOL Port Statistics
802.1X Port Authentication History
802.1X Integrated Authentication Server
Network Security > 802.1X Port Authentication > Global
This dialog allows you to specify basic settings for the port-based access control.
Operation
Parameters Meaning
Operation Enables/disables the 802.1X Port Authentication function.
Possible values:
On
The 802.1X Port Authentication function is enabled.
The device checks the access to the network from connected end devices.
The port-based access control is enabled.
Off (default setting)
The 802.1X Port Authentication function is disabled.
The port-based access control is disabled.
Configuration
Parameters Meaning
VLAN assignment Activates/deactivates the assigning of the relevant port to a VLAN. This function allows you to
provide selected services to the connected end device in this VLAN.
Possible values:
marked
The assigning is active.
If the end device successfully authenticates itself, the device assigns to the relevant port the
VLAN ID transferred by the RADIUS authentication server.
unmarked (default setting)
The assigning is inactive.
The relevant port is assigned to the VLAN specified in the Network Security > 802.1X Port
Authentication > Port Configuration dialog, Assigned VLAN ID row.
Dynamic VLAN creation Activates/deactivates the automatic creation of the VLAN assigned by the RADIUS authentication
server if the VLAN does not exist.
Possible values:
marked
The automatic VLAN creation is active.
The device creates the VLAN if it does not exist.
unmarked (default setting)
The automatic VLAN creation is inactive.
If the assigned VLAN does not exist, the port remains assigned to the original VLAN.
Monitor mode Activates/deactivates the monitor mode.
Possible values:
marked
The monitor mode is active.
The device monitors the authentication and helps with diagnosing detected errors. If an end
device has not logged in successfully, the device gives the end device access to the network.
unmarked (default setting)
The monitor mode is inactive.
Group size Specifies the size of the MAC address groups. The device splits the MAC address for
authentication into groups. The size of the groups is specified in half bytes, each of which is
represented as 1 character.
Possible values:
1
The device splits the MAC address into 12 groups of 1 character.
Example: A:A:B:B:C:C:D:D:E:E:F:F
2
The device splits the MAC address into 6 groups of 2 characters.
Example: AA:BB:CC:DD:EE:FF
4
The device splits the MAC address into 3 groups of 4 characters.
Example: AABB:CCDD:EEFF
12 (default setting)
The device formats the MAC address as 1 group of 12 characters.
Example: AABBCCDDEEFF
Group separator Specifies the character which separates the groups.
Possible values:
-
dash
:
colon
.
dot
Upper or lower case Specifies whether the device formats the authentication data in lowercase or uppercase letters.
Possible values:
lower-case
upper-case
Password Specifies the optional password for the clients which use the authentication bypass.
Possible values:
Alphanumeric ASCII character string with 0..64 characters
After entry, the field displays ***** (asterisks) instead of the password.
<empty>
The device uses the username of the client also as the password.
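The following Python functions are an added example, not part of this manual or of the device software. They serve two passages at once: the MAC address field of the Port Security Wizard, which accepts the six notations listed there and requires a unicast address, and the Group size, Group separator, Upper or lower case and Password settings above, which determine the user name and password the authenticator presents for a client that uses the authentication bypass. The function names and the parameter names are this example's own; the unicast check uses the I/G bit of the first octet.

```python
import re

_HEX12 = re.compile(r"^[0-9a-fA-F]{12}$")


def parse_mac(text):
    """Accept the six notations listed for the Wizard's MAC address field and return
    the 12 hex digits in upper case. Rejects anything else, including group (multicast/
    broadcast) addresses, since the field requires a unicast MAC address."""
    s = text.strip()
    # one notation per input: none, space, colon, hyphen, dot, or dot after every 4th digit
    for sep, width in ((" ", 2), (":", 2), ("-", 2), (".", 2), (".", 4)):
        parts = s.split(sep)
        if len(parts) == 12 // width and all(len(p) == width for p in parts):
            s = "".join(parts)
            break
    if not _HEX12.match(s):
        raise ValueError(f"not a MAC address: {text!r}")
    digits = s.upper()
    if int(digits[1], 16) & 1:            # I/G bit of the first octet set: not unicast
        raise ValueError(f"not a unicast MAC address: {text!r}")
    return digits


def is_valid_static_entry(text):
    """True if `text` would be accepted by the Wizard's MAC address field (model of the check)."""
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False


def mab_username(mac, group_size=12, separator=":", case="upper-case"):
    """Format the MAC as the user name for a bypass client, following the
    Group size, Group separator and Upper or lower case settings."""
    digits = parse_mac(mac)
    if group_size not in (1, 2, 4, 12):
        raise ValueError("Group size must be 1, 2, 4 or 12")
    if separator not in ("-", ":", "."):
        raise ValueError("Group separator must be -, : or .")
    name = separator.join(digits[i:i + group_size] for i in range(0, 12, group_size))
    return name.lower() if case == "lower-case" else name


def mab_credentials(mac, group_size=12, separator=":", case="upper-case", password=""):
    """User name and password for the RADIUS/IAS user entry of a bypass client.
    An empty Password setting means the device uses the user name as the password too."""
    user = mab_username(mac, group_size, separator, case)
    return user, (password or user)
```

Generating the RADIUS user entries with `mab_credentials` from the same settings the device uses avoids the most common bypass failure, a mismatch in separator or letter case between the device and the server.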
Information
Parameters Meaning
Monitor mode clients Displays to how many end devices the device gave network access even though they did not login
successfully.
The prerequisite is that you activate the Monitor mode function. See the Configuration frame.
Non monitor mode clients Displays the number of end devices to which the device gave network access after successful
login.
Policy 1 Displays the method that the device currently uses to authenticate the end devices using
IEEE 802.1X.
You specify the method used in the Device Security > Authentication List dialog.
To authenticate the end devices through a RADIUS server, you assign the radius policy to
the 8021x list.
To authenticate the end devices through the Integrated Authentication Server (IAS) you assign
the ias policy to the 8021x list.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Network Security > 802.1X Port Authentication > Port Configuration
This dialog allows you to specify the access settings for every port.
If multiple end devices are connected to a port, the device allows you to authenticate these individually
(multi-client authentication). In this case, the device allows logged in end devices to access the network.
In contrast, the device blocks access for unauthenticated end devices, or for end devices whose
authentication has elapsed.
Table
Parameters Meaning
Port Displays the port number.
Port initialization Activates/deactivates the port initialization in order to activate the access control on the port or
reset it to its initial state. Use this function only for ports in which the Port control column
contains the value auto.
Possible values:
marked
The port initialization is active.
When the initialization is complete, the device changes the value to unmarked again.
unmarked (default setting)
The port initialization is inactive.
The device keeps the current port status.
Port reauthentication Activates/deactivates the one-time reauthentication request.
Use this function only for ports in which the Port control column contains the value auto.
The device also allows you to periodically request the end device to login again. See the Periodic
reauthentication column.
Possible values:
marked
The one-time reauthentication request is active.
The device requests the end device to login again. Afterwards, the device changes the value
to unmarked again.
unmarked (default setting)
The one-time reauthentication request is inactive.
The device keeps the end device logged in.
Authentication activity Displays the current status of the Authenticator (Authenticator PAE state).
Possible values:
initialize
disconnected
connecting
authenticating
authenticated
aborting
held
forceAuth
forceUnauth
Backend authentication state Displays the current status of the connection to the authentication server (Backend
Authentication state).
Possible values:
request
response
success
fail
timeout
idle
initialize
Authentication state Displays the current status of the authentication on the port (Controlled Port Status).
Possible values:
authorized
The end device is logged in successfully.
unauthorized
The end device is not logged in.
Users (max.) Specifies the upper limit for the number of end devices that the device authenticates on this port
at the same time. This upper limit applies exclusively to ports in which the Port control column
contains the value multiClient.
Possible values:
1..16 (default setting: 16)
Port control Specifies how the device grants access to the network (Port control mode).
Possible values:
forceUnauthorized
The device blocks the access to the network. You use this setting if an end device is connected
to the port that does not receive access to the network.
auto
The device grants access to the network if the end device has logged in successfully. You use
this setting if an end device is connected to the port that logs in at the authenticator.
If other end devices are connected through the same port, they get access to the network
without additional authentication.
forceAuthorized (default setting)
The device grants access to the network. You use this setting if an end device is connected to
the port that receives access to the network without logging in.
multiClient
The device grants access to the network if the end device logs in successfully.
If the end device does not send any EAPoL data packets, the device grants or denies access
to the network individually depending on the MAC address of the end device. See the MAC
authorized bypass column.
You use this setting if multiple end devices are connected to the port.
Quiet period [s] Specifies the time period in seconds in which the authenticator does not accept any more logins
from the end device after an unsuccessful login attempt (Quiet period [s]).
Possible values:
0..65535 (default setting: 60)
Transmit period [s] Specifies the period in seconds after which the authenticator requests the end device to login
again. After this waiting period, the device sends an EAP request/identity data packet to the end
device.
Possible values:
1..65535 (default setting: 30)
Supplicant timeout period [s] Specifies the period in seconds for which the authenticator waits for the login of the end device.
Possible values:
1..65535 (default setting: 30)
Server timeout [s] Specifies the period in seconds for which the authenticator waits for the response from the
authentication server (RADIUS or IAS).
Possible values:
1..65535 (default setting: 30)
Requests (max.) Specifies how many times the authenticator requests the end device to login until the time
specified in the Supplicant timeout period [s] column has elapsed. The device sends an
EAP request/identity data packet to the end device as often as specified here.
Possible values:
0..10 (default setting: 2)
Assigned VLAN ID Displays the ID of the VLAN that the authenticator assigned to the port. This value applies
exclusively to ports in which the Port control column contains the value auto.
Possible values:
0..4042 (default setting: 0)
You find the VLAN ID that the authenticator assigned to the ports in the Network Security >
802.1X Port Authentication > Port Clients dialog.
To ports in which the Port control column contains the value multiClient : the device assigns
the VLAN tag based on the MAC address of the end device when it receives data packets without
a VLAN tag.
Assignment reason Displays the cause for the assignment of the VLAN ID. This value applies exclusively to ports in
which the Port control column contains the value auto.
Possible values:
notAssigned (default setting)
radius
guestVlan
unauthenticatedVlan
You find the VLAN ID that the authenticator assigned to the ports in the Network Security >
802.1X Port Authentication > Port Clients dialog.
Reauthentication period [s] Specifies the period in seconds after which the authenticator periodically requests the end device
to login again.
Possible values:
1..65535 (default setting: 3600)
Periodic reauthentication Activates/deactivates periodic reauthentication requests.
Possible values:
marked
The periodic reauthentication requests are active.
The device periodically requests the end device to login again. You specify this time period in
the Reauthentication period [s] column.
This setting becomes ineffective if the authenticator has assigned the end device the ID of a
Voice, Unauthenticated or Guest VLAN.
unmarked (default setting)
The periodic reauthentication requests are inactive.
The device keeps the end device logged in.
Guest VLAN ID Specifies the ID of the VLAN that the authenticator assigns to the port if the end device does not
log in during the time period specified in the Guest VLAN period column. This value applies
exclusively to ports in which the Port control column contains the value auto.
This function allows you to grant end devices, without 802.1X support, access to selected services
in the network.
Possible values:
0 (default setting)
The authenticator does not assign a guest VLAN to the port.
When you enable the MAC-based authentication in the MAC authorized bypass column,
the device automatically sets the value to 0.
1..4042
Unauthenticated VLAN ID Specifies the ID of the VLAN that the authenticator assigns to the port if the end device does not
login successfully. This value applies exclusively to ports in which the Port control column
contains the value auto.
This function allows you to grant end devices without valid login data access to selected services
in the network.
Possible values:
0..4042 (default setting: 0)
The effect of the value 0 is that the authenticator does not assign an Unauthenticated VLAN to the
port.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
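The following Python function is an added example, not part of this manual or of the device software. It encodes, as one decision procedure, the rules spread over the Global dialog (VLAN assignment, Dynamic VLAN creation, Monitor mode) and the Port control, Guest VLAN ID and Unauthenticated VLAN ID rows above, and returns the access decision together with the VLAN and the assignment reason for one end device. It is a model of the rules as the text states them, not of the device's internal state machine: the class and field names are this example's own, a device that sends no EAPoL packets is treated as one that does not log in within the guest VLAN period, and the order in which monitor mode and the guest or unauthenticated VLAN are checked is an assumption.

```python
from dataclasses import dataclass


@dataclass
class GlobalSettings:
    """Configuration frame of the 802.1X Global dialog."""
    vlan_assignment: bool = False          # assign the RADIUS-supplied VLAN after successful login
    dynamic_vlan_creation: bool = False    # create that VLAN if it does not exist
    monitor_mode: bool = False             # let end devices through that did not log in successfully


@dataclass
class PortSettings:
    """Rows of the Port Configuration table that this model uses."""
    port_control: str = "forceAuthorized"  # forceUnauthorized | auto | forceAuthorized | multiClient
    assigned_vlan_id: int = 0              # VLAN the port keeps when nothing is assigned
    guest_vlan_id: int = 0                 # 0 = no guest VLAN (auto only)
    unauthenticated_vlan_id: int = 0       # 0 = no unauthenticated VLAN (auto only)


@dataclass
class ClientResult:
    """What the authenticator learned about one end device (constructed input)."""
    sends_eapol: bool = True               # False: device without 802.1X support
    auth_success: bool = False             # outcome of the RADIUS/IAS exchange
    radius_vlan: int = 0                   # VLAN ID from the Access-Accept, 0 = none
    mac_bypass_ok: bool = False            # MAC authorized bypass result (multiClient, no EAPoL)


def decide(g, p, c, existing_vlans):
    """Return (access_granted, vlan_id, assignment_reason) for one end device.
    `existing_vlans` is the set of VLANs configured on the device; dynamic creation adds to it."""
    pc = p.port_control
    if pc == "forceAuthorized":
        return True, p.assigned_vlan_id, "notAssigned"      # access without login
    if pc == "forceUnauthorized":
        return False, p.assigned_vlan_id, "notAssigned"     # access always blocked
    if pc == "multiClient" and not c.sends_eapol:
        return c.mac_bypass_ok, p.assigned_vlan_id, "notAssigned"   # decided per MAC address
    if c.auth_success:
        if g.vlan_assignment and c.radius_vlan:
            if c.radius_vlan not in existing_vlans and g.dynamic_vlan_creation:
                existing_vlans.add(c.radius_vlan)
            if c.radius_vlan in existing_vlans:
                return True, c.radius_vlan, "radius"
            # VLAN missing and creation off: the port stays in its original VLAN
        return True, p.assigned_vlan_id, "notAssigned"
    if pc == "auto":
        # assumption: a silent device gets the guest VLAN, a failed login the unauthenticated VLAN
        if not c.sends_eapol and p.guest_vlan_id:
            return True, p.guest_vlan_id, "guestVlan"
        if c.sends_eapol and p.unauthenticated_vlan_id:
            return True, p.unauthenticated_vlan_id, "unauthenticatedVlan"
    if g.monitor_mode:
        return True, p.assigned_vlan_id, "monitorVlan"     # access despite failed login
    return False, p.assigned_vlan_id, "notAssigned"
```

Two outcomes of the model are worth checking in a configuration review: with Monitor mode marked, a failed login still results in network access, and with Dynamic VLAN creation unmarked, a RADIUS-assigned VLAN that does not exist leaves the end device in the port's original VLAN.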
Network Security > 802.1X Port Authentication > Port Clients
Table
Parameters Meaning
Port Displays the port number.
User name Displays the user name with which the end device logged in.
MAC address Displays the MAC address of the end device.
Filter ID Displays the name of the filter list that the RADIUS authentication server assigned to the end
device after successful authentication.
The authentication server transfers the filter ID attributes in the Access Accept data packet.
Assigned VLAN ID Displays the VLAN ID that the authenticator assigned to the port after the successful
authentication of the end device.
If for the port in the Network Security > 802.1X Port Authentication > Port
Configuration dialog, Port control column the value multiClient is specified: The device
assigns the VLAN tag based on the MAC address of the end device when it receives data packets
without a VLAN tag.
Assignment reason Displays the reason for the assignment of the VLAN.
Possible values:
default
radius
unauthenticatedVlan
guestVlan
monitorVlan
invalid
The field displays solely a valid value as long as the client is authenticated.
Session timeout Displays the remaining time in seconds until the login of the end device expires. This value applies
solely if for the port in the Network Security > 802.1X Port Authentication > Port
Configuration dialog, Port control column the value auto or multiClient is specified.
The authentication server assigns the timeout period to the device through RADIUS. The value 0
means that the authentication server has not assigned a timeout.
Termination action Displays the action performed by the device when the login has elapsed.
Possible values:
default
reauthenticate
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Network Security > 802.1X Port Authentication > EAPOL Port Statistics
This dialog displays which EAPoL data packets the end device has sent and received for the
authentication of the end devices.
Table
Parameters Meaning
Port Displays the port number.
Received packets Displays the total number of EAPOL data packets that the device received on the port.
Transmitted packets Displays the total number of EAPOL data packets that the device sent on the port.
Start packets Displays the number of EAPOL start data packets that the device received on the port.
Logoff packets Displays the number of EAPOL logoff data packets that the device received on the port.
Response/ID packets Displays the number of EAP response/identity data packets that the device received on the port.
Response packets Displays the number of valid EAP response data packets that the device received on the port
(without EAP response/identity data packets).
Request/ID packets Displays the number of EAP request/identity data packets that the device received on the port.
Request packets Displays the number of valid EAP request data packets that the device received on the port
(without EAP request/identity data packets).
Invalid packets Displays the number of EAPOL data packets with an unknown frame type that the device received
on the port.
Received error packets Displays the number of EAPOL data packets with an invalid packet body length field that the
device received on the port.
Packet version Displays the protocol version number of the EAPOL data packet that the device last received on
the port.
Source of last received packet Displays the sender MAC address of the EAPOL data packet that the device last received
on the port.
The value 00:00:00:00:00:00 means that the port has not received any EAPOL data packets
yet.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
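The following Python script is an added example and is not part of the Hirschmann manual or the HiOS software. It models the counters of the statistics table above for one port: an EAPOL frame parser that tallies start, logoff, EAP response/identity, EAP response, request/identity and request packets, frames with an unknown EAPOL type (Invalid packets) and frames whose body length field is wrong (Received error packets), and that records the packet version and the source MAC address of the last received frame. All frames in the sample session are constructed for the demonstration; the supplicant MAC address, identity and MD5-Challenge contents are assumptions.

```python
"""Per-port EAPOL counters as the 802.1X statistics dialog describes them.
Added example, not Hirschmann code: the class tallies received EAPOL frames
the way the table columns do. All frames below are constructed for the demo."""
import struct
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")          # destination of EAPOL frames
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY, EAPOL_ASF = 0, 1, 2, 3, 4
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1


def eapol_frame(src_mac: bytes, eapol_type: int, body: bytes = b"",
                version: int = 2, body_length: Optional[int] = None) -> bytes:
    """Ethernet II + EAPOL header; body_length lets the demo forge a bad length field."""
    length = len(body) if body_length is None else body_length
    return (PAE_GROUP_MAC + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", version, eapol_type, length) + body)


def eap_packet(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """RFC 3748 EAP packet: code, identifier, total length, optional type + type data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


class PortEapolStats:
    """Counters named after the dialog columns, for one port."""
    COLUMNS = ("Received packets", "Transmitted packets", "Start packets", "Logoff packets",
               "Response/ID packets", "Response packets", "Request/ID packets",
               "Request packets", "Invalid packets", "Received error packets")

    def __init__(self) -> None:
        self.counts = dict.fromkeys(self.COLUMNS, 0)
        self.packet_version = 0
        self.source_of_last_received = "00:00:00:00:00:00"   # dialog value before any EAPOL frame

    def transmit(self, frame: bytes) -> None:
        self.counts["Transmitted packets"] += 1

    def receive(self, frame: bytes) -> None:
        c = self.counts
        c["Received packets"] += 1
        self.source_of_last_received = ":".join(f"{b:02x}" for b in frame[6:12])
        version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
        self.packet_version = version
        body = frame[18:]
        if length > len(body):                  # body length field claims more than is there
            c["Received error packets"] += 1
            return
        body = body[:length]
        if eapol_type == EAPOL_START:
            c["Start packets"] += 1
        elif eapol_type == EAPOL_LOGOFF:
            c["Logoff packets"] += 1
        elif eapol_type == EAPOL_EAP:
            self._count_eap(body)
        elif eapol_type not in (EAPOL_KEY, EAPOL_ASF):
            c["Invalid packets"] += 1           # unknown EAPOL frame type

    def _count_eap(self, eap: bytes) -> None:
        if len(eap) < 4:
            self.counts["Received error packets"] += 1
            return
        code, _ident, eap_len = struct.unpack("!BBH", eap[:4])
        if eap_len < 4 or eap_len > len(eap):
            self.counts["Received error packets"] += 1
            return
        identity = eap_len >= 5 and eap[4] == EAP_TYPE_IDENTITY
        if code == EAP_RESPONSE:
            self.counts["Response/ID packets" if identity else "Response packets"] += 1
        elif code == EAP_REQUEST:
            self.counts["Request/ID packets" if identity else "Request packets"] += 1
        # EAP Success/Failure only count as "Received packets"


def sample_session() -> PortEapolStats:
    """One constructed authentication, then a bogus frame type and a bad length field."""
    supplicant = bytes.fromhex("001122334455")           # assumed end-device MAC
    stats = PortEapolStats()
    stats.receive(eapol_frame(supplicant, EAPOL_START))
    stats.transmit(eapol_frame(bytes(6), EAPOL_EAP, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)))
    stats.receive(eapol_frame(supplicant, EAPOL_EAP, eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice")))
    stats.transmit(eapol_frame(bytes(6), EAPOL_EAP, eap_packet(EAP_REQUEST, 2, 4, bytes(17))))   # MD5-Challenge
    stats.receive(eapol_frame(supplicant, EAPOL_EAP, eap_packet(EAP_RESPONSE, 2, 4, bytes(17))))
    stats.receive(eapol_frame(supplicant, EAPOL_LOGOFF))
    stats.receive(eapol_frame(supplicant, 9))                               # unknown frame type
    stats.receive(eapol_frame(supplicant, EAPOL_START, body_length=40))     # length field lies
    return stats


if __name__ == "__main__":
    s = sample_session()
    for column, value in s.counts.items():
        print(f"{column:24} {value}")
    print("Packet version", s.packet_version, "/ Source of last received packet", s.source_of_last_received)
```

Running the script prints one line per table column for the constructed session: six received and two transmitted packets, one each of start, logoff, response/identity, response, invalid and error packets, packet version 2 and the supplicant MAC address as the source of the last received packet.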
Network Security > 802.1X Port Authentication > Port Authentication History
The device registers the authentication process of the end devices that are connected to its ports. This
dialog displays the information recorded during the authentication.
Table
Parameters Meaning
Port Displays the port number.
Authentication time stamp Displays the time at which the authenticator authenticated the end device.
Result age Displays how long ago this entry was added to the table.
MAC address Displays the MAC address of the end device.
VLAN ID Displays the ID of the VLAN that was assigned to the end device before the login.
Authentication status Displays the status of the authentication on the port.
Possible values:
success
The authentication was successful.
failure
The authentication failed.
Access status Displays whether the device grants the end device access to the network.
Possible values:
granted
The device grants the end device access to the network.
denied
The device denies the end device access to the network.
Assigned VLAN ID Displays the ID of the VLAN that the authenticator assigned to the port.
Assignment type Displays the type of the VLAN that the authenticator assigned to the port.
Possible values:
default
radius
unauthenticatedVlan
guestVlan
monitorVlan
notAssigned
Assignment reason Displays the reason for the assignment of the VLAN ID and the VLAN type.
Parameters Meaning
Port Simplifies the table and displays solely the entries relating to the port selected here. This makes
it easier for you to view the table and sort it as you desire.
Possible values:
all
The table displays the entries for every port.
<Port number>
The table displays the entries that apply to the port selected here.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Network Security > 802.1X Port Authentication > Integrated Authentication Server
The Integrated Authentication Server (IAS) allows you to authenticate end devices using IEEE 802.1X.
Compared to RADIUS, the IAS has a very limited range of functions. The authentication is based solely
on the user name and the password.
In this dialog you manage the login data of the end devices. The device allows you to create up to 100
sets of login data.
To authenticate the end devices through the Integrated Authentication Server, you assign the ias policy
to the 8021x list in the Device Security > Authentication List dialog.
Table
Parameters Meaning
User name Displays the user name of the end device.
To create a new user, click the button.
Password Specifies the password with which the user authenticates.
Possible values:
Alphanumeric ASCII character string with 0..64 characters
The device differentiates between upper and lower case.
Active Activates/deactivates the login data.
Possible values:
marked
The login data is active. An end device has the option of logging in through 802.1X using this
login data.
unmarked (default setting)
The login data is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the User name field, you specify the user name of the end device.
4.4 RADIUS
With its factory settings, the device authenticates users based on the local user management. However,
as the size of a network increases, it becomes more difficult to keep the login data of the users
consistent across the devices.
RADIUS (Remote Authentication Dial-In User Service) allows you to authenticate and authorize the
users at a central point in the network. A RADIUS server performs the following tasks here:
Authentication
The authentication server authenticates the users when the RADIUS client at the access point
forwards the users’ login data to the server.
Authorization
The authentication server authorizes logged in users for selected services by assigning various
parameters for the relevant end device to the RADIUS client at the access point.
Accounting
The accounting server records the traffic data that has occurred during the port authentication
according to IEEE 802.1X. This enables you to subsequently determine which services the users
have used, and to what extent.
The device operates in the role of the RADIUS client if you assign the radius policy to an application in
the Device Security > Authentication List dialog. The device forwards the users’ login data to
the primary authentication server. The authentication server decides whether the login data is valid and
transfers the user’s authorizations to the device.
The device maps the Service-Type attribute transferred in the response of a RADIUS server to a user role
existing in the device as follows:
– Administrative-User: administrator
– Login-User: operator
– NAS-Prompt-User: guest
The device also allows you to authenticate end devices with IEEE 802.1X through an authentication
server. To do this, you assign the radius policy to the 8021x list in the Device Security >
Authentication List dialog.
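The following Python script is an added example and is not part of the Hirschmann manual or the HiOS software. It shows, at the packet level, what the device does in the RADIUS client role described above: it builds an Access-Request that carries User-Name, the User-Password hidden with the shared secret, and NAS-IP-Address (attribute 4, the field of the RADIUS Global dialog); it verifies the Response Authenticator of the server's reply, which is the check behind the Bad authenticators counter of the Authentication Statistics dialog; and it maps the Service-Type of an Access-Accept to the roles listed above. The packet layout follows RFC 2865. The shared secret, user name, password, packet identifier and NAS address are assumptions constructed for the demonstration.

```python
"""RADIUS client behaviour the page describes: the NAS-IP-Address attribute (4),
the Response Authenticator check that feeds the "Bad authenticators" counter, and
the Service-Type to user-role mapping. Added example following RFC 2865 framing,
not Hirschmann code; the shared secret, user and addresses are constructed."""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
# Service-Type values from RFC 2865 section 5.6, mapped to the roles the page lists
ROLE_BY_SERVICE_TYPE = {6: "administrator",   # Administrative-User
                        1: "operator",        # Login-User
                        7: "guest"}           # NAS-Prompt-User


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length byte covers the two header bytes too."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encrypt_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def radius_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH16s", code, ident, 20 + len(attrs), authenticator) + attrs


def access_request(ident: int, user: bytes, password: bytes, secret: bytes, nas_ip: str,
                   request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What the device (RADIUS client) sends; the 16 random bytes are needed again for the reply check."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, encrypt_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, IPv4Address(nas_ip).packed))        # attribute 4 from the dialog
    return radius_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_reply(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a well-behaved server sends back (used here only to construct demo replies)."""
    return radius_packet(code, ident, response_authenticator(code, ident, attrs, request_auth, secret), attrs)


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    out: Dict[int, bytes] = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")                    # "Malformed access responses"
        out[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return out


def handle_reply(reply: bytes, ident: int, request_auth: bytes, secret: bytes) -> Tuple[str, Optional[str]]:
    """Client-side checks in the order a NAS applies them; the string names the outcome or counter."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return "malformed", None
    code, reply_id, _length, auth = struct.unpack("!BBH16s", reply[:20])
    if reply_id != ident:
        return "dropped", None                                           # no matching outstanding request
    attrs = reply[20:]
    if not hmac.compare_digest(auth, response_authenticator(code, reply_id, attrs, request_auth, secret)):
        return "bad_authenticator", None                                 # wrong secret or forged reply
    if code != ACCESS_ACCEPT:
        return "reject", None
    service_type = parse_attrs(attrs).get(SERVICE_TYPE)
    role = ROLE_BY_SERVICE_TYPE.get(struct.unpack("!I", service_type)[0]) if service_type else None
    return "accept", role


def demo(secret: bytes = b"constructed-shared-secret") -> Dict[str, object]:
    req, ra = access_request(7, b"alice", b"hunter2", secret, "192.0.2.1")
    accept = server_reply(ACCESS_ACCEPT, 7, ra, secret, attr(SERVICE_TYPE, struct.pack("!I", 6)))
    return {
        "accept": handle_reply(accept, 7, ra, secret),
        "wrong_secret": handle_reply(accept, 7, ra, b"some-other-secret"),   # counts as a bad authenticator
        "reject": handle_reply(server_reply(ACCESS_REJECT, 7, ra, secret), 7, ra, secret),
        "nas_ip": str(IPv4Address(parse_attrs(req[20:])[NAS_IP_ADDRESS])),
    }


if __name__ == "__main__":
    print(demo())
```

The "wrong_secret" case illustrates why a mismatched shared secret between the device and the server shows up as Bad authenticators rather than as Access rejects: the reply is discarded before its code is even looked at. The same check is what protects the device against a forged Access-Accept from a host that does not know the secret.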
The menu contains the following dialogs:
RADIUS Global
RADIUS Authentication Server
RADIUS Accounting Server
RADIUS Authentication Statistics
RADIUS Accounting Statistics
RADIUS configuration
Parameters Meaning
Retransmits (max.) Specifies how many times the device retransmits an unanswered request to the authentication
server before the device sends the request to an alternative authentication server.
Possible values:
1..15 (default setting: 4)
Timeout [s] Specifies how many seconds the device waits for a response after a request to an authentication
server before it retransmits the request.
Possible values:
1..30 (default setting: 5)
Accounting Activates/deactivates the accounting.
Possible values:
marked
Accounting is active.
The device sends the traffic data to an accounting server specified in the Network Security >
RADIUS > Accounting Server dialog.
unmarked (default setting)
Accounting is inactive.
NAS IP address (attribute 4) Specifies the IP address that the device transfers to the authentication server as
attribute 4. Specify the IP address of the device or another available address.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
In many cases, there is a firewall between the device and the authentication server. If Network Address
Translation (NAT) in the firewall changes the original IP address, the authentication server receives
the translated IP address of the device.
The device transfers the IP address in this field unchanged across the Network Address Translation
(NAT), so the authentication server can still identify the device.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Reset Deletes the statistics in the Network Security > RADIUS > Authentication Statistics
dialog and in the Network Security > RADIUS > Accounting Statistics dialog.
This dialog allows you to specify up to 8 authentication servers. An authentication server authenticates
and authorizes the users when the device forwards the login data to the server.
The device sends the login data to the specified primary authentication server. If the server does not
respond, the device contacts the specified authentication server that is highest in the table. If no
response comes from this server either, the device contacts the next server in the table.
Table
Parameters Meaning
Index Displays the index number to which the table entry relates.
Name Displays the name of the server.
To change the value, click the relevant field.
Possible values:
Alphanumeric ASCII character string with 1..32 characters
(default setting: Default-RADIUS-Server)
Address Specifies the IP address of the server.
Possible values:
Valid IPv4 address
Destination UDP port Specifies the number of the UDP port on which the server receives requests.
Possible values:
0..65535 (default setting: 1812)
Exception: Port 2222 is reserved for internal functions.
Secret Displays ****** (asterisks) when you specify a password with which the device logs in to the server.
To change the password, click the relevant field.
Possible values:
Alphanumeric ASCII character string with 1..64 characters
You get the password from the administrator of the authentication server.
Primary server Specifies the authentication server as primary or secondary.
Possible values:
marked
The server is specified as the primary authentication server. The device sends the login data
for authenticating the users to this authentication server.
If you mark the checkbox for multiple servers, the device uses the server marked last as the primary
authentication server.
unmarked (default setting)
The server is the secondary authentication server. The device sends the login data to the
secondary authentication server if it does not receive a response from the primary
authentication server.
Active Activates/deactivates the connection to the server.
The device uses the server if you specify in the Device Security > Authentication List
dialog the value radius in one of the rows Policy 1 to Policy 5.
Possible values:
marked (default setting)
The connection is active. The device sends the login data for authenticating the users to this
server if the preconditions named above are fulfilled.
unmarked
The connection is inactive. The device does not send any login data to this server.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the Index field, you specify the index number.
In the Address field, you specify the IP address of the server.
This dialog allows you to specify up to 8 accounting servers. An accounting server records the traffic
data that has occurred during the port authentication according to IEEE 802.1X. The prerequisite is that
you activate in the Network Security > RADIUS > Global menu the Accounting function.
The device sends the traffic data to the first accounting server that can be reached. If it does not
respond, the device contacts the next server in the table.
Table
Parameters Meaning
Index Displays the index number to which the table entry relates.
Possible values:
1..8
Name Displays the name of the server.
To change the value, click the relevant field.
Possible values:
Alphanumeric ASCII character string with 1..32 characters
(default setting: Default-RADIUS-Server)
Address Specifies the IP address of the server.
Possible values:
Valid IPv4 address
Destination UDP port Specifies the number of the UDP port on which the server receives requests.
Possible values:
0..65535 (default setting: 1813)
Exception: Port 2222 is reserved for internal functions.
Secret Displays ****** (asterisks) when you specify a password with which the device logs in to the server.
To change the password, click the relevant field.
Possible values:
Alphanumeric ASCII character string with 1..16 characters
You get the password from the administrator of the authentication server.
Active Activates/deactivates the connection to the server.
Possible values:
marked (default setting)
The connection is active. The device sends traffic data to this server if the preconditions named
above are fulfilled.
unmarked
The connection is inactive. The device does not send any traffic data to this server.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the Index field, you specify the index number.
In the Address field, you specify the IP address of the server.
This dialog displays information about the communication between the device and the authentication
server. The table displays the information for each server in a separate row.
To delete the statistics, click the Clear RADIUS statistics? button in the Network Security > RADIUS >
Global dialog.
Table
Parameters Meaning
Name Displays the name of the server.
Address Displays the IP address of the server.
Round trip time Displays the time interval in hundredths of a second between the last response received from the
server (Access Reply/Access Challenge) and the corresponding data packet sent (Access
Request).
Access requests Displays the number of access data packets that the device sent to the server. This value does
not take repetitions into account.
Retransmitted access-request packets Displays the number of access data packets that the device retransmitted to
the server.
Access accepts Displays the number of access accept data packets that the device received from the server.
Access rejects Displays the number of access reject data packets that the device received from the server.
Access challenges Displays the number of access challenge data packets that the device received from the server.
Malformed access responses Displays the number of malformed access response data packets that the device received
from the server (including data packets with an invalid length).
Bad authenticators Displays the number of access response data packets with an invalid authenticator that the device
received from the server.
Pending requests Displays the number of access request data packets that the device sent to the server to which it
has not yet received a response from the server.
Timeouts Displays how many times no response from the server was received before the specified waiting time
elapsed.
Unknown types Displays the number of data packets with an unknown data type that the device received from the
server on the authentication port.
Packets dropped Displays the number of data packets that the device received from the server on the authentication
port and then discarded.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
This dialog displays information about the communication between the device and the accounting
server. The table displays the information for each server in a separate row.
To delete the statistics, click the Clear RADIUS statistics? button in the Network Security > RADIUS >
Global dialog.
Table
Parameters Meaning
Name Displays the name of the server.
Address Displays the IP address of the server.
Round trip time Displays the time interval in hundredths of a second between the last response received from the
server (Accounting Response) and the corresponding data packet sent (Accounting Request).
Accounting-request packets Displays the number of accounting request data packets that the device sent to the
server. This value does not take repetitions into account.
Retransmitted accounting-request packets Displays the number of accounting request data packets that the device
retransmitted to the server.
Received packets Displays the number of accounting response data packets that the device received from the
server.
Malformed packets Displays the number of malformed accounting response data packets that the device received
from the server (including data packets with an invalid length).
Bad authenticators Displays the number of accounting response data packets with an invalid authenticator that the
device received from the server.
Pending requests Displays the number of accounting request data packets that the device sent to the server to which
it has not yet received a response from the server.
Timeouts Displays how many times no response from the server was received before the specified waiting time
elapsed.
Unknown types Displays the number of data packets with an unknown data type that the device received from the
server on the accounting port.
Packets dropped Displays the number of data packets that the device received from the server on the accounting
port and then discarded.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
4.5 DoS
Denial of Service (DoS) is a cyber-attack that aims to bring down specific services or devices. In this
menu you can set up several filters to protect the device from DoS attacks.
The menu contains the following dialogs:
DoS Global
In this dialog, you specify the DoS settings for the TCP/UDP, IP and ICMP protocols.
TCP/UDP
A scanner uses port scans to prepare network attacks. The scanner uses different techniques to
determine running devices and open ports. This frame allows you to activate filters for specific scanning
techniques.
The device supports the detection of the following scan types:
Null scans
Xmas scans
SYN/FIN scans
TCP Offset attacks
TCP SYN attacks
L4 Port attacks
Minimal Header scans
Parameters Meaning
Null Scan filter Activates/deactivates the Null Scan filter.
The Null Scan filter detects incoming data packets with no TCP flags set and discards them.
Possible values:
marked
The filter is active.
unmarked (default setting)
The filter is inactive.
Xmas filter Activates/deactivates the Xmas filter.
The Xmas filter detects incoming data packets with the TCP flags FIN, URG and PUSH set
simultaneously and discards them.
Possible values:
marked
The filter is active.
unmarked (default setting)
The filter is inactive.
SYN/FIN filter Activates/deactivates the SYN/FIN filter.
The SYN/FIN filter detects incoming data packets with the TCP flags SYN and FIN set
simultaneously and discards them.
Possible values:
marked
The filter is active.
unmarked (default setting)
The filter is inactive.
TCP Offset protection Activates/deactivates the TCP Offset protection.
The TCP Offset protection detects incoming TCP data packets whose fragment offset field of the
IP header is equal to 1 and discards them.
The TCP Offset protection accepts UDP and ICMP packets whose fragment offset field of the IP
header is equal to 1.
Possible values:
marked
The protection is active.
unmarked (default setting)
The protection is inactive.
Parameters Meaning
TCP SYN protection Activates/deactivates the TCP SYN protection.
The TCP SYN protection detects incoming data packets with the TCP flag SYN set and a L4
source port <1024 and discards them.
Possible values:
marked
The protection is active.
unmarked (default setting)
The protection is inactive.
L4 Port protection Activates/deactivates the L4 Port protection.
The L4 Port protection detects incoming TCP and UDP data packets whose source port number
and destination port number are identical and discards them.
Possible values:
marked
The protection is active.
unmarked (default setting)
The protection is inactive.
Min. Header Size filter Activates/deactivates the Minimal Header filter.
The Minimal Header filter detects incoming data packets whose IP payload length (the total length in
the IP header less the IP header size) is smaller than the minimum TCP header size. If the data packet
is the first fragment, the device discards it.
Possible values:
marked
The filter is active.
unmarked (default setting)
The filter is inactive.
Min. TCP header size Displays the minimum size of a valid TCP header.
IP
This frame allows you to activate or deactivate the Land Attack filter. With the land attack method, the
attacking station sends data packets whose source and destination addresses are identical to those of
the recipient. When you activate this filter, the device detects data packets with identical source and
destination addresses and discards these.
Parameters Meaning
Land Attack filter Activates/deactivates the Land Attack filter.
The Land Attack filter detects incoming IP data packets whose source and destination IP address
are identical and discards them.
Possible values:
marked
The filter is active.
unmarked (default setting)
The filter is inactive.
ICMP
This frame provides you with filter options for the following ICMP parameters:
Fragmented data packets
ICMP packets from a specific size upwards
Broadcast pings
Parameters Meaning
Filter fragmented packets Activates/deactivates the filter for fragmented ICMP packets.
The filter detects fragmented ICMP packets and discards them.
Possible values:
marked
The filter is active.
unmarked (default setting)
The filter is inactive.
Filter by packet size Activates/deactivates the filter for incoming ICMP packets.
The filter detects ICMP packets whose size exceeds the packet size specified in the Allowed
packet size [byte] field and discards them.
Possible values:
marked
The filter is active.
unmarked (default setting)
The filter is inactive.
Allowed packet size [byte] Specifies the maximum allowed payload size of ICMP packets in bytes.
Mark the Filter by packet size checkbox if you want the device to discard incoming data
packets whose size exceeds the maximum allowed size for ICMP packets.
Possible values:
0..1472 (default setting: 512)
Drop broadcast ping Activates/deactivates the filter for Broadcast Pings. Broadcast Pings are a known indicator of
Smurf attacks.
Possible values:
marked
The filter is active.
The device detects Broadcast Pings and drops them.
unmarked (default setting)
The filter is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
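The following Python script is an added example and is not part of the Hirschmann manual or the HiOS software. It expresses each filter of the DoS Global dialog (TCP/UDP, IP and ICMP frames above) as a predicate over the IPv4, TCP, UDP and ICMP header fields, and applies them to constructed packets so you can see which packet the dialog's filters would discard. Where the dialog leaves a detail open, the script makes an assumption and says so in a comment: the ICMP payload is measured after the 8-byte ICMP header, broadcast pings are recognized by the directed broadcast of an assumed local subnet (192.0.2.0/24) or 255.255.255.255, and the minimum TCP header size is taken as 20 bytes. The addresses, ports and packet contents are constructed, not captured.

```python
"""The DoS filters of the Network Security > DoS > Global dialog as packet predicates.
Added example, not Hirschmann code: a minimal IPv4/TCP/UDP/ICMP header parser plus one
check per filter, applied to constructed packets. Assumptions are marked in comments."""
import struct
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List

TCP_FIN, TCP_SYN, TCP_PSH, TCP_URG = 0x01, 0x02, 0x08, 0x20
XMAS = TCP_FIN | TCP_PSH | TCP_URG
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
MIN_TCP_HEADER_SIZE = 20          # assumed value of "Min. TCP header size"


def parse_ipv4(pkt: bytes) -> Dict[str, object]:
    """Only the header fields the filters inspect; L4 ports/flags only on first fragments."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    p: Dict[str, object] = {
        "proto": proto, "frag_offset": flags_frag & 0x1FFF, "more_frags": bool(flags_frag & 0x2000),
        "src": IPv4Address(pkt[12:16]), "dst": IPv4Address(pkt[16:20]), "payload_len": total_len - ihl}
    l4 = pkt[ihl:]
    if p["frag_offset"] == 0 and proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        p["sport"], p["dport"] = struct.unpack("!HH", l4[:4])
    if p["frag_offset"] == 0 and proto == PROTO_TCP and len(l4) >= 14:
        p["tcp_flags"] = l4[13] & 0x3F
    return p


def dos_filters(pkt: bytes, allowed_icmp_size: int = 512,
                local_net: IPv4Network = IPv4Network("192.0.2.0/24")) -> List[str]:
    """Names (as in the dialog) of the filters that would discard pkt if activated."""
    p = parse_ipv4(pkt)
    hits: List[str] = []
    if p["src"] == p["dst"]:
        hits.append("Land Attack filter")
    flags = p.get("tcp_flags")
    if flags is not None:
        if flags == 0:
            hits.append("Null Scan filter")
        if flags & XMAS == XMAS:
            hits.append("Xmas filter")
        if flags & (TCP_SYN | TCP_FIN) == TCP_SYN | TCP_FIN:
            hits.append("SYN/FIN filter")
        if flags & TCP_SYN and p["sport"] < 1024:
            hits.append("TCP SYN protection")
    if p["proto"] == PROTO_TCP and p["frag_offset"] == 1:
        hits.append("TCP Offset protection")           # UDP/ICMP with offset 1 are accepted
    if "sport" in p and p["sport"] == p["dport"]:
        hits.append("L4 Port protection")
    if p["proto"] == PROTO_TCP and p["frag_offset"] == 0 and p["payload_len"] < MIN_TCP_HEADER_SIZE:
        hits.append("Min. Header Size filter")
    if p["proto"] == PROTO_ICMP:
        if p["frag_offset"] or p["more_frags"]:
            hits.append("Filter fragmented packets")
        if p["payload_len"] - 8 > allowed_icmp_size:     # assumption: payload after the 8-byte ICMP header
            hits.append("Filter by packet size")
        if p["dst"] in (local_net.broadcast_address, IPv4Address("255.255.255.255")):
            hits.append("Drop broadcast ping")          # assumption: directed or limited broadcast
    return hits


# --- constructed packets for the demo (checksums left zero; the filters never look at them) ---
def ipv4(proto: int, src: str, dst: str, l4: bytes, frag_offset: int = 0, more_frags: bool = False) -> bytes:
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, flags_frag, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + l4


def tcp(sport: int, dport: int, flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def icmp_echo(data: bytes) -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data


def run_samples() -> Dict[str, List[str]]:
    a, b, bc = "192.0.2.10", "192.0.2.1", "192.0.2.255"
    samples = {
        "null_scan": ipv4(PROTO_TCP, a, b, tcp(40000, 80, 0)),
        "xmas": ipv4(PROTO_TCP, a, b, tcp(40000, 80, XMAS)),
        "syn_fin": ipv4(PROTO_TCP, a, b, tcp(40000, 80, TCP_SYN | TCP_FIN)),
        "syn_from_low_port": ipv4(PROTO_TCP, a, b, tcp(80, 80, TCP_SYN)),
        "land": ipv4(PROTO_TCP, b, b, tcp(40000, 22, TCP_SYN)),
        "tcp_offset_1": ipv4(PROTO_TCP, a, b, bytes(8), frag_offset=1),
        "short_tcp": ipv4(PROTO_TCP, a, b, tcp(40000, 80, TCP_SYN)[:12]),
        "big_broadcast_ping": ipv4(PROTO_ICMP, a, bc, icmp_echo(b"x" * 600)),
        "fragmented_ping": ipv4(PROTO_ICMP, a, b, icmp_echo(b"y" * 64), more_frags=True),
        "dns_query": ipv4(PROTO_UDP, a, b, udp(50000, 53, bytes(12))),
    }
    return {name: dos_filters(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:20} -> {hits or ['pass']}")
```

Note that a SYN from source port 80 to destination port 80 trips two filters at once (TCP SYN protection and L4 Port protection), and that the TCP Offset protection works on the IP header alone, because a fragment with offset 1 carries no TCP header to inspect.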
DHCP Snooping is a function that supports network security. DHCP Snooping monitors DHCP
packets between the DHCP client and the DHCP server and acts like a firewall between the untrusted
hosts and the trusted DHCP servers.
In this dialog, you configure and monitor the following device properties:
Validate DHCP packets from untrusted sources and filter out invalid packets.
Limit DHCP data traffic from trusted and untrusted sources.
Set up and update the DHCP Snooping binding database. This database contains the MAC address,
IP address, VLAN and port of DHCP clients at untrusted ports.
Validate follow-up requests from untrusted hosts on the basis of the DHCP Snooping binding
database.
You can activate DHCP Snooping globally and for a specific VLAN. You specify the security status
(trusted or untrusted) on individual ports. Verify that the DHCP service can be reached via trusted ports.
For DHCP Snooping you typically configure the user/client ports as untrusted and the uplink ports as
trusted.
The menu contains the following dialogs:
DHCP Snooping Global
DHCP Snooping Configuration
DHCP Snooping Statistics
DHCP Snooping Bindings
This dialog allows you to configure the global DHCP Snooping parameters for your device:
Activate/deactivate DHCP Snooping globally.
Activate/deactivate Auto-Disable globally.
Enable/disable the checking of the source MAC address.
Configure the name, storage location and storing interval for the binding database.
Operation
Parameters Meaning
Operation Enables/disables the DHCP Snooping function globally.
Possible values:
On
Off (default setting)
Configuration
Parameters Meaning
Verify MAC Activates/deactivates the source MAC address verification in the Ethernet packet.
Possible values:
marked
The source MAC address verification is active.
The device compares the source MAC address with the MAC address of the client in the
received DHCP packet.
unmarked (default setting)
The source MAC address verification is inactive.
Auto-disable Activates/deactivates the Auto-Disable function for DHCP Snooping.
Possible values:
marked
The Auto-Disable function for DHCP Snooping is active.
Also mark the checkbox in the Auto-disable column on the Port tab in the Network
Security > DHCP Snooping > Configuration dialog for the relevant ports.
unmarked (default setting)
The Auto-Disable function for DHCP Snooping is inactive.
Binding database
Parameters Meaning
Remote file name Specifies the name of the file in which the device saves the DHCP Snooping binding database.
Note:
The device saves solely dynamic bindings in the persistent binding database. The device saves
static bindings in the configuration profile.
Parameters Meaning
Remote IP address Specifies the remote IP address under which the device saves the persistent DHCP Snooping
binding database. With the value 0.0.0.0 the device saves the binding database locally.
Possible values:
Valid IPv4 address
0.0.0.0 (default setting)
The device saves the DHCP Snooping binding database locally.
Store interval [s] Specifies the time delay in seconds after which the device saves the DHCP Snooping binding
database when it determines a change in the database.
Possible values:
15..86400 (default setting: 300)
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
This dialog allows you to configure DHCP Snooping for individual ports and for individual VLANs.
[Port ]
In this tab, you configure the DHCP Snooping function for individual ports.
Configure a port as trusted/untrusted.
Activate/deactivate the logging of invalid packets for individual ports.
Limit the number of DHCP packets.
Deactivate a port automatically if the DHCP data traffic exceeds the specified limit.
Table
Parameters Meaning
Port Displays the port number.
Trust Activates/deactivates the security status (trusted, untrusted) of the port.
When this function is active, the port is configured as trusted. Typically, you have connected the
trusted port to a DHCP server.
When this function is inactive, the port is configured as untrusted.
Possible values:
marked
The port is specified as trusted. DHCP Snooping forwards permissible client packets through
trusted ports.
unmarked (default setting)
The port is configured as untrusted. On untrusted ports, the device compares the receiving port
with the client port in the binding database.
Log Activates/deactivates the logging of invalid packets that the device determines on this port.
Possible values:
marked
The logging of invalid packets is active.
unmarked (default setting)
The logging of invalid packets is inactive.
Rate limit Specifies the maximum number of DHCP packets per burst interval for this port. If the number of
incoming DHCP packets in a burst interval exceeds the specified limit, the device discards the
additional incoming DHCP packets.
The value -1 deactivates the limitation.
Possible values:
-1 (default setting)
Deactivates the limitation of the number of DHCP packets per burst interval on this port.
0..150 packets per interval
Limits the maximum number of DHCP packets per burst interval on this port.
You specify the burst interval in the Burst interval column.
When you activate the auto-disable function, the device also disables the port. You find the auto-
disable function in the Auto-disable column.
Burst interval Specifies the length of the burst interval in seconds on this port. The burst interval is relevant for
the rate limiting function.
You specify the maximum number of DHCP packets per burst interval in the Rate limit column.
Possible values:
1..15 (default setting: 1)
Parameters Meaning
Auto-disable Activates/deactivates the Auto-Disable function for the parameters that the DHCP Snooping
function is monitoring on the port.
Possible values:
marked (default setting)
The Auto-Disable function is active on the port.
The prerequisite is that in the Network Security > DHCP Snooping > Global dialog the
Auto-disable checkbox in the Configuration frame is marked.
– The device disables the port if the port receives in the time specified in the Burst
interval column more DHCP packets than is specified in the Rate limit field. The “Link
status” LED for the port flashes 3× per period.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently
disabled due to the parameters being exceeded.
– The Auto-Disable function reactivates the port automatically. For this you go to the
Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the
relevant port in the Reset timer [s] column.
unmarked
The Auto-Disable function on the port is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[VLAN ID ]
In this tab, you configure the DHCP Snooping function for individual VLANs.
Table
Parameters Meaning
VLAN ID Displays the VLAN ID to which the table entry relates.
Active Activates/deactivates the DHCP Snooping function in this VLAN.
The DHCP Snooping function forwards valid DHCP client messages to the trusted ports in VLANs
without the Routing function.
Possible values:
marked
The DHCP Snooping function is active in this VLAN.
unmarked (default setting)
The DHCP Snooping function is inactive in this VLAN.
The device forwards DHCP packets according to the switching settings without monitoring the
packets. The binding database remains unchanged.
Note: To enable DHCP Snooping for a port, enable the DHCP Snooping function globally in the
Network Security > DHCP Snooping > Global dialog. Verify that you assigned the port to a
VLAN in which DHCP Snooping is enabled.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
With DHCP Snooping, the device logs detected errors and generates statistics. In this dialog, you
monitor the DHCP Snooping statistics for each port.
The device logs the following:
Errors detected when validating the MAC address of the DHCP client
DHCP client messages with a detected incorrect port
DHCP server messages to untrusted ports
Table
Parameters Meaning
Port Displays the port number.
MAC verify failures Displays the number of discrepancies between the MAC address of the DHCP client in the
‘chaddr’ field of the DHCP data packet and the source address in the Ethernet packet.
Invalid client Displays the number of incoming DHCP client messages received on the port for which the device
messages expects the client on another port according to the DHCP Snooping binding database.
Invalid server Displays the number of DHCP server messages the device received on the untrusted port.
messages
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
DHCP Snooping uses DHCP messages to set up and update the binding database.
Static bindings
The device allows you to enter up to 1,024 static DHCP Snooping bindings in the database.
Dynamic bindings
The dynamic binding database contains data for clients on untrusted ports exclusively.
This menu allows you to specify the settings for static and dynamic bindings.
Set up new static bindings and set them to active/inactive.
Display, activate/deactivate or delete static bindings that have been set up.
Table
Parameters Meaning
MAC address Specifies the MAC address in the table entry that you bind to an IP address and a VLAN ID.
Possible values:
Valid Unicast MAC address
Specify the value in one of the following formats:
– without a separator, for example 001122334455
– separated by spaces, for example 00 11 22 33 44 55
– separated by colons, for example 00:11:22:33:44:55
– separated by hyphens, for example 00-11-22-33-44-55
– separated by points, for example 00.11.22.33.44.55
– separated by points after every 4th character, for example 0011.2233.4455
IP address Specifies the IP address for the static DHCP Snooping binding.
Possible values:
Valid Unicast IPv4 address smaller than 224.x.x.x and outside the range 127.0.0.0/8
(default setting: 0.0.0.0)
VLAN ID Specifies the ID of the VLAN to which the table entry applies.
Possible values:
<ID of the VLANs that are set up>
Port Specifies the port for the static DHCP Snooping binding.
Possible values:
Available ports
Remaining binding time Displays the remaining time for the dynamic DHCP Snooping binding.
Active Activates/deactivates the specified static DHCP Snooping binding.
Possible values:
marked
The static DHCP Snooping binding is active.
unmarked (default setting)
The static DHCP Snooping binding is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the MAC address field, you specify the MAC address which you bind to an IP address and a
VLAN ID.
Removes the highlighted table entry.
The prerequisite is that the checkbox in the Active column is unmarked.
Also, the device removes the dynamic bindings of this port created with the IP Source Guard
function.
IP Source Guard (IPSG) is a function that supports the network security. The function filters IP data
packets based on the source ID (source IP address or source MAC address) of the subscriber. IPSG
supports you in protecting the network against attacks through IP/MAC address spoofing.
Note: In order for the device to check the IP address and the MAC address of the data packets received
on the port, enable the Verify MAC function.
In order for the device to check the VLAN ID and the MAC address of the source before forwarding the
data packet, additionally enable the Port Security function. See the Network Security > Port
Security dialog.
The menu contains the following dialogs:
IP Source Guard Port
IP Source Guard Bindings
This dialog allows you to display and configure the following device properties for each port:
Include/exclude source MAC addresses for the filtering
Activate/deactivate the IPSG function
Table
Parameters Meaning
Port Displays the port number.
Verify MAC Activates/deactivates the filtering based on the source MAC address if the IPSG function is active.
The device executes this filtering in addition to the filtering based on the source IP address.
Possible values:
marked
Filtering based on the source MAC address is active.
To activate the function, mark the Active checkbox.
unmarked (default setting)
Filtering based on the source MAC address is inactive.
To deactivate the function, also unmark the Active checkbox.
Active Activates/deactivates the IPSG function on the port.
Possible values:
marked
The IPSG function is active.
You also enable the DHCP Snooping function in the Network Security > DHCP Snooping >
Global dialog.
unmarked (default setting)
The IPSG function is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Table
Parameters Meaning
MAC address Displays the MAC address of the binding.
IP address Displays the IP address of the binding.
VLAN ID Displays the VLAN ID of the binding.
Port Displays the number of the port of the binding.
Hardware status Displays the hardware status of the binding.
The device applies the binding to the hardware solely if the settings are correct. Before the device
applies the static IPSG binding to the hardware, it checks the following prerequisites:
– The Active checkbox is marked.
– The IPSG function on the port is active, in the Network Security > IP Source Guard >
Port dialog the Active checkbox is marked.
Possible values:
marked
The binding is active, the device applies the binding to the hardware.
unmarked
The binding is inactive.
Active Activates/deactivates the specified static IPSG binding between the specified MAC address and
the specified IP address, for the specified VLAN on the specified port.
Possible values:
marked
The static IPSG binding is active.
unmarked (default setting)
The static IPSG binding is inactive.
Note: To make the static binding effective, activate the IPSG function on the corresponding port.
In the Network Security > IP Source Guard > Port dialog, mark the Active checkbox.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the MAC address field, you specify the MAC address for the static binding.
In the IP address field, you specify the IP address for the static binding.
In the VLAN ID field, you specify the VLAN ID.
In the Port field, you specify the port for the static binding.
Removes the highlighted table entry.
The prerequisite is that the checkbox in the Active column is unmarked.
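The binding database and the IP Source Guard check described above, as an added example that is not part of the manual: it normalizes the six MAC address input formats, applies the IP address restrictions for a binding, evaluates the Hardware status prerequisites, and filters a packet by source IP address (and, with Verify MAC, by source MAC address). Class and function names are assumptions for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Added example: a model of the DHCP Snooping binding database and the IPSG
# check. Class and function names are assumptions, not the device's own API.

MAX_STATIC_BINDINGS = 1024  # limit for static bindings stated in the manual

# The six input formats the MAC address field accepts.
_MAC_FORMATS = [
    r"[0-9a-f]{12}",                     # 001122334455
    r"(?:[0-9a-f]{2} ){5}[0-9a-f]{2}",   # 00 11 22 33 44 55
    r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}",   # 00:11:22:33:44:55
    r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}",   # 00-11-22-33-44-55
    r"(?:[0-9a-f]{2}\.){5}[0-9a-f]{2}",  # 00.11.22.33.44.55
    r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}",  # 0011.2233.4455
]


def normalize_mac(text: str) -> str:
    """Accept any of the six formats and return the colon-separated form.
    Rejects non-unicast addresses (I/G bit of the first octet set)."""
    value = text.strip().lower()
    if not any(re.fullmatch(p, value) for p in _MAC_FORMATS):
        raise ValueError(f"unsupported MAC address format: {text!r}")
    digits = re.sub(r"[ :.\-]", "", value)
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"not a unicast MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_binding_ip(text: str) -> ipaddress.IPv4Address:
    """Unicast IPv4 address below 224.0.0.0 and outside 127.0.0.0/8.
    0.0.0.0 is only the field's default value and forms no binding."""
    ip = ipaddress.IPv4Address(text)
    if ip == ipaddress.IPv4Address("0.0.0.0"):
        raise ValueError("IP address not set")
    if ip >= ipaddress.IPv4Address("224.0.0.0"):
        raise ValueError(f"not a unicast address: {text}")
    if ip in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError(f"loopback address not allowed: {text}")
    return ip


@dataclass
class Binding:
    mac: str
    ip: ipaddress.IPv4Address
    vlan: int
    port: int
    active: bool = True   # the Active checkbox of a static binding
    static: bool = True   # False for entries learned from DHCP messages


@dataclass
class PortIpsg:
    """The two checkboxes of the IP Source Guard > Port dialog."""
    active: bool = False
    verify_mac: bool = False


class BindingDatabase:
    def __init__(self) -> None:
        self.entries: List[Binding] = []

    def add_static(self, mac: str, ip: str, vlan: int, port: int,
                   active: bool = True) -> Binding:
        if sum(1 for b in self.entries if b.static) >= MAX_STATIC_BINDINGS:
            raise RuntimeError("static binding table is full (1,024 entries)")
        entry = Binding(normalize_mac(mac), validate_binding_ip(ip),
                        vlan, port, active, static=True)
        self.entries.append(entry)
        return entry


def hardware_status(binding: Binding, ports: Dict[int, PortIpsg]) -> bool:
    """Hardware status column: the binding is applied to the hardware only
    if it is marked Active and IPSG is active on its port."""
    return binding.active and ports.get(binding.port, PortIpsg()).active


def ipsg_permit(db: BindingDatabase, ports: Dict[int, PortIpsg], port: int,
                src_ip: str, src_mac: str) -> bool:
    """True if IPSG lets an IP packet with this source pass the port.
    Without Verify MAC only the source IP address is checked; with it the
    source MAC address must belong to the same binding. The VLAN ID is not
    checked here: the manual requires Port Security for that."""
    cfg = ports.get(port, PortIpsg())
    if not cfg.active:
        return True  # IPSG inactive on this port: nothing is filtered
    ip = ipaddress.IPv4Address(src_ip)
    for b in db.entries:
        if b.port != port or b.ip != ip or not hardware_status(b, ports):
            continue
        if cfg.verify_mac and b.mac != normalize_mac(src_mac):
            continue
        return True
    return False
```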
Dynamic ARP Inspection is a function that supports the network security. This function analyzes ARP
packets, logs them, and discards invalid and hostile ARP packets.
The Dynamic ARP Inspection function helps prevent a range of man-in-the-middle attacks. With this
kind of attack, a hostile station listens in on the data traffic from other subscribers by encroaching on the
ARP cache of its unsuspecting neighbors. The hostile station sends ARP requests and ARP responses
and enters the IP address of another subscriber for its own MAC address in the IP-to-MAC address
relationship (binding).
Using the following measures, the Dynamic ARP Inspection function helps ensure that the device
forwards valid ARP requests and ARP responses exclusively.
Listening in on ARP requests and ARP responses on untrusted ports.
Verifying that the determined packets have a valid IP to MAC address relationship (binding) before
the device updates the local ARP cache and before the device forwards the packets to the related
destination address.
Discarding invalid ARP packets.
The device allows you to specify up to 100 active ARP ACLs (access lists). You can activate up to 20
rules for each ARP ACL.
The menu contains the following dialogs:
Dynamic ARP Inspection Global
Dynamic ARP Inspection Configuration
Dynamic ARP Inspection ARP Rules
Dynamic ARP Inspection Statistics
Configuration
Parameters Meaning
Verify source MAC Activates/deactivates the source MAC address verification. The device executes the check in both
ARP requests and ARP responses.
Possible values:
marked
The source MAC address verification is active.
The device checks the source MAC address of the received ARP packets.
– The device transmits ARP packets with a valid source MAC address to the related
destination address and updates the local ARP cache.
– The device discards ARP packets with an invalid source MAC address.
unmarked (default setting)
The source MAC address verification is inactive.
Verify destination MAC Activates/deactivates the destination MAC address verification. The device executes the check in
ARP responses.
Possible values:
marked
The destination MAC address verification is active.
The device checks the destination MAC address of the incoming ARP packets.
– The device transmits ARP packets with a valid destination MAC address to the related
destination address and updates the local ARP cache.
– The device discards ARP packets with an invalid destination MAC address.
unmarked (default setting)
The checking of the destination MAC address of the incoming ARP packets is inactive.
Verify IP address Activates/deactivates the IP address verification.
In ARP requests, the device checks the source IP address. In ARP responses, the device checks
the destination and source IP address.
The device designates the following IP addresses as invalid:
– 0.0.0.0
– Broadcast addresses 255.255.255.255
– Multicast addresses 224.0.0.0/4 (Class D)
– Class E addresses 240.0.0.0/4 (reserved for subsequent purposes)
– Loopback addresses in the range 127.0.0.0/8.
Possible values:
marked
The IP address verification is active.
The device checks the IP address of the incoming ARP packets. The device transmits ARP
packets with a valid IP address to the related destination address and updates the local ARP
cache. The device discards ARP packets with an invalid IP address.
unmarked (default setting)
The IP address verification is inactive.
Auto-disable Activates/deactivates the Auto-Disable function for Dynamic ARP Inspection.
Possible values:
marked
The Auto-Disable function for Dynamic ARP Inspection is active.
Also mark the checkbox in the Port column on the Auto-disable tab in the Network
Security > Dynamic ARP Inspection > Configuration dialog for the relevant ports.
unmarked (default setting)
The Auto-Disable function for Dynamic ARP Inspection is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Port]
Table
Parameters Meaning
Port Displays the port number.
Trust Activates/deactivates the monitoring of ARP packets on untrusted ports.
Possible values:
marked
Monitoring is active.
The device monitors ARP packets on untrusted ports.
The device immediately forwards ARP packets on trusted ports.
unmarked (default setting)
Monitoring is inactive.
Rate limit Specifies the maximum number of ARP packets per interval on this port. If the rate of incoming
ARP packets is currently exceeding the specified limit in a burst interval, the device discards the
additional incoming ARP packets. You specify the burst interval in the Burst interval column.
Optionally, the device also deactivates the port if you activate the auto-disable function. You
enable/disable the Auto-Disable function in the Auto-disable column.
Possible values:
-1 (default setting)
Deactivates the limitation of the number of ARP packets per burst interval on this port.
0..300 packets per interval
Limits the maximum number of ARP packets per burst interval on this port.
Burst interval Specifies the length of the burst interval in seconds on this port. The burst interval is relevant for
the rate limiting function.
You specify the maximum number of ARP packets per burst interval in the Rate limit column.
Possible values:
1..15 (default setting: 1)
Auto-disable Activates/deactivates the Auto-Disable function for the parameters that the Dynamic ARP
Inspection function is monitoring on the port.
Possible values:
marked (default setting)
The Auto-Disable function is active on the port.
The prerequisite is that in the Network Security > Dynamic ARP Inspection > Global
dialog the Auto-disable checkbox in the Configuration frame is marked.
– The device disables the port if the port receives in the time specified in the Burst
interval column more ARP packets than is specified in the Rate limit field. The “Link
status” LED for the port flashes 3× per period.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently
disabled due to the parameters being exceeded.
– The Auto-Disable function reactivates the port automatically. For this you go to the
Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the
relevant port in the Reset timer [s] column.
unmarked
The Auto-Disable function on the port is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[VLAN ID]
Table
Parameters Meaning
VLAN ID Displays the VLAN ID to which the table entry relates.
Log Activates/deactivates the logging of invalid ARP packets that the device determines in this VLAN.
The device treats an ARP packet as invalid if it detects an error when checking the IP, source MAC
or destination MAC address, or when checking the IP-to-MAC address relationship (binding).
Possible values:
marked
The logging of invalid packets is active.
The device registers invalid ARP packets.
unmarked (default setting)
The logging of invalid packets is inactive.
Binding check Activates/deactivates the checking of incoming ARP packets that the device receives on untrusted
ports and on VLANs for which the Dynamic ARP Inspection function is active. For these ARP
packets the device checks the ARP ACL and the DHCP Snooping relationship (bindings).
Possible values:
marked (default setting)
The binding check of ARP packets is active.
unmarked
The binding check of ARP packets is inactive.
ACL strict Activates/deactivates the strict checking of incoming ARP packets based on the ARP ACL rules
specified.
Possible values:
marked
The strict checking is active.
The device checks the incoming ARP packets based on the ARP ACL rule specified in the ARP
ACL column.
unmarked (default setting)
The strict checking is inactive.
The device checks the incoming ARP packets based on the ARP ACL rule specified in the ARP
ACL column and subsequently on the entries in the DHCP Snooping database.
ARP ACL Specifies the ARP ACL that the device uses.
Possible values:
<rule name>
You specify the rules in the Network Security > Dynamic ARP Inspection > ARP Rules
dialog.
Active Activates/deactivates the Dynamic ARP Inspection function in this VLAN.
Possible values:
marked
The Dynamic ARP Inspection function is active in this VLAN.
unmarked (default setting)
The Dynamic ARP Inspection function is inactive in this VLAN.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
This dialog allows you to specify rules for checking and filtering ARP packets.
Table
Parameters Meaning
Name Displays the name of the ARP rule.
Source IP address Specifies the source address of the IP data packets to which the device applies the rule.
Possible values:
Valid IPv4 address
The device applies the rule to IP data packets with the specified source address.
Source MAC address Specifies the source address of the MAC data packets to which the device applies the rule.
Possible values:
Valid MAC address
The device applies the rule to MAC data packets with the specified source address.
Active Activates/deactivates the rule.
Possible values:
marked (default setting)
The rule is active.
unmarked
The rule is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the Name field, you specify the name of the ARP rule.
In the Source IP address field, you specify the source IP address of the ARP rule.
In the Source MAC address field, you specify the source MAC address of the ARP rule.
This window displays the number of discarded and forwarded ARP packets in an overview.
Table
Parameters Meaning
VLAN ID Displays the VLAN ID to which the table entry relates.
Packets forwarded Displays the number of ARP packets that the device forwards after checking them using the
Dynamic ARP Inspection function.
Packets dropped Displays the number of ARP packets that the device discards after checking them using the
Dynamic ARP Inspection function.
DHCP drops Displays the number of ARP packets that the device discards after checking the DHCP Snooping
relationship (binding).
DHCP permits Displays the number of ARP packets that the device forwards after checking the DHCP Snooping
relationship (binding).
ACL drops Displays the number of ARP packets that the device discards after checking them using the ARP
ACL rules.
ACL permits Displays the number of ARP packets that the device forwards after checking them using the ARP
ACL rules.
Bad source MAC Displays the number of ARP packets that the device discards after the Dynamic ARP Inspection
function detected an error in the source MAC address.
Bad destination MAC Displays the number of ARP packets that the device discards after the Dynamic ARP Inspection
function detected an error in the destination MAC address.
Invalid IP address Displays the number of ARP packets that the device discards after the Dynamic ARP Inspection
function detected an error in the IP address.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
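As an added example (not from the manual), the Dynamic ARP Inspection checks of the Global, Configuration, ARP Rules and Statistics dialogs modelled in Python: trusted ports bypass inspection, the rate limit per burst interval can auto-disable a port, the source/destination MAC and IP address verifications run before the binding check, and the binding check consults the ARP ACL first and the DHCP Snooping bindings second unless ACL strict is marked. Names, the representation of an ARP ACL as a set of (source IP, source MAC) pairs, and the reading of the MAC checks as Ethernet-header versus ARP-field comparisons are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Added example modelling the Dynamic ARP Inspection checks; names are assumptions.

# Addresses the manual designates as invalid when Verify IP address is active.
INVALID_IP_RANGES = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/32", "255.255.255.255/32", "224.0.0.0/4", "240.0.0.0/4", "127.0.0.0/8")]

def ip_is_invalid(ip: str) -> bool:
    return any(ipaddress.IPv4Address(ip) in net for net in INVALID_IP_RANGES)

@dataclass
class ArpPacket:
    is_reply: bool
    eth_src: str          # Ethernet header source / destination
    eth_dst: str
    sender_mac: str       # ARP sender / target hardware and protocol addresses
    sender_ip: str
    target_mac: str
    target_ip: str
    vlan: int
    port: int

@dataclass
class GlobalConfig:            # Global dialog, Configuration frame
    verify_source_mac: bool = False
    verify_destination_mac: bool = False
    verify_ip: bool = False
    auto_disable: bool = False

@dataclass
class PortConfig:              # Configuration dialog, Port tab
    trust: bool = False
    rate_limit: int = -1       # -1: no limit; 0..300 packets per burst interval
    burst_interval: int = 1    # 1..15 seconds
    auto_disable: bool = True

@dataclass
class VlanConfig:              # Configuration dialog, VLAN ID tab
    active: bool = False
    binding_check: bool = True
    acl_strict: bool = False
    arp_acl: Optional[str] = None   # name of the ARP ACL assigned to the VLAN

class DynamicArpInspection:
    def __init__(self, glob, ports, vlans, acls, dhcp_bindings):
        self.glob, self.ports, self.vlans = glob, ports, vlans
        self.acls = acls                     # ACL name -> {(source IP, source MAC)}
        self.bindings = dhcp_bindings        # (MAC, IP) pairs from DHCP Snooping
        self.stats = defaultdict(Counter)    # Statistics dialog columns, per VLAN
        self.disabled_ports = set()          # Diagnostics > Ports > Auto-Disable
        self._seen = {}                      # (port, burst interval no.) -> count

    def _rate_exceeded(self, pkt, now):
        cfg = self.ports[pkt.port]
        if cfg.rate_limit < 0:
            return False
        key = (pkt.port, int(now // cfg.burst_interval))
        self._seen[key] = self._seen.get(key, 0) + 1
        if self._seen[key] <= cfg.rate_limit:
            return False
        if self.glob.auto_disable and cfg.auto_disable:
            self.disabled_ports.add(pkt.port)
        return True

    def _count(self, pkt, forwarded, column=None):
        st = self.stats[pkt.vlan]
        st["Packets forwarded" if forwarded else "Packets dropped"] += 1
        if column:
            st[column] += 1
        return "Packets forwarded" if forwarded else (column or "Packets dropped")

    def process(self, pkt, now=0.0):
        """Inspect one ARP packet received at time `now` (seconds) and return
        the Statistics column it counts in."""
        if pkt.port in self.disabled_ports:
            return "port disabled"
        port, vlan = self.ports[pkt.port], self.vlans.get(pkt.vlan, VlanConfig())
        if port.trust or not vlan.active:
            return "not inspected"       # forwarded without any check
        if self._rate_exceeded(pkt, now):
            return self._count(pkt, False)
        if self.glob.verify_source_mac and pkt.sender_mac != pkt.eth_src:
            return self._count(pkt, False, "Bad source MAC")
        if self.glob.verify_destination_mac and pkt.is_reply and pkt.target_mac != pkt.eth_dst:
            return self._count(pkt, False, "Bad destination MAC")
        if self.glob.verify_ip:   # requests: sender IP; replies: sender and target IP
            checked = [pkt.sender_ip] + ([pkt.target_ip] if pkt.is_reply else [])
            if any(ip_is_invalid(ip) for ip in checked):
                return self._count(pkt, False, "Invalid IP address")
        if vlan.binding_check:
            pairs = self.acls.get(vlan.arp_acl or "", set())   # ARP ACL rules
            if (pkt.sender_ip, pkt.sender_mac) in pairs:
                return self._count(pkt, True, "ACL permits")
            if pairs and vlan.acl_strict:     # strict: the ACL alone decides
                return self._count(pkt, False, "ACL drops")
            ok = (pkt.sender_mac, pkt.sender_ip) in self.bindings
            return self._count(pkt, ok, "DHCP permits" if ok else "DHCP drops")
        return self._count(pkt, True)
```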
4.9 ACL
In this menu, you specify the settings for the Access Control Lists (ACL). Access Control Lists contain
rules which the device applies successively to the data stream on its ports or VLANs.
If a data packet complies with the criteria of one or more rules, the device applies the action specified
in the first rule applying to the data stream. The device ignores the rules following. Possible actions
include:
permit: The device transmits the data packet to a port or to a VLAN.
If desired, the device transmits a copy of the data packets to a further port.
deny: The device drops the data packet.
In the default setting, the device forwards every data packet. Once you assign an Access Control List
to an interface or VLAN, this behavior changes: the device appends an implicit Deny-All rule at the end
of the Access Control List. Consequently, the device discards data packets that do not meet any of the
rules. If you want a different behavior, add a "permit" rule at the end of your Access Control Lists.
Proceed as follows to set up Access Control Lists and rules:
If desired, create a time profile. See the Network Security > ACL > Time Profile dialog. The
device applies Access Control Lists with a time profile at the specified times instead of permanently.
Create a rule and specify the rule settings. See the Network Security > ACL > IPv4 Rule dialog,
or the Network Security > ACL > MAC Rule dialog.
Assign the Access Control List to the Ports and VLANs of the device. See the Network Security >
ACL > Assignment dialog.
The menu contains the following dialogs:
ACL IPv4 Rule
ACL MAC Rule
ACL Assignment
ACL Time Profile
In this dialog, you specify the rules that the device applies to the IP data packets.
An Access Control List (group) contains one or more rules. The device applies the rules of an Access
Control List successively, beginning with the rule with the lowest value in the Index column.
The device allows you to filter according to the following criteria:
Source or destination IP address of a data packet
Type of the transmitting protocol
Source or destination port of a data packet
Classification according to DSCP
Classification according to ToS
Table
Parameters Meaning
Group name Displays the name of the Access Control List. The Access Control List contains the rules.
Index Displays the number of the rule within the Access Control List.
If the Access Control List contains multiple rules, the device processes the rule with the lowest
value first.
Active Activates/deactivates the Access Control List or the rule within an Access Control List.
Possible values (for an Access Control List):
marked (default setting)
The Access Control List is active. The device applies the associated active rules to the data
stream.
unmarked
The Access Control List is inactive.
Possible values (for rules within an Access Control List):
marked (default setting)
The rule is active. The device applies the rule to the data stream if the associated Access
Control List is also active.
unmarked
The rule is inactive.
Match every packet Specifies to which IP data packets the device applies the rule.
Possible values:
marked (default setting)
The device applies the rule to every IP data packet.
unmarked
The device applies the rule to IP data packets depending on the value in the following fields:
– Source IP address, Destination IP address, Protocol
– DSCP, TOS priority, TOS mask
– ICMP type , ICMP code
– IGMP type
– Established
– Packet fragmented
– TCP flag
Source IP address Specifies the source address of the IP data packets to which the device applies the rule.
Possible values:
?.?.?.? (default setting)
The device applies the rule to IP data packets with any source address.
Valid IPv4 address
The device applies the rule to IP data packets with the specified source address.
You use the ? character as a wild card.
Example 192.?.?.32: The device applies the rule to IP data packets whose source address
begins with 192. and ends with .32.
Valid IPv4 address/bit mask
The device applies the rule to IP data packets with the specified source address. The inverse
bit mask allows you to specify the address range with bit-level accuracy.
Example 192.168.1.1/0.0.0.127: The device applies the rule to IP data packets with a
source address in the range from 192.168.1.0 to ….127.
Destination IP address Specifies the destination address of the IP data packets to which the device applies the rule.
Possible values:
?.?.?.? (default setting)
The device applies the rule to IP data packets with any destination address.
Valid IPv4 address
The device applies the rule to IP data packets with the specified destination address.
You use the ? character as a wild card.
Example 192.?.?.32: The device applies the rule to IP data packets whose destination address
begins with 192. and ends with .32.
Valid IPv4 address/bit mask
The device applies the rule to IP data packets with the specified destination address. The
inverse bit mask allows you to specify the address range with bit-level accuracy.
Example 192.168.1.1/0.0.0.127: The device applies the rule to IP data packets with a
destination address in the range from 192.168.1.0 to ….127.
Protocol Specifies the protocol type of the IP data packets to which the device applies the rule.
Possible values:
any (default setting)
The device applies the rule to every IP data packet without considering the protocol type.
icmp
igmp
ip-in-ip
tcp
udp
ip
Source TCP/UDP port Specifies the source port of the IP data packets to which the device applies the rule. The
prerequisite is that you specify in the Protocol column the value TCP or UDP.
Possible values:
any (default setting)
The device applies the rule to every IP data packet without considering the source port.
1..65535
The device applies the rule solely to IP data packets containing the specified source port.
To specify a port range, you can use one of the following operators:
– <
Range below the specified port number
– >
Range above the specified port number
– !=
Entire port range except the specified port
These operators are allowed only in rules which the device applies to the received data
packets. See the Network Security > ACL > Assignment dialog: Direction column =
inbound.
Destination TCP/UDP port Specifies the destination port of the IP data packets to which the device applies the rule. The
prerequisite is that you specify in the Protocol column the value TCP or UDP.
Possible values:
any (default setting)
The device applies the rule to every IP data packet without considering the destination port.
1..65535
The device applies the rule exclusively to IP data packets containing the specified destination
port.
To specify a port range, you can use one of the following operators:
– <
Range below the specified port number
– >
Range above the specified port number
– !=
Entire port range except the specified port
These operators are allowed only in rules which the device applies to the received data
packets. See the Network Security > ACL > Assignment dialog: Direction column =
inbound.
DSCP Specifies the Differentiated Service Code Point (DSCP value) in the header of the IP data packets
to which the device applies the rule.
Possible values:
– (default setting)
The device applies the rule to every IP data packet without considering the DSCP value.
0..63
The device applies the rule solely to IP data packets containing the specified DSCP value.
TOS priority Specifies the IP precedence (ToS value) in the header of the IP data packets to which the device
applies the rule.
Possible values:
any (default setting)
The device applies the rule to every IP data packet without considering the ToS value.
0..7
The device applies the rule solely to IP data packets containing the specified ToS value.
TOS mask Specifies the bit mask for the ToS value in the header of the IP data packets to which the device
applies the rule. The prerequisite is that you specify in the TOS priority column a ToS value.
Possible values:
any (default setting)
The device applies the rule to IP data packets and considers the ToS value completely.
1..1f
The device applies the rule to IP data packets and considers the bits of the ToS value specified
in the bit mask.
ICMP type Specifies the ICMP type in the TCP header of the IP data packets to which the device applies the
rule.
Possible values:
-1 (default setting)
ICMP type matching is inactive.
0..255
The device applies the rule to every IP data packet and considers the specified ICMP type.
ICMP code Specifies the ICMP code in the TCP header of the IP data packets to which the device applies the
rule. The prerequisite is that, in the ICMP type field, you specify an ICMP value.
Possible values:
-1 (default setting)
ICMP code matching is inactive.
0..255
The device applies the rule to every IP data packet and considers the specified ICMP code.
IGMP type Specifies the IGMP type in the TCP header of the IP data packets to which the device applies the
rule.
Possible values:
0 (default setting)
IGMP type matching is inactive.
1..255
The device applies the rule to every IP data packet and considers the specified IGMP type.
Established Activates/deactivates applying the ACL rule to TCP data packets which have either the RST bit,
or the ACK bit set in the TCP header.
Possible values:
marked
The device applies the rule to every IP data packet in which the RST bit, or the ACK bit is set
in the TCP header.
unmarked (default setting)
Matching is inactive.
Packet fragmented Activates/deactivates applying the ACL rule to fragmented packets.
Possible values:
marked
The device applies the ACL rule to fragmented packets.
unmarked (default setting)
Matching is inactive.
TCP flag Specifies the TCP flag and mask value.
The device allows you to enter multiple values, by separating the values with a comma.
Specify the flags as either + or -.
Possible values:
- (default setting)
TCP flag matching is inactive.
-
When you use this value in combination with the following flags, the device considers packets
in which the flag is not set.
+
When you use this value in combination with the following flags, the device considers packets
in which the flag is set.
fin
Indicates that the sending device has finished its transmission.
syn
Indicates that the Synchronize sequence numbers are significant. Only the first packet sent
from each end device has this flag set.
rst
Indicates a reset on the link.
psh
Indicates the push function, in which a device asks to push the buffered data to the receiving
application.
ack
Indicates that the Acknowledgment field is significant. Every packet, after the initial syn packet
sent by the client, has this flag set.
urg
Indicates that the Urgent pointer field is significant.
Action Specifies how the device handles received IP data packets when it applies the rule.
Possible values:
permit (default setting)
The device transmits the IP data packets.
deny
The device drops the IP data packets.
Redirection port Specifies the port on which the device transmits the IP data packets. The prerequisite is that you
specify in the Action column the value permit.
Possible values:
– (default setting)
The Redirection port function is disabled.
<Port number>
The device transmits the IP data packets on the specified port.
The device does not provide the option of mirroring IP data packets across VLAN boundaries.
Mirror port Specifies the port on which the device transmits a copy of the IP data packets. The prerequisite is
that you specify in the Action column the value permit.
Possible values:
– (default setting)
The Mirror port function is disabled.
<Port number>
The device transmits a copy of the IP data packets on the specified port.
The device does not provide the option of mirroring IP data packets across VLAN boundaries.
Assigned queue ID Specifies the priority queue to which the device assigns the IP data packets.
Possible values:
0..7 (default setting: 0)
Log Activates/deactivates the logging in the log file. See the Diagnostics > Report > System Log
dialog.
Possible values:
marked
Logging is activated.
The prerequisite is that you assign the Access Control List in the Network Security > ACL >
Assignment dialog to a VLAN or port.
The device registers in the log file, in an interval of 30 s, how many times it applied the deny
rule to IP data packets.
unmarked (default setting)
Logging is deactivated.
The device allows you to activate this function for up to 128 deny rules.
Time profile Specifies whether the device applies the rule permanently or time-controlled.
Possible values:
<empty> (default setting)
The device applies the rule permanently.
[Time Profile]
The device applies the rule solely at the times specified in the time profile. You edit the time
profile in the Network Security > ACL > Time Profile dialog.
Rate limit Specifies the limit for the data transfer rate for the port specified in the Redirection port column.
The limit applies to the sum of the data sent and received.
This function limits the data stream on the port or in the VLAN.
Possible values:
0 (default setting)
No limitation of the data transfer rate.
1..4294967295
When the data transfer rate on the port exceeds the value specified, the device discards
surplus IP data packets. The prerequisite is that you specify in the Burst size column a value
>0. You specify the measurement unit of the limit in the Unit column.
Unit Specifies the measurement unit for the data transfer rate specified in the Rate limit column.
Possible values:
kbps (default setting)
kByte per second
pps
Data packets per second
Burst size Specifies the limit in KByte for the data volume during temporary bursts.
Possible values:
0 (default setting)
No limitation of the data volume.
1..128
If during temporary bursts on the port the data volume exceeds the value specified, the device
discards surplus MAC data packets. The prerequisite is that you specify in the Rate limit
column a value >0.
Recommendation:
If the bandwidth is known:
Burst size = bandwidth x allowed duration of a burst / 8.
If the bandwidth is unknown:
Burst size = 10 x MTU (Maximum Transmission Unit) of the port.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the Group name field, you specify the name of the Access Control List to which the rule
belongs.
In the Index field, you specify the number of the rule within the Access Control List. If the
Access Control List contains multiple rules, the device processes the rule with the lowest value
first.
Displays a sub menu with the following items.
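The rule matching of the IPv4 Rule dialog, as an added example that is not the device's code: the first matching rule wins (rule 20 below denies Telnet even though rule 30 would permit the same host), an assigned list ends with the implicit Deny-All rule, addresses accept ? wildcards or an inverse bit mask as in 192.168.1.1/0.0.0.127, and the port operators are refused on outbound rules. The sample list and its addresses are constructed; class and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Added example modelling the IPv4 rule matching described in this dialog:
# first-match processing, implicit Deny-All, ? wildcards, address/inverse bit
# mask and the port operators. Names are assumptions, not the device's own API.

def ip_matches(spec: str, ip: str) -> bool:
    """spec is '?.?.?.?', a dotted address with ? as per-octet wildcard
    (192.?.?.32), or address/inverse-bit-mask (192.168.1.1/0.0.0.127)."""
    if "/" in spec:
        base, inverse = spec.split("/", 1)
        dont_care = int(ipaddress.IPv4Address(inverse))   # set bits are ignored
        return (int(ipaddress.IPv4Address(base)) | dont_care) == \
               (int(ipaddress.IPv4Address(ip)) | dont_care)
    return all(s in ("?", o) for s, o in zip(spec.split("."), ip.split(".")))

def port_matches(spec: str, port: int, inbound: bool) -> bool:
    """spec is 'any', a port number, or '<n', '>n', '!=n' (inbound rules only)."""
    if spec == "any":
        return True
    if spec[0] in "<>!":
        if not inbound:
            raise ValueError("port operators are allowed only in inbound rules")
        if spec.startswith("!="):
            return port != int(spec[2:])
        return port < int(spec[1:]) if spec[0] == "<" else port > int(spec[1:])
    return port == int(spec)

@dataclass
class Ipv4Packet:
    src_ip: str
    dst_ip: str
    protocol: str = "ip"              # icmp | igmp | ip-in-ip | tcp | udp | ip
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: FrozenSet[str] = frozenset()

@dataclass
class Ipv4Rule:
    index: int
    action: str = "permit"            # permit | deny
    active: bool = True
    match_every: bool = True
    source_ip: str = "?.?.?.?"
    destination_ip: str = "?.?.?.?"
    protocol: str = "any"
    source_port: str = "any"
    destination_port: str = "any"
    established: bool = False         # TCP packets with RST or ACK set

    def matches(self, pkt: Ipv4Packet, inbound: bool) -> bool:
        if self.match_every:
            return True
        if not (ip_matches(self.source_ip, pkt.src_ip)
                and ip_matches(self.destination_ip, pkt.dst_ip)):
            return False
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if self.protocol in ("tcp", "udp") and not (
                port_matches(self.source_port, pkt.src_port, inbound)
                and port_matches(self.destination_port, pkt.dst_port, inbound)):
            return False
        if self.established and not (pkt.protocol == "tcp"
                                     and pkt.tcp_flags & {"rst", "ack"}):
            return False
        return True

@dataclass
class AccessControlList:
    group_name: str
    rules: List[Ipv4Rule] = field(default_factory=list)
    active: bool = True

    def apply(self, pkt: Ipv4Packet, inbound: bool = True) -> Tuple[str, Optional[int]]:
        """Return (action, index of the first matching rule). Once the list is
        assigned, a packet no rule matches hits the implicit Deny-All rule,
        reported here with index None."""
        if not self.active:
            return "permit", None      # an inactive list is not applied at all
        for rule in sorted(self.rules, key=lambda r: r.index):
            if rule.active and rule.matches(pkt, inbound):
                return rule.action, rule.index
        return "deny", None

def build_example_acl() -> AccessControlList:
    """Constructed sample list: answers to TCP connections the inside opened,
    no Telnet, management hosts from 192.168.1.0-127, and UDP to well-known
    ports from any 192.x.x.32 host. Everything else hits the implicit deny."""
    return AccessControlList("plant-in", [
        Ipv4Rule(10, match_every=False, protocol="tcp", established=True),
        Ipv4Rule(20, "deny", match_every=False, protocol="tcp", destination_port="23"),
        Ipv4Rule(30, match_every=False, source_ip="192.168.1.1/0.0.0.127"),
        Ipv4Rule(40, match_every=False, source_ip="192.?.?.32", protocol="udp",
                 destination_port="<1024"),
    ])
```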
In this dialog, you specify the rules that the device applies to the MAC data packets.
An Access Control List (group) contains one or more rules. The device applies the rules of an Access
Control List successively, beginning with the rule with the lowest value in the Index column.
The device allows you to filter according to the following criteria:
Source or destination MAC address of a data packet
Type of the transmitting protocol
Membership of a specific VLAN
Service class of a data packet
Table
Parameters Meaning
Group name Displays the name of the Access Control List. The Access Control List contains the rules.
Index Displays the number of the rule within the Access Control List.
If the Access Control List contains multiple rules, the device processes the rule with the lowest
value first.
Active Activates/deactivates the Access Control List or the rule within an Access Control List.
Possible values (for an Access Control List):
marked (default setting)
The Access Control List is active. The device applies the associated active rules to the data
stream.
unmarked
The Access Control List is inactive.
Possible values (for rules within an Access Control List):
marked (default setting)
The rule is active. The device applies the rule to the data stream if the associated Access
Control List is also active.
unmarked
The rule is inactive.
Match every packet Specifies to which MAC data packets the device applies the rule.
Possible values:
marked (default setting)
The device applies the rule to every MAC data packet.
The device ignores the value in the fields Source MAC address, Destination MAC address,
Ethertype, Ethertype custom value, VLAN ID, and COS.
unmarked
The device applies the rule to MAC data packets depending on the value in the fields Source
MAC address , Destination MAC address , Ethertype , Ethertype custom value , VLAN
ID , and COS .
Source MAC address Specifies the source address of the MAC data packets to which the device applies the rule.
Possible values:
??:??:??:??:??:?? (default setting)
The device applies the rule to MAC data packets with any source address.
Valid MAC address
The device applies the rule to MAC data packets with the specified source address.
You use the ? character as a wild card.
Example 00:11:??:??:??:??: The device applies the rule to MAC data packets whose source
address begins with 00:11.
Valid MAC address/bit mask
The device applies the rule to MAC data packets with the specified source address. The bit
mask allows you to specify the address range with bit-level accuracy.
Example 00:11:22:33:44:54/FF:FF:FF:FF:FF:FC: The device applies the rule to MAC data
packets with a source address in the range from 00:11:22:33:44:54 to …:57.
Destination MAC address Specifies the destination address of the MAC data packets to which the device applies the rule.
Possible values:
??:??:??:??:??:?? (default setting)
The device applies the rule to MAC data packets with any destination address.
Valid MAC address
The device applies the rule to MAC data packets with the specified destination address.
You use the ? character as a wild card.
Example 00:11:??:??:??:??: The device applies the rule to MAC data packets whose
destination address begins with 00:11.
Valid MAC address/bit mask
The device applies the rule to MAC data packets with the specified destination address. The bit
mask allows you to specify the address range with bit-level accuracy.
Example 00:11:22:33:44:54/FF:FF:FF:FF:FF:FC: The device applies the rule to MAC data
packets with a destination address in the range from 00:11:22:33:44:54 to …:57.
Ethertype Specifies the Ethertype keyword of the MAC data packets to which the device applies the rule.
Possible values:
custom (default setting)
The device applies the value specified in the Ethertype custom value column.
appletalk
arp
ibmsna
ipv4
ipv6
ipxold
mplsmcast
mplsucast
netbios
novell
rarp
pppoe
Ethertype custom value Specifies the Ethertype value of the MAC data packets to which the device applies the rule. The
prerequisite is that in the Ethertype column the value custom is specified.
Possible values:
any (default setting)
The device applies the rule to every MAC data packet without considering the Ethertype value.
600..ffff
The device applies the rule exclusively to MAC data packets containing the Ethertype value
specified here.
VLAN ID Specifies the VLAN ID of the MAC data packets to which the device applies the rule.
Possible values:
0 (default setting)
The device applies the rule to every MAC data packet without considering the VLAN ID.
1..4042
COS Specifies the Class of Service (COS) value of the MAC data packets to which the device applies
the rule.
Possible values:
0..7
any (default setting)
The device applies the rule to every MAC data packet without considering the Class of Service
value.
Note: For data packets without a VLAN tag, the device uses the port priority instead of the COS
value.
Action Specifies how the device handles received MAC data packets when it applies the rule.
Possible values:
permit (default setting)
The device transmits the MAC data packets.
deny
The device discards the MAC data packets.
Redirection port Specifies the port on which the device transmits the MAC data packets. The prerequisite is that in
the Action column the value permit is specified.
Possible values:
– (default setting)
The Redirection port function is disabled.
<Port number>
The device transmits the MAC data packets on the specified port.
The device does not provide the option of redirecting MAC data packets across VLAN boundaries.
Mirror port Specifies the port on which the device transmits a copy of the MAC data packets. The prerequisite
is that in the Action column the value permit is specified.
Possible values:
– (default setting)
The Mirror port function is disabled.
<Port number>
The device transmits a copy of the MAC data packets on the specified port.
The device does not provide the option of mirroring MAC data packets across VLAN boundaries.
Assigned queue ID Specifies the ID of the priority queue on which the device transmits the MAC data packets.
Possible values:
0..7 (default setting: 0)
Log Activates/deactivates the logging in the log file. See the Diagnostics > Report > System Log
dialog.
Possible values:
marked
Logging is activated.
The prerequisite is that you assign the Access Control List in the Network Security > ACL >
Assignment dialog to a VLAN or port.
The device registers in the log file, in an interval of 30 s, how many times it applied the deny
rule to MAC data packets.
unmarked (default setting)
Logging is deactivated.
The device allows you to activate this function for up to 128 deny rules.
Time profile Specifies whether the device applies the rule permanently or time-controlled.
Possible values:
<empty> (default setting)
The device applies the rule permanently.
[Time Profile]
The device applies the rule solely at the times specifies in the time profile. You edit the time
profile in the Network Security > ACL > Time Profile dialog.
Rate limit Specifies the limit for the data transfer rate on the port specified in the Redirection port column.
The limit applies to the sum of the data sent and received.
This function limits the data stream on the port or in the VLAN.
Possible values:
0 (default setting)
No limitation of the data transfer rate.
1..4294967295
When the data transfer rate on the port exceeds the value specified, the device discards
surplus MAC data packets. The prerequisite is that you specify in the Burst size column a
value >0. You specify the measurement unit of the limit in the Unit column.
Unit Specifies the unit of measurement for the data transfer rate specified in the Rate limit column.
Possible values:
kbps (default setting)
kbit per second
pps
Data packets per second
Burst size Specifies the limit in KByte for the data volume during temporary bursts.
Possible values:
0 (default setting)
No limitation of the data volume.
1..128
If during temporary bursts on the port the data volume exceeds the value specified, the device
discards surplus MAC data packets. The prerequisite is that you specify in the Rate limit
column a value >0.
Recommendation:
If the bandwidth is known:
Burst size = bandwidth x allowed duration of a burst / 8.
If the bandwidth is unknown:
Burst size = 10 x MTU (Maximum Transmission Unit) of the port.
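The following is an added example, not code from the manual or from Hirschmann: a small Python model of the matching semantics described in the table above, so that the effect of the ? wild card, the address/bit mask notation, the Ethertype, VLAN ID and COS fields, and the lowest-index-first evaluation can be checked against sample frames. Frame field names, the sample Access Control List and the sample frames are constructed for this illustration; the rule fields follow the column names of the dialog.

```python
"""MAC Access Control List matching as described for the MAC Rule dialog.

Added example, not Hirschmann code: models '?' wild-card nibbles,
address/bit-mask ranges, Ethertype, VLAN ID and COS matching, lowest
Index first, and the implied Deny-All when no rule of the list matches.
Field names and sample frames are constructed for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

MAC_RE = re.compile(r"^([0-9a-f?]{2})(:[0-9a-f?]{2}){5}$", re.I)


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def parse_mac_pattern(pattern: str):
    """Turn a MAC, a '?'-wild-card MAC or a MAC/bit-mask into (value, mask).

    A nibble written as '?' contributes zero bits to the mask, so
    '00:11:??:??:??:??' gives value 0x001100000000, mask 0xFFFF00000000.
    '00:11:22:33:44:54/FF:FF:FF:FF:FF:FC' keeps the mask as given and
    therefore covers 00:11:22:33:44:54 .. 00:11:22:33:44:57.
    """
    if "/" in pattern:
        addr, mask = pattern.split("/", 1)
        if not (MAC_RE.match(addr) and MAC_RE.match(mask)) or "?" in pattern:
            raise ValueError(f"bad address/mask: {pattern}")
        return mac_to_int(addr), mac_to_int(mask)
    if not MAC_RE.match(pattern):
        raise ValueError(f"bad MAC pattern: {pattern}")
    digits = pattern.replace(":", "")
    value = int("".join("0" if c == "?" else c for c in digits), 16)
    mask = int("".join("0" if c == "?" else "f" for c in digits), 16)
    return value, mask


@dataclass
class MacRule:
    index: int
    action: str = "permit"            # permit / deny
    active: bool = True
    match_every: bool = False         # "Match every packet" checkbox
    src: str = "??:??:??:??:??:??"    # Source MAC address (default: any)
    dst: str = "??:??:??:??:??:??"    # Destination MAC address (default: any)
    ethertype: Optional[int] = None   # None == any, else 0x600..0xffff
    vlan_id: int = 0                  # 0 == any
    cos: Optional[int] = None         # None == any, else 0..7

    def matches(self, frame: dict) -> bool:
        if self.match_every:
            return True                # all other fields are ignored
        sv, sm = parse_mac_pattern(self.src)
        dv, dm = parse_mac_pattern(self.dst)
        if mac_to_int(frame["src"]) & sm != sv:
            return False
        if mac_to_int(frame["dst"]) & dm != dv:
            return False
        if self.ethertype is not None and frame["ethertype"] != self.ethertype:
            return False
        if self.vlan_id and frame.get("vlan", 0) != self.vlan_id:
            return False
        # For untagged frames the caller supplies the port priority as "cos".
        if self.cos is not None and frame.get("cos", 0) != self.cos:
            return False
        return True


def evaluate_acl(rules, frame):
    """Apply one Access Control List: lowest Index first, first active hit wins.

    Returns (action, index); ("deny", None) stands for the implied Deny-All
    that applies when no rule of an assigned list matches.
    """
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.active and rule.matches(frame):
            return rule.action, rule.index
    return "deny", None


def demo():
    acl = [  # constructed sample list; note the indexes are not entered in order
        MacRule(index=10, action="permit", src="00:11:??:??:??:??"),
        MacRule(index=1, action="deny", src="00:11:22:33:44:54/FF:FF:FF:FF:FF:FC"),
        MacRule(index=2, action="permit", ethertype=0x0806),   # arp
    ]
    frames = [  # constructed sample frames
        {"src": "00:11:22:33:44:56", "dst": "ff:ff:ff:ff:ff:ff", "ethertype": 0x0806},
        {"src": "00:11:22:33:44:58", "dst": "ff:ff:ff:ff:ff:ff", "ethertype": 0x0806},
        {"src": "00:11:aa:bb:cc:dd", "dst": "00:aa:bb:cc:dd:ee", "ethertype": 0x0800},
        {"src": "00:22:aa:bb:cc:dd", "dst": "00:aa:bb:cc:dd:ee", "ethertype": 0x0800},
    ]
    return [evaluate_acl(acl, f) for f in frames]
```

The second sample frame shows why index order matters: its source address (…:58) lies outside the /FC range of rule 1, so the ARP permit in rule 2 applies, whereas the first frame (…:56) is inside the range and is denied before rule 2 is consulted.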
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the Group name field, you specify the name of the Access Control List to which the rule
belongs.
In the Index field, you specify the number of the rule within the Access Control List. If the
Access Control List contains multiple rules, the device processes the rule with the lowest value
first.
Displays a sub menu with the following items.
This dialog allows you to assign one or more Access Control Lists to the ports and VLANs of the device.
By assigning a priority you specify the processing sequence, provided you assign one or more Access
Control Lists to a port or VLAN.
Within an Access Control List, the device applies the rules successively in the sequence specified by the
rule index. You specify the priority of a group in the Priority column. The lower the number, the higher
the priority: the device applies the rules of a group with a high priority before the rules of a group with
a low priority.
The assignment of Access Control Lists to ports and VLANs results in the following different types of
ACL:
Port-based IPv4-ACLs
Port-based MAC ACLs
VLAN-based IPv4 ACLs
VLAN-based MAC ACLs
The device allows you to apply the Access Control Lists to data packets received (inbound) or sent
(outbound).
Note: Before you enable the function, verify that at least one active entry in the table allows you access.
Otherwise, the connection to the device terminates when you change the settings. Access to the
management functions is then possible solely using the CLI through the V.24 interface of the device.
Table
Parameters Meaning
Group name Displays the name of the Access Control List. The Access Control List contains the rules.
Type Displays whether the Access Control List contains MAC rules or IPv4 rules.
Possible values:
mac
The Access Control List contains MAC rules.
ip
The Access Control List contains IPv4 rules.
You edit Access Control Lists with IPv4 rules in the Network Security > ACL > IPv4 Rule
dialog. You edit Access Control Lists with MAC rules in the Network Security > ACL > MAC
Rule dialog.
Port Displays the port to which the Access Control List is assigned. The field remains empty if the
Access Control List is assigned to a VLAN.
VLAN ID Displays the VLAN to which the Access Control List is assigned. The field remains empty if the
Access Control List is assigned to a port.
Direction Displays whether the device applies the Access Control List to data packets received or sent.
Possible values:
inbound
The device applies the Access Control List to data packets received on the port or in the VLAN.
outbound
The device applies the Access Control List to data packets sent on the port or in the VLAN.
Priority Displays the priority of the Access Control List.
Using the priority, you specify the sequence in which the device applies the Access Control Lists
to the data stream. The device applies the rules in ascending order starting with priority 1.
Possible values:
1..4294967295
If an Access Control List is assigned to a port and to a VLAN with the same priority, the device
applies the rules first to the port.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create dialog to assign an Access Control List to a port or a VLAN.
In the Port/VLAN field, you specify the port or the VLAN ID.
In the Priority field, you specify the priority of the Access Control List. The lower the number, the
earlier the device applies the list.
In the Direction field, you specify whether the device applies the Access Control List to received
(inbound) or sent (outbound) data packets.
In the Group name field, you specify which Access Control List the device assigns to the port or VLAN.
This dialog allows you to edit time profiles. If you assign a time profile to a MAC or IPv4 rule, the device
applies the rule at the times specified in the time profile. If no time profile is assigned, the device applies
the rule permanently.
The device allows you to create up to 100 time profiles with up to 10 time periods.
The device applies the MAC and IPv4 rules during the time specified within the time period.
If you specify time periods using the Absolute option, the device applies the rule one time.
If you specify time periods using the Periodic option, the device applies the rule recurrently.
The implied Deny-All rule of the ACLs is always valid independently of the time control.
Table
Parameters Meaning
Profile name Displays the name of the time profile. The time profile contains the time periods.
Index Displays the number of the time period within the time profile. The device automatically assigns
this number.
Absolute
Start date Specifies the date at which the device starts to apply the one-time rule.
Possible values:
YYYY-MM-DD or DD.MM.YY
(depending on the language preferences of your web browser)
Start time Specifies the time at which the device starts to apply the one-time rule.
Possible values:
hh:mm
Hour:Minute
End date Specifies the date at which the device terminates the one-time rule.
Possible values:
YYYY-MM-DD or DD.MM.YY
(depending on the language preferences of your web browser)
End time Specifies the time at which the device terminates the one-time rule.
Possible values:
hh:mm
Hour:Minute
Periodic
Starting days Specifies the days of the week on which the device periodically starts to apply the rule.
Possible values:
Sun
Mon
Tue
Wed
Thu
Fri
Sat
Start time Specifies the time at which the device periodically starts to apply the rule.
Possible values:
hh:mm
Hour:Minute
Ending days Specifies the days of the week on which the device periodically terminates the rule.
Possible values:
Sun
Mon
Tue
Wed
Thu
Fri
Sat
End time Specifies the time at which the device periodically terminates the rule.
Possible values:
hh:mm
Hour:Minute
Note: When you reconfigure a time period specify first the end time and then the start time. Otherwise,
the dialog displays an error message.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create dialog to create a new time period.
In the Profile name field, you specify the name of the time profile to which the time period
belongs.
In the Type field, you specify the type of time period.
– With the Periodic radio button, you specify a time period at which the device activates the
recurring rule.
– With the Absolute radio button, you specify a time period at which the device activates the
rule one time. Within every time profile, exactly one such time period is allowed.
In the Start frame, you specify the time at which the device starts to apply the rule.
In the End frame, you specify the time at which the device stops applying the rule.
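The following is an added example, not code from the manual or from Hirschmann. It models the evaluation order described in the Assignment dialog (ascending Priority, a port assignment before a VLAN assignment of equal priority, ascending Index inside a list) together with the Time Profile behaviour above: a rule with a time profile counts only inside its time periods, and the implied Deny-All holds regardless of any time profile. Rule matching is reduced to an Ethertype test so the ordering stays visible. Two assumptions of this model, not statements of the manual: a periodic time period is treated as a same-day window on its starting days, and a frame for which no Access Control List is assigned at all is forwarded.

```python
"""Evaluation order of assigned Access Control Lists and time profiles.

Added example, not Hirschmann code. Assumptions of this model: periodic
time periods are same-day windows on their starting days; with no list
assigned to either the port or the VLAN, the ACL function is not involved.
Timestamps, ports, VLANs and groups are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Union


@dataclass(frozen=True)
class Period:
    kind: str                          # "absolute" (one time) or "periodic" (recurring)
    start: Union[datetime, time]
    end: Union[datetime, time]
    days: frozenset = frozenset()      # Starting days, Mon=0 .. Sun=6 (periodic only)

    def active(self, now: datetime) -> bool:
        if self.kind == "absolute":
            return self.start <= now < self.end
        if now.weekday() not in self.days:
            return False
        return self.start <= now.time() < self.end     # assumption: same-day window


@dataclass(frozen=True)
class Rule:
    index: int
    action: str                       # "permit" / "deny"
    ethertype: Optional[int] = None   # None matches every frame
    profile: tuple = ()               # time periods; empty == applied permanently

    def applies(self, now: datetime) -> bool:
        return not self.profile or any(p.active(now) for p in self.profile)


@dataclass(frozen=True)
class Assignment:
    group: str
    target_kind: str   # "port" or "vlan"
    target: int
    direction: str     # "inbound" / "outbound"
    priority: int      # 1..4294967295; lower number == applied earlier


def ordered_lists(assignments, port, vlan, direction):
    """The lists consulted for a frame on `port` in `vlan`, in evaluation order."""
    hits = [a for a in assignments if a.direction == direction and (
        (a.target_kind == "port" and a.target == port) or
        (a.target_kind == "vlan" and a.target == vlan))]
    # Ascending priority; on equal priority the port assignment is applied first.
    return sorted(hits, key=lambda a: (a.priority, 0 if a.target_kind == "port" else 1))


def decide(assignments, groups, port, vlan, direction, ethertype, now):
    """Return (action, group, index); ("deny", None, None) is the implied Deny-All."""
    lists = ordered_lists(assignments, port, vlan, direction)
    if not lists:
        return "permit", None, None   # assumption: no list assigned, ACLs not involved
    for a in lists:
        for rule in sorted(groups[a.group], key=lambda r: r.index):
            if not rule.applies(now):
                continue              # outside its time profile: skipped, not denied
            if rule.ethertype is None or rule.ethertype == ethertype:
                return rule.action, a.group, rule.index
    return "deny", None, None         # Deny-All, independent of time control


def demo():
    weekdays_0800_1700 = (Period("periodic", time(8, 0), time(17, 0), frozenset(range(5))),)
    groups = {
        "eng": [Rule(10, "permit", 0x88B5, weekdays_0800_1700),  # permitted in office hours
                Rule(20, "deny", 0x88B5)],                      # otherwise denied
        "vlan-default": [Rule(1, "permit")],
    }
    assignments = [
        Assignment("eng", "port", 3, "inbound", 5),
        Assignment("vlan-default", "vlan", 100, "inbound", 5),   # same priority as "eng"
    ]
    monday_noon = datetime(2024, 1, 8, 12, 0)      # constructed timestamps
    monday_night = datetime(2024, 1, 8, 22, 0)
    return [
        decide(assignments, groups, 3, 100, "inbound", 0x88B5, monday_noon),
        decide(assignments, groups, 3, 100, "inbound", 0x88B5, monday_night),
        decide(assignments, groups, 4, 100, "inbound", 0x88B5, monday_night),
        decide(assignments, groups, 3, 200, "inbound", 0x0800, monday_noon),
    ]
```

The first two cases show the point of the Deny-All note: outside the time profile rule 10 is simply skipped, so the frame falls through to rule 20 and is denied even though the VLAN list at the same priority would have permitted it. The last case reaches no matching rule in any assigned list and is denied by the implied rule.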
5 Switching
If a large number of data packets are received in the priority queue of a port at the same time, this can
cause the port memory to overflow. This happens, for example, when the device receives data on a
Gigabit port and forwards it to a port with a lower bandwidth. The device discards surplus data packets.
The flow control mechanism described in standard IEEE 802.3 ensures that no data packets are lost
due to a port memory overflowing. Shortly before a port memory is completely full, the device signals to
the connected devices that it is not accepting any more data packets from them.
In full-duplex mode, the device sends a pause data packet.
In half-duplex mode, the device simulates a collision.
Then the connected devices do not send any more data packets for as long as the signaling takes. On
uplink ports, this can possibly cause undesired sending breaks in the higher-level network segment
(“wandering backpressure”).
According to standard IEEE 802.1Q, the device forwards data packets with a VLAN tag in a VLAN ≥1.
However, a small number of applications on connected end devices send or receive data packets with
a VLAN ID=0. When the device receives one of these data packets, before forwarding it the device
overwrites the original value in the data packet with the VLAN ID of the receiving port. When you activate
the VLAN Unaware Mode, this deactivates the VLAN settings in the device. The device then
transparently forwards the data packets and evaluates the priority information contained in the data
packet exclusively.
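The following is an added example, not code from the manual or from Hirschmann. It parses an Ethernet II frame with an IEEE 802.1Q tag and applies the ingress rule stated above: a frame that carries VLAN ID 0 (priority-tagged) is forwarded with the VLAN ID of the receiving port while the priority bits are kept. The port-to-VLAN mapping, the sample frames and the helper names are constructed for this example.

```python
"""Ingress handling of priority-tagged frames (VLAN ID 0).

Added example, not Hirschmann code. Parses the 802.1Q tag (TPID 0x8100,
TCI = PCP:3 | DEI:1 | VID:12) and rewrites VID 0 to the receiving port's
VLAN ID, keeping the PCP. Sample frames are constructed inline.
"""
import struct

TPID_8021Q = 0x8100


def parse_frame(frame: bytes):
    """Return (dst, src, pcp, vid, ethertype, payload); pcp and vid are None when untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return dst, src, None, None, tpid, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    pcp, vid = tci >> 13, tci & 0x0FFF        # the DEI bit (0x1000) is not used here
    return dst, src, pcp, vid, ethertype, frame[18:]


def ingress_vlan(frame: bytes, port_vlan_id: int):
    """Classify a received frame; return (vlan_used, pcp_used, frame_to_forward).

    VID 0 is overwritten with the receiving port's VLAN ID as the text
    describes. Untagged frames are assigned the port's VLAN ID and carry
    no PCP (the port priority would apply instead).
    """
    dst, src, pcp, vid, ethertype, payload = parse_frame(frame)
    if vid is None:
        return port_vlan_id, None, frame
    if vid == 0:
        tci = (pcp << 13) | (port_vlan_id & 0x0FFF)
        rewritten = frame[:14] + struct.pack("!HH", tci, ethertype) + payload
        return port_vlan_id, pcp, rewritten
    return vid, pcp, frame


def build_frame(dst, src, ethertype, payload, pcp=None, vid=None):
    """Construct a frame; give pcp and vid together to add an 802.1Q tag."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


def demo():
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")          # locally administered, constructed
    # A priority-tagged frame (PCP 5, VID 0) received on a port whose VLAN ID is 20.
    prio_tagged = build_frame(dst, src, 0x0806, b"\x00" * 28, pcp=5, vid=0)
    vlan_used, pcp_used, out = ingress_vlan(prio_tagged, port_vlan_id=20)
    return vlan_used, pcp_used, parse_frame(out)[3]
```

A practitioner can feed real captures through parse_frame to confirm that a device on the path forwards VID 0 frames in the port VLAN (and not in VLAN 0), which is what the text above specifies.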
Configuration
Parameters Meaning
MAC address Displays the MAC address of the device.
Aging time [s] Specifies the aging time in seconds.
Possible values:
10..500000 (default setting: 30)
The device monitors the age of the learned unicast MAC addresses. The device deletes address
entries that exceed a particular age (aging time) from its address table.
You find the address table in the Switching > Filter for MAC Addresses dialog.
Flow control Activates/deactivates the flow control in the device.
Possible values:
marked
The flow control is active in the device.
Additionally activate the flow control on the required ports. See the Basic Settings > Port
dialog, Configuration tab, checkbox in the Flow control column.
unmarked (default setting)
The flow control is inactive in the device.
When you are using a redundancy function, you deactivate the flow control on the participating
ports. If the flow control and the redundancy function are active at the same time, there is a risk
that the redundancy function operates sporadically.
VLAN unaware Activates/deactivates the VLAN unaware mode.
mode
Possible values:
marked
The VLAN unaware mode is active.
The device works in the VLAN Unaware bridging mode (802.1D):
– The device ignores the VLAN settings in the device and the VLAN tags in the data packets.
The device transmits the data packets based on their destination MAC address or
destination IP address in VLAN 1.
– The device ignores the VLAN settings specified in the Switching > VLAN > Configuration
and Switching > VLAN > Port dialogs. Every port is assigned to VLAN 1.
– The device evaluates the priority information contained in the data packet.
Note: You specify the VLAN ID 1 for every function on the device which uses VLAN settings.
Among other things, this applies to static filters, MRP and IGMP Snooping.
unmarked (default setting)
The VLAN unaware mode is inactive.
The device works in the VLAN Aware bridging mode (802.1Q):
– The device evaluates the VLAN tags in the data packets.
– The device transmits the data packets based on their destination MAC address or
destination IP address in the corresponding VLAN.
– The device evaluates the priority information contained in the data packet.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
The device allows you to limit the traffic on the ports in order to help provide reliable operation even with
a large traffic volume. If the traffic on a port exceeds the traffic value entered, the device discards the
excess traffic on this port.
The rate limiter function operates exclusively on Layer 2, and is used to limit the effects of storms of data
packets that flood the device (typically Broadcasts).
The rate limiter function ignores protocol information on higher levels, such as IP or TCP.
In this dialog, you enable the Rate Limiter function. The threshold value specifies the maximum
amount of traffic the port receives. If the traffic on this port exceeds the threshold value, the device
discards the excess traffic on this port.
Parameters Meaning
Port Displays the port number.
Threshold unit Specifies the unit for the threshold value:
Possible values:
percent (default setting)
Specifies the threshold value as a percentage of the data rate of the port.
pps
Specifies the threshold value in data packets per second.
Broadcast mode Activates/deactivates the rate limiter function for received broadcast data packets.
Possible values:
marked
unmarked (default setting)
If the threshold value is exceeded, the device discards the excess broadcast data packets on this
port.
Broadcast threshold Specifies the threshold value for received broadcasts on this port.
Possible values:
0..14880000 (default setting: 0)
The value 0 deactivates the rate limiter function on this port.
Enter a percentage from 0 through 100 if you select in the Threshold unit column the
value percent .
Enter an absolute value for the data rate if you select in the Threshold unit column the
value pps .
Multicast mode Activates/deactivates the rate limiter function for received multicast data packets.
Possible values:
marked
unmarked (default setting)
If the threshold value is exceeded, the device discards the excess multicast data packets on this
port.
Multicast threshold Specifies the threshold value for received multicasts on this port.
Possible values:
0..14880000 (default setting: 0)
The value 0 deactivates the rate limiter function on this port.
Enter a percentage from 0 through 100 if you select in the Threshold unit column the
value percent .
Enter an absolute value for the data rate if you select in the Threshold unit column the
value pps .
Unknown unicast mode Activates/deactivates the rate limiter function for received unicast data packets with an unknown
destination address.
Possible values:
marked
unmarked (default setting)
If the threshold value is exceeded, the device discards the excess unicast data packets on this
port.
Unicast threshold Specifies the threshold value for received unicasts with an unknown destination address on this
port.
Possible values:
0..14880000 (default setting: 0)
The value 0 deactivates the rate limiter function on this port.
Enter a percentage from 0 through 100 if you select in the Threshold unit column the
value percent .
Enter an absolute value for the data rate if you select in the Threshold unit column the
value pps .
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
This dialog allows you to display and edit address filters for the address table. Address filters specify the
way the data packets are forwarded in the device based on the destination MAC address.
Each row in the table represents one filter. The device automatically sets up the filters. The device
allows you to set up additional filters manually.
The device transmits the data packets as follows:
If the table contains an entry for the destination address of a data packet, the device transmits the
data packet from the receiving port to the port specified in the table entry.
If there is no table entry for the destination address, the device transmits the data packet from the
receiving port to every other port.
Table
Parameters Meaning
Address Displays the destination MAC address to which the table entry applies.
VLAN ID Displays the ID of the VLAN to which the table entry applies.
The device learns the MAC addresses for every VLAN separately (independent VLAN learning).
Status Displays how the device has set up the address filter.
Possible values:
learned
Address filter set up automatically by the device based on received data packets.
permanent
Address filter set up manually. The address filter stays set up permanently.
IGMP
Address filter automatically set up by IGMP Snooping.
mgmt
MAC address of the device. The address filter is protected against changes.
invalid
Deletes a manually set up address filter.
MRP-MMRP
Multicast address filter automatically set up by MMRP.
<Port number> Displays how the corresponding port transmits data packets which it directs to the adjacent
destination address.
Possible values:
–
The port does not transmit any data packets to the destination address.
learned
The port transmits data packets to the destination address. The device created the filter
automatically based on received data packets.
IGMP learned
The port transmits data packets to the destination address. The device created the filter
automatically based on IGMP.
unicast static
The port transmits data packets to the destination address. A user created the filter.
multicast static
The port transmits data packets to the destination address. A user created the filter.
To delete the learned MAC addresses from the address table, click in the Basic Settings > Restart
dialog the Reset MAC address table button.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the Address field, you specify the destination MAC address.
In the VLAN ID field, you specify the ID of the VLAN.
In the Port field, you specify the port.
– Select one port if the destination MAC address is a unicast address.
– Select one or more ports if the destination MAC address is a multicast address.
– Select no port to create a discard filter. The device discards data packets with the
destination MAC address specified in the table entry.
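The following is an added example, not code from the manual or from Hirschmann. It models the address table behaviour described in this dialog (per-VLAN learning of source addresses, ageing of learned entries, forwarding to the entry's port or flooding when the destination is unknown, a manual discard filter with no port) and, in the same model, the classification of received frames as broadcast, multicast or unknown unicast that the Rate Limiter dialog above uses for its per-port thresholds. Ports, timestamps, thresholds, frames and the table layout are constructed for this illustration.

```python
"""Address table (FDB) and rate-limiter classification in one model.

Added example, not Hirschmann code. Table layout, ports, timestamps and
sample frames are constructed; the ageing default (30 s) and the
threshold semantics (0 == off, excess discarded) follow the dialogs.
"""
from collections import defaultdict
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """Group (I/G) bit is the least significant bit of the first octet."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Entry:
    ports: frozenset          # empty set == discard filter
    status: str               # "learned" or "permanent"
    seen: float = 0.0         # last time a frame with this source was received


@dataclass
class Switch:
    ports: frozenset
    aging_time: float = 30.0                             # seconds, dialog default
    thresholds: dict = field(default_factory=dict)       # (port, kind) -> frames/s, 0 == off
    table: dict = field(default_factory=dict)            # (vlan, mac) -> Entry
    counts: dict = field(default_factory=lambda: defaultdict(int))  # (port, kind, second)

    def add_static(self, vlan, mac, ports):
        """Manual filter; no port at all makes it a discard filter."""
        self.table[(vlan, mac)] = Entry(frozenset(ports), "permanent")

    def age(self, now):
        expired = [k for k, e in self.table.items()
                   if e.status == "learned" and now - e.seen > self.aging_time]
        for k in expired:
            del self.table[k]

    def classify(self, vlan, dst):
        if dst == BROADCAST:
            return "broadcast"
        if is_multicast(dst):
            return "multicast"
        return "unicast" if (vlan, dst) in self.table else "unknown_unicast"

    def receive(self, now, in_port, vlan, src, dst):
        """Return the set of egress ports; an empty set means the frame is discarded."""
        self.age(now)
        # Independent VLAN learning: learn the source per VLAN, never over a permanent entry.
        existing = self.table.get((vlan, src))
        if existing is None or existing.status == "learned":
            self.table[(vlan, src)] = Entry(frozenset({in_port}), "learned", now)
        kind = self.classify(vlan, dst)
        # Rate limiter: count received frames of this kind per port and second (pps unit).
        limit = self.thresholds.get((in_port, kind), 0)
        if limit:
            slot = (in_port, kind, int(now))
            self.counts[slot] += 1
            if self.counts[slot] > limit:
                return frozenset()                  # excess discarded on this port
        entry = self.table.get((vlan, dst))
        if entry is not None:
            return entry.ports - {in_port}          # empty for a discard filter
        return self.ports - {in_port}               # unknown destination: every other port


def demo():
    sw = Switch(ports=frozenset({1, 2, 3}), thresholds={(1, "broadcast"): 2})
    sw.add_static(10, "00:00:5e:00:53:99", [])       # discard filter, constructed address
    a, b, c = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    return [
        sw.receive(0.0, 1, 10, a, b),          # b unknown: flooded to {2, 3}
        sw.receive(0.5, 2, 10, b, a),          # a was learned on port 1: {1}
        sw.receive(0.6, 1, 10, a, BROADCAST),  # 1st broadcast this second: flooded
        sw.receive(0.7, 1, 10, a, BROADCAST),  # 2nd: flooded
        sw.receive(0.8, 1, 10, a, BROADCAST),  # 3rd exceeds threshold 2: discarded
        sw.receive(1.0, 3, 10, c, "00:00:5e:00:53:99"),   # discard filter: dropped
        sw.receive(40.0, 3, 10, c, b),         # b aged out (last seen 0.5 s): flooded
    ]
```

The last case is the one to keep in mind when reading the Aging time parameter: once a learned entry expires, unicast traffic to that station is flooded again until the station sends a frame, which is also why a static entry is the right tool for a device that mostly receives.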
Displays a sub menu with the following items.
Reset MAC address Removes the MAC addresses from the forwarding table that have the value learned in the
table Status column.
The Internet Group Management Protocol (IGMP) is a protocol for dynamically managing Multicast
groups. The protocol describes the distribution of Multicast data packets between routers and end
devices on Layer 3.
The device allows you to use the IGMP Snooping function to also use the IGMP mechanisms on
Layer 2:
Without IGMP Snooping, the device transmits the Multicast data packets to every port.
With the activated IGMP Snooping function, the device transmits the Multicast data packets
exclusively on ports to which Multicast receivers are connected. This reduces the network load. The
device evaluates the IGMP data packets transmitted on Layer 3 and uses the information on Layer 2.
Activate the IGMP Snooping function only after the following conditions are fulfilled:
– There is a Multicast router in the network that creates IGMP queries (periodic queries).
– The devices participating in IGMP Snooping forward the IGMP queries.
The device links the IGMP reports with the entries in its address table. If a multicast receiver joins a
multicast group, the device creates a table entry for this port in the Switching > Filter for MAC
Addresses dialog. If the multicast receiver leaves the multicast group, the device removes the table
entry.
The menu contains the following dialogs:
IGMP Snooping Global
IGMP Snooping Configuration
IGMP Snooping Enhancements
IGMP Snooping Querier
IGMP Snooping Multicasts
This dialog allows you to enable the IGMP Snooping protocol in the device and also configure it for each
port and each VLAN.
Operation
Parameters Meaning
Operation Enables/disables the IGMP Snooping function in the device.
Possible values:
On
The IGMP Snooping function is enabled in the device according to RFC 4541 (Considerations
for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD)
Snooping Switches).
Off (default setting)
The IGMP Snooping function is disabled in the device.
The device transmits received query, report, and leave data packets without evaluating them.
Received data packets with a Multicast destination address are transmitted to every port by
the device.
Information
Parameters Meaning
Multicast control packets processed Displays the number of Multicast control data packets processed.
This statistic encompasses the following packet types:
– IGMP Reports
– IGMP Queries version V1
– IGMP Queries version V2
– IGMP Queries version V3
– IGMP Queries with an incorrect version
– PIM or DVMRP packets
The device uses the Multicast control data packets to create the address table for transmitting the
Multicast data packets.
Possible values:
0..2^31-1
You use the Reset IGMP snooping data button in the Basic Settings > Restart dialog or
the clear igmp-snooping CLI command to reset the IGMP Snooping entries, including the
counter for the processed multicast control data packets.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Reset IGMP snooping counters Removes the IGMP Snooping entries and resets the counter in the Information frame to 0.
This dialog allows you to enable the IGMP Snooping function in the device and also configure it for each
port and each VLAN.
[VLAN ID ]
In this tab, you configure the IGMP Snooping function for every VLAN.
Table
Parameters Meaning
VLAN ID Displays the ID of the VLAN to which the table entry applies.
Active Activates/deactivates the IGMP Snooping function for this VLAN.
The prerequisite is that the IGMP Snooping function is globally enabled.
Possible values:
marked
IGMP Snooping is activated for this VLAN. The VLAN has joined the Multicast data stream.
unmarked (default setting)
IGMP Snooping is deactivated for this VLAN. The VLAN has left the Multicast data stream.
Group membership interval Specifies the time in seconds for which a VLAN from a dynamic Multicast group remains entered
in the address table when the device does not receive any more report data packets from the
VLAN.
Specify a value larger than the value in the Max. response time column.
Possible values:
2..3600 (default setting: 260)
Max. response time Specifies the time in seconds in which the members of a multicast group should respond to a
query data packet. For their response, the members specify a random time within the response
time. You thus help prevent the multicast group members from responding to the query at the
same time.
Specify a value smaller than the value in the Group membership interval column.
Possible values:
1..25 (default setting: 10)
Fast leave admin mode Activates/deactivates the Fast Leave function for this VLAN.
Possible values:
marked
If the device receives an IGMP Leave message from a multicast group, when the Fast Leave
function is active it removes the entry immediately from its address table.
unmarked (default setting)
When the Fast Leave function is inactive, the device first sends MAC-based queries to the
members of the multicast group, and removes an entry when a VLAN does not send any more
report messages.
MRP expiration time Multicast Router Present Expiration Time. Specifies the time in seconds for which the device waits
for a query data packet on a port that belongs to this VLAN. If the port does not receive a query
data packet within this time, the device removes the port from the list of ports with connected
multicast routers.
You have the option of configuring this parameter solely if the port belongs to an existing VLAN.
Possible values:
0
unlimited timeout - no expiration time
1..3600 (default setting: 260)
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Port ]
In this tab, you configure the IGMP Snooping function for every port.
Table
Parameters Meaning
Port Displays the port number.
Active Activates/deactivates the IGMP Snooping function for this port.
The prerequisite is that the IGMP Snooping function is globally enabled.
Possible values:
marked
IGMP Snooping is active on this port. The device includes the port in the multicast data stream.
unmarked (default setting)
IGMP Snooping is inactive on this port. The port left the multicast data stream.
Group membership interval Specifies the time in seconds for which a port, from a dynamic multicast group, remains entered
in the address table when the device does not receive any more report data packets from the port.
Possible values:
2..3600 (default setting: 260)
Specify the value larger than the value in the Max. response time column.
Max. response time Specifies the time in seconds in which the members of a multicast group should respond to a
query data packet. For their response, the members specify a random time within the response
time. You thus help prevent the multicast group members from responding to the query at the
same time.
Possible values:
1..25 (default setting: 10)
Specify a value lower than the value in the Group membership interval column.
MRP expiration time Specifies the Multicast Router Present Expiration Time. The MRP expiration time is the time in
seconds for which the device waits for a query packet on this port. If the port does not receive a
query data packet, the device removes the port from the list of ports with connected multicast
routers.
Possible values:
0
unlimited timeout - no expiration time
1..3600 (default setting: 260)
Fast leave admin mode Activates/deactivates the Fast Leave function for this port.
Possible values:
marked
If the device receives an IGMP Leave message from a multicast group, when the Fast Leave
function is active it removes the entry immediately from its address table.
unmarked (default setting)
When the Fast Leave function is inactive, the device first sends MAC-based queries to the
members of the multicast group, and removes an entry when a port does not send any more
report messages.
Static query port Activates/deactivates the Static query port mode.
Possible values:
marked
The Static query port mode is active.
The port is a static query port in the VLANs that are set up.
unmarked (default setting)
The Static query port mode is inactive.
The port is not a static query port. The device transmits IGMP report messages to the port
solely if it receives IGMP queries.
VLAN IDs Displays the ID of the VLANs to which the table entry applies.
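The following is an added example, not code from the manual or from Hirschmann. It models the IGMP Snooping state described in the Global and Configuration dialogs for one VLAN: ports on which queries arrive become query ports until the MRP expiration time passes, ports that send reports become members for the Group membership interval, a Leave either removes the port immediately (Fast Leave) or starts a group-specific query that the port must answer within the Max. response time, and the ports a multicast stream is sent to are derived from that state. Timestamps, ports and IGMP messages are constructed tuples, not parsed packets; the default timer values are those of the dialogs.

```python
"""IGMP Snooping state for one VLAN, as described in the dialogs above.

Added example, not Hirschmann code. Messages are constructed tuples
(time, port, kind, group); no packets are parsed. Timer defaults follow
the dialogs: Group membership interval 260 s, Max. response time 10 s,
MRP expiration time 260 s (0 == no expiration).
"""
from dataclasses import dataclass, field


@dataclass
class VlanSnooping:
    all_ports: frozenset
    active: bool = True                         # Active checkbox of the VLAN
    group_membership_interval: float = 260.0
    max_response_time: float = 10.0
    mrp_expiration_time: float = 260.0
    fast_leave: bool = False
    static_query_ports: frozenset = frozenset()
    query_ports: dict = field(default_factory=dict)     # port -> expiry (None == never)
    members: dict = field(default_factory=dict)         # group -> {port: expiry}
    pending_leave: dict = field(default_factory=dict)   # (group, port) -> deadline

    def _expire(self, now):
        self.query_ports = {p: t for p, t in self.query_ports.items() if t is None or t > now}
        for key, deadline in list(self.pending_leave.items()):
            if deadline <= now:          # no report within Max. response time
                group, port = key
                self.members.get(group, {}).pop(port, None)
                del self.pending_leave[key]
        for group in list(self.members):
            self.members[group] = {p: t for p, t in self.members[group].items() if t > now}
            if not self.members[group]:
                del self.members[group]

    def handle(self, now, port, msg, group=None):
        """Process a received IGMP message; msg is 'query', 'report' or 'leave'."""
        self._expire(now)
        if msg == "query":               # a multicast router is behind this port
            expiry = None if self.mrp_expiration_time == 0 else now + self.mrp_expiration_time
            self.query_ports[port] = expiry
        elif msg == "report":            # membership refreshed for the full interval
            self.members.setdefault(group, {})[port] = now + self.group_membership_interval
            self.pending_leave.pop((group, port), None)   # answered the group-specific query
        elif msg == "leave":
            if self.fast_leave:
                self.members.get(group, {}).pop(port, None)
            else:                        # group-specific query; port kept until the deadline
                self.pending_leave[(group, port)] = now + self.max_response_time
        if group in self.members and not self.members[group]:
            del self.members[group]

    def egress(self, now, in_port, group):
        """Ports to which a multicast stream for `group`, received on `in_port`, is sent."""
        self._expire(now)
        if not self.active:
            return self.all_ports - {in_port}              # no snooping: every port
        receivers = (set(self.members.get(group, {})) | set(self.query_ports)
                     | set(self.static_query_ports))
        return frozenset(receivers - {in_port})


def demo():
    v = VlanSnooping(all_ports=frozenset({1, 2, 3, 4}))
    g = "01:00:5e:01:01:01"                   # constructed group address
    v.handle(0.0, 1, "query")                 # router on port 1
    v.handle(1.0, 2, "report", g)
    v.handle(1.0, 3, "report", g)
    out = [v.egress(2.0, 4, g)]               # {1, 2, 3}
    v.handle(5.0, 3, "leave", g)              # not Fast Leave: query, wait up to 10 s
    out.append(v.egress(6.0, 4, g))           # still {1, 2, 3}
    out.append(v.egress(16.0, 4, g))          # port 3 stayed silent: {1, 2}
    out.append(v.egress(270.0, 4, g))         # member and router expired: empty
    v.handle(270.0, 1, "query")
    v.fast_leave = True
    v.handle(271.0, 2, "report", g)
    v.handle(272.0, 2, "leave", g)            # removed immediately
    out.append(v.egress(273.0, 4, g))         # {1}: router port only
    return out
```

The fourth case illustrates the two prerequisites stated before the dialog list: without periodic queries the router port expires and, since no port refreshes its membership, the group empties and the stream is no longer forwarded anywhere in the VLAN.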
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
This dialog allows you to select a port for a VLAN ID and to configure the port.
Table
Parameters Meaning
VLAN ID Displays the ID of the VLAN to which the table entry applies.
<Port number> Displays for every VLAN set up in the device whether the relevant port is a query port. Additionally,
the field displays whether the device transmits every Multicast stream in the VLAN to this port.
Possible values:
–
The port is not a query port in this VLAN.
L = Learned
The device detected the port as a query port because the port received IGMP queries in this
VLAN. The port is not a statically configured query port.
A = Automatic
The device detected the port as a query port. The prerequisite is that you configure the port as
Learn by LLDP.
S = Static (manual setting)
A user specified the port as a static query port. The device transmits IGMP reports solely to
ports on which it previously received IGMP queries – and to statically configured query ports.
To assign this value, proceed as follows:
Open the Wizard window.
On the Configuration page, mark the Static checkbox.
P = Learn by LLDP (manual setting)
A user specified the port as Learn by LLDP.
With the Link Layer Discovery Protocol (LLDP), the device detects Hirschmann devices
connected directly to the port. The device denotes the detected query ports with A.
To assign this value, proceed as follows:
Open the Wizard window.
On the Configuration page, mark the Learn by LLDP checkbox.
F = Forward All (manual setting)
A user specified the port so that the device transmits every received Multicast stream in the
VLAN to this port. Use this setting for diagnostics purposes, for example.
To assign this value, proceed as follows:
Open the Wizard window.
On the Configuration page, mark the Forward all checkbox.
Parameters Meaning
Display categories Enhances the clarity of the display. The table emphasizes the cells which contain the specified
value. This helps you to analyze and sort the table according to your needs.
Learned (L)
The table displays cells which contain the value L and possibly further values. Cells which
contain only values other than L, the table displays with the “-” symbol.
Static (S)
The table displays cells which contain the value S and possibly further values. Cells which
contain only values other than S, the table displays with the “-” symbol.
Automatic (A)
The table displays cells which contain the value A and possibly further values. Cells which
contain only values other than A, the table displays with the “-” symbol.
Learn by LLDP (P)
The table displays cells which contain the value P and possibly further values. Cells which
contain only values other than P, the table displays with the “-” symbol.
Forward all (F)
The table displays cells which contain the value F and possibly further values. Cells which
contain only values other than F, the table displays with the “-” symbol.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Wizard window that helps you to select and configure the ports.
After closing the Wizard window, click the button to save your settings.
Selection VLAN/Port
Parameters Meaning
VLAN ID Select the ID of the VLAN.
Possible values:
1..4042
Port Select the port.
Possible values:
<Port number>
Configuration
Parameters Meaning
VLAN ID Displays the ID of the selected VLAN.
Port Displays the number of the selected port.
Static Specifies the port as a static query port in the VLANs that are set up. The device transmits IGMP
report messages to the ports at which it receives IGMP queries. Allows you to also transmit IGMP
report messages to other selected ports (enable) or connected Hirschmann devices (Automatic).
Learn by LLDP Specifies the port as Learn by LLDP. Allows directly connected Hirschmann devices to be
detected via LLDP and learned as query ports.
Forward all Specifies the port as Forward all. With the Forward all setting, the device transmits at this
port every data packet with a Multicast address in the destination address field.
The device allows you to send a Multicast stream solely to those ports to which a Multicast receiver is
connected.
To determine which ports Multicast receivers are connected to, the device sends query data packets to
the ports at a definable interval. If a Multicast receiver is connected, it joins the Multicast stream by
responding to the device with a report data packet.
This dialog allows you to configure the Snooping Querier settings globally and for the VLANs that are
set up.
Operation
Parameters Meaning
Operation Enables/disables the IGMP Querier function globally in the device.
Possible values:
On
Off (default setting)
Configuration
In this frame you specify the IGMP Snooping Querier settings for the general query data packets.
Parameters Meaning
Protocol version Specifies the IGMP version of the general query data packets.
Possible values:
1
IGMP v1
2 (default setting)
IGMP v2
3
IGMP v3
Query interval [s] Specifies the time in seconds after which the device generates general query data packets itself
when it has received query data packets from the Multicast router.
Possible values:
1..1800 (default setting: 60)
Expiry interval [s] Specifies the time in seconds after which a querier in the passive state switches back to the
active state if it has not received any query packets for longer than specified here.
Possible values:
60..300 (default setting: 125)
Table
In the table you specify the Snooping Querier settings for the VLANs that are set up.
Parameters Meaning
VLAN ID Displays the ID of the VLAN to which the table entry applies.
Active Activates/deactivates the IGMP Snooping Querier function for this VLAN.
Possible values:
marked
The IGMP Snooping Querier function is active for this VLAN.
unmarked (default setting)
The IGMP Snooping Querier function is inactive for this VLAN.
Current state Displays whether the Snooping Querier is active for this VLAN.
Possible values:
marked
The Snooping Querier is active for this VLAN.
unmarked
The Snooping Querier is inactive for this VLAN.
Address Specifies the IP address that the device adds as the source address in generated general query
data packets. You use the address of the multicast router.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
Protocol version Displays the IGMP protocol version of the general query data packets.
Possible values:
1
IGMP v1
2
IGMP v2
3
IGMP v3
Max. response time Displays the time in seconds in which the members of a Multicast group should respond to a query
data packet. For their response, the members specify a random time within the response time.
This helps to prevent every Multicast group member from responding to the query at the same time.
Last querier address Displays the IP address of the Multicast router from which the last received IGMP query was
sent.
Last querier version Displays the IGMP version that the Multicast router used when sending out the last IGMP query
received in this VLAN.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
The device allows you to specify how it transmits data packets with unknown Multicast addresses: Either
the device discards these data packets, floods them to every port, or transmits them solely to the ports
that previously received query packets.
The device also allows you to transmit the data packets with known Multicast addresses to the query
ports.
Configuration
Parameters Meaning
Unknown multicasts Specifies how the device transmits the data packets with unknown Multicast addresses.
Possible values:
Discard
The device discards data packets with an unknown MAC/IP Multicast address.
Send to all ports (default setting)
The device sends data packets with an unknown MAC/IP Multicast address to the registered
ports.
Send to query ports
The device sends data packets with an unknown MAC/IP Multicast address to the query ports.
Table
In the table you specify the settings for known Multicasts for the VLANs that are set up.
Parameters Meaning
VLAN ID Displays the ID of the VLAN to which the table entry applies.
Known multicasts Specifies how the device transmits the data packets with known Multicast addresses.
Possible values:
send to query and registered ports
The device sends data packets with a known MAC/IP Multicast address to the query ports
and to the registered ports.
send to registered ports (default setting)
The device sends data packets with a known MAC/IP Multicast address to registered ports.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
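As an added example (not code from the Hirschmann manual or device), the following Python models the egress decision for a Multicast frame from the Unknown multicasts and Known multicasts settings above, and audits which ports receive unknown-group traffic although they never asked for it. Port numbers, group addresses and VLAN membership are constructed sample values, and "Send to all ports" is read as every member port of the VLAN, as the dialog intro describes it.

```python
"""Added example, not Hirschmann code: models the egress-port decision for a
Multicast frame from the Unknown multicasts (device-wide) and Known multicasts
(per-VLAN) settings described above. Port numbers, group addresses and VLAN
membership below are constructed sample values."""
from dataclasses import dataclass, field

UNKNOWN_MODES = ("Discard", "Send to all ports", "Send to query ports")
KNOWN_MODES = ("send to query and registered ports", "send to registered ports")
UNKNOWN_GROUP = "<no report seen>"   # sentinel used by the audit, never a registered key


@dataclass
class VlanMulticastState:
    vlan_id: int
    member_ports: frozenset                         # ports that are members of this VLAN
    query_ports: frozenset                          # learned (L/A) or static (S) query ports
    registered: dict = field(default_factory=dict)  # group -> ports that sent IGMP reports
    known_mode: str = "send to registered ports"    # per-VLAN default from the dialog

    def __post_init__(self):
        if self.known_mode not in KNOWN_MODES:
            raise ValueError(f"invalid Known multicasts setting: {self.known_mode!r}")


def egress_ports(state, unknown_mode, group, ingress_port=None):
    """Ports a frame for `group` arriving on `ingress_port` is transmitted to.

    `unknown_mode` is the device-wide Unknown multicasts setting; `state` holds
    the VLAN's Known multicasts setting and its IGMP snooping tables.
    """
    if unknown_mode not in UNKNOWN_MODES:
        raise ValueError(f"invalid Unknown multicasts setting: {unknown_mode!r}")
    registered = state.registered.get(group)
    if registered is None:
        # No IGMP report seen for this group: the address is unknown.
        if unknown_mode == "Discard":
            out = set()
        elif unknown_mode == "Send to all ports":
            # The dialog intro describes this setting as flooding to every port;
            # read here as every member port of the VLAN.
            out = set(state.member_ports)
        else:
            out = set(state.query_ports)
    else:
        # Known address: registered ports always, query ports only when configured.
        out = set(registered)
        if state.known_mode == "send to query and registered ports":
            out |= set(state.query_ports)
    out.discard(ingress_port)            # a frame is never sent back to its ingress port
    return frozenset(out & state.member_ports)


def unknown_multicast_exposure(states, unknown_mode):
    """Defender's check: per VLAN, the ports that would receive a frame for an
    unregistered group although they neither reported a group nor received queries."""
    report = {}
    for st in states:
        reached = egress_ports(st, unknown_mode, UNKNOWN_GROUP)
        interested = set(st.query_ports).union(*st.registered.values())
        report[st.vlan_id] = sorted(reached - interested)
    return report


def sample_state(known_mode="send to registered ports"):
    """Constructed sample: VLAN 10 with five member ports, port 1 facing the
    Multicast router (query port), ports 2 and 3 subscribed to 239.1.1.1."""
    return VlanMulticastState(
        vlan_id=10,
        member_ports=frozenset({1, 2, 3, 4, 5}),
        query_ports=frozenset({1}),
        registered={"239.1.1.1": frozenset({2, 3})},
        known_mode=known_mode,
    )


if __name__ == "__main__":
    st = sample_state()
    for mode in UNKNOWN_MODES:
        print(f"{mode:20s} unknown group from port 4 ->",
              sorted(egress_ports(st, mode, "239.9.9.9", ingress_port=4)))
    print("exposed ports:", unknown_multicast_exposure([st], "Send to all ports"))
```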
5.5 MRP-IEEE
The IEEE 802.1ak amendment to the IEEE 802.1Q standard introduced the Multiple Registration
Protocol (MRP) to replace the Generic Attribute Registration Protocol (GARP). The IEEE also modified
and replaced the GARP applications, GARP Multicast Registration Protocol (GMRP) and GARP VLAN
Registration Protocol (GVRP). The Multiple MAC Registration Protocol (MMRP) and the Multiple VLAN
Registration Protocol (MVRP) replace these protocols.
MRP-IEEE helps confine traffic to the required areas of the LAN. To confine traffic, the MRP-IEEE
applications distribute attribute values to participating MRP-IEEE devices across a LAN, registering
and de-registering multicast group membership and VLAN identifiers.
Registering group participants allows you to reserve resources for specific traffic traversing a LAN.
Defining resource requirements regulates the level of traffic, allowing the devices to determine the
required resources and providing for dynamic maintenance of the allocated resources.
The menu contains the following dialogs:
MRP-IEEE Configuration
MRP-IEEE Multiple MAC Registration Protocol
MRP-IEEE Multiple VLAN Registration Protocol
This dialog allows you to set the various MRP timers. By maintaining a relationship between the various
timer values, the protocol operates efficiently and with less likelihood of unnecessary attribute withdraws
and re-registration. The default timer values effectively maintain these relationships.
Maintain the following relationships when you reconfigure the timers:
To allow for re-registration after a Leave or LeaveAll event, even if there is a lost message, specify
the LeaveTime to: ≥ (2x JoinTime) + 60.
To minimize the volume of rejoining traffic generated following a LeaveAll event, specify the value for
the LeaveAll timer larger than the LeaveTime value.
Table
Parameters Meaning
Port Displays the port number.
Join time [1/100s] Specifies the Join timer which controls the interval between transmit opportunities applied to the
Applicant state machine.
Possible values:
10..100 (default setting: 20)
Leave time [1/100s] Specifies the Leave timer which controls the period that the Registrar state machine waits in the
leave (LV) state before transiting to the empty (MT) state.
Possible values:
20..600 (default setting: 60)
Leave all time [1/100s] Specifies the LeaveAll timer which controls the frequency with which the LeaveAll state machine
generates LeaveAll PDUs.
Possible values:
200..6000 (default setting: 1000)
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
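The timer relationships of this dialog, checked in code: an added Python example (not Hirschmann code) that parses a constructed export of per-port timers and reports range and relationship violations. It assumes the "+ 60" term of the LeaveTime rule is 60 ms (the IEEE figure, 6/100 s in the dialog's unit), because read as 60/100 s the defaults 20/60 would not satisfy a relationship the text says they maintain.

```python
"""Added example, not Hirschmann code: validates per-port MRP-IEEE timer
settings against the value ranges and the two timer relationships stated in
the MRP-IEEE Configuration dialog. Timer values are in 1/100 s, as in the
dialog; port names and the export format parsed below are constructed."""
from dataclasses import dataclass

# Value ranges and defaults listed in the dialog (1/100 s).
RANGES = {"join": (10, 100), "leave": (20, 600), "leave_all": (200, 6000)}
DEFAULTS = {"join": 20, "leave": 60, "leave_all": 1000}


@dataclass(frozen=True)
class PortTimers:
    port: str
    join: int = DEFAULTS["join"]
    leave: int = DEFAULTS["leave"]
    leave_all: int = DEFAULTS["leave_all"]


def min_leave_time(join):
    """Smallest LeaveTime (1/100 s) allowing re-registration after a lost message.

    The dialog gives LeaveTime >= (2 x JoinTime) + 60. Assumption: the +60 term
    is 60 ms (6/100 s), the IEEE figure; read as 60/100 s the defaults 20/60
    would fail the relation the dialog says they satisfy.
    """
    return 2 * join + 6


def check_port_timers(t):
    """Return findings for one port; an empty list means the timer set is consistent."""
    findings = []
    for name, (lo, hi) in RANGES.items():
        value = getattr(t, name)
        if not lo <= value <= hi:
            findings.append(f"{t.port}: {name} time {value} outside {lo}..{hi}")
    # Relationship 1: a lost Leave/LeaveAll message must still allow re-registration.
    if t.leave < min_leave_time(t.join):
        findings.append(f"{t.port}: leave time {t.leave} below minimum "
                        f"{min_leave_time(t.join)} for join time {t.join}")
    # Relationship 2: LeaveAll larger than LeaveTime keeps rejoin traffic low.
    if t.leave_all <= t.leave:
        findings.append(f"{t.port}: leave-all time {t.leave_all} not larger than "
                        f"leave time {t.leave}")
    return findings


def parse_timer_table(text):
    """Parse constructed whitespace-separated rows: port join leave leave_all."""
    timers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        port, join, leave, leave_all = line.split()
        timers.append(PortTimers(port, int(join), int(leave), int(leave_all)))
    return timers


def audit(text):
    """Map each port in the export to its list of findings."""
    return {t.port: check_port_timers(t) for t in parse_timer_table(text)}


SAMPLE_EXPORT = """
# port  join  leave  leave_all   (constructed sample, 1/100 s)
1/1     20    60     1000
1/2     100   200    1000
1/3     20    60     50
"""

if __name__ == "__main__":
    for port, findings in audit(SAMPLE_EXPORT).items():
        print(port, "OK" if not findings else "; ".join(findings))
```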
The Multiple MAC Registration Protocol (MMRP) allows end devices and MAC switches to register and
de-register group membership and individual MAC address information with switches located in the
same LAN. The switches within the LAN disseminate the information through switches that support
extended filtering services. Using the MAC address information, MMRP allows you to confine multicast
traffic to the required areas of a Layer 2 network.
For an example of how MMRP works, consider a security camera mounted on a mast overlooking a
building. The camera sends multicast packets onto a LAN. You have 2 end devices installed for
surveillance in separate locations. You register the MAC addresses of the camera and the 2 end devices
in the same multicast group. You then specify the MMRP settings on the ports to send the multicast
group packets to the 2 end devices.
[Configuration]
In this tab, you select active MMRP port participants and set the device to transmit periodic events. The
dialog also allows you to enable VLAN registered MAC address broadcasting.
A periodic state machine exists for each port and transmits periodic events regularly to the applicant
state machines associated with active ports. Periodic events contain information indicating the status of
the devices associated with the active port.
Operation
Parameters Meaning
Operation Enables/disables the global MMRP function on the device. The device participates in MMRP
message exchanges.
Possible values:
On
The device is a normal participant in MMRP message exchanges.
Off (default setting)
The device ignores MMRP messages.
Configuration
Parameters Meaning
Periodic state machine Enables/disables the global periodic state machine on the device.
Possible values:
On
With MMRP Operation enabled globally, the device transmits MMRP messages in one-second
intervals on MMRP participating ports.
Off (default setting)
Disables the periodic state machine on the device.
Table
Parameters Meaning
Port Displays the port number.
Active Activates/deactivates the port MMRP participation.
Possible values:
marked (default setting)
With MMRP enabled globally and on this port, the device sends and receives MMRP
messages on this port.
unmarked
Disables the port MMRP participation.
Restricted group registration Activates/deactivates the restriction of dynamic MAC address registration using MMRP on the
port.
Possible values:
marked
When enabled, and a static filter entry for the MAC address exists on the VLAN concerned, the
device allows the dynamic registration of the MAC address attribute.
unmarked (default setting)
The restriction of dynamic MAC address registration using MMRP on the port is disabled.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Service requirement]
This tab contains forwarding parameters for each active VLAN, specifying the ports on which multicast
forwarding applies. The device allows you to statically set up VLAN ports as Forward all or Forbidden.
You set the Forbidden MMRP service requirement statically, through the graphical user interface or CLI
exclusively.
A port is set up solely as ForwardAll or Forbidden.
Table
Parameters Meaning
VLAN ID Displays the ID of the VLAN.
<Port number> Specifies the service requirement handling for the port.
Possible values:
FA
Specifies the ForwardAll traffic setting on the port. The device forwards traffic destined to
MMRP registered multicast MAC addresses on the VLAN. The device forwards traffic to ports
which MMRP has dynamically set up or ports which the administrator has statically set up as
ForwardAll ports.
F
Specifies the Forbidden traffic setting on the port. The device blocks dynamic MMRP
ForwardAll service requirements. With ForwardAll requests blocked on this port in this VLAN,
the device blocks traffic destined to MMRP registered multicast MAC addresses on this port.
Furthermore, the device blocks MMRP service requests for changing this value on this port.
- (default setting)
Disables the forwarding functions on this port.
Learned
Displays values setup by MMRP service requests.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Statistics]
Devices on a LAN exchange Multiple MAC Registration Protocol Data Units (MMRPDU) to maintain
statuses of devices on an active MMRP port. This tab allows you to monitor the MMRP traffic statistics
for each port.
Information
Parameters Meaning
Transmitted MMRP PDU Displays the number of MMRPDUs transmitted on the device.
Received MMRP PDU Displays the number of MMRPDUs received on the device.
Received bad header PDU Displays the number of MMRPDUs received with a bad header on the device.
Received bad format PDU Displays the number of MMRPDUs with a bad data field that were not transmitted on the device.
Transmission failed Displays the number of MMRPDUs not transmitted on the device.
Table
Parameters Meaning
Port Displays the port number.
Transmitted MMRP PDU Displays the number of MMRPDUs transmitted on the port.
Received MMRP PDU Displays the number of MMRPDUs received on the port.
Received bad header PDU Displays the number of MMRPDUs with a bad header that were received on the port.
Received bad format PDU Displays the number of MMRPDUs with a bad data field that were not transmitted on the port.
Transmission failed Displays the number of MMRPDUs not transmitted on the port.
Last received MAC address Displays the last MAC address from which the port received MMRPDUs.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Reset Resets the port statistics counters and the values in the Last received MAC address column.
The Multiple VLAN Registration Protocol (MVRP) provides a mechanism that allows you to distribute
VLAN information and configure VLANs dynamically. For example, when you configure a VLAN on an
active MVRP port, the device distributes the VLAN information to other MVRP enabled devices. Using
the information received, an MVRP enabled device dynamically creates the VLAN trunks on other
MVRP enabled devices as needed.
[Configuration]
In this tab, you select active MVRP port participants and set the device to transmit periodic events.
A periodic state machine exists for each port and transmits periodic events regularly to the applicant
state machines associated with active ports. Periodic events contain information indicating the status of
the VLANs associated with the active port. Using the periodic events, MVRP enabled switches
dynamically maintain the VLANs.
Operation
Parameters Meaning
Operation Enables/disables the global Applicant Administrative Control which specifies whether the
Applicant state machine participates in MVRP message exchanges.
Possible values:
On
Normal Participant. The Applicant state machine participates in MVRP message exchanges.
Off (default setting)
Non-Participant. The Applicant state machine ignores MVRP messages.
Configuration
Parameters Meaning
Periodic state machine Enables/disables the periodic state machine on the device.
Possible values:
On
The periodic state machine is enabled. With MVRP Operation enabled globally, the device
transmits MVRP periodic events in 1 second intervals on MVRP participating ports.
Off (default setting)
The periodic state machine is disabled.
Table
Parameters Meaning
Port Displays the port number.
Active Activates/deactivates the port MVRP participation.
Possible values:
marked (default setting)
With MVRP enabled globally and on this port, the device distributes VLAN membership
information to MVRP aware devices connected to this port.
unmarked
Disables the port MVRP participation.
Restricted VLAN registration Activates/deactivates the Restricted VLAN registration function on this port.
Possible values:
marked
When enabled, and a static VLAN registration entry exists, the device allows you to create a
dynamic VLAN for this entry.
unmarked (default setting)
Disables the Restricted VLAN registration function on this port.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Statistics]
Devices on a LAN exchange Multiple VLAN Registration Protocol Data Units (MVRPDU) to maintain
statuses of VLANs on active ports. This tab allows you to monitor the MVRP traffic.
Information
Parameters Meaning
Transmitted MVRP PDU Displays the number of MVRPDUs transmitted on the device.
Received MVRP PDU Displays the number of MVRPDUs received on the device.
Received bad header PDU Displays the number of MVRPDUs received with a bad header on the device.
Received bad format PDU Displays the number of MVRPDUs with a bad data field that the device blocked.
Transmission failed Displays the number of failures while adding a message into the MVRP queue.
Message queue failures Displays the number of MVRPDUs that the device blocked.
Table
Parameters Meaning
Port Displays the port number.
Transmitted MVRP PDU Displays the number of MVRPDUs transmitted on the port.
Received MVRP PDU Displays the number of MVRPDUs received on the port.
Received bad header PDU Displays the number of MVRPDUs with a bad header that the device received on the port.
Received bad format PDU Displays the number of MVRPDUs with a bad data field that the device blocked on the port.
Transmission failed Displays the number of MVRPDUs that the device blocked on the port.
Registrations failed Displays the number of failed registration attempts on the port.
Last received MAC address Displays the last MAC address from which the port received MVRPDUs.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Reset Resets the port statistics counters and the values in the Last received MAC address column.
5.6 GARP
The Generic Attribute Registration Protocol (GARP) is defined by the IEEE to provide a generic
framework so switches can register and deregister attribute values, such as VLAN identifiers and
multicast group membership.
When an attribute for a participant is registered or deregistered according to GARP, the participant is
modified according to specific rules. The participants are a set of reachable end stations and network
devices. The defined set of participants at any given time, along with their attributes, is the reachability
tree for the subset of the network topology. The device forwards the data frames only to the registered
end stations. The station registration helps to prevent attempts to send data to the end stations that are
unreachable.
Note: Before you enable the GMRP function, verify that the MMRP function is disabled.
The menu contains the following dialogs:
GMRP
GVRP
5.6.1 GMRP
The GARP Multicast Registration Protocol (GMRP) is a Generic Attribute Registration Protocol (GARP)
that provides a mechanism allowing network devices and end stations to dynamically register group
membership. The devices register group membership information with the devices attached to the same
LAN segment. GARP also allows the devices to disseminate the information across the network devices
that support extended filtering services.
GMRP and GARP are industry-standard protocols defined by the IEEE 802.1P.
Operation
Parameters Meaning
Operation Enables/disables the global GMRP function on the device. The device participates in GMRP
message exchanges.
Possible values:
On
GMRP is enabled.
Off (default setting)
The device ignores GMRP messages.
Multicasts
Parameters Meaning
Unknown multicasts Enables/disables the unknown multicast data to be either flooded or discarded.
Possible values:
Discard
The device discards unknown multicast data.
Send to all ports (default setting)
The device sends unknown multicast data to every port.
Table
Parameters Meaning
Port Displays the port number.
GMRP active Activates/deactivates the port GMRP participation.
The prerequisite is that the GMRP function is globally enabled.
Possible values:
marked (default setting)
The port GMRP participation is active.
unmarked
The port GMRP participation is inactive.
Service requirement Specifies the ports on which multicast forwarding applies.
Possible values:
Forward all unregistered groups (default setting)
The device forwards data destined to GMRP-registered multicast MAC addresses on the VLAN.
The device forwards data to the unregistered groups.
Forward all groups
The device forwards data destined to every group, registered or unregistered.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
5.6.2 GVRP
The GARP VLAN Registration Protocol (GVRP) or Generic VLAN Registration Protocol is a protocol that
facilitates control of Virtual Local Area Networks (VLANs) within a larger network. GVRP is a Layer 2
network protocol, used to automatically configure devices in a VLAN network.
GVRP is a GARP application that provides IEEE 802.1Q-compliant VLAN pruning and creates
dynamic VLANs on 802.1Q trunk ports. With GVRP, the device exchanges VLAN configuration
information with other GVRP devices. Thus, the device reduces unnecessary broadcast and
unknown unicast traffic. Exchanging VLAN configuration information also allows you to dynamically
create and manage VLANs connected through the 802.1Q trunk ports.
Operation
Parameters Meaning
Operation Enables/disables the GVRP function globally on the device. The device participates in GVRP
message exchanges. When the function is disabled, the device ignores GVRP messages.
Possible values:
On
The GVRP function is enabled.
Off (default setting)
The GVRP function is disabled.
Table
Parameters Meaning
Port Displays the port number.
GVRP active Activates/deactivates the port GVRP participation.
The prerequisite is that the GVRP function is globally enabled.
Possible values:
marked (default setting)
The port GVRP participation is active.
unmarked
The port GVRP participation is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
5.7 QoS/Priority
Communication networks transmit a number of applications at the same time that have different
requirements as regards availability, bandwidth and latency periods.
QoS (Quality of Service) is a procedure defined in IEEE 802.1D. It is used to distribute resources in the
network. You therefore have the possibility of providing minimum bandwidth for important applications.
The prerequisite is that the end devices and the devices in the network support prioritized data
transmission. Data packets with high priority are given preference when transmitted by devices in the
network. Data packets with lower priority are transmitted only when no data packets with a higher
priority are waiting to be transmitted.
The device provides the following setting options:
You specify how the device evaluates QoS/prioritization information for inbound data packets.
For outbound packets, you specify which QoS/prioritization information the device writes in the data
packet (for example priority for management packets, port priority).
Note: Disable flow control if you use the functions in this menu. The flow control is inactive if in the
Switching > Global dialog, Configuration frame the Flow control checkbox is unmarked.
The menu contains the following dialogs:
QoS/Priority Global
QoS/Priority Port Configuration
802.1D/p Mapping
IP DSCP Mapping
Queue Management
DiffServ
The device allows you to maintain access to the management functions, even in situations with heavy
utilization. In this dialog you specify the required QoS/priority settings.
Configuration
Parameters Meaning
VLAN priority for management packets Specifies the VLAN priority for sending management data packets. Depending on the VLAN
priority, the device assigns the data packet to a specific traffic class and thus to a specific priority
queue of the port.
Possible values:
0..7 (default setting: 0)
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to
every VLAN priority.
IP DSCP value for management packets Specifies the IP DSCP value for sending management data packets. Depending on the IP DSCP
value, the device assigns the data packet to a specific traffic class and thus to a specific priority
queue of the port.
Possible values:
0 (be/cs0)..63 (default setting: 0 (be/cs0))
Some values in the list also have a DSCP keyword, for example 0 (be/cs0), 10 (af11) and 46
(ef). These values are compatible with the IP precedence model.
In the Switching > QoS/Priority > IP DSCP Mapping dialog you assign a traffic class to every
IP DSCP value.
Queues per port Displays the number of priority queues per port.
The device has 8 priority queues per port. You assign every priority queue to a specific traffic class
(traffic class according to IEEE 802.1D).
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
In this dialog, you specify for every port how the device processes received data packets based on their
QoS/priority information.
Table
Parameters Meaning
Port Displays the port number.
Port priority Specifies what VLAN priority information the device writes into a data packet if the data packet
contains no priority information. After this, the device transmits the data packet depending on the
value specified in the Trust mode column.
Possible values:
0..7 (default setting: 0)
Trust mode Specifies how the device handles a received data packet if the data packet contains QoS/priority
information.
Possible values:
untrusted
The device transmits the data packet according to the priority specified in the Port priority
column. The device ignores the priority information contained in the data packet.
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to
every VLAN priority.
trustDot1p (default setting)
The device transmits the data packet according to the priority information in the VLAN tag.
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to
every VLAN priority.
trustIpDscp
– If the data packet is an IP packet:
The device transmits the data packet according to the IP DSCP value contained in the data
packet.
In the Switching > QoS/Priority > IP DSCP Mapping dialog you assign a traffic class
to every IP DSCP value.
– If the data packet is not an IP packet:
The device transmits the data packet according to the priority specified in the Port
priority column.
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic
class to every VLAN priority.
Untrusted traffic class Displays the traffic class assigned to the VLAN priority information specified in the Port priority
column. In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic
class to every VLAN priority.
Possible values:
0..7
Bandwidth [%] Specifies the egress transmission rate.
Possible values:
0 (default setting)
The bandwidth limitation is disabled.
1..100
The bandwidth limitation is enabled.
This value specifies the percentage of overall link speed for the port in 1% increments.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
The device transmits data packets with a VLAN tag according to the contained QoS/priority information
with a higher or lower priority.
In this dialog, you assign a traffic class to every VLAN priority. You assign the traffic classes to the
priority queues of the ports.
Table
Parameters Meaning
VLAN priority Displays the VLAN priority.
Traffic class Specifies the traffic class assigned to the VLAN priority.
Possible values:
0..7
0 assigned to the priority queue with the lowest priority.
7 assigned to the priority queue with the highest priority.
Note: Among other things redundancy mechanisms use the highest traffic class. Therefore, select
another traffic class for application data.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
The device transmits IP data packets according to the DSCP value contained in the data packet with a
higher or lower priority.
In this dialog, you assign a traffic class to every DSCP value. You assign the traffic classes to the priority
queues of the ports.
Table
Parameters Meaning
DSCP value Displays the DSCP value.
Traffic class Specifies the traffic class which is assigned to the DSCP value.
Possible values:
0..7
0 assigned to the priority queue with the lowest priority.
7 assigned to the priority queue with the highest priority.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
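The Trust mode decision of the Port Configuration dialog and the two mapping dialogs above, worked through in code: an added Python example (not Hirschmann code) with constructed mapping tables, ports and packets. The DSCP map uses the keywords named in the Global dialog and is a sample assignment, not the device's default.

```python
"""Added example, not Hirschmann code: works through the Trust mode decision of
the QoS/Priority Port Configuration dialog together with the 802.1D/p Mapping
and IP DSCP Mapping tables. Both mapping tables below are constructed sample
assignments, not device defaults; ports and packets are constructed too."""
from dataclasses import dataclass
from typing import Optional

TRUST_MODES = ("untrusted", "trustDot1p", "trustIpDscp")

# 802.1D/p Mapping, VLAN priority -> traffic class. Constructed: identity, except
# that VLAN priority 7 maps to class 6 so that the highest traffic class stays
# free of application data (the mapping dialog's note on redundancy mechanisms).
DOT1P_TO_CLASS = {**{p: p for p in range(7)}, 7: 6}
# IP DSCP Mapping, DSCP value -> traffic class. Constructed, using the DSCP
# keywords named in the Global dialog: be/cs0 = 0, af11 = 10, ef = 46.
DSCP_TO_CLASS = {**{d: 0 for d in range(64)}, 10: 1, 46: 6}


@dataclass(frozen=True)
class PortQos:
    port: int
    port_priority: int = 0           # VLAN priority written when the packet carries none
    trust_mode: str = "trustDot1p"   # default setting per the dialog

    def __post_init__(self):
        if not 0 <= self.port_priority <= 7:
            raise ValueError("Port priority must be 0..7")
        if self.trust_mode not in TRUST_MODES:
            raise ValueError(f"invalid Trust mode {self.trust_mode!r}")


@dataclass(frozen=True)
class Packet:
    is_ip: bool
    vlan_priority: Optional[int] = None   # None: no VLAN tag, hence no priority info
    dscp: Optional[int] = None            # only meaningful for IP packets


def untrusted_traffic_class(port):
    """Value shown in the Untrusted traffic class column for this port."""
    return DOT1P_TO_CLASS[port.port_priority]


def traffic_class(port, pkt):
    """Traffic class (0..7) the device assigns to `pkt` received on `port`."""
    if port.trust_mode == "untrusted":
        # Priority information in the packet is ignored; Port priority decides.
        return untrusted_traffic_class(port)
    if port.trust_mode == "trustDot1p":
        # Tagged: the VLAN tag priority decides. Untagged: the device first writes
        # the Port priority into the packet, so that value is mapped instead.
        prio = pkt.vlan_priority if pkt.vlan_priority is not None else port.port_priority
        return DOT1P_TO_CLASS[prio]
    # trustIpDscp
    if pkt.is_ip:
        if pkt.dscp is None or not 0 <= pkt.dscp <= 63:
            raise ValueError("IP packet needs a DSCP value 0..63")
        return DSCP_TO_CLASS[pkt.dscp]
    # Non-IP packet: the Port priority decides, via the 802.1D/p mapping.
    return untrusted_traffic_class(port)


def tag_trusting_ports(ports):
    """Ports whose Trust mode honours priority information supplied by the sender;
    worth reviewing on edge ports where end devices could mark their own traffic."""
    return [p.port for p in ports if p.trust_mode != "untrusted"]


if __name__ == "__main__":
    edge = PortQos(1, port_priority=3, trust_mode="untrusted")
    uplink = PortQos(2, port_priority=0, trust_mode="trustDot1p")
    voice = PortQos(3, port_priority=2, trust_mode="trustIpDscp")
    print("tagged prio 5 on untrusted port ->", traffic_class(edge, Packet(True, 5, 46)))
    print("tagged prio 5 on trustDot1p port ->", traffic_class(uplink, Packet(True, 5, 46)))
    print("EF on trustIpDscp port ->", traffic_class(voice, Packet(True, 5, 46)))
    print("ports trusting sender marks:", tag_trusting_ports([edge, uplink, voice]))
```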
This dialog allows you to enable and disable the Strict priority function for the traffic classes. When
you disable the Strict priority function, the device processes the priority queues of the ports with
"Weighted Fair Queuing".
You also have the option of assigning a minimum bandwidth to every traffic class, which the device
uses to process the priority queues with "Weighted Fair Queuing".
Table
Parameters Meaning
Traffic class Displays the traffic class.
Strict priority Activates/deactivates the processing of the port priority queue with Strict priority for this
traffic class.
Possible values:
marked (default setting)
The processing of the port priority queue with Strict priority is active.
– The port sends data packets that are in the priority queue with the highest priority
exclusively. If this priority queue is empty, the port sends data packets that are in the priority
queue with the next lower priority.
– The port sends data packets with a lower traffic class after the priority queues with a higher
priority are empty. In unfavorable situations, the port never sends these data packets.
– If you select this setting for a traffic class, the device enables the function also for traffic
classes with a higher priority.
– Use this setting for applications such as VoIP or video that require the least possible delay.
unmarked
The processing of the port priority queue with Strict priority is inactive. The device uses
"Weighted Fair Queuing"/"Weighted Round Robin" (WRR) to process the port priority queue.
– The device assigns a minimum bandwidth to each traffic class.
– Even under a high network load the port transmits data packets with a low traffic class.
– If you select this setting for a traffic class, the device disables the function also for traffic
classes with a lower priority.
Min. bandwidth [%] Specifies the minimum bandwidth for this traffic class when the device is processing the priority
queues of the ports with "Weighted Fair Queuing".
Possible values:
0..100 (default setting: 0 = the device does not reserve any bandwidth for this traffic class)
The value specified in percent refers to the available bandwidth on the port. When you disable the
Strict priority function for every traffic class, the maximum bandwidth is available on the port
for the "Weighted Fair Queuing".
The maximum total of the assigned bandwidths is 100 %.
Max. bandwidth [%] Specifies the shaping rate at which a Traffic Class transmits packets (Queue Shaping).
Possible values:
0 (default setting)
The device does not reserve any bandwidth for this traffic class.
1..100
The device reserves the specified bandwidth for this traffic class. The specified value in
percent refers to the maximum available bandwidth on this port.
For example, using queue shaping allows you to limit the rate of a strict-high priority queue.
Limiting a strict-high priority queue allows the device to also process low-priority queues. To use
queue shaping, you set the maximum bandwidth for a particular queue.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
5.7.6 DiffServ
Differentiated Services (DiffServ) filters data packets in order to prioritize or limit the data stream.
– In a class, you specify the filter criteria.
– In a policy, you link the class with actions.
The device applies the actions of the policy to those data packets that meet the filter criteria of the
assigned class.
To configure DiffServ, perform the following steps:
Create a class with the filter criteria.
Create a policy.
Assign a class with the filter criteria to the policy.
Specify the actions of the policy.
Assign the policy to a port.
Activate the DiffServ function.
The device allows you to use the following per class and per instance configurations:
13 rules per class
28 instances per policy
3 attributes per instance
The menu contains the following dialogs:
DiffServ Overview
DiffServ Global
DiffServ Class
DiffServ Policy
DiffServ Assignment
Port
Parameters Meaning
Port Filters the table so that it displays only the entries relating to a specific port. Displaying the
table in this fashion makes it easier for you to sort the table as you desire.
Possible values:
All (default setting)
The table displays the entries for every port.
<Port number>
The table displays the entries that apply to the selected port.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Operation
Parameters Meaning
Operation Enables/disables the DiffServ function.
Possible values:
On
The DiffServ function is enabled.
The device processes traffic according to the DiffServ rules.
Off (default setting)
The DiffServ function is disabled.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
In this dialog, you specify the data packets to which the device applies the actions specified in the
Policy dialog. This assignment is called a class.
Only one class can be assigned to a policy. Each class can therefore contain multiple filter criteria.
Table
Parameters Meaning
Class name Specifies the name of the DiffServ class. The device allows you to change the class name directly
in the table.
Possible values:
Alphanumeric ASCII character string with 1..31 characters
Criteria Displays the specified criteria for this rule.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
Create
Parameters Meaning
Class name Specifies the name of the DiffServ class.
Possible values:
Alphanumeric ASCII character string with 1..31 characters
Type Specifies the type of class rule for matching; this determines the individual match conditions for
the present class rule.
Depending on which value you select, the visible parameters below change.
To match every packet regardless of content, select the value every.
Possible values:
cos (default setting)
dstip
dstl4port
dstmac
every
ipdscp
ipprecedence
iptos
protocol
refclass
srcip
srcl4port
srcmac
cos2
etype
vlanid
vlanid2
Parameters Meaning
Type = cos
COS Specifies the class of service as the match value for the class.
Possible values:
0..7 (default setting: 0)
Parameters Meaning
Type = dstip
Destination IP address Specifies the destination IP address as the match value for the class.
Possible values:
Valid IP address
Destination IP address mask Specifies the mask for the destination IP address.
Possible values:
Valid netmask
Parameters Meaning
Type = dstl4port
Destination port Specifies the destination Layer 4 port as the match value for the class.
Possible values:
Valid TCP or UDP port number
Parameters Meaning
Type = dstmac
Destination MAC address Specifies the destination MAC address as the match value for the class.
Possible values:
Valid MAC address
Parameters Meaning
Destination MAC address mask Specifies the mask for the destination MAC address.
Possible values:
Valid netmask
Parameters Meaning
Type = ipdscp
DSCP Specifies the IP DiffServ Code Point (DSCP) as the match value for the class.
Possible values:
0..63 (default setting: 0 (be/cs0))
Parameters Meaning
Type = ipprecedence
TOS priority Specifies the IP Precedence as the match value for the class. The precedence bits are the
high-order 3 bits of the Service Type octet in the IPv4 header.
Possible values:
0..7 (default setting: 0)
Parameters Meaning
Type = iptos
TOS mask Specifies the IP TOS bits and mask as the match value for the class. The TOS bits are the 8 bits
of the Service Type octet in the IPv4 header.
Possible values:
0x00..0xFF
Parameters Meaning
Type = protocol
Protocol number Specifies the internet protocol number as the match value for the class.
Possible values:
0..255
Some common values are listed here:
– 1
ICMP
– 2
IGMP
– 4
IPv4
– 6
TCP
– 17
UDP
– 255
A rule with this value matches every protocol in the list.
The IANA defined the “Assigned Internet Protocol Numbers” that you enter here. To find a list of the
assigned numbers, see http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.
Parameters Meaning
Type = refclass
Ref class Specifies the parent class as a corresponding reference class. This reference class uses the set
of match rules specified in the parent class as its match value.
Possible values:
<Name of the DiffServ Class>
Conditions:
The parent class to which you bind this rule and the reference class produce the same results
when the reference class refers solely to the parent class.
Any attempt to delete the parent class while it is still referenced by another class fails.
Any subsequent change to the parent class rules changes the reference class rules only when
the reference class uses the parent class as the match value.
Subsequent rules that you add to the parent class must be compatible with the rules existing in the
reference class.
Parameters Meaning
Type = srcip
Source IP address Specifies the source IP address as the match value for the class.
Possible values:
Valid IP address
Source IP address mask Specifies the mask for the source IP address.
Possible values:
Valid netmask
Parameters Meaning
Type = srcl4port
Source port Specifies the source Layer 4 port as the match value for the class.
Possible values:
Valid TCP or UDP port number
Parameters Meaning
Type = srcmac
Source MAC address Specifies the source MAC address as the match value for the class.
Possible values:
Valid MAC address and mask
Source MAC address mask Specifies the mask for the source MAC address.
Possible values:
Valid netmask
Parameters Meaning
Type = cos2
COS 2 Specifies a secondary class of service as the match value for the class.
Possible values:
0..7 (default setting: 0)
Parameters Meaning
Type = etype
Etype Specifies the Ethertype as the match value for the class.
Possible values:
custom (default setting)
You specify the Ethertype in the Etype value field.
appletalk
arp
ibmsna
ipv4
ipv6
ipx
mplsmcast
mplsucast
netbios
novell
pppoe
rarp
Etype value Specifies the user-defined Ethertype value.
The prerequisite is that in the Etype field you specify the value custom.
Possible values:
0x0600..0xFFFF
Parameters Meaning
Type = vlanid
VLAN ID Specifies the VLAN ID as the match value for the class.
Possible values:
1..4042
Parameters Meaning
Type = vlanid2
VLAN2 ID Specifies the secondary VLAN ID as the match value for the class.
Possible values:
1..4042
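The class model in this dialog, a named set of up to 13 match rules whose rule types include IP address plus mask, Layer 4 port, protocol number and a refclass rule that re-uses a parent class, is easiest to understand with an executable model. The following Python block is an added example, not Hirschmann code. The packet is a constructed dictionary keyed by the rule type names, the rule that a packet matches a class only when it satisfies every rule of that class is this example's assumption, and the refclass deletion rule follows the Conditions listed above.

```python
"""Model of a DiffServ class from the Class dialog: name validation, the
13-rules-per-class limit, per-type matching and refclass semantics.
Added example, not Hirschmann code; packets are constructed dicts whose keys
are the rule type names of the dialog (srcip, dstl4port, protocol, cos, ...).
"""
import ipaddress
from typing import Any, Dict, List

MAX_RULES_PER_CLASS = 13   # limit stated in the DiffServ introduction


def _mac_int(mac: str) -> int:
    """'00:80:63:12:34:56' -> int, so a MAC mask can be applied bitwise."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def _ip_masked(value: str, addr: str, mask: str) -> bool:
    v, a, m = (int(ipaddress.IPv4Address(x)) for x in (value, addr, mask))
    return v & m == a & m


class DiffServClass:
    """One row of the Class dialog: a class name plus its Criteria rules."""

    def __init__(self, name: str):
        if not (1 <= len(name) <= 31 and name.isascii() and name.isalnum()):
            raise ValueError("class name: alphanumeric ASCII, 1..31 characters")
        self.name = name
        self.rules: List[Dict[str, Any]] = []

    def add_rule(self, rule_type: str, **params: Any) -> "DiffServClass":
        if len(self.rules) >= MAX_RULES_PER_CLASS:
            raise ValueError(f"{self.name}: at most {MAX_RULES_PER_CLASS} rules per class")
        self.rules.append({"type": rule_type, **params})
        return self

    def matches(self, pkt: Dict[str, Any], registry: Dict[str, "DiffServClass"]) -> bool:
        # Assumption of this model: a packet matches the class only when it
        # satisfies every rule of the class.
        return all(self._rule_matches(r, pkt, registry) for r in self.rules)

    @staticmethod
    def _rule_matches(rule: Dict[str, Any], pkt: Dict[str, Any],
                      registry: Dict[str, "DiffServClass"]) -> bool:
        t = rule["type"]
        if t == "every":
            return True
        if t in ("cos", "cos2", "vlanid", "vlanid2", "ipdscp", "etype",
                 "srcl4port", "dstl4port"):
            return pkt.get(t) == rule["value"]
        if t == "protocol":          # 255 matches every protocol (manual)
            return rule["value"] == 255 or pkt.get("protocol") == rule["value"]
        if t in ("srcip", "dstip"):
            return t in pkt and _ip_masked(pkt[t], rule["addr"], rule["mask"])
        if t in ("srcmac", "dstmac"):
            m = _mac_int(rule["mask"])
            return t in pkt and _mac_int(pkt[t]) & m == _mac_int(rule["addr"]) & m
        if t == "refclass":          # re-use the parent class's rule set
            return registry[rule["value"]].matches(pkt, registry)
        raise ValueError(f"rule type {t!r} is not modelled here")


def delete_class(registry: Dict[str, DiffServClass], name: str) -> None:
    """Deleting a parent class that another class still references fails."""
    for other in registry.values():
        if any(r["type"] == "refclass" and r["value"] == name for r in other.rules):
            raise ValueError(f"{name} is still referenced by {other.name}")
    del registry[name]


def classify(pkt: Dict[str, Any], registry: Dict[str, DiffServClass]) -> List[str]:
    """Names of the classes the packet matches, in table order."""
    return [c.name for c in registry.values() if c.matches(pkt, registry)]


def build_registry() -> Dict[str, DiffServClass]:
    """Constructed example: SIP signalling from the phone subnet, plus a
    refclass that narrows it to frames already carrying CoS 5."""
    reg: Dict[str, DiffServClass] = {}
    sip = (DiffServClass("sipsignal")
           .add_rule("srcip", addr="10.1.0.0", mask="255.255.0.0")
           .add_rule("protocol", value=17)
           .add_rule("dstl4port", value=5060))
    reg[sip.name] = sip
    prio = (DiffServClass("sipprio")
            .add_rule("refclass", value="sipsignal")
            .add_rule("cos", value=5))
    reg[prio.name] = prio
    return reg


# Constructed sample packets (not captured traffic).
PKT_PHONE = {"srcip": "10.1.2.3", "dstip": "10.9.8.7", "protocol": 17,
             "srcl4port": 5060, "dstl4port": 5060, "cos": 5, "etype": 0x0800}
PKT_OTHER = dict(PKT_PHONE, srcip="192.168.1.1")
PKT_UNMARKED = dict(PKT_PHONE, cos=0)
```

With `build_registry()`, `classify(PKT_PHONE, ...)` returns both classes, the packet from outside the phone subnet matches neither, and the unmarked one matches only the parent class; `delete_class` refuses to remove `sipsignal` while `sipprio` references it, which is the behaviour the Conditions above describe.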
In this dialog, you specify which actions the device performs on data packets which fulfill the filter criteria
specified in the Class dialog. This assignment is called a policy.
Only one policy can be assigned to a port. Each policy may contain multiple actions.
Table
Parameters Meaning
Policy name Displays the name of the policy.
To change the value, click the relevant field.
Possible values:
Alphanumeric ASCII character string with 1..31 characters
Type Displays the data packets (receiving or sending) to which the device applies the policy.
Possible values:
in
The device applies the policy to data packets that it receives.
out
The device applies the policy to data packets that it sends.
Class name Displays the name of the class that is assigned to the policy.
The filter criteria are specified in the class.
Attribute Displays the action that the device performs on the data packets.
To change an existing action, select the affected row, click the button and then the
Modify attribute item.
To add additional actions to a policy, click the button.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
Modify attribute Specifies the action that the device performs on the data packets.
Create
In this dialog you create a new policy or add further actions to an existing policy.
Parameters Meaning
Policy name Specifies the name of the policy.
To create a new policy, add a new name.
To add more actions to an existing policy, select a name in the list.
Possible values:
Alphanumeric ASCII character string with 1..31 characters
Parameters Meaning
Direction Specifies the data packets (receiving or sending) to which the device applies the policy.
Possible values:
in (default setting)
The device applies the policy to data packets that it receives.
out
The device applies the policy to data packets that it sends.
Class name Assigns the class to the policy.
The filter criteria are specified in the class.
Type Specifies the policy type.
Depending on which value you select, the visible parameters below change.
Possible values:
markCosVal (default setting)
markIpDscpVal
markIpPrecedenceVal
policeSimple
policeTworate
assignQueue
drop
redirect
mirror
markCosAsSecCos
Parameters Meaning
Type = markCosVal Overwrites the priority field in the VLAN tag of the Ethernet packets:
– In the VLAN tag, the device overwrites the priority value with the value specified in the COS
parameter.
– With QinQ-tagged data packets, the device writes the value to the outer tag (C tag).
– With data packets without VLAN tags, the device adds a priority tag.
Can be combined with Type = redirect and mirror.
COS Specifies the priority value that the device writes to the priority field of the VLAN tag of the Ethernet
packets.
Possible values:
0..7
Parameters Meaning
Type = markIpDscpVal Overwrites the DS field of the IP packets.
The device writes the value specified in the DSCP parameter to the DS field. Subsequent devices
in the network to which the device forwards the IP packets prioritize the IP packets according to
this setting. To make this device itself prioritize the IP packets as well, also assign the IP packets
to the desired queue with Type = assignQueue.
Can be combined with Type = assignQueue, redirect and mirror.
DSCP Specifies the value that the device writes to the DS field of the IP packets.
Possible values:
0..63
Parameters Meaning
Type = markIpPrecedenceVal Overwrites the TOS field of the IP packets.
The device writes the value specified in the TOS priority parameter to the TOS field.
Can be combined with Type = assignQueue, redirect and mirror.
TOS priority Specifies the value that the device writes to the TOS field of the IP packets.
Possible values:
0..7
Parameters Meaning
Type = policeSimple Limits the classified data stream to the values specified in the Simple C rate and
Simple C burst fields:
– If the transfer rate and burst size of the data stream are below the specified values, the device
applies the action specified in the Conform action field.
– If the transfer rate and burst size of the data stream are above the specified values, the device
applies the action specified in the Non conform action field.
Can be combined with Type = assignQueue, redirect and mirror.
Simple C rate Specifies the committed rate in kbit/s.
Upper limit
Possible values:
1..4294967295
Simple C burst Specifies the committed burst size in kBytes.
Possible values:
0..128
Conform action, Non conform action In the Conform action field, you specify the action that the device
applies to the compliant data stream. Compliant means that the data stream is under the limits
specified in the parameters Simple C rate and Simple C burst.
In the Non conform action field, you specify the action that the device applies to the non-
compliant data stream. Non-compliant means that the data stream is over the limits specified in
the parameters Simple C rate and Simple C burst.
Possible values:
drop
Discards the data packets.
markDscp
Overwrites the DS field of the IP packets.
The device writes the value specified in the adjacent field [0..63] to the DS field.
markPrec
Overwrites the TOS field of the IP packets.
The device writes the value specified in the adjacent field [0..7] to the TOS field.
send
Sends the data packets.
markCos
Overwrites the priority field in the VLAN tag of the Ethernet packets:
– in the VLAN tag, the device overwrites the priority value in the COS parameter.
– With QinQ-tagged Ethernet packets, the device writes the value to the outer tag (C tag).
– With Ethernet packets without VLAN tags, the device adds a priority tag.
markCos2
With QinQ-tagged Ethernet packets, overwrites the priority field in the inner tag (S tag) with the
value specified in the adjacent field [0..7].
markCosAsSecCos
Overwrites the priority field in the outer tag (C tag) with the priority value of the inner tag (S tag).
Color conform class Specifies the class of the received data stream that the device designates as conform (green).
Possible values:
blind
The device operates in the color blind mode. The device designates the complete received data
stream as conform (green).
<Name of the DiffServ Class>
The device designates only this class of the received data stream as conform (green).
Only those classes are selectable for which a rule of the type cos, ipdscp, ipprec or cos2 is
specified in the Criteria column of the Switching > QoS/Priority > DiffServ > Class dialog.
The filter criteria of the class selected in the Class name drop-down list above and of the class
selected in this drop-down list must neither be identical nor exclude each other. Exclusion criteria
are:
– The filter criteria have the same rule type, for example cos and cos. Use classes with a
different rule type, for example cos and ipdscp.
– One of the classes references, with the rule type refclass, another class that conflicts with the
classes used.
Parameters Meaning
Type = policeTworate Limits the classified data stream to the values specified in the Two rate C rate,
Two rate C burst, Two rate P rate, and Two rate P burst fields.
– The device applies the Conform action action to the data stream if the transfer rate and burst
size are below Two rate C rate and Two rate C burst.
– The device applies the Exceed action action to the data stream if the transfer rate and burst
size are between Two rate C rate and Two rate P rate as well as Two rate C burst
and Two rate P burst.
– The device applies the Non conform action action to the data stream if the transfer rate and
burst size are above Two rate P rate and Two rate P burst.
Can be combined with Type = assignQueue, redirect and mirror.
Two rate C rate Specifies the committed rate in kbit/s.
Possible values:
1..4294967295
Two rate C burst Specifies the committed burst size in kBytes.
Possible values:
0..128
Two rate P rate Specifies the peak rate (max. allowable transfer rate of the data stream) in kbit/s.
Possible values:
1..4294967295
Two rate P burst Specifies the peak burst size (max. allowable burst size) in kBytes.
Possible values:
1..128
Conform action, Conform value In the Conform action field, you specify the action that the device applies
to the compliant data stream. Compliant means that transfer rate and burst size are below Two rate
C rate and Two rate C burst.
Exceed action, Exceed value In the Exceed action field, you specify the action that the device applies to
the data stream whose transfer rate and burst size are between Two rate C rate and Two rate P rate
as well as Two rate C burst and Two rate P burst.
Non conform action, Non conform value In the Non conform action field, you specify the action that the
device applies to the non-compliant data stream. Non-compliant means that the transfer rate and
burst size are above Two rate P rate and Two rate P burst.
Possible values:
drop
Discards the data packets.
markDscp
Overwrites the DS field of the IP packets.
The device writes the value specified in the adjacent field [0..63] to the DS field.
markPrec
Overwrites the TOS field of the IP packets.
The device writes the value specified in the adjacent field [0..7] to the TOS field.
send
Sends the data packets.
markCos
Overwrites the priority field in the VLAN tag of the Ethernet packets:
– in the VLAN tag, the device overwrites the priority value in the COS parameter.
– With QinQ-tagged Ethernet packets, the device writes the value to the outer tag (C tag).
– With Ethernet packets without VLAN tags, the device adds a priority tag.
markCos2
With QinQ-tagged Ethernet packets, overwrites the priority field in the inner tag (S tag) with the
value specified in the adjacent field [0..7].
markCosAsSecCos
Overwrites the priority field in the outer tag (C tag) with the priority value of the inner tag (S tag).
Parameters Meaning
Color conform class Specifies the class of the received data stream that the device designates as conform (green).
Possible values:
0 - blind
The device operates in the color blind mode. The device designates the complete received data
stream as conform (green).
<Name of the DiffServ Class>
The device designates only this class of the received data stream as conform (green).
Only those classes are selectable for which a rule of the type cos, ipdscp, ipprec or cos2 is
specified in the Criteria column of the Switching > QoS/Priority > DiffServ > Class dialog.
The filter criteria of the class selected in the Class name drop-down list above and of the class
selected in this drop-down list must neither be identical nor exclude each other. Exclusion criteria
are:
– The filter criteria have the same rule type, for example cos and cos. Use classes with a
different rule type, for example cos and ipdscp.
– One of the classes references, with the rule type refclass, another class that conflicts with the
classes used.
Parameters Meaning
Type = assignQueue Changes the priority queue into which the device adds the data packets.
The device enqueues the data packets into the priority queue with the ID specified in the Queue
ID parameter.
Apply this action exclusively to data packets that the device receives.
Can be combined with Type = drop , markCosVal and markCosAsSecCos .
Queue ID Specifies the ID of the priority queue into which the device adds the data packets. See the
Traffic class field and the Switching > QoS/Priority > 802.1D/p Mapping dialog.
Possible values:
0..7
Parameters Meaning
Type = drop Discards the data packets.
Can be combined with Type = mirror if mirror is set up first.
Parameters Meaning
Type = redirect The device forwards the received data stream to the port specified in the Redirection
interface field.
Apply this action exclusively to data packets that the device receives.
Can be combined with Type = markCosVal , markIpDscpVal , markIpPrecedenceVal ,
policeSimple , policeTworate , assignQueue and markCosAsSecCos .
Redirection interface Specifies the destination port.
Possible values:
<Port number>
Number of the destination port. The device forwards the data packets to this port.
Note: The destination port needs sufficient bandwidth to absorb the data stream. When the copied
data stream exceeds the bandwidth of the destination port, the device discards surplus data
packets on the destination port.
Parameters Meaning
Type = mirror The device copies the received data stream and also transfers it to the port specified in the
Mirror interface field.
Apply this action exclusively to data packets that the device receives.
Can be combined with Type = markCosVal , markIpDscpVal , markIpPrecedenceVal ,
policeSimple , policeTworate , assignQueue and markCosAsSecCos .
Parameters Meaning
Mirror interface Specifies the destination port.
Possible values:
<Port number>
Number of the destination port. The device copies the data packets to this port.
Note: The destination port needs sufficient bandwidth to absorb the data stream. When the copied
data stream exceeds the bandwidth of the destination port, the device discards surplus data
packets on the destination port.
Parameters Meaning
Type = markCosAsSecCos Overrides the priority field in the outer VLAN tag of the Ethernet packets with the
priority value of the inner VLAN tag.
Apply this action exclusively to data packets that the device receives.
Can be combined with Type = assignQueue, redirect and mirror.
Table
Parameters Meaning
Port Displays the port number.
Direction Displays the interface direction to which you assigned the policy.
Policy name Displays the name of the policy assigned to the interface.
Status Displays the port status.
Active Activates/deactivates the DiffServ parameters associated with this row.
Possible values:
marked
The device forwards traffic according to the specified DiffServ settings.
unmarked
The device forwards traffic without regarding the specified DiffServ settings.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
Create
Parameters Meaning
Port Specifies the port to which the table entry relates.
Possible values:
Available ports
Direction Specifies the direction in which the device applies the policy.
Possible values:
In (default setting)
Out
Policy Specifies the policy assigned to the port.
Possible values:
Available policies
5.8 VLAN
With VLAN (Virtual Local Area Network) you distribute the data traffic in the physical network to logical
subnetworks. This provides you with the following advantages:
High flexibility
– With VLAN you distribute the data traffic to logical networks in the existing infrastructure. Without
VLAN, it would be necessary to have additional devices and complicated cabling.
– With VLAN you specify network segments independently of the location of the individual end
devices.
Improved throughput
– In VLANs data packets can be transferred by priority.
If the priority is high, the device transfers the data traffic of a VLAN preferentially, for example for
time-critical applications such as VoIP phone calls.
– The network load is considerably reduced if data packets and Broadcasts are distributed in small
network segments instead of in the entire network.
Increased security
The distribution of the data traffic among individual logical networks makes unauthorized access
more difficult and strengthens the system against attacks such as MAC Flooding or MAC Spoofing.
The device supports packet-based “tagged” VLANs according to the IEEE 802.1Q standard. The VLAN
tagging in the data packet indicates the VLAN to which the data packet belongs.
The device transmits the tagged data packets of a VLAN exclusively via ports that are assigned to the
same VLAN. This reduces the network load.
The device learns the MAC addresses for every VLAN separately (independent VLAN learning).
The device prioritizes the received data stream in the following sequence:
Voice VLAN
MAC-based VLAN
IP subnet-based VLAN
Protocol-based VLAN
Port-based VLAN
The menu contains the following dialogs:
VLAN Global
VLAN Configuration
VLAN Port
VLAN Voice
MAC Based VLAN
Subnet Based VLAN
Protocol Based VLAN
This dialog allows you to view general VLAN parameters for the device.
Configuration
Parameters Meaning
Max. VLAN ID Highest ID assignable to a VLAN.
See the Switching > VLAN > Configuration dialog.
VLANs (max.) Displays the maximum number of VLANs possible.
See the Switching > VLAN > Configuration dialog.
VLANs Number of VLANs currently configured in the device.
See the Switching > VLAN > Configuration dialog.
The VLAN ID 1 is always present in the device.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Clear... Resets the VLAN settings of the device to the default setting.
Caution: You lose your connection to the device if you have changed the VLAN ID for the
management in the Basic Settings > Network dialog.
In this dialog, you manage the VLANs. To set up a VLAN, create a further row in the table. There you
specify for each port if it transmits data packets of the respective VLAN and if the data packets contain
a VLAN tag.
You distinguish between the following VLANs:
The user sets up static VLANs.
The device sets up dynamic VLANs automatically and removes them if the prerequisites cease to
apply.
For the following functions the device creates dynamic VLANs:
– MRP: If you assign the ring ports a non-existing VLAN, then the device creates this VLAN.
– MVRP: The device creates a VLAN based on the messages of neighboring devices.
Note: The settings are effective solely if the VLAN Unaware Mode is disabled. See the Switching >
Global dialog.
Table
Parameters Meaning
VLAN ID ID of the VLAN.
The device supports up to 512 VLANs simultaneously set up.
Possible values:
1..4042
Status Displays how the VLAN is set up.
Possible values:
other
VLAN 1
or
VLAN set up using the 802.1X Port Authentication function. See the Network
Security > 802.1X Port Authentication dialog.
permanent
VLAN set up by the user.
or
VLAN set up using the MRP function. See the Switching > L2-Redundancy > MRP dialog.
VLANs with this setting remain set up after a restart, if you save the changes in the non-volatile
memory.
dynamicMvrp
VLAN set up using the MVRP function. See the Switching > MRP-IEEE > MVRP dialog.
VLANs with this setting are write-protected. The device removes a VLAN from the table as
soon as the last port leaves the VLAN.
Creation time Displays the time of VLAN creation.
The field displays the time stamp for the operating time (system uptime).
Name Specifies the name of the VLAN.
Possible values:
Alphanumeric ASCII character string with 1..32 characters
Parameters Meaning
<Port number> Specifies if the respective port transmits data packets of the VLAN and if the data packets contain
a VLAN tag.
Possible values:
- (default setting)
The port is not a member of the VLAN and does not transmit data packets of the VLAN.
T = Tagged
The port is a member of the VLAN and transmits the data packets with a VLAN tag. You use
this setting for uplink ports, for example.
LT = Tagged Learned
The port is a member of the VLAN and transmits the data packets with a VLAN tag.
The device created the entry automatically based on the GVRP or MVRP function.
F = Forbidden
The port is not a member of the VLAN and does not transmit data packets of this VLAN.
Additionally, the device prevents the port from becoming a VLAN member through the MVRP
function.
U = Untagged (default setting for VLAN 1)
The port is a member of the VLAN and transmits the data packets without a VLAN tag. Use
this setting if the connected device does not evaluate any VLAN tags, for example on end
ports.
LU = Untagged Learned
The port is a member of the VLAN and transmits the data packets without a VLAN tag.
The device created the entry automatically based on the GVRP or MVRP function.
Note: Verify that the port on which the network management station is connected is a member of
the VLAN in which the device transmits the management data. In the default setting, the device
transmits the management data on VLAN 1. Otherwise, the connection to the device terminates
when you transfer the changes to the device. Management access to the device is then possible
exclusively using the CLI through the V.24 interface.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the VLAN ID field, you specify the ID of the VLAN.
In this dialog you specify how the device handles received data packets that have no VLAN tag, or
whose VLAN tag differs from the VLAN ID of the port.
This dialog allows you to assign a VLAN to the ports and thus specify the port VLAN ID.
Additionally, you also specify for each port how the device transmits data packets when the VLAN
Unaware mode is disabled if one of the following situations occurs:
The port receives data packets without a VLAN tagging.
The port receives data packets with VLAN priority information (VLAN ID 0, priority tagged).
The VLAN tagging of the data packet differs from the VLAN ID of the port.
Note: The settings are effective solely if the VLAN Unaware Mode is disabled. See the Switching >
Global dialog.
Table
Parameters Meaning
Port Displays the port number.
Port-VLAN ID Specifies the ID of the VLAN which the device assigns to data packets without a VLAN tag. The
prerequisite is that you specify the value admitAll in the Acceptable packet types column.
Possible values:
ID of a VLAN you set up (default setting: 1)
When you use the MRP function and you have not assigned a VLAN to the ring ports, you specify
the value 1 here for the ring ports. Otherwise, the device assigns the value to the ring ports
automatically.
Acceptable packet types Specifies whether the port transmits or discards received data packets without a VLAN tag.
Possible values:
admitAll (default setting)
The port accepts data packets both with and without a VLAN tag.
admitOnlyVlanTagged
The port accepts solely data packets tagged with a VLAN ID ≥ 1.
Ingress filtering Activates/deactivates the ingress filtering.
Possible values:
marked
The ingress filtering is active.
The device compares the VLAN ID in the data packet with the VLANs of which the device is a
member. See the Switching > VLAN > Configuration dialog. If the VLAN ID in the data
packet matches one of these VLANs, the port transmits the data packet. Otherwise, the device
discards the data packet.
unmarked (default setting)
The ingress filtering is inactive.
The device transmits received data packets without comparing the VLAN ID. Thus the port also
transmits data packets with a VLAN ID of which the port is not a member.
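The ingress decision described by the three columns above (Port-VLAN ID, Acceptable packet types, Ingress filtering), as an added example that is not part of the manual. Class and function names are illustrative, the port settings and frames are constructed, and applying the membership check to a frame classified into the Port-VLAN ID follows IEEE 802.1Q and is assumed here; the check for the management VLAN mirrors the note above.

```python
"""Ingress handling of the Switching > VLAN > Port dialog, as an added example
(not from the Hirschmann manual): Port-VLAN ID, Acceptable packet types and
Ingress filtering applied to constructed frames. Names are illustrative; the
membership check on a frame classified into the Port-VLAN ID follows IEEE 802.1Q
and is an assumption."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class PortVlanConfig:
    """One row of the table: the VLAN-related settings of a port."""
    pvid: int = 1                        # Port-VLAN ID (default setting: 1)
    acceptable: str = "admitAll"         # or "admitOnlyVlanTagged"
    ingress_filtering: bool = False      # unmarked is the default setting
    member_of: Set[int] = field(default_factory=lambda: {1})  # T or U membership


@dataclass
class Frame:
    """A received frame; tagged=True with vid 0 is a priority-tagged frame."""
    tagged: bool
    vid: int = 0
    priority: int = 0


def classify_ingress(port: PortVlanConfig, frame: Frame) -> Optional[int]:
    """Return the VLAN ID assigned to the frame, or None if the port discards it.

    Assumes the VLAN Unaware mode is disabled (Switching > Global dialog)."""
    if port.acceptable not in ("admitAll", "admitOnlyVlanTagged"):
        raise ValueError(f"unknown Acceptable packet types value {port.acceptable!r}")
    if not frame.tagged or frame.vid == 0:
        # Untagged or priority-tagged (VLAN ID 0): admitted only with admitAll,
        # and then assigned to the Port-VLAN ID.
        if port.acceptable == "admitOnlyVlanTagged":
            return None
        vid = port.pvid
    else:
        vid = frame.vid                  # tagged with a VLAN ID >= 1
    if port.ingress_filtering and vid not in port.member_of:
        return None                      # Ingress filtering marked: not a member, discard
    return vid                           # unmarked: forwarded even if not a member


def management_stays_reachable(port: PortVlanConfig, management_vid: int = 1) -> bool:
    """Check from the note above: the port of the management station must be a
    member of the VLAN carrying the management data (VLAN 1 in the default
    setting), otherwise the connection terminates when the change is applied."""
    return management_vid in port.member_of


def demo() -> dict:
    """Run constructed frames through two constructed port configurations."""
    default_port = PortVlanConfig()
    strict_port = PortVlanConfig(acceptable="admitOnlyVlanTagged",
                                 ingress_filtering=True, member_of={1, 20})
    untagged = Frame(tagged=False)
    prio_tagged = Frame(tagged=True, vid=0, priority=5)
    tagged_20 = Frame(tagged=True, vid=20)
    tagged_30 = Frame(tagged=True, vid=30)
    return {
        "default/untagged": classify_ingress(default_port, untagged),
        "default/prio": classify_ingress(default_port, prio_tagged),
        "default/vid30": classify_ingress(default_port, tagged_30),  # not filtered
        "strict/untagged": classify_ingress(strict_port, untagged),
        "strict/vid20": classify_ingress(strict_port, tagged_20),
        "strict/vid30": classify_ingress(strict_port, tagged_30),    # filtered
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} -> {'discard' if result is None else f'VLAN {result}'}")
```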
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Use the Voice VLAN feature to separate voice and data traffic on a port, by VLAN and/or priority. A
primary benefit of Voice VLAN is safeguarding the quality of voice traffic when data traffic on the port is
high.
The device detects VoIP phones using the Link Layer Discovery Protocol - Media Endpoint Discovery
(LLDP-MED). The device then adds the appropriate port to the member set of the configured Voice
VLAN. The member set is either tagged or untagged. Tagging depends on the Voice VLAN interface
mode (VLAN ID, Dot1p, None, Untagged).
Another benefit of the Voice VLAN feature is that the VoIP phone obtains VLAN ID or priority information
via LLDP-MED from the device. As a result, the VoIP phone sends voice data tagged as priority, or
untagged. This depends on the configured Voice VLAN Interface mode. You activate Voice VLAN on
the port which is connecting to the VoIP phone.
Operation
Parameters Meaning
Operation Enables/disables the voice VLAN function of the device globally.
Possible values:
On
Off (default setting)
Table
Parameters Meaning
Port Displays the port number.
Voice VLAN mode Specifies whether the port transmits or discards received data packets without a voice VLAN
tag or with voice VLAN priority information.
Possible values:
disabled (default setting)
Deactivates the voice VLAN function for this table entry.
none
Allows the IP telephone to use its own configuration for sending untagged voice traffic.
vlan/dot1p-priority
The port filters data packets of the voice VLAN using the vlan and dot1p priority tags.
untagged
The port filters data packets without a voice VLAN tag.
vlan
The port filters data packets of the voice VLAN using the vlan tag.
dot1p-priority
The port filters data packets of the voice VLAN using the dot1p priority tags. If you select this
value, additionally specify a proper value in the Priority column.
Data priority mode Specifies the trust mode for the data traffic on the particular port.
The device uses this mode for data traffic on the voice VLAN, when it detects a VoIP telephone
and a PC and when these devices use the same cable for transmitting and receiving data.
Possible values:
trust (default setting)
With this setting, the device processes the data traffic with normal priority if voice traffic is present on
the interface.
untrust
If voice traffic is present and the Voice VLAN mode is set to dot1p-priority, the data traffic
uses the priority 0. If the interface transmits data traffic exclusively, the data traffic uses the
normal priority.
Status Displays the status of the Voice VLAN on the port.
Possible values:
marked
The Voice VLAN is enabled.
unmarked
The Voice VLAN is disabled.
VLAN ID Specifies the ID of the VLAN to which the table entry applies.
To forward traffic to this VLAN ID using this filter, select in the Voice VLAN mode column the value
vlan.
Possible values:
0..4042
Priority Specifies the Voice VLAN Priority of the port. The prerequisite is that you specify in the Voice
VLAN mode column the value dot1p-priority .
Possible values:
0..7
none
Deactivates the Voice VLAN Priority of the port.
Bypass authentication Activates the Voice VLAN Authentication mode.
If you deactivate the function and set the value in the Voice VLAN mode column to dot1p-priority,
then voice devices require an authentication.
Possible values:
marked (default setting)
If you activated the function in the Network Security > 802.1X Port Authentication >
Global dialog, set the Port control parameter for this port to the multiClient value
before activating this function. You find the Port control parameter in the
Network Security > 802.1X Port Authentication > Global dialog.
unmarked
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
In a MAC-based VLAN, the device forwards traffic based on the source MAC address associated with
a VLAN. User-defined filters determine whether a packet belongs to a particular VLAN.
MAC-based VLANs specify the filtering criteria for untagged or priority-tagged packets exclusively.
Assign a port to a MAC-based VLAN for a specific source MAC address. The device then forwards
untagged packets received with the configured MAC address to the MAC-based VLAN ID. Other
untagged packets are subject to normal VLAN classification rules.
Table
Parameters Meaning
MAC address Displays the MAC address to which the table entry relates.
The device supports up to 256 simultaneous MAC-based VLAN assignments.
Possible values:
Valid MAC address
VLAN ID Displays the ID of the VLAN to which the table entry applies.
Possible values:
1..4042 (set up VLAN IDs)
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the MAC address field, you specify the MAC address.
In the VLAN ID field, you specify the ID of the VLAN.
In IP subnet-based VLANs, the device forwards traffic based on the source IP address and subnet mask
associated with the VLAN. User-defined filters determine whether a packet belongs to a particular
VLAN.
IP subnet-based VLANs specify the filtering criteria for untagged packets or priority tagged packets
exclusively. Assign a port to an IP subnet-based VLAN for a specific source address. The device then
forwards untagged packets received with the configured address to the IP subnet-based VLAN ID.
To configure an IP subnet based VLAN, specify an IP address, a subnet mask, and the corresponding
VLAN identifier. If multiple entries apply, the device uses the entry with the longest prefix first.
Table
Parameters Meaning
IP address Displays the IP address to which you assign the subnetwork based VLAN.
The device supports up to 128 simultaneous subnetwork based VLAN assignments.
Possible values:
Valid IP address
Netmask Displays the netmask to which you assign the subnetwork based VLAN.
Possible values:
Valid IP netmask
VLAN ID Displays the VLAN ID.
Possible values:
1..4042
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the IP address field, you specify the IP address.
In the Netmask field, you specify the netmask.
In the VLAN ID field, you specify the ID of the VLAN.
In a protocol-based VLAN, specified ports bridge traffic based on the L3 protocol (EtherType)
associated with the VLAN. User-defined packet filters determine whether a packet belongs to a
particular VLAN.
Protocol-based VLANs specify the filtering criteria for untagged packets exclusively. Assign a port to a
protocol-based VLAN for a specific protocol. The device then forwards untagged packets received with
the configured protocol to the protocol-based VLAN ID. The device assigns other untagged packets with
the port VLAN ID.
Table
Parameters Meaning
Group ID Displays the group identifier of the protocol-based VLAN entry.
The device supports up to 128 protocol-based VLAN associations simultaneously.
Possible values:
1..128
Name Specifies the group name of the protocol-based VLAN entry.
Possible values:
Alphanumeric ASCII character string with 1..16 characters
VLAN ID Specifies the ID of the VLAN.
Possible values:
1..4042
Port Specifies the ports that are assigned to the group.
Possible values:
<Port number>
Select the ports in the drop-down list.
Ethertype Specifies the Ethertype value assigned to the VLAN.
The Ethertype is a two-octet field in an Ethernet packet that indicates which protocol the payload
contains.
Possible values:
0x0600..0xFFFF
Ethertype as a hexadecimal number sequence
If you enter a decimal value, the device converts the value into a hexadecimal number
sequence when you click the Add button.
ip
Ethertype keyword for IPv4 (equivalent to 0x0800)
arp
Ethertype keyword for ARP (equivalent to 0x0806)
ipx
Ethertype keyword for IPX (equivalent to 0x8137)
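Classification of untagged packets by the three dialogs above (MAC-based, IP subnet-based with longest prefix first, and protocol-based VLANs), as an added example that is not part of the manual. The table limits, the Ethertype keywords and the VLAN ID range come from the dialogs; the lookup order MAC, then IP subnet, then protocol, then Port-VLAN ID, the class names and the sample entries are assumptions.

```python
"""Classification of untagged frames by MAC-based, IP subnet-based and protocol-based
VLANs, as an added example (not from the Hirschmann manual). The table limits
(256 / 128 / 128 entries), the Ethertype keywords and the VLAN ID range 1..4042 come
from the dialogs; the lookup order MAC -> IP subnet -> protocol -> Port-VLAN ID,
the class names and the sample entries are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_KEYWORDS = {"ip": 0x0800, "arp": 0x0806, "ipx": 0x8137}
MAX_VLAN_ID = 4042


def parse_ethertype(value: str) -> int:
    """Accept the keyword, hexadecimal (0x0800) or decimal (2048) form of the
    Ethertype column and return it as an integer in 0x0600..0xFFFF."""
    text = value.strip().lower()
    if text in ETHERTYPE_KEYWORDS:
        ethertype = ETHERTYPE_KEYWORDS[text]
    elif text.startswith("0x"):
        ethertype = int(text, 16)
    else:
        ethertype = int(text, 10)            # decimal, converted like the Add button does
    if not 0x0600 <= ethertype <= 0xFFFF:
        raise ValueError(f"Ethertype {ethertype:#06x} outside 0x0600..0xFFFF")
    return ethertype


def check_vlan_id(vid: int) -> int:
    if not 1 <= vid <= MAX_VLAN_ID:
        raise ValueError(f"VLAN ID {vid} outside 1..{MAX_VLAN_ID}")
    return vid


@dataclass
class ProtocolGroup:
    group_id: int            # 1..128
    name: str                # 1..16 alphanumeric ASCII characters
    vlan_id: int
    ports: Set[int]
    ethertype: int


class UntaggedClassifier:
    MAX_MAC, MAX_SUBNET, MAX_PROTOCOL = 256, 128, 128

    def __init__(self) -> None:
        self.mac_vlans: Dict[str, int] = {}
        self.subnet_vlans: List[Tuple[ipaddress.IPv4Network, int]] = []
        self.protocol_groups: Dict[int, ProtocolGroup] = {}

    def add_mac(self, mac: str, vid: int) -> None:
        key = mac.lower()
        if key not in self.mac_vlans and len(self.mac_vlans) >= self.MAX_MAC:
            raise OverflowError("MAC-based VLAN table is full (256 entries)")
        self.mac_vlans[key] = check_vlan_id(vid)

    def add_subnet(self, ip: str, netmask: str, vid: int) -> None:
        if len(self.subnet_vlans) >= self.MAX_SUBNET:
            raise OverflowError("IP subnet-based VLAN table is full (128 entries)")
        network = ipaddress.IPv4Network((ip, netmask), strict=False)
        self.subnet_vlans.append((network, check_vlan_id(vid)))

    def add_protocol(self, group_id: int, name: str, vid: int,
                     ports: Set[int], ethertype: str) -> None:
        if not 1 <= group_id <= self.MAX_PROTOCOL:
            raise ValueError("Group ID must be 1..128")
        if not (1 <= len(name) <= 16 and name.isascii() and name.isalnum()):
            raise ValueError("Name must be 1..16 alphanumeric ASCII characters")
        self.protocol_groups[group_id] = ProtocolGroup(
            group_id, name, check_vlan_id(vid), set(ports), parse_ethertype(ethertype))

    def classify(self, port: int, src_mac: str, ethertype: int,
                 src_ip: Optional[str] = None, pvid: int = 1) -> Tuple[int, str]:
        """Return (VLAN ID, rule that matched) for an untagged frame on `port`."""
        vid = self.mac_vlans.get(src_mac.lower())
        if vid is not None:
            return vid, "mac"
        if src_ip is not None and ethertype == ETHERTYPE_KEYWORDS["ip"]:
            address = ipaddress.IPv4Address(src_ip)
            matches = [(net.prefixlen, v) for net, v in self.subnet_vlans if address in net]
            if matches:
                return max(matches)[1], "subnet"   # longest prefix first
        for group in self.protocol_groups.values():
            if port in group.ports and group.ethertype == ethertype:
                return group.vlan_id, "protocol"
        return pvid, "pvid"                        # normal VLAN classification


def build_sample() -> UntaggedClassifier:
    """Constructed configuration with one entry per dialog."""
    clf = UntaggedClassifier()
    clf.add_mac("00:80:63:12:34:56", 100)
    clf.add_subnet("10.0.0.0", "255.0.0.0", 10)
    clf.add_subnet("10.1.0.0", "255.255.0.0", 11)
    clf.add_protocol(1, "legacyIPX", 200, {3, 4}, "ipx")
    clf.add_protocol(2, "arpOnly", 201, {5}, "2054")    # decimal form of 0x0806
    return clf
```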
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
5.9 L2-Redundancy
5.9.1 MRP
The Media Redundancy Protocol (MRP) is a protocol that allows you to set up high-availability, ring-
shaped network structures. An MRP ring with Hirschmann devices is made up of up to 100 devices that
support the MRP protocol according to IEC 62439.
The ring structure of an MRP ring changes back into a line structure if a section fails. The maximum
switching time can be configured.
The Ring Manager function of the device closes the ends of a backbone in a line structure to a redundant
ring.
Note: Spanning Tree and Ring Redundancy have an effect on each other. Deactivate the Spanning
Tree protocol for the ports connected to the MRP ring. See the Switching > L2-Redundancy >
Spanning Tree > Port dialog.
If you work with oversized Ethernet packets (the value in the MTU column for the port is > 1518, see the
Basic Settings > Port dialog), the switching time in reconfiguration of the MRP ring depends on the
following parameters:
Bandwidth of the ring line
Size of the Ethernet packets
Number of devices in the ring
Set the switching time sufficiently large to avoid delays in the MRP packets due to latencies in the
devices. You find the formula for calculating the switching time in IEC 62439-2, section 9.5.
Operation
Parameters Meaning
Operation Enables/disables the MRP function.
After you configured the parameters for the MRP ring, enable the function here.
Possible values:
On
The MRP function is enabled.
After you configured the devices in the MRP ring, the redundancy is active.
Off (default setting)
The MRP function is disabled.
Parameters Meaning
Port Specifies the number of the port that is operating as a ring port.
Possible values:
<Port number>
Number of the ring port
Parameters Meaning
Operation Displays the operating status of the ring port.
Possible values:
forwarding
The port is enabled, connection exists.
blocked
The port is blocked, connection exists.
disabled
The port is disabled.
not-connected
No connection exists.
Fixed backup Activates/deactivates the backup port function for the Ring port 2.
Note: The switch over to the primary port can exceed the maximum ring recovery time.
Possible values:
marked
The Ring port 2 backup function is active. If the ring is closed, the ring manager reverts
to the primary ring port.
unmarked (default setting)
The Ring port 2 backup function is inactive. If the ring is closed, the ring manager continues
to send data on the secondary ring port.
Configuration
Parameters Meaning
Ring manager Enables/disables the Ring manager function.
If there is one device at each end of the line, you activate this function.
Possible values:
On
The Ring manager function is enabled.
The device operates as a ring manager.
Off (default setting)
The Ring manager function is disabled.
The device operates as a ring client.
Advanced mode Activates/deactivates the advanced mode for fast switching times.
Possible values:
marked (default setting)
Advanced mode active.
MRP-capable Hirschmann devices support this mode.
unmarked
Advanced mode inactive.
Select this setting if another device in the ring does not support this mode.
Ring recovery Specifies the maximum switching time in milliseconds for reconfiguration of the ring. This setting
is effective if the device operates as a ring manager.
Possible values:
500ms
200ms (default setting)
Shorter switching times make greater demands on the response time of every individual device in
the ring. Use values lower than 500ms if the other devices in the ring also support this shorter
switching time.
If you are working with oversized Ethernet packets, the number of devices in the ring is limited.
Note that the switching time depends on several parameters. See the description above.
Parameters Meaning
VLAN ID Specifies the ID of the VLAN which you assign to the ring ports.
Possible values:
0 (default setting)
No VLAN assigned.
In the Switching > VLAN > Configuration dialog, assign the value U to the ring ports for
VLAN 1.
1..4042
VLAN assigned.
If you assign to the ring ports a non-existing VLAN, the device creates this VLAN. In the
Switching > VLAN > Configuration dialog, the device creates an entry in the table for the
VLAN and assigns the value T to the ring ports.
Information
Parameters Meaning
Information Displays messages for the redundancy configuration and the possible causes of errors.
The following messages are possible if the device operates as a ring client or a ring manager:
Redundancy available
The redundancy is set up. When a component of the ring is down, the redundant line takes
over its function.
Configuration error: Error on ringport link.
Error in the cabling of the ring ports.
The following messages are possible if the device operates as a ring manager:
Configuration error: Packets from another ring manager received.
Another device exists in the ring that operates as the ring manager.
Enable the Ring manager function only on one device in the ring.
Configuration error: Ring link is connected to wrong port.
A line in the ring is connected with a different port instead of with a ring port. The device only
receives test data packets on one ring port.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Delete ring configuration Disables the redundancy function and resets the settings in the dialog to the default setting.
The concept of HIPER ring redundancy enables the construction of high-availability, ring-shaped
networks. This device provides a HIPER ring client. This function allows you to extend an existing
HIPER ring or to replace a device already participating as a client in a HIPER ring.
A HIPER ring contains a Ring Manager (RM) which controls the ring. The RM sends watchdog packets
into the ring on both the primary and secondary ports. If the RM receives the watchdog packets on both
ports, then the primary port remains in the forwarding state and the secondary port remains in the
discarding state.
The device operates only in the ring client mode. This means that the device is able to recognize and
forward the watchdog packets on the ring ports and can also forward the change in link status to the RM,
for example as LinkDown and LinkUp packets.
The device only supports Fast Ethernet and Gigabit Ethernet ports as ring ports. Furthermore, the
device only supports HIPER ring in VLAN 1.
Note: Spanning Tree and Ring Redundancy have an effect on each other. Deactivate the Spanning
Tree protocol for the ports connected to the HIPER ring. See the Switching > L2-Redundancy >
Spanning Tree > Port dialog.
Note: Configure the devices of the HIPER ring individually. Before you connect the redundant link,
complete the configuration of every device of the HIPER ring. You thus avoid loops during the
configuration phase.
Operation
Parameters Meaning
Operation Enables/disables the HIPER Ring client.
Possible values:
On
The HIPER Ring client is enabled.
Off (default setting)
The HIPER Ring client is disabled.
Parameters Meaning
Port Specifies the port number of the primary/secondary ring port.
Possible values:
- (default setting)
No primary/secondary ring port selected.
<Port number>
Number of the ring port
Parameters Meaning
State Displays the state of the primary/secondary ring port.
Possible values:
not-available
The HIPER Ring client is disabled.
or
No primary or secondary ring port selected.
active
The ring port is enabled and logically up.
The primary ring port forwards data packets from the ring to the secondary ring port.
inactive
The ring port is logically down.
As soon as the link goes down on a ring port, the device sends a LinkDown packet to the Ring
Manager on the other ring port.
Information
Parameters Meaning
Mode Displays that the device is able to operate in the ring client mode.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
The Spanning Tree Protocol (STP) is a protocol that deactivates redundant paths of a network in order
to avoid loops. If a network component fails on the path, the device calculates the new topology and
reactivates these paths.
The Rapid Spanning Tree Protocol enables fast switching to a newly calculated topology without
interrupting existing connections. RSTP achieves average reconfiguration times of less than a second.
When you use RSTP in a ring with 10 to 20 devices, you can achieve reconfiguration times in the order
of milliseconds.
The device supports the Multiple Spanning Tree Protocol (MSTP) standardized in IEEE 802.1, which is
a further development of the Spanning Tree Protocol (STP).
Note: If you connect the device to the network through twisted pair SFPs instead of through usual
twisted pair ports, the reconfiguration of the network takes slightly longer.
The menu contains the following dialogs:
Spanning Tree Global
Spanning Tree MSTP
Spanning Tree Port
In this dialog, you enable/disable the Spanning Tree function and specify the bridge settings.
Operation
Parameters Meaning
Operation Enables/disables the Spanning Tree function on the device.
Possible values:
On (default setting)
Off
The device behaves transparently. The device floods received Spanning Tree data packets
like multicast data packets to the ports.
Variant
Parameters Meaning
Variant Specifies the protocol used for the Spanning Tree function:
Possible values:
rstp (default setting)
The protocol RSTP is active.
With RSTP (IEEE 802.1Q-2005), the Spanning Tree function is effective in every VLAN that
is set up.
mstp
The protocol MSTP is active.
To avoid longer recovery times, specify the maximum value 40 in the Tx holds field.
Traps
Parameters Meaning
Send trap Activates/deactivates the sending of SNMP traps in case of one of the following events:
– Another bridge takes over the root bridge role.
– The topology changes. A port changes its Port state from forwarding into discarding or
from discarding into forwarding .
Possible values:
marked
The sending of SNMP traps is active.
unmarked (default setting)
The sending of SNMP traps is inactive.
Parameters Meaning
Active Activates/deactivates the Ring only mode, preventing the device from verifying the age of the BPDUs.
Possible values:
marked
The Ring only mode is active. Use this setting for applications with RSTP rings with diameters
greater than 40.
unmarked (default setting)
The Ring only mode is inactive.
First port Specifies the port number of the first interface.
Possible values:
<Port number> (default setting: -)
Second port Specifies the port number of the second interface.
Possible values:
<Port number> (default setting: -)
Bridge configuration
Parameters Meaning
Bridge ID Displays the bridge ID of the device.
The device with the numerically lowest bridge ID takes over the role of the root bridge in the
network.
Possible values:
<Bridge priority> / <MAC address>
Value in the Priority field / MAC address of the device
Priority Specifies the bridge priority of the device.
Possible values:
0..61440 in steps of 4096 (default setting: 32768)
Assign the lowest numeric priority in the network to the device to make it the root bridge.
Hello time [s] Specifies the time in seconds between the sending of two configuration messages (Hello data
packets).
Possible values:
1..2 (default setting: 2)
If the device takes over the role of the root bridge, the other devices in the network use the value
specified here.
Otherwise, the device uses the value specified by the root bridge. See the Root information
frame.
Due to the interaction with the Tx holds parameter, we recommend not changing the default
setting.
Forward delay [s] Specifies the delay time for the status change in seconds.
Possible values:
4..30 (default setting: 15)
If the device takes over the role of the root bridge, the other devices in the network use the value
specified here.
Otherwise, the device uses the value specified by the root bridge. See the Root information
frame.
In the RSTP protocol, the bridges negotiate a status change without a specified delay.
The Spanning Tree protocol uses the parameter to delay the status change between the statuses
disabled , discarding , learning , forwarding .
The parameters Forward delay [s] and Max age have the following relationship:
Forward delay [s] ≥ (Max age / 2) + 1
If you enter values in the fields that contradict this relationship, the device replaces these values with the last valid
values or with the default value.
Max age Specifies the maximum permissible branch length, for example the number of devices to the root
bridge.
Possible values:
6..40 (default setting: 20)
If the device takes over the role of the root bridge, the other devices in the network use the value
specified here.
Otherwise, the device uses the value specified by the root bridge. See the Root information
frame.
The Spanning Tree protocol uses the parameter to specify the validity of STP-BPDUs in
seconds.
Tx holds Limits the maximum transmission rate for sending BPDUs.
Possible values:
1..40 (default setting: 10)
To avoid longer recovery times when using the MSTP protocol, set the maximum value to 40.
When the device sends a BPDU, it increments a counter on this port.
When the counter reaches the value specified here, the port stops sending BPDUs. On the one
hand, this reduces the load generated by RSTP, and on the other a loop may be caused when the
device stops receiving BPDUs.
The device decrements the counter by 1 every second. In the following second, the device sends
a maximum of 1 new BPDU.
BPDU guard Activates/deactivates the BPDU Guard function on the device.
With this function, the device helps protect your network from incorrect configurations, attacks with
STP-BPDUs, and undesired topology changes.
Possible values:
marked
The BPDU guard is active.
– The device applies the function to manually specified edge ports. For these ports, in the
Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab the checkbox
in the Admin edge port column is marked.
– If an edge port receives an STP-BPDU, the device disables the port. For this port, in the
Basic Settings > Port dialog, Configuration tab the checkbox in the Port on column
is unmarked.
unmarked (default setting)
The BPDU guard is inactive.
To reset the status of the port to the value forwarding, you proceed as follows:
If the port is still receiving BPDUs:
– In the Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab unmark
the checkbox in the Admin edge port column.
or
– In the Switching > L2-Redundancy > Spanning Tree > Global dialog, unmark the
BPDU guard checkbox.
To re-enable the port, you use the Auto-Disable function. Alternatively, proceed as
follows:
– Open the Basic Settings > Port dialog, Configuration tab.
– Mark the checkbox in the Port on column.
BPDU filter (all admin edge ports) Activates/deactivates the filtering of STP-BPDUs on every manually specified edge port. For these
ports, in the Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab the
checkbox in the Admin edge port column is marked.
Possible values:
marked
The BPDU filter is active on every edge port.
The function excludes these ports from Spanning Tree operations.
– The device does not send STP-BPDUs on these ports.
– The device drops any STP-BPDUs received on these ports.
unmarked (default setting)
The global BPDU filter is inactive.
You have the option to explicitly activate the BPDU filter for single ports. See the Port BPDU
filter column in the Switching > L2-Redundancy > Spanning Tree > Port dialog.
Auto-disable Activates/deactivates the Auto-Disable function for the parameters that BPDU guard is
monitoring on the port.
Possible values:
marked
The Auto-Disable function for the BPDU guard is active.
– The device disables an edge port when the port receives an STP-BPDU. The “Link status”
LED for the port flashes 3× per period.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently
disabled due to the parameters being exceeded.
– The Auto-Disable function reactivates the port automatically. For this you go to the
Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the
relevant port in the Reset timer [s] column.
unmarked (default setting)
The Auto-Disable function for the BPDU guard is inactive.
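The checks behind the Bridge configuration frame (Priority in steps of 4096, the timer ranges and the relation Forward delay [s] ≥ (Max age / 2) + 1, the bridge ID made of priority and MAC address, and the Tx holds counter), as an added example that is not part of the manual. The sample bridges and timer values are constructed, and comparing the priority before the MAC address when looking for the numerically lowest bridge ID follows IEEE 802.1D and is assumed.

```python
"""Bridge configuration checks for the Spanning Tree Global dialog, as an added example
(not from the Hirschmann manual): Priority steps, timer ranges, the relation
Forward delay [s] >= (Max age / 2) + 1, bridge ID composition with root election and the
Tx holds counter. Sample bridges are constructed; comparing the priority before the MAC
address for the numerically lowest bridge ID follows IEEE 802.1D and is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULTS: Dict[str, int] = {"hello": 2, "forward_delay": 15, "max_age": 20, "tx_holds": 10}
RANGES: Dict[str, Tuple[int, int]] = {
    "hello": (1, 2), "forward_delay": (4, 30), "max_age": (6, 40), "tx_holds": (1, 40)}


def timers_consistent(forward_delay: int, max_age: int) -> bool:
    """Forward delay [s] >= (Max age / 2) + 1, as required by the dialog."""
    return forward_delay >= max_age / 2 + 1


def apply_timers(current: Dict[str, int], requested: Dict[str, int]) -> Dict[str, int]:
    """Apply requested values as the dialog describes: values outside the allowed
    range are ignored, and a contradictory Forward delay/Max age pair is replaced
    by the last valid pair (assumed to be the values in `current`)."""
    result = dict(current)
    for name, value in requested.items():
        low, high = RANGES[name]
        if low <= value <= high:
            result[name] = value
    if not timers_consistent(result["forward_delay"], result["max_age"]):
        result["forward_delay"] = current["forward_delay"]
        result["max_age"] = current["max_age"]
    return result


def priority_is_valid(priority: int) -> bool:
    """Bridge priority: 0..61440 in steps of 4096 (default setting: 32768)."""
    return 0 <= priority <= 61440 and priority % 4096 == 0


@dataclass(order=True, frozen=True)
class BridgeId:
    """<Bridge priority> / <MAC address>; sorting yields the numerically lowest ID."""
    priority: int
    mac: int

    @classmethod
    def build(cls, priority: int, mac_text: str) -> "BridgeId":
        if not priority_is_valid(priority):
            raise ValueError(f"priority {priority} is not a multiple of 4096 in 0..61440")
        return cls(priority, int(mac_text.replace(":", ""), 16))

    def __str__(self) -> str:
        mac = f"{self.mac:012x}"
        return f"{self.priority} / " + ":".join(mac[i:i + 2] for i in range(0, 12, 2))


def elect_root(bridges: List[BridgeId]) -> BridgeId:
    """The device with the numerically lowest bridge ID takes over the root bridge role."""
    return min(bridges)


class TxHoldCounter:
    """BPDU transmit limit of one port: the counter goes up per BPDU sent, sending
    stops when it reaches Tx holds, and it is decremented by 1 every second."""

    def __init__(self, tx_holds: int = DEFAULTS["tx_holds"]) -> None:
        low, high = RANGES["tx_holds"]
        if not low <= tx_holds <= high:
            raise ValueError("Tx holds must be 1..40")
        self.tx_holds = tx_holds
        self.counter = 0

    def try_send(self) -> bool:
        if self.counter >= self.tx_holds:
            return False                      # the port stops sending BPDUs
        self.counter += 1
        return True

    def tick_second(self) -> None:
        self.counter = max(0, self.counter - 1)


if __name__ == "__main__":
    bridges = [BridgeId.build(32768, "00:80:63:00:00:01"),
               BridgeId.build(4096, "00:80:63:ff:ff:ff")]
    print("root bridge:", elect_root(bridges))
    print("Max age 40 with default Forward delay:", apply_timers(DEFAULTS, {"max_age": 40}))
```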
Root information
Parameters Meaning
Bridge ID Displays the bridge ID of the current root bridge.
Possible values:
<Bridge priority> / <MAC address>
Priority Displays the bridge priority of the current root bridge.
Possible values:
0..61440 in steps of 4096
Hello time [s] Displays the time in seconds specified by the root bridge between the sending of two configuration
messages (Hello data packets).
Possible values:
1..2
The device uses this specified value. See the Bridge configuration frame.
Forward delay [s] Specifies the delay time in seconds set up by the root bridge for status changes.
Possible values:
4..30
The device uses this specified value. See the Bridge configuration frame.
In the RSTP protocol, the bridges negotiate a status change without a specified delay.
The Spanning Tree protocol uses the parameter to delay the status change between the statuses
disabled , discarding , learning , forwarding .
Max age Specifies the maximum permissible branch length set up by the root bridge, for example the
number of devices to the root bridge.
Possible values:
6..40 (default setting: 20)
The Spanning Tree protocol uses the parameter to specify the validity of STP-BPDUs in
seconds.
Topology information
Parameters Meaning
Bridge is root Displays whether the device currently has the role of the root bridge.
Possible values:
marked
The device currently has the role of the root bridge.
unmarked
Another device currently has the role of the root bridge.
Root port Displays the number of the port from which the current path leads to the root bridge.
If the device takes over the role of the root bridge, the field displays the value 0.
Root path cost Specifies the path cost for the path that leads from the root port of the device to the root bridge of
the layer 2 network.
Possible values:
0..200000000
If the value 0 is specified, the device takes over the role of the root bridge.
Topology changes Displays how many times the device has put a port into the forwarding status via Spanning Tree
since it was started.
Time since topology change Displays the time since the last topology change.
Possible values:
<days, hours:minutes:seconds>
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
In this dialog you manage the settings of the global and local MST instances.
In contrast to the local MST instances, the global MST instance is configured permanently in the device.
The global MST instance contains the VLANs that are not explicitly allocated to a local MST instance.
The device supports up to 16 local MST instances. To create a local instance, click the button.
While STP has a single Spanning Tree spanning the network, MSTP allows you to set up one Spanning
Tree per VLAN or group of VLANs. Thus it is possible to specify several smaller Spanning Trees
covering one network.
How to avoid longer convergence times:
Only use devices in the network that support RSTP or MSTP.
Adjust the following parameters to the topology and number of bridges:
– Maximum allowed number of devices to the root bridge
Switching > L2-Redundancy > Spanning Tree > Global dialog, Max age field
– Maximum allowed number of bridges within the MST region in a branch to the root bridge
Switching > L2-Redundancy > Spanning Tree > MSTP dialog, Global CIST parameter
frame, Hops (max.) field
For bridges in an MST region, specify identical values for the following parameters:
Name of the MST region
Revision level of the MST region
Allocation of the VLANs to the MST instances
– Include ports connecting the bridges of an MST region as tagged members in the VLANs set up
on the bridges. You thus avoid potential connection breaks within the MST region when the
topology is changed.
– Include ports connecting an MST region with other MST regions or with the CST region (boundary
ports) as tagged members in the VLANs set up in both regions. You thus avoid potential
connection breaks when topology changes affecting the boundary ports are made.
Parameters Meaning
Name Specifies the name of the MST region to which the device belongs.
Possible values:
Alphanumeric ASCII character string with 1..32 characters
Revision level Specifies the version number of the MST region to which the device belongs.
Possible values:
0..65535 (default setting: 1)
Checksum Displays the MD5 checksum of the MST configuration.
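The three values that must match for bridges of one MST region (Name, Revision level, allocation of the VLANs to the instances), checked offline as an added example that is not part of the manual. It reproduces the IEEE 802.1Q MST Configuration Digest (HMAC-MD5 over the 4096-entry VLAN-to-instance table with the key fixed by the standard) behind the Checksum field; the region names and VLAN mappings are constructed.

```python
"""MST region consistency check, as an added example (not from the Hirschmann manual).
The Checksum field shows the MD5 checksum of the MST configuration; this code reproduces
the IEEE 802.1Q MST Configuration Digest (HMAC-MD5 over the 4096-entry VLAN-to-instance
table with the key fixed by the standard) so that the region name, revision level and
VLAN allocation of two devices can be compared before they are connected. The region
names and VLAN mappings used here are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Key defined by IEEE 802.1Q (originally 802.1s) for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
MAX_LOCAL_INSTANCES = 16          # the device supports up to 16 local MST instances
MAX_VLAN_ID = 4042


@dataclass
class MstRegionConfig:
    name: str                     # Name: 1..32 alphanumeric ASCII characters
    revision: int                 # Revision level: 0..65535 (default setting: 1)
    # VLAN ID -> local MSTI (1..16); VLANs not listed stay in the global instance (0)
    vlan_to_msti: Dict[int, int] = field(default_factory=dict)

    def validate(self) -> None:
        if not (1 <= len(self.name) <= 32 and self.name.isascii() and self.name.isalnum()):
            raise ValueError("Name must be 1..32 alphanumeric ASCII characters")
        if not 0 <= self.revision <= 65535:
            raise ValueError("Revision level must be 0..65535")
        for vid, msti in self.vlan_to_msti.items():
            if not 1 <= vid <= MAX_VLAN_ID:
                raise ValueError(f"VLAN ID {vid} outside 1..{MAX_VLAN_ID}")
            if not 0 <= msti <= MAX_LOCAL_INSTANCES:
                raise ValueError(f"MSTI {msti} outside 0..{MAX_LOCAL_INSTANCES}")

    def digest(self) -> str:
        """Hex digest over one big-endian 16-bit entry per VID 0..4095."""
        self.validate()
        table = bytearray(4096 * 2)
        for vid, msti in self.vlan_to_msti.items():
            table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
        return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()

    def identifier(self) -> Tuple[str, int, str]:
        """The three values that must be identical for bridges of one MST region."""
        return (self.name, self.revision, self.digest())


def same_region(a: MstRegionConfig, b: MstRegionConfig) -> bool:
    return a.identifier() == b.identifier()


def region_mismatches(a: MstRegionConfig, b: MstRegionConfig) -> List[str]:
    """Name the settings that keep the two devices from forming one region."""
    labels = ("Name", "Revision level", "Allocation of the VLANs to the MST instances")
    return [label for label, x, y in zip(labels, a.identifier(), b.identifier()) if x != y]


if __name__ == "__main__":
    plant_a = MstRegionConfig("PLANT1", 1, {10: 1, 20: 1, 30: 2})
    plant_b = MstRegionConfig("PLANT1", 1, {10: 1, 20: 2, 30: 2})
    print("digest A:", plant_a.digest())
    print("mismatches:", region_mismatches(plant_a, plant_b))
```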
Parameters Meaning
Hops (max.) Specifies the maximum number of bridges within the MST region in a branch to the root bridge.
Possible values:
6..40 (default setting: 20)
Parameters Meaning
Attached VLANs Displays the IDs of the VLANs that are assigned only to the global MST instance and to no other
local MST instance.
Possible values:
ID of the statically configured VLANs
(default setting: 1)
Bridge ID Displays the bridge ID of the device.
Possible values:
<Bridge priority> / <MAC address>
The value is made up as follows:
– Value in the Priority field. See the Switching > L2-Redundancy > Spanning Tree >
Global dialog, Bridge configuration frame.
– MAC address of the device.
Root ID Displays the bridge ID of the current CIST root bridge of the whole Layer 2 network.
Possible values:
<Bridge priority> / <MAC address>
The device with the numerically lowest bridge ID takes over the role of the CIST root bridge in the
network. The following devices are able to take over the role of the root bridge:
Bridges not belonging to any MST region
Bridges belonging to the global instance of an MST region
In the whole Layer 2 network, the bridges use the time settings of the CIST root bridge, for
example Hello time [s] .
Regional root ID Displays the Bridge ID of the current root bridge that belongs to the global instance of the MST
region to which this device belongs.
Possible values:
<Bridge priority> / <MAC address>
The values in the Regional root ID and Root ID fields are identical when the regional root
bridge has the lowest bridge ID in the whole Layer 2 network.
Root port Displays the port of the device from which the path leads to the current CIST root bridge of the
whole Layer 2 network.
Possible values:
no Port
The device currently has the role of the root bridge.
<Port number>
The path to the current CIST root bridge of the whole Layer 2 network leads over this port.
Root path cost Displays the path cost for the path that leads from the regional root bridge of the MST region to
the current CIST root bridge of the whole Layer 2 network.
Possible values:
0..200000000
If the value 0 is specified, the regional root bridge simultaneously has the role of the CIST root
bridge.
For the devices within an MST region, the Root path cost values are identical.
If you do not use MSTP, the Root path cost values are identical to the root path costs of
Spanning Tree or Rapid Spanning Tree. In this case, every device considers itself as an own
region.
Internal root path Displays the internal path cost for the path that leads from the root port of the device to the current
cost regional root bridge of the MST region.
Possible values:
0..200000000
If the value 0 is specified, the local bridge simultaneously has the role of the current regional
root bridge.
Table
Parameters Meaning
MSTI Displays the instance number of the local MST instance.
Attached VLANs Displays the IDs of the VLANs that are allocated to this local MST instance.
Priority Specifies the bridge priority of the local MST instance.
Possible values:
0..61440 in steps of 4096 (default setting: 32768)
Assign the lowest numeric priority in this local MST instance to the device to make it the root
bridge.
Bridge ID Displays the bridge ID.
The device with the numerically lowest bridge ID takes over the role of the MSTI (regional) root
bridge in the instance.
Possible values:
<Bridge priority + Number of the instance> / <MAC address>
Sum of the value in the fields Priority and MSTI / MAC address of the device
Time since topology Displays the time that has elapsed since the last topology change within this instance.
change
Topology changes Displays how many times the device has put a port into the forwarding state using Spanning
Tree since the instance was started.
Topology change Displays whether the device has detected a topology change within the instance.
Possible values:
true
The device has detected a topology change.
false
The device has not detected a topology change.
Root ID Displays the bridge ID of the current root bridge in this instance.
Possible values:
<Bridge priority + Number of the instance> / <MAC address>, in the same format as the Bridge ID field
Root path cost Displays the path cost for the path that leads from the root port of the device to the root bridge of
the instance.
Possible values:
0..200000000
If the value 0 is specified, the bridge is simultaneously the root bridge of the instance.
Root port Displays the port of the device from which the current path leads to the root bridge of the instance.
Possible values:
no Port
The device currently has the role of the root bridge.
<Port number>
The path to the current root bridge of the instance leads over this port.
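The Bridge ID, Priority and Root ID fields above follow one rule: the first 16 bits of the identifier are the Priority plus the instance number (0 for the CIST), the remaining 48 bits are the MAC address, and the numerically lowest identifier wins the root election. The following added example (not Hirschmann code) builds identifiers in that format, renders them the way the GUI does, and runs the election over a constructed inventory; the MAC addresses and bridge names are made up. The last scenario shows why the election alone is not a protection: any device announcing priority 0 becomes root, which is what the Root guard function in the Guards tab is for.

```python
"""Bridge ID construction and root election as described in the MSTP dialog.
Added example, not Hirschmann code. Layout per IEEE 802.1Q:
  4 bits priority (configured value / 4096)
| 12 bits system ID extension (MST instance number, 0 for the CIST)
| 48 bits bridge MAC address
The GUI prints the upper 16 bits as one decimal number, i.e. Priority + MSTI."""

PRIORITY_STEP = 4096
PRIORITY_MAX = 61440
MSTI_MAX = 4094            # 12-bit field; the device itself offers 16 local instances


def check_priority(priority: int) -> int:
    """Enforce the GUI rule: 0..61440 in steps of 4096."""
    if not 0 <= priority <= PRIORITY_MAX or priority % PRIORITY_STEP:
        raise ValueError(f"priority must be 0..{PRIORITY_MAX} in steps of {PRIORITY_STEP}")
    return priority


def mac_to_int(mac: str) -> int:
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address {mac!r}")
    return int("".join(parts), 16)


def bridge_id(priority: int, mac: str, msti: int = 0) -> int:
    """64-bit bridge identifier for one instance (msti 0 = CIST / global instance)."""
    check_priority(priority)
    if not 0 <= msti <= MSTI_MAX:
        raise ValueError("MSTI out of range")
    return ((priority + msti) << 48) | mac_to_int(mac)


def format_bridge_id(bid: int) -> str:
    """Render as the dialog does: '<Priority + MSTI> / <MAC address>'."""
    prio_ext = bid >> 48
    mac = bid & ((1 << 48) - 1)
    mac_str = ":".join(f"{(mac >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))
    return f"{prio_ext} / {mac_str}"


def elect_root(bridges: dict, msti: int = 0) -> str:
    """Name of the bridge with the numerically lowest bridge ID in the instance.
    bridges maps a name to (Priority, MAC). Equal priorities are decided by the MAC."""
    return min(bridges, key=lambda n: bridge_id(bridges[n][0], bridges[n][1], msti))


# Constructed inventory (not from the manual): name -> (Priority, MAC address)
SAMPLE_BRIDGES = {
    "core-1": (4096, "02:00:00:00:00:01"),
    "core-2": (8192, "02:00:00:00:00:02"),
    "access-1": (32768, "02:00:00:00:00:0a"),
    "access-2": (32768, "02:00:00:00:00:0b"),
}

if __name__ == "__main__":
    for name, (prio, mac) in SAMPLE_BRIDGES.items():
        print(f"{name:9s} CIST {format_bridge_id(bridge_id(prio, mac))}"
              f"  MSTI 2 {format_bridge_id(bridge_id(prio, mac, 2))}")
    print("CIST root:", elect_root(SAMPLE_BRIDGES))
    # A device plugged in with priority 0 wins the election outright.
    with_rogue = dict(SAMPLE_BRIDGES, rogue=(0, "02:00:00:00:00:ff"))
    print("CIST root after rogue joins:", elect_root(with_rogue))
```

The election result for a given instance depends only on the identifiers, not on cabling, so a lower-priority device on an access port takes the root role unless the access port discards superior BPDUs (Root guard) or is an edge port with BPDU Guard.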
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Adds a new table entry.
The device supports up to 16 local instances.
Displays a sub menu with the following items.
Configure VLANs Opens the Configure VLANs dialog to allocate VLANs to the local MST instance which is
highlighted in the table.
In this dialog, you activate the Spanning Tree function on the ports, specify edge ports, and specify the
settings for various protection functions.
[CIST ]
In this tab, you have the option to activate the Spanning Tree function on the ports individually, specify
the settings for edge ports, and view the current values. The abbreviation CIST stands for Common and
Internal Spanning Tree.
Note: Deactivate the Spanning Tree function on the ports that are participating in other Layer 2
redundancy protocols. Otherwise the redundancy protocols may operate differently to the way intended.
This can cause loops.
Table
Parameters Meaning
Port Displays the port number.
STP active Activates/deactivates the Spanning Tree function on the port.
Possible values:
marked (default setting)
unmarked
If the Spanning Tree function is enabled in the device and disabled on the port, the port does not
send STP-BPDUs and drops any STP-BPDUs received.
Port state Displays the transmission status of the port.
Possible values:
discarding
The port is blocked and forwards STP-BPDUs exclusively.
learning
The port is blocked, but it learns the MAC addresses of received data packets.
forwarding
The port forwards data packets.
disabled
The port is inactive. See the Basic Settings > Port dialog, Configuration tab.
manualFwd
The Spanning Tree function is disabled on the port. The port forwards STP-BPDUs.
notParticipate
The port is not participating in STP.
Port role Displays the current role of the port in CIST.
Possible values:
root
Port with the cheapest path to the root bridge.
alternate
Port with the alternative path to the root bridge (currently interrupted).
designated
Port for the side of the tree averted from the root bridge.
backup
Port receives STP-BPDUs from its own device.
master
Port with the cheapest path to the CIST. The port is the CIST root port of the CIST Regional
Root. The port is unique in an MST region.
disabled
The port is inactive. See the Basic Settings > Port dialog, Configuration tab.
Port path cost Specifies the path costs of the port.
Possible values:
0..200000000 (default setting: 0)
If the value is 0, the device automatically calculates the path costs depending on the data rate of
the port.
Port priority Specifies the priority of the port.
Possible values:
16..240 in steps of 16 (default setting: 128)
This value represents the first 4 bits of the port ID.
Received bridge ID Displays the bridge ID of the device from which this port last received an STP-BPDU.
Possible values:
For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the possible STP problems in the network.
For the alternate , backup , master , and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
If a port has no connection, or if it has not received any STP-BPDUs yet, the device displays
the values that the port would send with the designated role.
Received port ID Displays the port ID of the device from which this port last received an STP-BPDU.
Possible values:
For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the possible STP problems in the network.
For the alternate , backup , master , and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
If a port has no connection, or if it has not received any STP-BPDUs yet, the device displays
the values that the port would send with the designated role.
Received path cost Displays the path cost that the higher-level bridge has from its root port to the root bridge.
Possible values:
For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the possible STP problems in the network.
For the alternate , backup , master , and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
If a port has no connection, or if it has not received any STP-BPDUs yet, the device displays
the values that the port would send with the designated role.
Received path cost Displays the path cost that the higher-level bridge has from its root port in the local MST instance
to the root bridge.
Admin edge port Activates/deactivates the Admin edge port mode. Use the Admin edge port mode if the port
is connected to an end device. This setting allows the edge port to change faster to the forwarding
state after linkup and thus a faster accessibility of the end device.
Possible values:
marked
The Admin edge port mode is active.
The port is connected to an end device.
– After the connection is set up, the port changes to the forwarding status without changing
to the learning status beforehand.
– If the port receives an STP-BPDU, the device deactivates the port if the BPDU Guard
function is active. See the Switching > L2-Redundancy > Spanning Tree > Global
dialog.
unmarked (default setting)
The Admin edge port mode is inactive.
The port is connected to another STP bridge.
After the connection is set up, the port changes to the learning status before changing to the
forwarding status, if applicable.
Auto edge port Activates/deactivates the automatic detection of whether you connect an end device to the port.
The prerequisite is that the checkbox in the Admin edge port column is unmarked.
Possible values:
marked (default setting)
The automatic detection is active.
After the installation of the connection, and after 1.5 × Hello time [s] the device sets the
port to the forwarding status (default setting 1.5 × 2 s) if the port has not received any STP-
BPDUs during this time.
unmarked
The automatic detection is inactive.
After the installation of the connection, and after Max age the device sets the port to the
forwarding status.
(default setting: 20 s)
Oper edge port Displays whether an end device or an STP bridge is connected to the port.
Possible values:
marked
An end device is connected to the port. The port does not receive any STP-BPDUs.
unmarked
An STP bridge is connected to the port. The port receives STP-BPDUs.
Oper PointToPoint Displays whether the port is connected to an STP device via a direct full-duplex link.
Possible values:
true
The port is connected directly to an STP device via a full-duplex link. The direct, decentralized
communication between 2 bridges enables short reconfiguration times.
false
The port is connected in another way, for example via a half-duplex link or via a hub.
Port BPDU filter Activates/deactivates the filtering of STP-BPDUs on the port explicitly.
The prerequisite is that the port is a manually specified edge port. For these ports, the checkbox
in the Admin edge port column is marked.
Possible values:
marked
The BPDU filter is active on the port.
The function excludes the port from Spanning Tree operations.
– The device does not send STP-BPDUs on the port.
– The device drops any STP-BPDUs received on the port.
unmarked (default setting)
The BPDU filter is inactive on the port.
You have the option to globally activate the BPDU filter for every edge port. See the
Switching > L2-Redundancy > Spanning Tree > Global dialog, Bridge configuration
frame.
If the BPDU filter (all admin edge ports) checkbox is marked there, the BPDU filter is
active on this port even when the checkbox in the Port BPDU filter column is unmarked.
BPDU filter status Displays whether or not the BPDU filter is active on the port.
Possible values:
marked
The BPDU filter is active on the port as a result of the following settings:
– The checkbox in the Port BPDU filter column is marked.
and/or
– The checkbox in the BPDU filter (all admin edge ports) column is marked. See the
Switching > L2-Redundancy > Spanning Tree > Global dialog, Bridge
configuration frame.
unmarked
The BPDU filter is inactive on the port.
BPDU flood Activates/deactivates the BPDU flood mode on the port. The BPDU flood mode also works if the
Spanning Tree function is inactive on the port. The prerequisite is that the BPDU flood mode is
also active on the ports to which the device floods the STP-BPDUs.
Possible values:
marked
The BPDU flood mode is active.
The device floods STP-BPDUs received on the port to the ports for which the Spanning Tree
function is inactive.
unmarked (default setting)
The BPDU flood mode is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Guards ]
This tab allows you to specify the settings for various protection functions on the ports.
Table
Parameters Meaning
Port Displays the port number.
Root guard Activates/deactivates the monitoring of STP-BPDUs on the port. The prerequisite is that the Loop
guard function is inactive.
With this setting the device helps you protect your network from incorrect configurations or attacks
with STP-BPDUs that try to change the topology. This setting is relevant solely for ports with the
STP role designated .
Possible values:
marked
The monitoring of STP-BPDUs is active.
– If the port receives an STP-BPDU with better path information to the root bridge, the device
discards the STP-BPDU and sets the port to the discarding state instead of assigning it the
root role.
– If the port no longer receives STP-BPDUs with better path information to the root bridge, the
device resets the port to its normal state after 2 × Hello time [s] .
unmarked (default setting)
The monitoring of STP-BPDUs is inactive.
TCN guard Activates/deactivates the monitoring of "Topology Change Notifications" on the port. With this
setting the device helps you protect your network from attacks with STP-BPDUs that try to change
the topology.
Possible values:
marked
The monitoring of "Topology Change Notifications" is enabled.
– The port ignores the Topology Change flag in received STP-BPDUs.
– If the received BPDU contains other information that causes a topology change, the device
processes the BPDU even if the TCN guard is enabled.
Example: The device receives better path information for the root bridge.
unmarked (default setting)
The monitoring of "Topology Change Notifications" is disabled.
If the device receives STP-BPDUs with a Topology Change flag, it deletes the address table
of the port and forwards the Topology Change Notifications.
Loop guard Activates/deactivates the monitoring of loops on the port. The prerequisite is that the Root guard
function is inactive.
With this setting the device prevents loops if the port does not receive any more STP-BPDUs. Use
this setting solely for ports with the STP role alternate , backup or root .
Possible values:
marked
The monitoring of loops is active. This prevents loops for example if you disable the Spanning
Tree function on the remote device or if the connection is interrupted solely in the receiving
direction.
– If the port does not receive any STP-BPDUs for a while, the device sets the status of the
port to the value discarding and the value in the Loop state column to true .
– If the port then receives STP-BPDUs again, the device sets the status of the port to a value
according to Port role and the value in the Loop state column to false .
unmarked (default setting)
The monitoring of loops is inactive.
If the port does not receive any STP-BPDUs for a while, the device sets the status of the port
to the value forwarding .
Loop state Displays whether the loop state of the port is inconsistent.
Possible values:
true
The loop state of the port is inconsistent:
– The port is not receiving any STP-BPDUs and the Loop guard function is enabled.
– The device sets the state of the port to the value discarding . The device thus prevents
any potential loops.
false
The loop state of the port is consistent. The port receives STP-BPDUs.
Trans. into loop Displays how many times the device has set the value in the Loop state column from false to
true .
Trans. out of loop Displays how many times the device has set the value in the Loop state column from true to
false .
BPDU guard effect Displays whether the port received an STP-BPDU as an edge port.
Prerequisite:
– The port is a manually specified edge port. In the Port dialog, the checkbox for this port in the
Admin edge port column is marked.
– In the Switching > L2-Redundancy > Spanning Tree > Global dialog, the BPDU Guard
function is active.
Possible values:
marked
The port is an edge port and received an STP-BPDU.
The device deactivates the port. For this port, in the Basic Settings > Port dialog,
Configuration tab the checkbox in the Port on column is unmarked.
unmarked
The port is an edge port and has not received any STP-BPDUs, or the port is not an edge port.
To reset the status of the port to the value forwarding , you proceed as follows:
If the port is still receiving BPDUs:
– In the CIST tab, unmark the checkbox in the Admin edge port column.
or
– In the Switching > L2-Redundancy > Spanning Tree > Global dialog, unmark the
BPDU guard checkbox.
To activate the port, proceed as follows:
– Open the Basic Settings > Port dialog, Configuration tab.
– Mark the checkbox in the Port on column.
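The Admin edge port and BPDU Guard entries in the CIST tab and the Root guard and TCN guard entries in this tab all describe a decision the bridge makes about one received STP-BPDU. The following added example (not Hirschmann code; the device's internal logic is not published here) parses the fixed part of an RSTP/MSTP BPDU with the layout defined in IEEE 802.1Q, compares its priority vector with the one the port would send as designated port, and applies the three guards as the text describes them. The bridge identifiers, port numbers and the rogue BPDU are constructed for the example.

```python
"""Parse an RST/MST BPDU and apply BPDU guard, Root guard and TCN guard.
Added example, not Hirschmann code."""
import struct
from dataclasses import dataclass
from enum import Enum

# RSTP BPDU after the 3-byte LLC header (DSAP/SSAP 0x42, control 0x03):
# protocol ID, version, type, flags, root ID, root path cost, bridge ID,
# port ID, message age, max age, hello time, forward delay, version-1 length.
BPDU_FMT = ">HBBBQIQHHHHHB"
BPDU_LEN = struct.calcsize(BPDU_FMT)      # 36 bytes
RSTP_TYPE = 0x02
FLAG_TC = 0x01                            # Topology Change flag, bit 0 of the flags byte


@dataclass(frozen=True)
class Bpdu:
    flags: int
    root_id: int
    root_path_cost: int
    bridge_id: int
    port_id: int
    hello_time: int                       # on the wire: units of 1/256 s

    @property
    def priority_vector(self) -> tuple:
        # Compared lexicographically, lower is better (802.1Q root priority vector).
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)

    @property
    def topology_change(self) -> bool:
        return bool(self.flags & FLAG_TC)


def parse_bpdu(payload: bytes) -> Bpdu:
    if len(payload) < BPDU_LEN:
        raise ValueError("truncated BPDU")
    (proto, version, btype, flags, root_id, rpc, bridge_id, port_id,
     _msg_age, _max_age, hello, _fwd_delay, _v1len) = struct.unpack(BPDU_FMT, payload[:BPDU_LEN])
    if proto != 0 or btype != RSTP_TYPE or version < 2:
        raise ValueError("not an RST/MST BPDU")
    return Bpdu(flags, root_id, rpc, bridge_id, port_id, hello)


def build_bpdu(root_id: int, root_path_cost: int, bridge_id: int, port_id: int, flags: int = 0,
               hello_s: int = 2, max_age_s: int = 20, fwd_delay_s: int = 15) -> bytes:
    """Constructed RSTP (version 2) BPDU; timer values are converted to 1/256 s."""
    return struct.pack(BPDU_FMT, 0, 2, RSTP_TYPE, flags, root_id, root_path_cost, bridge_id,
                       port_id, 0, max_age_s * 256, hello_s * 256, fwd_delay_s * 256, 0)


class Action(Enum):
    ACCEPT = "process the BPDU normally"
    PORT_DISABLED = "BPDU guard: edge port received a BPDU, port switched off"
    ROOT_INCONSISTENT = "Root guard: superior BPDU on designated port, port set to discarding"
    TC_IGNORED = "TCN guard: Topology Change flag ignored"


@dataclass
class PortConfig:
    role: str = "designated"              # current CIST role of the port
    admin_edge: bool = False              # Admin edge port checkbox, CIST tab
    bpdu_guard: bool = False              # BPDU Guard, Spanning Tree > Global dialog
    root_guard: bool = False              # Guards tab
    tcn_guard: bool = False               # Guards tab


def evaluate(port: PortConfig, own_vector: tuple, rx: Bpdu) -> list:
    """own_vector is the priority vector this port would send as designated port."""
    if port.admin_edge and port.bpdu_guard:
        return [Action.PORT_DISABLED]     # any BPDU on a guarded edge port
    actions = []
    if port.root_guard and port.role == "designated" and rx.priority_vector < own_vector:
        actions.append(Action.ROOT_INCONSISTENT)
    if port.tcn_guard and rx.topology_change:
        actions.append(Action.TC_IGNORED) # the rest of the BPDU is still processed
    return actions or [Action.ACCEPT]


# Constructed scenario: our bridge is the current root with priority 4096; a rogue
# device announces itself with priority 0 and the Topology Change flag set.
OUR_ID = (4096 << 48) | 0x020000000001
ROGUE_ID = (0 << 48) | 0x0200000000FF
OUR_VECTOR = (OUR_ID, 0, OUR_ID, (128 << 8) | 5)      # port ID: priority 128 + port number 5
ROGUE_BPDU = parse_bpdu(build_bpdu(ROGUE_ID, 0, ROGUE_ID, (128 << 8) | 1, flags=FLAG_TC))

if __name__ == "__main__":
    for cfg in (PortConfig(), PortConfig(root_guard=True, tcn_guard=True),
                PortConfig(admin_edge=True, bpdu_guard=True)):
        print(cfg, "->", [a.value for a in evaluate(cfg, OUR_VECTOR, ROGUE_BPDU)])
```

The port ID shown above is built as the text describes: the Port priority (128, a multiple of 16) occupies the upper 4 bits, the port number the remaining 12. Without Root guard the rogue BPDU is accepted and the port takes the root role; with Root guard the BPDU is discarded and the port goes to discarding until superior BPDUs stop arriving.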
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Table
Parameters Meaning
Port Displays the port number.
Port state Displays the transmission status of the port.
Possible values:
discarding
The port is blocked and forwards STP-BPDUs exclusively.
learning
The port is blocked, but it learns the MAC addresses of received data packets.
forwarding
The port forwards data packets.
disabled
The port is inactive. See the Basic Settings > Port dialog, Configuration tab.
manualFwd
The Spanning Tree function is disabled on the port.
The port forwards STP-BPDUs.
notParticipate
The port is not participating in STP.
Port role Specifies the current role of the port in the local instance.
Possible values:
root
Port with the cheapest path to the root bridge.
alternate
Port with the alternative path to the root bridge (currently interrupted).
designated
Port for the side of the tree averted from the root bridge.
backup
Port which receives STP-BPDUs from its own device.
master
Port with the cheapest path to the CIST. The port is the CIST root port of the CIST Regional
Root. The port is unique in an MST region.
disabled
The port is inactive. See the Basic Settings > Port dialog, Configuration tab.
Port path cost Specifies the path costs of the port in the local instance.
Possible values:
0..200000000 (default setting: 0)
If the value is 0, the device automatically calculates the path costs depending on the data rate
of the port.
Port priority Specifies the priority of the port in the local instance.
Possible values:
16..240 in steps of 16 (default setting: 128)
Received bridge ID Displays the bridge ID of the device from which this port last received an STP-BPDU in the local
instance.
Received port ID Displays the port ID of the device from which this port last received an STP-BPDU.
Possible values:
For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the possible STP problems in the network.
For the alternate , backup , master , and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
If a port has no connection, or if it has not received any STP-BPDUs yet, the device displays
the values that the port would send with the designated role.
Received path cost Displays the path cost that the higher-level bridge has from its root port to the root bridge.
Possible values:
For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the possible STP problems in the network.
For the alternate , backup , master , and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
If a port has no connection, or if it has not received any STP-BPDUs yet, the device displays
the values that the port would send with the designated role.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
IEEE 802.1AX defines a Link Aggregation Group (LAG) as the combining of 2 or more full-duplex point-
to-point links operating at the same rate, on a single switch, to increase bandwidth. Furthermore, Link
Aggregation provides redundancy: when a link goes down, the remaining links in the LAG continue to
forward the traffic.
The device uses a hash function to distribute the load across the ports of the group. The device selects
the member port for a packet from header fields of the packet, for example MAC address, IP address,
and TCP/UDP port information, according to the selected Hashing option.
Link Aggregation Control Protocol Data Units (LACPDUs) contain 2 state fields of 8 bits each, which the
Actor periodically sends to the Partner. The Actor State field describes the state of the Actor; the Partner
State field describes what the Actor knows about the Partner. The port transmits LACPDUs when in the
active state. In the passive state, the port transmits LACPDUs solely in response to an active partner.
Configuration
Parameters Meaning
Hashing option Specifies the Link Aggregation Hashing option on the device. The device computes a hash over
selected header fields of each packet, for example MAC address, IP address, and TCP/UDP port, and
uses the result to select the member port on which it forwards the packet. The option specifies which
fields the device uses.
Possible values:
sourceMacVlan
The device uses the Source MAC address, VLAN ID, Ethertype, and incoming port fields of the
packet as a tag.
destMacVlan
The device uses the Destination MAC address, VLAN ID, Ethertype, and incoming port fields
of the packet as a tag.
sourceDestMacVlan (default setting)
The device uses the Source/Destination MAC address, VLAN ID, Ethertype, and incoming port
fields of the packet as a tag.
sourceIPsourcePort
The device uses the Source IP address and Source TCP/UDP port fields of the packet as a tag.
destIPdestPort
The device uses the Destination IP address and Destination TCP/UDP port fields of the packet
as a tag.
sourceDestIPPort
The device uses the Source/Destination IP address and source/destination TCP/UDP port
fields of the packet as a tag.
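Which fields the Hashing option feeds into the member port selection decides whether traffic actually spreads across the LAG. The following added example (not Hirschmann code) models the six options with the field sets listed above and runs a constructed traffic sample through them. The device's hash function is not published on this page, so CRC-32 modulo the member count stands in for it; the traffic sample, MAC and IP addresses are made up. The point it shows is independent of the hash: when every field in the selected set is identical for all flows, every flow lands on the same member port.

```python
"""Member port selection per Hashing option. Added example, not Hirschmann code;
CRC-32 is a stand-in for the device's undocumented hash."""
import zlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    vlan: int
    ethertype: int
    ingress_port: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# Field sets of the six entries in the Hashing option drop-down list
HASH_FIELDS = {
    "sourceMacVlan":      ("src_mac", "vlan", "ethertype", "ingress_port"),
    "destMacVlan":        ("dst_mac", "vlan", "ethertype", "ingress_port"),
    "sourceDestMacVlan":  ("src_mac", "dst_mac", "vlan", "ethertype", "ingress_port"),
    "sourceIPsourcePort": ("src_ip", "src_port"),
    "destIPdestPort":     ("dst_ip", "dst_port"),
    "sourceDestIPPort":   ("src_ip", "dst_ip", "src_port", "dst_port"),
}


def hash_key(flow: Flow, option: str) -> bytes:
    """Concatenate the selected fields; only these influence the selection."""
    return "|".join(str(getattr(flow, f)) for f in HASH_FIELDS[option]).encode()


def select_member(flow: Flow, option: str, members: list) -> int:
    """Illustrative selection: CRC-32 of the key modulo the number of member ports."""
    return members[zlib.crc32(hash_key(flow, option)) % len(members)]


def distribution(flows, option: str, members: list) -> Counter:
    """How many flows each member port carries under the given option."""
    return Counter(select_member(f, option, members) for f in flows)


# Constructed traffic (not from the manual): 64 TCP sessions from hosts behind one
# router to one server on port 443. The LAG sees a single MAC pair for all of them.
FLOWS = [Flow("02:00:00:00:00:01", "02:00:00:00:00:02", 10, 0x0800, 1,
              f"10.0.1.{i}", "10.0.2.10", 40000 + i, 443) for i in range(64)]
MEMBERS = [1, 2]                          # two physical ports in the LAG

if __name__ == "__main__":
    for option in HASH_FIELDS:
        print(f"{option:20s} {dict(sorted(distribution(FLOWS, option, MEMBERS).items()))}")
```

With the default sourceDestMacVlan option this router-to-server traffic uses one member port only, and so does destIPdestPort, because destination address and port are the same for every session; only the options that include the varying source IP and port spread the sessions. Pick the option whose fields actually differ between the flows the LAG carries.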
Table
Parameters Meaning
Trunk port Displays the Link Aggregation port number.
Name Specifies the name of the Link Aggregation Group.
Possible values:
Alphanumeric ASCII character string with 1..15 characters
Active Activates/deactivates Link Aggregation Group.
Possible values:
marked (default setting)
The LAG instance is in an "up" state and processes traffic according to the specified values.
unmarked
The LAG instance, including the member ports, is in a "down" state. The member ports remain
in the LAG instance and block traffic.
STP active Activates/deactivates the Spanning Tree protocol on this LAG interface. After you create the Link
Aggregation instance in the table the device automatically adds the port to the Switching > L2-
Redundancy > Spanning Tree > Port dialog.
Possible values:
marked (default setting)
Enabling the STP mode in this dialog also enables the port in the Switching > L2-
Redundancy > Spanning Tree > Port dialog.
unmarked
Disabling the STP mode in this dialog also disables the port in the Switching > L2-
Redundancy > Spanning Tree > Port dialog.
The prerequisite is that you enable the function globally in the Switching > L2-Redundancy >
Spanning Tree > Global dialog.
Static link Activates/deactivates the Static link aggregation function on the LAG interface.
aggregation
Possible values:
marked
The device does not use LACP on this LAG. It aggregates the member ports based on the
configuration alone, so the aggregation state does not depend on LACPDUs exchanged with the
partner. Configure the partner identically: without LACP, neither side detects a miscabled or
misconfigured member link.
unmarked (default setting)
The device negotiates the aggregation state of the port with the partner automatically using LACP.
Hashing option Specifies the link aggregation tag on the LAG interface.
Possible values:
sourceMacVlan
The device uses the source MAC address, VLAN, Ethertype, and incoming port associated
with the packet as a tag.
destMacVlan
The device uses the destination MAC address, VLAN, Ethertype, and incoming port
associated with the packet as a tag.
sourceDestMacVlan (default setting)
The device uses the source/destination MAC address, VLAN, Ethertype, and incoming port
associated with the packet as a tag.
sourceIPsourcePort
The device uses the Source IP address and Source TCP/UDP port fields of the packet as a tag.
destIPdestPort
The device uses the Destination IP address and Destination TCP/UDP port fields of the packet
as a tag.
sourceDestIPPort
The device uses the Source/Destination IP address and source/destination TCP/UDP port
fields of the packet as a tag.
MTU Specifies the maximum allowed size of Ethernet packets on the interface in bytes.
Possible values:
1518..12288 (default setting: 1518)
With the setting 1518, the port transmits the Ethernet packets up to the following size:
– 1518 bytes without VLAN tag
(1514 bytes + 4 bytes CRC)
– 1522 bytes with VLAN tag
(1518 bytes + 4 bytes CRC)
This setting allows you to increase the size of the Ethernet packets for specific applications.
Active ports (min.) Specifies how many active ports the device uses for the Link Aggregation group.
Possible values:
1..2 (default setting: 2)
1..4 (default setting: 4)
LACP actor admin Specifies the administrative values of the Actor State transmitted in LACPDUs.
state You have the option to combine the values with each other. This allows you administrative control
over the LACPDU parameters. In the drop-down list, select one or more values.
Possible values:
lacpActivity
Specifies whether the port is an active or passive participant. An active participant transmits
LACPDUs periodically. A passive participant transmits LACPDUs when requested. When
selected you set the parameter to active participant.
lacpTimeout
The Actor periodically transmits LACPDUs at either a slow or fast transmission rate depending
on the preference of the partner. You set the parameter to either long timeout or short timeout.
When selected you set the parameter to short timeout.
aggregation
Specifies whether the port is a potential candidate for aggregation or for an individual link.
When selected you set the parameter to aggregatable.
-
The state is unspecified.
The device also displays the following values, which result from LACP operation rather than from
this setting:
– synchronization
The system considers this link to be allocated to the correct LAG, and the group is associated
with a compatible aggregator. Furthermore, the identity of the LAG is consistent with the
system ID and operational key information transmitted.
– collecting
Collection of incoming frames on this link is enabled and remains enabled in the absence of
administrative changes or changes in the received protocol information.
– distributing
Distribution of outgoing frames on this link is enabled and remains enabled in the absence of
administrative changes or changes in the received protocol information.
– defaulted
The actor uses the administratively configured (default) partner information because it has
not received valid LACPDUs from the partner.
– expired
The receive machine of the actor is in the expired state: the partner information has timed out.
LACP actor port Specifies the LACP actor port priority value for this port.
priority
Possible values:
0..65535 (default setting: 128)
The port with the lower value has the higher priority.
LACP partner port Specifies the default value for the partner key, assigned by administrator or system policy for use
admin key when information about the partner is unknown or expired.
The LAG uses keys to assign membership to partner ports. Specify the same key value for the
local partners participating in the same LAG.
Possible values:
0..65535 (default setting: 0)
If the port is alone in a LAG, then set this value to 0. When the port is in a LAG, then set this
value to correspond with the LAG operational key.
To manage the partner ports, you use this parameter in conjunction with the settings in the
following columns:
– LACP partner admin port
– LACP partner admin port priority
– LACP partner admin SysID
– LACP partner admin sys priority
LACP partner Specifies the partner administrative state values.
admin state You have the option to combine the values with each other which allows you administrative control
over the LACPDU parameters. In the drop-down list, select one or more values.
Possible values:
lacpActivity
Specifies whether the port is an active or passive participant. An active participant transmits
LACPDUs periodically. A passive participant transmits LACPDUs when requested. When
selected you set the parameter to active.
lacpTimeout
The Actor periodically transmits LACPDUs at either a slow or fast transmission rate depending
on the preference of the Partner either long timeout or short timeout. When selected you set
the parameter to short timeout.
aggregation
Specifies whether the port is a potential candidate for aggregation or for an individual link.
When selected you set the parameter to aggregatable.
-
The state is unspecified.
The device also displays the following values, which result from LACP operation rather than from
this setting:
synchronization
The system considers this link to be allocated to the correct LAG, and the group is associated
with a compatible aggregator. Furthermore, the identity of the LAG is consistent with the
system ID and operational key information transmitted.
collecting
Collection of incoming frames on this link is enabled and remains enabled in the absence of
administrative changes or changes in the received protocol information.
distributing
Distribution of outgoing frames on this link is enabled and remains enabled in the absence of
administrative changes or changes in the received protocol information.
defaulted
The partner uses the administratively configured (default) information because it has not
received valid LACPDUs.
expired
The receive machine of the partner is in the expired state: its information about the actor has
timed out.
LACP partner Specifies the port number of the partner port.
admin port
Possible values:
0..65535 (default setting: 0)
To manage the partner ports, you use this parameter in conjunction with the settings in the
following columns:
– LACP partner port admin key
– LACP partner admin port priority
– LACP partner admin SysID
– LACP partner admin sys priority
LACP partner Specifies the port priority for the partner port.
admin port priority
Possible values:
0..65535 (default setting: 0)
The port with the lower value has the higher priority.
To manage the partner ports, you use this parameter in conjunction with the settings in the
following columns:
– LACP partner port admin key
– LACP partner admin port
– LACP partner admin SysID
– LACP partner admin sys priority
LACP partner Specifies a MAC Address value representing the Partner System ID.
admin SysID
Possible values:
Valid MAC address (default setting: 00:00:00:00:00:00)
To manage the partner ports, you use this parameter in conjunction with the settings in the
following columns:
– LACP partner port admin key
– LACP partner admin port
– LACP partner admin port priority
– LACP partner admin sys priority
LACP partner Specifies the default value for the system priority component of the system identifier of the partner,
admin sys priority assigned by administrator or system policy for use when the information from the partner is
unknown or expired.
Possible values:
0..65535 (default setting: 0)
The port with the lower value has the higher priority.
To manage the partner ports, you use this parameter in conjunction with the settings in the
following columns:
– LACP partner port admin key
– LACP partner admin port
– LACP partner admin port priority
– LACP partner admin SysID
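The LACP actor admin state and LACP partner admin state entries above both refer to the same 8-bit state byte of IEEE 802.1AX, and the partner admin columns hold the values the device uses when it has no live information from the partner. The following added example (not Hirschmann code) decodes and encodes that byte with the names the drop-down lists use, builds and parses a complete 110-byte LACPDU, and checks what the received PDU reveals: whether the partner still runs on defaults or has expired, and whether its view of our port matches our actor information. The system IDs, keys and port numbers are constructed.

```python
"""LACPDU state bits and TLV layout (IEEE 802.1AX). Added example, not Hirschmann code."""
import struct
from dataclasses import dataclass

# (bit, name used in the GUI drop-down list, meaning when the bit is set)
STATE_BITS = (
    (0, "lacpActivity",    "active participant"),
    (1, "lacpTimeout",     "short timeout"),
    (2, "aggregation",     "aggregatable"),
    (3, "synchronization", "link in sync with the LAG"),
    (4, "collecting",      "collecting incoming frames"),
    (5, "distributing",    "distributing outgoing frames"),
    (6, "defaulted",       "using administrative partner information"),
    (7, "expired",         "receive machine expired"),
)
INFO_FMT = ">H6sHHHB3x"      # TLV value: sys prio, sys ID, key, port prio, port, state, 3 pad
LACPDU_LEN = 110             # subtype, version, actor/partner/collector TLVs, terminator, 50 reserved


def decode_state(state: int) -> set:
    return {name for bit, name, _ in STATE_BITS if state >> bit & 1}


def encode_state(names) -> int:
    lookup = {name: bit for bit, name, _ in STATE_BITS}
    return sum(1 << lookup[n] for n in names)


@dataclass(frozen=True)
class LacpInfo:
    system_priority: int
    system_id: str
    key: int
    port_priority: int
    port: int
    state: int


def _pack_info(tlv_type: int, info: LacpInfo) -> bytes:
    sysid = bytes.fromhex(info.system_id.replace(":", ""))
    return bytes((tlv_type, 0x14)) + struct.pack(INFO_FMT, info.system_priority, sysid, info.key,
                                                 info.port_priority, info.port, info.state)


def build_lacpdu(actor: LacpInfo, partner: LacpInfo, max_delay: int = 0) -> bytes:
    """LACPv1 PDU: actor TLV (0x01), partner TLV (0x02), collector TLV (0x03), terminator."""
    pdu = (bytes((0x01, 0x01)) + _pack_info(0x01, actor) + _pack_info(0x02, partner)
           + bytes((0x03, 0x10)) + struct.pack(">H12x", max_delay) + b"\x00\x00")
    return pdu.ljust(LACPDU_LEN, b"\x00")


def parse_lacpdu(pdu: bytes) -> dict:
    if len(pdu) < LACPDU_LEN or pdu[0] != 0x01 or pdu[1] != 0x01:
        raise ValueError("not an LACPv1 PDU")
    out, pos = {}, 2
    while pos + 2 <= len(pdu):
        ttype, tlen = pdu[pos], pdu[pos + 1]
        if ttype == 0x00:                                  # terminator TLV
            break
        if tlen < 2 or pos + tlen > len(pdu):
            raise ValueError("bad TLV length")
        value = pdu[pos + 2:pos + tlen]
        if ttype in (0x01, 0x02):
            prio, sysid, key, pprio, port, state = struct.unpack(INFO_FMT, value)
            out["actor" if ttype == 0x01 else "partner"] = LacpInfo(
                prio, ":".join(f"{b:02x}" for b in sysid), key, pprio, port, state)
        elif ttype == 0x03:
            out["collector_max_delay"] = struct.unpack(">H12x", value)[0]
        pos += tlen
    return out


def check_partner_view(our_actor: LacpInfo, rx: dict) -> list:
    """Findings from a received PDU: the peer's own state (its actor TLV) and its
    picture of our port (its partner TLV). An empty list means the link is healthy."""
    findings = []
    peer_state = decode_state(rx["actor"].state)
    peer_view = rx["partner"]
    if "defaulted" in peer_state:
        findings.append("partner runs on administrative defaults: it has not received our LACPDUs")
    if "expired" in peer_state:
        findings.append("partner's receive machine expired: our LACPDUs stopped arriving")
    if (peer_view.system_id, peer_view.key, peer_view.port) != (our_actor.system_id, our_actor.key, our_actor.port):
        findings.append("partner's view of our port does not match our actor information")
    if "aggregation" not in peer_state:
        findings.append("partner marks the link as individual; it will not join a LAG")
    return findings


# Constructed sample (not from the manual)
UP = {"lacpActivity", "aggregation", "synchronization", "collecting", "distributing"}
OUR_ACTOR = LacpInfo(32768, "02:00:00:00:00:01", 10, 128, 3, encode_state(UP))
PEER_ACTOR = LacpInfo(32768, "02:00:00:00:00:02", 20, 128, 7, encode_state(UP))
GOOD_PDU = build_lacpdu(PEER_ACTOR, OUR_ACTOR)           # peer echoes our actor info
STALE_PDU = build_lacpdu(                                # peer still on its admin defaults
    LacpInfo(32768, "02:00:00:00:00:02", 20, 128, 7, encode_state({"lacpActivity", "aggregation", "defaulted"})),
    LacpInfo(0, "00:00:00:00:00:00", 0, 0, 0, 0))

if __name__ == "__main__":
    for label, pdu in (("good", GOOD_PDU), ("stale", STALE_PDU)):
        rx = parse_lacpdu(pdu)
        print(label, sorted(decode_state(rx["actor"].state)), check_partner_view(OUR_ACTOR, rx) or "ok")
```

A partner TLV with the defaulted bit set and the all-zero system ID is exactly the picture the device builds from the LACP partner admin columns when nothing has arrived yet, so seeing it in a received PDU means the peer has not heard us, not that the peer is misconfigured.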
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the Trunk port drop-down list you select the port number of the Link Aggregation Group
trunk.
In the Port drop-down list you select the port to assign to the interface.
With Link Backup, you configure pairs of redundant links. Each pair has a primary port and a backup
port. The primary port forwards traffic until the device detects an error. When the device detects an error
on the primary port, the Link Backup function transfers traffic over to the backup port.
The dialog also allows you to set a fail back option. When you enable the fail back function and the
primary port returns to normal operation, the device first blocks traffic on the backup port and then
forwards traffic on the primary port. This process helps protect the device from causing loops in the
network.
Operation
Parameters Meaning
Operation Enables/disables the Link Backup function globally on the device.
Possible values:
On
Enables the Link Backup function.
Off (default setting)
Disables the Link Backup function.
Table
Parameters Meaning
Primary port Displays the primary port of the interface pair. When you enable the Link Backup function this port
is responsible for forwarding traffic.
Possible values:
Physical ports
Backup port Displays the backup port on which the device forwards traffic when the device detects an error on
the primary port.
Possible values:
Physical ports except for the port you set as the primary port.
Description Specifies the Link Backup pair. Enter a name to identify the Backup pair.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
Primary port status Displays the status of the primary port for this Link Backup pair.
Possible values:
forwarding
The link is up, no shutdown, and forwarding traffic.
blocking
The link is up, no shutdown, and blocking traffic.
down
The port has no link (for example, the cable is unplugged) or is disabled in software (shutdown).
unknown
The Link Backup feature is globally disabled, or the port pair is inactive. Therefore, the device
ignores the port pair settings.
Backup port status Displays the status of the Backup port for this Link Backup pair.
Possible values:
forwarding
The link is up, no shutdown, and forwarding traffic.
blocking
The link is up, no shutdown, and blocking traffic.
down
The port has no link (for example, the cable is unplugged) or is disabled in software (shutdown).
unknown
The Link Backup feature is globally disabled, or the port pair is inactive. Therefore, the device
ignores the port pair settings.
Fail back Activates/deactivates the automatic fail back.
Possible values:
marked (default setting)
The automatic fail back is active.
After the delay timer expires, the backup port changes to blocking and the primary port changes to forwarding.
unmarked
The automatic fail back is inactive.
The backup port continues forwarding traffic even after the primary port re-establishes a link
or you manually change the admin status of the primary port from shutdown to no shutdown.
Fail back delay [s] Specifies the delay time in seconds that the device waits after the primary port re-establishes a link. This timer also applies when you manually set the admin status of the primary port from shutdown to no shutdown. After the delay timer expires, the backup port changes to blocking and the primary port changes to forwarding.
Possible values:
0..3600 (default setting: 30)
When set to 0, the backup port changes to blocking and the primary port changes to forwarding immediately after the primary port re-establishes a link, or immediately after you manually set the admin status of the primary port from shutdown to no shutdown.
Active Activates/deactivates the Link Backup pair configuration.
Possible values:
marked
The Link Backup pair is active. The device senses the link and administration status and
forwards traffic according to the pair configuration.
unmarked (default setting)
The Link Backup pair is inactive. The ports forward traffic according to standard switching.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Create
Parameters Meaning
Primary port Specifies the primary port of the backup interface pair. During normal operation this port is
responsible for forwarding the traffic.
Possible values:
Physical ports
Backup port Specifies the backup port to which the device transfers the traffic to when the device detects an
error on the primary port.
Possible values:
Physical ports except for the port you set as the primary port.
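The fail back sequence described in this dialog, modelled as an added example that is not part of the Hirschmann manual or firmware. The class mirrors the Operation, Active, Fail back and Fail back delay [s] parameters and reports the Primary port status and Backup port status values of the table; the link and admin-state inputs, the scenario timeline and the handling of a backup link that is down at the same time are assumptions made for this example:

```python
"""Added model of the Link Backup pair behaviour (example code, not device firmware)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FORWARDING, BLOCKING, DOWN, UNKNOWN = "forwarding", "blocking", "down", "unknown"


@dataclass
class LinkBackupPair:
    """One primary/backup port pair; field names mirror the dialog parameters."""
    operation: bool = True        # Operation frame: Link Backup function on/off
    active: bool = False          # Active checkbox of the pair (default: unmarked)
    fail_back: bool = True        # Fail back checkbox (default: marked)
    fail_back_delay: int = 30     # Fail back delay [s], 0..3600 (default: 30)
    _backup_forwards: bool = field(default=False, init=False)
    _primary_up_since: Optional[float] = field(default=None, init=False)

    def evaluate(self, now: float, primary_link: bool, backup_link: bool,
                 primary_admin_up: bool = True) -> Tuple[str, str]:
        """Return (Primary port status, Backup port status) at time 'now' (seconds).

        primary_link / backup_link model the physical link of the two ports;
        primary_admin_up=False models 'shutdown' on the primary port.
        """
        if not (self.operation and self.active):
            # Function globally disabled or pair inactive: the pair settings are ignored.
            self._backup_forwards, self._primary_up_since = False, None
            return UNKNOWN, UNKNOWN

        if not (primary_link and primary_admin_up):
            # Error on the primary port: traffic is transferred to the backup port.
            self._backup_forwards, self._primary_up_since = True, None
            return DOWN, (FORWARDING if backup_link else DOWN)

        if not self._backup_forwards or not backup_link:
            # Normal operation. Assumption (not stated in the manual): if the backup
            # link is also down there is nothing to fail back from, so the primary forwards.
            self._backup_forwards, self._primary_up_since = False, None
            return FORWARDING, (BLOCKING if backup_link else DOWN)

        if not self.fail_back:
            # Automatic fail back inactive: the backup port keeps forwarding even
            # though the primary port has a link again.
            return BLOCKING, FORWARDING

        if self._primary_up_since is None:
            self._primary_up_since = now      # primary re-established: start the delay timer
        if now - self._primary_up_since >= self.fail_back_delay:
            # Timer expired: block the backup first, then forward on the primary.
            self._backup_forwards, self._primary_up_since = False, None
            return FORWARDING, BLOCKING
        return BLOCKING, FORWARDING            # still waiting out the delay


def run_scenario(fail_back: bool = True, delay: int = 30) -> List[Tuple[float, str, str]]:
    """Constructed timeline: link loss on the primary at t=10, link back at t=20."""
    pair = LinkBackupPair(active=True, fail_back=fail_back, fail_back_delay=delay)
    timeline = [  # (t, primary link, backup link)
        (0, True, True),
        (10, False, True),
        (20, True, True),
        (20 + max(delay - 1, 0), True, True),
        (20 + delay, True, True),
        (100, True, True),
    ]
    return [(t, *pair.evaluate(t, p, b)) for t, p, b in timeline]


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

With the default delay of 30 s the primary port reports blocking and the backup port forwarding between t=20 and t=50; with a delay of 0 the switch-back happens at t=20; with Fail back unmarked the backup port keeps forwarding for the rest of the timeline, as the table describes.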
5.9.6 FuseNet™
FuseNet™ is a family of Hirschmann proprietary protocols that allows you to couple the following
networks:
MRP
HIPER Ring
RSTP
Note: When you use the Ring/Network Coupling protocol to couple networks verify that the networks
only contain Hirschmann devices.
Use the following table to select the FuseNet coupling protocol. The entries give the coupling protocols available for each combination of main ring and connected network:
Main ring MRP:
– Connected network MRP: Sub Ring 1)
– Connected network RSTP: Redundant Coupling Protocol, Ring/Network Coupling
– Connected network HIPER ring: Redundant Coupling Protocol, Ring/Network Coupling
– Connected network Fast MRP 2): Ring/Network Coupling
– Connected network DLR 2): Redundant Coupling Protocol, Ring/Network Coupling
Main ring HIPER ring:
– Connected network MRP: Sub Ring
– Connected network RSTP: Redundant Coupling Protocol, Ring/Network Coupling
– Connected network HIPER ring: Ring/Network Coupling
– Connected network Fast MRP 2): Redundant Coupling Protocol, Ring/Network Coupling
– Connected network DLR 2): Redundant Coupling Protocol, Ring/Network Coupling
Main ring RSTP:
– Connected network MRP: Redundant Coupling Protocol
– Connected network RSTP: –
– Connected network HIPER ring: Redundant Coupling Protocol
– Connected network Fast MRP 2): Redundant Coupling Protocol
– Connected network DLR 2): Redundant Coupling Protocol
Explanation:
– no suitable coupling protocol
1) with MRP configured on different VLANs
2) depending on the device configuration
Note: To avoid loops, only close the redundant line when the settings are specified in every device
participating in the ring.
Operation
Parameters Meaning
Operation Enables/disables the subring function.
Possible values:
On
The subring function is enabled.
Off (default setting)
The subring function is disabled.
Information
Parameters Meaning
Table entries (max.) Displays the maximum number of subrings supported by the device.
Table
Parameters Meaning
Sub ring ID Displays the unique identifier of this subring.
Possible values:
1..20
Name Specifies the optional name of the subring.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
Active Activates/deactivates the subring.
Activate the subring when the configuration of every subring device is complete. Close the subring
only after activating the subring function.
Possible values:
marked
The subring is active.
unmarked (default setting)
The subring is inactive.
Configuration status Displays the operational state of the subring configuration.
Possible values:
noError
The device detects an acceptable subring configuration.
ringPortLinkError
– The ring port has no link.
– One of the subring lines is connected to another port of the device instead of to one of the ring ports of the device.
multipleSRM
The subring manager receives packets from more than one subring manager in the subring.
noPartnerManager
The subring manager receives its own frames.
concurrentVLAN
The MRP protocol in the base ring uses the VLAN of the subring manager domain.
concurrentPort
Another redundancy protocol uses the ring port of the subring manager domain.
concurrentRedundancy
The subring manager domain is inactive because another redundancy protocol is active.
trunkMember
The ring port of the subring manager domain is a member of a Link Aggregation connection.
sharedVLAN
The subring manager domain is inactive because shared VLAN is active and the main ring also
uses the MRP protocol.
Redundancy available Displays the operational state of the ring redundancy in the subring.
Possible values:
redGuaranteed
Redundancy reserve is available.
redNotGuaranteed
Loss of redundancy reserve.
Port Specifies the port that connects the device to the subring.
Possible values:
<Port number>
SRM mode Specifies the mode of the subring manager.
A subring has 2 managers simultaneously that couple the subring to the base ring. As long as the
subring is physically closed, 1 manager blocks its subring port.
Possible values:
manager (default setting)
The subring port forwards data packets.
When this value is set on both devices that couple the subring to the base ring, the device with the higher MAC address functions as the redundantManager.
redundantManager
The subring port is blocked while the subring is physically closed. If the subring is interrupted,
the subring port transmits the data packets.
When this value is set on both devices that couple the subring to the base ring, the device with the higher MAC address functions as the redundantManager.
singleManager
Use this value when the subring is coupled to the base ring via one single device. The
prerequisite is that there are 2 instances of the subring in the table. Assign this value to both
instances. The subring port of the instance with the higher port number is blocked while the
subring is physically closed.
SRM status Displays the current mode of the subring manager.
Possible values:
manager
The subring port forwards data packets.
redundantManager
The subring port is blocked while the subring is physically closed. If the subring is interrupted,
the subring port transmits the data packets.
singleManager
The subring is coupled to the base ring via one single device. The subring port of the instance
with the higher port number is blocked while the subring is physically closed.
disabled
The subring is inactive.
Port status Displays the connection status of the subring port.
Possible values:
forwarding
The port is passing frames according to the forwarding behavior of IEEE 802.1D.
disabled
The port is dropping every frame.
blocked
The port is dropping every frame with the exception of the following cases:
– The port passes frames used by the selected ring protocol specified to pass blocked ports.
– The port passes frames from other protocols specified to pass blocked ports.
not-connected
The port link is down.
VLAN Specifies the VLAN to which this subring is assigned. If no VLAN exists under the VLAN ID
entered, the device automatically creates it.
Possible values:
Available configured VLANs (default setting: 0)
If you do not want to use a separate VLAN for this subring, you leave the entry as 0.
Partner MAC Displays the MAC address of the subring manager at the other end of the subring.
MRP domain Specifies the MRP domain of the subring manager. Assign the same MRP domain name to every
member of a subring. If you use Hirschmann devices exclusively, you use the default value for the
MRP domain; otherwise adjust this value if necessary. With multiple subrings, the function allows
you to use the same MRP domain name for the subrings.
Possible values:
Permitted MRP domain names (default setting:
255.255.255.255.255.255.255.255.255.255.255.255.255.255.255.255)
Protocol Specifies the protocol.
Possible values:
iec-62439-mrp
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
You use the Ring/Network Coupling function to redundantly couple an existing HIPER ring, MRP ring,
or Fast HIPER ring to another network or another ring. Verify that the coupling partners are Hirschmann
devices.
Note: With two-switch coupling, verify that you have configured a HIPER ring, MRP ring, or Fast HIPER
ring before configuring the Ring/Network Coupling function.
In the Ring/Network Coupling dialog, you can perform the following tasks:
display an overview of the existing Ring/Network Coupling
configure a Ring/Network Coupling
create a new Ring/Network Coupling
delete Ring/Network Coupling
enable/disable Ring/Network Coupling
When configuring the coupling ports, specify the following settings in the Basic Settings > Port
dialog:
Note: The operating modes of the port actually available depend on the device configuration and the
media module used.
If you have configured VLANS, note the VLAN configuration of the coupling and partner coupling ports.
In the Ring/Network Coupling configuration, select the following values for the coupling and partner
coupling ports:
VLAN ID 1 and Ingress filtering disabled in the port table
VLAN membership T in the VLAN Configuration table
Independently of the VLAN settings, the device sends the ring coupling frames with VLAN ID 1 and
priority 7. Verify that the device sends VLAN 1 frames tagged in the local ring and in the connected
network. Tagging the VLAN frames maintains the priority of the ring coupling frames.
Note: Avoid operating the Ring manager function and the two-switch coupling method on the same device. This can cause loops.
The Ring/Network Coupling function operates with test packets. The devices send their test packets
VLAN-tagged, including the VLAN ID 1 and the highest VLAN priority 7. If the forwarding port is an
untagged member in VLAN 1, then the device also sends test packets.
Operation
Parameters Meaning
Operation Enables/disables the Ring/Network Coupling function.
Possible values:
On
The Ring/Network Coupling function is enabled.
Off (default setting)
The Ring/Network Coupling function is disabled.
Mode
Parameters Meaning
Type Specifies the method used to couple the networks together.
Possible values:
one-switch coupling
Allows you to specify the port settings in the Coupling port and Partner coupling port
frames.
two-switch coupling, master
Allows you to specify the port settings in the Coupling port frame.
two-switch coupling, slave
Allows you to specify the port settings in the Coupling port frame.
two-switch coupling with control line, master
Allows you to specify the port settings in the Coupling port and Control port frames.
two-switch coupling with control line, slave
Allows you to specify the port settings in the Coupling port and Control port frames.
Coupling port
Parameters Meaning
Port Specifies the port to which you connect the redundant link.
Possible values:
-
No port selected.
<Port number>
If you also have configured ring ports, then specify the coupling and ring ports on different ports.
To help prevent continuous loops, the device disables the coupling port in the following cases:
disabling the function
changing the configuration while the connections are operating on the ports
When the device has disabled the coupling port, the Port on checkbox is unmarked in the Basic
Settings > Port dialog, Configuration tab.
State Displays the status of the selected port.
Possible values:
active
The port is active.
standby
The port is in stand-by mode.
not-connected
The port is not connected.
not-applicable
The port is incompatible with the configured control mode.
Partner coupling port
Parameters Meaning
Port Specifies the port on which you connect the partner port.
Possible values:
-
No port selected.
<Port number>
If you also have configured ring ports, then specify the coupling and ring ports on different ports.
State Displays the status of the selected port.
Possible values:
active
The port is active.
standby
The port is in stand-by mode.
not-connected
The port is not connected.
not-applicable
The port is incompatible with the configured control mode.
IP address Displays the IP address of the partner, when the devices are connected.
The prerequisite is that you select a two-switch coupling method and enable the partner in the
network.
Control port
Parameters Meaning
Port Displays the port on which you connect the control line.
Possible values:
-
No port selected.
<Port number>
State Displays the status of the selected port.
Possible values:
active
The port is active.
standby
The port is in stand-by mode.
not-connected
The port is not connected.
not-applicable
The port is incompatible with the configured control mode.
Configuration
Parameters Meaning
Redundancy mode Enables/disables the device to respond to a failure in the remote ring or network.
Possible values:
redundant ring/network coupling
Either the main line or the redundant line is active. Both lines are not active simultaneously. If
the device detects that the link is down between the devices in the connected network, then
the standby device keeps the redundant port in the standby mode.
extended redundancy
The main line and the redundant line are active simultaneously. If the device detects a problem
in the connection between the devices in the connected network, then the standby device
forwards data on the redundant port. With the setting you can maintain continuity in the remote
network.
Note: During the reconfiguration period, packet duplications can occur. Therefore, select this setting only if your application is able to tolerate duplicated packets.
Coupling mode The settings in this frame allow you to couple a specific type of network.
Possible values:
ring coupling
The device couples redundant rings. The device allows you to couple rings that use the
following redundancy protocols:
– HIPER ring
– Fast HIPER ring
– MRP ring
network coupling
The device couples network segments. The function allows you to couple mesh and bus
networks together.
Information
Parameters Meaning
Redundancy available Displays whether or not the redundancy is available. When a component of the ring is down, the redundant line takes over its function.
Possible values:
redGuaranteed
The redundancy is available.
redNotGuaranteed
The redundancy is unavailable.
Configuration failure Displays whether you have configured the function incorrectly or there is no ring port connection.
Possible values:
noError
slaveCouplingLinkError
The coupling line is not connected to the coupling port of the slave device. Instead, the
coupling line is connected to another port of the slave device.
slaveControlLinkError
The control port of the slave device has no data link.
masterControlLinkError
The control line is not connected to the control port of the master device. Instead, the control
line is connected to another port of the master device.
twoSlaves
The control line connects two slave devices.
localPartnerLinkError
The partner coupling line is not connected to the partner coupling port of the slave device.
Instead, the partner coupling line is connected to another port of the slave device in one-
switch coupling mode.
localInvalidCouplingPort
In one-switch coupling mode, the coupling line is not connected on the same device as the
partner line. Instead, the coupling line is connected to another device.
couplingPortNotAvailable
The coupling port is not available because the module to which the port refers is not available
or the port does not exist on this module.
controlPortNotAvailable
The control port is not available because the module to which the port refers is not available
or the port does not exist on this module.
partnerPortNotAvailable
The partner coupling port is not available because the module to which the port refers is not
available or the port does not exist on this module.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Reset Disables the redundancy function and resets the parameters in the dialog to the default setting.
A ring topology provides short transition times with a minimal use of resources. However, this brings the challenge of coupling these rings redundantly to a higher-level network.
If you want to use a standard protocol such as MRP for the ring redundancy and RSTP for coupling the rings together, the Redundant Coupling Protocol provides options to you.
For the Redundant Coupling Protocol, select the following settings in the Switching > L2-Redundancy > RCP dialog:
Note: On the ports of the Redundant Coupling Protocol Primary Ring, exclude a combination with
the following redundancy procedures and settings:
Subring
Network/Ring coupling
Operation
Parameters Meaning
Operation Enables/disables the RCP function.
Possible values:
On
The RCP function is enabled.
Off (default setting)
The RCP function is disabled.
Parameters Meaning
Inner port Specifies the number of the inner port in the primary ring. The port is directly connected to the
partner bridge.
Possible values:
- (default setting)
No port selected.
<Port number>
Outer port Specifies the number of the outer port in the primary ring.
Possible values:
- (default setting)
No port selected.
<Port number>
Coupler configuration
Parameters Meaning
Role Specifies the role of the local device.
Possible values:
master
The device operates as master.
slave
The device operates as slave.
auto (default setting)
The device chooses the role.
Current role Displays the current role of the local device. The value can differ from the configured role:
If you have configured both partner bridges as auto, the partner bridge that is currently coupling the instances takes the master role. The other partner bridge takes the slave role.
If both partner bridges are configured as master or both as slave, the partner bridge with the smaller base MAC address takes the master role. The other partner bridge takes the slave role.
When the protocol is started, if the partner bridge cannot be found for a bridge in the configured role master, slave, or auto, it sets its own role to listening.
If the device detects a configuration problem, for example if the inner ring ports are connected crosswise, the device sets its role to error.
Timeout [ms] Specifies the maximum time in milliseconds during which the slave device waits for test packets
from the master device at the outer ports before it takes over the coupling. This only applies in the
state in which both inner ports of the slave device have lost the connection to the master device.
Configure the timeout longer than the longest interruption time to be expected for the redundancy protocol of the faster instance. Otherwise, loops can occur.
Possible values:
5..60000 (default setting: 250)
Partner MAC address Displays the basic MAC address of the partner device.
Partner IP address Displays the IP address of the partner device.
Coupling state Displays the coupling status of the local device.
Possible values:
forwarding
Coupling state of the port is forwarding.
blocking
Coupling status of the port is blocking.
Redundancy state Displays whether or not the redundancy is available.
For a master-slave configuration, both bridges display this information.
Possible values:
redAvailable
The redundancy is available.
redNotAvailable
The redundancy is unavailable.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
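The tie-break rules stated in the SRM mode description of the Sub Ring dialog above and in the Current role description of this dialog, as an added example that is not Hirschmann code. The function and parameter names, the numeric MAC comparison and the fallback used when auto meets an explicitly configured partner role are assumptions made for this example:

```python
"""Added model of the MAC/port tie-break rules for the subring manager (SRM mode) and the
RCP coupler role (Current role). Example code written for this manual, not device firmware."""
import re
from typing import Optional, Tuple

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])([0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def mac_to_int(mac: str) -> int:
    """Parse a MAC such as '00:80:63:aa:bb:cc' or '00-80-63-AA-BB-CC' into an integer.

    Comparing MAC strings lexicographically would mis-order mixed-case or differently
    delimited input, so both tie-breaks below compare the numeric value."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(re.sub(r"[:-]", "", mac), 16)


def srm_effective_mode(local_mode: str, local_mac: str, local_port: int,
                       partner_mode: str, partner_mac: str, partner_port: int) -> Tuple[str, str]:
    """Return (SRM status, Port status) of the local instance while the subring is closed.

    manager or redundantManager set on both coupling devices: the device with the higher
    MAC address works as redundantManager and blocks its subring port.
    singleManager on both instances of one device: the instance with the higher port
    number blocks its subring port."""
    if local_mode == "singleManager" and partner_mode == "singleManager":
        return "singleManager", ("blocked" if local_port > partner_port else "forwarding")
    if local_mode == partner_mode:            # both manager or both redundantManager
        role = "redundantManager" if mac_to_int(local_mac) > mac_to_int(partner_mac) else "manager"
    else:
        role = local_mode                      # roles differ: each device keeps its setting
    return role, ("blocked" if role == "redundantManager" else "forwarding")


def rcp_current_role(local_role: str, local_mac: str, partner_role: Optional[str] = None,
                     partner_mac: Optional[str] = None, local_is_coupling: bool = False,
                     config_error: bool = False) -> str:
    """Return the Current role of the local RCP bridge from both configured roles."""
    if config_error:
        return "error"            # e.g. inner ring ports connected crosswise
    if partner_role is None:
        return "listening"        # partner bridge not found when the protocol started
    if local_role == "auto" and partner_role == "auto":
        return "master" if local_is_coupling else "slave"
    if local_role == partner_role:            # both master or both slave
        return "master" if mac_to_int(local_mac) < mac_to_int(partner_mac) else "slave"
    if local_role == "auto":
        # Assumption (case not described in the manual): auto yields to the partner's
        # explicit role and takes the complementary one.
        return "slave" if partner_role == "master" else "master"
    return local_role


if __name__ == "__main__":
    print(srm_effective_mode("manager", "00:80:63:00:00:0a", 1, "manager", "00:80:63:00:00:09", 2))
    print(rcp_current_role("master", "00:80:63:00:00:01", "master", "00:80:63:00:00:02"))
```

Note that the two protocols resolve a tie in opposite directions: the higher MAC address becomes the subring redundantManager, while the smaller base MAC address becomes the RCP master.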
6 Diagnostics
The device status provides an overview of the overall condition of the device. Many process
visualization systems record the device status for a device in order to present its condition in graphic
form.
The device displays its current status as error or ok in the Device status frame. The device
determines this status from the individual monitoring results.
The device displays detected faults in the Status tab and also in the Basic Settings > System dialog,
Device Status frame.
[Global ]
Device status
Parameters Meaning
Device status Displays the current status of the device. The device determines the status from the individual
monitored parameters.
Possible values:
error
The device displays this value to indicate a detected error in one of the monitored parameters.
ok
Traps
Parameters Meaning
Send trap Activates/deactivates the sending of SNMP traps when the device detects changes in the
monitored functions.
Possible values:
marked
The sending of SNMP traps is active.
The device sends an SNMP trap when the device detects a change in the monitored functions.
unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Table
Parameters Meaning
Temperature Activates/deactivates the monitoring of the temperature in the device.
Possible values:
marked (default setting)
Monitoring is active.
In the Device status frame, the value changes to error if the temperature exceeds or falls
below the specified limit.
unmarked
Monitoring is inactive.
You specify the temperature thresholds in the Basic Settings > System dialog, Upper temp.
limit [°C] field and Lower temp. limit [°C] field.
Ring redundancy Activates/deactivates the monitoring of the ring redundancy.
Possible values:
marked
Monitoring is active.
In the Device status frame, the value changes to error in the following situations:
– The redundancy function becomes active (loss of redundancy reserve).
– The device is a normal ring participant and detects an error in its settings.
unmarked (default setting)
Monitoring is inactive.
Connection errors Activates/deactivates the monitoring of the port/interface link.
Possible values:
marked
Monitoring is active.
In the Device status frame, the value changes to error if the link interrupts on a monitored
port/interface.
In the Port tab, you have the option of selecting the ports/interfaces to be monitored
individually.
unmarked (default setting)
Monitoring is inactive.
Module removal Activates/deactivates the monitoring of the modules.
Possible values:
marked
Monitoring is active.
In the Device status frame, the value changes to error if you remove a module from the
device.
Further down, you have the option of selecting the modules to be monitored individually.
unmarked (default setting)
Monitoring is inactive.
External memory removal Activates/deactivates the monitoring of the active external memory.
Possible values:
marked
Monitoring is active.
In the Device status frame, the value changes to error if you remove the active external
memory from the device.
unmarked (default setting)
Monitoring is inactive.
You specify the active external memory in the Basic Settings > Load/Save dialog, External
memory frame.
External memory not in sync Activates/deactivates the monitoring of the configuration profile in the device and in the external memory.
Possible values:
marked
Monitoring is active.
In the Device status frame, the value changes to error in the following situations:
– The configuration profile solely exists in the device.
– The configuration profile in the device differs from the configuration profile in the external
memory.
unmarked (default setting)
Monitoring is inactive.
Power supply Activates/deactivates the monitoring of the power supply unit.
Possible values:
marked (default setting)
Monitoring is active.
In the Device status frame, the value changes to error if the device has a detected power
supply fault.
unmarked
Monitoring is inactive.
Module Activates/deactivates the monitoring of this module.
Possible values:
marked
Monitoring is active.
In the Device status frame, the value changes to error if you remove the module from the
device.
unmarked (default setting)
Monitoring is inactive.
This setting is effective when you mark the Module removal checkbox further up.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Port ]
Table
Parameters Meaning
Propagate connection error Activates/deactivates the monitoring of the link on the port/interface.
Possible values:
marked
Monitoring is active.
In the Device status frame, the value changes to error if the link on the selected port/
interface is interrupted.
unmarked (default setting)
Monitoring is inactive.
This setting takes effect when you mark the Connection errors checkbox in the Global tab.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Status ]
Table
Parameters Meaning
Timestamp Displays the date and time of the event in the format Month Day, Year hh:mm:ss AM/PM.
Cause Displays the event which caused the SNMP trap.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
This dialog gives you an overview of the status of the security-relevant settings in the device.
The device displays its current status as error or ok in the Security status frame. The device
determines this status from the individual monitoring results.
The device displays detected faults in the Status tab and also in the Basic Settings > System dialog,
Security status frame.
[Global ]
Security status
Parameters Meaning
Security status Displays the current status of the security-relevant settings in the device. The device determines
the status from the individual monitored parameters.
Possible values:
error
The device displays this value to indicate a detected error in one of the monitored parameters.
ok
Traps
Parameters Meaning
Send trap Activates/deactivates the sending of SNMP traps when the device detects changes in the
monitored functions.
Possible values:
marked
The sending of SNMP traps is active.
The device sends an SNMP trap when the device detects a change in the monitored functions.
unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Table
Parameters Meaning
Password default settings unchanged Activates/deactivates the monitoring of the password for the locally set up user accounts user and admin.
Possible values:
marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if the password for the user or
admin user accounts is the default setting.
unmarked
Monitoring is inactive.
You set the password in the Device Security > User Management dialog.
Min. password length < 8 Activates/deactivates the monitoring of the Min. password length policy.
Possible values:
marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if the value for the Min.
password length policy is less than 8.
unmarked
Monitoring is inactive.
You specify the Min. password length policy in the Device Security > User Management
dialog in the Configuration frame.
Password policy settings deactivated Activates/deactivates the monitoring of the Password policies settings.
Possible values:
marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if the value for at least one of the
following policies is less than 1:
– Upper-case characters (min.)
– Lower-case characters (min.)
– Digits (min.)
– Special characters (min.)
unmarked
Monitoring is inactive.
You specify the policy settings in the Device Security > User Management dialog in the
Password policy frame.
User account password policy check deactivated Activates/deactivates the monitoring of the Policy check function.
Possible values:
marked
Monitoring is active.
In the Security status frame, the value changes to error if for at least 1 user account the
Policy check function is inactive.
unmarked (default setting)
Monitoring is inactive.
You activate the Policy check function in the Device Security > User Management dialog.
Telnet server active Activates/deactivates the monitoring of the Telnet server.
Possible values:
marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if you enable the Telnet server.
unmarked
Monitoring is inactive.
You enable/disable the Telnet server in the Device Security > Management Access > Server
dialog, Telnet tab.
HTTP server active Activates/deactivates the monitoring of the HTTP server.
Possible values:
marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if you enable the HTTP server.
unmarked
Monitoring is inactive.
You enable/disable the HTTP server in the Device Security > Management Access > Server
dialog, HTTP tab.
SNMP unencrypted Activates/deactivates the monitoring of the SNMP server.
Possible values:
marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if at least one of the following
conditions applies:
– The SNMPv1 function is enabled.
– The SNMPv2 function is enabled.
– The encryption for SNMPv3 is disabled.
You enable the encryption in the Device Security > User Management dialog, in the
SNMP encryption type column.
unmarked
Monitoring is inactive.
You specify the settings for the SNMP agent in the Device Security > Management Access >
Server dialog, SNMP tab.
Access to system monitor with V.24 possible Activates/deactivates the monitoring of the system monitor.
When the system monitor is activated, the user can switch to the system monitor via a V.24 connection.
Possible values:
marked
Monitoring is active.
In the Security status frame, the value changes to error if you activate the system
monitor.
unmarked (default setting)
Monitoring is inactive.
You activate/deactivate the system monitor in the Diagnostics > System > Selftest dialog.
Saving the configuration profile on the external memory possible Activates/deactivates the monitoring of the configuration profile in the external memory.
Possible values:
marked
Monitoring is active.
In the Security status frame, the value changes to error if you activate the saving of the
configuration profile in the external memory.
unmarked (default setting)
Monitoring is inactive.
You activate/deactivate the saving of the configuration profile in the external memory in the Basic
Settings > External Memory dialog.
Load unencrypted config from external memory   Activates/deactivates the monitoring of loading unencrypted configuration profiles from the external memory.
Possible values:
marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error when the settings allow the
device to load an unencrypted configuration profile from the external memory.
The Security status frame in the Basic Settings > System dialog, displays an alarm if
the following preconditions are fulfilled:
– The configuration profile stored in the external memory is unencrypted.
and
– The Config priority column in the Basic Settings > External Memory dialog has
the value first or second.
unmarked
Monitoring is inactive.
Link interrupted on enabled device ports   Activates/deactivates the monitoring of the link on the active ports.
Possible values:
marked
Monitoring is active.
In the Security status frame, the value changes to error if the link interrupts on an active
port. In the Port tab, you have the option of selecting the ports to be monitored individually.
unmarked (default setting)
Monitoring is inactive.
Access with HiDiscovery possible   Activates/deactivates the monitoring of the HiDiscovery function.
Possible values:
marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if you enable the HiDiscovery
function.
unmarked
Monitoring is inactive.
You enable/disable the HiDiscovery function in the Basic Settings > Network dialog.
Parameters Meaning
IEC61850-MMS active   Activates/deactivates the monitoring of the IEC61850-MMS function.
Possible values:
marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if you enable the IEC61850-MMS
function.
unmarked
Monitoring is inactive.
You enable/disable the IEC61850-MMS function in the Industrial Protocols > IEC61850-MMS
dialog, Operation frame.
Modbus TCP active Activates/deactivates the monitoring of the Modbus TCP function.
Possible values:
marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if you enable the Modbus TCP
function.
unmarked
Monitoring is inactive.
You enable/disable the Modbus TCP function in the Advanced > Industrial Protocols >
Modbus TCP dialog, Operation frame.
EtherNet/IP active Activates/deactivates the monitoring of the EtherNet/IP function.
Possible values:
marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if you enable the EtherNet/IP
function.
unmarked
Monitoring is inactive.
You enable/disable the EtherNet/IP function in the Advanced > Industrial Protocols >
EtherNet/IP dialog, Operation frame.
PROFINET active Activates/deactivates the monitoring of the PROFINET function.
Possible values:
marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if you enable the PROFINET
function.
unmarked
Monitoring is inactive.
You enable/disable the PROFINET function in the Advanced > Industrial Protocols >
PROFINET dialog, Operation frame.
Self-signed HTTPS certificate present   Activates/deactivates the monitoring of the HTTPS certificate.
Possible values:
marked (default setting)
Monitoring is active.
In the Security status frame, the value changes to error if the HTTPS server uses a self-created digital certificate.
unmarked
Monitoring is inactive.
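The Python program below is an added example; it is not part of HiOS or of this manual. It evaluates the Global tab monitors described above against a configuration snapshot and returns the resulting Security status value together with the causes, so you can see which combination of settings produces error. The DeviceConfig fields, the evaluate_security_status() function and the two constructed configurations are assumptions made for the illustration; the conditions and the default state of each checkbox follow the parameter descriptions above.

```python
"""Evaluate the Security Status monitors of the Global tab.

Added example, not HiOS code. DeviceConfig, evaluate_security_status()
and the constructed configurations are assumptions for the illustration;
the error conditions and checkbox defaults follow the dialog description.
"""
from dataclasses import dataclass, field


@dataclass
class DeviceConfig:
    # Constructed snapshot of the settings the monitors look at.
    telnet_server: bool = False
    http_server: bool = False
    snmpv1: bool = False
    snmpv2: bool = False
    snmpv3_encryption: bool = True
    sysmon_available: bool = True          # Diagnostics > System > Selftest
    save_config_to_external_memory: bool = False
    external_config_encrypted: bool = True
    external_config_priority: str = "disable"   # "disable", "first" or "second"
    hidiscovery: bool = False
    iec61850_mms: bool = False
    modbus_tcp: bool = False
    ethernet_ip: bool = False
    profinet: bool = False
    https_cert_self_signed: bool = True
    enabled_ports_link_down: list = field(default_factory=list)


# Monitor name -> default state of its checkbox, as listed in the dialog.
DEFAULT_MONITORS = {
    "Telnet server active": True,
    "HTTP server active": True,
    "SNMP unencrypted": True,
    "Access to system monitor with V.24 possible": False,
    "Saving the configuration profile on the external memory possible": False,
    "Load unencrypted config from external memory": True,
    "Link interrupted on enabled device ports": False,
    "Access with HiDiscovery possible": True,
    "IEC61850-MMS active": True,
    "Modbus TCP active": True,
    "EtherNet/IP active": True,
    "PROFINET active": True,
    "Self-signed HTTPS certificate present": True,
}


def _conditions(cfg: DeviceConfig) -> dict:
    """Map each monitor to whether its error condition currently holds."""
    return {
        "Telnet server active": cfg.telnet_server,
        "HTTP server active": cfg.http_server,
        "SNMP unencrypted": cfg.snmpv1 or cfg.snmpv2 or not cfg.snmpv3_encryption,
        "Access to system monitor with V.24 possible": cfg.sysmon_available,
        "Saving the configuration profile on the external memory possible":
            cfg.save_config_to_external_memory,
        # Both preconditions must hold: unencrypted profile AND priority first/second.
        "Load unencrypted config from external memory":
            (not cfg.external_config_encrypted)
            and cfg.external_config_priority in ("first", "second"),
        "Link interrupted on enabled device ports": bool(cfg.enabled_ports_link_down),
        "Access with HiDiscovery possible": cfg.hidiscovery,
        "IEC61850-MMS active": cfg.iec61850_mms,
        "Modbus TCP active": cfg.modbus_tcp,
        "EtherNet/IP active": cfg.ethernet_ip,
        "PROFINET active": cfg.profinet,
        "Self-signed HTTPS certificate present": cfg.https_cert_self_signed,
    }


def evaluate_security_status(cfg: DeviceConfig, monitors: dict = None) -> tuple:
    """Return (status, causes): status is "ok" or "error", causes lists the
    monitored conditions that currently trigger the error."""
    monitors = DEFAULT_MONITORS if monitors is None else monitors
    causes = [name for name, hit in _conditions(cfg).items()
              if monitors.get(name, False) and hit]
    return ("error" if causes else "ok"), causes


if __name__ == "__main__":
    # Constructed "as shipped" device: HTTP, SNMPv1 and HiDiscovery enabled.
    factory = DeviceConfig(http_server=True, hidiscovery=True, snmpv1=True)
    print(evaluate_security_status(factory))
    # Hardened: only encrypted access, CA-signed certificate, no system monitor.
    hardened = DeviceConfig(sysmon_available=False, https_cert_self_signed=False)
    print(evaluate_security_status(hardened))
```

Load unencrypted config from external memory only reports an error when both preconditions hold: the profile in the external memory is unencrypted and Config priority is first or second. A monitor whose checkbox is unmarked never contributes, which is why the factory configuration does not flag the system monitor although it is available.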
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Port]
Table
Parameters Meaning
Link interrupted on enabled device ports   Activates/deactivates the monitoring of the link on the active ports.
Possible values:
marked
Monitoring is active.
In the Security status frame, the value changes to error when the port is enabled (Basic
Settings > Port dialog, Configuration tab, Port on checkbox is marked) and the link is
down on the port.
unmarked (default setting)
Monitoring is inactive.
This setting takes effect when you mark the Link interrupted on enabled device ports
checkbox in the Diagnostics > Status Configuration > Security Status dialog, Global
tab.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Status]
Table
Parameters Meaning
Timestamp Displays the date and time of the event in the format, Month Day, Year hh:mm:ss AM/PM.
Cause Displays the event which caused the SNMP trap.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
The signal contact is a potential-free relay contact. The device thus allows you to perform remote
diagnosis. The device uses the relay contact to signal the occurrence of events by opening the relay
contact and interrupting the closed circuit.
Note: The device can contain several signal contacts. Each contact contains the same monitoring
functions. Several contacts allow you to group various functions together providing flexibility in system
monitoring.
The menu contains the following dialogs:
Signal Contact 1 / Signal Contact 2
Diagnostics > Status Configuration > Signal Contact > Signal Contact 1
In this dialog you specify the trigger conditions for the signal contact.
The signal contact gives you the following options:
Monitoring the correct operation of the device.
Signaling the device status of the device.
Signaling the security status of the device.
Controlling external devices by manually setting the signal contacts.
The device displays detected faults in the Status tab and also in the Basic Settings > System dialog,
Signal contact status frame.
[Global]
Configuration
Parameters Meaning
Mode Specifies which events the signal contact indicates.
Possible values:
Manual setting (default setting for Signal Contact 2, if present)
You use this setting to manually open or close the signal contact, for example to turn on or off
a remote device. See the Contact option list.
Monitoring correct operation (default setting)
Using this setting the signal contact indicates the status of the parameters specified in the table
below.
Device status
Using this setting the signal contact indicates the status of the parameters monitored in the
Diagnostics > Status Configuration > Device Status dialog. In addition, you can read
the status in the Signal contact status frame.
Security status
Using this setting the signal contact indicates the status of the parameters monitored in the
Diagnostics > Status Configuration > Security Status dialog. In addition, you can
read the status in the Signal contact status frame.
Device/Security status
Using this setting the signal contact indicates the status of the parameters monitored in the
Diagnostics > Status Configuration > Device Status and the Diagnostics > Status
Configuration > Security Status dialog. In addition, you can read the status in the
Signal contact status frame.
Contact Toggles the signal contact manually. The prerequisite is that you select the value Manual setting
in the Mode drop-down list.
Possible values:
open
The signal contact is opened.
close
The signal contact is closed.
Parameters Meaning
Signal contact status   Displays the current status of the signal contact.
Possible values:
Opened (error)
The signal contact is opened. The circuit is interrupted.
Closed (ok)
The signal contact is closed. The circuit is closed.
Trap configuration
Parameters Meaning
Send trap Activates/deactivates the sending of SNMP traps when the device detects changes in the
monitored functions.
Possible values:
marked
The sending of SNMP traps is active.
The device sends an SNMP trap when the device detects a change in the monitored functions.
unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Parameters Meaning
Temperature Activates/deactivates the monitoring of the temperature in the device.
Possible values:
marked (default setting)
Monitoring is active.
The signal contact opens if the temperature exceeds / falls below the threshold values.
unmarked
Monitoring is inactive.
You specify the temperature thresholds in the Basic Settings > System dialog, Upper temp.
limit [°C] field and Lower temp. limit [°C] field.
Ring redundancy Activates/deactivates the monitoring of the ring redundancy.
Possible values:
marked
Monitoring is active.
The signal contact opens in the following situations:
– The redundancy function becomes active (loss of redundancy reserve).
– The device is a normal ring participant and detects an error in its settings.
unmarked (default setting)
Monitoring is inactive.
Connection errors Activates/deactivates the monitoring of the port/interface link.
Possible values:
marked
Monitoring is active.
The signal contact opens if the link interrupts on a monitored port/interface.
In the Port tab, you have the option of selecting the ports/interfaces to be monitored
individually.
unmarked (default setting)
Monitoring is inactive.
Module removal Activates/deactivates the monitoring of the modules.
Possible values:
marked
Monitoring is active.
The signal contact opens if you remove a module from the device.
Further down, you have the option of selecting the modules to be monitored individually.
unmarked (default setting)
Monitoring is inactive.
Parameters Meaning
External memory removed   Activates/deactivates the monitoring of the active external memory.
Possible values:
marked
Monitoring is active.
The signal contact opens if you remove the active external memory from the device.
unmarked (default setting)
Monitoring is inactive.
You specify the active external memory in the Basic Settings > Load/Save dialog, External
memory frame.
External memory not in sync with NVM   Activates/deactivates the monitoring of the configuration profile in the device and in the external memory.
Possible values:
marked
Monitoring is active.
The signal contact opens in the following situations:
– The configuration profile solely exists in the device.
– The configuration profile in the device differs from the configuration profile in the external
memory.
unmarked (default setting)
Monitoring is inactive.
Power supply Activates/deactivates the monitoring of the power supply unit.
Possible values:
marked (default setting)
Monitoring is active.
The signal contact opens if the device has a detected power supply fault.
unmarked
Monitoring is inactive.
Module Activates/deactivates the monitoring of this module.
Possible values:
marked
Monitoring is active.
The signal contact opens if you remove this module from the device.
unmarked (default setting)
Monitoring is inactive.
This setting is effective when you mark the Module removal checkbox further up.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Port]
Table
Parameters Meaning
Propagate connection error   Activates/deactivates the monitoring of the link on the port/interface.
Possible values:
marked
Monitoring is active.
The signal contact opens if the link interrupts on the selected port/interface.
unmarked (default setting)
Monitoring is inactive.
This setting takes effect when you mark the Connection errors checkbox in the Global tab.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Status]
Table
Parameters Meaning
Timestamp Displays the date and time of the event in the format, Month Day, Year hh:mm:ss AM/PM.
Cause Displays the event which caused the SNMP trap.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
The device allows you to track changes in the network using the MAC address of the devices in the
network. The device saves the combination of port and MAC address in its MAC address table. When
the device (un)learns the MAC address of a (dis)connected device, the device sends an SNMP trap.
This function is intended for ports to which you connect end devices and thus the MAC address changes
infrequently.
Operation
Parameters Meaning
Operation Enables/disables the MAC Notification function on the device.
Possible values:
On
The MAC Notification function is enabled.
Off (default setting)
The MAC Notification function is disabled.
Configuration
Parameters Meaning
Interval [s] Specifies the send interval in seconds. When the device (un)learns the MAC address of a
(dis)connected device, it sends an SNMP trap after this time.
Possible values:
0..2147483647 (default setting: 30)
Before sending an SNMP trap, the device registers up to 20 MAC addresses. If the device detects
a high number of changes, it sends the SNMP trap before the send interval expires.
Table
Parameters Meaning
Port Displays the port number.
Active Activates/deactivates the MAC Notification function on the port.
Possible values:
marked
The MAC Notification function is active on the port.
The device sends an SNMP trap in case of one of the following events:
– The device learns the MAC address of a newly connected device.
– The device unlearns the MAC address of a disconnected device.
unmarked (default setting)
The MAC Notification function is inactive on the port.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Last MAC address Displays the MAC address of the device last connected on or disconnected from the port.
The device detects the MAC addresses of devices which are connected as follows:
– directly connected to the port
– connected to the port through other devices in the network
Parameters Meaning
Last MAC status Displays the status of the Last MAC address value on this port.
Possible values:
added
The device detected that another device was connected at the port.
removed
The device detected that the connected device was removed from the port.
other
The device did not detect a status.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
The device offers you the option of sending an SNMP trap as a reaction to specific events. In this dialog,
you specify the trap destinations to which the device sends the SNMP traps.
The events for which the device triggers an SNMP trap, you specify, for example, in the following
dialogs:
in the Diagnostics > Status Configuration > Device Status dialog
in the Diagnostics > Status Configuration > Security Status dialog
in the Diagnostics > Status Configuration > MAC Notification dialog
Operation
Parameters Meaning
Operation Enables/disables the sending of SNMP traps to the trap destinations.
Possible values:
On (default setting)
The sending of SNMP traps is enabled.
Off
The sending of SNMP traps is disabled.
Table
Parameters Meaning
Name Specifies the name of the trap destination.
Possible values:
Alphanumeric ASCII character string with 1..32 characters
Address Specifies the IP address and the port number of the trap destination.
Possible values:
<Valid IPv4 address>:<port number>
Active Activates/deactivates the sending of SNMP traps to this trap destination.
Possible values:
marked (default setting)
The sending of SNMP traps to this trap destination is active.
unmarked
The sending of SNMP traps to this trap destination is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Opens the Create window to add a new entry to the table.
In the Name field you specify a name for the trap destination.
In the Address field you specify the IP address and the port number of the trap destination.
If you choose not to enter a port number, the device automatically adds the port number 162.
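The Python program below is an added example, not HiOS code or part of this manual. It illustrates two points from the MAC Notification and Alarms (Traps) dialogs above: how the device batches learned/unlearned MAC addresses into traps (up to 20 addresses per trap, sent when Interval [s] expires or earlier when the batch is full), and how a trap destination written as <IPv4 address>:<port number> is parsed, with port 162 added when the port is omitted. MacNotifier, parse_trap_destination() and the constructed burst of 25 end devices in run_demo() are assumptions for the illustration.

```python
"""Batching of MAC Notification traps and trap destination parsing.

Added example, not HiOS code. MacNotifier, parse_trap_destination() and
run_demo() are assumptions for the illustration; the batching rule and
the default trap port 162 come from the dialog descriptions.
"""
import ipaddress

MAX_ADDRESSES_PER_TRAP = 20
DEFAULT_TRAP_PORT = 162


def parse_trap_destination(address: str) -> tuple:
    """'<IPv4 address>[:<port>]' -> (ip, port). Port 162 is added when omitted."""
    host, sep, port = address.partition(":")
    ip = ipaddress.IPv4Address(host)          # raises ValueError on a bad address
    port_num = int(port) if sep else DEFAULT_TRAP_PORT
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range: {port_num}")
    return str(ip), port_num


class MacNotifier:
    """Collects learned/unlearned MAC addresses and emits batched traps."""

    def __init__(self, interval_s: int = 30, destinations=()):
        self.interval_s = interval_s
        self.destinations = [parse_trap_destination(d) for d in destinations]
        self.pending = []            # (port, mac, "added"/"removed") not yet sent
        self.first_pending_at = None
        self.sent_traps = []         # what would have gone out, for inspection

    def record(self, now: int, port: int, mac: str, status: str) -> None:
        """Register one change; flush early when 20 addresses are pending."""
        if not self.pending:
            self.first_pending_at = now
        self.pending.append((port, mac, status))
        if len(self.pending) >= MAX_ADDRESSES_PER_TRAP:
            self._flush(now)

    def tick(self, now: int) -> None:
        """Called periodically; sends pending changes once the interval elapsed."""
        if self.pending and now - self.first_pending_at >= self.interval_s:
            self._flush(now)

    def _flush(self, now: int) -> None:
        batch, self.pending = self.pending, []
        self.first_pending_at = None
        for dest in self.destinations:       # one trap per active destination
            self.sent_traps.append({"at": now, "to": dest, "changes": batch})


def run_demo() -> MacNotifier:
    """Constructed burst: 25 end devices appear on port 1 within 25 s."""
    n = MacNotifier(interval_s=30, destinations=["192.0.2.10", "192.0.2.11:10162"])
    for i in range(25):
        n.record(now=i, port=1, mac=f"00:80:63:00:00:{i:02x}", status="added")
    n.tick(now=30)    # 5 changes pending since t=20: interval not yet over
    n.tick(now=50)    # 30 s after the first pending change: trap goes out
    return n


if __name__ == "__main__":
    for trap in run_demo().sent_traps:
        print(trap["at"], trap["to"], len(trap["changes"]), "changes")
```

In the constructed burst the first trap leaves at t=19, as soon as 20 addresses are pending, and the remaining 5 addresses leave at t=50, one interval after the first of them was learned. Each flush produces one trap per destination, so a receiver that sees a trap before the interval has expired should treat it as a sign of many changes on the port rather than a timing error.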
6.2 System
This dialog displays the current operating condition of individual components in the device. The
displayed values are a snapshot; they represent the operating condition at the time the dialog was
loaded.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Save system information   Opens the HTML page in a new web browser window or tab. You can save the HTML page on your PC using the appropriate web browser command.
This dialog provides information about the distribution and state of the flash memory of the device.
Information
Parameters Meaning
Uptime Displays the total operating time of the device since it was delivered.
Possible values:
..d ..h ..m ..s
Day(s) Hour(s) Minute(s) Second(s)
Table
Parameters Meaning
Flash region Displays the name of the respective memory area.
Description Displays a description of what the device uses the memory area for.
Flash sectors Displays how many sectors are assigned to the memory area.
Sector erase operations   Displays how many times the device has overwritten the sectors of the memory area.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
The device allows you to compare the settings in the device with the settings in its neighboring devices.
For this purpose, the device uses the information that it received from its neighboring devices through
topology recognition (LLDP).
The dialog lists the deviations detected, which affect the performance of the communication between
the device and the recognized neighboring devices.
You update the content of the table by clicking the button. If the table remains empty, the
configuration check was successful and the settings in the device are compatible with the settings in
the detected neighboring devices.
Summary
You also find this information, when you position the mouse pointer over the button in the
Toolbar in the top part of the Navigation area.
Parameters Meaning
Error Displays the number of errors that the device detected during the configuration check.
Warning Displays the number of warnings that the device detected during the configuration check.
Information Displays the number of information messages that the device detected during the configuration check.
Table
When you highlight a row in the table, the device displays additional information in the area beneath
it.
Parameters Meaning
ID Displays the rule ID of the deviations having occurred. The dialog combines several deviations
with the same rule ID under one rule ID.
Level Displays the level of deviation between the settings in this device and the settings in the detected
neighboring devices.
The device differentiates between the following levels:
INFORMATION
The performance of the communication between the two devices is not impaired.
WARNING
The performance of the communication between the two devices is possibly impaired.
ERROR
The communication between the two devices is impaired.
Message Displays the information, warnings and errors having occurred more precisely.
Note: A neighboring device without LLDP support, which forwards LLDP packets, may be the cause
of ambiguous messages in the dialog. This occurs if the neighboring device is a hub or an unmanaged
switch, which ignores the IEEE 802.1D-2004 standard.
In this case, the dialog displays the devices recognized and connected to the neighboring device as
connected to the device itself, even though they are connected to the neighboring device.
Note: If you have set up more than 39 VLANs on the device, then the dialog always displays a
warning. The reason is the limited number of possible VLAN data sets in LLDP packets with a
maximum length. The device compares the first 39 VLANs automatically.
If you have set up 40 or more VLANs on the device, then check the congruence of the further VLANs
manually, if necessary.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Using the IP Address Conflict Detection function the device verifies that its IP address is unique
in the network. For this purpose, the device analyzes received ARP packets.
In this dialog you specify the procedure with which the device detects address conflicts and specify the
required settings for this.
The device displays detected address conflicts in the table.
Whenever the device detects an address conflict, the status LED of the device flashes red 4 times.
Operation
Parameters Meaning
Operation Enables/disables the IP Address Conflict Detection function.
Possible values:
On (default setting)
The IP Address Conflict Detection function is enabled.
The device verifies that its IP address is unique in the network.
Off
The IP Address Conflict Detection function is disabled.
Configuration
Parameters Meaning
Detection mode Specifies the procedure with which the device detects address conflicts.
Possible values:
active and passive (default setting)
The device uses active and passive address conflict detection.
active
Active address conflict detection. The device actively avoids communicating with an IP
address that already exists in the network. The address conflict detection begins as soon as
you connect the device to the network or change its IP parameters.
– The device sends 4 ARP probe data packets at the interval specified in the Detection
delay [ms] field. If the device receives a response to these data packets, there is an
address conflict.
– If the device does not detect an address conflict, it sends 2 gratuitous ARP data packets
as an announcement. The device also sends these data packets when the address conflict
detection is disabled.
– If the IP address already exists in the network, the device changes back to the previously
used IP parameters (if possible).
If the device receives its IP parameters from a DHCP server, it sends a DHCPDECLINE
message back to the DHCP server.
– After the period specified in the Release delay [s] field, the device checks whether the
address conflict still exists. If the device detects 10 address conflicts one after the other, it
extends the waiting time to 60 s for the next check.
– When the address conflict has been resolved, the device management returns to the
network again.
passive
Passive address conflict detection. The device analyzes the data traffic in the network. If
another device in the network is using the same IP address, the device initially “defends” its IP
address. The device stops sending if the other device keeps sending with the same IP
address.
– As a “defence” the device sends gratuitous ARP data packets. The device repeats this
procedure for the number of times specified in the Address protections field.
– If the other device continues sending with the same IP address, after the period specified
in the Release delay [s] field, the device periodically checks whether the address
conflict still exists.
– When the address conflict has been resolved, the device management returns to the
network again.
Send periodic ARP probes   Activates/deactivates the periodic address conflict detection.
Possible values:
marked (default setting)
The periodic address conflict detection is active.
– The device periodically sends an ARP probe data packet every 90 to 150 seconds and
waits for the time specified in the Detection delay [ms] field for a response.
– If the device detects an address conflict, it applies the passive detection mode function. If
the Send trap function is active, the device sends an SNMP trap.
unmarked
The periodic address conflict detection is inactive.
Detection delay [ms]   Specifies the period in milliseconds for which the device waits for a response after sending an ARP data packet.
Possible values:
20..500 (default setting: 200)
Release delay [s] Specifies the period in seconds after which the device checks again whether the address conflict
still exists.
Possible values:
3..3600 (default setting: 15)
Address protections   Specifies how many times the device sends gratuitous ARP data packets in the passive detection mode to “defend” its IP address.
Possible values:
0..100 (default setting: 3)
Parameters Meaning
Protection interval [ms]   Specifies the period in milliseconds after which the device sends gratuitous ARP data packets again in the passive detection mode to “defend” its IP address.
Possible values:
20..5000 (default setting: 200)
Send trap Activates/deactivates the sending of SNMP traps when the device detects address conflicts.
Possible values:
marked
The sending of SNMP traps is active.
The device sends an SNMP trap when it detects an address conflict.
unmarked (default setting)
The sending of SNMP traps is inactive.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
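The Python program below is an added example, not HiOS code or part of this manual. It simulates the active and passive procedures described in the Detection mode parameter above against a constructed network, so that the sequence of probes, announcements, reversion to the previous IP parameters, the 60 s back-off after 10 consecutive conflicts and the passive “defend, then go quiet” behaviour can be followed step by step. FakeNetwork, ConflictDetector, the action log format and the sample addresses are assumptions for the illustration; the counts and delays are taken from the dialog description and its default values.

```python
"""Simulation of the active and passive address conflict procedures.

Added example, not HiOS code. FakeNetwork, ConflictDetector and the log
format are assumptions for the illustration; the 4 probes, 2 announcements,
reversion to the previous IP parameters, DHCPDECLINE, the 60 s back-off after
10 consecutive conflicts and the passive defence follow the dialog description.
"""
from dataclasses import dataclass, field
from typing import Optional


class FakeNetwork:
    """Constructed ARP responder: answers probes for addresses already in use."""

    def __init__(self, in_use: dict):
        self.in_use = dict(in_use)        # ip -> MAC of the station using it

    def probe(self, ip: str) -> Optional[str]:
        return self.in_use.get(ip)        # MAC of the conflicting station, or None


@dataclass
class ConflictDetector:
    net: FakeNetwork
    own_mac: str
    detection_delay_ms: int = 200         # Detection delay [ms]
    release_delay_s: int = 15             # Release delay [s]
    address_protections: int = 3          # Address protections
    protection_interval_ms: int = 200     # Protection interval [ms]
    ip: Optional[str] = None              # current management IP address
    consecutive_conflicts: int = 0
    conflicts: list = field(default_factory=list)   # rows of the conflict table
    log: list = field(default_factory=list)         # actions, for inspection

    def activate(self, new_ip: str, from_dhcp: bool = False) -> bool:
        """Active detection, run when the IP parameters change. Returns True
        when new_ip was taken over, False when a conflict was detected."""
        answers = [self.net.probe(new_ip) for _ in range(4)]   # 4 ARP probes
        self.log.append(("probes", new_ip, 4, self.detection_delay_ms))
        other = next((mac for mac in answers if mac), None)
        if other is not None:
            return self._conflict(new_ip, other, from_dhcp)
        for _ in range(2):                # no answer: announce the address
            self.log.append(("announce", new_ip))
        self.ip = new_ip
        self.consecutive_conflicts = 0
        return True

    def _conflict(self, ip: str, other_mac: str, from_dhcp: bool) -> bool:
        self.conflicts.append((ip, other_mac))
        self.consecutive_conflicts += 1
        if from_dhcp:
            self.log.append(("dhcpdecline", ip))   # hand the lease back
        self.log.append(("revert", self.ip))       # keep the previous parameters, if any
        # re-check after Release delay; after 10 conflicts in a row wait 60 s
        wait = 60 if self.consecutive_conflicts >= 10 else self.release_delay_s
        self.log.append(("recheck_in_s", wait))
        return False

    def on_arp(self, sender_ip: str, sender_mac: str) -> str:
        """Passive detection: another station sends with our IP address."""
        if sender_ip != self.ip or sender_mac == self.own_mac:
            return "ignored"
        self.conflicts.append((sender_ip, sender_mac))
        for _ in range(self.address_protections):   # "defend" with gratuitous ARP
            self.log.append(("defend", self.ip, self.protection_interval_ms))
            if self.net.probe(self.ip) is None:     # the other station gave up
                return "defended"
        # still contested: stop sending, check again after Release delay
        self.log.append(("silent_until_recheck_s", self.release_delay_s))
        return "conflict_persists"


if __name__ == "__main__":
    net = FakeNetwork({"192.0.2.99": "00:11:22:33:44:55"})   # constructed
    d = ConflictDetector(net, own_mac="00:80:63:aa:bb:cc")
    print(d.activate("192.0.2.20"), d.ip)      # True, address taken over
    print(d.activate("192.0.2.99"), d.ip)      # False, stays on 192.0.2.20
    for entry in d.log:
        print(entry)
```

The passive path is where the security caveat lies: an attacker who keeps answering with the device's IP address forces the device management off the network after Address protections defences, and it only returns after Release delay. A value of 0 for Address protections makes the device give up without defending at all, so keep the default unless you have a reason to change it, and enable Send trap so the conflict table entry also reaches your monitoring.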
Information
Parameters Meaning
Conflict detected Displays whether an address conflict currently exists.
Possible values:
marked
The device detects an address conflict.
unmarked
The device does not detect an address conflict.
Table
Parameters Meaning
Timestamp Displays the time at which the device detected an address conflict.
Port Displays the number of the port on which the device detected the address conflict.
IP address Displays the IP address that is causing the address conflict.
MAC address Displays the MAC address of the device with which the address conflict exists.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
6.2.5 ARP
This dialog displays the MAC and IP addresses of the neighboring devices connected to the device
management.
Table
Parameters Meaning
Port Displays the port number.
IP address Displays the IP address of a device that responded to an ARP query to this port.
MAC address Displays the MAC address of a device that responded to an ARP query to this port.
Last updated Displays the time in seconds since the current settings of the entry were registered in the ARP
table.
Type Displays the type of the ARP entry.
Possible values:
static
Static ARP entry. The ARP entry is kept when the ARP table is deleted.
dynamic
Dynamic ARP entry. The device deletes the ARP entry when the Aging time [s] has been
exceeded, if the device does not receive any data from this device during this time.
local
IP and MAC address of the device management.
Active Displays that the ARP table contains the IP/MAC address assignment as an active entry.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Reset ARP table Removes the dynamically set up addresses from the ARP table.
6.2.6 Selftest
Configuration
Parameters Meaning
RAM test Activates/deactivates the RAM memory check during the restart.
Possible values:
marked (default setting)
The RAM memory check is activated. During the restart, the device checks the RAM memory.
unmarked
The RAM memory check is deactivated. This shortens the start time for the device.
SysMon1 is available   Activates/deactivates the access to the system monitor during the restart.
Possible values:
marked (default setting)
The device allows you to open the system monitor during the restart.
unmarked
The device starts without the option of opening the system monitor.
Among other things, the system monitor allows you to update the device software and to delete
saved configuration profiles.
Load default config on error   Activates/deactivates the loading of the default settings if the device does not detect any readable configuration profile when it is restarting.
Possible values:
marked (default setting)
The device loads the default settings.
unmarked
The device interrupts the restart and stops. The management access to the device is possible
exclusively using the CLI through the V.24 interface.
To regain the access to the device through the network, open the system monitor and reset
the settings. Upon restart, the device loads the default settings.
Note: The following settings block your access to the device permanently if the device does not
detect any readable configuration profile when it is restarting. This is the case, for example, if the
password of the configuration profile that you are loading differs from the password set in the device.
SysMon1 is available checkbox is unmarked.
Load default config on error checkbox is unmarked.
To have the device unlocked again, contact your sales partner.
Table
In this table you specify how the device behaves in the case of an error.
Parameters Meaning
Cause Error causes to which the device reacts.
Possible values:
task
The device detects errors in the applications executed, for example if a task terminates or is
not available.
resource
The device detects errors in the resources available, for example if the memory is becoming
scarce.
software
The device detects software errors, for example an error in the consistency check.
hardware
The device detects hardware errors, for example in the chip set.
Action Specifies how the device behaves if the adjacent event occurs.
Possible values:
reboot (default setting)
The device triggers a restart.
logOnly
The device registers the detected error in the log file. See the Diagnostics > Report >
System Log dialog.
sendTrap
The device sends an SNMP trap.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
The device allows you to inform multiple recipients by email about events that have occurred.
The device sends the emails immediately or periodically depending on the event severity. Usually you
specify events with a high severity to be sent immediately.
You can specify multiple recipients to which the device sends the emails either immediately or
periodically.
The menu contains the following dialogs:
Email Notification Global
Email Notification Recipients
Email Notification Mail Server
In this dialog, you specify the sender settings. Also, you specify for which event severities the device
sends the emails immediately and for which periodically.
Operation
Parameters Meaning
Operation Enables/disables the sending of emails:
Possible values:
On
The sending of emails is enabled.
Off (default setting)
The sending of emails is disabled.
Certificate
The device can send messages to a server over insecure networks. To help prevent a man-in-the-middle
attack, request that the Certificate Authority create a certificate for the server. Configure the server to
use the certificate, then upload the certificate to the device.
When you specify the settings for the mail servers, use the IP address or DNS name provided as Common
Name or Subject Alternative Name in the certificate. Otherwise the certificate validation fails.
Parameters Meaning
URL Specifies the path and file name of the certificate.
The device accepts certificates with the following properties:
– X.509 format
– .PEM file name extension
– Base64-coded, enclosed by
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
For security reasons, we recommend always using a certificate which is signed by a certification
authority.
The device gives you the following options for copying the certificate to the device:
Import from the PC
If the certificate is located on your PC or on a network drive, drag and drop the certificate in the
area. Alternatively click in the area to select the certificate.
Import from an FTP server
If the certificate is on a FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<path>/<file name>
Import from a TFTP server
If the certificate is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
Import from an SCP or SFTP server
If the certificate is on an SCP or SFTP server, you specify the URL for the file in the following
form:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you
enter User name and Password to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start Copies the certificate specified in the URL field to the device.
Sender
Parameters Meaning
Address Specifies the email address of the device.
The device sends the emails using this email address as the sender.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
(default setting: switch@hirschmann.com)
Notification immediate
Here you specify the settings for emails which the device sends immediately.
Parameters Meaning
Severity Specifies the minimum severity of events for which the device immediately sends an email. If an
event of this severity occurs, or of a more urgent severity, the device sends an email to the
recipients.
Possible values:
emergency
alert (default setting)
critical
error
warning
notice
informational
debug
Subject Specifies the subject of the email.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
Notification periodic
Here you specify the settings for emails which the device sends periodically.
Parameters Meaning
Severity Specifies the minimum severity of events for which the device periodically sends an email. If an
event of this severity occurs, or of a more urgent severity, the device registers the event in the
buffer. The device sends the buffer content periodically or when the buffer overflows.
If an event of a less urgent severity occurs, the device does not register the event in the buffer.
Possible values:
emergency
alert
critical
error
warning (default setting)
notice
informational
debug
Subject Specifies the subject of the email.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
Sending interval [min] Specifies the send interval in minutes.
If the device has registered at least 1 event, it sends an email with the log file after the time expires.
Possible values:
30..1440 (default setting: 30)
Send Sends an email immediately with the buffer content and clears the buffer.
Information
Parameters Meaning
Sent messages Displays how many times the device has successfully sent an email to the mail server.
Undeliverable messages Displays how many times the device has unsuccessfully tried to send an email to the mail server.
Time of the last messages sent Displays the date and time at which the device last sent an email to the mail server.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Severity Meaning
emergency Device not ready for operation
alert Immediate user intervention required
critical Critical status
error Error status
warning Warning
notice Significant, normal status
informational Informal message
debug Debug message
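The two severity filters above work on one ordered scale (emergency is the most urgent, debug the least), and an event can take both paths: it is emailed at once if it reaches the immediate threshold, and it is also collected for the periodic email if it reaches the periodic threshold, with the buffer going out when the Sending interval expires, when the buffer overflows, or when you click Send. The following Go program is an added illustration of that logic, not firmware or code from Hirschmann; the buffer size (BufferLimit), the minute-based clock and the behaviour of Send on an empty buffer are assumptions, since the manual does not state them.

```go
package main

import (
	"fmt"
	"strings"
)

// Severities in the order the dialog lists them; the first is the most urgent.
// The position doubles as the syslog severity number 0 (emergency) .. 7 (debug).
var severities = []string{"emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"}

func severityIndex(name string) (int, bool) {
	for i, s := range severities {
		if s == name {
			return i, true
		}
	}
	return 0, false
}

// Mail is one email the device would hand to the mail server.
type Mail struct {
	Subject string
	Body    string
}

// Notifier models the Notification immediate and Notification periodic frames.
type Notifier struct {
	ImmediateSeverity string // Notification immediate > Severity (default: alert)
	PeriodicSeverity  string // Notification periodic > Severity (default: warning)
	SendingInterval   int    // Sending interval [min] (30..1440, default: 30)
	BufferLimit       int    // buffer capacity before it overflows (assumption: the manual gives no size)
	buffer            []string
	lastPeriodic      int // minute at which the periodic buffer was last sent
	Sent              int // Information > Sent messages
}

// atLeast reports whether an event of severity sev is as urgent as, or more urgent than, min.
func atLeast(sev, min string) bool {
	si, ok1 := severityIndex(sev)
	mi, ok2 := severityIndex(min)
	return ok1 && ok2 && si <= mi
}

func (n *Notifier) flush(reason string) Mail {
	body := strings.Join(n.buffer, "\n")
	n.buffer = n.buffer[:0]
	n.Sent++
	return Mail{Subject: "periodic (" + reason + ")", Body: body}
}

// Event applies both severity filters to one event at time nowMin (minutes since start)
// and returns the emails the device would send right away.
func (n *Notifier) Event(sev, text string, nowMin int) []Mail {
	var out []Mail
	line := fmt.Sprintf("%04d %-13s %s", nowMin, sev, text)
	if atLeast(sev, n.ImmediateSeverity) {
		n.Sent++
		out = append(out, Mail{Subject: "immediate: " + sev, Body: line})
	}
	if atLeast(sev, n.PeriodicSeverity) {
		n.buffer = append(n.buffer, line)
		if len(n.buffer) >= n.BufferLimit { // buffer overflows: send early
			out = append(out, n.flush("overflow"))
			n.lastPeriodic = nowMin
		}
	}
	return out
}

// Tick is the interval timer: once Sending interval has elapsed and at least one
// event is buffered, the buffer goes out as one email.
func (n *Notifier) Tick(nowMin int) (Mail, bool) {
	if len(n.buffer) == 0 || nowMin-n.lastPeriodic < n.SendingInterval {
		return Mail{}, false
	}
	n.lastPeriodic = nowMin
	return n.flush("interval"), true
}

// Send is the Send button: email the buffer now and clear it (assumption: nothing is sent when it is empty).
func (n *Notifier) Send(nowMin int) (Mail, bool) {
	if len(n.buffer) == 0 {
		return Mail{}, false
	}
	n.lastPeriodic = nowMin
	return n.flush("manual"), true
}

func (n *Notifier) Buffered() int { return len(n.buffer) }

func main() {
	n := &Notifier{ImmediateSeverity: "alert", PeriodicSeverity: "warning", SendingInterval: 30, BufferLimit: 50}
	// Constructed events: with the defaults only emergency/alert go out at once,
	// critical..warning are collected, notice and below are dropped.
	for _, m := range n.Event("alert", "link down on port 1/3", 0) {
		fmt.Printf("%s\n%s\n", m.Subject, m.Body)
	}
	n.Event("error", "login failed for user admin", 5)
	n.Event("notice", "configuration saved", 6)
	if m, ok := n.Tick(30); ok {
		fmt.Printf("%s\n%s\n", m.Subject, m.Body)
	}
	fmt.Println("sent messages:", n.Sent)
}
```

With the default thresholds an "error" event (for example a failed login) never triggers an immediate email; it only appears in the periodic digest up to 30 minutes later. If you want to see such events promptly, lower the immediate Severity rather than the periodic one.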
In this dialog, you specify the recipients to which the device sends the emails. The device allows you to
specify up to 10 recipients.
Table
Parameters Meaning
Index Displays the index number to which the table entry relates.
Notification type Specifies whether the device sends the emails to this recipient immediately or periodically.
Possible values:
immediate
The device sends the emails to this recipient immediately.
periodic
The device sends the emails to this recipient periodically.
Address Specifies the email address of the recipient.
Possible values:
Valid email address with up to 255 characters
Active Activates/deactivates the informing of the recipient.
Possible values:
marked (default setting)
The informing of the recipient is active.
unmarked
The informing of the recipient is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
In this dialog, you specify the settings for the mail servers. The device supports encrypted and
unencrypted connections to the mail server.
Table
Parameters Meaning
Index Displays the index number to which the table entry relates.
Description Specifies the name of the server.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
IP address Specifies the IP address or the DNS name of the server.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
DNS name in the format domain.tld or host.domain.tld
If you specify a DNS name, then also enable the Client function in the Advanced > DNS >
Client > Global dialog.
If you establish encrypted connections using the uploaded certificate, then the DNS name
must be equal to the server DNS name mentioned in the certificate.
Destination TCP port Specifies the TCP port of the server.
Possible values:
1..65535 (default setting: 25)
Exception: Port 2222 is reserved for internal functions.
Frequently used TCP ports:
– SMTP 25
– Message Submission 587
Encryption Specifies the protocol which encrypts the connection between the device and the mail server.
Possible values:
none (default setting)
The device establishes an unencrypted connection to the server.
tlsv1
The device establishes an encrypted connection to the server using the startTLS extension.
User name Specifies the user name of the account which the device uses to authenticate on the mail server.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
Password Specifies the password of the account which the device uses to authenticate on the mail server.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
Timeout [s] Specifies the time in seconds after which the device sends an email again. The prerequisite is that
the device has failed to send the complete email due to a connection error.
Possible values:
1..15 (default setting: 3)
Active Activates/deactivates the use of the mail server.
Possible values:
marked
The mail server is active.
The device sends emails to this mail server.
unmarked (default setting)
The mail server is inactive.
The device does not send emails to this mail server.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Connection test Opens the Connection test dialog to send a test email.
If the mail server settings are correct, then the selected recipients receive a test email.
In the Recipient field, you specify to which recipients the device sends the test email:
– immediate
The device sends the test email to the recipients to which the device sends emails
immediately.
– periodic
The device sends the test email to the recipients to which the device sends emails
periodically.
In the Message text field, you specify the text of the test email.
6.4 Syslog
The device allows you to report selected events, independent of the severity of the event, to different
syslog servers. In this dialog, you specify the settings for this function and manage up to 8 syslog
servers.
Operation
Parameters Meaning
Operation Enables/disables the sending of events to the syslog servers.
Possible values:
On
The sending of events is enabled.
The device sends the events specified in the table to the specified syslog servers.
Off (default setting)
The sending of events is disabled.
Certificate
The device can send messages to a server over unsecure networks. To help deny a “man in the
middle” attack, request that the Certificate Authority create a certificate for the server. Configure the
server to use the certificate, then upload the certificate to the device.
When you specify the server parameters, enter the IP address or DNS name that the certificate
provides as the Common Name or Subject Alternative Name. Otherwise the certificate validation
will fail.
Note: In order for the changes to take effect after loading a new certificate, restart the Syslog
function.
Parameters Meaning
URL Specifies the path and file name of the certificate.
The device accepts certificates with the following properties:
– X.509 format
– .PEM file name extension
– Base64-coded, enclosed by
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
For security reasons, we recommend always using a certificate signed by a certification authority.
The device gives you the following options for copying the certificate to the device:
Import from the PC
If the certificate is located on your PC or on a network drive, drag and drop the certificate in the
area. Alternatively click in the area to select the certificate.
Import from an FTP server
If the certificate is on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<path>/<file name>
Import from a TFTP server
If the certificate is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
Import from an SCP or SFTP server
If the certificate is on an SCP or SFTP server, you specify the URL for the file in the following
form:
– scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you
enter User name and Password to log on to the server.
– scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start Copies the certificate specified in the URL field to the device.
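Both certificate frames (the one for the mail servers and this one for the syslog servers) depend on the same condition: the value you enter in the server table must be a name the certificate actually carries, and the file must be a Base64 X.509 certificate between the BEGIN/END CERTIFICATE markers. The Go program below is an added example of checking a certificate file against a planned server entry before uploading it; it is not device code. It builds a constructed self-signed certificate purely as sample input (a production server should use a CA-issued certificate, as recommended above); the host names mail.example.com, smtp.example.com and the addresses 192.0.2.10 / 192.0.2.11 are constructed values. Note that Go's VerifyHostname, like current TLS validators, matches only Subject Alternative Name entries, so the server name belongs in the SAN rather than in the Common Name alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CheckServerCert performs the checks the device's certificate validation depends on:
// the file holds a CERTIFICATE block, it parses as X.509, it is valid at time now, and
// the host you would enter in the server table (DNS name or IP address) is covered by
// the certificate's Subject Alternative Name.
func CheckServerCert(pemData []byte, configuredHost string, now time.Time) error {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no -----BEGIN CERTIFICATE----- block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("not a valid X.509 certificate: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid at %s (valid from %s to %s)",
			now.Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	// VerifyHostname accepts a DNS name or an IP address literal and matches it
	// against the SAN dNSName / iPAddress entries.
	if err := cert.VerifyHostname(configuredHost); err != nil {
		return fmt.Errorf("server entry %q does not match the certificate: %w", configuredHost, err)
	}
	return nil
}

// NewSelfSignedServerCert creates a constructed, self-signed test certificate covering
// the given DNS names and IP addresses and returns it PEM-encoded. It stands in for the
// CA-issued certificate the manual recommends; only the shape of the file matters here.
func NewSelfSignedServerCert(dnsNames []string, ips []net.IP, notBefore time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed test server"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	// Constructed sample: the server is reachable as mail.example.com and 192.0.2.10.
	certPEM, err := NewSelfSignedServerCert([]string{"mail.example.com"}, []net.IP{net.ParseIP("192.0.2.10")}, now.Add(-time.Hour))
	if err != nil {
		panic(err)
	}
	// Only the first two entries would pass the device's validation.
	for _, host := range []string{"mail.example.com", "192.0.2.10", "smtp.example.com", "192.0.2.11"} {
		if err := CheckServerCert(certPEM, host, now); err != nil {
			fmt.Println("REJECT", host, "-", err)
		} else {
			fmt.Println("OK    ", host)
		}
	}
}
```

Run the check with the exact string you intend to type into the IP address column: a certificate that covers mail.example.com does not cover the server's IP address unless that address is listed as a SAN iPAddress entry as well, which is the usual reason for the "validation will fail" case described above.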
Table
Parameters Meaning
Index Displays the index number to which the table entry relates.
When you delete a table entry, this leaves a gap in the numbering. When you create a new table
entry, the device fills the first gap.
Possible values:
1..8
IP address Specifies the IP address of the syslog server.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
Destination UDP port Specifies the TCP or UDP port on which the syslog server expects the log entries.
Possible values:
1..65535 (default setting: 514)
Transport type Specifies the transport type the device uses to send the events to the syslog server.
Possible values:
udp (default setting)
The device sends the events over the UDP port specified in the Destination UDP port
column.
tls
The device sends the events over TLS on the TCP port specified in the Destination UDP
port column.
Parameters Meaning
Min. severity Specifies the minimum severity of the events. The device sends a log entry for events with this
severity and with more urgent severities to the syslog server.
Possible values:
emergency
alert
critical
error
warning (default setting)
notice
informational
debug
Type Specifies the type of the log entry transmitted by the device.
Possible values:
systemlog (default setting)
audittrail
Active Activates/deactivates the transmission of events to the syslog server:
marked
The device sends events to the syslog server.
unmarked (default setting)
The transmission of events to the syslog server is deactivated.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
6.5 Ports
6.5.1 SFP
This dialog allows you to look at the SFP transceivers currently connected to the device and their
properties.
Table
The table displays valid values if the device is equipped with SFP transceivers.
Parameters Meaning
Port Displays the port number.
Module type Type of the SFP transceiver, for example M-SFP-SX/LC.
Serial number Displays the serial number of the SFP transceiver.
Connector type Displays the connector type.
Supported Displays whether the device supports the SFP transceiver.
Temperature [°C] Operating temperature of the SFP transceiver in degrees Celsius.
Tx power [mW] Transmission power of the SFP transceiver in mW.
Rx power [mW] Receiving power of the SFP transceiver in mW.
Tx power [dBm] Transmission power of the SFP transceiver in dBm.
Rx power [dBm] Receiving power of the SFP transceiver in dBm.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
This feature tests the cable attached to an interface for a short or an open circuit. The table displays the cable
status and estimated length. The device also displays the individual cable pairs connected to the port.
When the device detects a short circuit or an open circuit in the cable, it also displays the estimated
distance to the problem.
Information
Parameters Meaning
Port Displays the port number.
Status Status of the Virtual Cable Tester.
Possible values:
active
Cable testing is in progress.
To start the test, click the button and then the Start cable diagnosis... item. This
action opens the Select port dialog.
success
The device displays this entry after performing a successful test.
failure
The device displays this entry after an interruption in the test.
uninitialized
The device displays this entry while in standby.
Table
Parameters Meaning
Cable pair Displays the cable pair to which this entry relates. The device uses the first PHY index supported
to display the values.
Result Displays the results of the cable test.
Possible values:
normal
The cable is functioning properly.
open
There is a break in the cable causing an interruption.
short
Wires in the cable are touching together causing a short circuit.
unknown
The device displays this value for untested cable pairs.
Note: The device displays different values than expected in the following cases:
– If no cable is connected to the port, the device displays the value unknown instead of open.
– If the port is deactivated, the device displays the value short .
Min. length Displays the minimum estimated length of the cable in meters.
The device displays the value 0 if the cable length is unknown or if the Status field in the
Information frame displays the value active, failure or uninitialized.
Max. length Displays the maximum estimated length of the cable in meters.
The device displays the value 0 if the cable length is unknown or if the Status field in the
Information frame displays the value active, failure or uninitialized.
Parameters Meaning
Distance [m] Displays the estimated distance in meters from the end of the cable to the failure location.
The device displays the value 0 if the cable length is unknown or if the Status field in the
Information frame displays the value active, failure or uninitialized.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
The Port Monitor function monitors the adherence to the specified parameters on the ports. If the Port
Monitor function detects that the parameters are being exceeded, the device performs an action.
To apply the Port Monitor function, proceed as follows:
Global tab
Enable the Operation function in the Port Monitor frame.
Activate for each port those parameters that you want the Port Monitor function to monitor.
Link flap , CRC/Fragments and Overload detection tabs
Specify the threshold values for the parameters for each port.
Link speed/Duplex mode detection tab
Activate the allowed combinations of speed and duplex mode for each port.
Global tab
Specify for each port an action that the device carries out when the Port Monitor function detects
that the parameters have been exceeded.
Auto-disable tab
Mark the Auto-disable checkbox for the monitored parameters when you have specified the
auto-disable action at least once.
[Global ]
In this tab, you enable the Port Monitor function and specify the parameters that the Port Monitor
function is monitoring. Also specify the action that the device carries out when the Port Monitor
function detects that the parameters have been exceeded.
Operation
Parameters Meaning
Operation Enables/disables the Port Monitor function globally.
Possible values:
On
The Port Monitor function is enabled.
Off (default setting)
The Port Monitor function is disabled.
Table
Parameters Meaning
Port Displays the port number.
Link flap on Activates/deactivates the monitoring of link flaps on the port.
Possible values:
marked
Monitoring is active.
– The Port Monitor function monitors link flaps on the port.
– If the device detects too many link flaps, the device executes the action specified in the
Action column.
– On the Link flap tab, specify the parameters to be monitored.
unmarked (default setting)
Monitoring is inactive.
CRC/Fragments on Activates/deactivates the monitoring of CRC/fragment errors on the port.
Possible values:
marked
Monitoring is active.
– The Port Monitor function monitors CRC/fragment errors on the port.
– If the device detects too many CRC/fragment errors, the device executes the action
specified in the Action column.
– On the CRC/Fragments tab, specify the parameters to be monitored.
unmarked (default setting)
Monitoring is inactive.
Duplex mismatch detection active Activates/deactivates the monitoring of duplex mismatches on the port.
Possible values:
marked
Monitoring is active.
– The Port Monitor function monitors duplex mismatches on the port.
– If the device detects a duplex mismatch, the device executes the action specified in the
Action column.
unmarked (default setting)
Monitoring is inactive.
Overload detection on Activates/deactivates the overload detection on the port.
Possible values:
marked
Monitoring is active.
– The Port Monitor function monitors the data load on the port.
– If the device detects a data overload on the port, the device executes the action specified
in the Action column.
– On the Overload detection tab, specify the parameters to be monitored.
unmarked (default setting)
Monitoring is inactive.
Link speed/Duplex mode detection on Activates/deactivates the monitoring of the link speed and duplex mode on the port.
Possible values:
marked
Monitoring is active.
– The Port Monitor function monitors the link speed and duplex mode on the port.
– If the device detects an unpermitted combination of link speed and duplex mode, the device
executes the action specified in the Action column.
– On the Link speed/Duplex mode detection tab, specify the parameters to be
monitored.
unmarked (default setting)
Monitoring is inactive.
Parameters Meaning
Active condition Displays the monitored parameter that led to the action on the port.
Possible values:
-
No monitored parameter.
The device does not carry out any action.
Link flap
Too many link changes in the observed period.
CRC/Fragments
Too many CRC/fragment errors in the observed period.
Duplex mismatch
Duplex mismatch detected.
Overload detection
Overload detected in the observed period.
Link speed/Duplex mode detection
Impermissible combination of speed and duplex mode detected.
Action Specifies the action that the device carries out when the Port Monitor function detects that the
parameters have been exceeded.
Possible values:
disable port
The device disables the port and sends an SNMP trap.
The “Link status” LED for the port flashes 3× per period.
– To re-enable the port, highlight the port and click the button and then the Reset item.
– The Auto-Disable function enables the port again after the specified waiting period when
the parameters are no longer being exceeded. The prerequisite is that on the Auto-
disable tab the checkbox for the monitored parameter is marked.
send trap
The device sends an SNMP trap.
The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics >
Status Configuration > Alarms (Traps) dialog and specify at least 1 trap destination.
auto-disable (default setting)
The device disables the port and sends an SNMP trap.
The “Link status” LED for the port flashes 3× per period.
The prerequisite is that on the Auto-disable tab the checkbox for the monitored parameter
is marked.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently
disabled due to the parameters being exceeded.
– The Auto-Disable function reactivates the port automatically. For this you go to the
Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the
relevant port in the Reset timer [s] column.
Port status Displays the operating state of the port.
Possible values:
up
The port is enabled.
down
The port is disabled.
notPresent
Physical port unavailable.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
Diagnostics > Ports > Auto-Disable dialog
[Auto-disable ]
In this tab, you activate the Auto-Disable function for the parameters monitored by the Port Monitor
function.
Table
Parameters Meaning
Reason Displays the parameters monitored by the Port Monitor function.
Mark the adjacent checkbox so that the Port Monitor function carries out the auto-disable
action when it detects that the monitored parameters have been exceeded.
Auto-disable Activates/deactivates the Auto-Disable function for the adjacent parameters.
Possible values:
marked
The Auto-Disable function for the adjacent parameters is active.
When the adjacent parameters are exceeded, the device carries out the Auto-Disable
function when the value auto-disable is specified in the Action column.
unmarked (default setting)
The Auto-Disable function for the adjacent parameters is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
Diagnostics > Ports > Auto-Disable dialog
[Link flap ]
In this tab, you specify individually for every port the following settings:
The number of link changes.
The period during which the Port Monitor function monitors a parameter to detect discrepancies.
You also see how many link changes the Port Monitor function has detected up to now.
The Port Monitor function monitors those ports for which the checkbox in the Link flap on column
is marked on the Global tab.
Table
Parameters Meaning
Port Displays the port number.
Sampling interval [s] Specifies the period in seconds during which the Port Monitor function monitors a parameter
to detect discrepancies.
Possible values:
1..180 (default setting: 10)
Link flaps Specifies the number of link changes.
If the Port Monitor function detects this number of link changes in the monitored period, the
device performs the specified action.
Possible values:
1..100 (default setting: 5)
Last sampling interval Displays the number of errors that the device has detected during the period that has elapsed.
Total Displays the total number of errors that the device has detected since the port was enabled.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
Diagnostics > Ports > Auto-Disable dialog
[CRC/Fragments ]
In this tab, you specify individually for every port the following settings:
The fragment error rate.
The period during which the Port Monitor function monitors a parameter to detect discrepancies.
You also see the fragment error rate that the device has detected up to now.
The Port Monitor function monitors those ports for which the checkbox in the CRC/Fragments on
column is marked on the Global tab.
Table
Parameters Meaning
Port Displays the port number.
Sampling interval [s] Specifies the period in seconds during which the Port Monitor function monitors a parameter
to detect discrepancies.
Possible values:
5..180 (default setting: 10)
CRC/Fragments count [ppm] Specifies the fragment error rate (in parts per million).
If the Port Monitor function detects this fragment error rate in the monitored period, the device
performs the specified action.
Possible values:
1..1000000 (default setting: 1000)
Last active interval [ppm] Displays the fragment error rate that the device has detected during the period that has elapsed.
Total [ppm] Displays the fragment error rate that the device has detected since the port was enabled.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
Diagnostics > Ports > Auto-Disable dialog
[Overload detection ]
In this tab, you specify individually for every port the following settings:
The load threshold values.
The period during which the Port Monitor function monitors a parameter to detect discrepancies.
You also see the number of data packets that the device has detected up to now.
The Port Monitor function monitors those ports for which the checkbox in the Overload detection
on column is marked on the Global tab.
The Port Monitor function does not monitor any ports that are members of a link aggregation group.
Table
Parameters Meaning
Port Displays the port number.
Traffic type Specifies the type of data packets that the device considers when monitoring the load on the port.
Possible values:
all
The Port Monitor function monitors Broadcast, Multicast and Unicast packets.
bc (default setting)
The Port Monitor function monitors only Broadcast packets.
bc-mc
The Port Monitor function monitors only Broadcast and Multicast packets.
Threshold type Specifies the unit for the data rate.
Possible values:
pps (default setting)
packets per second
kbps
kbit per second
The prerequisite is that the value in the Traffic type column = all.
Parameters Meaning
Lower threshold Specifies the lower threshold value for the data rate.
The Auto-Disable function enables the port again only when the load on the port is lower than
the value specified here.
Possible values:
0..10000000 (default setting: 0)
Upper threshold Specifies the upper threshold value for the data rate.
If the Port Monitor function detects this load in the monitored period, the device performs the
specified action.
Possible values:
0..10000000 (default setting: 0)
Interval [s] Specifies the period in seconds during which the Port Monitor function observes a parameter to
detect that it is being exceeded.
Possible values:
1..20 (default setting: 1)
Packets Displays the number of Broadcast, Multicast and Unicast packets that the device has detected
during the period that has elapsed.
Broadcast packets Displays the number of Broadcast packets that the device has detected during the period that has
elapsed.
Multicast packets Displays the number of Multicast packets that the device has detected during the period that has
elapsed.
Kbit/s Displays the data rate in Kbits per second that the device has detected during the period that has
elapsed.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
Diagnostics > Ports > Auto-Disable dialog
Table
Parameters Meaning
Port Displays the port number.
10 Mbit/s HDX Activates/deactivates the port monitor to accept a half-duplex and 10 Mbit/s data rate combination
on the port.
Possible values:
marked
The port monitor allows the speed and duplex combination.
unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
10 Mbit/s FDX Activates/deactivates the port monitor to accept a full-duplex and 10 Mbit/s data rate combination
on the port.
Possible values:
marked
The port monitor allows the speed and duplex combination.
unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
100 Mbit/s HDX Activates/deactivates the port monitor to accept a half-duplex and 100 Mbit/s data rate
combination on the port.
Possible values:
marked
The port monitor allows the speed and duplex combination.
unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
100 Mbit/s FDX Activates/deactivates the port monitor to accept a full-duplex and 100 Mbit/s data rate combination
on the port.
Possible values:
marked
The port monitor allows the speed and duplex combination.
unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
1,000 Mbit/s FDX Activates/deactivates the port monitor to accept a full-duplex and 1 Gbit/s data rate combination
on the port.
Possible values:
marked
The port monitor allows the speed and duplex combination.
unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
Parameters Meaning
2.5 Gbit/s FDX Activates/deactivates the port monitor to accept a full-duplex and 2.5 Gbit/s data rate combination
on the port.
Possible values:
marked
The port monitor allows the speed and duplex combination.
unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
Diagnostics > Ports > Auto-Disable dialog
6.5.4 Auto-Disable
The Auto-Disable function allows you to disable monitored ports automatically and enable them again
as you desire.
For example, the Port Monitor function and selected functions in the Network Security menu use
the Auto-Disable function to disable ports when monitored parameters are exceeded.
When the parameters are no longer being exceeded, the Auto-Disable function enables the relevant
port again after a specified waiting period.
[Port ]
This tab displays which ports are currently disabled due to the parameters being exceeded. When you
specify a waiting period in the Reset timer [s] column, the Auto-Disable function automatically
enables the relevant port again when the parameters are no longer being exceeded.
Table
Parameters Meaning
Port Displays the port number.
Reset timer [s] Specifies the waiting period in seconds, after which the Auto-Disable function enables the port
again.
Possible values:
0 (default setting)
The timer is inactive. The port remains disabled.
30..4294967295
The Auto-Disable function enables the port again after the waiting period specified here and
when the parameters are no longer being exceeded.
Error time Displays when the device disabled the port due to the parameters being exceeded.
Remaining time [s] Displays the remaining time in seconds, until the Auto-Disable function enables the port again.
Parameters Meaning
Component Displays the software component in the device that disabled the port.
Possible values:
PORT_MON
Port Monitor
See the Diagnostics > Ports > Port Monitor dialog.
PORT_ML
Port Security
See the Network Security > Port Security dialog.
DHCP_SNP
DHCP Snooping
See the Network Security > DHCP Snooping dialog.
DOT1S
BPDU guard
See the Switching > L2-Redundancy > Spanning Tree > Global dialog.
DAI
Dynamic ARP Inspection
See the Network Security > Dynamic ARP Inspection dialog.
Reason Displays the monitored parameter that led to the port being disabled.
Possible values:
none
No monitored parameter.
The port is enabled.
link-flap
Too many link changes. See the Diagnostics > Ports > Port Monitor dialog, Link flap
tab.
crc-error
Too many CRC/fragment errors. See the Diagnostics > Ports > Port Monitor dialog,
CRC/Fragments tab.
duplex-mismatch
Duplex mismatch detected. See the Diagnostics > Ports > Port Monitor dialog, Global
tab.
dhcp-snooping
Too many DHCP packets from untrusted sources. See the Network Security > DHCP
Snooping > Configuration dialog, Port tab.
arp-rate
Too many ARP packets from untrusted sources. See the Network Security > Dynamic
ARP Inspection > Configuration dialog, Port tab.
bpdu-rate
STP-BPDUs received. See the Switching > L2-Redundancy > Spanning Tree > Global
dialog.
mac-based-port-security
Too many data packets from undesired senders. See the Network Security > Port
Security dialog.
overload-detection
Overload. See the Diagnostics > Ports > Port Monitor dialog, Overload detection
tab.
speed-duplex
Impermissible combination of speed and duplex mode detected. See the Diagnostics >
Ports > Port Monitor dialog, Link speed/Duplex mode detection tab.
Active Displays whether the port is currently disabled due to the parameters being exceeded.
Possible values:
marked
The port is currently disabled.
unmarked
The port is enabled.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Status ]
This tab displays the monitored parameters for which the Auto-Disable function is activated.
Table
Parameters Meaning
Reason Displays the parameters that the device monitors.
Mark the adjacent checkbox so that the Auto-Disable function disables and, if applicable,
enables the port again when the monitored parameters are exceeded.
Category Displays which function the adjacent parameter belongs to.
Possible values:
port-monitor
The parameter belongs to the Port Monitor function. See the Diagnostics > Ports > Port
Monitor dialog.
network-security
The parameter belongs to the functions in the Network Security menu.
l2-redundancy
The parameter belongs to the L2-Redundancy functions. See the Switching > L2-
Redundancy dialog.
Auto-disable Displays whether the Auto-Disable function is activated/deactivated for the adjacent parameter.
Possible values:
marked
The Auto-Disable function for the adjacent parameters is active.
The Auto-Disable function disables and, if applicable, enables the relevant port again when
the monitored parameters are exceeded.
unmarked (default setting)
The Auto-Disable function for the adjacent parameters is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Reset Enables the port highlighted in the table again and resets its counter to 0. This affects the counters
in the following dialogs:
Diagnostics > Ports > Port Monitor dialog
– Link flap tab
– CRC/Fragments tab
– Overload detection tab
Diagnostics > Ports > Auto-Disable dialog
The Port Mirroring function allows you to copy received and sent data packets from selected ports
to a destination port. You can watch and process the data stream using an analyzer or an RMON probe,
connected to the destination port. The data packets remain unmodified on the source port.
Note: To enable the management access using the destination port, mark the checkbox Allow
management in the Destination port frame before you enable the Port Mirroring function.
Operation
Parameters Meaning
Operation Enables/disables the Port Mirroring function.
Possible values:
On
The Port Mirroring function is enabled.
The device copies the data packets from the selected source ports to the destination port.
Off (default setting)
The Port Mirroring function is disabled.
Destination port
Parameters Meaning
Primary port Specifies the destination port.
Suitable ports are those ports that are not used for the following purposes:
– Source port
– L2 redundancy protocols
Possible values:
no Port (default setting)
No destination port selected.
<Port number>
Number of the destination port. The device copies the data packets from the source ports to
this port.
On the destination port, the device adds a VLAN tag to the data packets that the source port
transmits. The data packets that the source port receives are transmitted unmodified on the
destination port.
Note: The destination port needs sufficient bandwidth to absorb the data stream. When the copied
data stream exceeds the bandwidth of the destination port, the device discards surplus data
packets on the destination port.
Secondary port Specifies a second destination port.
The port transmits the same data as the port specified above.
Exception:
– no VLAN mirroring data
– no RSPAN data
Possible values:
no Port (default setting)
No destination port selected.
<Port number>
Number of the destination port. The device copies the data packets from the source ports to
this port.
Allow management Activates/deactivates the management access using the destination port.
Possible values:
marked
The management access using the destination port is active.
The device allows the management access to the device using the destination port without
interrupting the active Port Mirroring session.
– The device duplicates multicasts, broadcasts and unknown unicasts on the destination
port.
– The VLAN settings on the destination port remain unchanged. The prerequisite for
management access via the destination port is that the destination port is not a member of
the management VLAN.
unmarked (default setting)
The management access using the destination port is inactive.
The device prohibits the management access to the device using the destination port.
VLAN mirroring
The VLAN mirroring function allows you to copy ingress data packets in a specific VLAN to the
selected destination port. The device forwards the data stream out of the specified destination port.
Note: The VLAN mirroring function is only available on the primary port.
Parameters Meaning
Source VLAN ID Specifies the VLAN from which the device mirrors data to the destination port.
Possible values:
0 (default setting)
Disables the VLAN mirroring function.
2..4042
The device only allows you to specify a VLAN when no source port is specified.
RSPAN
The RSPAN (Remote Switched Port Analyzer) function extends the mirroring function by allowing the
device to forward the monitored data across multiple devices, on a specific VLAN, to a single
destination.
Note: When you use the device on the path between the source and destination device, specify in
the VLAN ID field the VLAN needed to use the RSPAN function. For this, the Port Mirroring function
is not required and remains disabled.
Parameters Meaning
Source VLAN ID Specifies the source VLAN from which the device mirrors data to the destination VLAN.
Possible values:
0 (default setting)
The source VLAN is inactive.
2..4042
Mirrored ports may not be members of the RSPAN VLAN.
VLAN ID Specifies the VLAN that the device uses to tag and forward mirrored data.
Possible values:
0 (default setting)
The RSPAN VLAN is inactive.
2..4042
The device uses the value to tag and forward mirrored data.
Destination VLAN ID Specifies the VLAN that the device uses to forward the network traffic to the destination device.
Possible values:
0 (default setting)
The destination VLAN is inactive.
2..4042
The device uses this value to tag data and to forward the network traffic to the destination
device.
Table
Parameters Meaning
Source port Specifies the port number.
Possible values:
<Port number>
Enabled Activates/deactivates the copying of the data packets from this source port to the destination port.
Possible values:
marked
The copying of the data packets is active.
The port is specified as a source port.
unmarked (default setting)
The copying of the data packets is inactive.
(Grayed-out display)
It is not possible to copy the data packets for this port.
Possible causes:
– The port is already specified as a destination port.
– The port is a logical port, not a physical port.
Note: The device allows you to activate every physical port as source port except for the
destination port.
Type Specifies which data packets the device copies to the destination port.
Possible values:
none (default setting)
No data packets.
tx
Data packets that the source port transmits.
rx
Data packets that the source port receives.
txrx
Data packets that the source port transmits and receives.
Note: With the txrx setting the device copies transmitted and received data packets. The
destination port needs at least a bandwidth that corresponds to the sum of the send and
receive channels of the source ports. For example, for ports of the same speed the destination
port is at 100 % capacity when the send and receive channel of a source port are each at 50 %
capacity.
On the destination port, the device adds a VLAN tag to the data packets that the source port
transmits. The data packets that the source port receives are transmitted unmodified on the
destination port.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Reset config Resets the settings in the dialog to the default settings and transfers the changes to the volatile
memory of the device (RAM ).
6.6 LLDP
The device allows you to gather information about neighboring devices. For this, the device uses the
Link Layer Discovery Protocol (LLDP). This information enables a network management station to map
the structure of your network.
This menu allows you to configure the topology discovery and to display the information received in table
form.
The menu contains the following dialogs:
LLDP Configuration
LLDP Topology Discovery
This dialog allows you to configure the topology discovery for every port.
Operation
Parameters Meaning
Operation Enables/disables the LLDP function.
Possible values:
On (default setting)
The LLDP function is enabled.
The topology discovery using LLDP is active on the device.
Off
The LLDP function is disabled.
Configuration
Parameters Meaning
Transmit interval [s] Specifies the interval in seconds at which the device transmits LLDP data packets.
Possible values:
5..32768 (default setting: 30)
Transmit interval multiplier Specifies the factor for determining the time-to-live value for the LLDP data packets.
Possible values:
2..10 (default setting: 4)
The time-to-live value coded in the LLDP header results from multiplying this value with the value
in the Transmit interval [s] field.
Reinit delay [s] Specifies the delay in seconds for the reinitialization of a port.
Possible values:
1..10 (default setting: 2)
If in the Operation column the value Off is specified, the device tries to reinitialize the port after
the time specified here has elapsed.
Transmit delay [s] Specifies the delay in seconds for transmitting successive LLDP data packets after configuration
changes in the device occur.
Possible values:
1..8192 (default setting: 2)
The recommended value is between a minimum of 1 and a maximum of a quarter of the value in
the Transmit interval [s] field.
Notification interval [s] Specifies the interval in seconds for transmitting LLDP notifications.
Possible values:
5..3600 (default setting: 5)
After transmitting a notification trap, the device waits for a minimum of the time specified here
before transmitting the next notification trap.
Table
Parameters Meaning
Port Displays the port number.
Operation Specifies whether the port transmits and receives LLDP data packets.
Possible values:
transmit
The port transmits LLDP data packets but does not save any information about neighboring
devices.
receive
The port receives LLDP data packets but does not transmit any information to neighboring
devices.
receive and transmit (default setting)
The port transmits LLDP data packets and saves information about neighboring devices.
disabled
The port does not transmit LLDP data packets and does not save information about
neighboring devices.
Notification Activates/deactivates the LLDP notifications on the port.
Possible values:
marked
LLDP notifications are active on the port.
unmarked (default setting)
LLDP notifications are inactive on the port.
Transmit port description Activates/deactivates the transmitting of a TLV (Type Length Value) with the port description.
Possible values:
marked (default setting)
The transmitting of the TLV is active.
The device transmits the TLV with the port description.
unmarked
The transmitting of the TLV is inactive.
The device does not transmit a TLV with the port description.
Transmit system name Activates/deactivates the transmitting of a TLV (Type Length Value) with the device name.
Possible values:
marked (default setting)
The transmitting of the TLV is active.
The device transmits the TLV with the device name.
unmarked
The transmitting of the TLV is inactive.
The device does not transmit a TLV with the device name.
Transmit system description Activates/deactivates the transmitting of the TLV (Type Length Value) with the system description.
Possible values:
marked (default setting)
The transmitting of the TLV is active.
The device transmits the TLV with the system description.
unmarked
The transmitting of the TLV is inactive.
The device does not transmit a TLV with the system description.
Transmit system capabilities Activates/deactivates the transmitting of the TLV (Type Length Value) with the system capabilities.
Possible values:
marked (default setting)
The transmitting of the TLV is active.
The device transmits the TLV with the system capabilities.
unmarked
The transmitting of the TLV is inactive.
The device does not transmit a TLV with the system capabilities.
Neighbors (max.) Limits the number of neighboring devices to be recorded for this port.
Possible values:
1..50 (default setting: 10)
FDB mode Specifies which function the device uses to record neighboring devices on this port.
Possible values:
lldpOnly
The device uses LLDP data packets exclusively to record neighboring devices on this port.
macOnly
The device uses learned MAC addresses to record neighboring devices on this port. The
device uses the MAC address exclusively if there is no other entry in the address table (FDB,
Forwarding Database) for this port.
both
The device uses LLDP data packets and learned MAC addresses to record neighboring
devices on this port.
autoDetect (default setting)
If the device receives LLDP data packets at this port, the device works the same as with the
lldpOnly setting. Otherwise, the device works the same as with the macOnly setting.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Devices in networks send notifications in the form of packets, also known as LLDPDUs (LLDP
data units). The data sent and received via LLDPDUs is useful for many reasons. For example, the
device detects which devices in the network are its neighbors and via which ports they are connected.
The dialog allows you to display the network and to detect the connected devices along with their
specific features.
[LLDP ]
This tab displays the collected LLDP information for the neighboring devices. This information enables
a network management station to map the structure of your network.
When devices both with and without an active topology discovery function are connected to a port, the
topology table hides the devices without active topology discovery.
When devices without active topology discovery are connected to a port exclusively, then the table
contains one line for this port to represent every device. This line contains the number of connected
devices.
The Forwarding Database (FDB) address table contains MAC addresses of devices that the topology
table hides for the sake of clarity.
If you use 1 port to connect several devices, for example via a hub, the table contains 1 line for each
connected device.
Table
Parameters Meaning
Port Displays the port number.
Neighbor identifier Displays the chassis ID of the neighboring device. This can be the basis MAC address of the
neighboring device, for example.
FDB Displays whether or not the connected device has active LLDP support.
Possible values:
marked
The connected device does not have active LLDP support.
The device uses information from its address table (FDB, Forwarding Database)
unmarked (default setting)
The connected device has active LLDP support.
Neighbor IP address Displays the IP address with which the management access to the neighboring device is possible.
Neighbor port description Displays a description for the port of the neighboring device.
Neighbor system name Displays the device name of the neighboring device.
Neighbor system description Displays a description for the neighboring device.
Port ID Displays the ID of the port through which the neighboring device is connected to the device.
Autonegotiation supported Displays whether the port of the neighboring device supports autonegotiation.
Autonegotiation Displays whether autonegotiation is enabled on the port of the neighboring device.
PoE supported Displays whether the port of the neighboring device supports Power over Ethernet (PoE).
PoE enabled Displays whether Power over Ethernet (PoE) is enabled on the port of the neighboring device.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
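The LLDPDU that the two LLDP dialogs above describe, as an added example that is not part of this manual or of the device firmware: a Python encoder that derives the TTL from Transmit interval [s] × Transmit interval multiplier and emits the optional TLVs controlled by the Transmit port description, Transmit system name, Transmit system description and Transmit system capabilities checkboxes, and a decoder that recovers the fields shown in the LLDP topology table. The MAC address, port name and system name in the sample are constructed.

```python
import struct

# LLDP TLV type numbers (IEEE 802.1AB)
END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
PORT_DESCRIPTION, SYSTEM_NAME, SYSTEM_DESCRIPTION, SYSTEM_CAPABILITIES = 4, 5, 6, 7
# Chassis ID / Port ID subtypes used in this example
CHASSIS_SUBTYPE_MAC = 4
PORT_SUBTYPE_IFNAME = 5
# System capability bits (IEEE 802.1AB system capabilities TLV)
CAP_BITS = {1: "other", 2: "repeater", 4: "bridge", 8: "wlan-ap",
            16: "router", 32: "telephone", 64: "docsis", 128: "station"}


def lldp_ttl(transmit_interval_s, multiplier):
    """TTL as the Configuration frame describes it: Transmit interval [s] multiplied by
    Transmit interval multiplier, clamped to the 16-bit TTL field."""
    if not 5 <= transmit_interval_s <= 32768 or not 2 <= multiplier <= 10:
        raise ValueError("value outside the ranges the dialog accepts")
    return min(transmit_interval_s * multiplier, 65535)


def _tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value bytes."""
    if len(value) > 511:
        raise ValueError("TLV value longer than 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, transmit_interval_s, multiplier,
                 port_description=None, system_name=None,
                 system_description=None, capabilities=None):
    """Build an LLDPDU with the three mandatory TLVs plus the optional TLVs that the
    'Transmit ...' checkboxes control (None models an unmarked checkbox)."""
    pdu = _tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
    pdu += _tlv(PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
    pdu += _tlv(TTL, struct.pack("!H", lldp_ttl(transmit_interval_s, multiplier)))
    if port_description is not None:
        pdu += _tlv(PORT_DESCRIPTION, port_description.encode())
    if system_name is not None:
        pdu += _tlv(SYSTEM_NAME, system_name.encode())
    if system_description is not None:
        pdu += _tlv(SYSTEM_DESCRIPTION, system_description.encode())
    if capabilities is not None:
        supported, enabled = capabilities          # two 16-bit bit fields
        pdu += _tlv(SYSTEM_CAPABILITIES, struct.pack("!HH", supported, enabled))
    return pdu + _tlv(END_OF_LLDPDU, b"")


def parse_lldpdu(data):
    """Decode an LLDPDU into the fields the LLDP topology table shows. Unknown TLV
    types are skipped; a truncated TLV or a missing mandatory TLV raises ValueError."""
    neighbor = {}
    offset = 0
    while offset + 2 <= len(data):
        header, = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV at offset %d" % offset)
        offset += 2 + length
        if tlv_type == END_OF_LLDPDU:
            break
        if tlv_type == CHASSIS_ID:
            subtype, ident = value[0], value[1:]
            neighbor["neighbor_identifier"] = (ident.hex(":") if subtype == CHASSIS_SUBTYPE_MAC
                                               else ident.decode(errors="replace"))
        elif tlv_type == PORT_ID:
            subtype, ident = value[0], value[1:]
            neighbor["port_id"] = (ident.decode(errors="replace") if subtype == PORT_SUBTYPE_IFNAME
                                   else ident.hex(":"))
        elif tlv_type == TTL:
            neighbor["ttl_s"], = struct.unpack("!H", value)
        elif tlv_type == PORT_DESCRIPTION:
            neighbor["neighbor_port_description"] = value.decode(errors="replace")
        elif tlv_type == SYSTEM_NAME:
            neighbor["neighbor_system_name"] = value.decode(errors="replace")
        elif tlv_type == SYSTEM_DESCRIPTION:
            neighbor["neighbor_system_description"] = value.decode(errors="replace")
        elif tlv_type == SYSTEM_CAPABILITIES:
            supported, enabled = struct.unpack("!HH", value)
            neighbor["capabilities_enabled"] = sorted(n for b, n in CAP_BITS.items() if enabled & b)
    else:
        raise ValueError("LLDPDU without End Of LLDPDU TLV")
    for required in ("neighbor_identifier", "port_id", "ttl_s"):
        if required not in neighbor:
            raise ValueError("mandatory TLV missing: " + required)
    return neighbor


if __name__ == "__main__":
    # Constructed sample: a neighbor using the dialog defaults (30 s x 4 = TTL 120 s),
    # with Transmit system description unmarked and bridge capability enabled
    pdu = build_lldpdu(bytes.fromhex("001122334455"), "1/3", 30, 4,
                       port_description="uplink to core", system_name="switch-a",
                       capabilities=(0x0014, 0x0004))
    print(parse_lldpdu(pdu))
```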
[LLDP-MED ]
LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between
endpoint devices and network devices. It specifically provides support for VoIP applications. For
this, it provides an additional set of common advertisement messages, Type Length Values (TLVs).
The device uses the TLVs for capabilities discovery such as network policy, Power over
Ethernet, inventory management and location information.
Table
Parameters Meaning
Port Displays the port number.
Device class Displays the device class of the remotely connected device.
A value of notDefined indicates that the device has capabilities not covered by any of the
LLDP-MED classes.
A value of endpointClass1..3 indicates that the device has "endpoint class 1..3" capabilities.
A value of networkConnectivity indicates that the device has network connectivity device
capabilities.
VLAN ID Displays the extension of the VLAN Identifier for the remote system connected to this port, as
defined in IEEE 802.3.
The device uses a value from 1 through 4042 to specify a valid Port VLAN ID.
The device displays the value 0 for priority tagged packets. This means that only the 802.1D
priority is significant and the device uses the default VLAN ID of the ingress port.
Priority Displays the value of the 802.1D priority which is associated with the remote system connected to
the port.
DSCP Displays the value of the Differentiated Service Code Point (DSCP) which is associated with the
remote system connected to the port.
Unknown bit status Displays the unknown bit status of incoming traffic.
A value of true indicates that the network policy for the specified application type is currently
unknown. In this case, the VLAN ID ignores the Layer 2 priority and value of the DSCP field.
A value of false indicates a specified network policy.
Tagged bit status Displays the tagged bit status.
A value of true indicates that the application uses a tagged VLAN.
A value of false indicates that for the specific application the device uses untagged VLAN
operation. In this case, the device ignores both the VLAN ID and the Layer 2 priority fields. The
DSCP value, however, is relevant.
Hardware revision Displays the vendor-specific hardware revision string as advertised by the remote endpoint.
Firmware revision Displays the vendor-specific firmware revision string as advertised by the remote endpoint.
Software revision Displays the vendor-specific software revision string as advertised by the remote endpoint.
Serial number Displays the vendor-specific serial number as advertised by the remote endpoint.
Manufacturer name Displays the vendor-specific manufacturer name as advertised by the remote endpoint.
Model name Displays the vendor-specific model name as advertised by the remote endpoint.
Asset ID Displays the vendor-specific asset tracking identifier as advertised by the remote endpoint.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
6.7 SFlow
sFlow is a standard protocol for monitoring networks. The device contains the sFlow feature which gives
you visibility into network activity, allowing for effective management and control of network resources.
The sFlow monitoring system consists of an sFlow agent and a central sFlow collector. The agent uses
the following forms of sampling:
statistical packet-based sampling of packet flows
time-based sampling of counters
The device combines both types of samples into datagrams. sFlow uses the datagrams to forward the
sampled traffic statistics to an sFlow collector for analysis.
In order to perform packet flow sampling, you configure an instance with a sampling rate. You then
configure the instance with a polling interval for counter sampling.
The menu contains the following dialogs:
SFlow Configuration
SFlow Receiver
This dialog displays device parameters and allows you to set up sFlow instances.
[Global ]
Information
Parameters Meaning
Version Displays the MIB version, the organization responsible for agent implementation, and the device
software revision.
IP address Displays the IP address associated with the agent providing SNMP connectivity.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Sampler ]
Table
Parameters Meaning
Port Displays the physical source of data for the sampler.
Receiver Displays the receiver index associated with the sampler.
Sampling rate Specifies the static sampling rate for the sampling of the packets from this source.
Possible values:
0 (default setting)
Deactivates the sampling.
256..65535
When the port receives data, the device counts received packets up to the value specified here
and then samples a packet.
Max. header size [byte] Specifies the maximum header size in bytes copied from a sampled packet.
Possible values:
20..256 (default setting: 128)
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[Poller ]
Table
Parameters Meaning
Port Displays the physical source of data for the poller counter.
Receiver Displays the receiver index associated with the query counter.
Possible values:
0..8 (default setting: 0)
Interval [s] Specifies the maximum number of seconds between successive samples of the counters which
are associated with this data source.
Possible values:
0..86400 (default setting: 0)
A sampling interval with the value 0 deactivates the sampling of the counters.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
In order to avoid a condition where 2 persons or organizations attempt to assume control of the same
sampler, the person or organization sets both the Name and Timeout [s] parameters in the same
SNMP set request.
When releasing a sampler, the controlling person or organization deletes the value in the Name column.
The controlling person or organization also restores the other parameters in this row to their default
settings.
Table
Parameters Meaning
Index Displays the index number to which the table entry relates.
Name Specifies the name of the person or company which uses the entry. An empty field indicates that
the entry is currently unused. Edit this field before making changes to other sampler parameters.
Possible values:
Alphanumeric ASCII character string with 0..127 characters
Timeout [s] Displays the time, in seconds, remaining before the sampler is released and stops sampling.
Datagram size [byte] Specifies the maximum number of data bytes that are sent in one sample datagram.
Possible values:
200..3996 (default setting: 1400)
IP address Specifies the IP address of the sFlow collector.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
Destination UDP port Specifies the number of the UDP port for sFlow datagrams.
Possible values:
1..65535 (default setting: 6343)
Exception: Port 2222 is reserved for internal functions.
Datagram version Displays the version of sFlow datagrams requested.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
6.8 Report
The device allows you to log specific events using the following outputs:
on the console
on one or more syslog servers
on a CLI connection set up using SSH
on a CLI connection set up using Telnet
In this dialog, you specify the required settings. By assigning the severity you specify which events the
device registers.
The dialog allows you to save a ZIP archive with system information on your PC.
Console logging
Parameters Meaning
Operation Enables/disables the Console logging function.
Possible values:
On
The Console logging function is enabled.
The device logs the events on the console.
Off (default setting)
The Console logging function is disabled.
Severity Specifies the minimum severity for the events. The device logs events with this severity and with
more urgent severities.
The device outputs the messages on the V.24 interface.
Possible values:
emergency
alert
critical
error
warning (default setting)
notice
informational
debug
Buffered logging
The device buffers logged events in 2 separate storage areas so that the log entries for urgent events
are kept.
This dialog allows you to specify the minimum severity for events that the device buffers in the
storage area with a higher priority.
Parameters Meaning
Severity Specifies the minimum severity for the events. The device buffers log entries for events with this
severity and with more urgent severities in the storage area with a higher priority.
Possible values:
emergency
alert
critical
error
warning (default setting)
notice
informational
debug
SNMP logging
Parameters Meaning
Log SNMP get request Enables/disables the logging of SNMP Get requests.
Possible values:
On
The logging is enabled.
The device registers SNMP Get requests as events in the syslog.
In the Severity get request drop-down list, you select the severity for this event.
Off (default setting)
The logging is disabled.
Log SNMP set request Enables/disables the logging of SNMP Set requests.
Possible values:
On
The logging is enabled.
The device registers SNMP Set requests as events in the syslog.
In the Severity set request drop-down list, you select the severity for this event.
Off (default setting)
The logging is disabled.
Severity get request Specifies the severity of the event that the device registers for SNMP Get requests.
Possible values:
emergency
alert
critical
error
warning
notice (default setting)
informational
debug
Severity set request Specifies the severity of the event that the device registers for SNMP Set requests.
Possible values:
emergency
alert
critical
error
warning
notice (default setting)
informational
debug
When you enable the logging of SNMP requests, the device sends these as events with the preset
severity notice to the list of syslog servers. The preset minimum severity for a syslog server entry is
critical.
To send SNMP requests to a syslog server, you have a number of options to change the default
settings. Select the ones that meet your requirements best.
Set the severity for which the device creates SNMP requests as events to warning or error and
change the minimum severity for a syslog entry for one or more syslog servers to the same value.
You also have the option of creating a separate syslog server entry for this.
When you set the severity for SNMP requests to critical or higher, the device sends SNMP
requests as events with the severity critical or higher to the syslog servers.
When you set the minimum severity for one or more syslog server entries to notice or lower, it is
possible that the device sends many events to the syslog servers.
CLI logging
Parameters Meaning
Operation Enables/disables the CLI logging function.
Possible values:
On
The CLI logging function is enabled.
The device logs every command received using the Command Line Interface (CLI).
Off (default setting)
The CLI logging function is disabled.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Download support information Generates a ZIP archive which the web browser offers to you for download on your PC.
The ZIP archive contains system information about the device. You will find an explanation of the
files contained in the ZIP archive in the following section.
Severity Meaning
emergency Device not ready for operation
alert Immediate user intervention required
critical Critical status
error Error status
warning Warning
notice Significant, normal status
informational Informational message
debug Debug message
The device allows you to save log entries permanently in a file on the external memory. Therefore, even
after the device is restarted you have access to the log entries.
In this dialog, you limit the size of the log file and specify the minimum severity for the events to be
saved. If the log file attains the specified size, the device archives this file and saves the following log
entries in a newly created file.
In the table the device displays the log files held on the external memory. As soon as the specified
maximum number of files has been attained, the device deletes the oldest file and renames the
remaining files. This ensures that there is always enough memory space on the external memory.
Operation
Parameters Meaning
Operation Enables/disables the Persistent Logging function.
Only activate this function when the external memory is available on the device.
Possible values:
On (default setting)
The Persistent Logging function is enabled.
The device saves the log entries in a file on the external memory.
Off
The Persistent Logging function is disabled.
Configuration
Parameters Meaning
Max. file size [kbyte] Specifies the maximum size of the log file in KBytes. If the log file attains the specified size, the
device archives this file and saves the following log entries in a newly created file.
Possible values:
0..4096 (default setting: 1024)
The value 0 deactivates saving of log entries in the log file.
Files (max.) Specifies the number of log files that the device keeps on the external memory.
As soon as the specified maximum number of files has been attained, the device deletes the
oldest file and renames the remaining files.
Possible values:
0..25 (default setting: 4)
The value 0 deactivates saving of log entries in the log file.
Severity Specifies the minimum severity of the events. The device saves the log entry for events with this
severity and with more urgent severities in the log file on the external memory.
Possible values:
emergency
alert
critical
error
warning (default setting)
notice
informational
debug
Log file target Specifies the external memory device for logging.
Possible values:
sd
External SD memory (ACA31)
usb
External USB memory (ACA22)
Table
Parameters Meaning
Index Displays the index number to which the table entry relates.
Possible values:
1..25
The device automatically assigns this number.
File name Displays the file name of the log file on the external memory.
Possible values:
messages
messages.X
File size [byte] Displays the size of the log file on the external memory in bytes.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Delete persistent log file Removes the log files from the external memory.
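The size-based rotation and the severity threshold that the Persistent Logging dialog describes, as an added Python example that is not the device's own code: an in-memory model that keeps at most Files (max.) files named messages, messages.1, ... and drops events less urgent than the configured Severity. That the active file is always messages, that messages.1 is the newest archive and that Files (max.) counts the active file are assumptions of this model; the log events are constructed.

```python
# Severity levels from the Report dialogs, most urgent first
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]


def is_logged(event_severity, min_severity):
    """True when the event is at least as urgent as the configured minimum severity."""
    return SEVERITIES.index(event_severity) <= SEVERITIES.index(min_severity)


class PersistentLog:
    """Model of the Persistent Logging dialog (assumption: the active file is 'messages',
    archives are 'messages.1' (newest) .. 'messages.N' (oldest), and Files (max.)
    counts the active file as well)."""

    def __init__(self, max_file_kbyte=1024, max_files=4, severity="warning"):
        if not 0 <= max_file_kbyte <= 4096 or not 0 <= max_files <= 25:
            raise ValueError("value outside the ranges the dialog accepts")
        self.max_bytes = max_file_kbyte * 1024
        self.max_files = max_files
        self.severity = severity
        self.files = {}   # file name -> list of saved log lines

    @staticmethod
    def _number(name):
        # 'messages' -> 0, 'messages.3' -> 3
        return 0 if name == "messages" else int(name.rsplit(".", 1)[1])

    def _size(self, name):
        # File size [byte], counting one newline per saved line
        return sum(len(line) + 1 for line in self.files.get(name, []))

    def _rotate(self):
        """Archive the active file. When the table already holds Files (max.) entries,
        the oldest file is deleted first, then every remaining file is renamed."""
        archives = sorted((n for n in self.files if n != "messages"),
                          key=self._number, reverse=True)       # oldest first
        if len(self.files) >= self.max_files:
            del self.files[archives.pop(0) if archives else "messages"]
        for name in archives:                                   # messages.X -> messages.X+1
            self.files["messages.%d" % (self._number(name) + 1)] = self.files.pop(name)
        if "messages" in self.files:
            self.files["messages.1"] = self.files.pop("messages")

    def write(self, severity, text):
        """Save one event. Returns False when saving is deactivated (either limit is 0)
        or the event is less urgent than the Severity setting."""
        if self.max_bytes == 0 or self.max_files == 0:
            return False
        if not is_logged(severity, self.severity):
            return False
        entry = "%s: %s" % (severity, text)
        # The active file has attained Max. file size: archive it and start a new one
        if self._size("messages") and self._size("messages") + len(entry) + 1 > self.max_bytes:
            self._rotate()
        self.files.setdefault("messages", []).append(entry)
        return True

    def table(self):
        """Rows of the Table frame: (Index, File name, File size [byte])."""
        names = sorted(self.files, key=self._number)
        return [(i + 1, n, self._size(n)) for i, n in enumerate(names)]


if __name__ == "__main__":
    log = PersistentLog(max_file_kbyte=1, max_files=3, severity="warning")
    for i in range(31):                      # constructed sample events
        log.write("error", "link down on port 1/%d %s" % (i % 8 + 1, "x" * 70))
    log.write("informational", "not saved: below the warning threshold")
    print(log.table())
```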
The device logs important device-internal events in a log file (System Log).
This dialog displays the log file (System Log). The dialog allows you to save the log file in HTML format
on your PC.
In order to search the log file for search terms, use the search function of your web browser.
The log file is kept until a restart is performed on the device. After the restart the device creates the file
again.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Save log file Opens the HTML page in a new web browser window or tab. You can save the HTML page on
your PC using the appropriate web browser command.
Delete log file Removes the logged events from the log file.
This dialog displays the log file (Audit Trail). The dialog allows you to save the log file as an HTML file
on your PC.
In order to search the log file for search terms, use the search function of your web browser.
The device logs system events and writing user actions on the device. This gives you the option of
following WHO changes WHAT on the device WHEN. The prerequisite is that the user role auditor or
administrator is assigned to your user account.
The device logs the following user actions, among others:
A user logging on via CLI (local or remote)
A user logging off manually
Automatic logging off of a user in CLI after a specified period of inactivity
Device restart
Locking of a user account due to too many failed logon attempts
Locking of the management access due to failed logon attempts
Commands executed in CLI, apart from show commands
Changes to configuration variables
Changes to the system time
File transfer operations, including firmware updates
Configuration changes via HiDiscovery
Firmware updates and automatic configuration of the device via the external memory
Opening and closing of SNMP via an HTTPS tunnel
The device does not log passwords. The logged entries are write-protected and remain saved in the
device after a restart.
Note: During the restart, access to the system monitor is possible using the default settings of the
device. When an attacker gains physical access to the device, they are able to reset the device settings
to its default values using the system monitor. After this, the device and log file are accessible using the
standard password. Take appropriate measures to restrict physical access to the device. Otherwise,
deactivate access to the system monitor. See the Diagnostics > System > Selftest dialog, SysMon1
is available checkbox.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Save audit trail file Opens the HTML page in a new web browser window or tab. You can save the HTML page on
your PC using the appropriate web browser command.
7 Advanced
A network administrator uses the DHCP L2 Relay Agent to add DHCP client information. L3 Relay
Agents and DHCP servers need the DHCP client information to assign an IP address and a
configuration to the clients.
When active, the relay adds Option 82 information configured in this dialog to the packets before it relays
DHCP requests from the clients to the server. The Option 82 fields provide unique information about the
client and relay. This unique identifier consists of a Circuit ID for the client and a Remote ID for the relay.
In addition to the type, length, and multicast fields, the Circuit ID includes the VLAN ID, unit number, slot
number, and port number for the connected client.
The Remote ID consists of a type and length field and either a MAC address, IP address, client identifier,
or a user-defined device description. A client identifier is the user-defined system name for the device.
The menu contains the following dialogs:
DHCP L2 Relay Configuration
DHCP L2 Relay Statistics
This dialog allows you to activate the relay function on an interface and VLAN. When you activate this
function on a port, the device either relays the Option 82 information or drops the information on
untrusted ports. Furthermore, the device allows you to specify the VLAN remote identifier.
Operation
Parameters Meaning
Operation Enables/disables the DHCP L2 Relay function of the device globally.
Possible values:
On
Enables the DHCP Layer 2 Relay function of the device.
Off (default setting)
Disables the DHCP Layer 2 Relay function of the device.
[Interface]
Table
Parameters Meaning
Port Displays the port number.
Active Activates/deactivates the DHCP L2 Relay function on the port.
The prerequisite is that you enable the function globally.
Possible values:
marked
The DHCP L2 Relay function is active.
unmarked (default setting)
The DHCP L2 Relay function is inactive.
Trusted port Activates/deactivates the secure DHCP L2 Relay mode for the corresponding port.
Possible values:
marked
The device accepts DHCP packets with Option 82 information.
unmarked (default setting)
The device discards DHCP packets received on non-secure ports that contain Option 82
information.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
[VLAN ID]
Table
Parameters Meaning
VLAN ID VLAN to which the table entry relates.
Active Activates/deactivates the DHCP Layer 2 Relay function on the VLAN.
The prerequisite is that you enable the function globally.
Possible values:
marked
The DHCP Layer 2 Relay function is active.
unmarked (default setting)
The DHCP Layer 2 Relay function is inactive.
Circuit ID Activates or deactivates the addition of the Circuit ID to the Option 82 information.
Possible values:
marked (default setting)
Enables Circuit ID and Remote ID to be sent together.
unmarked
The device sends the Remote ID exclusively.
Remote ID type Specifies the components of the Remote ID for this VLAN.
Possible values:
ip
Specifies the IP address of the device as Remote ID.
mac (default setting)
Specifies the MAC address of the device as Remote ID.
client-id
Specifies the system name of the device as Remote ID.
other
Enter in the Remote ID column user-defined information if you use this value.
Remote ID Displays the Remote ID for the VLAN.
Specify the identifier when you specify the value other in the Remote ID type column.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
The device monitors the traffic on the ports and displays the results in tabular form.
This table is divided into various categories to aid you in traffic analysis.
Table
Parameters Meaning
Port Displays the port number.
Untrusted server messages with Option 82 Displays the number of DHCP server messages received with Option 82 information on the
untrusted interface.
Untrusted client messages with Option 82 Displays the number of DHCP client messages received with Option 82 information on the
untrusted interface.
Trusted server messages without Option 82 Displays the number of DHCP server messages received without Option 82 information on the
trusted interface.
Trusted client messages without Option 82 Displays the number of DHCP client messages received without Option 82 information on the
trusted interface.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
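The following Python example is added here and is not code from the manual or the relay implementation. It builds and parses the Option 82 TLV described in the introduction to this menu (Circuit ID as sub-option 1, Remote ID as sub-option 2, as in RFC 3046) for the four Remote ID type values, and applies the Trusted port rule together with the four counters of the statistics dialog. The byte layout of the Circuit ID fields (VLAN ID as 2 bytes, unit, slot and port as 1 byte each) and all sample values are assumptions of the example.

```python
import ipaddress
import struct

OPTION_RELAY_AGENT_INFO = 82   # DHCP option code of Option 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def build_circuit_id(vlan_id, unit, slot, port):
    """Circuit ID sub-option. The field layout (VLAN ID as 2 bytes, then
    unit, slot and port as 1 byte each) is an assumption of this example."""
    payload = struct.pack("!HBBB", vlan_id, unit, slot, port)
    return bytes([SUBOPT_CIRCUIT_ID, len(payload)]) + payload


def build_remote_id(remote_id_type, value):
    """Remote ID sub-option for the 'Remote ID type' values ip, mac,
    client-id (system name) and other (user-defined text)."""
    if remote_id_type == "ip":
        payload = ipaddress.IPv4Address(value).packed
    elif remote_id_type == "mac":
        payload = bytes.fromhex(value.replace(":", "").replace("-", ""))
    elif remote_id_type in ("client-id", "other"):
        payload = value.encode("ascii")
    else:
        raise ValueError(f"unknown Remote ID type {remote_id_type!r}")
    return bytes([SUBOPT_REMOTE_ID, len(payload)]) + payload


def build_option82(remote_id, circuit_id=None):
    """Whole option; with 'Circuit ID' unmarked only the Remote ID is sent."""
    body = (circuit_id or b"") + remote_id
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def parse_option82(option):
    """Split an Option 82 TLV into its sub-option payloads, checking every
    length so that a truncated or oversized option is rejected, not misread."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not an Option 82 TLV")
    if len(option) != option[1] + 2:
        raise ValueError("option length does not match the data")
    names = {SUBOPT_CIRCUIT_ID: "circuit_id", SUBOPT_REMOTE_ID: "remote_id"}
    fields, pos = {}, 2
    while pos < len(option):
        if pos + 2 > len(option):
            raise ValueError("truncated sub-option header")
        code, length = option[pos], option[pos + 1]
        value = option[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        fields[names.get(code, code)] = value
        pos += 2 + length
    return fields


def is_well_formed(option):
    """True when parse_option82 accepts the option."""
    try:
        parse_option82(option)
        return True
    except ValueError:
        return False


class RelayPortPolicy:
    """'Trusted port' decision of the relay together with the four counters
    of the DHCP L2 Relay Statistics dialog."""

    def __init__(self):
        self.counters = {"untrusted_server_with_82": 0,
                         "untrusted_client_with_82": 0,
                         "trusted_server_without_82": 0,
                         "trusted_client_without_82": 0}

    def admit(self, trusted, from_server, has_option82):
        """True when the packet is relayed, False when it is discarded."""
        key = "%s_%s_%s" % ("trusted" if trusted else "untrusted",
                            "server" if from_server else "client",
                            "with_82" if has_option82 else "without_82")
        if key in self.counters:
            self.counters[key] += 1
        # Packets that already carry Option 82 are accepted on trusted ports only.
        return trusted or not has_option82
```

The length checks in the parser matter on the server side as much as on the relay: a relay that trusts the embedded length bytes without comparing them to the actual option size can be made to read past the option.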
With the DHCP server, you manage a database of available IP addresses and configuration information.
When the device receives a request from a client, the DHCP server validates the DHCP client network,
and then leases an IP address. When activated, the DHCP server also allocates configuration
information appropriate for that client. The configuration information specifies, for example, which IP
address, DNS server and the default route a client uses.
The DHCP server assigns an IP address to a client for a user-defined interval. The DHCP client is
responsible for renewing the IP address before the interval expires. If the DHCP client is unable to renew
the address then the address returns to the pool for reassignment.
The menu contains the following dialogs:
DHCP Server Global
DHCP Server Pool
DHCP Server Lease Table
Activate the function either globally or per port according to your requirements.
Operation
Parameters Meaning
Operation Enables/disables the DHCP server function of the device globally.
Possible values:
On
Off (default setting)
Table
Parameters Meaning
Port Displays the port number.
DHCP server active Activates/deactivates the DHCP server function on this port.
The prerequisite is that you enable the function globally.
Possible values:
marked (default setting)
The DHCP server function is active.
unmarked
The DHCP server function is inactive.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Table
Parameters Meaning
Index Displays the index number to which the table entry relates.
Active Activates/deactivates the DHCP server function on this port.
Possible values:
marked
The DHCP server function is active.
unmarked (default setting)
The DHCP server function is inactive.
IP address Specifies the IP address for static IP address assignment. When using dynamic IP address
assignment, this value specifies the start of the IP address range.
Possible values:
Valid IPv4 address
Last IP address Specifies the end of the IP address range when using dynamic IP address assignment.
Possible values:
Valid IPv4 address
Port Displays the port number.
VLAN ID Displays the VLAN to which the table entry relates.
A value of 1 corresponds to the default management VLAN.
Possible values:
1..4042
Parameters Meaning
MAC address Specifies the MAC address of the device leasing the IP address.
Possible values:
Valid Unicast MAC address
Specify the value in one of the following formats:
– without a separator, for example 001122334455
– separated by spaces, for example 00 11 22 33 44 55
– separated by colons, for example 00:11:22:33:44:55
– separated by hyphens, for example 00-11-22-33-44-55
– separated by points, for example 00.11.22.33.44.55
– separated by points after every 4th character, for example 0011.2233.4455
–
For the IP address assignment, the server ignores this variable.
DHCP relay Specifies the IP address of the DHCP relay through which the clients transmit their requests to the
DHCP server. If the DHCP server receives the client's request through another DHCP relay, it
ignores this request.
Possible values:
Valid IPv4 address
IP address of the DHCP relay.
–
Between the client and the DHCP server there is no DHCP relay.
Client ID Specifies the identification of the client device leasing the IP address.
Possible values:
1..80 bytes (format XX XX .. XX)
–
For the IP address assignment, the server ignores this variable.
Remote ID Specifies the identification of the remote device leasing the IP address.
Possible values:
1..80 bytes (format XX XX .. XX)
–
For the IP address assignment, the server ignores this variable.
Circuit ID Specifies the Circuit ID of the device leasing the IP address.
Possible values:
1..80 bytes (format XX XX .. XX)
–
For the IP address assignment, the server ignores this variable.
Hirschmann device Activates/deactivates Hirschmann multicasts.
Activate this function if the device in this IP address range serves only Hirschmann devices.
Possible values:
marked
In this IP address range, the device serves only Hirschmann devices. Hirschmann multicasts
are activated.
unmarked (default setting)
In this IP address range, the device serves the devices of different manufacturers. Hirschmann
multicasts are deactivated.
Configuration URL Specifies the protocol to be used as well as the name and path of the configuration file.
Possible values:
Alphanumeric ASCII character string with 0..70 characters
Example: tftp://192.9.200.1/cfg/config.sav
If you leave this field blank, the device leaves this option field blank in the DHCP message.
Lease time [s] Specifies the lease time in seconds.
Possible values:
1..4294967294 (default setting: 86400)
4294967295
Use this value for assignments unlimited in time and for assignments via BOOTP.
Default gateway Specifies the IP address of the default gateway.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
Valid IPv4 address
Parameters Meaning
Netmask Specifies the mask of the network to which the client belongs.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
Valid IPv4 netmask
WINS server Specifies the IP address of the Windows Internet Name Server which converts NetBIOS names.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
Valid IPv4 address
DNS server Specifies the IP address of the DNS server.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
Valid IPv4 address
Hostname Specifies the hostname.
If you leave this field blank, the device leaves this option field blank in the DHCP message.
Possible values:
Alphanumeric ASCII character string with 0..64 characters
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
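As an added example (not code from the manual or the device), the following Python snippet normalizes the six MAC address notations listed above and applies the matching rules of the pool table: fields left empty ('–') are ignored for the assignment, a configured DHCP relay must match the relay through which the request arrived, and the first matching entry in index order supplies either its static address or the lowest free address of its range. The request dictionary, the pool entries and the leased addresses are constructed for the example.

```python
import ipaddress
import re


def normalize_mac(text):
    """Accept the six notations listed for the 'MAC address' column (no
    separator, spaces, colons, hyphens, points, points after every 4th
    character) and return the address as 6 bytes; group addresses are rejected
    because a unicast MAC address is required."""
    digits = re.sub(r"[\s:.\-]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    mac = bytes.fromhex(digits)
    if mac[0] & 0x01:
        raise ValueError("group address given, a unicast MAC address is required")
    return mac


class PoolEntry:
    """One row of the DHCP Server Pool table. Fields left as '–' (None here)
    are ignored for the assignment, as the dialog states."""

    def __init__(self, index, ip_address, last_ip_address=None, port=None,
                 vlan_id=1, mac=None, dhcp_relay=None, client_id=None,
                 remote_id=None, circuit_id=None, active=True, lease_time=86400):
        self.index = index
        self.first = ipaddress.IPv4Address(ip_address)
        # A static entry has no end address: the range is the single address.
        self.last = ipaddress.IPv4Address(last_ip_address or ip_address)
        self.port, self.vlan_id, self.active = port, vlan_id, active
        self.mac = normalize_mac(mac) if mac else None
        self.relay = ipaddress.IPv4Address(dhcp_relay) if dhcp_relay else None
        self.client_id, self.remote_id, self.circuit_id = client_id, remote_id, circuit_id
        self.lease_time = lease_time

    def matches(self, request):
        """request: constructed dict with port, vlan_id, mac (bytes), giaddr
        (address of the relay the request came through, or None), client_id,
        remote_id and circuit_id."""
        if not self.active:
            return False
        if self.port is not None and request.get("port") != self.port:
            return False
        if request.get("vlan_id", 1) != self.vlan_id:
            return False
        if self.mac is not None and request.get("mac") != self.mac:
            return False
        # Relay rule of the dialog: a request arriving through another relay
        # than the configured one is ignored; '–' means no relay in between.
        giaddr = request.get("giaddr")
        giaddr = ipaddress.IPv4Address(giaddr) if giaddr else None
        if self.relay is None and giaddr is not None:
            return False
        if self.relay is not None and giaddr != self.relay:
            return False
        for name in ("client_id", "remote_id", "circuit_id"):
            wanted = getattr(self, name)
            if wanted is not None and request.get(name) != wanted:
                return False
        return True


def assign(pool, request, leased):
    """First matching entry in index order wins; within a dynamic range the
    lowest address not in `leased` is offered. Returns (index, address) or None."""
    leased = {ipaddress.IPv4Address(a) for a in leased}
    for entry in sorted(pool, key=lambda e: e.index):
        if not entry.matches(request):
            continue
        addr = entry.first
        while addr <= entry.last:
            if addr not in leased:
                return entry.index, addr
            addr += 1
    return None


def demo():
    """Constructed pool: one static reservation by MAC, one dynamic range."""
    pool = [PoolEntry(1, "192.0.2.10", mac="00-11-22-33-44-55"),
            PoolEntry(2, "192.0.2.100", "192.0.2.102")]
    leased = {"192.0.2.100"}
    results = []
    for mac in ("001122334455", "0011.2233.4466"):
        results.append(assign(pool, {"mac": normalize_mac(mac), "giaddr": None}, leased))
    return results
```

In the demo the reserved client receives 192.0.2.10 from entry 1, while an unknown client falls through to entry 2 and is offered 192.0.2.101, the first address of the range that is not already leased.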
This dialog displays the status of IP address leasing on a per port basis.
Table
Parameters Meaning
Port Displays the port number to which the address is currently being leased.
IP address Displays the leased IP address to which the entry refers.
Status Displays the lease phase.
According to the standard for DHCP operations, there are 4 phases to leasing an IP address:
Discovery, Offer, Request, and Acknowledgement.
Possible values:
bootp
A DHCP client is attempting to discover a DHCP server for IP address allocation.
offering
The DHCP server is validating that the IP address is suitable for the client.
requesting
A DHCP client is acquiring the offered IP address.
bound
The DHCP server is leasing the IP address to a client.
renewing
The DHCP client is requesting an extension to the lease.
rebinding
The DHCP server is assigning the IP address to the client after a successful renewal.
declined
The DHCP server denied the request for the IP address.
released
The IP address is available for other clients.
Remaining lifetime Displays the time remaining on the leased IP address.
Leased MAC address Displays the MAC address of the device leasing the IP address.
Gateway Displays the Gateway IP address of the device leasing the IP address.
Client ID Displays the client identifier of the device leasing the IP address.
Remote ID Displays the remote identifier of the device leasing the IP address.
Circuit ID Displays the Circuit ID of the device leasing the IP address.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
7.3 DNS
DNS (Domain Name System) is a service in the network that translates host names into IP addresses.
This name resolution gives you the option of contacting other devices using their host names instead of
their IP addresses.
The Client function enables the device to send requests for resolving hostnames in IP addresses to a
DNS server.
The menu contains the following dialogs:
DNS Client Global
DNS Client Current
DNS Client Static
DNS Client Static Hosts
In this dialog, you enable the Client function and the Cache function.
Operation
Parameters Meaning
Operation Enables/disables the Client function.
Possible values:
On
The Client function is enabled.
The device sends requests for resolving hostnames in IP addresses to a DNS server.
Off (default setting)
The Client function is disabled.
Cache
Parameters Meaning
Cache Enables/disables the Cache function.
Possible values:
On (default setting)
The Cache function is enabled.
The device temporarily saves up to 128 DNS server responses (hostname and corresponding
IP address) in the cache. If the cache contains a matching entry, the device resolves the host
name of a new request itself. This makes sending a new query to the DNS server
unnecessary.
Off
The Cache function is disabled.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
This dialog displays to which DNS servers the device sends requests for resolving hostnames in IP
addresses.
Table
Parameters Meaning
Index Displays the sequential number of the DNS server.
Address Displays the IP address of the DNS server. The device forwards requests for resolving host names
in IP addresses to the DNS server with this IP address.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
In this dialog, you specify the DNS servers to which the device forwards requests for resolving host
names in IP addresses. The device allows you to specify up to 4 IP addresses yourself or to transfer the
IP addresses from a DHCP server.
Configuration
Parameters Meaning
Configuration source Specifies the source from which the device obtains the IP address of DNS servers to which the
device addresses requests.
Possible values:
user
The device uses the IP addresses specified in the table.
mgmt-dhcp (default setting)
The device uses the IP addresses which the DHCP server delivers to the device.
Domain name Specifies the domain name according to RFC1034 which the device adds to hostnames without
a domain suffix.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
Request timeout [s] Specifies the time interval in seconds for sending again a request to the server.
Possible values:
0
Deactivates the function. The device does not send a request to the server again.
1..3600 (default setting: 3)
Request retransmits Specifies how many times the device retransmits a request.
The prerequisite is that, in the Request timeout [s] field, you specify a value >0.
Possible values:
0..100 (default setting: 2)
Table
Parameters Meaning
Index Displays the sequential number of the DNS server.
The device allows you to specify up to 4 DNS servers.
Address Specifies the IP address of the DNS server.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
Active Activates/deactivates the table entry.
The device sends requests to the DNS server configured in the first active table entry. If the device
does not receive a response from this server, it sends requests to the DNS server configured in
the next active table entry.
Possible values:
marked
Allows the DNS client to send requests to this DNS server.
Prerequisites:
Enable the DNS-client function in the Advanced > DNS > Global dialog.
Select in the Configuration frame, Configuration source drop-down-list the value
user.
unmarked (default setting)
The device does not send requests to this DNS server.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
This dialog allows you to specify up to 64 hostnames which you link with one IP address each. Upon a
request for resolving hostnames in IP addresses, the device searches this table for a corresponding
entry. If the device does not find a corresponding entry, it forwards the request.
Table
Parameters Meaning
Index Displays the index number to which the table entry relates.
Possible values:
1..64
Name Specifies the hostname.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
IP address Specifies the IP address under which the host is reachable.
Possible values:
Valid IPv4 address
Active Activates/deactivates the table entry.
Possible values:
marked
The device resolves a request for the host name for this entry.
unmarked
After receiving a request for this host name, the device sends a request to one of the
configured name servers for resolution.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
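The following Python example is added here and is not part of the manual or the device software. It models the lookup order described in the DNS client dialogs above: the Static Hosts table first, then the cache of up to 128 responses, then the active DNS servers in table order with the Request timeout [s] and Request retransmits settings. The servers are constructed stubs; that a name without a suffix is completed with the Domain name before the static table is searched is an assumption of the example.

```python
from collections import OrderedDict


class StubServer:
    """Constructed stand-in for a DNS server: answers from a dict; a missing
    name yields None, which models a request that receives no response."""

    def __init__(self, address, answers, active=True):
        self.address, self.answers, self.active = address, answers, active
        self.calls = 0

    def query(self, fqdn):
        self.calls += 1
        return self.answers.get(fqdn)


class DnsClient:
    """Lookup order of the DNS Client dialogs: static hosts, then the cache,
    then the active servers in table order with timeout and retransmits."""

    CACHE_LIMIT = 128   # the device keeps up to 128 responses

    def __init__(self, servers, domain_name="", request_timeout=3,
                 retransmits=2, cache_enabled=True, static_hosts=()):
        # Only active table entries are queried, the first active one first.
        self.servers = [s for s in servers if s.active]
        self.domain_name = domain_name
        # Timeout 0 deactivates retransmission: exactly one request per server.
        self.attempts = 1 + (retransmits if request_timeout > 0 else 0)
        self.cache_enabled = cache_enabled
        self.cache = OrderedDict()
        # static_hosts: (name, ip, active) tuples, as in the Static Hosts table
        self.static = {n: ip for n, ip, active in static_hosts if active}

    def _qualify(self, name):
        # Names without a domain suffix get the configured domain appended
        # (assumption: this happens before the static table is searched).
        if "." not in name and self.domain_name:
            return f"{name}.{self.domain_name}"
        return name

    def _remember(self, fqdn, ip):
        if not self.cache_enabled:
            return
        self.cache[fqdn] = ip
        self.cache.move_to_end(fqdn)
        while len(self.cache) > self.CACHE_LIMIT:
            self.cache.popitem(last=False)   # drop the oldest entry

    def resolve(self, name):
        """Returns (ip or None, where the answer came from)."""
        fqdn = self._qualify(name)
        if fqdn in self.static:
            return self.static[fqdn], "static"
        if self.cache_enabled and fqdn in self.cache:
            return self.cache[fqdn], "cache"
        # The next server is tried only after the previous one gave no response.
        for server in self.servers:
            for _ in range(self.attempts):
                ip = server.query(fqdn)
                if ip is not None:
                    self._remember(fqdn, ip)
                    return ip, f"server {server.address}"
        return None, "unresolved"


def demo():
    """Constructed setup: the first server never answers, the second does."""
    silent = StubServer("192.0.2.53", {})
    answering = StubServer("192.0.2.54", {"plc1.example.net": "192.0.2.20"})
    client = DnsClient([silent, answering], domain_name="example.net",
                       static_hosts=[("hmi.example.net", "192.0.2.30", True)])
    first = client.resolve("plc1")   # answered by the second server
    second = client.resolve("plc1")  # served from the cache
    third = client.resolve("hmi")    # served from the static table
    return first, second, third, silent.calls, answering.calls
```

With the default settings the silent server is asked three times (one request plus two retransmits) before the second server is tried; the repeated lookup is answered from the cache without any further request.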
7.4.1 IEC61850-MMS
Note: IEC61850/MMS does not provide any authentication mechanisms. If the write access for
IEC61850/MMS is activated, every client that can access the device using TCP/IP is capable of
changing the settings of the device. This in turn can result in an incorrect configuration of the device and
to failures in the network.
Activate the write access exclusively if you have taken additional measures (for example Firewall, VPN,
etc.) to reduce the risk of unauthorized access.
This dialog allows you to specify the following MMS server settings:
Activates/deactivates the MMS server.
Activates/deactivates the write access to the MMS server.
The MMS server TCP Port.
The maximum number of MMS server sessions.
Operation
Parameters Meaning
Operation Enables/disables the IEC61850-MMS server.
Possible values:
On
The IEC61850-MMS server is enabled.
Off (default setting)
The IEC61850-MMS server is disabled.
The IEC61850 MIBs stay accessible.
Configuration
Parameters Meaning
Write access Activates/deactivates the write access to the MMS server.
Possible values:
marked
The write access to the MMS server is activated. This setting allows you to change the device
settings using the IEC 61850 MMS protocol.
unmarked (default setting)
The write access to the MMS server is deactivated. The MMS server is accessible as read-
only.
Parameters Meaning
Technical key Specifies the IED name.
The IED name is eligible independently of the system name.
Possible values:
Alphanumeric ASCII character string with 0..32 characters
The following characters are allowed:
– _
– 0..9
– a..z
– A..Z (default setting: KEY)
To get the MMS server to use the IED name, click the button and restart the MMS server.
The connection to connected clients is then interrupted.
TCP port Specifies TCP port for MMS server access.
Possible values:
1..65535 (default setting: 102)
Exception: Port 2222 is reserved for internal functions.
Note: The server restarts automatically after you change the port. In the process, the device
terminates open connections to the server.
Sessions (max.) Specifies the maximum number of MMS server connections.
Possible values:
1..15 (default setting: 5)
Information
Parameters Meaning
Status Displays the current IEC61850-MMS server status.
Possible values:
unavailable
starting
running
stopping
halted
error
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Modbus TCP is a protocol used for Supervisory Control and Data Acquisition (SCADA) system
integration. Modbus TCP is a vendor-neutral protocol used to monitor and control industrial automation
equipment such as Programmable Logic Controllers (PLC), sensors and meters.
This dialog allows you to specify the parameters of the protocol. To monitor and control the parameters
of the device, you need Human-Machine Interface (HMI) software and the memory mapping table. Refer
to the tables located in the Industrial Protocol user manual for the supported objects and memory
mapping.
The dialog allows you to enable the function, activate the write access, control which TCP port the
Human-Machine Interface (HMI) polls for data. You can also specify the number of sessions allowed to
be open at the same time.
Note: Activating the Modbus TCP write-access can cause a possible security risk, because the protocol
does not authenticate user access.
To help minimize the security risks, specify the IP address range in the Device Security >
Management Access dialog. Enter only the IP addresses assigned to your devices before enabling the
function. Furthermore, the monitoring function in the Diagnostics > Status Configuration > Security
Status > Global tab is active by default.
Operation
Parameters Meaning
Operation Enables/disables the Modbus TCP server on the device.
Possible values:
On
The Modbus TCP server is enabled.
Off (default setting)
The Modbus TCP server is disabled.
Configuration
Parameters Meaning
Write access Activates/deactivates the write access to the Modbus TCP parameters.
Note: Activating the Modbus TCP write-access can cause a possible security risk, because the
protocol does not authenticate user access.
Possible values:
marked (default setting)
The Modbus TCP server read/write access is active. This allows you to change the device
configuration using the Modbus TCP protocol.
unmarked
The Modbus TCP server read-only access is active.
TCP port Specifies the TCP port number that the Modbus TCP server uses for communication.
Possible values:
<TCP Port number> (default setting: 502)
Specifying 0 is not allowed.
Parameters Meaning
Sessions (max.) Specifies the maximum number of concurrent sessions that the Modbus TCP server allows.
Possible values:
1..5 (default setting: 5)
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
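As an added example from a defender's perspective (not code from the manual or the device's Modbus TCP server), the following Python snippet parses the MBAP header of a Modbus TCP request and applies the three controls discussed in this dialog: a permitted source address range, the Sessions (max.) limit and read-only operation, where write function codes receive a Modbus exception reply instead of being executed. The sample frames, addresses and the set of function codes treated as writes are constructed for the example.

```python
import ipaddress
import struct

# Modbus function codes that modify coils or registers; with 'Write access'
# unmarked these must not reach the device. (Assumed set for this example.)
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
ILLEGAL_FUNCTION = 0x01   # Modbus exception code


def parse_adu(frame):
    """Parse the MBAP header (transaction id, protocol id, length, unit id)
    and the function code of one Modbus TCP application data unit."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("length field disagrees with the frame size")
    return {"transaction_id": tid, "unit_id": unit,
            "function": frame[7], "pdu": frame[7:]}


def exception_response(adu, code):
    """Modbus exception reply: same header, function code with bit 7 set."""
    pdu = bytes([adu["function"] | 0x80, code])
    header = struct.pack("!HHHB", adu["transaction_id"], 0, len(pdu) + 1, adu["unit_id"])
    return header + pdu


class ModbusAccessPolicy:
    """Admission rules in front of a Modbus TCP server: source address
    restriction, session limit and read-only mode."""

    def __init__(self, write_access=True, allowed_networks=(), max_sessions=5):
        self.write_access = write_access
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.max_sessions = max_sessions
        self.sessions = set()

    def admit(self, client, frame):
        """client: (ip, port) of the TCP peer. Returns (accepted, reason)."""
        ip = ipaddress.ip_address(client[0])
        if self.allowed and not any(ip in net for net in self.allowed):
            return False, "source address outside the permitted range"
        if client not in self.sessions and len(self.sessions) >= self.max_sessions:
            return False, "maximum number of sessions reached"
        try:
            adu = parse_adu(frame)
        except ValueError as exc:
            return False, f"malformed frame: {exc}"
        self.sessions.add(client)
        if adu["function"] in WRITE_FUNCTIONS and not self.write_access:
            # The caller answers with exception_response(adu, ILLEGAL_FUNCTION).
            return False, "write access is deactivated"
        return True, "ok"


# Constructed sample frames: read 1 holding register at address 0, and write
# the value 42 to holding register 0, both addressed to unit 1.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 0001".replace(" ", ""))
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0000 002a".replace(" ", ""))
```

The length check against the real frame size is the part most often skipped in ad-hoc Modbus code; without it a frame with an inflated length field is silently accepted and the following bytes are interpreted as part of the request.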
7.4.3 PROFINET
This dialog allows you to configure the PROFINET protocol on this device used in conjunction with
PROFINET Controllers and PROFINET devices. The device bases the PROFINET function on the
Siemens V2.2 PROFINET stack for common Ethernet controllers. The PROFINET protocol
implemented in the device conforms to Class B for real time responses according to IEC 61158.
Functions that directly affect the PROFINET function require the following default values to be changed.
If you have obtained the device as a specially available PROFINET variant, these values are already
predefined:
Operation
Parameters Meaning
Operation Enables/disables the PROFINET function on the device.
Possible values:
On
The PROFINET function is enabled.
Off (default setting)
The PROFINET function is disabled.
Configuration
Parameters Meaning
Name of station Specifies the name of the device.
Possible values:
Alphanumeric ASCII character string with 0..240 characters
The device prohibits you from using a number as the first character.
Information
Parameters Meaning
Active application relations Displays how many application relations are active.
Table
Parameters Meaning
Port Displays the port number.
DCP mode Specifies the data stream direction on the port to monitor for DCP packets.
The Programmable Logic Controller (PLC) detects PROFINET devices using the Discovery and
Configuration Protocol (DCP).
The DCP identify request packets are multicast, the responses from the agents are unicast.
Regardless of the settings, the device forwards the received DCP packets to other ports whose
setting is either egress or both.
[Figure: DCP packet flow between the management station and the DCP agent for the DCP mode values none, ingress, egress and both]
Possible values:
none
The agent does not respond to packets received on this port. The port does not forward
packets received on other ports.
ingress
The agent responds to packets received on this port. The port does not forward packets
received on other ports.
egress
The agent does not respond to packets received on this port. The port forwards packets
received on other ports.
both (default setting)
The agent responds to packets received on this port. The port forwards packets received on
other ports.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
7.4.4 EtherNet/IP
This dialog allows you to activate the EtherNet/IP protocol, to change the SET/GET capability and to
download the EDS file from the device.
Operation
Parameters Meaning
Operation Enables/disables the EtherNet/IP function on the device.
Possible values:
On
The EtherNet/IP function is enabled.
Off (default setting)
The EtherNet/IP function is disabled. The device continues to read the EtherNet/IP data.
Configuration
Parameters Meaning
Write access Activates/deactivates the read/write capability of the EtherNet/IP protocol.
Possible values:
marked
The EtherNet/IP protocol allows set/get requests.
unmarked (default setting)
The EtherNet/IP protocol allows only get requests.
Buttons
You find the description of the standard buttons in section “Buttons” on page 18.
Button Meaning
Displays a sub menu with the following items.
Download EDS file Copies the following information in a zip file onto your PC:
Electronic Data Sheet (EDS) with device related information
device icon
B Further support
Technical questions
For technical questions, please contact any Hirschmann dealer in your area or Hirschmann directly.
You find the addresses of our partners on the Internet at http://www.hirschmann.com.
A list of local telephone numbers and email addresses for technical support directly from Hirschmann is
available at https://hirschmann-support.belden.eu.com.
This site also includes a free of charge knowledge base and a software download section.
C Readers’ Comments
What is your opinion of this manual? We are constantly striving to provide as comprehensive a
description of our product as possible, as well as important information to assist you in the operation of
this product. Your comments and suggestions help us to further improve the quality of our
documentation.
Contents
Safety instructions 32
1 Command reference 35
4 Application Lists 63
4.1 appllists 64
4.1.1 appllists set-authlist 64
5 Authentication Lists 67
5.1 authlists 68
5.1.1 authlists add 68
5.1.2 authlists delete 68
5.1.3 authlists set-policy 68
5.1.4 authlists enable 69
5.1.5 authlists disable 70
5.2 show 71
5.2.1 show authlists 71
6 Auto Disable 73
6.1 auto-disable 74
6.1.1 auto-disable reason 74
6.2 auto-disable 75
6.2.1 auto-disable timer 75
6.2.2 auto-disable reset 75
6.3 show 76
6.3.1 show auto-disable brief 76
6.3.2 show auto-disable reasons 76
7 Cabletest 77
7.1 cable-test 78
7.1.1 cable-test 78
8 Class Of Service 79
8.1 classofservice 80
8.1.1 classofservice ip-dscp-mapping 80
8.1.2 classofservice dot1p-mapping 83
8.2 classofservice 84
8.2.1 classofservice trust 84
8.3 cos-queue 85
8.3.1 cos-queue strict 85
8.3.2 cos-queue weighted 85
8.3.3 cos-queue max-bandwidth 85
8.3.4 cos-queue min-bandwidth 86
8.4 show 87
8.4.1 show classofservice ip-dscp-mapping 87
8.4.2 show classofservice dot1p-mapping 87
8.4.3 show classofservice trust 87
8.4.4 show cos-queue 88
10 Clock 95
10.1 clock 96
10.1.1 clock set 96
10.1.2 clock timezone offset 96
10.1.3 clock timezone zone 96
10.1.4 clock summer-time mode 97
10.1.5 clock summer-time recurring start 97
10.1.6 clock summer-time recurring end 98
10.1.7 clock summer-time zone 98
10.2 show 99
10.2.1 show clock 99
11 Configuration 101
11.1 save 102
11.1.1 save profile 102
11.2 config 103
11.2.1 config watchdog admin-state 103
11.2.2 config watchdog timeout 103
11.2.3 config encryption password set 104
11.2.4 config encryption password clear 104
11.2.5 config envm choose-active 104
11.2.6 config envm log-device 105
11.2.7 config envm auto-update 105
11.2.8 config envm sshkey-auto-update 105
11.2.9 config envm config-save 106
11.2.10 config envm load-priority 106
11.2.11 config profile select 107
11.2.12 config profile delete 107
11.2.13 config fingerprint verify 107
11.3 copy 108
11.3.1 copy sysinfo system envm 108
11.3.2 copy sysinfoall system envm 108
11.3.3 copy firmware envm 108
11.3.4 copy firmware remote 109
11.3.5 copy config running-config nvm 109
11.3.6 copy config running-config remote 109
11.3.7 copy config nvm 110
11.3.8 copy config envm 110
11.3.9 copy config remote 110
11.3.10 copy sfp-white-list remote 111
11.3.11 copy sfp-white-list envm 111
11.4 clear 112
11.4.1 clear config 112
11.4.2 clear factory 112
11.4.3 clear sfp-white-list 112
11.5 show 113
11.5.1 show running-config xml 113
11.5.2 show running-config script 113
11.6 show 114
11.6.1 show config envm settings 114
11.6.2 show config envm properties 114
11.6.3 show config envm active 114
13 Debugging 131
13.1 debug 132
13.1.1 debug tcpdump help 132
13.1.2 debug tcpdump start cpu 132
13.1.3 debug tcpdump stop 132
13.1.4 debug tcpdump filter show 133
13.1.5 debug tcpdump filter list 133
13.1.6 debug tcpdump filter delete 133
13.2 show 134
13.2.1 show debug logic-modules 134
13.3 copy 135
13.3.1 copy tcpdumpcap nvm envm 135
13.3.2 copy tcpdumpcap nvm remote 135
13.3.3 copy tcpdumpfilter remote 135
13.3.4 copy tcpdumpfilter envm 136
13.3.5 copy tcpdumpfilter nvm 136
24 Ethernet IP 261
24.1 ethernet-ip 262
24.1.1 ethernet-ip operation 262
24.1.2 ethernet-ip write-access 262
24.2 show 263
24.2.1 show ethernet-ip 263
24.3 copy 264
24.3.1 copy eds-ethernet-ip system remote 264
24.3.2 copy eds-ethernet-ip system envm 264
26 GARP VLAN and Multicast Registration Protocol (GVRP and GMRP) 273
26.1 garp 274
26.1.1 garp gvrp operation 274
26.1.2 garp gmrp operation 274
26.1.3 garp gmrp forward-unknown 275
26.2 garp 276
26.2.1 garp interface join-time 276
26.2.2 garp interface leave-time 276
26.2.3 garp interface leave-all-time 277
26.2.4 garp gvrp operation 277
26.2.5 garp gmrp operation 277
26.2.6 garp gmrp forward-all-groups 278
26.3 show 279
26.3.1 show garp interface 279
26.3.2 show garp gvrp global 279
26.3.3 show garp gvrp interface 279
26.3.4 show garp gvrp statistics interface 280
26.3.5 show garp gmrp global 280
26.3.6 show garp gmrp interface 280
26.3.7 show garp gmrp statistics interface 280
26.4 show 281
26.4.1 show mac-filter-table gmrp 281
27 HiDiscovery 283
27.1 network 284
27.1.1 network hidiscovery operation 284
27.1.2 network hidiscovery mode 284
27.1.3 network hidiscovery blinking 285
27.1.4 network hidiscovery relay 285
27.2 show 286
27.2.1 show network hidiscovery 286
28 HIPER-Ring 287
28.1 hiper-ring 288
28.1.1 hiper-ring operation 288
28.1.2 hiper-ring mode 288
28.1.3 hiper-ring primary-port 289
28.1.4 hiper-ring secondary-port 289
28.2 show 290
28.2.1 show hiper-ring global 290
36 Interface 335
36.1 shutdown 336
36.1.1 shutdown 336
36.2 auto-negotiate 337
36.2.1 auto-negotiate 337
36.3 auto-power-down 338
36.3.1 auto-power-down 338
36.4 cable-crossing 339
36.4.1 cable-crossing 339
36.5 linktraps 340
36.5.1 linktraps 340
36.6 link-loss-alert 341
36.6.1 link-loss-alert operation 341
36.7 speed 342
36.7.1 speed 342
36.8 name 343
36.8.1 name 343
36.9 power-state 344
36.9.1 power-state 344
36.10 mac-filter 345
36.10.1 mac-filter 345
36.11 led-signaling 346
36.11.1 led-signaling operation 346
36.12 show 347
36.12.1 show port 347
36.13 show 348
36.13.1 show link-loss-alert 348
36.14 show 349
36.14.1 show led-signaling operation 349
38 Intern 357
38.1 help 358
38.2 logout 359
38.3 history 360
38.4 vlan-mode 361
38.4.1 vlan-mode 361
38.5 exit 362
38.6 end 363
38.7 serviceshell 364
38.7.1 serviceshell deactivate 364
38.8 serviceshell-f 365
38.8.1 serviceshell-f deactivate 365
38.9 traceroute 366
38.9.1 traceroute maxttl 366
38.10 traceroute 367
38.10.1 traceroute source 367
38.11 reboot 368
38.11.1 reboot after 368
38.12 ping 369
38.12.1 ping 369
38.13 ping 370
38.13.1 ping source 370
38.14 show 371
38.14.1 show reboot 371
38.14.2 show serviceshell 371
48 Logging 447
48.1 logging 448
48.1.1 logging audit-trail 448
48.1.2 logging buffered severity 448
48.1.3 logging host add 449
48.1.4 logging host delete 449
48.1.5 logging host enable 450
48.1.6 logging host disable 450
48.1.7 logging host modify 450
48.1.8 logging syslog operation 451
48.1.9 logging current-console operation 451
48.1.10 logging current-console severity 452
48.1.11 logging console operation 452
48.1.12 logging console severity 453
48.1.13 logging persistent operation 453
48.1.14 logging persistent numfiles 454
48.1.15 logging persistent filesize 454
48.1.16 logging persistent severity-level 454
48.1.17 logging email operation 455
48.1.18 logging email from-addr 455
48.1.19 logging email duration 456
48.1.20 logging email severity urgent 456
48.1.21 logging email severity non-urgent 457
52 Modbus 487
52.1 modbus-tcp 488
52.1.1 modbus-tcp operation 488
52.1.2 modbus-tcp write-access 488
52.1.3 modbus-tcp port 489
52.1.4 modbus-tcp max-sessions 489
52.2 show 490
52.2.1 show modbus-tcp 490
62 Profinet IO 555
62.1 profinet 556
62.1.1 profinet operation 556
62.1.2 profinet name-of-station 556
62.2 profinet 557
62.2.1 profinet dcp-mode 557
62.3 copy 558
62.3.1 copy gsdml-profinet system remote 558
62.3.2 copy gsdml-profinet system envm 558
62.4 show 559
62.4.1 show profinet global 559
62.4.2 show profinet port 559
65 Radius 581
65.1 authorization 582
65.1.1 authorization network radius 582
65.2 radius 583
65.2.1 radius accounting mode 583
65.2.2 radius server attribute 4 583
65.2.3 radius server acct add 584
65.2.4 radius server acct delete 584
65.2.5 radius server acct modify 584
65.2.6 radius server auth add 585
65.2.7 radius server auth delete 585
65.2.8 radius server auth modify 586
65.2.9 radius server retransmit 586
65.2.10 radius server timeout 587
65.3 show 588
65.3.1 show radius global 588
65.3.2 show radius auth servers 588
65.3.3 show radius auth statistics 588
65.3.4 show radius acct statistics 589
65.3.5 show radius acct servers 589
65.4 clear 590
65.4.1 clear radius 590
70 Selftest 621
70.1 selftest 622
70.1.1 selftest action 622
70.1.2 selftest ramtest 622
70.1.3 selftest system-monitor 623
70.1.4 selftest boot-default-on-error 623
70.2 show 624
70.2.1 show selftest action 624
70.2.2 show selftest settings 624
71 sFlow 625
71.1 sflow 626
71.1.1 sflow receiver 626
71.2 sflow 627
71.2.1 sflow poller receiver 627
71.2.2 sflow poller interval 627
71.2.3 sflow sampler receiver 627
71.2.4 sflow sampler rate 628
74 Slot 641
74.1 slot 642
74.1.1 slot operation 642
74.1.2 slot module 642
74.2 show 643
74.2.1 show slot 643
84 System 709
84.1 system 710
84.1.1 system name 710
84.1.2 system location 710
84.1.3 system contact 710
84.1.4 system port-led-mode 711
84.1.5 system pre-login-banner operation 711
84.1.6 system pre-login-banner text 712
84.1.7 system resources operation 712
84.2 temperature 713
84.2.1 temperature upper-limit 713
84.2.2 temperature lower-limit 713
84.3 show 714
84.3.1 show eventlog 714
84.3.2 show system info 714
84.3.3 show system port-led-mode 714
84.3.4 show system pre-login-banner 715
84.3.5 show system flash-status 715
84.3.6 show system temperature limits 715
84.3.7 show system temperature extremes 715
84.3.8 show system temperature histogram 716
84.3.9 show system temperature counters 716
84.3.10 show system resources 716
84.3.11 show psu slot 716
84.3.12 show psu unit 717
85 Telnet 719
85.1 telnet 720
85.1.1 telnet server 720
85.1.2 telnet timeout 720
85.1.3 telnet port 721
85.1.4 telnet max-sessions 721
85.2 telnet 722
85.2.1 telnet 722
85.3 show 723
85.3.1 show telnet 723
87 Traps 729
87.1 snmp 730
87.1.1 snmp trap operation 730
87.1.2 snmp trap mode 730
89 Users 735
89.1 users 736
89.1.1 users add 736
89.1.2 users delete 736
89.1.3 users enable 736
89.1.4 users disable 737
89.1.5 users password 737
89.1.6 users snmpv3 authentication 737
89.1.7 users snmpv3 encryption 738
89.1.8 users access-role 738
89.1.9 users lock-status 738
89.1.10 users password-policy-check 739
89.2 show 740
89.2.1 show users 740
Safety instructions
WARNING
UNCONTROLLED MACHINE ACTIONS
To avoid uncontrolled machine actions caused by data loss, configure all the data transmission
devices individually.
Before you start any machine which is controlled via data transmission, be sure to complete the
configuration of all data transmission devices.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
The “Command Line Interface” reference manual contains detailed information on using the Command
Line Interface to operate the individual functions of the device.
The “GUI” reference manual contains detailed information on using the graphical interface to operate
the individual functions of the device.
The “Installation” user manual contains a device description, safety instructions, a description of the
display, and the other information that you need to install the device.
The “Basic Configuration” user manual contains the information you need to start operating the device.
It takes you step by step from the first startup operation through to the basic settings for operation in
your environment.
The “Redundancy Configuration” user manual contains the information you require to select the
suitable redundancy procedure and configure it.
The document “HiView User Manual” contains information about the GUI application HiView. This
application offers you the possibility to use the graphical user interface without other applications such
as a Web browser or an installed Java Runtime Environment (JRE).
The Industrial HiVision Network Management software provides you with additional options for smooth
configuration and monitoring:
ActiveX control for SCADA integration
Auto-topology discovery
Browser interface
Client/server structure
Event handling
Event log
Simultaneous configuration of multiple devices
Graphical user interface with network layout
SNMP/OPC gateway
1 Command reference
2.1 address-conflict
no address-conflict operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no address-conflict operation
no address-conflict detection-ongoing
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no address-conflict detection-ongoing
no address-conflict trap-status
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no address-conflict trap-status
2.2 mac-address-conflict
Enable/Disable sending a trap if a packet with the MAC of this device is detected in the network.
no mac-address-conflict operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no mac-address-conflict operation
2.3 show
3.1 mac
3.2 mac
3.3 ip
Set IP parameters.
no ip access-group name
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip access-group name <P-1> vlan [sequence]
no ip access-group del
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip access-group del <P-1> vlan [sequence]
3.4 ip
IP interface commands.
no ip access-group name
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip access-group name <P-1> <P-2> [sequence]
no ip access-group del
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip access-group del <P-1> <P-2> [sequence]
3.5 show
4 Application Lists
4.1 appllists
4.2 show
5 Authentication Lists
5.1 authlists
5.2 show
6 Auto Disable
6.1 auto-disable
no auto-disable reason
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no auto-disable reason <P-1>
6.2 auto-disable
no auto-disable reset
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no auto-disable reset [<P-1>]
6.3 show
7 Cabletest
7.1 cable-test
7.1.1 cable-test
Select port on which to perform the cable test.
Mode: Privileged Exec Mode
Privilege Level: Operator
Format: cable-test <P-1>
Parameter Value Meaning
P-1 slot no./port no.
8 Class Of Service
8.1 classofservice
8.2 classofservice
8.3 cos-queue
8.4 show
9.1 cli
9.2 show
9.3 logging
Logging configuration.
no logging cli-command
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no logging cli-command
9.4 show
10 Clock
10.1 clock
10.2 show
11 Configuration
11.1 save
11.2 config
11.3 copy
11.4 clear
11.5 show
11.6 show
11.7 swap
12.1 ip
Set IP parameters.
no ip arp-inspection verify ip
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip arp-inspection verify ip
12.2 clear
12.3 ip
IP commands.
no ip arp-inspection mode
Disable the option
Mode: VLAN Database Mode
Privilege Level: Operator
Format: no ip arp-inspection mode <P-1>
no ip arp-inspection log
Disable the option
Mode: VLAN Database Mode
Privilege Level: Operator
Format: no ip arp-inspection log <P-1>
no ip arp-inspection bind-check
Disable the option
Mode: VLAN Database Mode
Privilege Level: Operator
Format: no ip arp-inspection bind-check <P-1>
12.4 ip
IP interface commands.
no ip arp-inspection trust
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip arp-inspection trust
no ip arp-inspection auto-disable
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip arp-inspection auto-disable
12.5 show
13 Debugging
13.1 debug
13.2 show
13.3 copy
14 Device Monitoring
14.1 device-status
no device-status trap
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no device-status trap
no device-status module
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no device-status module <P-1>
14.2 device-status
no device-status link-alarm
Disable the option
Mode: Interface Range Mode
Privilege Level: Administrator
Format: no device-status link-alarm
14.3 show
15 Device Security
15.1 security-status
no security-status trap
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no security-status trap
15.2 security-status
no security-status no-link
Disable the option
Mode: Interface Range Mode
Privilege Level: Administrator
Format: no security-status no-link
15.3 show
16.1 dhcp-server
no dhcp-server operation
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no dhcp-server operation
16.2 dhcp-server
no dhcp-server operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no dhcp-server operation
16.3 show
17.1 dhcp-l2relay
no dhcp-l2relay mode
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no dhcp-l2relay mode
17.2 dhcp-l2relay
no dhcp-l2relay mode
Disable the option
Mode: VLAN Database Mode
Privilege Level: Operator
Format: no dhcp-l2relay mode
no dhcp-l2relay circuit-id
Disable the option
Mode: VLAN Database Mode
Privilege Level: Operator
Format: no dhcp-l2relay circuit-id <P-1>
17.3 dhcp-l2relay
no dhcp-l2relay mode
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no dhcp-l2relay mode
no dhcp-l2relay trust
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no dhcp-l2relay trust
17.4 clear
17.5 show
18 DHCP Snooping
18.1 ip
Set IP parameters.
no ip dhcp-snooping verify-mac
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip dhcp-snooping verify-mac
no ip dhcp-snooping mode
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip dhcp-snooping mode
18.2 clear
18.3 ip
IP commands.
no ip dhcp-snooping mode
Disable the option
Mode: VLAN Database Mode
Privilege Level: Operator
Format: no ip dhcp-snooping mode <P-1>
18.4 ip
IP interface commands.
no ip dhcp-snooping trust
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip dhcp-snooping trust
no ip dhcp-snooping log
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip dhcp-snooping log
no ip dhcp-snooping auto-disable
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip dhcp-snooping auto-disable
18.5 show
19.1 diffserv
19.2 class-map
19.3 policy-map
*){drop | set-cos-as-sec-cos | set-cos-transmit <0..7> | set-dscp-transmit <af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|be|cs0|cs1|cs2|cs3|cs4|cs5|cs6|cs7|ef> | set-prec-transmit <0..7> | set-sec-cos-transmit <0..7> | transmit}
19.4 service-policy
19.5 service-policy
19.6 show
20.1 dns
20.2 show
21 DoS Mitigation
21.1 dos
no dos tcp-null
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no dos tcp-null
no dos tcp-xmas
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no dos tcp-xmas
no dos tcp-syn-fin
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no dos tcp-syn-fin
no dos tcp-min-header
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no dos tcp-min-header
no dos icmp-fragmented
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no dos icmp-fragmented
no dos tcp-offset
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no dos tcp-offset
no dos tcp-syn
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no dos tcp-syn
no dos l4-port
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no dos l4-port
no dos icmp-smurf-attack
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no dos icmp-smurf-attack
21.2 show
22.1 dot1x
no dot1x dynamic-vlan
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no dot1x dynamic-vlan
no dot1x system-auth-control
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no dot1x system-auth-control
no dot1x monitor
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no dot1x monitor
22.2 dot1x
no dot1x mac-auth-bypass
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no dot1x mac-auth-bypass
no dot1x re-authentication
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no dot1x re-authentication
no dot1x initialize
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no dot1x initialize
no dot1x re-authenticate
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no dot1x re-authenticate
22.3 show
22.4 clear
23.1 link-aggregation
Configure 802.3ad link aggregation parameters to increase bandwidth and provide redundancy by
combining connections.
no link-aggregation modify
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no link-aggregation modify <P-1> name addport deleteport adminmode
linktrap static hashmode min-links
23.2 lacp
no lacp lacpmode
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no lacp lacpmode
23.3 show
24 Ethernet IP
24.1 ethernet-ip
Enable or disable the EtherNet/IP operation on this device. If disabled, the EtherNet/IP protocol is
deactivated, but the EtherNet/IP MIBs can be accessed.
no ethernet-ip operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ethernet-ip operation
no ethernet-ip write-access
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ethernet-ip write-access
24.2 show
24.3 copy
25.1 mac-filter
25.1.1 mac-filter
Static MAC filter configuration.
Mode: Global Config Mode
Privilege Level: Operator
Format: mac-filter <P-1> <P-2>
Parameter Value Meaning
P-1 aa:bb:cc:dd:ee:ff MAC address.
P-2 1..4042 Enter the VLAN ID.
no mac-filter
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no mac-filter <P-1> <P-2>
25.2 bridge
Bridge configuration.
25.3 show
25.4 show
25.5 show
25.6 clear
26.1 garp
Configure GARP protocols, GVRP for dynamic VLAN registration and GMRP for dynamic MAC
registration.
26.2 garp
Configure GARP parameters and protocols, GVRP for dynamic VLAN registration and GMRP for
dynamic MAC registration on a port.
26.3 show
26.4 show
27 HiDiscovery
27.1 network
27.2 show
28 HIPER-Ring
28.1 hiper-ring
no hiper-ring operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no hiper-ring operation
28.2 show
29.1 http
no http server
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no http server
29.2 show
30.1 https
no https server
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no https server
30.2 copy
30.3 show
31.1 ias-users
31.2 show
32.1 iec61850-mms
no iec61850-mms operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no iec61850-mms operation
no iec61850-mms write-access
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no iec61850-mms write-access
32.2 show
33.1 ip
Set IP parameters.
no ip igmp operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip igmp operation
33.2 ip
IP interface commands.
no ip igmp operation
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip igmp operation
33.3 show
34 IGMP Proxy
34.1 ip
Set IP parameters.
no ip igmp-proxy interface
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip igmp-proxy interface <P-1>
34.2 show
35 IGMP Snooping
35.1 igmp-snooping
no igmp-snooping mode
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no igmp-snooping mode
35.2 igmp-snooping
no igmp-snooping vlan-id
Disable the option
Mode: VLAN Database Mode
Privilege Level: Operator
Format: no igmp-snooping vlan-id <P-1> mode fast-leave groupmembership-
interval maxresponse mcrtrexpiretime querier mode address forward-known
forward-all <P-7> static-query-port <P-8> automatic-mode <P-9>
35.3 igmp-snooping
no igmp-snooping mode
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no igmp-snooping mode
no igmp-snooping fast-leave
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no igmp-snooping fast-leave
no igmp-snooping static-query-port
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no igmp-snooping static-query-port
35.4 show
35.5 show
35.6 clear
36 Interface
36.1 shutdown
36.1.1 shutdown
Enable or disable the interface.
Mode: Interface Range Mode
Privilege Level: Operator
Format: shutdown
no shutdown
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no shutdown
36.2 auto-negotiate
36.2.1 auto-negotiate
Enable or disable automatic negotiation on the interface. The cable crossing settings have no effect if
auto-negotiation is enabled. In this case cable crossing is always set to auto. Cable crossing is set to
the value chosen by the user if auto-negotiation is disabled.
Mode: Interface Range Mode
Privilege Level: Operator
Format: auto-negotiate
no auto-negotiate
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no auto-negotiate
36.3 auto-power-down
36.3.1 auto-power-down
Set the auto-power-down mode on the interface.
Mode: Interface Range Mode
Privilege Level: Operator
Format: auto-power-down <P-1>
Parameter Value Meaning
P-1 auto-power-save The port goes into a low-power mode.
no-power-save The port does not use the automatic power save mode.
36.4 cable-crossing
36.4.1 cable-crossing
Cable crossing settings on the interface. The cable crossing settings have no effect if auto-negotiation
is enabled. In this case cable crossing is always set to auto. Cable crossing is set to the value chosen
by the user if auto-negotiation is disabled.
Mode: Interface Range Mode
Privilege Level: Operator
Format: cable-crossing <P-1>
Parameter Value Meaning
P-1 mdi The port does not use the crossover mode.
mdix The port uses the crossover mode.
auto-mdix The port uses the auto crossover mode.
36.5 linktraps
36.5.1 linktraps
Enable/disable link up/down traps on the interface.
Mode: Interface Range Mode
Privilege Level: Operator
Format: linktraps
no linktraps
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no linktraps
36.6 link-loss-alert
no link-loss-alert operation
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no link-loss-alert operation
36.7 speed
36.7.1 speed
Sets the speed and duplex setting for the interface.
Mode: Interface Range Mode
Privilege Level: Operator
Format: speed <P-1> [<P-2>]
Parameter Value Meaning
P-1 10 10 MBit/s.
100 100 MBit/s.
1000 1000 MBit/s.
P-2 full Full duplex.
half Half duplex.
36.8 name
36.8.1 name
Set or remove a descriptive name for the interface.
Mode: Interface Range Mode
Privilege Level: Operator
Format: name <P-1>
Parameter Value Meaning
P-1 string Enter a user-defined text, max. 64 characters.
36.9 power-state
36.9.1 power-state
Enable or disable the power state on the interface. The interface power state settings have no effect if
the interface admin state is enabled.
Mode: Interface Range Mode
Privilege Level: Operator
Format: power-state
no power-state
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no power-state
36.10 mac-filter
36.10.1 mac-filter
Static MAC filter configuration.
Mode: Interface Range Mode
Privilege Level: Operator
Format: mac-filter <P-1> <P-2>
Parameter Value Meaning
P-1 aa:bb:cc:dd:ee:ff MAC address.
P-2 1..4042 Enter the VLAN ID.
no mac-filter
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no mac-filter <P-1> <P-2>
36.11 led-signaling
no led-signaling operation
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no led-signaling operation
36.12 show
36.13 show
36.14 show
37 Interface Statistics
37.1 utilization
37.2 clear
37.3 show
38 Intern
38.1 help
38.2 logout
38.3 history
38.4 vlan-mode
38.4.1 vlan-mode
Enter VLAN Configuration Mode.
Mode: Global Config Mode
Privilege Level: Operator
Format: vlan-mode <P-1>
Parameter Value Meaning
P-1 all Select all configured VLANs.
vlan Enter a single VLAN.
vlan range Enter a VLAN range separated by a hyphen, e.g. 1-4.
vlan list Enter a VLAN list separated by commas, e.g. 2,4,6,... .
complex range Enter VLAN ranges and several single VLANs, separated by commas for a list and hyphens for ranges, e.g. 2-4,6-9,11.
38.5 exit
38.6 end
38.7 serviceshell
38.8 serviceshell-f
38.9 traceroute
38.10 traceroute
38.11 reboot
38.12 ping
38.12.1 ping
Send ICMP echo packets to a specified IP address.
Mode: Command is available in all modes.
Privilege Level: Guest
Format: ping <P-1>
Parameter Value Meaning
P-1 string Hostname or IP address.
38.13 ping
38.14 show
39.1 ip
Set IP parameters.
key-id: Configure the authentication key-id for md5 authentication. This field identifies the algorithm
and secret key used to create the message digest appended to the OSPF packet.
hello-interval: Configure the OSPF hello-interval for the virtual link, in seconds. The hello timer
controls the time interval between sending two consecutive hello packets. Set this value to the same
hello-interval value as the virtual neighbors.
dead-interval: Configure the OSPF dead-interval for the virtual link, in seconds. If the timer expires
without the router receiving hello packets from a virtual neighbor, the router declares the neighbor router
as down. Set the timer to at least four times the value of the hello-interval.
transmit-delay: Configure the OSPF transmit-delay for the virtual link, in seconds. Transmit delay
is the time that you estimate it takes to transmit a link-state update packet over the virtual link.
retransmit-interval: Configure the OSPF retransmit-interval for the virtual link, in seconds. The
retransmit interval is the time between two consecutive link-state advertisement transmissions. Link-
state advertisements contain such information as database descriptions and link-state request packets
for adjacencies belonging to the virtual link.
nssa: Configure an NSSA (Not-So-Stubby Area).
add: Add a NSSA.
delete: Delete a NSSA.
modify: Modify the parameters of a NSSA.
translator: Configure the NSSA translator related parameters.
role: Configure the NSSA translator role.
stability-interval: Configure the translator stability interval for the NSSA, in seconds.
summary: Configure the import summary for the specified NSSA.
no-redistribute: Configure route redistribution for the specified NSSA.
default-info: Configure the nssa default information origination parameters.
originate: Configure whether a Type-7 LSA should be originated into the NSSA.
[metric]: Configure the metric for the NSSA.
[metric-type]: Configure the metric type for default information.
Parameter Value Meaning
P-1 A.B.C.D IP address.
P-2 summary-link Configure summary links LSDB type optional mode.
nssa-external-link Configure nssa external link LSDB type optional mode.
P-3 A.B.C.D IP address.
P-4 a.b.c.d IP subnet mask.
P-5 summary-link Configure summary links LSDB type optional mode.
nssa-external-link Configure nssa external link LSDB type optional mode.
P-6 A.B.C.D IP address.
P-7 a.b.c.d IP subnet mask.
P-8 advertise Set as advertise.
do-not-advertise Set as do-not-advertise.
P-9 summary-link Configure summary links LSDB type optional mode.
nssa-external-link Configure nssa external link LSDB type optional mode.
P-10 A.B.C.D IP address.
P-11 a.b.c.d IP subnet mask.
P-12 0 Configure the TOS (0 is for Normal Service).
P-13 0 Configure the TOS (0 is for Normal Service).
P-14 no-area-summary Disable the router from sending area link state advertisement summaries.
send-area-summary Enable the router to send area link state advertisement summaries. The router floods LSAs within the area using multicast. Every topology change starts a new flood of LSAs.
P-15 0..16777215 Configure the default cost.
P-16 0 Configure the TOS (0 is for Normal Service).
P-17 A.B.C.D IP address.
P-18 A.B.C.D IP address.
P-19 A.B.C.D IP address.
no ip ospf area
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip ospf area <P-1> range add modify delete add delete stub add
modify summarylsa default-cost delete virtual-link add delete modify
authentication type key key-id hello-interval dead-interval transmit-
delay retransmit-interval nssa add delete modify translator role
stability-interval summary no-redistribute default-info originate
[metric] [metric-type]
no ip ospf operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip ospf operation
no ip ospf 1583compatability
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip ospf 1583compatability
no ip ospf default-metric
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip ospf default-metric <P-1>
no ip ospf re-distribute
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip ospf re-distribute <P-1> [metric] [metric-type] [tag] [subnets]
no ip ospf distribute-list
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip ospf distribute-list <P-1> <P-2> <P-3>
39.2 ip
IP interface commands.
no ip ospf operation
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip ospf operation
no ip ospf mtu-ignore
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip ospf mtu-ignore
39.3 show
40.1 ip
Set IP parameters.
40.2 clear
40.3 ip
IP interface commands.
no ip source-guard mode
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip source-guard mode
40.4 show
41 IP Subnet VLAN
41.1 vlan
41.2 show
42.1 network
42.2 clear
42.3 show
42.4 show
43 Ring Coupling
43.1 ring-coupling
43.2 show
44 License Manager
44.1 license
44.2 show
45 Link Backup
45.1 link-backup
no link-backup operation
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no link-backup operation
45.2 link-backup
45.3 show
46.1 lldp
no lldp operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no lldp operation
46.2 show
46.3 lldp
no lldp notification
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no lldp notification
47.1 lldp
47.2 lldp
47.3 show
48 Logging
48.1 logging
Logging configuration.
48.2 show
48.3 copy
48.4 clear
49 MAC Notification
49.1 mac
49.2 mac
49.3 show
50 MAC VLAN
50.1 vlan
50.2 show
51 Management Access
51.1 network
51.2 show
52 Modbus
52.1 modbus-tcp
no modbus-tcp operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no modbus-tcp operation
no modbus-tcp write-access
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no modbus-tcp write-access
52.2 show
53.1 mrp
no mrp operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no mrp operation
53.2 show
54 MRP IEEE
54.1 mrp-ieee
Configure IEEE MRP parameters and protocols, MVRP for dynamic VLAN registration and MMRP for
dynamic MAC registration on a port.
54.2 show
55.1 mrp-ieee
55.2 show
55.3 mrp-ieee
Configure IEEE MRP protocols, MVRP for dynamic VLAN registration and MMRP for dynamic MAC
registration.
55.4 clear
55.5 mrp-ieee
Configure IEEE MRP parameters and protocols, MVRP for dynamic VLAN registration and MMRP for
dynamic MAC registration on a port.
55.6 show
56.1 mrp-ieee
Configure IEEE MRP protocols, MVRP for dynamic VLAN registration and MMRP for dynamic MAC
registration.
56.2 mrp-ieee
Configure IEEE MRP parameters and protocols, MVRP for dynamic VLAN registration and MMRP for
dynamic MAC registration on a port.
56.3 show
56.4 clear
57 Out-of-band Management
57.1 network
57.2 show
58.1 vlan
58.2 vlan
58.3 show
59.1 inlinepower
no inlinepower operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no inlinepower operation
no inlinepower slot
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no inlinepower slot budget threshold trap
no inlinepower trap
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no inlinepower trap
59.2 inlinepower
no inlinepower allowed-classes
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no inlinepower allowed-classes <P-1>
no inlinepower auto-shutdown-timer
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no inlinepower auto-shutdown-timer
no inlinepower operation
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no inlinepower operation
no inlinepower fast-startup
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no inlinepower fast-startup
59.3 show
60 Port Monitor
60.1 port-monitor
no port-monitor operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no port-monitor operation
60.2 port-monitor
no port-monitor reset
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no port-monitor reset [<P-1>]
60.3 show
61 Port Security
61.1 port-security
no port-security operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no port-security operation
61.2 port-security
no port-security operation
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no port-security operation
no port-security violation-traps
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no port-security violation-traps operation [frequency]
61.3 show
62 Profinet IO
62.1 profinet
no profinet operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no profinet operation
62.2 profinet
62.3 copy
62.4 show
63.1 ptp
no ptp operation
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no ptp operation
no ptp management
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no ptp management
63.2 ptp
63.3 show
64 Password Management
64.1 passwords
64.2 show
65 Radius
65.1 authorization
65.2 radius
65.3 show
65.4 clear
66.1 redundant-coupling
no redundant-coupling operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no redundant-coupling operation
66.2 show
67 Remote Authentication
67.1 ldap
no ldap operation
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no ldap operation
67.2 show
67.3 copy
68.1 rmon-alarm
68.2 show
69 Script File
69.1 script
69.2 copy
69.3 show
70 Selftest
70.1 selftest
no selftest ramtest
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no selftest ramtest
no selftest system-monitor
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no selftest system-monitor
no selftest boot-default-on-error
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no selftest boot-default-on-error
70.2 show
71 sFlow
71.1 sflow
Configure sFlow
71.2 sflow
71.3 show
72.1 show
73 Signal Contact
73.1 signal-contact
no signal-contact trap
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no signal-contact <P-1> trap
no signal-contact module
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no signal-contact <P-1> module <P-2>
73.2 signal-contact
no signal-contact link-alarm
Disable the option
Mode: Interface Range Mode
Privilege Level: Administrator
Format: no signal-contact <P-1> link-alarm
73.3 show
74 Slot
74.1 slot
no slot operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no slot <P-1> operation
74.2 show
75.1 monitor
no monitor session
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no monitor session <P-1> destination interface remote vlan source interface <P-4> direction operation vlan remote vlan mode
75.2 rspan-vlan
75.2.1 rspan-vlan
Set the VLAN used by RSPAN. The VLAN must already be created.
Mode: VLAN Database Mode
Privilege Level: Operator
Format: rspan-vlan <P-1>
Parameter Value Meaning
P-1 integer VLAN Mirror Remote VLAN ID List.
75.3 show
75.4 clear
76.1 snmp
76.2 show
77 SNMP Community
77.1 snmp
77.2 show
78 SNMP Logging
78.1 logging
Logging configuration.
78.2 show
79.1 sntp
79.2 show
80 Spanning Tree
80.1 spanning-tree
no spanning-tree operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no spanning-tree operation
no spanning-tree bpdu-filter
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no spanning-tree bpdu-filter
no spanning-tree bpdu-guard
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no spanning-tree bpdu-guard
80.2 spanning-tree
no spanning-tree mode
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no spanning-tree mode
no spanning-tree bpdu-flood
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no spanning-tree bpdu-flood
no spanning-tree edge-auto
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no spanning-tree edge-auto
no spanning-tree edge-port
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no spanning-tree edge-port
no spanning-tree guard-loop
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no spanning-tree guard-loop
no spanning-tree guard-root
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no spanning-tree guard-root
no spanning-tree guard-tcn
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no spanning-tree guard-tcn
80.3 show
81 Subring Management
81.1 sub-ring
no sub-ring operation
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no sub-ring operation
81.2 show
82.1 ssh
no ssh server
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no ssh server
82.2 copy
82.3 show
83 Storm Control
83.1 storm-control
no storm-control flow-control
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no storm-control flow-control
83.2 traffic-shape
83.2.1 traffic-shape bw
Set threshold value
Mode: Interface Range Mode
Privilege Level: Operator
Format: traffic-shape bw <P-1>
Parameter Value Meaning
P-1 0..100 Enter a number in the given range.
83.3 mtu
83.3.1 mtu
Set the MTU size (without VLAN tag size, because the VLAN tag is ignored for size calculation).
Mode: Interface Range Mode
Privilege Level: Operator
Format: mtu <P-1>
Parameter Value Meaning
P-1 1518..12288 Enter a number in the given range.
83.4 mtu
83.4.1 mtu
Set the MTU size (without VLAN tag size, because the VLAN tag is ignored for size calculation).
Mode: Interface Range Mode
Privilege Level: Operator
Format: mtu <P-1>
Parameter Value Meaning
P-1 1518..12288 Enter a number in the given range.
83.5 storm-control
no storm-control flow-control
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no storm-control flow-control
83.6 show
84 System
84.1 system
Set system related values e.g. name of the device, location of the device, contact data for the person
responsible for the device, and pre-login banner text.
84.2 temperature
Configure the upper and lower temperature limits of the device. The device allows you to set the
threshold as an integer from -99 through 99. You configure the temperatures in degrees Celsius.
84.3 show
85 Telnet
85.1 telnet
no telnet server
Disable the option
Mode: Global Config Mode
Privilege Level: Administrator
Format: no telnet server
85.2 telnet
85.2.1 telnet
Establish a telnet connection to a remote host.
Mode: "User Mode" and "Privileged Exec Mode"
Privilege Level: Guest
Format: telnet <P-1> [<P-2>] [<P-3>] [<P-4>] [<P-5>]
Parameter Value Meaning
P-1 string Hostname or IP address.
P-2 1..65535 Enter a port number between 1 and 65535.
P-3 debug Display the current Telnet options.
P-4 line Set the outbound Telnet operational mode as linemode (only takes effect for the serial connection).
P-5 echo Enable local echo (only takes effect for the serial connection).
85.3 show
86 Time Range
86.1 time
no time range
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no time range <P-1> [absolute] [start] [end] [periodic] to [<P-12>] <P-13>
86.2 show
87 Traps
87.1 snmp
87.2 show
88 User Management
88.1 show
89 Users
89.1 users
89.2 show
90.1 name
90.1.1 name
Assign a name to a VLAN
Mode: VLAN Database Mode
Privilege Level: Operator
Format: name <P-1> <P-2>
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.
P-2 string Enter a user-defined text, max. 32 characters.
90.2 vlan-unaware-mode
90.2.1 vlan-unaware-mode
Enable or disable VLAN unaware mode.
Mode: VLAN Database Mode
Privilege Level: Operator
Format: vlan-unaware-mode
no vlan-unaware-mode
Disable the option
Mode: VLAN Database Mode
Privilege Level: Operator
Format: no vlan-unaware-mode
90.3 vlan
90.4 vlan
no vlan ingressfilter
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no vlan ingressfilter
no vlan tagging
Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no vlan tagging <P-1>
90.5 show
90.6 network
91 Voice VLAN
91.1 voice
no voice vlan
Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no voice vlan
91.2 voice
91.3 show
A Further Support
Technical Questions
For technical questions, please contact any Hirschmann dealer in your area or Hirschmann directly.
You will find the addresses of our partners on the Internet at
http://www.hirschmann.com
Contact our support at
https://hirschmann-support.belden.eu.com
With the Hirschmann Competence Center, you have decided against making any compromises. Our
client-customized package leaves you free to choose the service components you want to use.
Internet:
http://www.hicomcenter.com
Contents
Safety instructions
Key
Introduction
1 User interfaces
1.1 Graphical user interface
1.2 Command line interface
1.2.1 Preparing the data connection
1.2.2 CLI access using Telnet
1.2.3 CLI using SSH (Secure Shell)
1.2.4 CLI using the V.24 port
1.3 System monitor
1.3.1 Functional scope
1.3.2 Starting the System Monitor
11 VLANs
11.1 Examples of VLANs
11.1.1 Example 1
11.1.2 Example 2
11.2 Guest / Unauthenticated VLAN
11.3 RADIUS VLAN assignment
11.4 Creating a Voice VLAN
11.5 MAC based VLANs
11.6 IP subnet based VLANs
12 Redundancy
12.1 Network Topology vs. Redundancy Protocols
12.1.1 Network topologies
12.1.2 Redundancy Protocols
12.1.3 Combinations of Redundancies
12.2 Media Redundancy Protocol (MRP)
12.2.1 Network Structure
12.2.2 Reconfiguration time
12.2.3 Advanced mode
12.2.4 Prerequisites for MRP
12.2.5 Example Configuration
12.2.6 MRP over LAG
12.3 Spanning Tree
12.3.1 Basics
12.3.2 Rules for Creating the Tree Structure
12.3.3 Examples
12.3.4 The Rapid Spanning Tree Protocol
12.3.5 Configuring the device
12.3.6 Guards
12.3.7 Ring only mode
12.4 Link Aggregation
12.4.1 Methods of Operation
12.4.2 Link Aggregation Example
12.5 Link Backup
12.5.1 Fail Back Description
12.5.2 Example Configuration
12.6 HIPER Ring Client
12.6.1 VLANS on the HIPER Ring
12.6.2 HIPER Ring over LAG
12.7 FuseNet™
12.8 Subring
12.8.1 Subring description
12.8.2 Subring example
12.8.3 Subring example configuration
12.9 Subring with LAG
12.9.1 Example
12.10 Ring/Network Coupling
12.10.1 Methods of Ring/Network Coupling
12.10.2 Prepare the Ring/Network Coupling
12.11 RCP
12.11.1 Example Configuration
B Appendix
B.1 Literature references
B.2 Maintenance
B.3 Management Information Base (MIB)
B.4 List of RFCs
B.5 Underlying IEEE Standards
B.6 Underlying IEC Norms
B.7 Underlying ANSI Norms
B.8 Technical Data
B.9 Copyright of integrated Software
B.10 Abbreviations used
C Index
Safety instructions
WARNING
UNCONTROLLED MACHINE ACTIONS
To avoid uncontrolled machine actions caused by data loss, configure all the data transmission
devices individually.
Before you start any machine which is controlled via data transmission, be sure to complete the
configuration of all data transmission devices.
Failure to follow these instructions can result in death, serious injury, or equipment damage.
The “Configuration” user manual contains the information you need to start operating the device. It takes
you step by step from the first startup operation through to the basic settings for operation in your
environment.
The “Installation” user manual contains a device description, safety instructions, a description of the
display, and the other information that you need to install the device.
The “Graphical User Interface” reference manual contains detailed information on using the graphical
user interface to operate the individual functions of the device.
The “Command Line Interface” reference manual contains detailed information on using the Command
Line Interface to operate the individual functions of the device.
The Industrial HiVision Network Management software provides you with additional options for smooth
configuration and monitoring:
Auto-topology discovery
Browser interface
Client/server structure
Event handling
Event log
Simultaneous configuration of multiple devices
Graphical user interface with network layout
SNMP/OPC gateway
Key
List
Work step
Subheading
Link: Cross-reference with link
Note: A note emphasizes an important fact or draws your attention to a dependency.
Courier: ASCII representation in the graphical user interface
Introduction
The device has been developed for use in a harsh industrial environment. Accordingly, the installation
process has been kept simple. Thanks to the selected default settings, you only have to enter a few
settings before starting to operate the device.
1 User interfaces
The device allows you to specify the settings of the device using the following user interfaces.
User interface Can be reached through … Prerequisite
Graphical User Interface (GUI) Ethernet (In-Band) Web browser
Command Line Interface (CLI) Ethernet (In-Band) Terminal emulation software
V.24 (Out-of-Band)
System monitor V.24 (Out-of-Band) Terminal emulation software
Table 1: User interfaces for accessing the management of the device
System requirements
To open the graphical user interface, you need the desktop version of a Web browser with HTML5
and JavaScript support.
Note: Third-party software such as Web browsers validate certificates based on criteria such as their
expiration date and current cryptographic parameter recommendations. Old certificates can cause
errors, for example, when they expire or cryptographic recommendations change. Upload your own,
up-to-date certificate or regenerate the certificate with the latest firmware to solve validation conflicts
with third-party software.
The Command Line Interface enables you to use the functions of the device through a local or remote
connection.
The Command Line Interface provides IT specialists with a familiar environment for configuring IT
devices. As an experienced user or administrator, you have knowledge about the basics and about
using Hirschmann devices.
Note: Telnet is only installed as standard in Windows versions before Windows Vista.
Start the Command Prompt program on your computer.
Enter the command telnet <IP_address>.
In the Host Name (or IP address) field you enter the IP address of your device.
The IP address (a.b.c.d) consists of 4 decimal numbers with values from 0 to 255. The 4 decimal
numbers are separated by points.
To select the connection type, select the Telnet radio button in the Connection type range.
Click the Open button to set up the data connection to your device.
CLI appears on the screen with a window for entering the user name. The device enables up to 5
users to have access to the Command Line Interface at the same time.
User: admin
Password:*******
The device displays the CLI start screen with the command prompt:
(GRS) >
In the Host Name (or IP address) field you enter the IP address of your device.
The IP address (a.b.c.d) consists of 4 decimal numbers with values from 0 to 255. The 4 decimal
numbers are separated by points.
To specify the connection type, select the SSH radio button in the Connection type range.
After selecting and setting the required parameters, the device enables you to set up the data
connection using SSH.
Click the Open button to set up the data connection to your device. Depending on the device and the
time at which SSH was configured, setting up the connection takes up to a minute.
When you first login to your device, towards the end of the connection setup, the PuTTY program
displays a security alert message and gives you the option of checking the fingerprint of the key.
Note: For experienced network administrators, another way of accessing your device through SSH is by
using the OpenSSH suite. To set up the data connection, enter the following command:
ssh admin@10.149.112.53
admin is the user name.
10.149.112.53 is the IP address of your device.
CLI appears on the screen with a window for entering the user name. The device enables up to 5 users
to have access to the Command Line Interface at the same time.
login as: admin
admin@a.b.c.d's password:
Enter the user name. The default user name is admin. Press the <Enter> key.
Enter the password. The default password is private. Press the <Enter> key. The device offers the
possibility to change the user name and the password later in the Command Line Interface. These
entries are case-sensitive.
Note: This device is a security-relevant product. Change the password during the first startup
procedure.
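The security alert PuTTY shows on the first SSH connection is only useful if you actually compare the displayed fingerprint with a value obtained independently of the network path, for example read from the device over the V.24 console or supplied by the administrator who generated the key. The following added example (not code from the Hirschmann manual) computes the SHA256 and legacy MD5 fingerprints in the same format OpenSSH and PuTTY print them from an OpenSSH-style public key line and compares them with a fingerprint entered by hand. The sample key line is constructed for this example and is not a key from any real device.

```python
"""Verify an SSH host key fingerprint before trusting it (added example)."""
import base64
import hashlib
import struct
from typing import Tuple


def parse_openssh_pubkey(line: str) -> Tuple[str, bytes]:
    """Split a '<type> <base64-blob> [comment]' line into (type, raw blob).

    The blob is the SSH wire encoding: a 4-byte length, the type string, then
    the algorithm-specific fields. The type embedded in the blob must match
    the declared type; a mismatch means the line was damaged or tampered with.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (name_len,) = struct.unpack_from(">I", blob, 0)
    embedded = blob[4:4 + name_len].decode("ascii", errors="replace")
    if embedded != key_type:
        raise ValueError(f"key type mismatch: {key_type!r} vs {embedded!r}")
    return key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """'SHA256:' + base64(sha256(blob)) without '=' padding, as ssh-keygen -l prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """'MD5:' + 16 colon-separated hex bytes, the legacy format older clients show."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def _strip_prefix(fingerprint: str) -> Tuple[str, str]:
    """Return (algorithm, body); fingerprints are often copied without the prefix."""
    upper = fingerprint.upper()
    if upper.startswith("SHA256:"):
        return "SHA256", fingerprint[7:]
    if upper.startswith("MD5:"):
        return "MD5", fingerprint[4:].lower()
    # No prefix: the hex MD5 form contains colons, base64 never does.
    return ("MD5", fingerprint.lower()) if ":" in fingerprint else ("SHA256", fingerprint)


def fingerprint_matches(pubkey_line: str, expected: str) -> bool:
    """True if the fingerprint obtained out-of-band equals the one computed from
    the key the SSH client was offered. Base64 is case-sensitive, so SHA256
    bodies are compared exactly; the hex MD5 form is compared case-insensitively."""
    _, blob = parse_openssh_pubkey(pubkey_line)
    algo, body = _strip_prefix(expected.strip())
    computed = fingerprint_sha256(blob) if algo == "SHA256" else fingerprint_md5(blob)
    return _strip_prefix(computed)[1] == body


def constructed_sample_key() -> str:
    """An ssh-ed25519 public key line whose 32 key bytes are 0x00..0x1f.

    CONSTRUCTED for this example only; it is not a key from any real device.
    """
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed-sample"


if __name__ == "__main__":
    key_type, blob = parse_openssh_pubkey(constructed_sample_key())
    print(key_type, fingerprint_sha256(blob), fingerprint_md5(blob))
```

Compare the SHA256 form whenever the device or client offers it; the MD5 form is kept only because older terminal programs still display it.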
Connect the device to a terminal using V.24. Alternatively connect the device to a COM port of your
PC using terminal emulation based on VT100 and press any key.
Alternatively you set up the serial data connection to the device using V.24 with the PuTTY program.
Press the <Enter> key.
Figure 8: Serial data connection using V.24 with the PuTTY program
After the data connection has been set up successfully, the device displays a window for entering the
user name.
Enter the user name. The default user name is admin. Press the <Enter> key.
Enter the password. The default password is private. Press the <Enter> key. The device offers the
possibility to change the user name and the password later in the Command Line Interface. These
entries are case-sensitive.
The System Monitor allows you to set basic operating parameters before starting the operating system.
sysMon1>
When you install the device for the first time enter the IP parameters.
The device provides the following options for entering the IP parameters during the first installation:
Entry using the Command Line Interface.
You choose this “Out-of-Band” method if you preconfigure your device outside its operating
environment, or if you restore the network access (“In-Band”) to the device.
Entry using the HiDiscovery protocol.
You choose this “In-Band” method on a previously installed network device or if you have another
Ethernet connection between your PC and the device
Configuration using the external memory.
You choose this method if you are replacing a device with a device of the same type and have already
saved the configuration in the external memory.
Using BOOTP.
You choose this “In-Band” method to configure the installed device using BOOTP. You need a
BOOTP server for this method. The BOOTP server assigns the configuration data to the device using
its MAC address. The DHCP mode is the default mode for the configuration data reference.
Configuration using DHCP.
You choose this “In-Band” method to configure the installed device using DHCP. You need a DHCP
server for this method. The DHCP server assigns the configuration data to the device using its MAC
address or its system name.
Configuration using the graphical user interface.
If the device already has an IP address and is reachable using the network, then the graphical user
interface provides you with another option for configuring the IP parameters.
The leading part of an IP address is the network address. The worldwide leading regulatory board for
assigning network addresses is the IANA ("Internet Assigned Numbers Authority"). If you require an IP
address block, contact your Internet Service Provider (ISP). Your ISP contacts their local higher-level
organization to reserve an IP address block:
APNIC (Asia Pacific Network Information Center)
Asia/Pacific Region
ARIN (American Registry for Internet Numbers)
Americas and Sub-Sahara Africa
LACNIC (Regional Latin-American and Caribbean IP Address Registry)
Latin America and some Caribbean Islands
RIPE NCC (Réseaux IP Européens)
Europe and Surrounding Regions
An IP address belongs to class A when its first bit is a zero, that is, the first octet is less than 128.
An IP address belongs to class B when its first bit is a one and its second bit is a zero, that is, the
first octet is between 128 and 191.
An IP address belongs to class C when its first two bits are one, that is, the first octet is higher
than 191.
Assigning the host address (host ID) is the responsibility of the network operator. The network operator
alone is responsible for the uniqueness of the assigned IP addresses.
2.1.2 Netmask
Routers and gateways subdivide large networks into subnetworks. The netmask assigns the IP
addresses of the individual devices to a particular subnetwork.
You perform subnetwork division using the netmask in much the same way as the division of the network
addresses (net id) into classes A to C.
Set the bits of the host address (host id) that represent the mask to one. Set the remaining host address
bits to zero (see the following examples).
Example of a netmask for a class B network with two subnetwork mask bits:
Binary notation:  11111111.11111111.11000000.00000000
                  (the two leading bits of the third octet are the subnetwork mask bits)
Example of IP addresses with subnetwork assignment when applying this subnet mask:
Decimal notation: 129.218.65.17 (128 <= 129 <= 191, therefore class B)
Binary notation:  10000001.11011010.01000001.00010001
                  The first 16 bits are the class B network address; the subnetwork mask bits 01
                  assign the address to subnetwork 1.
Decimal notation: 129.218.129.17 (128 <= 129 <= 191, therefore class B)
Binary notation:  10000001.11011010.10000001.00010001
                  The first 16 bits are the class B network address; the subnetwork mask bits 10
                  assign the address to subnetwork 2.
Figure 13: The management agent is separated from its network management station by a router
The network management station “Romeo” wants to send data to the management agent “Juliet”.
Romeo knows Juliet's IP address and also knows that the router “Lorenzo” knows the way to Juliet.
Romeo therefore puts his message in an envelope and writes Juliet's IP address as the destination
address; for the source address he writes his own IP address on the envelope.
Romeo then places this envelope in a second one with Lorenzo's MAC address as the destination
and his own MAC address as the source. This process is comparable to going from Layer 3 to
Layer 2 of the ISO/OSI base reference model.
Finally, Romeo puts the entire data packet into the mailbox which is comparable to going from
Layer 2 to Layer 1, that means to sending the data packet over the Ethernet.
Lorenzo receives the letter, removes the outer envelope and recognizes from the inner envelope that
the letter is meant for Juliet. He places the inner envelope in a new outer envelope and searches his
address list (the ARP table) for Juliet's MAC address; he writes her MAC address on the outer
envelope as the destination address and his own MAC address as the source address. He then
places the entire data packet in the mail box.
Juliet receives the letter and removes the outer envelope. She finds the inner envelope with Romeo's
IP address. Opening the inner envelope and reading its contents corresponds to transferring the
message to the higher protocol layers of the ISO/OSI layer model.
Juliet would now like to send a reply to Romeo. She places her reply in an envelope with Romeo's
IP address as destination and her own IP address as source. But where is she to send the answer?
For she did not receive Romeo's MAC address. It was lost when Lorenzo replaced the outer
envelope.
In the MIB, Juliet finds Lorenzo listed under the variable hmNetGatewayIPAddr as a means of
communicating with Romeo. She therefore puts the envelope with the IP addresses in a further
envelope with Lorenzo's MAC destination address.
The letter now travels back to Romeo via Lorenzo, the same way the first letter traveled from Romeo
to Juliet.
The term “supernetting” refers to combining a number of class C address ranges. Supernetting enables
you to subdivide class B address ranges to a fine degree.
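The class, netmask, gateway and supernetting explanations above can be checked with a few lines of standard-library Python. The following is an added example, not code from the Hirschmann manual: it reproduces the manual's two sample addresses (129.218.65.17 and 129.218.129.17 with netmask 255.255.192.0), makes the Romeo/Lorenzo/Juliet decision of whether a destination is reached directly or through the gateway, and combines class C ranges into a supernet. The gateway address 129.218.64.1 and the 192.168.x.0/24 ranges are constructed for the example.

```python
"""Worked IPv4 class, netmask, next-hop and supernetting example (added example)."""
import ipaddress
from typing import List, Tuple


def binary_dotted(ip: str) -> str:
    """Dotted binary notation as used in the manual's netmask examples."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(ip).packed)


def address_class(ip: str) -> str:
    """Classful designation as the manual describes it:
    first bit 0 -> A, first bits 10 -> B, first bits 11 -> C."""
    first_octet = ipaddress.IPv4Address(ip).packed[0]
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    return "C"


CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}   # length of the classful net id in bits


def subnet_of(ip: str, mask: str) -> Tuple[str, int]:
    """Return (subnetwork in CIDR form, subnetwork number).

    The subnetwork number is the value of the subnet mask bits, i.e. the mask
    bits that extend beyond the classful network id. For the manual's two
    addresses with 255.255.192.0 this yields 1 (bits 01) and 2 (bits 10).
    """
    net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    subnet_bits = net.prefixlen - CLASS_PREFIX[address_class(ip)]
    if subnet_bits <= 0:            # mask no longer than the class: no subnetting
        return str(net), 0
    host_bits = 32 - net.prefixlen
    number = (int(net.network_address) >> host_bits) & ((1 << subnet_bits) - 1)
    return str(net), number


def next_hop(src_ip: str, mask: str, dst_ip: str, gateway_ip: str) -> str:
    """The Romeo/Lorenzo/Juliet decision: a destination inside the sender's own
    subnetwork is addressed directly (ARP for its MAC); anything else is handed
    to the gateway, whose MAC goes on the outer 'envelope'."""
    local_net = ipaddress.IPv4Interface(f"{src_ip}/{mask}").network
    return dst_ip if ipaddress.IPv4Address(dst_ip) in local_net else gateway_ip


def supernet(cidrs: List[str]) -> List[str]:
    """Combine adjacent class C (or any) ranges into the smallest covering set of
    prefixes; non-adjacent ranges are returned unchanged, in address order."""
    nets = [ipaddress.ip_network(cidr, strict=True) for cidr in cidrs]
    return [str(net) for net in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for ip in ("129.218.65.17", "129.218.129.17"):
        net, number = subnet_of(ip, "255.255.192.0")
        print(ip, binary_dotted(ip), "class", address_class(ip), net, "subnetwork", number)
    print(next_hop("129.218.65.17", "255.255.192.0", "129.218.129.17", "129.218.64.1"))
    print(supernet(["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]))
```

Running the block shows that the manual's two addresses share the class B network 129.218.0.0 but fall into different /18 subnetworks, so a frame from one to the other is addressed to the gateway's MAC, exactly the situation the Romeo and Juliet story describes.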
There are several methods for entering the system configuration: using BOOTP/DHCP, the HiDiscovery
protocol, or the external memory. You also have the option of performing the configuration using the CLI
over the V.24 interface.
The device allows you to specify the IP parameters using the HiDiscovery protocol or using the CLI over
the V.24 interface.
Entering IP addresses
Note: If a terminal or PC with terminal emulation is unavailable in the vicinity of the installation location,
you can configure the device at your own workstation, then take it to its final installation location.
Set up a connection to the device.
The start screen appears.
Deactivate DHCP.
After entering the IP parameters, you easily configure the device using the graphical user interface.
The HiDiscovery protocol enables you to assign IP parameters to the device using the Ethernet.
You easily configure other parameters using the graphical user interface.
Install the HiDiscovery software on your PC. The software is on the product DVD supplied with the
device.
Note: For security reasons, disable the HiDiscovery function for the device in the graphical user
interface, after you have assigned the IP parameters to the device.
Note: Save the settings so that you will still have the entries after a restart.
With the BOOTP function activated the device sends a boot request message to the BOOTP server. The
boot request message contains the Client ID configured in the Basic Settings > Network dialog. The
BOOTP server enters the Client ID into a database and assigns an IP address. The server answers with
a boot reply message. The boot reply message contains the assigned IP address.
The DHCP (Dynamic Host Configuration Protocol) is a further development of BOOTP, which it has
replaced. The DHCP additionally allows the configuration of a DHCP client using a name instead of
using the MAC address.
For the DHCP, this name is known as the “Client Identifier” in accordance with RFC 2131.
The device uses the name entered under sysName in the system group of the MIB II as the Client
Identifier. You can change the system name using the graphic user interface (see dialog Basic
Settings > System), the Command Line Interface or SNMP.
The device sends its system name to the DHCP server. The DHCP server then uses the system name
to allocate an IP address as an alternative to the MAC address.
The advantage of using DHCP instead of BOOTP is that the DHCP server can restrict the validity of the
configuration parameters (“Lease”) to a specific time period (known as dynamic address allocation).
Before this period (“Lease Duration”) elapses, the DHCP client can attempt to renew this lease.
Alternatively, the client can negotiate a new lease. The DHCP server then allocates a random free
address.
To help avoid this, DHCP servers provide the explicit configuration option of assigning a specific client
the same IP address based on a unique hardware ID (known as static address allocation).
In the default setting, DHCP is activated. As long as DHCP is activated, the device attempts to obtain
an IP address. If it cannot find a DHCP server after restarting, it will not have an IP address. The Basic
Settings > Network dialog offers you the opportunity to activate or to deactivate DHCP.
Note: When using Industrial HiVision network management, ensure that DHCP always allocates the
original IP address to each device.
The appendix contains an example configuration of the BOOTP/DHCP-server.
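The following is an added example, not code from the manual or from the device: it encodes and decodes the DHCP client identifier (option 61, RFC 2132) so that the difference between a hardware-address identifier and a name such as the sysName described above is visible on the wire. Encoding a name with type 0 follows RFC 2132; whether the device uses exactly this byte layout is not stated on the page and is an assumption, as are the sample sysName and MAC address.

```python
"""DHCP option 61 (client identifier) encoding, as an added illustration of the
sysName-based Client Identifier described in the manual.  Byte layout follows
RFC 2132: option code, length, then a type byte and the identifier.  Whether
the device builds the option exactly like this is an assumption."""

OPTION_CLIENT_ID = 61
HTYPE_ETHERNET = 1   # ARP hardware type for Ethernet (identifier = MAC address)
HTYPE_OTHER = 0      # RFC 2132: type 0 for a non-hardware identifier (a name)


def client_id_from_mac(mac):
    """Hardware-based identifier: type 1 followed by the 48-bit MAC address."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("need a 48-bit MAC address")
    return bytes([HTYPE_ETHERNET]) + raw


def client_id_from_name(sys_name):
    """Name-based identifier: type 0 followed by the sysName as ASCII."""
    data = sys_name.encode("ascii")
    if not 1 <= len(data) <= 254:       # one length byte, minus the type byte
        raise ValueError("sysName must be 1..254 ASCII bytes")
    return bytes([HTYPE_OTHER]) + data


def encode_option(code, value):
    """Wrap a value in the DHCP option TLV (code, length, value)."""
    return bytes([code, len(value)]) + value


def decode_client_id(option):
    """Return ('mac', 'xx:xx:..') or ('name', text) from an option 61 TLV."""
    code, length = option[0], option[1]
    if code != OPTION_CLIENT_ID or len(option) != 2 + length or length < 2:
        raise ValueError("not a well-formed client-identifier option")
    body = option[2:]
    if body[0] == HTYPE_ETHERNET:
        return "mac", ":".join(f"{b:02x}" for b in body[1:])
    return "name", body[1:].decode("ascii")


# Constructed sample values.
SAMPLE_NAME_OPTION = encode_option(OPTION_CLIENT_ID, client_id_from_name("GRS1040-Hall3"))
SAMPLE_MAC_OPTION = encode_option(OPTION_CLIENT_ID, client_id_from_mac("00:80:63:12:34:56"))
```

Note what static allocation keyed on the name implies: the identifier is a string the client chooses, so any host that sends the same sysName claims the same reservation. Where that matters, key reservations on the hardware address and keep DHCP traffic to the management VLAN.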
You can assign the IP address to the device in several different ways. Whichever way you choose, the
IP address conflict detection function helps the device detect IP address conflicts on the network after
boot-up, and the device also checks periodically during operation. This function is described in RFC 5227.
When enabled, the device sends an SNMP trap informing you that it detected an IP address conflict.
The following list contains the default settings for this function:
– Operation : On
– Detection mode : active and passive
– Send periodic ARP probes : marked
– Detection delay [ms] : 200
– Release delay [s] : 15
– Address protections : 3
– Protection interval [ms] : 200
– Send trap : marked
An authentication list contains the policies that the device applies for authentication when a user
accesses the device using a specific connection.
The prerequisite for a user's access to the device management is that at least one policy is assigned to
the authentication list of the application through which access is performed.
3.1.1 Applications
The device provides an application for each type of connection through which someone accesses the
device:
Access using CLI via a serial connection: Console(V.24)
Access using CLI via SSH: SSH
Access using CLI via Telnet: Telnet
Access using the graphical user interface: WebInterface
The device also provides an application to control the access to the network from connected end
devices using port-based access control: 8021x
3.1.2 Policies
The device allows users to access its management exclusively when they log in with valid login data.
The device authenticates the users using the following policies:
User management of the device
LDAP
RADIUS
With the port-based access control according to IEEE 802.1X, the device allows connected end devices
to access the network if they log in with valid login data. The device authenticates the end devices using
the following policies:
RADIUS
IAS (Integrated Authentication Server)
The device gives you the option of a fall-back solution. For this, you specify more than one policy in the
authentication list. If authentication is unsuccessful using the current policy, the device applies the next
specified policy.
Deactivate the authentication list for those applications through which no access to the device is
performed, for example 8021x.
In the Active column of the authentication list defaultDot1x8021AuthList, unmark the
checkbox.
To save the changes temporarily, click the button.
authlists set-policy loginGUI radius local reject reject reject    Assigns the policies radius, local and reject to the authentication list loginGUI.
show authlists Displays the authentication lists that are set up.
authlists enable loginGUI Activates the authentication list loginGUI.
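The following is an added example, not code from the manual or from the device: it models how the authentication list set with authlists set-policy loginGUI radius local reject reject reject is evaluated, following the manual's rule that an unsuccessful policy hands over to the next one in the list. The three result values, the sample user database and the RADIUS stub are assumptions constructed for the illustration.

```python
"""Authentication-list evaluation with fall-back, as an added example of the
policy order described in the manual (radius, local, reject).  Sample users
and the RADIUS stub are constructed; the result values are assumptions."""
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    DENY = "deny"                # backend reachable, credentials not valid
    UNAVAILABLE = "unavailable"  # backend (e.g. RADIUS server) not reachable


# Constructed sample data: local user management and a RADIUS user store.
LOCAL_USERS = {"admin": "Lock3d-Down-Pw!"}
RADIUS_USERS = {"jdoe": "Corp-RADIUS-Pw"}


def local_policy(user, password):
    """Policy 'local': the device's own user management."""
    return Result.ACCEPT if LOCAL_USERS.get(user) == password else Result.DENY


def make_radius_policy(reachable=True):
    """Policy 'radius': stub for a RADIUS server that may be down."""
    def radius_policy(user, password):
        if not reachable:
            return Result.UNAVAILABLE
        return Result.ACCEPT if RADIUS_USERS.get(user) == password else Result.DENY
    return radius_policy


def reject_policy(user, password):
    """Policy 'reject': never authenticates anyone."""
    return Result.DENY


def evaluate(policies, user, password):
    """Apply the policies in list order and return (result, deciding policy).
    Manual rule: if authentication is unsuccessful with the current policy,
    the device applies the next specified policy; if none accepts, access
    is denied."""
    for name, policy in policies:
        if policy(user, password) is Result.ACCEPT:
            return Result.ACCEPT, name
    return Result.DENY, "no policy accepted"


def login_gui_list(radius_reachable=True):
    """The list produced by:
    authlists set-policy loginGUI radius local reject reject reject"""
    return ([("radius", make_radius_policy(radius_reachable)),
             ("local", local_policy)]
            + [("reject", reject_policy)] * 3)
```

The fall-back has a consequence worth checking before you rely on RADIUS: with local listed after radius, a user the RADIUS server has just rejected is still tried against the local user management, so the local accounts remain a login path while RADIUS is up. Keep the local admin password strong (see the user management section) and, where RADIUS is meant to be authoritative for a given application, list reject directly after radius and accept that the application is unreachable while the server is down.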
The device allows users to access its management functions when they log in with valid login data. The
device authenticates the users either using the local user management or with a RADIUS server in the
network. To get the device to use the user management, assign the local policy to an authentication
list, see the Device Security > Authentication List dialog.
In the local user management, you manage the user accounts. One user account is usually allocated to
each user.
Change the password for the admin user account before making the device available in the network.
Note: Remember to allocate the password when you are setting up a new user account in the CLI.
To permanently deactivate the user account settings, you delete the user account.
Highlight the row for the relevant user account.
Click the button.
In the Configuration frame you specify the number of user login attempts before the device locks
out the user. You also specify the minimum number of characters for a password.
Specify the values to meet your requirements.
In the Login attempts field, you specify the number of times a user can attempt to log on to the device
before the device locks the account. The field allows values in the range 0..5.
The value 0 deactivates the function.
The Min. password length field allows values in the range 1..64.
The dialog displays the policy set up in the Password policy frame.
Adjust the values to meet your requirements.
Values in the range 1 through 16 are allowed.
The value 0 deactivates the relevant policy.
To apply the entries specified in the Configuration and Password policy frames, mark the
checkbox in the Policy check column for a particular user.
To save the changes temporarily, click the button.
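The following is an added example, not code from the manual or from the device: it applies the ranges given above (Login attempts 0..5 with 0 deactivating, Min. password length 1..64, per-policy values 1..16 with 0 deactivating that policy) to candidate passwords and to a running count of failed logins. The four character-class policies (upper case, lower case, digits, special characters) are assumed names for the fields of the Password policy frame, which the page does not list.

```python
"""Password-policy and login-attempt checks with the ranges stated in the
manual, as an added example.  The character-class policy names are assumed."""
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 8   # Min. password length, 1..64
    upper: int = 1        # assumed policy names; 1..16 enforces, 0 deactivates
    lower: int = 1
    digits: int = 1
    special: int = 1

    def validate(self):
        """Reject values outside the ranges the dialog accepts."""
        if not 1 <= self.min_length <= 64:
            raise ValueError("Min. password length must be 1..64")
        for name in ("upper", "lower", "digits", "special"):
            if not 0 <= getattr(self, name) <= 16:
                raise ValueError(f"{name} must be 0..16")


def password_violations(password, policy):
    """Return the rules the password breaks; an empty list means accepted."""
    policy.validate()
    counts = {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "special": sum(c in string.punctuation for c in password),
    }
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} < {policy.min_length}")
    for name, have in counts.items():
        need = getattr(policy, name)
        if need and have < need:   # value 0 deactivates the relevant policy
            problems.append(f"{name}: {have} < {need}")
    return problems


class LoginLimiter:
    """Counts failed logins per user and locks the account at the limit."""

    def __init__(self, login_attempts=3):
        if not 0 <= login_attempts <= 5:
            raise ValueError("Login attempts must be 0..5")
        self.limit = login_attempts
        self.failures = {}
        self.locked = set()

    def record_failure(self, user):
        """Register a failed login; return True once the user is locked out."""
        if self.limit == 0:          # 0 deactivates the lockout function
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.limit:
            self.locked.add(user)
        return user in self.locked

    def record_success(self, user):
        """A successful login resets the failure counter."""
        self.failures.pop(user, None)
```

Use the checks to vet passwords before you create accounts over the CLI, where no dialog reminds you of the policy, and remember that a lockout limit of 0 leaves every account open to unlimited guessing.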
3.3 LDAP
Server administrators manage Active Directory instances, which contain the user login credentials for
the applications used in the office environment. The Active Directory is hierarchical in nature, containing
user names, passwords, and the authorized read/write permission levels for each user.
This device uses the Lightweight Directory Access Protocol (LDAP) to retrieve user login information
and permission levels from an Active Directory. This provides a “single sign on” for network devices.
Retrieving the credentials from an Active Directory allows the user to log in to the device with the same
credentials used in the office environment.
An LDAP session starts with the device contacting the Directory System Agent (DSA) to search the
Active Directory of an LDAP server. If the server finds multiple entries in the Active Directory for a user,
then the server sends the higher permission level found. The DSA listens for information requests and
sends responses on TCP port 389 for LDAP, or on TCP port 636 for LDAP over SSL (LDAPS). Clients
and servers encode LDAP requests and responses using the Basic Encoding Rules (BER). The device
opens a new connection for every request and closes the connection after receiving a response from
the server.
The device allows you to upload a CA certificate to validate the server for Secure Sockets Layer (SSL)
and Transport Layer Security (TLS) sessions. The certificate is optional for TLS sessions; without it the
connection is encrypted, but the device cannot validate the identity of the server.
The device is able to cache credentials for up to 1024 users in memory. If the Active Directory servers
are unreachable, then users with cached credentials are still able to log in using their office credentials.
local.server 10.16.1.2
Open the Device Security > LDAP > LDAP Role Mapping dialog.
To add a table entry, click the button.
When a user logs on to the device, with LDAP configured and enabled, the device searches the
Active Directory for the credentials of the user. If the device finds the user name and the
password is correct, then the device searches for the value specified in the Type column. If the
device finds the attribute and the text in the Parameter column matches the text in the Active
Directory, then the device allows the user to login with the assigned permission level. If the value
attribute is specified in the Type column, specify the value in the Parameter column in the
following form: attributeName=attributeValue.
In the Role column, enter the value operator to specify the user role.
To activate the entry, mark the checkbox in the Active column.
Click the button.
The dialog displays the Create window.
Enter the values received from the server administrator for the administrator role.
To activate the entry, mark the checkbox in the Active column.
Open the Device Security > LDAP > Configuration dialog.
To enable the function, select the On radio button in the Operation frame.
The following table describes how to configure the LDAP function on the device using the CLI
commands. The table displays the commands for Index 1. To configure Index 2, use the same
commands and substitute the appropriate information.
enable    Change to the Privileged EXEC mode.
configure    Change to the Configuration mode.
ldap cache-timeout 1440    Specify that the device discards the cached user credentials after 1440 minutes (one day).
ldap client server add 1 local.server port 389    Add a connection to the remote authentication server with the host name local.server and TCP port 389.
ldap client server modify 1 security startTLS    Specify the type of security used for the connection.
ldap client server modify 1 description Primary_AD_Server    Specify the configuration name of the entry.
ldap basedn ou=Users,ou=City,ou=Country,dc=server,dc=local    Specify the Base Distinguished Name (base DN) under which the device searches the Active Directory on the server.
ldap search-attr userPrincipalName    Specify the attribute to search for in the Active Directory which contains the credential of the users.
ldap bind-user user@company.com    Specify the name and domain of the service user.
ldap bind-passwd Ur-123456    Specify the password of the service user.
ldap client server enable 1    Enable the remote authentication server connection.
ldap mapping add 1 access-role operator mapping-type attribute mapping-parameter OPERATOR    Add a remote authentication role mapping entry for the operator role. Map the operator role to the attribute containing the word OPERATOR.
ldap mapping enable 1    Enable the remote authentication role mapping entry.
ldap operation    Enable the remote authentication function.
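The following is an added example, not code from the manual or from the device: it models the role mapping step described for the LDAP Role Mapping dialog, where after a successful bind the device checks each active mapping against the user's directory entry (Type attribute: the named attribute is present; Type value: attributeName=attributeValue matches) and assigns the mapped role, with the higher permission level winning when several entries match. The role ranking beyond operator and administrator, the reading of the attribute type, and the sample directory entries are assumptions constructed here.

```python
"""Role mapping on LDAP login, as an added example of the Type/Parameter/Role
columns described in the manual.  Role ranking and sample entries are assumed."""
from dataclasses import dataclass

# Assumed ranking of user roles, highest permission first.
ROLE_RANK = {"administrator": 4, "operator": 3, "auditor": 2, "guest": 1, "unauthorized": 0}


@dataclass
class Mapping:
    index: int
    role: str
    mapping_type: str    # "attribute" or "value"
    parameter: str       # attribute name, or "attributeName=attributeValue"
    active: bool = True


def mapping_matches(mapping, entry):
    """Check one mapping against one directory entry (dict of attributes)."""
    if mapping.mapping_type == "attribute":
        return mapping.parameter in entry          # attribute exists, any value
    if mapping.mapping_type == "value":
        if "=" not in mapping.parameter:
            raise ValueError("value mappings need attributeName=attributeValue")
        name, _, wanted = mapping.parameter.partition("=")
        values = entry.get(name, [])
        if isinstance(values, str):
            values = [values]
        return wanted in values
    raise ValueError(f"unknown mapping type {mapping.mapping_type!r}")


def resolve_role(entries, mappings):
    """Return the highest-ranked role granted by any active mapping, or None."""
    best = None
    for entry in entries:
        for m in mappings:
            if not m.active or not mapping_matches(m, entry):
                continue
            if best is None or ROLE_RANK[m.role] > ROLE_RANK[best]:
                best = m.role
    return best


# Constructed sample: two directory entries returned for the same user.
SAMPLE_ENTRIES = [
    {"userPrincipalName": "jdoe@company.com",
     "memberOf": ["CN=NetOps,OU=Groups,DC=server,DC=local"]},
    {"userPrincipalName": "jdoe@company.com",
     "memberOf": ["CN=NetAdmins,OU=Groups,DC=server,DC=local"],
     "OPERATOR": "yes"},
]
SAMPLE_MAPPINGS = [
    Mapping(1, "operator", "attribute", "OPERATOR"),
    Mapping(2, "administrator", "value",
            "memberOf=CN=NetAdmins,OU=Groups,DC=server,DC=local"),
]
```

Two points follow from the model: a mapping of type attribute grants the role to every entry that merely carries an attribute of that name, whatever its value, so prefer value mappings on a group attribute such as memberOf; and because the higher level wins across entries, a second, stale entry for the same user in the directory can raise the role the device assigns.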
The SNMP protocol allows you to work with a network management system to monitor the device over
the network and change its settings.
To adapt the SNMPv3 parameters of the user account settings to the settings in your network
management system, perform the following steps:
Open the Device Security > User Management dialog.
The dialog displays the user accounts that are set up.
Click the row of the relevant user account in the SNMP auth type field. Select the desired
setting.
Click the row of the relevant user account in the SNMP encryption type field. Select the
desired setting.
To save the changes temporarily, click the button.
When you need assistance with your device, the service personnel use the Service Shell to monitor
internal conditions, for example switch or CPU registers.
The Service Shell is exclusively for service purposes. This function gives access to internal functions
of the device. Never execute internal functions without instructions from a service technician.
Executing internal functions such as deleting the content of the NVM (non-volatile memory) can leave
your device inoperable.
!(GRS) >enable
!(GRS) #?
clear Clear several items.
configure Enter into global config mode.
copy Copy different kinds of items.
debug Service functions to find configuration errors.
exit Exit from current mode.
help Display help for various special keys.
history Show a list of previously run commands.
login Set login parameters.
logout Exit this session.
network Modify network parameters.
ping Send ICMP echo packets to a specified
IP address.
profile Activate or delete configuration profiles.
reboot Reset the device (cold start).
save Save configuration.
serviceshell Enter system mode.
set Set device parameters.
show Display device options and settings.
traceroute Trace route to a specified host.
!(GRS) #serviceshell
-> exit
Au revoir!
!*(GRS) #
To start the Service Shell, enter serviceshell in the privileged exec mode, or enter ser and a
Space character, and press the <Enter> key.
To prevent configuration inconsistencies, log out from the Service Shell before any other user
starts uploading a new configuration to the device.
To end the Service Shell, enter exit and then press the <Enter> key.
Note: When the Service Shell is active, the timeout of the Command Line Interface is inactive.
Note: When you deactivate the Service Shell, then you are still able to configure the device, but you
limit the service personnel to system diagnostics. The deactivation is irreversible, the Service Shell
remains permanently deactivated. In order to reactivate the Service Shell, the device requires
disassembly by the manufacturer.
!(GRS) >enable
!(GRS) #serviceshell?
[deactivate] Disable the service shell access permanently
(Cannot be undone).
<cr> Press Enter to execute the command.
You use the Out of Band function (OoB) to specify the IP address, subnet mask and IP address
assignment method required for access to the device management through the Out of Band interface.
Management of the device remains possible even when there is a high in-band load on the internal CPU
port. The device also lets you perform Restricted Management Access by using the Out of Band port.
The Out of Band management port allows you to manage the device and upload configurations. The Out
of Band port supports:
Industry protocols
for example
– IEC61850-MMS
– Modbus TCP
– EtherNet/IP
Management protocols
for example
– SNMP
– Telnet
– SSH
– HTTP
– HTTPS
– FTP
– SCP
– TFTP
– SFTP
Configuration of the IP address
– DHCP client
– Manually assigning an IP address (default setting: 192.168.1.1/24)
Example
The following example describes how to specify the IP addresses using the Out of Band function
on the selected ports. You can specify the IP parameters to the device by either of these methods:
Select a source and specify the MAC address.
The device adds the IP parameters of the source.
Add the IP parameters manually as the source of the device. Select the Local radio button in the
Management interface frame.
Open the Basic Settings > Out of Band dialog.
To manually assign the IP parameters to the device, select the Local radio button in the
Management interface frame.
To enable the function, select the On radio button in the Operation frame.
If you change the settings of the device during operation, the device stores the changes in its memory
(RAM). After a reboot the settings are lost.
In order to keep the changes after a reboot, the device offers the possibility of saving additional settings
in a configuration profile in the non-volatile memory (NVM). In order to make it possible to quickly switch
to other settings, the non-volatile memory offers storage space for multiple configuration profiles.
If an external memory is connected, the device generates a copy of the configuration profile on the
external memory automatically. This function can be deactivated.
Changes made to settings during operation are stored by the device in its memory (RAM). The
configuration profile in non-volatile memory (NVM) remains unchanged until you explicitly save it. Until
then, the configuration profiles in memory and non-volatile memory differ.
This device helps you recognize changed settings. If the configuration profile in the memory (RAM) differs
from the "selected" configuration profile in the non-volatile memory (NVM), you can recognize the
difference based on the following criteria:
The status bar at the top of the menu displays the icon . If the configuration profiles match,
the icon is hidden.
In the Basic Settings > Load/Save dialog, the checkbox in the Information frame is
unmarked. If the configuration profiles match, the checkbox is marked.
show config status
Configuration Storage sync State
--------------------------------
running-config to NV........................out of sync
...
If the copy in the external memory differs from the configuration profile in the non-volatile memory, you
see the difference based on the following criteria:
In the Basic Settings > Load/Save dialog, the checkbox in the Information frame is
unmarked. If the configuration profiles match, the checkbox is marked.
show config status
Configuration Storage sync State
--------------------------------
...
NV to ACA...................................out of sync
...
show config profiles nvm Displays the configuration profiles contained in non-volatile
memory (nvm).
enable Change to the Privileged EXEC mode.
save Save the settings in the non-volatile memory (nvm) in the
“selected” configuration profile.
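The following is an added example, not code from the manual or from the device: it parses the output of show config status shown above into a dictionary and lists the storage relations that are out of sync, so that a monitoring job polling the CLI can alert on unsaved running configuration or on a copy in the external memory (ACA) that no longer matches the non-volatile memory. The sample output is constructed; only the wording "out of sync" appears on the page, so any other state string is treated as in sync (an assumption).

```python
"""Parser for `show config status`, as an added example for detecting unsaved
or diverged configuration profiles.  Sample output is constructed."""
import re

SAMPLE_OUTPUT = """\
Configuration Storage sync State
--------------------------------
running-config to NV........................out of sync
NV to ACA...................................in sync
"""

# "<relation>....<state>": the relation name, a run of dots, then the state.
LINE = re.compile(r"^(?P<relation>.+?)\.{2,}\s*(?P<state>.+?)\s*$")


def parse_config_status(text):
    """Map each storage relation (e.g. 'running-config to NV') to its state."""
    states = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            states[m.group("relation")] = m.group("state")
    return states


def out_of_sync(text):
    """Relations whose state is 'out of sync', in output order."""
    return [rel for rel, st in parse_config_status(text).items() if st == "out of sync"]
```

A running configuration that stays out of sync with NV for long is either work somebody forgot to save or a change nobody intended; either way, an alert on it is cheap. The NV-to-ACA relation tells you whether the backup copy on the external memory would actually restore the current settings.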
In case the transfer to the remote server is unsuccessful, the device logs this event in the log file (System
Log).
In order to cause the device to automatically generate a copy in external memory during the
saving process, select the checkbox in the Backup config when saving column.
To disable the function, remove the checkmark from the checkbox in the Backup config when
saving column.
To save the changes temporarily, click the button.
To export the configuration profile to your PC, perform the following steps:
Click the link in the Profile name column.
Select the storage location and specify the file name.
Click the Ok button.
The configuration profile is now saved as an XML file in the specified location.
To export the configuration profile to a remote server, perform the following steps:
By loading settings, the device allows you to quickly switch to other settings if required.
The CLI allows you to copy the settings from the external memory directly into the non-volatile
memory.
show config profiles nvm Displays the configuration profiles contained in non-volatile
memory (nvm).
enable Change to the Privileged EXEC mode.
copy config envm profile config3 nvm Copy the configuration profile config3 from the external memory
(envm) to the non-volatile memory (nvm).
To import the configuration profile from the local PC or from a remote server, perform the following
steps:
Import the configuration profile:
If the file is located on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>:<port>/<file name>
If the file is located on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
If the file is located on an SCP or SFTP server, specify the URL for the file in one of the following forms:
scp:// or sftp://<IP address>/<path>/<file name>
When you click the Start button, the device displays the Credentials window. There you enter User name
and Password , to log on to the server.
scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
In the Destination frame, specify where the device saves the imported configuration profile:
In the Profile name field, specify the name under which the device saves the configuration profile.
In the Storage type field, specify the storage location for the configuration profile.
Click the Ok button.
The device copies the configuration profile into the specified memory.
If you specified the value ram in the Destination frame, the device disconnects the graphical
user interface and uses the settings immediately on the fly.
To import the configuration profile from the external memory, perform the following steps:
In the Import profile from external memory frame, Profile name drop-down list, select
the name of the configuration profile to be imported.
The prerequisite is that the external memory contains an exported configuration profile.
In the Destination frame, specify where the device saves the imported configuration profile:
In the Profile name field, specify the name under which the device saves the configuration profile.
Click the Ok button.
The device copies the configuration profile into the non-volatile memory (NVM ) of the device.
If you specified the value ram in the Destination frame, the device disconnects the graphical
user interface and uses the settings immediately on the fly.
If you reset the settings in the device to the delivery state, the device deletes the configuration profiles
in the volatile memory and in the non-volatile memory.
If an external memory is connected, the device also deletes the configuration profiles saved on the
external memory.
The device then reboots and loads the factory settings.
To execute the Clear configs and boot params command, press the <1> key.
To load the factory settings, press the <Enter> key.
The device deletes the configuration profiles in the memory (RAM) and in the non-volatile memory
(NVM).
If an external memory is connected, the device also deletes the configuration profiles saved on the
external memory.
To switch to the main menu, press the <q> key.
To reboot the device with factory settings, press the <q> key.
Hirschmann is continually working on improving and developing their software. Check regularly whether
there is an updated version of the software that provides you with additional benefits. You find
information and software downloads on the Hirschmann product pages on the Internet at
www.hirschmann.com.
The device gives you the following options for updating the device software:
Software update from the PC
Software update from a server
Software update from the external memory
Loading an older software
Note: The device settings are kept after updating the device software.
You see the version of the installed device software on the Login page of the graphical user interface.
If you are already logged in, perform the following steps to display the version of the installed software.
Open the Basic Settings > Software dialog.
The field Running version displays the version number and creation date of the device
software that the device loaded during the last restart and is currently running.
enable Change to the Privileged EXEC mode.
show system info Displays the system information such as the version number and
creation date of the device software that the device loaded during
the last restart and is currently running.
The prerequisite is that the image file of the device software is saved on a data carrier which is
accessible from your PC.
Perform the following steps:
Navigate to the folder where the image file of the device software is saved.
Open the Basic Settings > Software dialog.
Drag and drop the image file in the area. Alternatively click in the area to select the file.
To start the update procedure, click the Start button.
As soon as the update procedure is completed successfully, the device displays an
information that the software is successfully updated.
Upon restart, the device loads the installed device software.
To update the software from a server using FTP, TFTP, SCP or SFTP, you need a server on which the
image file of the device software is saved.
Perform the following steps:
Open the Basic Settings > Software dialog.
In the Software update frame, URL field, enter the URL for the image file in the following
form:
When the image file is saved on an FTP server:
ftp://<IP_address>:<port>/<path>/<image_file_name>.bin
When the image file is saved on a TFTP server:
tftp://<IP_address>/<path>/<image_file_name>.bin
When the image file is saved on a SCP or SFTP server:
scp:// or sftp://<IP_address>/<path>/<image_file_name>.bin
scp:// or sftp://<username>:<password>@<IP_address>/<path>/<image_file_name>.bin
If you enter the URL without the user name and password, the device displays the Credentials window.
There you enter credentials needed to log on to the server.
To start the update procedure, click the Start button.
The device copies the currently running device software into the backup memory.
As soon as the update procedure is completed successfully, the device displays an
information that the software is successfully updated.
Upon restart, the device loads the installed device software.
enable Change to the Privileged EXEC mode.
copy firmware remote tftp://10.0.1.159/product.bin system    Transfer the product.bin file from the TFTP server with the IP address 10.0.1.159 to the device.
The device copies the currently running device software into the backup memory.
As soon as the update procedure is completed successfully, the device displays an
information that the software is successfully updated.
Upon restart, the device loads the installed device software.
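The following is an added example, not code from the manual or from the device; it serves both the configuration-profile import URLs and the software-update URLs listed above. It checks a transfer URL for what a security review looks for: an unsupported scheme, credentials embedded in the URL (they end up in CLI history, logs and saved profiles), a plaintext transport for a firmware image or configuration profile, and an image name without the .bin suffix, and it rebuilds a URL without the user:password part for logging. The sample URLs are constructed.

```python
"""Checks on ftp://, tftp://, scp:// and sftp:// transfer URLs, as an added
example for the config import and software update procedures.  Sample URLs
are constructed."""
from urllib.parse import urlsplit, urlunsplit

SUPPORTED = {"ftp", "tftp", "scp", "sftp"}   # URL forms listed in the manual
PLAINTEXT = {"ftp", "tftp"}                   # no encryption, no server authentication


def check_transfer_url(url, firmware=False):
    """Return a list of findings for a config-import or software-update URL.
    An empty list means: encrypted transport, no credentials in the URL and
    (for firmware) a .bin image name."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in SUPPORTED:
        return [f"unsupported scheme {scheme!r}"]
    findings = []
    if not parts.hostname:
        findings.append("missing host")
    if parts.username is not None or parts.password is not None:
        findings.append("credentials embedded in URL; prefer the Credentials prompt")
    if scheme in PLAINTEXT:
        findings.append(f"{scheme} transfers the file without encryption or server authentication")
    if firmware and not parts.path.endswith(".bin"):
        findings.append("firmware image name should end in .bin")
    return findings


def strip_credentials(url):
    """Rebuild the URL without user:password, e.g. before logging or storing it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    try:
        port = parts.port
    except ValueError:                   # non-numeric port in the URL
        port = None
    netloc = f"{host}:{port}" if port else host
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
```

TFTP is the form the CLI example above uses; it is fine on an isolated commissioning network, but on a production network prefer sftp:// or scp:// and enter the server credentials at the Credentials prompt rather than in the URL.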
– Does the image file specified in the startup.txt file exist?
– Is the software version of the image file more recent than the software currently running on the
device?
If the criteria are fulfilled, the device starts the update procedure.
The device copies the currently running device software into the backup memory.
As soon as the update procedure is completed successfully, the device reboots automatically and
loads the new software version.
Check the result of the update procedure. The log file in the Diagnostics > Report > System Log
dialog contains one of the following messages:
S_watson_AUTOMATIC_SWUPDATE_SUCCESS
Software update completed successfully
S_watson_AUTOMATIC_SWUPDATE_ABORTED
Software update aborted
S_watson_AUTOMATIC_SWUPDATE_ABORTED_WRONG_FILE
Software update aborted due to wrong image file
S_watson_AUTOMATIC_SWUPDATE_ABORTED_SAVING_FILE
Software update aborted due to failed saving of the image file to the device
The device allows you to replace the device software with an older version. The basic settings on the
device are kept after replacing the device software.
Note: The settings for functions which are available in the newer device software version exclusively
are lost.
In the default setting, every port is enabled. For a higher level of access security, disable the ports for
which you are not making any connection.
Perform the following steps:
Open the Basic Settings > Port dialog, Configuration tab.
To enable a port, mark the checkbox in the Port on column.
To disable a port, unmark the checkbox in the Port on column.
To save the changes temporarily, click the button.
In the default setting, the ports are set to Automatic configuration operating mode.
Note: The active automatic configuration has priority over the manual configuration.
Perform the following steps:
Open the Basic Settings > Port dialog, Configuration tab.
If the device connected to this port requires a fixed setting:
Deactivate the function. Unmark the checkbox in the Automatic configuration column.
In the Manual configuration column, enter the desired operating mode (transmission rate, duplex mode).
When you plug a module in an empty slot on modular devices, the device configures the module with
the default settings. The default settings allow access to the network. To help prevent unauthorized
network access, deactivate the unused slots.
Perform the following steps:
Open the Basic Settings > Modules dialog.
To deactivate the unused slots, unmark the Active checkbox.
You use the Link monitoring function for end stations that support Far End Fault Indication (FEFI) on
optical links connected with an unsupported SFP. If the device detects a link up, the LED illuminates.
When the device detects a lost link, the LED extinguishes.
6.4.1 Example
The given example describes activation of the Link monitoring function on the selected ports.
Perform the following steps:
Open the Basic Settings > Port dialog, Configuration tab.
To illuminate the green LED of the Ethernet port, mark the checkbox in the Link monitoring
column.
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
interface 1/1 Change to the interface configuration mode of interface 1/1.
link loss alert Enable the Link monitoring function on the interface.
The device supports 2.5 Gbit/s on several interfaces with one of the following SFP transceivers:
M-SFP-2.5-MM/LC EEC
M-SFP-2.5-SM-/LC EEC
M-SFP-2.5-SM/LC EEC
M-SFP-2.5-SM+/LC EEC
Speed is determined by the plugged SFP transceiver. The device has no option to set the speed
manually. Devices with 2.5 Gbit/s ports are unable to support 100 Mbit/s SFP transceivers.
6.5.1 Example
You use the 2.5 Gbit/s to get higher bandwidth for uplinks. To use the 2.5 Gbit/s speed, you need to
insert a proper SFP transceiver for the appropriate port.
In the Basic Settings > Port dialog, the Link/Current settings column displays the value
2.5 Gbit/s FDX for the ports that have inserted a 2.5 Gbit/s SFP transceiver. You cannot change this
speed.
Perform the following steps:
Open the Basic Settings > Port dialog, Configuration tab.
show port 1/1 Displays 2500 full as the Physical Mode of the port.
The device offers functions that help you protect the device against unauthorized access.
After you set up the device, carry out the following steps in order to reduce the risk of unauthorized
access to the device.
Changing the SNMPv1/v2 community
Disabling SNMPv1/v2
Disabling HTTP
Using your own HTTPS certificate
Using your own SSH key
Disabling Telnet
Disabling HiDiscovery
Enabling IP access restriction
Adjusting the session timeouts
SNMPv1/v2 works unencrypted. Every SNMP packet contains the IP address of the sender and the
plaintext community name with which the sender accesses the device. If SNMPv1/v2 is enabled, the
device allows anyone who knows the community name to access the device.
The community names public for read accesses and private for write accesses are preset. If you are
using SNMPv1 or SNMPv2, you change the default community name. Treat the community names with
discretion.
Perform the following steps:
Open the Device Security > Management Access > SNMPv1/v2 Community dialog.
The dialog displays the communities that are set up.
For the Write community, specify in the Name column the community name.
Up to 32 alphanumeric characters are allowed.
The device differentiates between upper and lower case.
Specify a different community name than for read access.
If you need SNMPv1 or SNMPv2, use these protocols solely in environments protected from
eavesdropping. SNMPv1 and SNMPv2 do not use encryption. The SNMP packets contain the
community in clear text. We recommend using SNMPv3 in the device and disabling the access using
SNMPv1 and SNMPv2.
Perform the following steps:
Open the Device Security > Management Access > Server dialog, SNMP tab.
The dialog displays the settings of the SNMP server.
To deactivate the SNMPv1 protocol, you unmark the SNMPv1 checkbox.
To deactivate the SNMPv2 protocol, you unmark the SNMPv2 checkbox.
To save the changes temporarily, click the button.
The web server provides the graphical user interface with the protocol HTTP or HTTPS. HTTPS
connections are encrypted, while HTTP connections are unencrypted.
The HTTP protocol is enabled by default. If you disable HTTP, no unencrypted access to the graphical
user interface is possible.
Perform the following steps:
Open the Device Security > Management Access > Server dialog, HTTP tab.
To disable the HTTP protocol, select the Off radio button in the Operation frame.
To save the changes temporarily, click the button.
If the HTTP protocol is disabled, then you can reach the graphical user interface of the device only by
HTTPS. In the address bar of the web browser, enter the string https:// before the IP address of the
device.
When the HTTPS protocol is disabled and you also disable HTTP, the graphical user interface is
inaccessible. To work with the graphical user interface again, enable the HTTPS server using the
Command Line Interface.
Perform the following steps:
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
https server Enable the HTTPS protocol.
The device allows you to remotely access the management functions of the device using Telnet or SSH.
Telnet connections are unencrypted, while SSH connections are encrypted.
The Telnet server is enabled on the device by default. If you disable Telnet, unencrypted remote access
to the command line interface is no longer possible.
Perform the following steps:
Open the Device Security > Management Access > Server dialog, Telnet tab.
To disable the Telnet server, select the Off radio button in the Operation frame.
To save the changes temporarily, click the button.
If the SSH server is disabled and you also disable Telnet, then access to the command line interface is
possible only through the V.24 interface of the device. To work remotely with the command line
interface, enable SSH.
Perform the following steps:
Open the Device Security > Management Access > Server dialog, SSH tab.
To enable the SSH server, select the On radio button in the Operation frame.
To save the changes temporarily, click the button.
HiDiscovery allows you to assign IP parameters to the device over the network during commissioning.
HiDiscovery communicates in the management VLAN without encryption and authentication.
After the device is commissioned, we recommend setting HiDiscovery to read-only or disabling
HiDiscovery access completely.
Perform the following steps:
Open the Basic Settings > Network dialog.
To take away write permission from the HiDiscovery software, in the HiDiscovery protocol
v1/v2 frame, specify the value readOnly in the Access field.
To disable HiDiscovery access completely, select the Off radio button in the HiDiscovery
protocol v1/v2 frame.
To save the changes temporarily, click the button.
In the default setting, you access the management functions of the device from any IP address and with
the supported protocols.
The IP access restriction allows you to restrict access to the management functions to selected IP
address ranges and selected IP-based protocols.
Example:
The device is to be accessible only from the company network using the graphical user interface. The
administrator has additional remote access using SSH. The company network has the address range
192.168.1.0/24 and remote access from a mobile network with the IP address range 109.237.176.0/
24. The SSH application program knows the fingerprint of the RSA/DSA key.
Parameter            Company network   Mobile phone network
Network address      192.168.1.0       109.237.176.0
Netmask              24                24
Desired protocols    https, snmp       ssh
Table 6: Parameters for the IP access restriction
network management access add 2  Create the entry for the address range of the company network. Number of the next available index in this example: 2.
network management access modify 2 ip 192.168.1.0  Specify the IP address of the company network.
network management access modify 2 mask 24  Specify the netmask of the company network.
network management access modify 2 ssh disable  Deactivate SSH for the address range of the company network. Repeat the operation for all unwanted protocols.
network management access add 3  Create an entry for the address range of the mobile phone network. Number of the next available index in this example: 3.
network management access modify 3 ip 109.237.176.0  Specify the IP address of the mobile phone network.
network management access modify 3 mask 24  Specify the netmask of the mobile phone network.
network management access modify 3 snmp disable  Deactivate SNMP for the address range of the mobile phone network. Repeat the operation for all unwanted protocols.
show network management access rules  Display the entries that have been configured.
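The rule set of Table 6 as a checkable model, added here as an example (not Hirschmann code): it decides whether a management request from a source address with a given protocol is covered by an entry, and emits the CLI lines for an entry in the form shown above. The protocol keyword set and the "no matching entry means denied" behaviour are assumptions of this model.

```python
"""IP access restriction for management access, as a checkable model.

Added example (not Hirschmann code). An entry mirrors the CLI example
above: an index, a network (ip + prefix length) and, per protocol, whether
the protocol stays enabled for that range. Deciding "denied" when no entry
covers the source address is an assumption of this model, as is the set of
protocol keywords (the page itself shows only ssh and snmp).
"""
from ipaddress import ip_address, ip_network

PROTOCOLS = ("https", "snmp", "ssh")  # assumed keyword set for this model


def make_entry(index, ip, mask, enabled):
    """One restriction entry; protocols not listed in 'enabled' are disabled."""
    return {
        "index": index,
        "network": ip_network(f"{ip}/{mask}", strict=False),
        "protocols": {p: (p in enabled) for p in PROTOCOLS},
    }


# Constructed rule set reproducing Table 6 (indices 2 and 3 as in the CLI example).
RULES = [
    make_entry(2, "192.168.1.0", 24, enabled=("https", "snmp")),
    make_entry(3, "109.237.176.0", 24, enabled=("ssh",)),
]


def management_access_allowed(src_ip, protocol, rules=RULES):
    """True if some entry covers src_ip and leaves 'protocol' enabled."""
    src = ip_address(src_ip)
    return any(
        src in entry["network"] and entry["protocols"].get(protocol, False)
        for entry in rules
    )


def entry_to_cli(entry):
    """CLI lines that configure one entry.

    Keyword names for the per-protocol disable commands are assumed to
    follow the 'ssh disable' / 'snmp disable' pattern shown on this page.
    """
    i = entry["index"]
    net = entry["network"]
    lines = [
        f"network management access add {i}",
        f"network management access modify {i} ip {net.network_address}",
        f"network management access modify {i} mask {net.prefixlen}",
    ]
    lines += [
        f"network management access modify {i} {proto} disable"
        for proto, enabled in entry["protocols"].items() if not enabled
    ]
    return lines


if __name__ == "__main__":
    for entry in RULES:
        print("\n".join(entry_to_cli(entry)))
    for src, proto in (("192.168.1.42", "https"), ("192.168.1.42", "ssh"),
                       ("109.237.176.7", "ssh"), ("10.0.0.5", "https")):
        print(src, proto, "->", management_access_allowed(src, proto))
```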
The device allows you to automatically terminate the session upon inactivity of the logged-on user. The
session timeout is the period of inactivity after the last user action.
You can specify a session timeout for the following applications:
CLI sessions using an SSH connection
CLI sessions using a Telnet connection
CLI sessions using a V.24 connection
Graphical user interface
The device checks the data packets to be forwarded in accordance with defined rules. Data packets to
which the rules apply are either forwarded by the device or blocked. When data packets do not
correspond to any of the rules, the device blocks the packets.
Routing ports to which no rules are assigned allow packets to pass. As soon as a rule is assigned, the
assigned rules are processed first. After that, the specified standard action of the device takes effect.
The device provides the following functions for controlling the data stream:
Service request control (Denial of Service, DoS)
Denying access to devices based on their IP or MAC address (Access Control List)
The device observes and monitors the data stream. The device takes the results of the observation and
the monitoring and combines them with the rules for the network security to create what is known as a
status table. Based on this status table, the device decides whether to accept, drop or reject data.
The data packets go through the filter functions of the device in the following sequence:
DoS … if permit or accept, then progress to the next rule
ACL … if permit or accept, then progress to the next rule
With this function, the device supports you in protecting against invalid or falsified data packets aimed
at causing the failure of certain services or devices. You have the option of specifying filters in order to
restrict the data stream for protection against denial-of-service attacks. The activated filters check incoming
data packets and discard them as soon as a match with the filter criteria is found.
The Network Security > DoS > Global dialog contains 2 frames in which you activate different filters.
To activate them, mark the corresponding checkboxes.
In the TCP/UDP frame, you activate up to 4 filters that influence TCP and UDP packets exclusively. Using
these filters, you block port scans, which attackers use to try to identify devices and the services they
offer. The filters operate as follows:
Filter                          Action
Activate Null Scan Filter       The device detects and discards TCP packets for which no TCP flags are set.
Activate Xmas Filter            The device detects and discards TCP packets for which the TCP flags FIN, URG and PUSH are simultaneously set.
Activate SYN/FIN Filter         The device detects and discards TCP packets for which the TCP flags SYN and FIN are simultaneously set.
Activate Minimal Header Filter  The device detects and discards TCP packets for which the TCP header is too short.
Table 7: DoS filters for TCP packets
The ICMP frame offers you 2 filter options for ICMP packets. Fragmentation of incoming ICMP packets
is a sign of an attack. When you activate this filter, the device detects fragmented ICMP packets and
discards them. Using the Allowed packet size [byte] parameter, you can also specify the maximum
permissible size of the payload of the ICMP packets. The device discards data packets that exceed this
byte specification.
Note: You can combine the filters in any way in the Network Security > DoS > Global dialog. When
several filters are selected, a logical Or applies: The device discards a data packet if the first or second
(or the third, etc.) filter applies to it.
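The filter criteria of Table 7 and of the ICMP frame, applied to raw IPv4 packets, as an added example (not Hirschmann code): the function returns every filter that matches, which is the logical Or described in the note. The threshold for "header too short" (TCP data offset below 20 bytes) and the definition of the ICMP payload (everything after the 8-byte ICMP header) are assumptions of this model; all sample packets are constructed inline.

```python
"""DoS filter checks from the Network Security > DoS > Global dialog.

Added example (not Hirschmann code): classifies raw IPv4 packets with the
same criteria as the Null Scan, Xmas, SYN/FIN and Minimal Header filters
for TCP and the fragment and packet-size filters for ICMP. Assumptions:
"header too short" means a TCP data offset below 20 bytes, and the ICMP
payload is everything after the 8-byte ICMP header.
"""
import struct

TCP_FIN, TCP_SYN, TCP_PSH, TCP_URG = 0x01, 0x02, 0x08, 0x20
TCP_FLAG_MASK = 0x3F                     # FIN SYN RST PSH ACK URG
XMAS_FLAGS = TCP_FIN | TCP_URG | TCP_PSH
SYNFIN_FLAGS = TCP_SYN | TCP_FIN
PROTO_ICMP, PROTO_TCP = 1, 6


def dos_filter_matches(packet, icmp_max_payload=None):
    """Return the names of all DoS filters that would discard 'packet'.

    icmp_max_payload models the 'Allowed packet size [byte]' parameter;
    None means that filter is not activated.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return []                                   # not an IPv4 packet
    ver_ihl, _, _, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    payload = packet[(ver_ihl & 0x0F) * 4:]
    matches = []
    if proto == PROTO_TCP:
        if len(payload) < 14:
            return ["Minimal Header"]               # flags byte not even present
        data_offset = (payload[12] >> 4) * 4
        flags = payload[13] & TCP_FLAG_MASK
        if flags == 0:
            matches.append("Null Scan")
        if (flags & XMAS_FLAGS) == XMAS_FLAGS:
            matches.append("Xmas")
        if (flags & SYNFIN_FLAGS) == SYNFIN_FLAGS:
            matches.append("SYN/FIN")
        if data_offset < 20 or len(payload) < 20:
            matches.append("Minimal Header")
    elif proto == PROTO_ICMP:
        more_fragments = bool(flags_frag & 0x2000)
        fragment_offset = flags_frag & 0x1FFF
        if more_fragments or fragment_offset != 0:
            matches.append("ICMP Fragments")
        if icmp_max_payload is not None and len(payload) - 8 > icmp_max_payload:
            matches.append("ICMP Packet Size")
    return matches


def build_ipv4(proto, payload, frag_offset=0, more_fragments=False):
    """Constructed IPv4 header without options; checksum left at zero."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([10, 0, 1, 13]), bytes([10, 0, 1, 158]))
    return header + payload


def build_tcp(flags, data_offset_words=5):
    """Constructed 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", 40000, 22, 0, 0,
                       data_offset_words << 4, flags, 1024, 0, 0)


def build_icmp_echo(payload_len):
    """Constructed ICMP echo request (type 8) with payload_len data bytes."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * payload_len


# Constructed samples: one per filter, plus packets no filter should match.
SAMPLES = {
    "null_scan": build_ipv4(PROTO_TCP, build_tcp(0)),
    "xmas": build_ipv4(PROTO_TCP, build_tcp(TCP_FIN | TCP_PSH | TCP_URG)),
    "syn_fin": build_ipv4(PROTO_TCP, build_tcp(TCP_SYN | TCP_FIN)),
    "short_header": build_ipv4(PROTO_TCP, build_tcp(TCP_SYN, data_offset_words=3)),
    "plain_syn": build_ipv4(PROTO_TCP, build_tcp(TCP_SYN)),
    "icmp_fragment": build_ipv4(PROTO_ICMP, build_icmp_echo(32), frag_offset=185),
    "icmp_large": build_ipv4(PROTO_ICMP, build_icmp_echo(1400)),
    "icmp_small": build_ipv4(PROTO_ICMP, build_icmp_echo(56)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14} -> {dos_filter_matches(pkt, icmp_max_payload=1024)}")
```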
8.2 ACL
In this menu you can enter the settings for the Access Control Lists (ACLs).
The device uses access control lists to filter data packets coming in on individual or multiple ports or on
VLANs. In the respective ACL, you create rules that the device uses to carry out filtering. When such a
rule applies to a packet, the device applies the actions defined in the rule to the packet. The following
actions are available:
allow (permit)
discard (deny)
redirect to a certain port (see Redirection port field)
mirror (see Mirror port field)
You can filter incoming data packets according to the following criteria:
The assignment of IP ACLs and MAC ACLs to ports and VLANs results in the following different types
of ACLs:
When you assign both an IP ACL and MAC ACL to the same interface, the device filters the traffic using
the IP ACL first. To filter the traffic using the MAC ACL, create a permit all statement at the end of
the IP ACL.
Within an ACL type, the device processes the rules in order, with the index of the respective rule
determining that order. You thus specify the priority of a rule using the index or sequence number
when you assign an ACL to a port or VLAN. The following generally applies: the lower the sequence
number, the higher the priority. When processing the rules, the device processes the rule with the
higher priority first.
When several ACL types contain rules that apply to a data packet, the priority of the ACL type decides
which rule the device applies first. Note that the priority of an ACL type is independent of the index or
sequence number of a rule. It is generally true that IP ACLs have a higher priority than MAC ACLs. The
device thus gives preference to IP ACLs over MAC ACLs.
You can create up to 128 MAC ACLs and up to 128 IP ACLs. Each ACL can contain up to 239 rules,
with the device allowing a maximum number of 956 rules regardless of the ACL type. This corresponds
to four completely filled ACLs with 239 rules each.
You can assign a maximum of 239 rules to a single port, irrespective of the ACL type used.
This means you can simultaneously assign a maximum of 128 MAC ACLs and 128 IP ACLs to a single
port.
You can assign a maximum of 176 rules to a single VLAN, regardless of the ACL type used.
Note: You can assign a single ACL to any number of ports or VLANs.
Note: If you activate the Packet fragmented function for a rule, then the device processes IPv4
fragments with a fragment offset unequal to zero in accordance with the rule. That is, the device processes
every IPv4 fragment except for the initial IPv4 fragment.
If you assign one or several ACLs to a port or VLAN, the device processes the ACLs corresponding to
their priority when traffic comes in on an interface. If none of the rules contained in the ACLs match an
incoming data packet, the implicit deny rule applies. As a result, the device drops incoming data packets.
Keep in mind that the device directly implements the implicit deny rule.
The ACL menu contains the following dialogs:
ACL IPv4 Rule
ACL MAC Rule
ACL Assignment
In these dialogs you can designate the rules for the various ACL types, configure them, and provide
them with the required priorities. You also take care of the assignment of the rules to certain ports or
VLANs here.
Note: The device allows you to use wildcards with the Source IP address and Destination IP
address parameters. If you enter, for example, 192.168.?.?, the device admits addresses the first two
octets of which start with 192.168.
Note: The prerequisite for changing the values in the Source TCP/UDP port and Destination TCP/
UDP port column is that you specify the value tcp or udp in the Protocol column.
Note: The prerequisite for changing the value in the Redirection port and Mirror port column is
that you specify the value permit in the Action column.
[Figure: example network for the ACL commands below: A, B, C and D on Port 1 to Port 4; IP: 10.0.1.158/24, IP: 10.0.1.159/24]
ip acl rule add 1 2 permit src any any dst any any  Adds a rule to position 2 of the IP ACL with the ID 1 admitting IP data packets.
show acl ip rules 1  Displays the rules of the IP ACL with the ID 1.
ip acl add 2 filter2  Adds an IP ACL with the ID 2 and the name filter2.
ip acl rule add 2 1 deny src 10.0.1.13 0.0.0.0 dst 10.0.1.158 0.0.0.0  Adds a rule to position 1 of the IP ACL with the ID 2 denying IP data packets from 10.0.1.13 to 10.0.1.158.
ip acl rule add 2 2 permit src any any dst any any  Adds a rule to position 2 of the IP ACL with the ID 2 admitting IP data packets.
show acl ip rules 2  Displays the rules of the IP ACL with the ID 2.
interface 1/1  Change to the interface configuration mode of interface 1/1.
acl ip assign 1 in 1  Assigns the IP ACL with the ID 1 to incoming data packets (in) on interface 1/1, with a priority of 1 (highest priority).
exit  Leaves the interface mode.
interface 1/3  Change to the interface configuration mode of interface 1/3.
acl ip assign 2 in 1  Assigns the IP ACL with the ID 2 to incoming data packets (in) on interface 1/3, with a priority of 1 (highest priority).
exit  Leaves the interface mode.
show acl ip assignment 1  Displays the assignment of the IP ACL with ID 1.
show acl ip assignment 2  Displays the assignment of the IP ACL with ID 2.
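How the rules of IP ACL 2 above are processed (index order, first match decides, implicit deny), as an added example that is not Hirschmann code: it parses the "ip acl rule add" commands in the form used on this page and evaluates source/destination pairs against them. Reading the mask after each address as a wildcard mask (0.0.0.0 = exact host) is an assumption of this model.

```python
"""IPv4 ACL rule evaluation, following the processing order described above.

Added example (not Hirschmann code): parses 'ip acl rule add' commands in
the form used on this page into rules, then evaluates a source/destination
pair against one ACL: rules are tried in index order, the first match
decides, and a packet matching no rule hits the implicit deny. The mask
after each address is treated as a wildcard mask (set bit = don't care,
so 0.0.0.0 means the exact host); that interpretation is an assumption.
"""
from ipaddress import IPv4Address


def parse_rule_command(cmd):
    """Parse 'ip acl rule add <acl> <idx> <permit|deny> src <ip> <wc> dst <ip> <wc>'.

    'any any' in place of '<ip> <wc>' matches every address.
    Returns (acl_id, (index, action, src_spec, dst_spec)).
    """
    tok = cmd.split()
    if tok[:4] != ["ip", "acl", "rule", "add"] or len(tok) != 13:
        raise ValueError(f"unsupported command: {cmd!r}")
    acl_id, index, action = int(tok[4]), int(tok[5]), tok[6]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {action!r}")
    specs = {}
    for key, pos in (("src", 7), ("dst", 10)):
        if tok[pos] != key:
            raise ValueError(f"expected {key!r} at token {pos}")
        value, mask = tok[pos + 1], tok[pos + 2]
        specs[key] = "any" if value == "any" else (value, mask)
    return acl_id, (index, action, specs["src"], specs["dst"])


def _matches(addr, spec):
    """Match an address against 'any' or a (network, wildcard) pair."""
    if spec == "any":
        return True
    net, wildcard = spec
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF   # bits that must be equal
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(net)) & care)


def evaluate_acl(rules, src, dst):
    """Return (action, index) of the first matching rule, ('deny', None) if none."""
    for index, action, src_spec, dst_spec in sorted(rules, key=lambda r: r[0]):
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action, index
    return "deny", None                               # implicit deny rule


def load_acls(commands):
    """Group parsed rules by ACL ID."""
    acls = {}
    for cmd in commands:
        acl_id, rule = parse_rule_command(cmd)
        acls.setdefault(acl_id, []).append(rule)
    return acls


# The rule commands for ACL 2 as given on this page.
PAGE_COMMANDS = [
    "ip acl rule add 2 1 deny src 10.0.1.13 0.0.0.0 dst 10.0.1.158 0.0.0.0",
    "ip acl rule add 2 2 permit src any any dst any any",
]
ACLS = load_acls(PAGE_COMMANDS)

if __name__ == "__main__":
    for src, dst in (("10.0.1.13", "10.0.1.158"), ("10.0.1.13", "10.0.1.159"),
                     ("10.0.1.20", "10.0.1.158")):
        print(src, "->", dst, evaluate_acl(ACLS[2], src, dst))
```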
Note: In the Source MAC address and Destination MAC address fields you can use wildcards in the
FF:??:??:??:??:?? or ??:??:??:??:00:01 form. Use capital letters here.
The MAC authorized bypass function allows clients that do not support 802.1X, such as printers and
fax machines, to authenticate to the network using their MAC address. The device allows you to specify
the format of the MAC address used to authenticate the clients on the RADIUS server.
Example:
Split the MAC address into 6 groups of 2 characters. Use uppercase letters and a colon character as
separator: AA:BB:CC:DD:EE:FF
Use the password xY-45uM_e.
Perform the following steps:
Open the Network Security > 802.1X Port Authentication > Global dialog.
You perform the following steps in the MAC authentication bypass format options frame.
In the Group size drop-down list, select the value 2.
The device splits the MAC address into 6 groups of 2 characters.
In the Group separator drop-down list, select the : character.
In the Upper or lower case drop-down list, select the value upper-case.
In the Password field, enter the password xY-45uM_e.
The device uses this password for every client that authenticates to the RADIUS server. If you
leave the field empty, then the device uses the formatted MAC address also as the password.
To temporarily save the settings, click the button.
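The user name and password the device derives from a client MAC address under the format options above, as an added example (not Hirschmann code), together with a matching FreeRADIUS-style users file line for preparing the RADIUS side. The set of group sizes and the users-file target format are assumptions of this model; the fallback of an empty password to the formatted MAC address is from the page.

```python
"""Client identity for MAC authorized bypass, built from the format options.

Added example (not Hirschmann code): reproduces the user name and password
the device derives from a client's MAC address under the MAC authentication
bypass format options (group size, group separator, upper or lower case,
password) and writes a FreeRADIUS-style users file line. The allowed group
sizes (1, 2, 4, 6, 12) and the users-file target are assumptions of this
model; an empty password falling back to the formatted MAC is from the page.
"""
import re

ALLOWED_GROUP_SIZES = (1, 2, 4, 6, 12)   # assumed set of dialog values


def format_mab_mac(mac, group_size=2, separator=":", upper=True):
    """Normalise any common MAC notation into the configured group format."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if group_size not in ALLOWED_GROUP_SIZES:
        raise ValueError(f"unsupported group size {group_size}")
    groups = [digits[i:i + group_size] for i in range(0, 12, group_size)]
    formatted = separator.join(groups)
    return formatted.upper() if upper else formatted.lower()


def mab_credentials(mac, group_size=2, separator=":", upper=True, password=""):
    """Return (user_name, password) as the device sends them to the RADIUS server."""
    user = format_mab_mac(mac, group_size, separator, upper)
    return user, (password if password else user)   # empty password -> formatted MAC


def radius_users_line(mac, **format_options):
    """FreeRADIUS 'users' file entry for the client (assumed target format)."""
    user, password = mab_credentials(mac, **format_options)
    return f'{user}\tCleartext-Password := "{password}"'


if __name__ == "__main__":
    # The settings of the example above: groups of 2, ':' separator, upper case.
    print(radius_users_line("aa-bb-cc-dd-ee-ff", password="xY-45uM_e"))
    print(radius_users_line("aa-bb-cc-dd-ee-ff"))   # password left empty
```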
Many applications rely on a time that is as correct as possible. The necessary accuracy, and thus the
allowable deviation from the actual time, depends on the application area.
The device offers the following options for synchronizing the time on the network:
The Simple Network Time Protocol (SNTP) is a simple solution for low accuracy requirements. Under
ideal conditions, SNTP achieves an accuracy in the millisecond range. The accuracy depends on the
signal delay.
IEEE 1588 with the Precision Time Protocol (PTP) achieves accuracies on the order of fractions of
microseconds. This method is suitable even for demanding applications up to and including process
control.
PTP is always the better choice if the involved devices support this protocol. PTP is more accurate, has
advanced methods of error correction, and causes a low network load. The implementation of PTP is
comparatively easy.
Note: According to the PTP and SNTP standards, both protocols function in parallel in the same
network. However, since both protocols influence the system time of the device, situations may occur
in which the two protocols conflict with each other.
In the Time > Basic Settings dialog, you specify general settings for the time.
In order to cause the device to apply the time of your PC to the System time field, click the
Set time from PC button.
Based on the value in the Local offset [min] field, the device calculates the time in the
System time (UTC) field: The System time (UTC) comes from the System time minus the
Local offset [min] value and a possible shift due to daylight saving time.
The Time source field displays the origin of the time data. The device automatically selects
the source with the greatest accuracy.
The source is initially local.
If SNTP is active and if the device receives a valid SNTP packet, the device sets its time
source to sntp.
If PTP is active and if the device receives a valid PTP message, the device sets its time source
to ptp. The device prioritizes PTP ahead of SNTP.
The Local offset [min] value specifies the time difference between the local time and the
System time (UTC).
In order to cause the device to determine the time zone on your PC, click the Set time from
PC button. The device calculates the local time difference from UTC and enters the difference
into the Local offset [min] field.
Note: The device provides the option to obtain the local offset from a DHCP server.
9.2 SNTP
The Simple Network Time Protocol (SNTP) allows you to synchronize the system time in your network.
The device supports the SNTP client and the SNTP server function.
The SNTP server makes the UTC (Universal Time Coordinated) available. UTC is the coordinated
world time reference. UTC is the same worldwide and ignores local time shifts.
SNTP is a simplified version of NTP (Network Time Protocol). The data packets of SNTP and NTP are
identical. Accordingly, both NTP and SNTP servers serve as a time source for SNTP clients.
Note: Statements in this chapter relating to external SNTP servers also apply to NTP servers.
SNTP knows the following operation modes for the transmission of time:
Unicast
In Unicast operation mode, an SNTP client sends requests to an SNTP server and expects a
response from this server.
Broadcast
In Broadcast operation mode, an SNTP server sends SNTP messages to the network in specified
intervals. SNTP clients receive these SNTP messages and evaluate them.
IP destination address   Send SNTP packets to
0.0.0.0                  Nobody
224.0.1.1                Multicast address for SNTP messages
255.255.255.255          Broadcast address
Table 8: Target address classes for Broadcast operation mode
Note: An SNTP server in Broadcast operation mode also responds to direct requests using Unicast from
SNTP clients. In contrast, SNTP clients work in either Unicast or Broadcast operation mode.
9.2.1 Preparation
Perform the following steps:
To get an overview of how the time is passed on, draw a network plan with the devices participating
in SNTP.
When planning, bear in mind that the accuracy of the time depends on the delays of the SNTP
messages. To minimize delays and their variance, place an SNTP server in each network segment.
Each of these SNTP servers synchronizes its own system time as an SNTP client with its parent
SNTP server (SNTP cascade). The highest SNTP server in the SNTP cascade has the most direct
access to a reference time source.
[Figure: SNTP cascade with a GPS reference time source, SNTP servers and SNTP clients on two switches (192.168.1.1, 192.168.1.11, 192.168.1.12) and a PLC]
Note: For precise time distribution, between SNTP servers and SNTP clients you preferably use
network components (routers and switches) that forward the SNTP packets with a low and uniform
transmission time (latency).
An SNTP client sends its requests to up to 4 configured SNTP servers. If there is no response from
the 1st SNTP server, the SNTP client sends its requests to the 2nd SNTP server. If this request is
also unsuccessful, it sends the request to the 3rd and finally the 4th SNTP server. If none of these
SNTP servers responds, the SNTP client loses its synchronization. The SNTP client periodically
sends requests to each SNTP server until a server delivers a valid time.
Note: The device provides the option of obtaining a list of SNTP server IP addresses from a DHCP
server.
If no reference time source is available to you, determine a device with an SNTP server as a
reference time source. Adjust its system time at regular intervals.
To enable the Broadcast operation mode, select the Broadcast admin mode radio button in
the Configuration frame.
In Broadcast operation mode, the SNTP server sends SNTP messages to the network in
specified intervals. The SNTP server also responds to the requests from SNTP clients in
Unicast operation mode.
In the Broadcast destination address field, you set the IP address to which the SNTP server sends the
SNTP packets. Set a Broadcast address or a Multicast address.
In the Broadcast UDP port field, you specify the number of the UDP port to which the SNTP server sends
the SNTP packets in Broadcast operation mode.
In the Broadcast VLAN ID field, you specify the ID of the VLAN to which the SNTP server sends the SNTP
packets in Broadcast operation mode.
In the Broadcast send interval [s] field, you enter the time interval at which the SNTP server of the device
sends SNTP Broadcast packets.
9.3 PTP
In order for LAN-controlled applications to work without latency, precise time management is required.
With PTP (Precision Time Protocol), IEEE 1588 describes a method that enables precise
synchronization of clocks in the network.
PTP enables synchronization with an accuracy of a few 100 ns. PTP uses Multicasts for the
synchronization messages, which keeps the network load low.
Boundary clock
The transmission time (latency) in routers and switches has a measurable effect on the precision of
the time transmission. To correct such inaccuracies, PTP defines what are known as boundary
clocks.
In a network segment, a boundary clock is the reference time source (master clock) to which the
subordinate slave clocks synchronize. Typically routers and switches take on the role of boundary
clock.
The boundary clock in turn obtains the time from a higher-level reference time source (Grandmaster).
[Figure: PTP clock roles: GPS reference (Grandmaster Clock), Boundary Clock, Ordinary Clock (Slave, Master), PLC]
Transparent Clock
Switches typically take on the Transparent Clock role to enable high accuracy across the cascades.
The Transparent Clock is a Slave clock that corrects its own transmission time when it forwards
received synchronization messages.
Ordinary Clock
PTP designates the clock in an end device as an “Ordinary Clock”. An Ordinary Clock functions either
as a master clock or as a slave clock.
[Figure: Switch as Boundary Clock between PTP Subdomain 1 and PTP Subdomain 2]
The device features a number of functions that reduce the network load:
Direct packet distribution
Multicasts
Rate limiter
Prioritization - QoS
Differentiated services
Flow control
The device reduces the network load with direct packet distribution.
On each of its ports, the device learns the sender MAC address of received data packets. The device
stores the combination “port and MAC address” in its MAC address table (FDB).
By applying the “Store and Forward” method, the device buffers data received and checks it for validity
before forwarding it. The device rejects invalid and defective data packets.
10.2 Multicasts
By default, the device floods data packets with a Multicast address, that is, the device forwards the data
packets to all ports. This leads to an increased network load.
The use of IGMP snooping can reduce the network load caused by Multicast data traffic. IGMP snooping
allows the device to send Multicast data packets only on those ports to which devices “interested” in
multicast are connected.
If several IGMP Multicast routers are in the same network, then the device with the smaller IP address
takes over the query function. If there are no Multicast routers on the network, then you have the option
to enable the query function in an appropriately equipped switch.
A switch that connects one Multicast receiver with a Multicast router analyzes the IGMP information with
the IGMP snooping method.
The IGMP snooping method also makes it possible for switches to use the IGMP function. A switch
stores the MAC addresses derived from IP addresses of the Multicast receivers as recognized Multicast
addresses in its MAC address table (FDB). In addition, the switch identifies the ports on which it has
received reports for a specific Multicast address. In this way the switch transmits Multicast packets
exclusively on ports to which Multicast receivers are connected. The other ports do not receive these
packets.
A special feature of the device is the possibility of determining the processing of data packets with
unknown Multicast addresses. Depending on the setting, the device discards these data packets or
forwards them to all ports. By default, the device transmits the data packets only to ports with connected
devices, which in turn receive query packets. You also have the option of additionally sending known
Multicast packets to query ports.
Prerequisite:
The IGMP Snooping function is enabled globally.
Configure Multicasts
The device allows you to configure the exchange of Multicast data packets. The device provides
different options depending on whether the data packets are to be sent to unknown or known
Multicast receivers.
The settings for unknown Multicast addresses are global for the entire device. The following options
can be selected:
The device discards unknown Multicasts.
The device sends unknown Multicasts on every port.
The device sends unknown Multicasts exclusively on ports that have previously received query
messages (query ports).
Note: The exchange settings for unknown Multicast addresses also apply to the reserved IP
addresses from the “Local Network Control Block” (224.0.0.0..224.0.0.255). This behavior may
affect higher-level routing protocols.
For each VLAN, you specify the sending of Multicast packets to known Multicast addresses
individually. The following options can be selected:
The device sends known Multicasts on the ports that have previously received query messages
(query ports) and to the registered ports. Registered ports are ports with Multicast receivers
registered with the corresponding Multicast group. This option ensures that the transfer works with
basic applications without further configuration.
The device sends out known Multicasts only on the registered ports. The advantage of this setting
is that it uses the available bandwidth optimally through direct distribution.
Prerequisite:
The IGMP Snooping function is enabled globally.
The rate limiter function allows you to limit the data traffic on the ports in order to ensure stable operation
even when there is a high level of traffic. The rate limitation is performed individually for each port, as
well as separately for inbound and outbound traffic.
If the data rate on a port exceeds the defined limit, the device discards the overload on this port.
Rate limitation occurs entirely on Layer 2. In the process, the rate limiter function ignores protocol
information on higher levels such as IP or TCP. This may affect the TCP traffic.
To minimize these effects, use the following options:
Limit the rate limitation to certain packet types, for example, Broadcasts, Multicasts, and Unicasts
with an unknown destination address.
Limit the outbound data traffic instead of the inbound traffic. The outbound rate limitation works better
with TCP flow control due to device-internal buffering of the data packets.
Increase the aging time for learned Unicast addresses.
10.4 QoS/Priority
QoS (Quality of Service) is a procedure defined in IEEE 802.1D which is used to distribute resources in
the network. QoS allows you to prioritize the data of important applications.
Prioritizing prevents data traffic with lower priority from interfering with delay-sensitive data traffic,
especially when there is a heavy network load. Delay-sensitive data traffic includes, for example, voice,
video, and real-time data.
The device offers the following options for evaluating this priority information:
trustDot1p
The device assigns VLAN-tagged data packets to the different traffic classes according to their VLAN
priorities. The corresponding allocation is configurable. The device assigns the priority of the
receiving port to data packets it receives without a VLAN tag.
trustIpDscp
The device assigns the IP packets to the different traffic classes according to the DSCP value in the
IP header, even if the packet was also VLAN-tagged. The corresponding allocation is configurable.
The device prioritizes non-IP packets according to the priority of the receiving port.
untrusted
The device ignores the priority information in the data packets and assigns the priority of the receiving
port to them.
[Figure: Ethernet frame with VLAN tag; field lengths 7, 1, 6, 6, 4, 2, 42-1500 and 4 octets]
For data packets with VLAN tags, the device evaluates the following information:
Priority information
VLAN tagging, if VLANs are configured
[Figure: VLAN tag, 4 octets: Tag Protocol Identifier 0x8100 (2 octets), User Priority (3 bits), Canonical Format Identifier (1 bit), VLAN Identifier (12 bits)]
Data packets with VLAN tags containing priority information but no VLAN information (VLAN ID = 0), are
known as Priority Tagged Frames.
Note: Network protocols and redundancy mechanisms use the highest traffic class 7. Therefore, select
other traffic classes for application data.
When using VLAN prioritizing, consider the following special features:
End-to-end prioritizing requires the VLAN tags to be transmitted to the entire network. The
prerequisite is that every network component is VLAN-capable.
Routers are not able to send and receive packets with VLAN tags through port-based router
interfaces.
The reserved values range from 0% through 100% of the available bandwidth, in steps of 1%.
A reservation of 0 is equivalent to a "no bandwidth" setting.
The sum of the individual bandwidths may add up to 100%.
If you assign Weighted Fair Queuing to every traffic class, the entire bandwidth of the corresponding
port is available to you.
When you combine Weighted Fair Queuing with Strict Priority, a high Strict Priority network load can
significantly reduce the bandwidth available for Weighted Fair Queuing.
Queue Shaping
Queue Shaping throttles the rate at which queues transmit packets. For example, using Queue
Shaping, you rate-limit a higher strict-priority queue so that it allows a lower strict-priority queue to
send packets even though higher priority packets are still available for transmission. The device
allows you to set up Queue Shaping for any queue. You specify Queue Shaping as the maximum rate
at which traffic passes through a queue by assigning a percentage of the available bandwidth.
IPv4 Network
------------
...
Management VLAN priority....................7
...
IPv4 Network
------------
...
Management IP-DSCP value....................56
RFC 2474 defines the “Differentiated Services” field in the IP header. This field is also called “DiffServ
Codepoint” or DSCP. The DSCP field is used for classification of packets into different quality classes.
The DSCP field replaces the ToS field. The first 3 bits of the DSCP field are used to divide the packets
into classes. The next 3 bits are used to further subdivide the classes on the basis of different criteria.
This results in up to 64 different service classes.
[Figure: DS field, bits 0 to 7: Differentiated Services Codepoint (DSCP, RFC 2474) in bits 0 to 5, with the Class Selector Codepoints in bits 0 to 2; Explicit Congestion Notification (ECN) in bits 6 to 7]
The different DSCP values cause the device to apply a different forwarding behavior, known as
Per Hop Behavior (PHB). The following PHB classes are defined:
Class Selector (CS0–CS7)
For backward compatibility, the Class Selector PHB assigns the 7 possible IP precedence values
from the previous ToS field to specific DSCP values.
Expedited Forwarding (EF)
For applications with high priority. The Expedited Forwarding PHB reduces delays (latency), jitter,
and packet loss (RFC 2598).
Assured Forwarding (AF)
The Assured Forwarding PHB provides a differentiated schema for handling different data traffic
(RFC 2597).
Default Forwarding/Best Effort
This PHB means that no specific prioritization is applied.
ToS Meaning            Precedence Value   Assigned DSCP
Network Control        111                CS7 (111000)
Internetwork Control   110                CS6 (110000)
Critical               101                CS5 (101000)
Flash Override         100                CS4 (100000)
Flash                  011                CS3 (011000)
Immediate              010                CS2 (010000)
Priority               001                CS1 (001000)
Routine                000                CS0 (000000)
Table 13: Assigning the IP precedence values to the DSCP value
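The priority information the device evaluates, read from a frame: the VLAN tag's user priority and VLAN ID (including the priority-tagged case VLAN ID = 0), the DSCP and ECN bits of the DS field, the PHB naming of Table 13, and the priority that results under trustDot1p, trustIpDscp and untrusted. This is an added example, not Hirschmann code; the default DSCP-to-class mapping (the three class selector bits) and the sample MAC addresses are constructed, since the device's own mapping table is configurable and not reproduced here.

```python
"""Priority evaluation of a received frame under the three trust modes.

Added example (not Hirschmann code): reads the 802.1Q user priority (3 bits)
and VLAN ID (12 bits) of an Ethernet frame and the DSCP/ECN bits of an IPv4
header, names the DSCP's per-hop behaviour (CS0..CS7, EF, AFxy after
RFC 2474/2597/2598) and decides which priority the device would use for
trustDot1p, trustIpDscp and untrusted. The default DSCP-to-class mapping
(DSCP >> 3, the class selector bits) is constructed, not the device's table.
"""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
TRUST_MODES = ("trustDot1p", "trustIpDscp", "untrusted")


def parse_frame(frame):
    """Extract 802.1Q priority/VLAN ID and IPv4 DSCP/ECN; None when absent."""
    info = {"pcp": None, "vid": None, "priority_tagged": False,
            "dscp": None, "ecn": None}
    if len(frame) < 14:
        return info
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pos = 14
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
        tci = struct.unpack("!H", frame[14:16])[0]
        info["pcp"] = tci >> 13                   # user priority, 3 bits
        info["vid"] = tci & 0x0FFF                # VLAN identifier, 12 bits
        info["priority_tagged"] = info["vid"] == 0
        ethertype = struct.unpack("!H", frame[16:18])[0]
        pos = 18
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= pos + 20:
        tos = frame[pos + 1]                      # second octet of the IPv4 header
        info["dscp"] = tos >> 2                   # DS field bits 0..5
        info["ecn"] = tos & 0x03                  # DS field bits 6..7
    return info


def phb_name(dscp):
    """Name the per-hop behaviour of a standard DSCP value."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 46:
        return "EF"
    cls, low = dscp >> 3, dscp & 0x07
    if low == 0:
        return f"CS{cls}"                         # CS0 = Default Forwarding / Best Effort
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low >> 1}"               # AF class and drop precedence
    return "unassigned"


def precedence_to_dscp(precedence):
    """Table 13: IP precedence n (0..7) maps to class selector CSn = n << 3."""
    return precedence << 3


def received_priority(frame, trust_mode, port_priority, dscp_map=None):
    """Priority the device assigns to the frame under the given trust mode."""
    if trust_mode not in TRUST_MODES:
        raise ValueError(f"unknown trust mode {trust_mode!r}")
    info = parse_frame(frame)
    if trust_mode == "trustDot1p" and info["pcp"] is not None:
        return info["pcp"]
    if trust_mode == "trustIpDscp" and info["dscp"] is not None:
        return (dscp_map or (lambda d: d >> 3))(info["dscp"])
    return port_priority                          # untagged, non-IP or untrusted


def build_frame(pcp=None, vid=0, dscp=0, ecn=0):
    """Constructed frame: Ethernet header, optional 802.1Q tag, bare IPv4 header."""
    header = bytes.fromhex("01005e000001") + bytes.fromhex("0000000000a1")  # constructed MACs
    tag = b""
    if pcp is not None:
        tag = struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | (vid & 0x0FFF))
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 20, 0, 0,
                       64, 17, 0, bytes(4), bytes(4))
    return header + tag + struct.pack("!H", ETHERTYPE_IPV4) + ipv4


if __name__ == "__main__":
    for name, frame in (("priority-tagged EF", build_frame(pcp=5, vid=0, dscp=46)),
                        ("untagged CS7", build_frame(dscp=56))):
        info = parse_frame(frame)
        print(name, info, phb_name(info["dscp"]),
              [received_priority(frame, mode, 3) for mode in TRUST_MODES])
```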
If a large number of data packets are received in the priority queue of a port at the same time, this can
cause the port memory to overflow. This happens, for example, when the device receives data on a
Gigabit port and forwards it to a port with a lower bandwidth. The device discards surplus data packets.
The flow control mechanism described in standard IEEE 802.3 ensures that no data packets are lost
due to a port memory overflowing. Shortly before a port memory is completely full, the device signals to
the connected devices that it is not accepting any more data packets from them.
In full-duplex mode, the device sends a pause data packet.
In half-duplex mode, the device simulates a collision.
The following figure displays how flow control works. Workstations 1, 2, and 3 want to simultaneously
transmit a large amount of data to Workstation 4. The combined bandwidth of Workstations 1, 2, and 3
is greater than the bandwidth of Workstation 4. This causes an overflow on the receive queue of port 4.
The left funnel symbolizes this status.
If the flow control function on ports 1, 2 and 3 of the device is enabled, the device reacts before the
funnel overflows. The funnel on the right illustrates ports 1, 2 and 3 sending a message to the
transmitting devices to control the transmission speed. As a result, the receiving port is no longer
overwhelmed and is able to process the incoming traffic.
[Figure: flow control; Workstations 1, 2 and 3 on ports 1, 2 and 3 of the switch transmit to Workstation 4 on port 4]
11 VLANs
In the simplest case, a virtual LAN (VLAN) consists of a group of network participants in one network
segment who can communicate with each other as if they belonged to a separate LAN.
More complex VLANs span multiple network segments and are also based on logical (instead
of only physical) connections between network participants. VLANs are an element of flexible network
design. It is easier to reconfigure logical connections centrally than cable connections.
The device supports independent VLAN learning in accordance with the IEEE 802.1Q standard which
defines the VLAN function.
Using VLANs has many benefits. The following list displays the top benefits:
Flexibility
You have the option of forming user groups based on the function of the participants apart from their
physical location or medium.
Clarity
VLANs give networks a clear structure and make maintenance easier.
The following practical examples provide a quick introduction to the structure of a VLAN.
Note: When configuring VLANs you use an interface for management that will remain unchanged. For
this example, you use either interface 1/6 or the V.24 serial connection to configure the VLANs.
11.1.1 Example 1
The example displays a minimal VLAN configuration (port-based VLAN). An administrator has
connected multiple end devices to a transmission device and assigned them to 2 VLANs. This effectively
prohibits any data transmission between the VLANs, whose members communicate only within their
own VLANs.
[Figure: Example 1; end devices A and D in VLAN 2, B and C in VLAN 3, connected to ports 1 to 5 of the switch]
When setting up the VLANs, you create communication rules for every port, which you enter in ingress
(incoming) and egress (outgoing) tables.
The ingress table specifies which VLAN ID a port assigns to the incoming data packets. Hereby, you
use the port address of the end device to assign it to a VLAN.
The egress table specifies on which ports the device sends the packets from this VLAN.
T = Tagged (with a tag field, marked)
U = Untagged (without a tag field, unmarked)
For this example, the status of the TAG field of the data packets has no relevance, so you use the setting
U.
Terminal   Port   Port VLAN identifier (PVID)
A          1      2
B          2      3
C          3      3
D          4      2
           5      1
Table 14: Ingress table
VLAN ID   Port 1   Port 2   Port 3   Port 4   Port 5
1                                             U
2         U                          U
3                  U        U
Table 15: Egress table
11.1.2 Example 2
The second example displays a more complex configuration with 3 VLANs (1 to 3). Along with the
Switch from example 1, you use a 2nd Switch (on the right in the example).
[Figure: Example 2; left switch with end devices A, D (VLAN 2) and B, C (VLAN 3) on ports 1 to 4, right switch with end devices E, G (VLAN 2) and F, H (VLAN 3); the switches are connected via port 5 (left) and port 1 (right) in VLAN 1; an optional management station is shown]
The terminal devices of the individual VLANs (A to H) are spread over 2 transmission devices
(Switches). Such VLANs are therefore known as distributed VLANs. An optional network management
station is also shown, which enables access to every network component if the VLAN is configured
correctly.
Note: In this case, VLAN 1 has no significance for the end device communication, but it is required for
the administration of the transmission devices via what is known as the Management VLAN.
As in the previous example, uniquely assign the ports with their connected terminal devices to a VLAN.
With the direct connection between the 2 transmission devices (uplink), the ports transport packets for
both VLANs. To differentiate these uplinks you use “VLAN tagging”, which handles the data packets
accordingly. Thus, you maintain the assignment to the respective VLANs.
Perform the following steps:
Add Uplink Port 5 to the ingress and egress tables from example 1.
Create new ingress and egress tables for the right switch, as described in the first example.
The egress table specifies on which ports the device sends the packets from this VLAN.
T = Tagged (with a tag field, marked)
U = Untagged (without a tag field, unmarked)
In this example, tagged packets are used in the communication between the transmission devices
(Uplink), as packets for different VLANs are differentiated at these ports.
Terminal   Port   Port VLAN identifier (PVID)
A          1      2
B          2      3
C          3      3
D          4      2
Uplink     5      1
Table 16: Ingress table for device on left
VLAN ID   Port 1   Port 2   Port 3   Port 4   Port 5
1                                             U
2         U                          U        T
3                  U        U                 T
Table 18: Egress table for device on left
VLAN ID   Port 1   Port 2   Port 3   Port 4   Port 5
1         U
2         T        U                 U
3         T                 U                 U
Table 19: Egress table for device on right
The communication relationships here are as follows: end devices on ports 1 and 4 of the left device
and end devices on ports 2 and 4 of the right device are members of VLAN 2 and can thus communicate
with each other. The behavior is the same for the end devices on ports 2 and 3 of the left device and the
end devices on ports 3 and 5 of the right device. These belong to VLAN 3.
The end devices “see” their respective part of the network. Participants outside this VLAN cannot be
reached. The device also sends Broadcast, Multicast, and Unicast packets with unknown (unlearned)
destination addresses exclusively inside a VLAN.
Here, the devices use VLAN tagging (IEEE 802.1Q) within the VLAN with the ID 1 (Uplink). The letter T
in the egress table of the ports indicates VLAN tagging.
The configuration of the example is the same for the device on the right. Proceed in the same way, using
the ingress and egress tables created above to adapt the previously configured left device to the new
environment.
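As an added illustration of Examples 1 and 2 (this is example code, not part of the Hirschmann manual), the following Python simulator applies the ingress and egress tables above to untagged frames and follows them across the uplink. It uses the values of Tables 16, 18 and 19; the ingress table of the right device (Table 17) is not reproduced in the text, so the PVIDs used for the right device are inferred from Table 19 and the communication relationships described above, and the assumption that ingress filtering is enabled on tagged ports is this example's own.

```python
# Added example (not part of the Hirschmann manual): a simulator for the
# ingress/egress tables of Examples 1 and 2. Ingress: untagged frames get the
# port's PVID; egress: the frame is flooded to the VLAN's member ports and
# leaves tagged (T) or untagged (U). The right device's ingress table is not
# reproduced in the text and is inferred here from Table 19.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Frame:
    src_port: int              # port on which the frame enters the device
    vid: Optional[int] = None  # VLAN ID of the 802.1Q tag, None if untagged


@dataclass
class VlanSwitch:
    name: str
    ingress: Dict[int, int]            # port -> PVID (ingress table)
    egress: Dict[int, Dict[int, str]]  # VLAN -> {port: "U" or "T"} (egress table)
    log: list = field(default_factory=list)

    def classify(self, frame):
        """Ingress rule. Assumption of this example: ingress filtering is on,
        so a tagged frame is dropped unless the port is a member of that VLAN."""
        if frame.vid is None:
            return self.ingress[frame.src_port]
        if frame.src_port in self.egress.get(frame.vid, {}):
            return frame.vid
        return None

    def forward(self, frame):
        """Egress rule: flood inside the VLAN to every member port except the
        ingress port. Returns {port: VLAN ID if sent tagged, else None}."""
        vlan = self.classify(frame)
        if vlan is None:
            self.log.append("%s: dropped frame from port %d" % (self.name, frame.src_port))
            return {}
        out = {}
        for port, mode in self.egress[vlan].items():
            if port != frame.src_port:
                out[port] = vlan if mode == "T" else None
        self.log.append("%s: VLAN %d from port %d -> %s" % (self.name, vlan, frame.src_port, out))
        return out


LEFT = VlanSwitch(
    "left",
    ingress={1: 2, 2: 3, 3: 3, 4: 2, 5: 1},                      # Table 16
    egress={1: {5: "U"},                                        # Table 18
            2: {1: "U", 4: "U", 5: "T"},
            3: {2: "U", 3: "U", 5: "T"}},
)
RIGHT = VlanSwitch(
    "right",
    ingress={1: 1, 2: 2, 3: 3, 4: 2, 5: 3},                      # inferred from Table 19
    egress={1: {1: "U"},                                        # Table 19
            2: {1: "T", 2: "U", 4: "U"},
            3: {1: "T", 3: "U", 5: "U"}},
)
# Uplink: port 5 of the left device is cabled to port 1 of the right device.
UPLINK = {("left", 5): (RIGHT, 1), ("right", 1): (LEFT, 5)}


def reach(device, port):
    """Ports reached by an untagged frame entering `device` at `port`, crossing
    the uplink at most once: {(device name, port): VLAN tag or None}."""
    delivered = {}
    for out_port, vid in device.forward(Frame(port)).items():
        key = (device.name, out_port)
        if key in UPLINK:
            peer, peer_port = UPLINK[key]
            for p2, vid2 in peer.forward(Frame(peer_port, vid)).items():
                delivered[(peer.name, p2)] = vid2
        else:
            delivered[key] = vid
    return delivered


if __name__ == "__main__":
    for dev, port in ((LEFT, 1), (LEFT, 2), (RIGHT, 2)):
        print("%s port %d reaches %s" % (dev.name, port, sorted(reach(dev, port))))
```

Running it shows the relationships stated above: a frame from A (left port 1) reaches D, E and G untagged, travels the uplink with a VLAN 2 tag, and never reaches B, C, F or H.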
The guest VLAN function allows a device to provide port-based Network Access Control (IEEE 802.1x)
to non-802.1x capable supplicants. This feature provides a mechanism to allow guests to access
external networks exclusively. When you connect non-802.1x capable supplicants to an active
unauthorized 802.1x port, the supplicants send no responses to 802.1x requests. Since the supplicants
send no responses, the port remains in the unauthorized state. The supplicants have no access to
external networks.
The guest VLAN supplicant function is configured on a per-port basis. When you configure a port as a
guest VLAN and connect non-802.1x capable supplicants to this port, the device assigns the supplicants
to the guest VLAN. Adding supplicants to a guest VLAN causes the port to change to the authorized
state, allowing the supplicants to access external networks.
The Unauthenticated VLAN function allows the device to provide service to 802.1x capable supplicants
which authenticate incorrectly. This function allows the unauthorized supplicants to have access to
limited services. When you configure an unauthenticated VLAN on a port with 802.1x port authentication
and the global operation enabled, the device places the port in an unauthenticated VLAN. When a
802.1x capable supplicant incorrectly authenticates on the port, the device adds the supplicant to the
unauthenticated VLAN. If you also configure a guest VLAN on the port, then non-802.1x capable
supplicants use the guest VLAN.
The reauthentication timer counts down when the port has an unauthenticated VLAN assigned. The
unauthenticated VLAN reauthenticates when the time specified in the Reauthentication period [s]
column expires and supplicants are present on the port. If no supplicants are present, the device places
the port in the configured guest VLAN.
The following example explains how to create a Guest VLAN. Create an Unauthorized VLAN in the
same manner.
The RADIUS VLAN assignment feature allows for a RADIUS VLAN ID attribute to be associated with
an authenticated client. When a client authenticates successfully, and the RADIUS server sends a
VLAN attribute, the device associates the client with the RADIUS assigned VLAN. As a result, the device
adds the physical port as an untagged member to the appropriate VLAN and sets the port VLAN ID
(PVID) with the given value.
Use the Voice VLAN feature to separate voice and data traffic on a port, by VLAN and/or priority. A
primary benefit of using Voice VLAN is to safeguard the sound quality of an IP phone when the data
traffic on the port is high.
The device uses the source MAC address to identify and prioritize the voice data flow. Using a MAC
address to identify devices helps prevent a rogue client from connecting to the same port causing the
voice traffic to deteriorate.
Another benefit of the Voice VLAN feature is that a VoIP phone obtains a VLAN ID or priority information
using LLDP-MED. As a result, the VoIP phone sends voice data as tagged, priority tagged or untagged.
This depends on the Voice VLAN Interface configuration.
The following Voice VLAN interface modes are possible. The first 3 methods segregate and prioritize
voice and data traffic. Traffic segregation results in an increased voice traffic quality during high traffic
periods.
Configuring the port to use the vlan mode allows the device to tag the voice data coming from a
VoIP phone with the user-defined voice VLAN ID. The device assigns regular data to the default port
VLAN ID.
Configuring the port to use the dot1p-priority mode allows the device to tag the data coming from
a VoIP phone with VLAN 0 and the user-defined priority. The device assigns the default priority of the
port to regular data.
Configure both the voice VLAN ID and the priority using the vlan/dot1p-priority mode. In this
mode the VoIP phone sends voice data with the user-defined voice VLAN ID and priority information.
The device assigns the default PVID and priority of the port to regular data.
When configured as untagged, the phone sends untagged packets.
When configured as none, the phone uses its own configuration to send voice traffic.
Use the MAC-based VLAN to forward traffic based on the source MAC address associated with the
VLAN. A MAC-based VLAN defines the filtering criteria for untagged or priority tagged packets.
You specify a MAC-based VLAN filter by assigning a specific source address to a MAC-based VLAN.
The device forwards untagged packets received with the source MAC address on the MAC-based VLAN
ID. The other untagged packets are subject to normal VLAN classification rules.
In an IP subnet-based VLAN, the device forwards traffic based on the source IP address and subnet
mask associated with the VLAN. User-defined filters determine whether a packet belongs to a particular
VLAN.
Use the IP subnet-based VLAN to specify the filtering criteria for untagged or priority tagged packets.
For example, assign a specific subnet address to an IP subnet-based VLAN. When the device receives
untagged packets from the subnet address, it forwards them to the IP subnet-based VLAN. Other
untagged packets are subject to normal VLAN classification rules.
To configure an IP subnet-based VLAN, specify an IP address, a subnet mask and the associated VLAN
ID. In case of multiple matching entries, the device associates the VLAN ID of the entry with the longest
prefix.
In a protocol-based VLAN, the device bridges traffic through specified ports based on the protocol
associated with the VLAN. User-defined packet filters determine whether a packet belongs to a
particular VLAN.
Configure protocol-based VLANs using the value in the Ethertype column as the filtering criteria for
untagged packets. For example, assign a specific protocol to a protocol-based VLAN. When the device
receives untagged packets with the protocol, it forwards them to the protocol-based VLAN. The device
assigns the other untagged packets to the port VLAN ID.
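To make the three classification rules for untagged packets concrete, the following Python example (added here; it is not the device's implementation) classifies a constructed untagged frame by source MAC, by source IP subnet with longest-prefix match, and by Ethertype, falling back to the port VLAN ID. The order in which the three rule types are consulted (MAC, then subnet, then protocol) is an assumption of this example; the manual specifies only the longest-prefix rule among subnet entries.

```python
# Added example (not from the manual): VLAN classification of an untagged frame
# by the MAC-based, IP subnet-based (longest prefix) and protocol-based rules
# described above, with the port VLAN ID as the fallback. The rule order
# MAC > subnet > protocol is this example's assumption; the manual specifies only
# the longest-prefix rule among subnet entries. All table entries are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class UntaggedFrame:
    in_port: int
    src_mac: str
    ethertype: int                # e.g. 0x0800 IPv4, 0x0806 ARP
    src_ip: Optional[str] = None  # None for non-IP frames


class VlanClassifier:
    def __init__(self, pvid):
        self.pvid = dict(pvid)     # port -> PVID
        self.mac_vlans = {}        # source MAC -> VLAN ID
        self.subnet_vlans = []     # (ip_network, VLAN ID)
        self.proto_vlans = {}      # Ethertype -> VLAN ID

    def add_mac(self, mac, vlan):
        self.mac_vlans[mac.lower()] = vlan

    def add_subnet(self, cidr, vlan):
        self.subnet_vlans.append((ipaddress.ip_network(cidr, strict=False), vlan))

    def add_protocol(self, ethertype, vlan):
        self.proto_vlans[ethertype] = vlan

    def classify(self, frame):
        """Return (VLAN ID, name of the rule that matched)."""
        vlan = self.mac_vlans.get(frame.src_mac.lower())
        if vlan is not None:
            return vlan, "mac"
        if frame.src_ip is not None:
            ip = ipaddress.ip_address(frame.src_ip)
            matches = [(net.prefixlen, v) for net, v in self.subnet_vlans if ip in net]
            if matches:
                # several entries may match; the longest prefix wins
                return max(matches)[1], "subnet"
        vlan = self.proto_vlans.get(frame.ethertype)
        if vlan is not None:
            return vlan, "protocol"
        return self.pvid[frame.in_port], "pvid"


# Constructed configuration for a single access port 1 (PVID 1)
CLASSIFIER = VlanClassifier(pvid={1: 1})
CLASSIFIER.add_mac("00:80:63:aa:bb:cc", 10)
CLASSIFIER.add_subnet("10.0.0.0/8", 20)
CLASSIFIER.add_subnet("10.1.0.0/16", 21)
CLASSIFIER.add_protocol(0x0806, 30)   # ARP

if __name__ == "__main__":
    samples = [
        UntaggedFrame(1, "00:80:63:aa:bb:cc", 0x0800, "192.0.2.7"),
        UntaggedFrame(1, "00:80:63:11:22:33", 0x0800, "10.1.2.3"),
        UntaggedFrame(1, "00:80:63:11:22:33", 0x0800, "10.2.2.3"),
        UntaggedFrame(1, "00:80:63:11:22:33", 0x0806),
        UntaggedFrame(1, "00:80:63:11:22:33", 0x0800, "192.0.2.9"),
    ]
    for f in samples:
        print(f, "->", CLASSIFIER.classify(f))
```

The two overlapping subnet entries show the longest-prefix rule: a source in 10.1.0.0/16 lands in VLAN 21 even though 10.0.0.0/8 also matches.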
The VLAN-unaware function defines the operation of the device in a LAN segmented by VLANs. The
device accepts packets and processes them according to its inbound rules. Based on the IEEE 802.1Q
specifications, the function governs how the device processes VLAN tagged packets.
Use the VLAN aware mode to apply the user-defined VLAN topology configured by the network
administrator. The device uses VLAN tagging in combination with the IP or Ethernet address when
forwarding packets. The device processes inbound and outbound packets according to the defined
rules. VLAN configuration is a manual process.
Use the VLAN unaware mode to forward traffic as received, without any modification. The device
transmits tagged packets as tagged when received as tagged, and transmits untagged packets as
untagged when received as untagged. Regardless of VLAN assignment mechanisms, the device assigns
packets to VLAN ID 1 and to a Multicast group, indicating that the packet flood domain is according to
the VLAN.
12 Redundancy
When using Ethernet, an important prerequisite is that data packets follow a single (unique) path from
the sender to the receiver. The following network topologies support this prerequisite:
Line topology
Star topology
Tree topology
Meshed topology
For networks with star or tree topologies, redundancy procedures are only possible in connection
with physical loop creation. The result is a meshed topology.
For operating in this network topology, the device provides you with the following redundancy
protocols:
Rapid Spanning Tree (RSTP)
Ring topology
In networks with a line topology, you can use redundancy procedures by connecting the ends of the
line. This creates a ring topology.
For operating in this network topology, the device provides you with the following redundancy
protocols:
Media Redundancy Protocol (MRP)
Rapid Spanning Tree (RSTP)
Note: When you are using a redundancy function, you deactivate the flow control on the participating
device ports. If the flow control and the redundancy function are active at the same time, there is a risk
that the redundancy function will not operate as intended.
Table 21: Overview of redundancy protocols
[Table: combination matrix with the rows MRP, RSTP/MSTP, Link Aggregation, Link Backup, Subring, HIPER Ring and the columns MRP, RSTP/MSTP, Link Aggregation, Link Backup, Subring, HIPER Ring, Fast MRP, DLR, HSR, PRP. The applicability marks of the cells are not recoverable from the extracted text; footnotes 1) and 3) appear in the RSTP/MSTP row, 4) in the Link Aggregation and Subring rows, and 1) and 4) in the HIPER Ring row.]
Symbol   Meaning
(mark)   Combination applicable
1)       Redundant coupling between these network topologies will possibly lead to data loops.
3)       In combination with MSTP, the failover times of other redundancy protocols may slightly increase.
4)       Combination applicable on the same port
Since May 2008, the Media Redundancy Protocol (MRP) has been a standardized solution for ring
redundancy in the industrial environment.
MRP is compatible with redundant ring coupling, supports VLANs, and is distinguished by very short
reconfiguration times.
An MRP-Ring consists of up to 50 devices that support the MRP protocol according to IEC 62439. If you
only use Hirschmann devices, up to 100 devices are possible in the MRP-Ring.
You use the fixed MRP redundant port (Fixed Backup) so that, if the primary ring link fails, the Ring Manager
sends data traffic to the secondary ring link. When the primary link is restored, the secondary link
continues to be in use.
Note: You only configure the reconfiguration time with a value less than 500 ms if all the devices in the
ring support the shorter delay time.
Otherwise the devices that only support longer delay times might not be reachable due to overloading.
Loops can occur as a result.
If you are using VLANs, configure every ring port with the following settings:
Deactivate ingress filtering - see the Switching > VLAN > Port dialog.
Define the port VLAN ID (PVID) - see the Switching > VLAN > Port dialog.
– PVID = 1 if the device transmits the MRP data packets untagged (VLAN ID = 0 in Switching >
L2-Redundancy > MRP dialog)
By setting the PVID = 1, the device automatically assigns the received untagged packets to
VLAN 1.
– PVID = any if the device transmits the MRP data packets in a VLAN (VLAN ID ≥ 1 in the
Switching > L2-Redundancy > MRP dialog)
Define egress rules - see Switching > VLAN > Configuration dialog.
– U (untagged) for the ring ports of VLAN 1 if the device transmits the MRP data packets untagged
(VLAN ID = 0 in the Switching > L2-Redundancy > MRP dialog, the MRP ring is not assigned to
a VLAN).
– T (tagged) for the ring ports of the VLAN which you assign to the MRP ring. Select T, if the device
transmits the MRP data packets in a VLAN (VLAN ID ≥ 1 in the Switching > L2-Redundancy >
MRP dialog).
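The settings listed above are easy to get wrong on one of the two ring ports, so the following Python example (added here, not part of the manual) encodes them as a consistency check that an operator can run against values read from the Switching > VLAN > Port and Switching > VLAN > Configuration dialogs. The RingPort fields and the sample port settings are this example's own; the VLAN ID range 0..4042 is the one the mrp domain modify vlan command accepts.

```python
# Added example (not from the manual): a consistency check for the ring-port VLAN
# settings listed above. RingPort carries the values an operator reads in the
# Switching > VLAN > Port and Switching > VLAN > Configuration dialogs; the
# field names and the sample ports are this example's own.
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class RingPort:
    name: str
    pvid: int
    ingress_filtering: bool
    egress: Dict[int, str] = field(default_factory=dict)  # VLAN -> "U" or "T"


def check_ring_port(port, mrp_vlan_id):
    """Findings for one ring port against the MRP VLAN ID (0 = MRP sent untagged)."""
    findings = []
    if not 0 <= mrp_vlan_id <= 4042:
        return ["MRP VLAN ID %d is outside 0..4042" % mrp_vlan_id]
    if port.ingress_filtering:
        findings.append("%s: ingress filtering must be deactivated" % port.name)
    if mrp_vlan_id == 0:
        # MRP frames are sent untagged and must be assigned to VLAN 1
        if port.pvid != 1:
            findings.append("%s: PVID is %d, expected 1 for untagged MRP" % (port.name, port.pvid))
        if port.egress.get(1) != "U":
            findings.append("%s: VLAN 1 egress must be U on a ring port" % port.name)
    else:
        # MRP frames are sent tagged in the MRP VLAN; the PVID may be any value
        if port.egress.get(mrp_vlan_id) != "T":
            findings.append("%s: VLAN %d egress must be T on a ring port" % (port.name, mrp_vlan_id))
    return findings


def check_ring(ports, mrp_vlan_id):
    """Collect findings for all ring ports; an empty list means consistent."""
    findings = []
    for p in ports:
        findings.extend(check_ring_port(p, mrp_vlan_id))
    return findings


# Constructed sample: port 1/1 is set up correctly for untagged MRP,
# port 1/2 still carries the settings of an ordinary access port in VLAN 5.
UNTAGGED_RING = [
    RingPort("1/1", pvid=1, ingress_filtering=False, egress={1: "U"}),
    RingPort("1/2", pvid=5, ingress_filtering=True, egress={1: "T", 5: "U"}),
]
# Constructed sample for an MRP ring assigned to VLAN 20: port 1/2 is untagged there.
TAGGED_RING = [
    RingPort("1/1", pvid=1, ingress_filtering=False, egress={1: "U", 20: "T"}),
    RingPort("1/2", pvid=1, ingress_filtering=False, egress={1: "U", 20: "U"}),
]

if __name__ == "__main__":
    print("MRP VLAN ID 0:", check_ring(UNTAGGED_RING, 0) or "consistent")
    print("MRP VLAN ID 20:", check_ring(TAGGED_RING, 20) or "consistent")
```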
[Figure: MRP ring of devices 1, 2 and 3, each with ring ports 1.1 and 1.2; device 1 is the Ring Manager (RM)]
The following example configuration describes the configuration of the Ring Manager device (1). You
configure the 2 other devices (2 to 3) in the same way, but without activating the Ring Manager function.
This example does not use a VLAN. You specify 200 ms as the ring recovery time. Every device
supports the advanced mode of the Ring Manager.
Note: You configure optical ports without support for autonegotiation (automatic configuration) with 100
Mbit/s full duplex (FDX) or 1000 Mbit/s full duplex (FDX).
Note: You configure optical ports without support for autonegotiation (automatic configuration) with 100
Mbit/s full duplex (FDX).
Note: Configure all the devices of the MRP-Ring individually. Before you connect the redundant line,
you must have completed the configuration of all the devices of the MRP-Ring. You thus avoid loops
during the configuration phase.
You deactivate the flow control on the participating ports.
If the flow control and the redundancy function are active at the same time, there is a risk that the
redundancy function will not operate as intended. (Default setting: flow control deactivated globally
and activated on all ports.)
Switch Spanning Tree off on all devices in the network:
Open the Switching > L2-Redundancy > Spanning Tree > Global dialog.
Disable the function.
In the state on delivery, Spanning Tree is enabled on the device.
enable                         Change to the Privileged EXEC mode.
configure                      Change to the Configuration mode.
no spanning-tree operation     Switches Spanning Tree off.
show spanning-tree global      Displays the parameters for checking.
Enable MRP on every device in the network:
Open the Switching > L2-Redundancy > MRP dialog.
Specify the desired ring ports.
In the Command Line Interface you first define an additional parameter, the MRP domain ID. Configure
all the ring participants with the same MRP domain ID. The MRP domain ID is a sequence of 16 number
blocks (8-bit values).
When configuring with the graphical user interface, the device uses the default value 255 255 255 255
255 255 255 255 255 255 255 255 255 255 255 255.
mrp domain add default-domain            Creates a new MRP domain with the default domain ID.
mrp domain modify port primary 1/1       Specifies port 1/1 as ring port 1.
mrp domain modify port secondary 1/2     Specifies port 1/2 as ring port 2.
Enable the Fixed backup port.
Note: When the device reverts back to the primary port, the maximum ring recovery time may
be exceeded.
If you unmark the Fixed backup checkbox, and the ring is restored, then the Ring Manager
blocks the secondary port and unblocks the primary port.
mrp domain modify port secondary 1/2 fixed-backup enable
                                         Activates the Fixed backup function on the secondary port. The
                                         secondary port continues forwarding data after the ring is restored.
Note: If selecting 200 ms for the ring recovery does not provide the ring stability necessary to meet the
requirements of your network, you select 500 ms.
Switch the operation of the MRP-Ring on.
To save the changes temporarily, click the button.
When all the ring participants are configured, close the line to the ring. To do this, you connect the
devices at the ends of the line via their ring ports.
The Operation field displays the operating state of the ring port.
Possible values:
forwarding
The port is enabled, connection exists.
blocked
The port is blocked, connection exists.
disabled
The port is disabled.
not-connected
No connection exists.
The Information field displays messages for the redundancy configuration and the possible
causes of errors.
The following messages are possible if the device is operating as a ring client or a Ring Manager:
Redundancy available
The redundancy is set up. When a component of the ring is down, the redundant line takes
over its function.
Configuration error: Error on ringport link.
Error in the cabling of the ring ports.
The following messages are possible if the device is operating as a Ring Manager:
Configuration error: Packets from another ring manager received.
Another device exists in the ring that is operating as the Ring Manager.
Activate the Ring manager function on exactly one device in the ring.
Configuration error: Ring link is connected to wrong port.
A line in the ring is connected with a different port instead of with a ring port. The device only
receives test data packets on 1 ring port.
If applicable, integrate the MRP ring into a VLAN:
In the VLAN ID field, define the MRP VLAN ID. The MRP VLAN ID determines in which of the
configured VLANs the device transmits the MRP packets. To set the MRP VLAN ID, first
configure the VLANs and the corresponding egress rules in the Switching > VLAN >
Configuration dialog.
If the MRP-Ring is not assigned to a VLAN (like in this example), leave the VLAN ID as 0.
In the Switching > VLAN > Configuration dialog, specify the VLAN membership as U
(untagged) for the ring ports in VLAN 1.
If the MRP-Ring is assigned to a VLAN, enter a VLAN ID >0.
In the Switching > VLAN > Configuration dialog, specify the VLAN membership as T
(tagged) for the ring ports in the selected VLAN.
mrp domain modify vlan <0..4042>         Assigns the VLAN ID.
Network Structure
When configuring an MRP ring with LAGs, the Ring Manager (RM) monitors both ends of the
backbone for continuity. The RM blocks data on the secondary (redundant) port as long as the
backbone is intact. If the RM detects an interruption of the data stream on the ring, then it begins
forwarding data on the secondary port, which restores backbone continuity.
You use LAG instances in MRP rings to increase bandwidth only; in this case MRP provides the
redundancy.
In order for the RM to detect an interruption on the ring, MRP requires a device to block every port in
the LAG instance when a port in the instance is down.
[Figure: MRP ring with a Link Aggregation segment; the Ring Manager (RM) is shown in three states of the ring]
Example Configuration
In the following example, switch A and switch B link two departments together. The departments
produce more traffic than the bandwidth of an individual port can handle. You configure a LAG instance for
the single segment of the MRP ring, increasing the bandwidth of the segment.
The prerequisite for the example configuration is that you begin with an operational MRP ring.
Note: The Spanning Tree Protocol is a protocol for MAC bridges. For this reason, the following
description uses the term bridge for the device.
Local networks are getting bigger and bigger. This applies to both the geographical expansion and the
number of network participants. Therefore, it is advantageous to use multiple bridges, for example:
to reduce the network load in sub-areas,
to set up redundant connections and
to overcome distance limitations.
However, using multiple bridges with multiple redundant connections between the subnetworks can
lead to loops and thus loss of communication across the network. In order to help avoid this, you can
use Spanning Tree. Spanning Tree enables loop-free switching through the systematic deactivation of
redundant connections. Redundancy enables the systematic reactivation of individual connections as
needed.
RSTP is a further development of the Spanning Tree Protocol (STP) and is compatible with it. If a
connection or a bridge becomes inoperable, STP required a maximum of 30 seconds to reconfigure.
This is no longer acceptable in time-sensitive applications. RSTP achieves average reconfiguration
times of less than a second. When you use RSTP in a ring topology with 10 to 20 devices, you can even
achieve reconfiguration times in the order of milliseconds.
Note: RSTP reduces a layer 2 network topology with redundant paths into a tree structure (Spanning
Tree) that does not contain any more redundant paths. One of the devices takes over the role of the root
bridge here. The maximum number of devices permitted in an active branch (from the root bridge to the
tip of the branch) is specified by the variable Max Age for the current root bridge. The preset value for
Max Age is 20, which can be increased up to 40.
If the device working as the root is inoperable and another device takes over its function, the Max Age
setting of the new root bridge determines the maximum number of devices allowed in a branch.
Note: The RSTP standard dictates that all the devices within a network work with the (Rapid) Spanning
Tree Algorithm. If STP and RSTP are used at the same time, the advantages of faster reconfiguration
with RSTP are lost in the network segments that are operated in combination.
A device that only supports RSTP works together with MSTP devices by not assigning an MST region
to itself, but rather the CST (Common Spanning Tree).
12.3.1 Basics
Because RSTP is a further development of the STP, all the following descriptions of the STP also apply
to the RSTP.
Bridge parameters
In the context of Spanning Tree, each bridge and its connections are uniquely described by the
following parameters:
Bridge Identifier
Root Path Cost for the bridge ports,
Port Identifier
Bridge Identifier
The Bridge Identifier consists of 8 bytes. The 2 highest-value bytes are the priority. The default
setting for the priority number is 32,768, but the Management Administrator can change this when
configuring the network. The 6 lowest-value bytes of the bridge identifier are the bridge’s MAC
address. The MAC address allows each bridge to have unique bridge identifiers.
The bridge with the smallest number for the bridge identifier has the highest priority.
MSB                            LSB
80 00   00 80 63 51 74 00
(priority 32,768)  (MAC address 00:80:63:51:74:00)
Alternatively, the Administrator can set the path cost. Like the device, the Administrator assigns a
higher path cost to paths with lower transmission speeds. However, since the Administrator can
choose this value freely, he has a tool with which he can give a certain path an advantage among
redundant paths.
The root path cost is the sum of all individual costs of those paths that a data packet has to traverse
from a connected bridge‘s port to the root bridge.
[Figure: root path cost; bridge 1 is the root bridge, bridges 2 and 3 are connected via Ethernet (100 Mbit/s) with PC = 200 000 and Ethernet (10 Mbit/s); the figure labels read PC = 200 000, PC = 200 000 000 and PC = Path costs]
Port Identifier
The port identifier consists of 2 bytes. One part, the lower-value byte, contains the physical port
number. This provides a unique identifier for the port of this bridge. The second, higher-value part is
the port priority, which is specified by the Administrator (default value: 128). It also applies here that
the port with the smallest number for the port identifier has the highest priority.
[Figure: port identifier; MSB = port priority byte, LSB = port number byte]
Diameter
The number of connections between the devices in the network that are furthest removed from each
other is known as the network diameter.
[Figure: network diameter = 7; bridges 1 to 7 in a line, bridge 1 is the Root-Bridge]
MaxAge
Every STP-BPDU contains a “MessageAge” counter. When a bridge is passed through, the counter
increases by 1.
Before forwarding a STP-BPDU, the bridge compares the “MessageAge” counter with the “MaxAge”
value specified in the device:
If MessageAge < MaxAge, the bridge forwards the STP-BPDU to the next bridge.
If MessageAge = MaxAge, the bridge discards the STP-BPDU.
[Figure: Root-Bridge with MaxAge = 5; the STP-BPDU arriving with MessageAge = 5 is discarded]
Bridge information
To determine the tree structure, the bridges need more detailed information about the other bridges
located in the network.
To obtain this information, each bridge sends a BPDU (Bridge Protocol Data Unit) to the other
bridges.
The bridge with the smallest number for the bridge identifier is called the root bridge. It is (or will
become) the root of the tree structure.
The structure of the tree depends on the root path costs. Spanning Tree selects the structure so
that the path costs between each individual bridge and the root bridge become as small as
possible.
If there are multiple paths with the same root path costs, the bridge further away from the root
decides which port it blocks. For this purpose, it uses the bridge identifiers of the bridge closer to
the root. The bridge blocks the port that leads to the bridge with the numerically higher ID (a
numerically higher ID is the logically worse one). If 2 bridges have the same priority, the bridge
with the numerically larger MAC address has the numerically higher ID, which is logically the
worse one.
If multiple paths with the same root path costs lead from one bridge to the same bridge, the bridge
further away from the root uses the port identifier of the other bridge as the last criterion (see
figure 40). In the process, the bridge blocks the port that leads to the port with the numerically
higher ID (a numerically higher ID is the logically worse one). If 2 ports have the same priority, the
port with the higher port number has the numerically higher ID, which is logically the worse one.
12.3.3 Examples
[Figure: Spanning Tree example; Root Bridge with P-BID = 16 384, bridges 2 and 3 with P-BID = 32 768]
Note: Because the Administrator does not change the default values for the priorities of the bridges
in the bridge identifier, apart from the value for the root bridge, the MAC address in the bridge
identifier alone determines which bridge becomes the new root bridge if the current root bridge goes
down.
[Figure: Spanning Tree example after a root bridge change; figure labels: Root-Bridge P-BID = 16 384, bridges 2 and 3 with P-BID = 32 768, bridges 4, 5 and 6, MAC 00:01:02:03:04:06]
Port roles
RSTP assigns each bridge port one of the following roles (see figure 47):
Root Port:
This is the port at which a bridge receives data packets with the lowest path costs from the root
bridge.
If there are multiple ports with equally low path costs, the bridge ID of the bridge that leads to the
root (designated bridge) decides which of its ports is given the role of the root port by the bridge
further away from the root.
If a bridge has multiple ports with equally low path costs to the same bridge, the bridge uses the
port ID of the bridge leading to the root (designated bridge) to decide which port it selects locally
as the root port (see figure 43).
The root bridge itself does not have a root port.
Designated port:
The bridge in a network segment that has the lowest root path costs is the designated bridge.
If more than 1 bridge has the same root path costs, the bridge with the smallest value bridge
identifier becomes the designated bridge. The designated port on this bridge is the port that
connects a network segment leading away from the root bridge. If a bridge is connected to a
network segment with more than one port (via a hub, for example), the bridge gives the role of the
designated port to the port with the better port ID.
Edge port
Every network segment with no additional RSTP bridges is connected with exactly one designated
port. In this case, this designated port is also an edge port. The distinction of an edge port is the
fact that it does not receive any RST BPDUs (Rapid Spanning Tree Bridge Protocol Data Units).
Alternate port
This is a blocked port that takes over the task of the root port if the connection to the root bridge
is lost. The alternate port provides a backup connection to the root bridge.
Backup port
This is a blocked port that serves as a backup in case the connection to the designated port of this
network segment (without any RSTP bridges) is lost.
Disabled port
This is a port that does not participate in the Spanning Tree Operation, that is, the port is
switched off or does not have any connection.
[Figure 47: port roles example; root bridge with BID = 16 384, bridges 2 and 3, and a bridge with BID = 40 960]
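The rules under "Bridge information" and "Port roles" above are easiest to verify on a small topology, so the following Python calculator is added here (it is example code, not the device's RSTP implementation and not from the manual). It builds 8-byte bridge identifiers and 2-byte port identifiers as described, elects the root bridge, computes root path costs, applies the MaxAge check to a BPDU, and assigns the root, designated and alternate roles using the tie-break order bridge identifier, then port identifier. The topology, bridge names, MAC addresses and path costs are constructed; it models point-to-point links only, so no backup ports or edge ports arise.

```python
# Added example (not part of the Hirschmann manual): bridge/port identifiers,
# root election, root path cost, the MaxAge check and root/designated/alternate
# port roles for a small constructed topology of point-to-point links.
from dataclasses import dataclass


def bridge_id(priority, mac):
    """8-byte Bridge Identifier: 2 bytes priority, then the 6-byte MAC address.
    The numerically smallest identifier has the highest priority."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def port_id(port_number, priority=128):
    """2-byte Port Identifier: port priority (high byte) and port number (low byte)."""
    return (priority << 8) | port_number


def bpdu_forwarded(message_age, max_age):
    """A bridge forwards an STP BPDU only while MessageAge < MaxAge."""
    return message_age < max_age


@dataclass(frozen=True)
class Link:
    a: str        # bridge name at one end
    a_port: int
    b: str        # bridge name at the other end
    b_port: int
    cost: int     # path cost of the link (200 000 = 100 Mbit/s Ethernet)


def spanning_tree(bridges, links):
    """bridges: {name: bridge identifier}; links: list of Link.
    Returns (root name, {name: root path cost}, {(name, port): role})."""
    root = min(bridges, key=bridges.get)        # smallest bridge identifier wins
    rpc = {n: float("inf") for n in bridges}    # root path cost per bridge
    rpc[root] = 0
    adj = {n: [] for n in bridges}
    for l in links:
        adj[l.a].append((l.b, l.cost))
        adj[l.b].append((l.a, l.cost))
    todo = set(bridges)                         # Dijkstra from the root bridge
    while todo:
        u = min(todo, key=rpc.get)
        todo.remove(u)
        for v, c in adj[u]:
            rpc[v] = min(rpc[v], rpc[u] + c)

    roles = {}
    # Root port of every non-root bridge: the port receiving the best
    # (root path cost, bridge ID of the bridge closer to the root, its port ID,
    # own port ID) vector, the tie-break order given under "Bridge information".
    for name in bridges:
        if name == root:
            continue
        best = None
        for l in links:
            if l.a == name:
                nbr, nport, own = l.b, l.b_port, l.a_port
            elif l.b == name:
                nbr, nport, own = l.a, l.a_port, l.b_port
            else:
                continue
            cand = (rpc[nbr] + l.cost, bridges[nbr], port_id(nport), port_id(own), own)
            if best is None or cand < best:
                best = cand
        if best is not None:
            roles[(name, best[4])] = "root"

    def vector(name, port):
        # what this end advertises on the segment; the lower tuple is designated
        return (rpc[name], bridges[name], port_id(port))

    # Remaining ports: designated if this end has the better vector on the
    # segment, otherwise alternate (blocked backup path towards the root).
    for l in links:
        ends = ((l.a, l.a_port, l.b, l.b_port), (l.b, l.b_port, l.a, l.a_port))
        for me, mport, other, oport in ends:
            if (me, mport) not in roles:
                better = vector(me, mport) < vector(other, oport)
                roles[(me, mport)] = "designated" if better else "alternate"
    return root, rpc, roles


# Constructed topology: R is meant to become root (priority 16 384), B2 and B3
# keep the default priority 32 768; a second link R-B2 shows the port-ID tie-break.
BRIDGES = {
    "R": bridge_id(16384, "00:80:63:00:00:01"),
    "B2": bridge_id(32768, "00:80:63:00:00:02"),
    "B3": bridge_id(32768, "00:80:63:00:00:03"),
}
LINKS = [
    Link("R", 1, "B2", 1, 200000),
    Link("R", 2, "B3", 1, 200000),
    Link("B2", 2, "B3", 2, 200000),
    Link("R", 3, "B2", 3, 200000),
]

if __name__ == "__main__":
    root, rpc, roles = spanning_tree(BRIDGES, LINKS)
    print("root bridge:", root)
    for (name, port), role in sorted(roles.items()):
        print("%s port %d: %s (root path cost %s)" % (name, port, role, rpc[name]))
```

On the constructed topology, B2 and B3 both have root path cost 200 000; on the B2-B3 link B2 becomes designated because its MAC address gives it the numerically lower bridge identifier, and B3 blocks that port as alternate. Between the two parallel links R-B2, B2 chooses the one towards R's port 1 as root port, because port identifier 128.1 is lower than 128.3, and blocks the other one.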
Port states
Depending on the tree structure and the state of the selected connection paths, the RSTP assigns
the ports their states.
STP port state   Administrative bridge port state   MAC Operational   RSTP Port state   Active topology (port role)
DISABLED         Disabled                           FALSE             Discarding a)     Excluded (disabled)
DISABLED         Enabled                            FALSE             Discarding a)     Excluded (disabled)
BLOCKING         Enabled                            TRUE              Discarding b)     Excluded (alternate, backup)
LISTENING        Enabled                            TRUE              Discarding b)     Included (root, designated)
LEARNING         Enabled                            TRUE              Learning          Included (root, designated)
FORWARDING       Enabled                            TRUE              Forwarding        Included (root, designated)
Table 24: Relationship between port state values for STP and RSTP
a) The dot1d-MIB displays “Disabled”
b) The dot1d-MIB displays “Blocked”
Based on this information, the bridges participating in RSTP are able to determine port roles
themselves and define the port states of their own ports.
Fast reconfiguration
Why can RSTP react faster than STP to an interruption of the root path?
Introduction of edge-ports:
During a reconfiguration, RSTP switches an edge port into the transmission mode after three
seconds (default setting) and then waits for the “Hello Time” to elapse, to be sure that no bridge
sending BPDUs is connected.
When the user ensures that an end device is connected at this port and will remain connected, there
are no waiting times at this port in the case of a reconfiguration.
Introduction of alternate ports:
As the port roles are already distributed in normal operation, a bridge can immediately switch from
the root port to the alternate port after the connection to the root bridge is lost.
Communication with neighboring bridges (point-to-point connections):
Decentralized, direct communication between neighboring bridges enables reaction without wait
periods to status changes in the spanning tree topology.
Address table:
With STP, the age of the entries in the FDB determines the updating of communication. RSTP
immediately deletes the entries in those ports affected by a reconfiguration.
Reaction to events:
Without having to adhere to any time specifications, RSTP immediately reacts to events such as
connection interruptions, connection reinstatements, etc.
Note: The downside of this fast reconfiguration is the possibility that data packets could be
duplicated and/or arrive at the recipient in the wrong order during the reconfiguration phase of the
RSTP topology. If this is unacceptable for your application, use the slower Spanning Tree Protocol
or select one of the other, faster redundancy procedures described in this manual.
Set up the network to meet your requirements, initially without redundant lines.
Deactivate the flow control on the participating ports.
If the flow control and the redundancy function are active at the same time, there is a risk that the
redundancy function will not operate as intended. (Default setting: flow control deactivated globally
and activated on all ports.)
Switch MRP off on all devices.
Switch Spanning Tree on for all devices in the network.
In the state on delivery, Spanning Tree is enabled on the device.
Open the Switching > L2-Redundancy > Spanning Tree > Global dialog.
Enable the function.
spanning-tree mst priority 0 <0..61440 in steps of 4096>  Specifies the bridge priority of the device.
If applicable, change the values in the Forward delay [s] and Max age fields.
– The root bridge transmits the changed values to the other devices.
spanning-tree forward-time <4..30> Specifies the delay time for the status change in seconds.
spanning-tree max-age <6..40> Specifies the maximum permissible branch length, for example
the number of devices to the root bridge.
show spanning-tree global Displays the parameters for checking.
Note: The parameters Forward delay [s] and Max age have the following relationship:
Forward delay [s] ≥ (Max age /2) + 1
If you enter values in the fields that contradict this relationship, the device replaces these values with
the last valid values or with the default value.
Note: If possible, do not change the value in the “Hello Time” field.
Check the following values in the other devices:
– Bridge ID (bridge priority and MAC address) of the corresponding device and the root bridge.
– Number of the device port that leads to the root bridge.
– Path cost from the root port of the device to the root bridge.
12.3.6 Guards
The device allows you to activate various protection functions (guards) on the device ports.
The following protection functions help protect your network from incorrect configurations, loops and
attacks with STP-BPDUs:
BPDU Guard – for manually specified edge ports (end device ports)
You activate this protection function globally in the device.
End device ports do not normally receive any STP-BPDUs. If an attacker nevertheless attempts to feed
STP-BPDUs into such a port, the device deactivates the device port.
Root Guard – for designated ports
If a designated port receives an STP-BPDU with better path information to the root bridge, the device
discards the STP-BPDU and sets the transmission state of the port to discarding instead of root.
If no further STP-BPDUs with better path information to the root bridge arrive, after 2 x Hello time [s]
the device resets the state of the port to a value according to the port role.
TCN Guard – for ports that receive STP-BPDUs with a Topology Change flag
You activate this protection function separately for every device port.
If the protection function is activated, the device ignores Topology Change flags in received STP-BPDUs.
The content of the address table (FDB) of the device port therefore remains unchanged. However,
the device still processes other information in the BPDU that changes the topology.
Loop Guard
This protection function prevents the transmission status of a port from unintentionally being changed
to forwarding if the port does not receive any more STP-BPDUs. If this situation occurs, the device
designates the loop status of the port as inconsistent and does not forward any data packets.
Open the Switching > L2-Redundancy > Spanning Tree > Port dialog.
Switch to the CIST tab.
For end device ports, mark the checkbox in the Admin edge port column.
Note: The Root guard and Loop guard functions are mutually exclusive. If you try to activate
the Root guard function while the Loop guard function is activated, the device deactivates the
Loop guard function.
To save the changes temporarily, click the button.
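The following Python script is an added example; it is not part of the manual and not Hirschmann code. It decodes an IEEE 802.1D/802.1w configuration BPDU, models the BPDU Guard, Root Guard and TCN Guard reactions described above, and applies the Forward delay / Max age relationship from the Spanning Tree setup note to the timers carried in the BPDU (a BPDU whose timers violate it is a useful sign of a forged frame). The sample bridge IDs, the "rogue" BPDU and the state machine in `apply_guards` are constructed assumptions for illustration; the device's internal logic is not documented here.

```python
"""Added example, not from the Hirschmann manual: decode an IEEE 802.1D/802.1w
configuration BPDU and model the BPDU Guard, Root Guard and TCN Guard decisions
described above, plus the Forward delay / Max age consistency check."""
import struct
from dataclasses import dataclass

# Config BPDU layout (IEEE 802.1D-2004 clause 9.3.1), fields in network byte order:
# Protocol ID(2) Version(1) Type(1) Flags(1) Root ID(8) Root Path Cost(4)
# Bridge ID(8) Port ID(2) Message Age(2) Max Age(2) Hello Time(2) Forward Delay(2)
# An RST BPDU (Type 0x02) appends a Version 1 Length byte. Timers are in 1/256 s.
_FMT = "!HBBB8sI8sHHHHH"
CONFIG_BPDU_LEN = struct.calcsize(_FMT)  # 35 bytes
FLAG_TOPOLOGY_CHANGE = 0x01


@dataclass(frozen=True)
class Bpdu:
    version: int
    bpdu_type: int
    flags: int
    root_id: bytes        # 2-byte priority + 6-byte MAC
    root_path_cost: int
    bridge_id: bytes
    port_id: int
    max_age: float        # seconds
    hello_time: float
    forward_delay: float

    @property
    def topology_change(self) -> bool:
        return bool(self.flags & FLAG_TOPOLOGY_CHANGE)

    def priority_vector(self):
        """Lower tuple = better path information (802.1D-2004 clause 17.6)."""
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)

    def timers_consistent(self) -> bool:
        """Manual rule: Forward delay >= Max age / 2 + 1. The standard also
        requires Max age >= 2 x (Hello time + 1); both are checked here."""
        return (self.forward_delay >= self.max_age / 2 + 1
                and self.max_age >= 2 * (self.hello_time + 1))


def parse_bpdu(payload: bytes) -> Bpdu:
    """payload is the BPDU after the 802.2 LLC header (0x42 0x42 0x03)."""
    if len(payload) < CONFIG_BPDU_LEN:
        raise ValueError("BPDU too short")
    (proto, ver, btype, flags, root, cost, bridge, port,
     _msg_age, max_age, hello, fwd) = struct.unpack(_FMT, payload[:CONFIG_BPDU_LEN])
    if proto != 0 or btype not in (0x00, 0x02):
        raise ValueError("not a Configuration or RST BPDU")
    return Bpdu(ver, btype, flags, root, cost, bridge, port,
                max_age / 256, hello / 256, fwd / 256)


def bridge_id(priority: int, mac: str) -> bytes:
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))


def build_bpdu(root: bytes, cost: int, bridge: bytes, port_id: int, flags: int = 0,
               max_age: int = 20, hello: int = 2, forward_delay: int = 15) -> bytes:
    """Constructs an RST BPDU (used here only to create sample input)."""
    body = struct.pack(_FMT, 0, 2, 0x02, flags, root, cost, bridge, port_id,
                       0, max_age * 256, hello * 256, forward_delay * 256)
    return body + b"\x00"  # Version 1 Length


@dataclass
class Port:
    role: str                 # "root", "designated", "alternate" or "backup"
    admin_edge: bool = False  # "Admin edge port" checkbox
    root_guard: bool = False
    tcn_guard: bool = False


def apply_guards(port: Port, bpdu: Bpdu, bpdu_guard_global: bool, own_vector):
    """Returns (resulting port state, explanation). own_vector is the priority
    vector the port currently advertises; a received vector that compares lower
    is 'better path information to the root bridge'. Hypothetical model of the
    behaviour described in the text, not the device's implementation."""
    if bpdu_guard_global and port.admin_edge:
        return "disabled", "BPDU Guard: BPDU on edge port, port deactivated"
    if port.role == "designated" and bpdu.priority_vector() < own_vector:
        if port.root_guard:
            # Discarded; the port is reset after 2 x Hello time without such BPDUs.
            return "discarding", "Root Guard: superior BPDU discarded, port root-inconsistent"
        return "forwarding", "no guard: superior BPDU accepted, port becomes root port"
    if bpdu.topology_change and port.tcn_guard:
        note = "TCN Guard: TC flag ignored, FDB kept"
    elif bpdu.topology_change:
        note = "TC flag processed: FDB entries on this port flushed"
    else:
        note = "no topology change"
    state = "forwarding" if port.role in ("root", "designated") else "discarding"
    return state, note


def demo():
    """Constructed scenario: our bridge (priority 32768) knows a root with priority
    16384 at path cost 20000, then receives a rogue BPDU claiming priority 0."""
    own = (bridge_id(16384, "00:80:63:0a:0b:0c"), 20000,
           bridge_id(32768, "00:80:63:11:22:33"), 0x8001)
    rogue_id = bridge_id(0, "00:11:22:33:44:55")
    rogue = parse_bpdu(build_bpdu(rogue_id, 0, rogue_id, 0x8001,
                                  flags=FLAG_TOPOLOGY_CHANGE,
                                  max_age=10, hello=2, forward_delay=4))
    return {
        "edge": apply_guards(Port("designated", admin_edge=True), rogue, True, own),
        "root_guard": apply_guards(Port("designated", root_guard=True), rogue, True, own),
        "unguarded": apply_guards(Port("designated"), rogue, True, own),
        "tcn_guard": apply_guards(Port("root", tcn_guard=True), rogue, True, own),
        "timers_ok": rogue.timers_consistent(),   # False: 4 < 10/2 + 1
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result}")
```

The `unguarded` entry shows what the guards prevent: without Root Guard, a designated port that hears a better root claim simply re-elects and the attacker becomes root bridge; without BPDU Guard, the same frame on an edge port is processed like any other BPDU.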
Example
The given example describes the configuration of the Ring only mode function.
Open the Switching > L2-Redundancy > Spanning Tree > Spanning Tree Global dialog.
In the Ring only mode frame, select the port 1/1 in the First port field.
In the Ring only mode frame, select the port 1/2 in the Second port field.
To activate the function, in the Ring only mode frame, mark the Active checkbox.
To save the changes temporarily, click the button.
Link Aggregation using the single switch method helps you overcome 2 limitations of Ethernet links,
namely bandwidth and redundancy.
The first problem that the Link Aggregation Group (LAG) function helps you with is the bandwidth limitation
of individual ports. LAG allows you to combine 2 or more links in parallel, creating 1 logical link between
2 devices. The parallel links increase the bandwidth for traffic between the 2 devices.
You typically use Link Aggregation on the network backbone. The function provides you an inexpensive
way to incrementally increase bandwidth.
Furthermore, Link Aggregation provides redundancy with a seamless failover. With 2 or more links
configured in parallel, when a link goes down, the other links in the group continue to forward traffic.
The device uses a hash option to determine load balancing across the port group. Tagging the egress
traffic allows the device to transmit associated packets across the same link.
The default settings for a new Link Aggregation instance are as follows:
In the Configuration frame, the value in the Hashing option field is sourceDestMacVlan.
In the Active column, the checkbox is marked.
In the Send trap (Link up/down) column, the checkbox is marked.
In the Static link aggregation column, the checkbox is unmarked.
In the Hashing option column, the value is sourceDestMacVlan.
In the Active ports (min.) column, the value is 1.
Hash Algorithm
The frame distributor is responsible for receiving frames from the end devices and transmitting them
over the Link Aggregation Group. The frame distributor implements a distribution algorithm
responsible for choosing the link used for transmitting any given packet. The hash option helps you
achieve load balancing across the group.
The following list contains options which you set for link selection.
Source MAC address, VLAN ID, EtherType, and receiving port
Destination MAC address, VLAN ID, EtherType, and receiving port
Source/Destination MAC address, VLAN ID, EtherType, and receiving port
Source IP address and Source TCP/UDP port
Destination IP address and destination TCP/UDP port
Source/destination IP address and source/destination TCP/UDP port
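As an added example (not from the manual and not Hirschmann code), the following Python model shows how a frame distributor maps the field selections listed above onto a member link, why frames of one flow stay on one link, how the choice of hashing option decides whether traffic is balanced at all, and what happens to the mapping when a member link fails or the "Active ports (min.)" threshold is no longer met. The device's actual hash function is not documented; CRC-32 is used as a stand-in, and the option names, port names and traffic are constructed assumptions.

```python
"""Added example, not from the Hirschmann manual: a model of the LAG frame
distributor choosing the egress member link from a hash of the selected frame
fields, showing flow stickiness, a poor hashing choice and member-link failover.
The device's actual hash function is not documented; CRC-32 stands in for it."""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int
    in_port: str = "1/5"
    ethertype: int = 0x0800
    src_ip: str = ""
    dst_ip: str = ""
    src_port: int = 0
    dst_port: int = 0


# Field selections following the hashing options listed above (names assumed).
HASH_KEYS = {
    "sourceMacVlan":     lambda f: (f.src_mac, f.vlan, f.ethertype, f.in_port),
    "destMacVlan":       lambda f: (f.dst_mac, f.vlan, f.ethertype, f.in_port),
    "sourceDestMacVlan": lambda f: (f.src_mac, f.dst_mac, f.vlan, f.ethertype, f.in_port),
    "sourceIpPort":      lambda f: (f.src_ip, f.src_port),
    "destIpPort":        lambda f: (f.dst_ip, f.dst_port),
    "sourceDestIpPort":  lambda f: (f.src_ip, f.dst_ip, f.src_port, f.dst_port),
}


class Lag:
    """Link Aggregation Group with the defaults from the text: hashing option
    sourceDestMacVlan and 'Active ports (min.)' = 1."""

    def __init__(self, members, hashing="sourceDestMacVlan", min_active=1):
        self.members = list(members)
        self.up = set(members)
        self.key = HASH_KEYS[hashing]
        self.min_active = min_active

    def link_down(self, port):
        self.up.discard(port)

    def link_up(self, port):
        self.up.add(port)

    @property
    def operational(self) -> bool:
        # Below the minimum the whole LAG goes down instead of running degraded.
        return len(self.up) >= self.min_active

    def select(self, frame: Frame):
        """Egress member for a frame, or None if the LAG is down. Frames of one
        flow always hash to the same member, which preserves their order."""
        if not self.operational:
            return None
        active = [p for p in self.members if p in self.up]
        digest = zlib.crc32(repr(self.key(frame)).encode())
        return active[digest % len(active)]


def demo():
    """Constructed traffic: one server (single source MAC/IP) serving eight clients."""
    frames = [Frame("00:80:63:00:00:01", f"00:80:63:00:01:{i:02x}", 10,
                    src_ip="10.0.0.1", dst_ip=f"10.0.1.{i}", src_port=443, dst_port=40000 + i)
              for i in range(8)]
    # Source MAC hashing: every frame carries the same key -> one member link only.
    by_src_mac = {Lag(["1/1", "1/2"], hashing="sourceMacVlan").select(f) for f in frames}
    # L3/L4 hashing distinguishes the client flows.
    lag = Lag(["1/1", "1/2"], hashing="sourceDestIpPort")
    before = [lag.select(f) for f in frames]
    again = [lag.select(f) for f in frames]           # deterministic: same links
    lag.link_down("1/1")
    after_failover = [lag.select(f) for f in frames]  # all flows move to 1/2
    return by_src_mac, before, again, after_failover


if __name__ == "__main__":
    print(demo())
```

The first result is the practical caveat: with a single talker behind the LAG, a MAC-only hashing option sends every frame down one member and the extra links add redundancy but no bandwidth.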
Link Backup provides a redundant link for traffic on Layer 2 devices. When the device detects an error
on the primary link, then the device transfers traffic to the backup link. You typically use Link Backup in
service-provider or enterprise networks.
You set up the backup links in pairs, one as a primary and one as a backup. When providing redundancy
for enterprise networks for example, the device allows you to set up more than 1 pair. The maximum
number of link backup pairs is: total number of physical ports / 2. Furthermore, the device sends an
SNMP trap when the state of a port participating in a link backup pair changes.
When configuring link backup pairs remember the following rules:
A link pair consists of any combination of physical ports. For example, 1 port of the pair can be a
100 Mbit/s port and the other a 1000 Mbit/s SFP port.
A specific port is a member of 1 link backup pair at any given time.
Verify that the ports of a link backup pair are members of the same VLAN with the same VLAN ID.
When the primary port or backup port is a member of a VLAN then, assign the second port of the pair
to the same VLAN.
The default setting for this function is inactive without any link backup pairs.
Note: Verify that the Spanning Tree Protocol is disabled on the Link Backup ports.
The concept of HIPER Ring Redundancy enables the construction of high-availability, ring-shaped
network structures. The HIPER Ring Client function allows the network administrator to extend an
existing HIPER Ring or replace a client device already participating in a HIPER Ring.
When the device senses that the link on a ring port goes down, the device sends a LinkDown packet to
the Ring Manager (RM) and flushes the FDB table. Once the RM receives the LinkDown packet, it
immediately forwards the data stream over both the primary and secondary ring ports. Thus, the RM is
able to maintain the integrity of the HIPER Ring.
The device only supports Fast Ethernet and Gigabit Ethernet ports as ring ports. Furthermore, you can
include the ring ports in a LAG instance.
In the default state, the HIPER Ring client is inactive, and the primary and secondary ports are set to no
Port.
Note: Deactivate the Spanning Tree Protocol (STP) for the ring ports in the Switching > L2-
Redundancy > Spanning Tree > Spanning Tree Port dialog, because STP and HIPER Ring have
different reaction times.
12.7 FuseNet™
FuseNet™ is a family of Hirschmann proprietary protocols that allows you to couple the following
networks:
– MRP
– HIPER Ring
– RSTP
Note: When you use the Ring/Network Coupling protocol to couple a network to the main ring verify
that the networks contain only Hirschmann devices.
Use the following table to select the FuseNet coupling protocol:

Main ring    Connected network: MRP       Connected network: RSTP                              Connected network: HIPER ring
MRP          Sub Ring 1)                  Redundant Coupling Protocol, Ring/Network Coupling   Redundant Coupling Protocol, Ring/Network Coupling
HIPER ring   Sub Ring                     Redundant Coupling Protocol, Ring/Network Coupling   Ring/Network Coupling
RSTP         Redundant Coupling Protocol  –                                                    Redundant Coupling Protocol
Explanation:
– no suitable coupling protocol
1) with MRP configured on different VLANs
12.8 Subring
The Sub Ring function is an extension of the Media Redundancy Protocol (MRP). This function allows
you to couple a subring to a main ring using various network structures.
The Subring protocol provides redundancy for devices by coupling both ends of an otherwise flat
network to a main ring.
Setting up subrings has the following advantages:
Through the coupling process, you include the new network segment in the redundancy concept.
Subrings allow easy integration of new areas into existing networks.
Subrings allow you easy mapping of the organizational structure of an area in a network topology.
In an MRP ring, the failover times of the subring in redundancy cases are typically < 100 ms.
Figure 52: Special case: A Subring Manager manages 2 subrings (2 instances). The Subring Manager is capable of
managing up to 20 instances.
Figure 53: Special case: A Subring Manager manages both ends of a subring on different ports (Single Subring Manager).
Note: In the previous examples, the Subring Managers couple subrings solely to existing main rings.
The Sub Ring function prohibits cascaded subrings, for example coupling a new subring to another
existing subring.
When you use MRP for the main ring and the subring, then specify the VLAN settings as follows:
VLAN X for the main ring
– on the ring ports of the main ring participants
– on the main ring ports of the Subring Manager
VLAN Y for the Subring
– on the ring ports of the Subring participants
– on the subring ports of the Subring Manager
You can use the same VLAN for multiple subrings.
Note: The MRP domain ID is a sequence of 16 numbers in the range from 0 to 255. The default value is
255.255.255.255.255.255.255.255.255.255.255.255.255.255.255.255. An MRP domain ID consisting entirely
of zeros is invalid.
The Sub Ring dialog allows you to change the MRP domain ID if required. Alternatively, open the
Command Line Interface (CLI) and proceed as follows:
enable                                   Change to the Privileged EXEC mode.
configure                                Change to the Configuration mode.
mrp domain delete                        Deletes the current MRP domain.
mrp domain add domain-id 0.0.1.1.2.2.3.4.4.111.222.123.0.0.66.99
                                         Creates a new MRP domain with the specified MRP domain ID.
                                         Any subsequent MRP domain changes apply to this domain ID.
To activate the Subring Manager function, mark the Active checkbox in the appropriate row.
After you have configured both Subring Managers and the devices participating in the subring,
enable the function and close the redundant link.
To save the changes temporarily, click the button.
There is a Link Aggregation (LAG) connection when at least two parallel redundant connecting lines
exist (known as a trunk) between two devices, and these lines are combined into one logical connection.
The device allows you to use the LAG ports as ring ports with the Sub Ring protocol.
12.9.1 Example
The following example is a simple setup between an MRP ring and a Subring.
Subring configuration
The devices participating in the attached Sub-ring are members of VLAN 200.
SRM1
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
link-aggregation add lag/1 Creates a Link Aggregation Group lag/1.
link-aggregation modify lag/1 addport 1/1 Adds port 1/1 to the Link Aggregation Group.
link-aggregation modify lag/1 addport 1/2 Adds port 1/2 to the Link Aggregation Group.
link-aggregation modify lag/1 adminmode          Activates the Link Aggregation Group.
SRM2
enable                                           Change to the Privileged EXEC mode.
configure                                        Change to the Configuration mode.
link-aggregation add lag/1                       Creates a Link Aggregation Group lag/1.
link-aggregation modify lag/1 addport 2/7        Adds port 2/7 to the Link Aggregation Group.
link-aggregation modify lag/1 addport 2/8        Adds port 2/8 to the Link Aggregation Group.
link-aggregation modify lag/1 adminmode          Activates the Link Aggregation Group.
sub-ring modify 1 mode manager vlan 200 port lag/1
                                                 Assigns the device the role of Subring Manager in subring 1.
                                                 VLAN 200 is set as the VLAN ID of the domain, and port lag/1
                                                 is set as a member of VLAN 200.
sub-ring modify 1 name SRM2                      Assigns the name SRM2 to subring 1.
sub-ring enable 1                                Activates subring 1.
sub-ring operation                               Enables the global Subring Manager function on this device.
MRC 2, 3
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
mrp domain add default-domain Creates a new MRP domain with the default domain ID.
mrp domain modify port primary lag/1 Specifies port lag/1 as ring port 1.
mrp domain modify port secondary 1/3 Specifies port 1/3 as ring port 2.
mrp domain modify mode client Specifies the device role as ring client.
mrp domain modify operation enable Activates the MRP-Ring.
mrp domain modify vlan 200 Specifies the VLAN ID as 200.
mrp operation Enable the MRP function on the device.
Disable STP
Disable the STP function on every port that you specified as an MRP or Sub-ring port. In the following
steps, port 1/3 is used as an example.
enable Change to the Privileged EXEC mode.
configure Change to the Configuration mode.
interface 1/3 Change to the interface configuration mode of interface 1/3.
no spanning-tree operation Disable the option.
Based on a ring, Ring/Network Coupling allows the redundant coupling of redundant rings or network
segments. Ring/Network Coupling connects 2 rings/network segments through 2 separate paths.
When the devices in the coupled network are Hirschmann devices, the Ring/Network Coupling
function supports coupling the following ring protocols in the primary and secondary rings:
HIPER-Ring
Fast HIPER-Ring
MRP
The Ring/Network Coupling function can also couple network segments with a bus or mesh
structure.
Two ports of one device in the first ring/network connect to one port each of two devices in the
second ring/network (see figure 56). In the One-Switch coupling method, the main line forwards data
and the device blocks the redundant line.
If the main line no longer functions, then the device immediately unblocks the redundant line. When
the main line is restored, the device blocks data on the redundant line. The main line forwards data
again.
The ring coupling detects and handles an error within 500 ms (typically 150 ms).
One port each from two devices in the first ring/network connect to one port each of two devices in
the second ring/network segment (see figure 58).
The device in the redundant line and the device in the main line use control packets to inform each
other about their operating states, using the Ethernet or a control line.
If the main line no longer functions, then the redundant device (Stand-by) immediately unblocks the
redundant line. As soon as the main line is restored, the device on the main line informs the
redundant device of this. The Stand-by device blocks data on the redundant line. The main line
forwards data again.
The ring coupling detects and handles an error within 500 ms (typically 150 ms).
The type of coupling configuration is primarily determined by the network topology and the desired
level of availability (see table 28).
Note: In the following screen shots and diagrams, the following conventions are used:
Blue boxes and lines indicate devices or connections of the items currently being described.
Solid lines indicate a main connection.
Dash lines indicate a stand-by connection.
Dotted lines indicate the control line.
Open the Switching > L2-Redundancy > Ring/Network Coupling dialog.
In the Mode frame, Type option list, select the required radio button.
one-switch coupling
two-switch coupling, master
two-switch coupling, slave
two-switch coupling with control line, master
two-switch coupling with control line, slave
Note: Refrain from combining the Rapid Spanning Tree Protocol and Ring/Network Coupling .
One-Switch coupling
The main line, indicated by the solid blue line, which is connected to the partner coupling port
provides coupling between the two networks in the normal mode of operation. If the main line is
inoperable, then the redundant line, indicated by the dashed blue line, which is connected to the
coupling port takes over the ring/network coupling. One switch performs the coupling switch-over.
The following settings apply to the device displayed in blue in the selected graphic.
In the Partner coupling port frame, Port drop-down list, select the port on which you
connect the main line.
To enable the function, select the On radio button in the Operation frame.
To save the changes temporarily, click the button.
Connect the redundant line to the Partner coupling port.
In the Partner coupling port frame, the State field displays the status of the Partner
coupling port.
Connect the main line to the Coupling port.
In the Coupling port frame, the State field displays the status of the Coupling port.
In the Information frame, the Redundancy available field displays whether or not the
redundancy is available. The Configuration failure field displays whether or not the settings
are complete and correct.
If you have configured VLANs on the coupling ports, perform the following steps to specify the VLAN
settings on the coupling and partner coupling ports:
Open the Switching > VLAN > VLAN Port dialog.
Change the Port-VLAN ID setting to the value of the VLAN ID configured on the ports.
Unmark the Ingress filtering checkbox for both coupling ports.
Open the Switching > VLAN > VLAN Configuration dialog.
To tag the redundant connections for VLAN 1 and VLAN Membership, enter the value T in the
cells corresponding to both coupling ports on the VLAN 1 row.
To save the changes temporarily, click the button.
The coupling devices send the redundancy packets with the highest priority on VLAN 1.
In the Configuration frame, Redundancy mode option list, specify the type of redundancy:
With the redundant ring/network coupling setting, either the main line or the redundant line is active. The
setting allows the devices to toggle between both lines.
When you activate the extended redundancy setting, the main line and the redundant line are active
simultaneously. The setting allows you to add redundancy to the coupling network. When the connection
between the coupling devices in the second network becomes inoperable the coupling devices continue to
transmit and receive data.
Note: During the reconfiguration period, packet duplications can occur. Therefore, select this
setting only if your end devices can detect duplicate packets.
The Coupling mode describes the type of the backbone network to which you connect the ring
network (see figure 56).
In the Configuration frame, Coupling mode option list, specify the type of the second
network:
If you connect to a ring network, then select the ring coupling radio button.
If you connect to a bus or mesh structure, then select the network coupling radio button.
Perform the following steps to reset the coupling settings to the default state:
Two-Switch coupling
In the Mode frame, Type option list, select the two-switch coupling, master radio button.
In the Coupling port frame, Port drop-down list, select the port on which you connect the
network segments.
Configure the Coupling port and the ring ports on different ports.
To enable the function, select the On radio button in the Operation frame.
To save the changes temporarily, click the button.
Connect the main line to the Coupling port .
In the Coupling port frame, the State field displays the status of the Coupling port.
If the partner is already operating in the network, then the IP address field in the Partner
coupling port frame displays the IP address of the partner port.
In the Information frame, the Redundancy available field displays whether or not the
redundancy is available. The Configuration failure field displays whether or not the settings
are complete and correct.
Note: If you operate the Ring manager function and a two-switch coupling function on the same
device, there is the possibility of creating a loop.
To help prevent continuous loops while the connections are in operation on the ring coupling
ports, the device sets the port state of the coupling port to “off” if you perform one of the following
actions:
– disable the operation
– change the configuration
If you have configured VLANs on the coupling ports, perform the following steps to specify the VLAN
settings on the coupling and partner coupling ports:
Open the Switching > VLAN > VLAN Port dialog.
Change the Port-VLAN ID setting to the value of the VLAN ID configured on the ports.
Unmark the Ingress filtering checkbox for both coupling ports.
Open the Switching > VLAN > VLAN Configuration dialog.
To tag the redundant connections for VLAN 1 and VLAN Membership, enter the value T in the
cells corresponding to both coupling ports on the VLAN 1 row.
To save the changes temporarily, click the button.
The coupling devices send the redundancy packets with the highest priority on VLAN 1.
Note: If you operate the Ring manager function and a two-switch coupling function on the same
device, there is the possibility of creating a loop.
To help prevent continuous loops while the connections are in operation on the ring coupling
ports, the device sets the port state of the coupling port to “off” if you perform one of the following
actions:
– disable the operation
– change the configuration
If you have configured VLANs on the coupling ports, perform the following steps to specify the VLAN
settings on the coupling and partner coupling ports:
Open the Switching > VLAN > VLAN Port dialog.
Change the Port-VLAN ID setting to the value of the VLAN ID configured on the ports.
Unmark the Ingress filtering checkbox for both coupling ports.
Open the Switching > VLAN > VLAN Configuration dialog.
To tag the redundant connections for VLAN 1 and VLAN Membership, enter the value T in the
cells corresponding to both coupling ports on the VLAN 1 row.
To save the changes temporarily, click the button.
The coupling devices send the redundancy packets with the highest priority on VLAN 1.
Perform the following steps to specify the Redundancy mode and Coupling mode settings:
Open the Switching > L2-Redundancy > Ring/Network Coupling dialog.
In the Configuration frame, Redundancy mode option list, select one of the following radio
buttons:
redundant ring/network coupling
With this setting, either the main line or the redundant line is active. The setting allows the devices to toggle
between both lines.
extended redundancy
With this setting, the main line and the redundant line are active simultaneously. The setting allows you to add
redundancy to the second network. When the connection between the coupling devices in the second network
becomes inoperable, the coupling devices continue to transmit and receive data.
During the reconfiguration period, packet duplications can occur. Therefore, select this setting only if your
end devices can detect duplicate packets.
Perform the following steps to reset the coupling settings to the default state:
Note: If you operate the Ring manager function and a two-switch coupling function on the same
device, there is the possibility of creating a loop.
To help prevent continuous loops while the connections are in operation on the ring coupling
ports, the device sets the port state of the coupling port to “off” if you perform one of the following
actions:
– disable the operation
– change the configuration
If you have configured VLANs on the coupling ports, perform the following steps to specify the VLAN
settings on the coupling and partner coupling ports:
Open the Switching > VLAN > VLAN Port dialog.
Change the Port-VLAN ID setting to the value of the VLAN ID configured on the ports.
Unmark the Ingress filtering checkbox for both coupling ports.
Open the Switching > VLAN > VLAN Configuration dialog.
To tag the redundant connections for VLAN 1 and VLAN Membership, enter the value T in the
cells corresponding to both coupling ports on the VLAN 1 row.
To save the changes temporarily, click the button.
The coupling devices send the redundancy packets with the highest priority on VLAN 1.
Note: If you operate the Ring manager function and a two-switch coupling function on the same
device, there is the possibility of creating a loop.
To help prevent continuous loops while the connections are in operation on the ring coupling
ports, the device sets the port state of the coupling port to “off” if you perform one of the following
actions:
– disable the operation
– change the configuration
Perform the following steps to specify the Redundancy mode and Coupling mode settings:
Open the Switching > L2-Redundancy > Ring/Network Coupling dialog.
In the Configuration frame, Redundancy mode option list, select one of the following radio
buttons:
redundant ring/network coupling
With this setting, either the main line or the redundant line is active. The setting allows the devices to toggle
between both lines.
extended redundancy
With this setting, the main line and the redundant line are active simultaneously. The setting allows you to add
redundancy to the second network. When the connection between the coupling devices in the second network
becomes inoperable, the coupling devices continue to transmit and receive data.
During the reconfiguration period, packet duplications can occur. Therefore, select this setting only if your
end devices can detect duplicate packets.
In the Configuration frame, Coupling mode option list, select one of the following radio
buttons:
If you connect to a ring network, then select the ring coupling radio button.
If you connect to a bus or mesh structure, then select the network coupling radio button.
The Coupling mode describes the type of the backbone network to which you connect the
ring network (see figure 62).
To save the changes temporarily, click the button.
Perform the following steps to reset the coupling settings to the default state:
12.11 RCP
Industrial applications require your networks to have high availability. This also involves maintaining
deterministic, short interruption times for the communication when a network device becomes
inoperable.
A ring topology provides short transition times with a minimal use of resources. However, ring topology
brings the challenge of coupling these rings together redundantly.
If you want to couple rings that run a redundancy protocol such as MRP, HIPER-Ring or RSTP, the Redundant
Coupling Protocol (RCP) provides you the required options.
RCP allows you to couple multiple secondary rings to a primary ring (see figure 66). Only the switches
which couple the rings require the Redundant Coupling Protocol function.
You can also use devices other than Hirschmann devices within the coupled networks.
The Redundant Coupling Protocol uses a master and a slave device to transport data between the
networks. Only the master forwards frames between the rings.
Using Hirschmann proprietary multicast messages, the RCP master and slave devices inform each
other about their operating state. Configure the devices in the ring which are not coupling devices to
forward the following multicast addresses: 01:80:63:07:00:09 and 01:80:63:07:00:0A. Connect the
master and slave devices as direct neighbors.
You use 4 ports per device to create the redundant coupling. Install the coupling devices with 2 inner
and 2 outer ports in each network. The “Inner Port” connects the master and slave devices together.
The “Outer Port” connects the devices to the network (see figure 66).
If the role is set to AUTO, the coupling device automatically selects its role as master or slave. If you
want a permanent master or slave device, configure the roles manually.
When the master is no longer reachable using the inner coupling ports, then the slave device waits for
the timeout period to expire before taking over the master role. During the specified timeout period, the
slave attempts to reach the master using the outer coupling ports. If the master is still not reachable,
then the slave assumes the master role. To maintain stability in the network connected to the outer
coupling ports, configure the timeout period for a longer duration than the recovery time in the coupled
rings.
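The following Python model is an added example, not part of the manual and not the protocol's implementation. It plays through the slave's takeover decision described above with the inner link between the coupler pair cut at t=0, and shows why the timeout must be longer than the recovery time of the coupled rings: if the slave gives up before the master's status messages can reach it over the outer ports, both couplers forward and the coupling closes a second path between the rings. The state machine, the millisecond values and the assumption that the outer path carries the master's messages only after the ring has recovered are illustrative; only the two multicast addresses come from the text.

```python
"""Added example, not from the Hirschmann manual: a discrete-time model of the RCP
slave's takeover decision described above. It shows why the timeout must be
longer than the recovery time of the coupled rings. The state machine and timings
are assumptions for illustration, not the protocol's real implementation."""

# Hirschmann multicast addresses the RCP pair uses for its status messages (from
# the manual); non-coupling devices in the ring must forward them.
RCP_MULTICASTS = ("01:80:63:07:00:09", "01:80:63:07:00:0a")


class RcpCoupler:
    """Coupler with a fixed role. The slave monitors the master's status messages
    on the inner ports and falls back to the outer ports during the timeout."""

    def __init__(self, role: str, timeout_ms: int):
        self.role = role
        self.timeout_ms = timeout_ms
        self.lost_since_ms = None
        self.last_path = "inner"

    def forwarding(self) -> bool:
        # Only the master forwards frames between the rings.
        return self.role == "master"

    def tick(self, now_ms: int, hello_inner: bool, hello_outer: bool) -> str:
        if self.role == "master":
            return self.role
        if hello_inner or hello_outer:
            self.lost_since_ms = None          # master reachable: stay slave
            self.last_path = "inner" if hello_inner else "outer"
            return self.role
        if self.lost_since_ms is None:
            self.lost_since_ms = now_ms        # start the timeout
        elif now_ms - self.lost_since_ms >= self.timeout_ms:
            self.role = "master"               # timeout expired: take over
        return self.role


def simulate(timeout_ms: int, ring_recovery_ms: int, master_alive: bool = True,
             step_ms: int = 10, duration_ms: int = 2000):
    """The inner link between the pair fails at t=0. The master's messages reach
    the slave over the outer ports only after the coupled ring has recovered
    (ring_recovery_ms); if the master itself failed, they never arrive.
    Returns (final slave role, number of couplers forwarding between the rings)."""
    master = RcpCoupler("master", timeout_ms)
    slave = RcpCoupler("slave", timeout_ms)
    for t in range(0, duration_ms, step_ms):
        hello_inner = False                              # inner link is down
        hello_outer = master_alive and t >= ring_recovery_ms
        slave.tick(t, hello_inner, hello_outer)
    forwarders = int(master_alive and master.forwarding()) + int(slave.forwarding())
    return slave.role, forwarders


if __name__ == "__main__":
    # timeout longer than ring recovery: one forwarder, coupling stays loop-free
    print(simulate(timeout_ms=500, ring_recovery_ms=150))
    # timeout shorter than ring recovery: slave takes over while the master is
    # alive, so both couplers forward between the rings
    print(simulate(timeout_ms=100, ring_recovery_ms=150))
    # master really failed: slave takes over once the timeout expires
    print(simulate(timeout_ms=500, ring_recovery_ms=150, master_alive=False))
```

The second run is the case the note above warns about: two forwarders between the rings means a loop until one side withdraws, which is why the timeout is sized against the slowest recovery time of the coupled rings.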
Note: Disable RSTP on the RCP redundant coupling inner and outer ports not connected to the RSTP
ring. In the example configuration, you disable RSTP on ports 1 and 2 of every device.
To enable the function, select the On radio button in the Operation frame.
To save the changes temporarily, click the button.
13 Operation diagnosis
The device immediately reports unusual events which occur during normal operation to the network
management station. This is done by messages called SNMP traps that bypass the polling procedure
(“polling” means querying the data stations at regular intervals). SNMP traps allow you to react quickly
to unusual events.
Examples of such events are:
Hardware reset
Changes to the configuration
Segmentation of a port
The device sends SNMP traps to various hosts to increase the transmission reliability for the messages.
The unacknowledged SNMP trap message consists of a packet containing information about an
unusual event.
The device sends SNMP traps to those hosts entered in the trap destination table. The device allows
you to configure the trap destination table with the network management station using SNMP.
For example, in the following dialogs you specify when the device triggers an SNMP trap:
Basic Settings > Port dialog
Basic Settings > Power over Ethernet > PoE Global dialog
Network Security > Port Security dialog
Switching > L2-Redundancy > Link Aggregation dialog
Diagnostics > Status Configuration > Device Status dialog
Diagnostics > Status Configuration > Security Status dialog
Diagnostics > Status Configuration > Signal Contact dialog
Diagnostics > Status Configuration > MAC Notification dialog
Diagnostics > System > IP Address Conflict Detection dialog
Diagnostics > System > Selftest dialog
Diagnostics > Ports > Port Monitor dialog
The device status provides an overview of the overall condition of the device. Many process
visualization systems record the device status for a device in order to present its condition in graphic
form.
The device displays its current status as error or ok in the Device status frame. The device
determines this status from the individual monitoring results.
The Global tab of the Diagnostics > Status Configuration > Device Status dialog allows you
to configure the device to send a trap to the management station for the following events:
Incorrect supply voltage
– at least one of the 2 supply voltages is not operating
– the internal supply voltage is not operating
When the device is operating outside of the user-defined temperature threshold
Loss of the redundancy (in ring manager mode)
The interruption of link connection(s)
Configure at least one port for this feature. In the Port tab of the Diagnostics > Status
Configuration > Device Status dialog in the Propagate connection error row, you specify
which ports the device signals if the link is down.
The removal of the external memory.
The configuration in the external memory is out-of-sync with the configuration in the device.
The removal of a module
Select the corresponding entries to decide which events the device status includes.
Note: With a non-redundant voltage supply, the device reports the absence of a supply voltage. To
disable this message, feed the supply voltage over both inputs or ignore the monitoring.
Name                          Meaning
Temperature                   If the temperature exceeds or falls below the value specified.
Ring redundancy               Enable this function to monitor if ring redundancy is present.
Connection errors             Enable this function to monitor every port link event in which the Propagate connection error checkbox is active.
Module removal                Enable this global function to monitor the removal of a module. Also enable the individual module to monitor.
External memory removal       Enable this function to monitor the presence of an external storage device.
External memory not in sync   The device monitors synchronization between the device configuration and the configuration stored on the ENVM.
Power supply                  Enable this function to monitor the power supply.
Table 34: Device Status events
device-status monitor module-removal   Monitors the modules. The value in the Device status frame changes to error if you remove a module from the device.
device-status module 1                 Monitors module 1. The value in the Device status frame changes to error if you remove module 1 from the device.
To enable the device to monitor an enabled port that has no link connection, first enable the global
function, then enable the individual ports.
Perform the following steps:
Open the Diagnostics > Status Configuration > Device Status dialog, Global tab.
For the Connection errors parameter, mark the checkbox in the Monitor column.
Open the Diagnostics > Status Configuration > Device Status dialog, Port tab.
For the Propagate connection error parameter, mark the checkbox in the column of the
ports to be monitored.
To save the changes temporarily, click the button.
Note: The above CLI commands activate monitoring and trapping for the supported components. If you
want to activate or deactivate monitoring for individual components, you will find the corresponding
syntax in the “Command Line Interface” reference manual or in the help of the CLI console. (Enter a
question mark ? for the CLI prompt.)
The Security Status provides an overview of the overall security of the device. Many processes aid in
system visualization by recording the security status of the device and then presenting its condition in
graphic form. The device displays the overall security status in the Basic Settings > System dialog,
Security status frame.
In the Global tab of the Diagnostics > Status Configuration > Security Status dialog the
device displays its current status as error or ok in the Security status frame. The device determines
this status from the individual monitoring results.
To enable the device to monitor an enabled port that has no link connection, first enable the global
function, then enable the individual ports.
The device uses the signal contact to control external devices and monitor device functions. Function
monitoring enables you to perform remote diagnostics.
The device reports the operating status using a break in the potential-free signal contact (relay contact,
closed circuit) for the selected mode. The device monitors the following functions:
Incorrect supply voltage
– at least one of the 2 supply voltages is not operating
– the internal supply voltage is not operating
When the device is operating outside of the user-defined temperature threshold
Events for ring redundancy
Loss of the redundancy (in ring manager mode)
In the default setting, ring redundancy monitoring is inactive. The device is a normal ring participant
and detects an error in the local configuration.
The interruption of link connection(s)
Configure at least one port for this feature. In the Propagate connection error frame, you specify
which ports the device signals if the link is down. In the default setting, link monitoring is inactive.
The removal of the external memory.
The configuration on the external memory does not match that in the device.
The removal of a module
Select the corresponding entries to decide which events the device status includes.
Note: With a non-redundant voltage supply, the device reports the absence of a supply voltage. To
disable this message, feed the supply voltage over both inputs or ignore the monitoring.
signal-contact 1 monitor envm-removal       Monitors the active external memory. The signal contact opens if you remove the active external memory from the device.
signal-contact 1 monitor envm-not-in-sync   Monitors the configuration profiles in the device and in the external memory. The signal contact opens in the following situations:
                                            – The configuration profile solely exists in the device.
                                            – The configuration profile in the device differs from the configuration profile in the external memory.
signal-contact 1 monitor power-supply 1     Monitors the power supply unit 1. The signal contact opens if the device has a detected power supply fault.
signal-contact 1 monitor module-removal 1   Monitors module 1. The signal contact opens if you remove module 1 from the device.
signal-contact 1 trap                       Enables the device to send an SNMP trap when the status of the operation monitoring changes.
no signal-contact 1 trap                    Disables the SNMP trap.
To enable the device to monitor an enabled port that has no link connection, first enable the global
function, then enable the individual ports.
Perform the following steps:
In the Monitor column, activate the Link interrupted on enabled device ports function.
Open the Diagnostics > Status Configuration > Device Status dialog, Port tab.
enable                                  Change to the Privileged EXEC mode.
configure                               Change to the Configuration mode.
signal-contact 1 monitor link-failure   Monitors the link of the ports/interfaces. The signal contact opens if the link interrupts on a monitored port/interface.
interface 1/1                           Change to the interface configuration mode of interface 1/1.
signal-contact 1 link-alarm             Monitors the port/interface link. The signal contact opens if the link interrupts on the port/interface.
show signal-contact 1 all               Displays signal contact settings for the specified signal contact.
The port statistics table enables experienced network administrators to identify possible detected
problems in the network.
This table displays the contents of various event counters. The packet counters add up the events sent
and the events received. In the Basic Settings > Restart dialog, you can reset the event counters.
Counter              Indication of known possible weakness
Received fragments   – Non-functioning controller of the connected device
                     – Electromagnetic interference in the transmission medium
CRC Error            – Non-functioning controller of the connected device
                     – Electromagnetic interference in the transmission medium
                     – Inoperable component in the network
Collisions           – Non-functioning controller of the connected device
                     – Network overextended/lines too long
                     – Collision or a detected fault with a data packet
Table 38: Examples indicating known weaknesses
13.7 Auto-Disable
The device can disable a port due to several configurable reasons. Each reason causes the port to “shut
down”. In order to recover the port from the shut down state, you can manually clear the condition which
caused the port to shut down or specify a timer to automatically re-enable the port.
If the configuration displays a port as enabled, but the device detects an error or change in the condition,
the software shuts down that port. In other words, the device software disables the port because of a
detected error or change in the condition.
When a port is auto-disabled, the device effectively shuts down the port and the port blocks traffic. The
port LED blinks green 3 times per period and identifies the reason for the shutdown. In addition, the
device creates a log file entry which lists the causes of the deactivation. When you re-enable the port
after a timeout using the Auto-Disable function, the device generates a log entry.
The Auto-Disable function provides a recovery function which automatically enables an auto-disabled
port after a user-defined time. When this function enables a port, the device sends an SNMP trap with
the port number, but without a value for the Reason parameter.
The Auto-Disable function serves the following purposes:
It assists the network administrator in port analysis.
It reduces the possibility that this port causes the network to be unstable.
The Auto-Disable function is available for the following functions:
Link flap (Port Monitor function)
CRC/Fragments (Port Monitor function)
Duplex Mismatch detection (Port Monitor function)
DHCP Snooping
Dynamic ARP Inspection
Spanning Tree
Port Security
Overload detection (Port Monitor function)
Link speed/Duplex mode detection (Port Monitor function)
In the following example, you configure the device to disable a port due to detected violations of the
thresholds specified in the Diagnostics > Ports > Port Monitor > CRC/Fragments tab and then
automatically re-enable the disabled port.
In the Action column you can choose how the device reacts to detected errors. In this
example, the device disables port 1/1 for threshold violations and then automatically re-enables the port.
To allow the device to disable and automatically re-enable the port, select the value auto-disable and
configure the Auto-Disable function. The value auto-disable only works in conjunction with the
Diagnostics > Ports > Auto-Disable function.
The device can also disable a port without auto re-enabling.
To allow the device to disable the port only, select the value disable port.
To manually re-enable a disabled port, highlight the port.
Click the button and then the Reset item.
When you configure the Auto-Disable function, the value disable port also automatically re-enables the
port.
Open the Diagnostics > Ports > Port Monitor dialog, Auto-disable tab.
To allow the device to auto re-enable the port after it was disabled due to detected threshold
violations, mark the checkbox in the CRC error column.
Open the Diagnostics > Ports > Port Monitor dialog, Port tab.
Specify the delay time as 120 s in the Reset timer [s] column for the ports you want to
enable.
Note: The Reset item allows you to enable the port before the time specified in the Reset timer
[s] column counts down.
When the device disables a port due to threshold violations the device allows you to use the following
CLI commands to manually reset the disabled port.
Perform the following steps:
enable                Change to the Privileged EXEC mode.
configure             Change to the Configuration mode.
interface 1/1         Change to the interface configuration mode of interface 1/1.
auto-disable reset    Allows you to enable the port before the Timer counts down.
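The sequence described above (threshold violation, shutdown with a logged reason, re-enable after the Reset timer or by manual reset, trap without a Reason value on re-enable) modelled as an added Python example; this is not the device firmware or Hirschmann code, and the per-interval thresholds, the 60 s sampling and the counter values are constructed assumptions:

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PortMonitorConfig:
    """Settings modelled on the Port Monitor and Auto-Disable dialogs (thresholds assumed)."""
    crc_threshold: int = 20        # CRC errors per interval that count as a violation (assumed)
    fragment_threshold: int = 20   # received fragments per interval (assumed)
    auto_reenable: bool = True     # CRC error checkbox in the Auto-disable tab
    reset_timer_s: int = 120       # Reset timer [s] column, as in the example above


@dataclass
class MonitoredPort:
    name: str
    config: PortMonitorConfig
    enabled: bool = True
    disabled_reason: Optional[str] = None
    disabled_at: Optional[float] = None
    log: List[str] = field(default_factory=list)
    traps: List[dict] = field(default_factory=list)

    def observe(self, now: float, crc_errors: int, fragments: int) -> bool:
        """Feed one interval of port statistics; returns the port's enabled state afterwards."""
        if not self.enabled:
            self._expire_timer(now)
            return self.enabled
        reasons = []
        if crc_errors >= self.config.crc_threshold:
            reasons.append("crc-error")
        if fragments >= self.config.fragment_threshold:
            reasons.append("fragments")
        if reasons:
            self._shut_down(now, ",".join(reasons))
        return self.enabled

    def reset(self, now: float) -> None:
        """Manual re-enable: the Reset item or the 'auto-disable reset' CLI command."""
        if not self.enabled:
            self._enable(now, "manual reset")

    def _shut_down(self, now: float, reason: str) -> None:
        self.enabled = False
        self.disabled_reason = reason
        self.disabled_at = now
        # The device writes the cause of the deactivation to its log and sends a trap
        self.log.append(f"{now:.0f}s port {self.name} shut down: {reason}")
        self.traps.append({"port": self.name, "reason": reason})

    def _expire_timer(self, now: float) -> None:
        c = self.config
        if c.auto_reenable and now - self.disabled_at >= c.reset_timer_s:
            self._enable(now, "reset timer expired")

    def _enable(self, now: float, how: str) -> None:
        self.enabled = True
        self.disabled_reason = None
        self.disabled_at = None
        self.log.append(f"{now:.0f}s port {self.name} re-enabled ({how})")
        # The re-enable trap carries the port but no value for the Reason parameter
        self.traps.append({"port": self.name, "reason": None})


def run_scenario(auto_reenable: bool = True) -> MonitoredPort:
    """Constructed sequence of 60 s statistics intervals for port 1/1 (sample data, not captured)."""
    port = MonitoredPort("1/1", PortMonitorConfig(auto_reenable=auto_reenable))
    samples = [(0, 3, 0), (60, 25, 4), (120, 0, 0), (180, 0, 0), (240, 0, 0)]
    for now, crc, frag in samples:
        port.observe(now, crc, frag)
    return port
```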
The SFP status display allows you to look at the current SFP module connections and their properties.
The properties include:
module type
serial number of media module
temperature in °C
transmission power in mW
receive power in mW
IEEE 802.1AB defines the Link Layer Discovery Protocol (LLDP). LLDP allows the user to automatically
detect the LAN network topology.
As the main element, the connection information contains an exact, unique identifier for the connection
end point: MAC (Service Access Point). This is made up of a device identifier which is unique on the
entire network and a unique port identifier for this device.
Chassis identifier (its MAC address)
Port identifier (its port-MAC address)
Description of port
System name
System description
Supported system capabilities
System capabilities currently active
Interface ID of the management address
VLAN-ID of the port
Auto-negotiation status on the port
Medium, half/full duplex setting and port speed setting
Information about the VLANs installed in the device (VLAN-ID and VLAN name, irrespective of
whether the port is a VLAN participant).
A network management station can call up this information from devices with activated LLDP. This
information enables the network management station to map the topology of the network.
Non-LLDP devices normally block the special Multicast LLDP IEEE MAC address used for information
exchange. Non-LLDP devices therefore discard LLDP packets. When positioning a non-LLDP capable
device between 2 LLDP capable devices, the non-LLDP capable device prohibits information
exchanges between the 2 LLDP capable devices.
The Management Information Base (MIB) for a device with LLDP capability holds the LLDP information
in the lldp MIB and in the private HM2-LLDP-EXT-HM-MIB and HM2-LLDP-MIB.
If you use a port to connect several devices, for example via a hub, the table contains a line for each
connected device.
Activating Display FDB Entries at the bottom of the table allows you to display devices without active
LLDP support in the table. In this case, the device also includes information from its FDB (forwarding
database).
If you connect the port to devices with the topology discovery function active, then the devices exchange
LLDP Data Units (LLDPDU) and the topology table displays these neighboring devices.
When a port connects devices without an active topology discovery exclusively, the table contains a line
for this port to represent the connected devices. This line contains the number of connected devices.
The FDB address table contains MAC addresses of devices that the topology table hides for the sake
of clarity.
13.9.2 LLDP-Med
LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between
endpoint devices. Endpoints include devices such as IP phones, or other Voice over IP (VoIP) devices
or servers and network devices such as switches. It specifically provides support for VoIP applications.
LLDP-MED provides this support using an additional set of common type-length-value (TLV)
advertisement messages, for capabilities discovery, network policy, Power over Ethernet, inventory
management and location information.
The device supports the following TLV messages:
capabilities TLV
Allows LLDP-MED endpoints to determine the capabilities that the connected device supports and
what capabilities the device has enabled.
Network policy TLV
Allows both network connectivity devices and endpoints to advertise VLAN configurations and
associated attributes for the specific application on that port. For example, the device notifies a phone
of the VLAN number. The phone connects to a switch, obtains its VLAN number, and then starts
communicating with the call control.
LLDP-MED provides the following functions:
Network policy discovery, including VLAN ID, 802.1p priority and Diffserv code point (DSCP)
Device location and topology discovery based on LAN-level MAC/port information
Endpoint move detection notification, from network connectivity device to the associated VoIP
management application
Extended device identification for inventory management
Identification of endpoint network connectivity capabilities, for example, multi-port IP Phone with
embedded switch or bridge capability
Application level interactions with the LLDP protocol elements to provide timely startup of LLDP to
support rapid availability of an Emergency Call Service
Applicability of LLDP-MED to Wireless LAN environments, support for Voice over Wireless LAN
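To make the advertisement fields listed in the LLDP and LLDP-MED sections above concrete, the following added Python example (not code from the device or from Hirschmann) builds a constructed LLDPDU and decodes the chassis ID, port ID, TTL, port description, system name and description, capabilities, management address, the IEEE 802.1 Port VLAN ID and the LLDP-MED Network Policy TLV (VLAN ID, 802.1p priority, DSCP). All MAC and IP addresses and names in the sample are made up:

```python
import struct

LLDP_MULTICAST_MAC = "01:80:c2:00:00:0e"   # destination of LLDPDUs; non-LLDP devices drop it
ETHERTYPE_LLDP = 0x88CC
OUI_IEEE8021 = b"\x00\x80\xc2"             # IEEE 802.1 org-specific TLVs (Port VLAN ID)
OUI_LLDP_MED = b"\x00\x12\xbb"             # TIA LLDP-MED org-specific TLVs
CAPABILITY_BITS = {0x01: "other", 0x02: "repeater", 0x04: "bridge", 0x08: "wlan-ap",
                   0x10: "router", 0x20: "telephone", 0x40: "docsis", 0x80: "station"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def caps(bits: int) -> list:
    return sorted(name for bit, name in CAPABILITY_BITS.items() if bits & bit)


def tlv(tlv_type: int, value: bytes) -> bytes:
    """One TLV: 7-bit type and 9-bit length in a 16-bit header, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(pdu: bytes):
    off = 0
    while off + 2 <= len(pdu):
        hdr, = struct.unpack_from("!H", pdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(pdu):
            raise ValueError("TLV length exceeds LLDPDU")   # malformed advertisement
        yield tlv_type, pdu[off:off + length]
        off += length
        if tlv_type == 0:          # End of LLDPDU TLV
            return


def parse_org_specific(value: bytes, out: dict) -> None:
    oui, subtype, info = value[:3], value[3], value[4:]
    if oui == OUI_IEEE8021 and subtype == 1:            # Port VLAN ID
        out["port_vlan_id"], = struct.unpack("!H", info)
    elif oui == OUI_LLDP_MED and subtype == 2:          # LLDP-MED Network Policy
        word, = struct.unpack("!I", info)
        out["network_policy"] = {
            "application_type": word >> 24,              # 1 = voice
            "unknown_policy": bool((word >> 23) & 1),
            "tagged": bool((word >> 22) & 1),
            "vlan_id": (word >> 9) & 0xFFF,
            "l2_priority": (word >> 6) & 0x7,            # 802.1p priority
            "dscp": word & 0x3F,
        }


def parse_lldp_frame(frame: bytes) -> dict:
    """Decode an Ethernet frame carrying an LLDPDU into the neighbor information fields."""
    dst, src = frame[:6], frame[6:12]
    ethertype, = struct.unpack_from("!H", frame, 12)
    if mac_str(dst) != LLDP_MULTICAST_MAC or ethertype != ETHERTYPE_LLDP:
        raise ValueError("not an LLDP frame")
    out = {"source_mac": mac_str(src)}
    for tlv_type, v in iter_tlvs(frame[14:]):
        if tlv_type == 1 and v[0] == 4:      # Chassis ID, subtype 4 = MAC address
            out["chassis_id"] = mac_str(v[1:])
        elif tlv_type == 2 and v[0] == 3:    # Port ID, subtype 3 = MAC address
            out["port_id"] = mac_str(v[1:])
        elif tlv_type == 3:
            out["ttl"], = struct.unpack("!H", v)
        elif tlv_type == 4:
            out["port_description"] = v.decode()
        elif tlv_type == 5:
            out["system_name"] = v.decode()
        elif tlv_type == 6:
            out["system_description"] = v.decode()
        elif tlv_type == 7:
            supported, enabled = struct.unpack("!HH", v)
            out["capabilities_supported"] = caps(supported)
            out["capabilities_enabled"] = caps(enabled)
        elif tlv_type == 8:                  # Management address
            addr_len = v[0]                  # includes the 1-byte address subtype
            if v[1] == 1:                    # IPv4
                out["mgmt_address"] = ".".join(str(b) for b in v[2:1 + addr_len])
            out["mgmt_if_number"], = struct.unpack_from("!I", v, 2 + addr_len)
        elif tlv_type == 127:
            parse_org_specific(v, out)
    return out


def build_sample_frame() -> bytes:
    """Constructed LLDPDU from a hypothetical switch; addresses and names are made up."""
    chassis_mac = bytes.fromhex("001122334455")
    port_mac = bytes.fromhex("001122334456")
    mgmt = struct.pack("!BB4sBIB", 5, 1, bytes([192, 168, 3, 10]), 2, 3, 0)
    pvid = OUI_IEEE8021 + b"\x01" + struct.pack("!H", 20)
    # Network policy: voice application, known policy, tagged, VLAN 30, priority 5, DSCP 46
    policy_word = (1 << 24) | (1 << 22) | (30 << 9) | (5 << 6) | 46
    policy = OUI_LLDP_MED + b"\x02" + struct.pack("!I", policy_word)
    pdu = b"".join([
        tlv(1, b"\x04" + chassis_mac), tlv(2, b"\x03" + port_mac),
        tlv(3, struct.pack("!H", 120)), tlv(4, b"Module: 1 Port: 1"),
        tlv(5, b"switch-example"), tlv(6, b"Constructed sample system description"),
        tlv(7, struct.pack("!HH", 0x0014, 0x0004)),   # bridge+router supported, bridge enabled
        tlv(8, mgmt), tlv(127, pvid), tlv(127, policy), tlv(0, b""),
    ])
    return bytes.fromhex("0180c200000e") + chassis_mac + struct.pack("!H", ETHERTYPE_LLDP) + pdu
```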
Loops in the network cause connection interruptions or data losses. This also applies to temporary
loops. The automatic detection and reporting of this situation allows you to detect it faster and diagnose
it more easily.
An incorrect configuration causes loops, for example, if you deactivate Spanning Tree.
The device allows you to detect the effects typically caused by loops and report this situation
automatically to the network management station. You have the option here to specify the magnitude of
the loop effects that trigger the device to send a report.
BPDU frames sent from the designated port and received either on a different port of the same device
or on the same port within a short time are a typical effect of a loop.
Open the Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab.
Check the value in the fields Port state and Port role . If the Port state field displays
the value discarding and the Port role field displays the value backup, the port is in a loop
status.
or
Open the Switching > L2-Redundancy > Spanning Tree > Port dialog, Guards tab.
Check the value in the Loop state column. If the field displays the value true, the port is in
a loop status.
The device allows you to inform users by email about events that have occurred. Prerequisite is that a
mail server is available through the network on which the device transfers the emails.
Severity        Meaning
informational   Informational message
debug           Debug message
Table 40: Meaning of the severities for events (cont.)
You have the option of specifying the events of which the device informs you. For this, assign the
desired minimum severity to the notification levels of the device.
In the Notification periodic frame, you specify the settings for emails which the device
sends periodically.
Change the value in the Sending interval [min] field to change the interval.
To save the changes temporarily, click the button.
In the Encryption column, specify the protocol which encrypts the connection between the
device and the mail server.
In the Destination TCP port column, specify the TCP port if the mail server uses a port other
than the well-known port.
If the mail server requests an authentication:
In the User name and Password columns, specify the account credentials which the device
uses to authenticate on the mail server.
In the Description column, enter a meaningful name for the mail server.
In the Active column, mark the checkbox.
To save the changes temporarily, click the button.
13.12 Reports
The device buffers logged events in 2 separate storage areas so that the device keeps log entries for
urgent events. Specify the minimum severity for events that the device logs to the buffered storage area
with a higher priority.
Perform the following steps:
To send events to the buffer, specify the desired level in the Buffered logging frame,
Severity field.
To save the changes temporarily, click the button.
When you activate the logging of SNMP requests, the device logs the requests as events in the Syslog.
The Log SNMP get request function logs user requests for device configuration information. The Log
SNMP set request function logs device configuration events. Specify the minimum level for events that
the device logs in the Syslog.
Perform the following steps:
Enable the Log SNMP get request function for the device in order to send SNMP Read
requests as events to the Syslog server.
To enable the function, select the On radio button in the SNMP logging frame.
Enable the Log SNMP set request function for the device in order to send SNMP Write
requests as events to the Syslog server.
To enable the function, select the On radio button in the SNMP logging frame.
Choose the desired severity level for the get and set requests.
To save the changes temporarily, click the button.
When active, the device logs configuration changes made using the CLI commands, to the audit trail.
This feature is based on the IEEE 1686 standard for Substation Intelligent Electronic Devices.
Perform the following steps:
Open the Diagnostics > Report > Report Global dialog.
To enable the function, select the On radio button in the CLI logging frame.
To save the changes temporarily, click the button.
The device allows you to save the following system information data in one ZIP file on your PC:
audittrail.html
CLICommands.txt
defaultconfig.xml
script
runningconfig.xml
supportinfo.html
systeminfo.html
systemlog.html
The device creates the file name of the ZIP archive automatically in the format
<IP_address>_<system_name>.zip.
Perform the following steps:
Click the button and then the Download support information item.
Select the directory in which you want to save the support information.
To save the changes temporarily, click the button.
13.12.2 Syslog
The device enables you to send messages about important device internal events to one or more Syslog
servers (up to 8). Additionally, you also include SNMP requests to the device as events in the Syslog.
Note: To display the logged events, open the Diagnostics > Report > Audit Trail dialog or the
Diagnostics > Report > System Log dialog.
Perform the following steps:
Open the Diagnostics > Syslog dialog.
To add a table entry, click the button.
In the IP address column, enter the IP address of the Syslog server.
In the Destination UDP port column, specify the TCP or UDP port on which the Syslog
server expects the log entries.
In the Min. severity column, specify the minimum seriousness level an event must attain
for the device to send a log entry to this Syslog server.
Mark the checkbox in the Active column.
To enable the function, select the On radio button in the Operation frame.
To save the changes temporarily, click the button.
In the SNMP logging frame, configure the following settings for read and write SNMP requests:
Perform the following steps:
Open the Diagnostics > Report > Report Global dialog.
Enable the Log SNMP get request function for the device in order to send SNMP Read
requests as events to the Syslog server.
To enable the function, select the On radio button in the SNMP logging frame.
Enable the Log SNMP set request function for the device in order to send SNMP Write
requests as events to the Syslog server.
To enable the function, select the On radio button in the SNMP logging frame.
Choose the desired severity level for the get and set requests.
To save the changes temporarily, click the button.
logging snmp-requests set severity 5   The value 5 specifies the severity level of the event that the device logs in case of SNMP SET requests. The value 5 means Notice.
exit                                   Change to the Privileged EXEC mode.
show logging snmp                      Display the SNMP logging settings.
Note: You have the option to also send the logged events to one or more Syslog servers.
Note: Specify the IP address or DNS name on the server to match the IP Address or DNS name
provided in the server certificate. You find the values entered in the certificate as the Common Name or
the Subject Alternative Name.
Example
The given example describes the configuration of the Syslog function. By following these steps, the
device allows you to send the TLS encrypted Syslog messages over the TCP port specified in the
Destination UDP port column.
The Syslog messages that are sent from a device to a syslog server may transit over unsecure
networks. To configure a Syslog server over TLS, upload the Certificate Authority (CA) certificate to
the device.
Note: In order for the changes to take effect after loading a new certificate, restart the Syslog
function.
Perform the following steps:
Open the Diagnostics > Syslog dialog.
To initiate a connection with the Syslog servers, select the On radio button in the Operation
frame.
To save the changes temporarily, click the button.
The device validates the certificate received. The device also authenticates the server and starts
sending Syslog messages.
Upload the PEM certificate from the remote server or from the external memory.
enable                                           Change to the Privileged EXEC mode.
configure                                        Change to the Configuration mode.
logging host add 1 addr 192.168.3.215            Add index 1 to the Syslog server with IP address 192.168.3.215.
logging host modify 1 port 6512 type systemlog   Specify the port number 6512 and log the events in the system log.
logging host modify 1 transport tls              Specify the type of transmission as tls.
logging host modify 1 severity informational     Specify the type of event to log into the system log as informational.
exit                                             Change to the Privileged EXEC mode.
copy syslogcacert envm                           Copy the CA certificate from the external memory to the device.
show logging host                                Display the Syslog host settings.
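The device-side behaviour configured above, re-created as an added Python example (not the device's implementation): events that do not reach the configured minimum severity are dropped (a lower numeric code is more severe, and 5 is Notice as the CLI example states), messages are framed for a TCP transport, and the TLS context verifies the server certificate against the uploaded CA and requires the name or IP entered as server to match the certificate's Common Name or Subject Alternative Name. The CA file path, the server name and the device host name are assumptions:

```python
import socket
import ssl

# RFC 5424 severity codes; 5 is Notice, as in the CLI example above
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "informational": 6, "debug": 7}
FACILITY_LOCAL0 = 16


def passes_min_severity(event: str, minimum: str) -> bool:
    """A server entry with 'Min. severity' X receives events at least as severe as X.
    Lower numeric code means more severe, so the comparison is inverted."""
    return SEVERITY[event] <= SEVERITY[minimum]


def build_message(severity: str, hostname: str, app: str, text: str,
                  facility: int = FACILITY_LOCAL0,
                  timestamp: str = "2024-01-01T00:00:00Z") -> bytes:
    """RFC 5424 message with octet-counting framing (RFC 6587) for TCP/TLS transport."""
    pri = facility * 8 + SEVERITY[severity]
    msg = f"<{pri}>1 {timestamp} {hostname} {app} - - - {text}"
    return f"{len(msg.encode())} {msg}".encode()


def make_tls_context(ca_pem_path: str) -> ssl.SSLContext:
    """Trust only the uploaded CA and require the server name/IP to match the
    certificate's Common Name or Subject Alternative Name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=ca_pem_path)   # assumed path to the CA certificate
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def send_events(events, server: str, port: int, min_severity: str,
                ca_pem_path: str, hostname: str = "grs1040") -> int:
    """Forward the events that meet min_severity over TLS; returns the number sent.
    `server` must be the exact name or IP that appears in the server certificate."""
    frames = [build_message(sev, hostname, app, text)
              for sev, app, text in events if passes_min_severity(sev, min_severity)]
    if not frames:
        return 0
    ctx = make_tls_context(ca_pem_path)
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            for frame in frames:
                tls.sendall(frame)
    return len(frames)
```

With the settings from the CLI example above, the call would be `send_events(events, "192.168.3.215", 6512, "informational", "/path/to/ca.pem")`, which only succeeds if that IP is listed in the server certificate.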
watchdog events
locking a user after several unsuccessful login attempts
User login, either locally or remote, using CLI
Manual, user-initiated, logout
Timed logout after a user-defined period of CLI inactivity
file transfer operation including a Firmware Update
Configuration changes using HiDiscovery
Automatic configuration or firmware updates using the external memory
Blocked management access due to invalid login
rebooting
opening and closing SNMP over HTTPS tunnels
Detected power failures
Tcpdump is a packet-sniffing UNIX utility used by network administrators to sniff and analyze traffic on
a network. Typical reasons for sniffing traffic on a network are to verify connectivity between hosts or
to analyze the traffic traversing the network.
TCPDump on the device provides the possibility to decode or capture packets received and transmitted
by the Management CPU. This function is available using the debug CLI command. Refer to the
“Command Line Interface” reference manual for further information about the TCPDump function.
The device allows you to forward data packets that pass through the device to a destination port. There
you can monitor and evaluate the data packets.
The device provides you with the following options:
Port Mirroring
VLAN mirroring
Remote SPAN
[Figure: port mirroring example with a switch, a PLC, the backbone and an RMON probe]
On the destination port, the device exclusively sends the data packets copied from the source ports.
Before you switch on the Port Mirroring function, mark the checkbox Allow management to access
the management functions via the destination port. The device allows access to the management
functions via the destination port without interrupting the active Port Mirroring session.
Note: The device duplicates multicasts, broadcasts and unknown unicasts on the destination port.
The VLAN settings on the destination port remain unchanged. Prerequisite for management access at
the destination port is that the destination port is a member of the management VLAN.
To deactivate the Port Mirroring function and restore the default settings, click the button and
then the Reset config item.
Example configuration
In this example configuration, Sw 4 mirrors data received on VLAN 20 to a network analyzer on the
destination port.
To configure VLAN mirroring on Sw 4 use the following steps:
Create the mirrored VLAN.
Configure VLAN mirroring
[Figure: VLAN mirroring example. Sw 1 to Sw 4; VLAN 20 is mirrored; interfaces 3/1 and 3/4; the destination port is on Sw 4]
Note: To help prevent erroneous loop detection when you use the RSPAN function, observe the following:
If you connect to the neighboring devices using separate paths for uplink and RSPAN data, then verify
that the Spanning Tree Protocol is inactive on both ports of the RSPAN data links. If you use a reflector
port, then verify that the Spanning Tree Protocol is inactive on the links forwarding the RSPAN data.
In the following examples the network administrator desires to mirror the data stream to a network
analyzer located somewhere in the network. The examples demonstrate the various ways to integrate
the source device in your network.
In the examples, the network administrator desires to mirror the data packets received from switch 1,
on port 2/1 of switch 2 to the network analyzer connected to switch 4. The network administrator has
specified VLAN 30 as the RSPAN VLAN ID.
Example 1
In the example, you configure a reflector port on switch 2. Connect the ports 2/3 and 2/4 together
with an ethernet cable. The links between switch 2, switch 3 and switch 4 carry both the RSPAN and
the uplink data stream. Afterwards, perform the following steps:
[Figure: Example 1. Sw 1 port 1/1; Sw 2 ports 2/1, 2/2 and reflector ports 2/3, 2/4; Sw 3 ports 3/1, 3/2; Sw 4 ports 4/1, 4/2 with the network analyzer. Legend: RSPAN data only; Uplink and RSPAN data; Uplink data only]
Example 2
In this example, the network forwards the RSPAN data and the uplink data on parallel paths from the
source device to the destination device.
[Figure: Example 2. Sw 1 port 1/1; Sw 2 ports 2/1, 2/2, 2/3; Sw 3 ports 3/1, 3/2, 3/3, 3/4; Sw 4 ports 4/1, 4/2, 4/3 with the network analyzer]
Example 3
In the example, the source device switch 2 sends the uplink data and the RSPAN data to the
intermediate device switch 3. The intermediate device switch 3 then forwards the combined traffic on
a single link to the destination device switch 4.
[Figure: Example 3. Sw 1 port 1/1; Sw 2 ports 2/1, 2/2, 2/3; Sw 3 ports 3/1, 3/2, 3/3; Sw 4 ports 4/1, 4/2 with the network analyzer]
13.15 Self-test
The device checks its assets during the boot process and occasionally thereafter. The device checks
system task availability or termination and the available amount of memory. Furthermore, the device
checks for application functionality and if there is any hardware degradation in the chip set.
When the device detects a loss in integrity, the device responds to the degradation with a user-defined
action. The following categories are available for configuration.
task
Action to be taken when a task is unsuccessful.
resource
Action to be taken due to the lack of resources.
software
Action taken for loss of software integrity; for example, code segment checksum or access violations.
hardware
Action taken due to hardware degradation.
Configure each category to produce an action when the device detects a loss in integrity. The following
actions are available for configuration.
log only
This action writes a message to the logging file.
send trap
Sends an SNMP trap to the trap destination.
reboot
An error in the category, when activated, causes the device to reboot.
Disabling these functions lets you decrease the time required to restart the device after a cold start. You
find these options in the Diagnostics > System > Selftest dialog, Configuration frame.
RAM test
Activates/deactivates the RAM test function during a cold start.
SysMon1 is available
Activates/deactivates the System Monitor function during a cold start.
Load default config on error
Activates/deactivates the loading of the default device configuration if no readable configuration is
available during a restart.
Note: The following settings block your access to the device permanently if the device does not detect
any readable configuration profile when it is restarting. This is the case, for example, if the password of
the configuration profile that you are loading differs from the password set in the device.
The SysMon1 is available checkbox is unmarked.
The Load default config on error checkbox is unmarked.
Use this feature to test copper cables attached to an interface for a short or open circuit. While in
progress, the test interrupts the traffic flow on this port.
The table displays the state and lengths of each individual pair. The device returns a result with the
following meaning:
normal - indicates that the cable is operating properly
open - indicates an interruption in the cable
short circuit - indicates a short circuit in the cable
untested - indicates an untested cable
unknown - indicates that the cable is unplugged
SFlow is a standard protocol for monitoring networks. The device provides this function for visibility into
network activity, enabling effective management and control of network resources.
The SFlow monitoring system consists of an SFlow agent, embedded in the device and a central SFlow
collector. The agent uses sampling technology to capture traffic statistics. SFlow instances associated
with individual data sources within the agent perform packet flow and counter sampling. Using SFlow
datagrams the agent forwards the sampled traffic statistics to an SFlow collector for analysis.
The agent uses 2 forms of sampling: statistical packet-based sampling of packet flows and time-based
sampling of counters. An SFlow datagram contains both types of samples. Packet flow sampling,
based on a sampling rate, sends a steady but random stream of datagrams to the collector. For
time-based sampling, the agent polls the counters at set intervals to fill the datagrams.
The device implements datagram version 5 for the SFlow agent.
To configure the SFlow agent for a monitoring session, first configure an available receiver. Then,
configure a sampling rate to perform packet flow sampling. Additionally configure a polling interval for
counter sampling.
For example, Company XYZ wishes to monitor data flow on a device. The IP address of the remote
server running the sFlow collector is 10.10.10.10. XYZ requires a sample of the first 256 bytes of
every 300th packet. Furthermore, XYZ requires counter polling every 400 s.
Perform the following steps:
Open the Diagnostics > SFlow > Receiver dialog.
For the name of the person or organization controlling the receiver, enter the value XYZ in the
Name column.
For the remote server IP Address, on which the SFlow collector software runs, enter the value
10.10.10.10 in the IP address column.
Open the Diagnostics > SFlow > Configuration dialog, Sampler tab.
In the Receiver column, select the index number of the receiver specified in the previous
steps.
In the Sampling rate column, specify the value 300.
In the Max. header size [byte] column, specify the value 256.
Open the Diagnostics > SFlow > Configuration dialog, Poller tab.
In the Receiver column, select the index number of the receiver specified in the previous
steps.
In the Interval [s] column, specify the value 400.
To save the changes temporarily, click the button.
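The datagram layout that the sampler and poller settings above produce, as an added example that is not part of the manual: a collector-side decoder for sFlow version 5 datagrams in Python, exercised on a constructed datagram (the agent address 10.10.10.1, the port index 2 and all counter values are made up for the demonstration).

```python
import struct

SFLOW_VERSION = 5
FLOW_SAMPLE, COUNTER_SAMPLE = 1, 2      # sample formats (enterprise 0)
RAW_PACKET_HEADER = 1                   # flow record: sampled packet header
GENERIC_IF_COUNTERS = 1                 # counter record: generic interface counters


class Reader:
    """Cursor over the XDR-encoded, big-endian fields of a datagram."""

    def __init__(self, data: bytes, pos: int = 0):
        self.data, self.pos = data, pos

    def u32(self) -> int:
        (value,) = struct.unpack_from("!I", self.data, self.pos)
        self.pos += 4
        return value

    def u64(self) -> int:
        (value,) = struct.unpack_from("!Q", self.data, self.pos)
        self.pos += 8
        return value

    def opaque(self, length: int) -> bytes:
        value = self.data[self.pos:self.pos + length]
        self.pos += length + (-length % 4)   # XDR pads opaque data to 4 bytes
        return value


def parse_flow_sample(r: Reader) -> dict:
    """Packet flow sample: carries the sampling rate and a truncated packet header."""
    _seq, source_id, rate, pool, drops, inp, out, nrec = (r.u32() for _ in range(8))
    sample = {"type": "flow", "source_index": source_id & 0xFFFFFF,
              "sampling_rate": rate, "sample_pool": pool, "drops": drops,
              "input": inp, "output": out, "records": []}
    for _ in range(nrec):
        fmt, length = r.u32(), r.u32()
        start = r.pos
        if fmt == RAW_PACKET_HEADER:
            proto, frame_len, _stripped, hdr_len = (r.u32() for _ in range(4))
            sample["records"].append({"protocol": proto, "frame_length": frame_len,
                                      "header": r.opaque(hdr_len)})
        r.pos = start + length               # skip record types not decoded here
    return sample


def parse_counter_sample(r: Reader) -> dict:
    """Counter sample: polled interface counters (only the first fields are decoded)."""
    _seq, source_id, nrec = r.u32(), r.u32(), r.u32()
    sample = {"type": "counter", "source_index": source_id & 0xFFFFFF, "records": []}
    for _ in range(nrec):
        fmt, length = r.u32(), r.u32()
        start = r.pos
        if fmt == GENERIC_IF_COUNTERS:
            if_index, _if_type, if_speed, _direction, _status = (
                r.u32(), r.u32(), r.u64(), r.u32(), r.u32())
            sample["records"].append({"ifIndex": if_index, "ifSpeed": if_speed,
                                      "ifInOctets": r.u64(), "ifInUcastPkts": r.u32()})
        r.pos = start + length
    return sample


def parse_datagram(buf: bytes) -> dict:
    r = Reader(buf)
    if r.u32() != SFLOW_VERSION:
        raise ValueError("not an sFlow version 5 datagram")
    if r.u32() != 1:
        raise ValueError("only IPv4 agent addresses are handled in this example")
    agent = ".".join(str(b) for b in r.opaque(4))
    _sub_agent, sequence, uptime_ms, nsamples = (r.u32() for _ in range(4))
    parsers = {FLOW_SAMPLE: parse_flow_sample, COUNTER_SAMPLE: parse_counter_sample}
    samples = []
    for _ in range(nsamples):
        fmt, length = r.u32(), r.u32()
        if fmt in parsers:
            samples.append(parsers[fmt](Reader(buf, r.pos)))
        r.pos += length                      # the sample length lets unknown types be skipped
    return {"agent": agent, "sequence": sequence, "uptime_ms": uptime_ms,
            "samples": samples}


def build_sample_datagram() -> bytes:
    """Constructed datagram: one flow sample taken at rate 300 with a 64-byte header
    (the configured 256-byte cap truncates longer headers) plus one counter sample."""
    header = bytes(range(64))                # constructed packet header bytes
    rec = struct.pack("!IIII", 1, 1518, 4, len(header)) + header
    flow = (struct.pack("!8I", 1, 2, 300, 2100, 0, 2, 0, 1)
            + struct.pack("!II", RAW_PACKET_HEADER, len(rec)) + rec)
    counters = struct.pack("!IIQIIQIIIIIIQIIIIII", 2, 6, 1_000_000_000, 0, 3,
                           123456789, 654321, *([0] * 5), 98765432, *([0] * 6))
    ctr = (struct.pack("!III", 1, 2, 1)
           + struct.pack("!II", GENERIC_IF_COUNTERS, len(counters)) + counters)
    body = (struct.pack("!II", FLOW_SAMPLE, len(flow)) + flow
            + struct.pack("!II", COUNTER_SAMPLE, len(ctr)) + ctr)
    return struct.pack("!II4sIIII", SFLOW_VERSION, 1, bytes([10, 10, 10, 1]),
                       0, 42, 5000, 2) + body
```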
A DHCP server ("Dynamic Host Configuration Protocol") assigns IP addresses, Gateways, and other
networking definitions such as DNS and NTP parameters to clients.
The DHCP operations fall into 4 basic phases: IP discovery, IP lease offer, IP request, and IP lease
acknowledgment. Use the acronym DORA which stands for Discovery, Offer, Request, and
Acknowledgement to help remember the phases. The server receives client data on UDP port 67 and
sends data to the client on UDP port 68.
The DHCP server provides an IP address pool or "pool", from which it allocates IP addresses to clients.
The pool consists of a list of entries. An entry defines either a specific IP address or an IP address range.
The device allows you to activate the DHCP server globally and per interface.
A network administrator uses the DHCP Layer 2 Relay agent to add DHCP client information. This
information is required by Layer 3 Relay agents and DHCP servers to assign an address and
configuration to a client.
When a DHCP client and server are in the same IP subnet, they exchange IP address requests and
replies directly. However, having a DHCP server on each subnet is expensive and often impractical. An
alternative to having a DHCP server in every subnet is to use the network devices to relay packets
between a DHCP client and a DHCP server located in a different subnet.
A Layer 3 Relay agent is generally a router that has IP interfaces in both the client and server subnets
and routes traffic between them. However, in Layer 2 switched networks, there are one or more network
devices, switches for example, between the client and the Layer 3 Relay agent or DHCP server. In this
case, this device provides a Layer 2 Relay agent to add the information that the Layer 3 Relay agent
and DHCP server require to perform their roles in address and configuration assignment.
The following list contains the default settings for this function:
Global setting:
– Active setting: disable
Interface settings:
– Active setting: disable
– Trusted Port: disable
VLAN settings:
– Active setting: disable
– Circuit ID: enable
– Remote ID Type: mac
– Remote ID: blank
Also, the reply packet of the DHCP server contains the Circuit ID and the Remote ID. Before
forwarding the answer to the client, the device removes the information from the Option 82 field.
[Figure: Switch 1 with the DHCP server on port 1/2 and the DHCP client on port 1/1 in VLAN 2.]
Verify that VLAN 2 is present then perform the following steps on Switch 1:
Configure VLAN 2, and specify port 1/1 as a member of VLAN 2.
enable                          Change to the Privileged EXEC mode.
vlan database                   Change to the VLAN configuration mode.
dhcp-l2relay circuit-id 2       Activate the Circuit ID and the DHCP Option 82 on VLAN 2.
dhcp-l2relay remote-id ip 2     Specify the IP address of the device as the Remote ID on VLAN 2.
dhcp-l2relay mode 2             Activate the DHCP L2 Relay function on VLAN 2.
exit                            Change to the Privileged EXEC mode.
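The Option 82 handling described above (Circuit ID and Remote ID added on the way to the server, stripped from the server's reply, and the Trusted Port check for requests that already carry Option 82), as an added Python example that is not the device's code. The message builder, the Circuit ID encoding and the relay address 10.0.2.1 are constructed for the demonstration.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"        # RFC 2131 magic cookie
OPTIONS_OFFSET = 240                    # 236-byte fixed header + 4-byte cookie
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_RELAY_AGENT, OPT_END = 0, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2   # RFC 3046 sub-options


def parse_tlv(raw: bytes) -> List[Tuple[int, bytes]]:
    """Parse DHCP options; Option 82 sub-options share the same TLV shape."""
    items, i = [], 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == OPT_PAD:
            i += 1
            continue
        length = raw[i + 1]
        items.append((raw[i], raw[i + 2:i + 2 + length]))
        i += 2 + length
    return items


def build_tlv(items, terminate: bool = True) -> bytes:
    body = b"".join(bytes([code, len(value)]) + value for code, value in items)
    return body + (bytes([OPT_END]) if terminate else b"")


def build_dhcp(op: int, xid: int, chaddr: bytes, options) -> bytes:
    """Constructed minimal DHCP message: fixed header, cookie, options."""
    zero4 = b"\0" * 4
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                         zero4, zero4, zero4, zero4, chaddr, b"", b"")
    return header + DHCP_MAGIC + build_tlv(options)


def split_dhcp(msg: bytes):
    if msg[236:OPTIONS_OFFSET] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (bad magic cookie)")
    return msg[:OPTIONS_OFFSET], parse_tlv(msg[OPTIONS_OFFSET:])


def circuit_id(vlan_id: int, slot: int, port: int) -> bytes:
    """Constructed Circuit ID: ingress VLAN and port (real encodings vary by vendor)."""
    return struct.pack("!HBB", vlan_id, slot, port)


def remote_id_ip(address: str) -> bytes:
    """Remote ID of type 'ip': the relay's own IPv4 address, as in the CLI example."""
    return ipaddress.IPv4Address(address).packed


def relay_client_request(msg: bytes, circuit: bytes, remote: bytes,
                         trusted_port: bool) -> Optional[bytes]:
    """Client -> server direction: add Option 82 with Circuit ID and Remote ID.

    A request arriving on an untrusted port that already carries Option 82 is
    dropped (RFC 3046 section 2.1.1); on a trusted port it is forwarded as-is."""
    fixed, opts = split_dhcp(msg)
    if fixed[0] != BOOTREQUEST:
        return None
    if any(code == OPT_RELAY_AGENT for code, _ in opts):
        return msg if trusted_port else None
    sub = build_tlv([(SUBOPT_CIRCUIT_ID, circuit), (SUBOPT_REMOTE_ID, remote)],
                    terminate=False)
    return fixed + build_tlv(opts + [(OPT_RELAY_AGENT, sub)])


def relay_server_reply(msg: bytes) -> bytes:
    """Server -> client direction: strip Option 82 before forwarding the reply."""
    fixed, opts = split_dhcp(msg)
    if fixed[0] != BOOTREPLY:
        raise ValueError("expected a BOOTREPLY")
    return fixed + build_tlv([o for o in opts if o[0] != OPT_RELAY_AGENT])


def relay_info(msg: bytes) -> Optional[Tuple[Optional[bytes], Optional[bytes]]]:
    """Return (circuit_id, remote_id) carried in Option 82, or None if absent."""
    for code, value in split_dhcp(msg)[1]:
        if code == OPT_RELAY_AGENT:
            subs = dict(parse_tlv(value))
            return subs.get(SUBOPT_CIRCUIT_ID), subs.get(SUBOPT_REMOTE_ID)
    return None
```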
The Domain Name System (DNS) client queries DNS servers to resolve host names and IP addresses
of network devices. Much like a telephone book, the DNS client converts names of devices into IP
addresses. When the DNS client receives a request to resolve a new name it first queries its internal
static database, then the assigned DNS servers for the information. The DNS client saves the queried
information in a cache for future requests. The device offers the possibility to configure the DNS client
from the DHCP server using the management VLAN. The device also offers you the possibility to assign
host names to IP addresses statically.
The DNS client provides the following user functions:
DNS server list, with space for 4 domain name server IP addresses
static hostname to IP address mapping, with space for 64 configurable static hosts
host cache, with space for 128 entries
14.4 GARP
The Generic Attribute Registration Protocol (GARP) is defined by the IEEE to provide a generic
framework so switches can register and deregister attribute values, such as VLAN identifiers and
Multicast group membership.
When an attribute for a participant is registered or deregistered according to the GARP function, the
participant is modified according to specific rules. The participants are a set of reachable end stations
and network devices. The defined set of participants at any given time, along with their attributes, is the
reachability tree for the subset of the network topology. The device forwards the data frames only to the
registered end stations. The station registration helps to prevent attempts to send data to the end
stations that are unreachable.
Note: Before you enable the GMRP function, verify that the MMRP function is disabled.
The following example describes the configuration of the GMRP function. The device provides a
constrained multicast flooding facility on a selected port.
Perform the following steps:
Open the Switching > GARP > GMRP dialog.
To provide constrained Multicast Flooding on a port, mark the checkbox in the GMRP active
column.
To save the changes temporarily, click the button.
14.5 MRP-IEEE
The IEEE 802.1ak amendment to the IEEE 802.1Q standard introduced the Multiple Registration
Protocol (MRP) to replace the Generic Attribute Registration Protocol (GARP). The IEEE also modified
and replaced the GARP applications, GARP Multicast Registration Protocol (GMRP) and GARP VLAN
Registration Protocol (GVRP), with the Multiple MAC Registration Protocol (MMRP) and the Multiple VLAN
Registration Protocol (MVRP).
To confine traffic to the required areas of a network, the MRP applications distribute attribute values to
MRP enabled devices across a LAN. The MRP applications register and de-register Multicast group
memberships and VLAN identifiers.
Note: The Multiple Registration Protocol (MRP) requires a loop free network. To help prevent loops in
your network, use a network protocol such as the Media Redundancy Protocol, Spanning Tree Protocol,
or Rapid Spanning Tree Protocol with MRP.
The following list contains various MRP events that the device transmits:
Join - Controls the interval for the next Join message transmission
Leave - Controls the length of time that a switch waits in the Leave state before changing to the
withdraw state
LeaveAll - Controls the frequency with which the switch generates LeaveAll messages
The Periodic timer, when expired, initiates a Join request MRP message that the switch sends to
participants on the LAN. The switches use this message to prevent unnecessary withdraws.
14.5.3 MMRP
When a device receives Broadcast, Multicast or unknown traffic on a port, the device floods the traffic
to the other ports. This process causes unnecessary use of bandwidth on the LAN.
The Multiple MAC Registration Protocol (MMRP) allows you to control the traffic flooding by distributing
an attribute declaration to participants on a LAN. The attribute values that the MAD component encodes
and transmits on the LAN in MRP messages are Group service requirement information and 48-bit MAC
addresses.
The switch stores the attributes in a filtering database as MAC address registration entries. The
forwarding process uses the filtering database entries solely to transmit data through those ports
necessary to reach Group member LANs.
Switches facilitate the group distribution mechanisms based on the Open Host Group concept, receiving
packets on the active ports and forwarding them exclusively on ports with group members. This way, any
MMRP participant requiring packets transmitted to a particular group or groups requests membership in
the group. MAC service users send packets to a particular group from anywhere on the LAN. A group
receives these packets on the LANs attached to registered MMRP participants. MMRP and the MAC
Address Registration Entries thus restrict the packets to the required segments of a loop-free LAN.
In order to maintain the registration and deregistration state and to receive traffic, a port declares interest
periodically. Every device on a LAN with the MMRP function enabled maintains a filtering database and
forwards traffic having the group MAC addresses to listed participants.
MMRP example
In this example, Host A intends to listen to traffic destined to group G1. Switch A processes the MMRP
Join request received from host A and sends the request to both of the neighboring switches. The
devices on the LAN now recognize that there is a host interested in receiving traffic destined for group
G1. When Host B starts transmitting data destined for group G1, the data flows on the path of
registrations and Host A receives it.
[Figure: Switch 1, Switch 2 and Switch 3 connected in a row; Host A attached at port 1, Host B at port 6.]
To enable the MMRP ports on switch 1, use the following CLI commands. Substituting the appropriate
interfaces in the CLI commands, enable the MMRP functions and ports on switches 2 and 3.
enable                                  Change to the Privileged EXEC mode.
configure                               Change to the Configuration mode.
interface 1/1                           Change to the interface configuration mode of interface 1/1.
mrp-ieee mmrp operation                 Enable the MMRP function on the port.
interface 1/2                           Change to the interface configuration mode of interface 1/2.
mrp-ieee mmrp operation                 Enable the MMRP function on the port.
exit                                    Change to the Configuration mode.
mrp-ieee mrp periodic-state-machine     Enable the Periodic state machine function globally.
mrp-ieee mmrp operation                 Enable the MMRP function globally.
14.5.4 MVRP
The Multiple VLAN Registration Protocol (MVRP) is an MRP application that provides dynamic VLAN
registration and withdraw services on a LAN.
The MVRP function provides a maintenance mechanism for the Dynamic VLAN Registration Entries, and
for transmitting the information to other devices. This information allows MVRP-aware devices to
establish and update their VLAN membership information. When members are present on a VLAN, the
information indicates through which ports the switch forwards traffic to reach those members.
The main purpose of the MVRP function is to allow switches to discover some of the VLAN information
that you otherwise manually set up. Discovering this information allows switches to overcome the
limitations of bandwidth consumption and convergence time in large VLAN networks.
MVRP example
Set up a network comprised of MVRP aware switches (1 - 4) connected in a ring topology with end
device groups, A1, A2, B1, and B2 in 2 different VLANs, A and B. With STP enabled on the switches,
the ports connecting switch 1 to switch 4 are in the discarding state, preventing a loop condition.
[Figure: MVRP example ring of switches 1 to 4 with end device groups A1, A2, B1 and B2; ports 8 and 5 are labeled.]
To enable the function, select the On radio button in the Operation frame.
To save the changes temporarily, click the button.
To enable the MVRP ports on switch 1, use the following CLI commands. Substituting the appropriate
interfaces in the CLI commands, enable the MVRP functions and ports on switches 2, 3 and 4.
enable                                  Change to the Privileged EXEC mode.
configure                               Change to the Configuration mode.
interface 1/1                           Change to the interface configuration mode of interface 1/1.
mrp-ieee mvrp operation                 Enable the MVRP function on the port.
interface 1/2                           Change to the interface configuration mode of interface 1/2.
mrp-ieee mvrp operation                 Enable the MVRP function on the port.
exit                                    Change to the Configuration mode.
mrp-ieee mvrp periodic-state-machine    Enable the Periodic state machine function globally.
mrp-ieee mvrp operation                 Enable the MVRP function globally.
The device supports a CLI client that directly opens a connection to the SSH server using the TCP port
specified in the Device Security > Management Access > Server dialog, SSH tab. The CLI client
allows you to configure the device using CLI commands.
The prerequisite to using the CLI client is that you enable the function in the Device Security >
Management Access > Server dialog, SSH tab.
For detailed information on CLI commands, review the “Command Line Interface” reference manual.
15 Industry Protocols
For a long time, automation communication and office communication were on different paths. The
requirements and the communication properties were too different.
Office communication moves large quantities of data with low demands with respect to the transfer time.
Automation communication moves small quantities of data with high demands with respect to the
transfer time and availability.
While the transmission devices in the office are usually kept in temperature-controlled, relatively clean
rooms, the transmission devices used in automation are exposed to wider temperature ranges. Dirty,
dusty and damp ambient conditions make additional demands on the quality of the transmission
devices.
With the continued development of communication technology, the demands and the communication
properties have moved closer together. The high bandwidths now available in Ethernet technology and
the protocols they support enable large quantities to be transferred and exact transfer times to be
specified.
With the creation of the first optical LAN to be active worldwide, at the University of Stuttgart in 1984,
Hirschmann laid the foundation for industry-compatible office communication devices. Thanks to
Hirschmann's initiative with the world's first rail hub in the 1990s, Ethernet transmission devices such as
switches, routers and firewalls are now available for the toughest automation conditions.
The desire for uniform, continuous communication structures encouraged many manufacturers of
automation devices to come together and use standards to aid the progress of communication
technology in the automation sector. This is why we now have protocols that enable us to communicate
via Ethernet from the office right down to the field level.
[Figure: Physical Device containing a Logical Device with LN LPHD, LN LLN0 and LN LBRI; Ethernet input and output via port numbers 1 to 4.]
Figure 74: Bridge model based on Technical Report IEC 61850 90-4
Class | Description
LN LLN0 | Zero logical node of the Bridge IED: Defines the logical properties of the device.
LN LPHD | Physical Device logical node of the Bridge IED: Defines the physical properties of the device.
LN LBRI | Bridge logical node: Represents general settings of the bridge functions of the device.
LN LCCH | Communication Channel logical node: Defines the logical Communication Channel that consists of one or more physical device ports.
LN LCCF | Channel Communication Filtering logical node: Defines the VLAN and Multicast settings for the higher-level Communication Channel.
LN LBSP | Port Spanning Tree Protocol logical node: Defines the Spanning Tree statuses and settings for the respective physical device port.
LN LPLD | Port Layer Discovery logical node: Defines the LLDP statuses and settings for the respective physical device port.
LN LPCP | Physical Communication Port logical node: Represents the respective physical device port.
Table 41: Classes of the bridge model based on TR IEC61850 90-4
To start the MMS server, select the On radio button in the Operation frame, and click the button.
Afterwards, an MMS client is able to connect to the device and to read and monitor the objects
defined in the bridge model.
NOTICE
RISK OF UNAUTHORIZED ACCESS TO THE DEVICE
IEC61850/MMS does not provide any authentication mechanisms. If the write access for IEC61850/
MMS is activated, every client that can access the device using TCP/IP is capable of changing the
settings of the device. This in turn can result in an incorrect configuration of the device and to failures
in the network.
Only activate the write access if you have taken additional measures (for example Firewall, VPN,
etc.) to eliminate the risk of unauthorized access.
Failure to follow these instructions can result in equipment damage.
To allow the MMS client to change the settings, mark the Write access checkbox, and click the
button.
Offline configuration
The device allows you to download the ICD file using the graphical user interface. This file contains
the properties of the device described with SCL and enables you to configure the substation without
directly connecting to the device.
Open the Advanced > Industrial Protocols > IEC61850-MMS dialog.
To load the ICD file to your PC, click the button and then the Download item.
Modbus TCP is an application layer messaging protocol providing client/server communication between
the client and devices connected in Ethernet TCP/IP networks.
The Modbus TCP function allows you to install the device in networks already using Modbus TCP and
retrieve information saved in the registers in the device.
[Figure: Modbus client and Modbus server exchanging Request, Indication, Response and Confirmation.]
Modbus TCP/IP Request, the client creates a request for information and sends it to the server.
Modbus TCP/IP Indication, the server receives a request as an indication that a client requires
information.
Modbus TCP/IP Response, when the required information is available, the server sends a reply
containing the requested information. When the requested information is unavailable, the server
sends an Exception Response to notify the client of the error detected during the processing. The
Exception Response contains an exception code indicating the reason for the detected error.
Modbus TCP/IP Confirmation, the client receives a response from the server, containing the
requested information.
Port Information
Port Statistics
NOTICE
RISK OF UNAUTHORIZED ACCESS TO THE DEVICE
The Modbus TCP protocol does not provide any authentication mechanisms. If the write access for
Modbus TCP is activated, every client that can access the device using TCP/IP is capable of
changing the settings of the device. This in turn can result in an incorrect configuration of the device
and to failures in the network.
Only activate the write access if you have taken additional measures (for example Firewall, VPN,
etc.) to eliminate the risk of unauthorized access.
Failure to follow these instructions can result in equipment damage.
Open the Device Security > Management Access > IP Access Restriction dialog.
To add a table entry, click the button.
To specify the IP address range, enter 10.17.1.0/29 in the IP address range column of the row
with Index 2.
Verify that the Modbus TCP function is activated.
To activate the range, mark the Active checkbox.
Open the Diagnostics > Status Configuration > Security Status > Global dialog.
Verify that the Modbus TCP active checkbox contains a mark.
Open the Advanced > Industrial Protocols > Modbus TCP dialog.
The standard Modbus TCP listening port, port 502, is the default value. However, if you wish
to listen on another TCP port, enter the value for the listening port in the TCP port field.
To enable the function, select the On radio button in the Operation frame.
When you enable the Modbus TCP function, the Security Status function detects the activation
and displays an alarm in the Basic Settings > System dialog, Security status frame.
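The Request, Indication, Response and Confirmation exchange and the Exception Response described above, as an added Python example that is not the device's code: a client-side frame builder and parser for Read Holding Registers, and a simulated server that applies an IP access restriction like the 10.17.1.0/29 entry from the procedure before answering. The register contents and the client addresses are constructed.

```python
import ipaddress
import struct

MODBUS_TCP_PORT = 502                   # default listening port, as in the dialog
FC_READ_HOLDING_REGISTERS = 0x03
EXCEPTION_NAMES = {0x01: "Illegal function", 0x02: "Illegal data address",
                   0x03: "Illegal data value", 0x04: "Server device failure"}
# Constructed access list mirroring the 10.17.1.0/29 entry from the procedure.
ALLOWED_CLIENTS = [ipaddress.ip_network("10.17.1.0/29")]


class ModbusException(Exception):
    """Raised by the client when the server answers with an Exception Response."""

    def __init__(self, function_code: int, exception_code: int):
        self.function_code, self.exception_code = function_code, exception_code
        name = EXCEPTION_NAMES.get(exception_code, "unknown")
        super().__init__(f"function {function_code:#04x}: exception {exception_code} ({name})")


def mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """MBAP header: transaction id, protocol id 0, length (unit id + PDU), unit id."""
    return struct.pack("!HHHB", transaction_id, 0, 1 + len(pdu), unit_id) + pdu


def build_read_request(transaction_id: int, unit_id: int, start: int, quantity: int) -> bytes:
    """Client side, Request: Read Holding Registers beginning at register 'start'."""
    pdu = struct.pack("!BHH", FC_READ_HOLDING_REGISTERS, start, quantity)
    return mbap(transaction_id, unit_id, pdu)


def parse_response(frame: bytes):
    """Client side, Confirmation: return (transaction id, registers) or raise."""
    transaction_id, protocol_id, length, _unit = struct.unpack("!HHHB", frame[:7])
    if protocol_id != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    pdu = frame[7:]
    if pdu[0] & 0x80:                   # exception: function code with the high bit set
        raise ModbusException(pdu[0] & 0x7F, pdu[1])
    if pdu[0] != FC_READ_HOLDING_REGISTERS:
        raise ValueError(f"unexpected function code {pdu[0]:#04x}")
    byte_count = pdu[1]
    registers = struct.unpack(f"!{byte_count // 2}H", pdu[2:2 + byte_count])
    return transaction_id, list(registers)


def client_allowed(client_ip: str) -> bool:
    """The IP access restriction: only clients inside a configured range are served."""
    return any(ipaddress.ip_address(client_ip) in net for net in ALLOWED_CLIENTS)


def handle_request(frame: bytes, client_ip: str, registers: list):
    """Server side, Indication -> Response, against a simulated register map.
    Returns None when the access restriction drops the client's connection."""
    if not client_allowed(client_ip):
        return None
    transaction_id, _proto, _length, unit_id = struct.unpack("!HHHB", frame[:7])
    function_code, start, quantity = struct.unpack("!BHH", frame[7:12])
    if function_code != FC_READ_HOLDING_REGISTERS:
        return mbap(transaction_id, unit_id, bytes([function_code | 0x80, 0x01]))
    if not 1 <= quantity <= 125:
        return mbap(transaction_id, unit_id, bytes([function_code | 0x80, 0x03]))
    if start + quantity > len(registers):
        return mbap(transaction_id, unit_id, bytes([function_code | 0x80, 0x02]))
    data = struct.pack(f"!{quantity}H", *registers[start:start + quantity])
    return mbap(transaction_id, unit_id, bytes([function_code, len(data)]) + data)
```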
15.3 EtherNet/IP
[Figure: EtherNet/IP protocol stack: Controller and EtherNet/IP stack over TCP and UDP (UDP/IP unicast, UDP/IP unicast/multicast) over IP.]
EtherNet/IP adds the industry protocol, CIP (Common Industrial Protocol) to the standard Ethernet
protocols. EtherNet/IP implements CIP at the Session layer and above and adapts CIP to the specific
EtherNet/IP technology at the Transport layer and below. In the case of automation applications,
EtherNet/IP implements CIP on the application level. Therefore, EtherNet/IP is ideally suited to the
industrial control technology sector.
In particular, you will find EtherNet/IP in the USA and in conjunction with Rockwell controllers.
For detailed information on EtherNet/IP, see the ODVA home page at
www.odva.org/Home/ODVATECHNOLOGIES/EtherNetIP.aspx.
Note: If EtherNet/IP and the routing function are enabled at the same time, malfunctions are possible
with EtherNet/IP, for example, in connection with “RS Who”. Therefore, if the routing function is active,
then disable the routing function on the device.
To disable the routing function on the device, open the Routing > Routing Global dialog
and in the Operation frame, click the Off radio button.
Note: Monitoring the I/O connection to the CPU of the device as a failure can result in a system
failure. Therefore, monitoring the I/O connection as a failure criterion is less suitable.
The I/O connection between the programmable logic controller (PLC) and the device can be
interrupted by a management program. For example, a management station can saturate the CPU
of the device with higher priority Real Time (RT) data. In this case, the device can still transmit or
receive data packets and the system remains operational.
Identity object
The device supports the identity object (Class Code 0x01) of EtherNet/IP. The Hirschmann
manufacturer ID is 634. Hirschmann uses the ID 44 (0x2C) to indicate the product type "Managed
Ethernet Switch".
The following table lists the Instance attributes. Only instance 1 is available:
Id | Attribute | Access Rule | Data type | Description
1 | Vendor ID | Get | UINT | Hirschmann (634)
2 | Device Type | Get | UINT | Managed Ethernet Switch, 44 (0x2C)
3 | Product Code | Get | UINT | Product Code: mapping is defined for every device type
4 | Revision | Get | STRUCT of: USINT Major, USINT Minor | Revision of the EtherNet/IP implementation, 2.1.
5 | Status | Get | WORD | Support for the following Bit status only: Bit 0: Owned (always 1); Bit 2: Configured (always 1); Bit 4-7: Extended Device Status, value 3: No I/O connection established, value 7: At least one I/O connection established, all in idle mode.
6 | Serial number | Get | UDINT | Serial number of the device (contains last 3 Bytes of MAC address).
7 | Product name | Get | Short String (max. 32 Byte) | Displayed as "Hirschmann" + product family + product ID + software variant.
Note: The device replies to the configuration change Get Request with a Response even if saving
of the configuration has not yet been completed.
The following table lists the Class attributes:
Id | Attribute | Access Rule | Data type | Description
1 | Revision | Get | UINT | Revision of this object: 3
2 | Max Instance | Get | UINT | Maximum instance number: 1
3 | Number of instances | Get | UINT | Number of object instances currently created: 1
The following table lists the attributes of Instance 1:
Id | Attribute | Access Rule | Data type | Description
1 | Status | Get | DWORD | Interface Status: Bit 0-3: 0 Interface not configured, 1 Interface contains valid config; Bit 6: AcdStatus (default 0); Bit 7: AcdFault (default 0)
2 | Interface Capability flags | Get | DWORD | Bit 0: BOOTP Client; Bit 1: DNS Client; Bit 2: DHCP Client; Bit 3: DHCP-DNS Update; Bit 4: Configuration settable (within CIP); Bit 7: AcdCapable (TRUE shall indicate that the device is ACD capable); other bits reserved (0).
3 | Config Control | Set/Get | DWORD | Bit 0-3: Value 0 using stored config, Value 1 using BOOTP, Value 2 using DHCP; Bit 4: 1 device uses DNS for name lookup (always 0 because not supported); other bits reserved (0)
4 | Physical Link Object | Get | STRUCT of: UINT Path size, EPATH Path | Path to the Physical Link Object, always {0x20,0xF6,0x24,0x01} describing instance 1 of the Ethernet Link Object.
5 | Interface Configuration | Set/Get | STRUCT of: UDINT IP address, UDINT Netmask, UDINT Gateway address, UDINT Name server 1, UDINT Name server 2, STRING Domain name | IP Stack Configuration (IP address, netmask, gateway, 2 name servers (DNS, if supported) and the domain name).
6 | Host Name | Set/Get | STRING | Host Name (for DHCP DNS Update).
7 | Safety Network Number | Not supported | |
8 | TTL Value | Get/Set | USINT | Time to live value for IP multicast packets (1–255). Default value: TTL = 1
9 | Mcast Config | Get/Set | STRUCT of: USINT Alloc control, USINT reserved, UINT Num Mcast, UDINT Mcast Start Addr | Alloc Control = 0; Number of IP multicast addresses = 32; Multicast start address = 239.192.1.0
10 | SelectedAcd | Get/Set | BOOL | Enable ACD (1, default). Disable ACD (0).
11 | LastConflictDetected | Get | STRUCT of: USINT AcdActivity, Array of 6 USINT RemoteMAC, Array of 28 USINT ArpPdu | ACD Diagnostic Parameters
The following table lists the Hirschmann extensions to the TCP/IP Interface Object:
The following table lists the Hirschmann extensions to the Ethernet Link Object:
Id | Attribute | Access Rule | Data type | Description
100=0x64 | Ethernet Interface Index | Get | USINT | Interface/Port Index (ifIndex out of MIB II)
101=0x65 | Port Control | Get/Set | DWORD | Bit 0 (RO): Link state, 0 link down, 1 link up; Bit 1 (R/W): Link admin state, 0 disabled, 1 enabled; Bit 8 (RO): Access violation alarm; Bit 9 (RO): Utilization alarm
102=0x66 | Interface Utilization | Get | USINT | The existing counter out of the private MIB hm2IDiagfaceUtilization is used. Utilization in percentage (Unit 1% = 100, %/100). RX Interface Utilization.
103=0x67 | Interface Utilization Alarm Upper Threshold | Get/Set | USINT | Within this parameter the variable hm2DiagIfaceUtilizationAlarmUpperThreshold can be accessed. Utilization in percentage (Unit 1% = 100). RX Interface Utilization Upper Limit.
104=0x68 | Interface Utilization Alarm Lower Threshold | Get/Set | USINT | Within this parameter the variable hm2DiagIfaceUtilizationAlarmLowerThreshold can be accessed. Utilization in percentage (Unit 1% = 100). RX Interface Utilization Lower Limit.
105=0x69 | Broadcast limit | Get/Set | USINT | Broadcast limiter service (egress BC frames limitation, 0 = disabled), frames/second
106=0x6A | Ethernet Interface Description | Get/Set | STRING [max. 64 Bytes], even number of Bytes | Interface/Port Description (from MIB II ifDescr), for example "Unit: 1 Slot: 2 Port: 1 - 10/100 Mbit TX", or "unavailable", max. 64 Bytes.
Attribute | Id | Data type | Access Rule | Description
Switch Max Ports | 0x4 | UINT (16 Bit) | RO | Maximum number of Ethernet Switch Ports
Switch Action Status | 0x9 | DWORD (32 Bit) | RO | Status of the last executed action (for example config save, software update, etc.): Bit 0 Flash Save Configuration In Progress/Flash Write In Progress; Bit 1 Flash Save Configuration Failed/Flash Write Failed; Bit 4 Configuration changed (configuration not in sync. between running configuration
The Hirschmann specific Ethernet Switch Agent Object provides you with the additional vendor
specific service, with the Service-Code 35H for saving the Switch configuration. When you send a
request from your PC to save a device configuration, the device sends a reply after saving the
configuration in the flash memory.
The following table displays an overview of the supported EtherNet/IP requests for the object
instances.
Service code | Identity Object | TCP/IP Interface Object | Ethernet Link Object | Switch Agent Object | Base Switch Object | DLR Object
Get Attribute All (0x01) | All attributes | All attributes | All attributes | All attributes | All attributes | All attributes
Set Attribute All (0x02) | - | Settable attributes (3,5,6,8,9,10) | Settable attributes (6,9) | - | - | Settable attributes (4,5)
Get Attribute Single (0x0e) | All attributes | All attributes | All attributes | All attributes | All attributes | All attributes
Set Attribute Single (0x10) | - | Settable attributes (3,5,6,8,9,10,0x64) | Settable attributes (6,9,0x65,0x67,0x68,0x69,6C) | Settable attributes (7) | - | Settable attributes (4,5)
Reset (0x05) | Parameter (0,1) | - | - | - | - | -
Save Configuration (0x35), vendor specific | - | - | - | Save switch configuration | - | -
Mac Filter (0x36), vendor specific | - | - | - | Add mac-filter, STRUCT of: {USINT VLAN-ID, ARRAY of 6 USINT MAC, DWORD Port Mask} | - | -
Verify Fault Location (0x4B) | - | - | - | - | - | Verify Fault Location
Clear Rapid Faults (0x4C) | - | - | - | - | - | Clear Rapid Faults
Restart Sign On (0x4D) | - | - | - | - | - | Restart Sign On
Clear Gateway Partial Fault (0x04E) | - | - | - | - | - | Clear Gateway Partial Fault
15.4 PROFINET
PROFINET enhances the existing Profibus technology for such applications that require fast data
communication and the use of industrial IT functions.
You will find detailed information on PROFINET on the Internet site of the PROFIBUS Organization at
http://www.profibus.com.
The devices conform to class B for PROFINET.
[Figure: PROFINET slot/subslot model (SubSl = Subslot). Compact device: Bus Interface in Slot 0 with subslots 0x8001 to 0x8006. Modular device: Bus Interface in Slot 0 and Module 1 .. Module n in Slot 1 .. Slot n, each with subslots 0x8001, 0x8002, .. 0x80.n mapped to Port 1, Port 2, .. Port n.]
Note: Treating a loss of the I/O connection to the CPU of the device as a failure can result in a system
failure. Monitoring the I/O connection as a failure criterion is therefore less suitable.
The I/O connection between the programmable logic controller (PLC) and the device can be
interrupted by a management program. For example, a management station can saturate the CPU
of the device with higher priority Real Time (RT) data. In this case, the device can still transmit or
receive data packets and the system remains operational.
In the hardware configuration, right-click the device and select Object properties from the drop-down list.
Enter the same name as specified in the Edit Ethernet Node dialog.
Click the Ethernet button.
Enter the IP parameters.
To close the Properties - Ethernet interface... window, click the OK button.
To close the Properties window, click the OK button.
Configuring IO Cycle
In the hardware configuration, click the device.
In the Slot/Module View dialog, right-click the X1 / PN-IO row.
In the drop-down list, select Object properties.
In the Properties window, open the IO Cycle tab.
In the Update Time frame, Update time[ms]: field, select the required update time in ms, for the
IO Cycle.
In the Watchdog Time frame, Number of accepted update cycles with missing IO data
field, select the required number for the IO Cycle.
To close the Properties window, click the OK button.
Note: Beware of Loops! Deactivate RSTP on the device ports between the I/O controller and the I/O
device.
Open the Switching > L2-Redundancy > Spanning Tree > Spanning Tree Port dialog,
CIST tab.
Unmark the STP active checkbox for the relevant ports.
To save the changes temporarily, click the button.
Configuring Topology
Right-click a port, 1 through n, and select Object properties.
In the Properties dialog, open the Topology tab.
In the Partners frame, Partner port field, select the required setting for the partner port.
To close the Properties window, click the OK button.
Swapping devices
Hirschmann devices support the device swapping function with an engineering station.
If identical devices are being swapped, the Network management station assigns the parameters of
the original device to the new device.
The device swapping function with Simatic S7 requires the following prerequisites:
S7 300 with SW release from V2.7 (currently available for CPU 319) or S7 400 with SW release
from V5.2
Hirschmann device SW release from 05.0.00
Neighboring device(s) support(s) LLDP
Topology (neighborhood relationships) is configured and loaded onto the PLC
Device swapping requires the following conditions:
the replacement device is exactly the same type as the device to be replaced.
the replacement device is connected to the exact same place in the network (same ports and
neighboring devices).
the replacement device has a PROFINET default configuration. Set the device name to "" (null
string).
If these conditions are met, the Network management station automatically assigns the parameters
of the original device (device name, IP parameters and configuration data) to the replacement device.
Swapping modules
The PROFINET stack in the device detects a change in the connected modules and reports the
change to the engineering station. If a previously configured module is removed from the device, the
engineering station reports an error. If a configured module that was missing is connected, the
Network management station removes the error message.
Topology Discovery
After the user initializes the Topology Discovery, the Network management station looks for
connected devices.
Communication diagnosis
Simatic S7 monitors the communication quality and outputs messages relating to communication
problems.
Alarms
The device supports alarms on the device and port levels.
Record parameters
The device provides records for:
Device parameters
Device status
Port status/parameters
I/O Data
You will find the bit assignment for the transferred I/O data in the following table.
The following example describes the configuration of a DHCP server using the haneWIN DHCP Server
software. This shareware software is a product of IT-Consulting Dr. Herbert Hanewinkel. You can
download the software from https://www.hanewin.net. You can test the software for 30 calendar days
from the date of the first installation, and then decide whether you want to purchase a license.
To install the DHCP servers on your PC put the product CD in the CD drive of your PC and under
Additional Software select haneWIN DHCP-Server . To carry out the installation, follow the installation
assistant.
Start the haneWIN DHCP-Server program.
Note: The installation procedure includes a service that is automatically started in the basic
configuration when Windows is activated. This service is also active if the program itself has not been
started. When started, the service responds to DHCP queries.
Open the window for the program settings in the menu Options > Preferences and select the DHCP
tab.
Specify the settings displayed in the figure.
Click the OK button.
To enter the configuration profiles, select Options > Configuration Profiles in the menu bar.
Specify the name for the new configuration profile.
Click the Add button.
Enter the path and the file name for the configuration file.
Click the Apply button and then the OK button.
To enter the static addresses, in the main window, click the Static button.
In the Hardware address field, specify the value Circuit Identifier and the value Remote
Identifier for the switch and port.
The DHCP server assigns the IP address specified in the IP address field to the device that you
connect to the port specified in the Hardware address field.
The hardware address is in the following form:
ciclhhvvvvssmmpprirlxxxxxxxxxxxx
ci
Sub-identifier for the type of the Circuit ID
cl
Length of the Circuit ID.
hh
Hirschmann identifier:
01 if a Hirschmann device is connected to the port, otherwise 00.
vvvv
VLAN ID of the DHCP request.
Default setting: 0001 = VLAN 1
ss
Socket of device at which the module with that port is located to which the device is connected.
Specify the value 00.
mm
Module with the port to which the device is connected.
pp
Port to which the device is connected.
ri
Sub-identifier for the type of the Remote ID
rl
Length of the Remote ID.
xxxxxxxxxxxx
Remote ID of the device (for example MAC address) to which a device is connected.
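The following Python snippet is an added example, not code from the manual or from the haneWIN software. It builds the Hardware address string described above from its fields and parses such a string back, checking both length bytes so that a mistyped entry is caught before it reaches the DHCP server. One assumption is not stated on the page: the sub-identifiers ci and ri are taken to be the DHCP relay agent suboption numbers from RFC 3046 (1 = Circuit ID, 2 = Remote ID). The MAC address used is the one from the figure on this page; module 1 and port 3 are constructed sample values.

```python
# Added example, not from the manual: build and parse the haneWIN "Hardware address"
# string ciclhhvvvvssmmpprirlxxxxxxxxxxxx described above.
import re

# Assumption (not stated on the page): the sub-identifiers ci and ri carry the
# DHCP relay agent suboption numbers from RFC 3046, 1 = Circuit ID, 2 = Remote ID.
CIRCUIT_ID_TYPE = 0x01
REMOTE_ID_TYPE = 0x02


def _mac_bytes(mac):
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("remote ID must be a 6-byte MAC address")
    return bytes.fromhex(digits)


def build_hardware_address(vlan_id, module, port, remote_mac,
                           hirschmann_device=True, socket=0):
    """Return the 32-character hex string to enter in the Hardware address field."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of the 802.1Q range")
    if not all(0 <= v <= 0xFF for v in (socket, module, port)):
        raise ValueError("socket, module and port are single bytes")
    circuit_id = (bytes([0x01 if hirschmann_device else 0x00])   # hh
                  + vlan_id.to_bytes(2, "big")                   # vvvv
                  + bytes([socket, module, port]))               # ss mm pp
    remote_id = _mac_bytes(remote_mac)                            # xxxxxxxxxxxx
    return (bytes([CIRCUIT_ID_TYPE, len(circuit_id)]) + circuit_id
            + bytes([REMOTE_ID_TYPE, len(remote_id)]) + remote_id).hex()


def parse_hardware_address(text):
    """Split the string back into its fields, checking both length bytes."""
    try:
        raw = bytes.fromhex(text.strip())
    except ValueError as exc:
        raise ValueError("hardware address is not a hex string") from exc
    if len(raw) < 2 or raw[0] != CIRCUIT_ID_TYPE:
        raise ValueError("missing Circuit ID sub-identifier")
    cl = raw[1]
    circuit_id = raw[2:2 + cl]
    if cl != 6 or len(circuit_id) != 6:
        raise ValueError("Circuit ID must be hh vvvv ss mm pp (6 bytes)")
    off = 2 + cl
    if len(raw) < off + 2 or raw[off] != REMOTE_ID_TYPE:
        raise ValueError("missing Remote ID sub-identifier")
    rl = raw[off + 1]
    remote_id = raw[off + 2:]
    if rl != 6 or len(remote_id) != rl:
        raise ValueError("Remote ID length does not match rl")
    return {
        "hirschmann_device": circuit_id[0] == 0x01,
        "vlan_id": int.from_bytes(circuit_id[1:3], "big"),
        "socket": circuit_id[3],
        "module": circuit_id[4],
        "port": circuit_id[5],
        "remote_id": ":".join(f"{b:02x}" for b in remote_id),
    }


def is_valid_hardware_address(text):
    """True if the string parses with consistent sub-identifiers and lengths."""
    try:
        parse_hardware_address(text)
        return True
    except ValueError:
        return False
```

With VLAN 1, module 1, port 3 and the MAC address 00:80:63:10:9a:d7 the builder returns 01060100010001030206008063109ad7: ci=01, cl=06, hh=01, vvvv=0001, ss=00, mm=01, pp=03, ri=02, rl=06, followed by the 12 hex digits of the MAC address.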
Figure: Example of DHCP address assignment. The DHCP server (IP = 149.218.112.1) assigns IP = 149.218.112.100 to the device with MAC = 00:80:63:10:9a:d7.
Note: In the default setting, the key already exists and access using SSH is enabled.
The device allows you to upload your own SSH key to the device.
Perform the following steps:
Open the Device Security > Management Access > Server dialog, SSH tab.
Disable the SSH server.
To disable the function, select the Off radio button in the Operation frame.
To save the changes temporarily, click the button.
If the host key is located on your PC or on a network drive, drag and drop the file that contains
the key in the area. Alternatively click in the area to select the file.
Click the Start button in the Key import frame to load the key onto the device.
Enable the SSH server.
To enable the function, select the On radio button in the Operation frame.
To save the changes temporarily, click the button.
In the Host Name (or IP address) field, enter the IP address of your device.
The IP address (a.b.c.d) consists of 4 decimal numbers with values from 0 to 255. The 4 decimal
numbers are separated by points.
To select the connection type, select the SSH radio button in the Connection type frame.
Click the Open button to set up the data connection to your device.
Just before the connection is established, the PuTTY program displays a security alert message and
gives you the option of checking the key fingerprint.
The PuTTY program also displays another security alert message at the specified warning threshold.
For experienced network administrators, another way of accessing your device through an SSH is by
using the OpenSSH Suite. To set up the data connection, enter the following command:
ssh admin@10.0.112.53
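The following Python snippet is an added example, not code from the manual, from PuTTY or from OpenSSH. It shows what the key fingerprint in the security alert is: a hash of the host key's public blob, displayed as unpadded base64 of SHA256 by OpenSSH and current PuTTY versions, or as colon-separated MD5 hex bytes by older PuTTY versions. Computing the fingerprint of the key that was uploaded to the device lets an administrator compare it with the value PuTTY shows before accepting the connection. The key line used below is a constructed ssh-ed25519 blob (32 bytes of 0x42), not a real key.

```python
# Added example, not from the manual or from PuTTY/OpenSSH: compute a host key's
# fingerprint so the value shown in the security alert can be checked against the
# key that was uploaded to the device.
import base64
import hashlib
import hmac


def parse_openssh_pubkey(line):
    """Return (key_type, raw_blob) from a 'type base64 [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    # The blob starts with the length-prefixed key type, which must match column 1.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key type inside the blob does not match the line")
    return parts[0], blob


def fingerprint_sha256(blob):
    # OpenSSH and current PuTTY show SHA256 fingerprints as unpadded base64.
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    # Older PuTTY versions show the MD5 form: 16 colon-separated hex bytes.
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprints(line):
    """Both fingerprint forms of the key on an OpenSSH public key line."""
    key_type, blob = parse_openssh_pubkey(line)
    return {"type": key_type, "blob_len": len(blob),
            "sha256": fingerprint_sha256(blob), "md5": fingerprint_md5(blob)}


def host_key_matches(line, shown):
    """Compare the fingerprint from a security alert with a public key line."""
    _, blob = parse_openssh_pubkey(line)
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        return hmac.compare_digest(fingerprint_sha256(blob), shown)
    if shown.startswith("MD5:"):
        shown = shown[4:]
    return hmac.compare_digest(fingerprint_md5(blob)[4:], shown.lower())


def constructed_key_line():
    # Constructed ssh-ed25519 wire format (32 bytes of 0x42): NOT a real key.
    key_type, pub = b"ssh-ed25519", bytes([0x42]) * 32
    blob = (len(key_type).to_bytes(4, "big") + key_type
            + len(pub).to_bytes(4, "big") + pub)
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} constructed-example"
```

To check a real device key, pass the contents of its public key file (the line beginning with the key type) to host_key_matches together with the fingerprint string from the PuTTY alert; a mismatch means the connection is not terminating at the expected key and should be investigated rather than accepted.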
Your web browser establishes the connection to the device using the HTTPS protocol. The prerequisite
is that you enable the HTTPS server function in the Device Security > Management Access > Server
dialog, HTTPS tab.
Note: Third-party software such as web browsers validate certificates based on criteria such as their
expiration date and current cryptographic parameter recommendations. Old certificates can cause
errors, for example, when they expire or cryptographic recommendations change. Upload your own, up-
to-date certificate or regenerate the certificate with the latest firmware to solve validation conflicts with
third-party software.
Note: If you upload or create a certificate, be sure to reboot the device or the HTTPS server in order to
activate the certificate. Restart the server using the Command Line Interface (CLI).
If you make changes to the HTTPS port number, disable the HTTPS server and then enable it again in
order to make the changes effective.
The device uses HTTPS protocol and establishes a new data connection. At the end of the session,
when the user logs out, the device terminates the data connection.
B Appendix
Hirschmann Manual
“Basics of Industrial ETHERNET and TCP/IP”
280 710-834
B.2 Maintenance
Hirschmann is continually working on improving and developing their software. Check regularly whether
there is an updated version of the software that provides you with additional benefits. You find
information and software downloads on the Hirschmann product pages on the Internet
(www.hirschmann.com).
The Management Information Base (MIB) is designed in the form of an abstract tree structure.
The branching points are the object classes. The "leaves" of the MIB are called generic object classes.
If this is required for unique identification, the generic object classes are instantiated, that means the
abstract structure is mapped onto reality, by specifying the port or the source address.
Values (integers, time ticks, counters or octet strings) are assigned to these instances; these values can
be read and, in some cases, modified. The object description or object ID (OID) identifies the object
class. The subidentifier (SID) is used to instantiate them.
Example:
The generic object class hm2PSState (OID = 1.3.6.1.4.1.248.11.11.1.1.1.1.2) is the description
of the abstract information power supply status. However, it is not possible to read any value from
this, as the system does not know which power supply is meant.
Specifying the subidentifier 2 maps this abstract information onto reality (instantiates it), thus identifying
it as the operating status of power supply 2. A value is assigned to this instance and can be read. The
instance get 1.3.6.1.4.1.248.11.11.1.1.1.1.2.1 returns the response 1, which means that the
power supply is ready for operation.
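The following Python snippet is an added example, not code from the manual. It shows the two steps described above in code: appending a subidentifier to the generic object class OID of hm2PSState to obtain the instance OID, and encoding that instance OID the way an SNMP GET carries it on the wire (BER OBJECT IDENTIFIER: the first two arcs packed into one subidentifier, every further arc in base-128 with the high bit set on all but its last byte). The decoder rejects a truncated encoding, which is the kind of malformed input a management station or SNMP proxy has to handle without crashing.

```python
# Added example, not from the manual: instance OIDs and their BER encoding.

# Generic object class quoted on the page.
HM2_PS_STATE = "1.3.6.1.4.1.248.11.11.1.1.1.1.2"


def instance_oid(class_oid, *subidentifiers):
    """Instantiate a generic object class by appending subidentifiers."""
    return ".".join([class_oid] + [str(s) for s in subidentifiers])


def _base128(value):
    # Most significant 7-bit group first; continuation bit on all but the last byte.
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(reversed(out))


def encode_oid(oid):
    """BER-encode a dotted OID (tag 0x06, short-form length, contents)."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or any(a < 0 for a in arcs) or arcs[0] > 2:
        raise ValueError("invalid OID")
    if arcs[0] < 2 and arcs[1] > 39:
        raise ValueError("second arc must be <= 39 under iso/itu-t")
    body = _base128(arcs[0] * 40 + arcs[1])
    body += b"".join(_base128(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + body


def decode_oid(data):
    """Decode a BER OBJECT IDENTIFIER back into dotted form, rejecting truncation."""
    if len(data) < 3 or data[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = data[1]
    if length > 127 or len(data) != 2 + length:
        raise ValueError("length byte does not match contents")
    subids, value, pending = [], 0, False
    for b in data[2:]:
        value = (value << 7) | (b & 0x7F)
        pending = True
        if not b & 0x80:
            subids.append(value)
            value, pending = 0, False
    if pending:
        raise ValueError("truncated subidentifier at end of OID")
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])
```

Encoding the instance OID 1.3.6.1.4.1.248.11.11.1.1.1.1.2.1 gives 06 0f 2b 06 01 04 01 81 78 0b 0b 01 01 01 01 02 01: the arc 248 needs two bytes (81 78), all other arcs fit in one.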
Definition of the syntax terms used:
Integer: an integer in the range -2^31 .. 2^31-1
IP address: xxx.xxx.xxx.xxx (xxx = integer in the range 0..255)
MAC address: 12-digit hexadecimal number in accordance with ISO/IEC 8802-3
Object Identifier: x.x.x.x… (for example 1.3.6.1.1.4.1.248...)
Octet String: ASCII character string
PSID: power supply identifier (number of the power supply unit)
TimeTicks: stopwatch; elapsed time = numerical value / 100 (in seconds); numerical value = integer in the range 0..2^32-1
Timeout: time value in hundredths of a second; time value = integer in the range 0..2^32-1
Type field: 4-digit hexadecimal number in accordance with ISO/IEC 8802-3
Counter: integer (0..2^32-1) whose value is increased by 1 when certain events occur.
Figure: position of the supported MIBs in the object identifier tree.
1 iso
  3 org
    6 dod
      1 internet
        mib-2 subtree (1.3.6.1.2.1): 3 at, 4 ip, 5 icmp, 6 tcp, 7 udp, 11 snmp, 16 rmon, 17 dot1dBridge, 26 snmpDot3MauMGT
        Hirschmann enterprise subtree (1.3.6.1.4.1.248): 12 hm2Platform5
        snmpModules subtree (1.3.6.1.6.3): 12 Target, 13 Notification, 15 usm, 16 vacm
A description of the MIB can be found on the product CD provided with the device.
ANSI/TIA-1057 Link Layer Discovery Protocol for Media Endpoint Devices, April 2006
Switching
Size of the MAC address table (incl. static filters): 32768
Max. number of statically configured MAC address filters: 100
Max. number of MAC address filters learnable through IGMP Snooping: 1024
Max. number of MAC address entries (MMRP): 512
Number of priority queues: 8 queues
Port priorities that can be set: 0..7
MTU (max. length of over-long packets): 12288 Bytes
VLAN
VLAN ID range: 1..4042
Number of VLANs: max. 512 simultaneously per device; max. 512 simultaneously per port
The product contains, among other things, Open Source Software files developed by third parties and
licensed under an Open Source Software license.
You can find the license terms in the graphical user interface in the Help > Licenses dialog.
C Index
802.1X 44
A
Access roles 47
Access security 82
ACA 64, 329, 329, 359
Advanced Mode 167, 169
AF 140
Aging time 123
Alarm 232, 329
Alarm messages 230
Alarm setting 323
Alternate port 184, 190
APNIC 30
ARIN 30
ARP 32
Assured Forwarding 140
Authentication list 44
Automatic configuration 83
B
Backup port 184, 190
Bandwidth 143
Best Master Clock algorithm 115
Boundary clock (PTP) 114
BOOTP 29
BPDU 179
BPDU guard 189, 190
Bridge Identifier 176
Bridge Protocol Data Unit 179
C
CA certificate 260
CD-ROM 334, 338
CIDR 33
CIP 310
Classless inter domain routing 33
Class Selector 140
Closed circuit 239
Command line interface 19
Common Industrial Protocol 310
Compatibility (STP) 187
Configuration file 40
Configuration modifications 230
Conformity class 321
D
Data traffic 97
Daylight saving time 109
Delay measurement (PTP) 116
Delay time (MRP) 167
Delay (PTP) 116
Denial of service 98
Denial of Service 97
Designated bridge 184
Designated port 184, 189
Destination table 230
Device description language 321
Device status 233
DHCP 29
DHCP L2 Relay 287
DHCP server 108, 111, 334, 338
Diameter (Spanning Tree) 178
Differentiated services 140
DiffServ 129
DiffServ Codepoint 140
Disabled port 184
DoS 97, 98
DSCP 129, 137, 140
E
Edge port 184, 189
EDS 311, 311
EF 140
Email notification 252
Engineering system 324
Engineering Station 327
EtherNet/IP website 310
Event log 260
Expedited Forwarding 140
F
Fast MRP 164
FAQ 365
First installation 29
Flow control 143
FuseNet™ 200
G
Gateway 31, 35
GARP 292
Generic Ethernet Module 311
Generic object classes 350
GMRP 292
Grandmaster (PTP) 115
GSD 323, 324
GSDML 321
GSD file 324
H
HaneWin 334, 338
Hardware reset 230
HiDiscovery 29, 34, 36, 38, 87, 92, 236, 262, 309
HIPER-Ring 198
Host address 31
I
IANA 30
IAS 44
Icon 323
IEC 61850 302
IEEE 802.1X 44
IEEE MAC address 249
IGMP snooping 123, 123, 310
Industrial HiVision 11, 40, 57
Instantiation 350
Integrated authentication server 44
IP address 30, 35, 40
IP header 129, 132, 140
Store-and-forward 120
Strict Priority 132
Subidentifier 350
Subnet 35
Subring 164, 201
Sub-ring Manager 208
Sub-ring Redundant Manager 207
Symbol 311, 311, 324
Syslog over TLS 260
System requirements (GUI) 18
T
TCN guard 189, 191
TCP/IP 310, 321
Technical questions 365
Threshold value 323
Topology Change flag 189
ToS 129, 132, 140
Traffic class 132, 137
Traffic shaping 138
Training courses 365
Transmission reliability 230
Transparent clock (PTP) 115
Trap 230, 232
Trap destination table 230
Tree structure (Spanning Tree) 179, 183
Two-Switch coupling, Primary device 214
Two-Switch coupling, Stand-by device 216
Type of Service 132
U
UDP/IP 310, 321
Update 26
User name 21, 23, 25
V
Video 132
VLAN 145
VLAN priority 136
VLAN tag 131, 145
VLAN (HIPER-Ring) 198
VoIP 132
VT100 24
V.24 19, 24
W
Weighted Fair Queuing 133
Weighted Round Robin 133
D Further support
Technical questions
For technical questions, please contact any Hirschmann dealer in your area or Hirschmann directly.
You find the addresses of our partners on the Internet at http://www.hirschmann.com.
A list of local telephone numbers and email addresses for technical support directly from Hirschmann is
available at https://hirschmann-support.belden.eu.com.
This site also includes a free of charge knowledge base and a software download section.
E Readers’ Comments
What is your opinion of this manual? We are constantly striving to provide as comprehensive a
description of our product as possible, as well as important information to assist you in the operation of
this product. Your comments and suggestions help us to further improve the quality of our
documentation.
General comments:
Sender:
Company / Department:
Street:
E-mail:
Date / Signature:
Dear User,
Please fill out and return this page
as a fax to the number +49 (0)7127/14-1600 or
per mail to
Hirschmann Automation and Control GmbH
Department 01RD-NT
Stuttgarter Str. 45-51
72654 Neckartenzlingen