ManualCollection BRS HiOS-2S-09600 en
Reference Manual
Graphical User Interface
User Manual
Configuration
Reference Manual
Graphical User Interface
BOBCAT Rail Switch
HiOS-2S
Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into
any electronic medium or machine scannable form is not permitted, either in whole or in part. An exception is the preparation
of a backup copy of the software for your own use.
The performance features described here are binding only if they have been expressly agreed when the contract was made.
This document was produced by Hirschmann Automation and Control GmbH according to the best of the company's
knowledge. Hirschmann reserves the right to change the contents of this document without prior notice. Hirschmann can give
no guarantee in respect of the correctness or accuracy of the information in this document.
Hirschmann can accept no responsibility for damages, resulting from the use of the network components or the associated
operating software. In addition, we refer to the conditions of use specified in the license contract.
You can find the latest user documentation for your device at: doc.hirschmann.com
2023-12-13
Contents
Safety instructions
Key
1 Basic Settings
1.1 System
1.2 Network
1.2.1 Global
1.2.2 IPv4
1.2.3 IPv6
1.3 Out-of-Band over USB
1.4 Software
1.5 Load/Save
1.6 External Memory
1.7 Port
1.8 Power over Ethernet
1.8.1 PoE Global
1.8.2 PoE Port
1.9 Restart
2 Time
2.1 Basic Settings
2.2 SNTP
2.2.1 SNTP Client
2.2.2 SNTP Server
2.3 PTP
2.3.1 PTP Global
2.3.2 PTP Boundary Clock
2.3.2.1 PTP Boundary Clock Global
2.3.2.2 PTP Boundary Clock Port
2.3.3 PTP Transparent Clock
2.3.3.1 PTP Transparent Clock Global
2.3.3.2 PTP Transparent Clock Port
2.4 802.1AS
2.4.1 802.1AS Global
2.4.2 802.1AS Port
2.4.3 802.1AS Statistics
RM GUI BRS 3
Release 9.6 12/2023
5 Switching
5.1 Switching Global
5.2 Rate Limiter
5.3 Filter for MAC Addresses
5.4 IGMP Snooping
5.4.1 IGMP Snooping Global
5.4.2 IGMP Snooping Configuration
5.4.3 IGMP Snooping Enhancements
5.4.4 IGMP Snooping Querier
5.4.5 IGMP Snooping Multicasts
5.5 Time-Sensitive Networking
5.5.1 TSN Configuration
5.5.2 TSN Gate Control List
5.5.2.1 TSN Configured Gate Control List
5.5.2.2 TSN Current Gate Control List
5.6 MRP-IEEE
6 Diagnostics
6.1 Status Configuration
6.1.1 Device Status
6.1.2 Security Status
6.1.3 Signal Contact
6.1.3.1 Signal Contact 1 / Signal Contact 2
6.1.4 MAC Notification
6.1.5 Alarms (Traps)
6.1.5.1 Trap V3 User Management
6.1.5.2 Trap Destinations
6.2 System
6.2.1 System Information
6.2.2 Hardware State
6.2.3 Configuration Check
6.2.4 IP Address Conflict Detection
6.2.5 ARP
6.2.6 Selftest
6.3 Syslog
6.4 Ports
7 Advanced
7.1 DHCP
7.1.1 DHCP Server
7.1.1.1 DHCP Server Global
7.1.1.2 DHCP Server Pool
7.1.1.3 DHCP Server Lease Table
7.2 DHCP L2 Relay
7.2.1 DHCP L2 Relay Configuration
7.2.2 DHCP L2 Relay Statistics
7.3 Industrial Protocols
7.3.1 IEC61850-MMS
7.3.2 Modbus TCP
7.3.3 EtherNet/IP
7.3.4 PROFINET
7.4 Digital IO Module
7.5 Command Line Interface
A Index
Safety instructions
WARNING
UNCONTROLLED MACHINE ACTIONS
To avoid uncontrolled machine actions caused by data loss, configure all the data transmission
devices individually.
Before you start any machine which is controlled via data transmission, be sure to complete the
configuration of all data transmission devices.
Failure to follow these instructions can result in death, serious injury, or equipment
damage.
About this Manual
The “Configuration” user manual contains the information you need to start operating the device. It
takes you step by step from the first startup operation through to the basic settings for operation in
your environment.
The “Installation” user manual contains a device description, safety instructions, a description of the
display, and the other information that you need to install the device.
The “Graphical User Interface” reference manual contains detailed information on using the
graphical user interface to operate the individual functions of the device.
The “Command Line Interface” reference manual contains detailed information on using the
Command Line Interface to operate the individual functions of the device.
The Industrial HiVision Network Management software provides you with additional options for
smooth configuration and monitoring:
• Auto-topology discovery
• Browser interface
• Client/server structure
• Event handling
• Event log
• Simultaneous configuration of multiple devices
• Graphical user interface with network layout
• SNMP/OPC gateway
Key
List
Work step
Link Cross-reference with link
Note: A note emphasizes a significant fact or draws your attention to a dependency.
Courier Representation of a CLI command or field contents in the graphical user interface
Notes on the Graphical User Interface
The prerequisite to use the Graphical User Interface of the device is a web browser with HTML5
support.
The responsive Graphical User Interface automatically adapts to the size of your screen.
Consequently, you can see more details on a large, high-resolution screen than on a small screen.
For example, on a high-resolution screen, the buttons have a label next to the icon. On a screen
with a small width, the Graphical User Interface displays only the icon.
Note: On a conventional screen, you click to navigate. On a device with a touchscreen, on the other
hand, you tap. For simplicity, we only use "click" in our help texts.
Banner
The banner displays the following information:
Displays and hides the menu. When the web browser window is too narrow, the Graphical User
Interface hides the menu pane. The banner displays the button instead.
Brand logo
Click the logo to open the website of the manufacturer of the device in a new window.
Dialog name
Displays the name of the dialog currently displayed in the dialog area.
Displays that the web browser cannot contact the device. The connection to the device is
interrupted.
Displays if the settings in the volatile memory (RAM) differ from the settings of the "Selected"
configuration profile in the non-volatile memory (NVM). The banner displays the icon if you have
applied the settings, but not yet saved them in the non-volatile memory (NVM).
When you click the button, the online help opens in a new window.
When you click the button, a tooltip displays the following information:
• The summary of the Device status frame. See the Basic Settings > System dialog.
• The summary of the Security status frame. See the Basic Settings > System dialog.
A red dot next to the icon means that at least one of the values is greater than 0.
When you click the button, a submenu opens with the following menu items:
• User account name
The account name of the user that is currently logged in.
• Logout button
When you click the button, this logs out the currently logged in user. Then the login dialog opens.
Menu pane
When the web browser window is too narrow, the Graphical User Interface hides the menu pane.
To display the menu pane, click the button in the banner.
Icons bar
Device software
Displays the version number of the currently running device software that the device loaded during
the last system startup.
Displays a text field to search for a keyword. When you enter a character or string, the menu tree
displays a menu item only for those dialogs that are related to this keyword.
The menu tree displays a menu item only for those dialogs in which at least one parameter differs
from the default setting (Diff to default). To display the complete menu tree again, click the
button.
Collapses the menu tree. The menu tree then displays only the menu items of the first level.
Expands the menu tree. The menu tree then displays every menu item on every level.
Menu tree
The menu tree contains one item for each dialog in the Graphical User Interface. When you click a
menu item, the dialog area displays the corresponding dialog. You can change the view of the
menu tree by clicking the buttons in the icons bar at the top. Furthermore, you can change the view
of the menu tree by clicking the following buttons:
Expands the current menu item to display the menu items of the next lower level. The menu tree
displays the button next to each collapsed menu item that contains menu items on the next lower
level.
Collapses the menu item to hide the menu items of the lower levels. The menu tree displays the
button next to each expanded menu item.
Dialog area
The dialog area displays the dialog that you select in the menu tree, including its controls. Here,
you can monitor and change the settings of the device depending on your access role.
Control elements
The dialogs contain different control elements. These control elements are read-only or editable,
depending on the parameter and your access role as a user.
Modification mark
When you modify a value, the corresponding field or table cell displays a red triangle in its top-left
corner. The red triangle indicates that you have not yet applied this modification. The modified
settings are not yet effective.
Standard buttons
Here you find the description of the standard buttons. The special dialog-specific buttons are
described in the corresponding dialog help text.
For information on how the device retains the modified settings even after a reboot, see section
“Saving the settings” on page 16.
Undoes the unsaved changes in the current dialog. Resets the values in the fields to the settings
applied to the device.
When applying settings, the device temporarily stores the modified settings. To do this, perform the
following step:
Click the button.
Note: Unintentional changes to the settings can terminate the connection between your PC and the
device. To keep the device accessible, enable the Undo configuration modifications function in the
Basic Settings > Load/Save dialog, before changing any settings. Using the function, the device
continuously checks if it can still be reached from the IP address of your PC. If the connection is
lost, then the device loads the configuration profile saved in the non-volatile memory (NVM) after the
specified time. Afterwards, the device can be accessed again.
To keep the modified settings even after restarting the device, perform the following steps:
Open the Basic Settings > Load/Save dialog.
In the table, mark the checkbox far left in the table row of the desired configuration profile.
When the checkbox in the Selected column is unmarked, click the button and then the Select
item.
Click the button to save your current changes.
If a dialog remains open for a longer time, then the values in the device have possibly changed in
the meantime.
To update the display in the dialog, click the button. Unsaved information in the dialog is
lost.
The dialogs display numerous settings in table form. You have the option of customizing the
appearance of the tables to fit your needs.
You can find useful information on how to use the tables in the following sections:
• Filter rows
• Sort rows
• Select multiple table rows
Filter rows
The filter lets you reduce the number of displayed table rows.
Displays a second table row in the table header containing a text field for every column. When you
enter a string in a field, the table displays only the table rows that contain this string in the
corresponding column.
Sort rows
You can change the order of the table rows. When you click the table header, an icon displays the
sorting status.
Displays that the table rows are sorted by a criterion other than the values in this column.
Click the icon to sort the table rows in descending order based on the entries of the corresponding
column. You might be able to restore the initial sorting in the table only after logging off and logging
in again.
Displays that the table rows are sorted in descending order based on the entries of the
corresponding column.
Click the icon to sort the table rows in ascending order based on the entries of the corresponding
column. You might be able to restore the initial sorting in the table only after logging off and logging
in again.
Displays that the table rows are sorted in ascending order based on the entries of the
corresponding column.
Click the icon to sort the table rows in descending order based on the entries of the corresponding
column. You might be able to restore the initial sorting in the table only after logging off and logging
in again.
You have the option of selecting multiple table rows at once and then applying an action to the
selected table rows. This is useful, for example, when you want to remove multiple table rows at
the same time.
To select individual table rows, mark the leftmost checkbox in the desired table row.
To select every table row, mark the leftmost checkbox in the table header.
1 Basic Settings
1.1 System
[ Basic Settings > System ]
This dialog displays information about the operating status of the device.
Device status
Displays the device status and the alarms that currently exist. When at least one alarm is present,
the background color changes to red. Otherwise, the background color remains green.
You specify the parameters that the device monitors in the Diagnostics > Status Configuration > Device
Status dialog. If a monitored parameter differs from the desired status, then the device triggers an
alarm.
A tooltip displays the cause of the currently existing alarms and the time at which the device
triggered each alarm. To display the tooltip, hover the mouse pointer over or tap the field. In the
Diagnostics > Status Configuration > Device Status dialog, the Status tab displays an overview of the
alarms.
Note: If you connect only one power supply unit to a device that supports 2 redundant power supply
units, then the device triggers an alarm. To avoid this alarm, deactivate the monitoring of the
missing power supply units in the Diagnostics > Status Configuration > Device Status dialog.
Security status
Displays the security status and the alarms that currently exist. When at least one alarm is present,
the background color changes to red. Otherwise, the background color remains green.
You specify the parameters that the device monitors in the Diagnostics > Status Configuration >
Security Status dialog. If a monitored parameter differs from the desired status, then the device
triggers an alarm.
A tooltip displays the cause of the currently existing alarms and the time at which the device
triggered each alarm. To display the tooltip, hover the mouse pointer over or tap the field. In the
Diagnostics > Status Configuration > Security Status dialog, the Status tab displays an overview of the
alarms.
Displays the signal contact status and the alarms that currently exist. When at least one alarm is
present, the background color changes to red. Otherwise, the background color remains green.
You specify the parameters that the device monitors in the Diagnostics > Status Configuration > Signal
Contact > Signal Contact 1/Diagnostics > Status Configuration > Signal Contact > Signal Contact 2 dialog. If
a monitored parameter differs from the desired status, then the device triggers an alarm.
A tooltip displays the cause of the currently existing alarms and the time at which the device
triggered each alarm. To display the tooltip, hover the mouse pointer over or tap the field. In the
Diagnostics > Status Configuration > Signal Contact > Signal Contact 1/Diagnostics > Status Configuration >
Signal Contact > Signal Contact 2 dialog, the Status tab displays an overview of the alarms.
System data
The fields in this frame display operating data and information on the location of the device.
System name
Specifies the name by which the device is known in the network.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
The device accepts the following characters:
– 0..9
– a..z
– A..Z
– !#$%&'()*+,-./:;<=>?@[\\]^_`{}~
<device type name>-<MAC address> (default setting)
When generating HTTPS X.509 certificates, the application generating the certificate uses the
specified value as the domain name and common name.
The following functions use the specified value as a hostname or Fully Qualified Domain Name
(FQDN). For compatibility reasons, it is recommended to use only lowercase letters, as some
systems differentiate uppercase from lowercase in the FQDN. Verify that this name is unique in the
entire network.
• DHCP client
• Syslog
• IEC61850-MMS
• PROFINET
Note: Specify a device name that is compatible with PROFINET: max. 240 characters, not starting
with a number. The participants in the network read the device name using SNMP and PROFINET
DCP.
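The System name rules above (accepted characters, the 0..255 length, the lowercase recommendation, uniqueness in the network, and the PROFINET note) can be checked against a list of planned names before they are assigned. The following Python code is an added example, not part of the manual or of the device software; the function names, the constructed sample inventory and the case-insensitive uniqueness comparison are assumptions.

```python
import string

# Character set the manual lists as accepted for "System name".
# Assumption: the doubled backslash printed in the manual stands for one backslash.
ALLOWED = set(string.ascii_letters + string.digits + "!#$%&'()*+,-./:;<=>?@[\\]^_`{}~")
MAX_LEN = 255            # "0..255 characters"
PROFINET_MAX_LEN = 240   # PROFINET note: "max. 240 characters"


def check_system_name(name, profinet=False):
    """Check one proposed System name; return (errors, warnings) as lists of strings."""
    errors, warnings = [], []
    if len(name) > MAX_LEN:
        errors.append(f"length {len(name)} exceeds {MAX_LEN}")
    rejected = sorted({c for c in name if c not in ALLOWED})
    if rejected:
        errors.append("characters not accepted: " + " ".join(repr(c) for c in rejected))
    # The value is used as hostname/FQDN and as certificate common name,
    # so the manual recommends lowercase letters only.
    if any(c in string.ascii_uppercase for c in name):
        warnings.append("contains uppercase; lowercase recommended for FQDN use")
    if profinet:
        if len(name) > PROFINET_MAX_LEN:
            errors.append(f"PROFINET: length {len(name)} exceeds {PROFINET_MAX_LEN}")
        if name and name[0] in string.digits:
            errors.append("PROFINET: name starts with a number")
    return errors, warnings


def audit_inventory(names, profinet=False):
    """Check a list of planned names and flag names that collide with each other.

    Assumption: uniqueness is compared case-insensitively, because not every
    system that consumes the FQDN differentiates uppercase from lowercase.
    """
    seen = {}
    for n in names:
        seen.setdefault(n.lower(), []).append(n)
    report = {}
    for n in names:
        errors, warnings = check_system_name(n, profinet)
        if len(seen[n.lower()]) > 1:
            errors.append("not unique in inventory")
        report[n] = {"errors": errors, "warnings": warnings}
    return report


if __name__ == "__main__":
    # Constructed sample inventory (not taken from the manual).
    planned = ["brs-cell01-a", "BRS-Cell01-A", "7th-line-switch", "brs cell02"]
    for name, result in audit_inventory(planned, profinet=True).items():
        print(name, result)
```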
Location
Specifies the current or planned location.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
Contact person
Specifies the contact person for this device.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
Device type
Displays the product name of the device.
Power supply 1
Power supply 2
Displays the status of the power supply unit at the respective voltage supply connector.
Possible values:
present
defective
not installed
unknown
Uptime
Displays the time that has elapsed since the device was last restarted.
Possible values:
Time in the format day(s), ...h ...m ...s
Temperature [°C]
Displays the current temperature in the device in °C.
You activate the monitoring of the temperature threshold values in the Diagnostics > Status
Configuration > Device Status dialog.
Possible values:
-99..99 (integer)
If the temperature in the device exceeds the specified value, then the device displays an alarm.
Possible values:
-99..99 (integer)
If the temperature in the device falls below the specified value, then the device displays an
alarm.
Humidity [%]
Displays the current humidity in the device as a percentage.
You activate the monitoring of the humidity threshold values in the Diagnostics > Status
Configuration > Device Status dialog.
Possible values:
0..100 (default setting: 95)
If the humidity in the device exceeds the specified value, then the device displays an alarm.
Possible values:
0..100 (default setting: 5)
If the humidity in the device falls below the specified value, then the device displays an alarm.
LED status
For further information about the device status LEDs, see the “Installation” user manual.
Status
There is currently at least one device status alarm. For details, see the Device status frame.
Power
Device that supports 2 redundant power supply units: Only one supply voltage is active.
Device that supports one power supply unit: The supply voltage is active.
Device that supports 2 redundant power supply units: Both supply voltages are active.
ACA
Port status
This frame displays a simplified view of the device ports at the time of the last display update. You
identify the port status from the indicator.
In the initial view, the frame only displays ports with an active link. When you click the button,
the frame displays every port.
• The port speed is displayed next to the port number.
• When you hover the mouse pointer over or tap the appropriate port icon, a tooltip displays
detailed port state information.
Dashed border
Port in a Blocking state due to a redundancy function.
1.2 Network
[ Basic Settings > Network ]
1.2.1 Global
[ Basic Settings > Network > Global ]
This dialog lets you specify the VLAN and HiDiscovery settings required for the access to the device
management through the network.
Management interface
This frame lets you specify the VLAN in which the device management can be accessed.
VLAN ID
Specifies the VLAN in which the device management is accessible through the network. The device
management is accessible through ports that are members of this VLAN.
Possible values:
1..4042 (default setting: 1)
The prerequisite is that in the Switching > VLAN > Configuration dialog the VLAN is already set up.
When you click the button after changing the value, the Information window opens. Select the
port, over which you connect to the device in the future. After clicking the Ok button, the new device
management VLAN settings are assigned to the port.
• After that the port is a member of the VLAN and transmits the data packets without a VLAN tag
(untagged). See the Switching > VLAN > Configuration dialog.
• The device assigns the port VLAN ID of the device management VLAN to the port. See the
Switching > VLAN > Port dialog.
After a short time the device is reachable over the new port in the new device management VLAN.
MAC address
Displays the MAC address of the device. The device management is accessible through the
network using the MAC address.
Possible values:
marked
The MAC address conflict detection function is enabled.
The device verifies that its MAC address is unique in the network.
unmarked (default setting)
The MAC address conflict detection function is disabled.
This frame lets you specify settings for the access to the device using the HiDiscovery protocol.
On a PC, the HiDiscovery software displays the Hirschmann devices that can be accessed in the
network on which the HiDiscovery function is enabled. You can access these devices even if they
have invalid or no IP parameters assigned. The HiDiscovery software lets you assign or change the
IP parameters in the device.
Note: With the HiDiscovery software you access the device only through ports that are members
of the same VLAN as the device management. You specify which VLAN a certain port is assigned
to in the Switching > VLAN > Configuration dialog.
Operation
Enables/disables the HiDiscovery function in the device.
Possible values:
On (default setting)
The HiDiscovery function is enabled.
You can use the HiDiscovery software to access the device from your PC.
Off
The HiDiscovery function is disabled.
Access
Enables/disables the write access to the device using the HiDiscovery function.
Possible values:
readWrite (default setting)
The HiDiscovery function has write access to the device. The device lets you change the IP
parameters in the device using the HiDiscovery function.
readOnly
The HiDiscovery function has read-only access to the device. The device lets you view the IP
parameters in the device using the HiDiscovery function.
Recommendation: Change the setting to the value readOnly only after putting the device into
operation.
Signal
Activates/deactivates the flashing of the port LEDs as does the function of the same name in the
HiDiscovery software. The function lets you identify the device in the field.
Possible values:
marked
The flashing of the port LEDs is active.
The port LEDs flash until you disable the function again.
unmarked (default setting)
The flashing of the port LEDs is inactive.
1.2.2 IPv4
[ Basic Settings > Network > IPv4 ]
This dialog allows you to specify the IPv4 settings required for the access to the device
management through the network.
Management interface
IP address assignment
Specifies the source from which the device management receives its IP parameters.
Possible values:
Local
The device uses the IP parameters from the internal memory. You specify the settings for this
in the IP parameter frame.
BOOTP
The device receives its IP parameters from a BOOTP or DHCP server.
The server evaluates the MAC address of the device, then assigns the IP parameters.
DHCP (default setting)
The device receives its IP parameters from a DHCP server.
The server evaluates the MAC address, the DHCP name, or other parameters of the device,
then assigns the IP parameters.
Note: If there is no response from the BOOTP or DHCP server, then the device sets the IP address
to 0.0.0.0 and makes another attempt to obtain a valid IP address.
IP parameter
This frame lets you assign the IP parameters manually. If you have selected the Local radio button
in the Management interface frame, IP address assignment option list, then these fields can be edited.
IP address
Specifies the IP address under which the device management can be accessed through the
network.
Possible values:
Valid IPv4 address
Netmask
Specifies the netmask.
Possible values:
Valid IPv4 netmask
Gateway address
Specifies the IP address of a router through which the device accesses other devices outside of its
own network.
Possible values:
Valid IPv4 address
BOOTP/DHCP
Client ID
Displays the DHCP client ID that the device sends to the BOOTP or DHCP server. If the server is
set up accordingly, then the server reserves an IP address for this DHCP client ID. Therefore, the
device receives the same IP from the server every time it requests it.
The DHCP client ID that the device sends is the device name specified in the System name field in
the Basic Settings > System dialog.
Possible values:
On (default setting)
The DHCP option 66/67/4/42 function is enabled.
The device loads the configuration profile and receives the time server information using the
following DHCP options:
– Option 66: TFTP server name
Option 67: Boot file name
The device automatically loads the configuration profile from the DHCP server into the
volatile memory (RAM) using the Trivial File Transfer Protocol (TFTP). The device uses the
settings of the imported configuration profile in the running-config.
– Option 4: Time Server
Option 42: Network Time Protocol Servers
The device receives the time server information from the DHCP server.
Off
The DHCP option 66/67/4/42 function is disabled.
– The device does not load a configuration profile using DHCP Options 66/67.
– The device does not receive time server information using DHCP Options 4/42.
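The following added example (not part of the manual) decodes the options field of a DHCP reply and extracts the four options this function acts on, so you can review what a DHCP server on the management VLAN hands to the device before leaving the function On. The sample bytes, the function names and the expected_tftp allowlist are assumptions made for the illustration.

```python
import ipaddress

MAGIC_COOKIE = bytes.fromhex("63825363")  # precedes the options field (RFC 2131)

# The four options this manual page names, with their RFC 2132 codes.
WATCHED = {4: "time_servers", 42: "ntp_servers", 66: "tftp_server", 67: "boot_file"}
ADDRESS_LISTS = {4, 42}  # encoded as consecutive 4-byte IPv4 addresses


def parse_options(field: bytes) -> dict:
    """Split a DHCP options field into {code: raw value bytes}."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == 0:        # Pad option: one byte, no length field
            i += 1
            continue
        if code == 255:      # End option: stop parsing
            break
        if i + 1 >= len(field):
            raise ValueError(f"option {code} has no length byte")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # A code that occurs more than once is concatenated (RFC 3396).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def provisioning_view(field: bytes) -> dict:
    """Return only the watched options, decoded to strings or address lists."""
    view = {}
    for code, raw in parse_options(field).items():
        if code not in WATCHED:
            continue
        if code in ADDRESS_LISTS:
            if len(raw) % 4:
                raise ValueError(f"option {code} is not a list of IPv4 addresses")
            view[WATCHED[code]] = [
                str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)
            ]
        else:
            view[WATCHED[code]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return view


def review(field: bytes, expected_tftp: set) -> list:
    """List findings for a reply whose options 66/67 would trigger a profile load."""
    view = provisioning_view(field)
    findings = []
    if "boot_file" in view or "tftp_server" in view:
        server = view.get("tftp_server")
        if server not in expected_tftp:
            findings.append(f"options 66/67 point to unexpected TFTP server {server!r}")
    return findings


def opt(code: int, data: bytes) -> bytes:
    """Encode one option as code, length, value."""
    return bytes([code, len(data)]) + data


# Constructed sample: the options field of a DHCP offer (not a real capture).
SAMPLE = (
    MAGIC_COOKIE
    + opt(53, b"\x02")                                # message type: DHCPOFFER
    + b"\x00"                                         # pad byte
    + opt(4, bytes([192, 0, 2, 10]))                  # Option 4: Time Server
    + opt(42, bytes([192, 0, 2, 10, 192, 0, 2, 11]))  # Option 42: NTP servers
    + opt(66, b"192.0.2.50")                          # Option 66: TFTP server name
    + opt(67, b"brs/profile.xml")                     # Option 67: boot file name
    + b"\xff"                                         # end option
)

if __name__ == "__main__":
    print(provisioning_view(SAMPLE))
    print(review(SAMPLE, expected_tftp={"192.0.2.60"}))
```

A reply that carries neither option 66 nor option 67 produces no finding, because the device then has no profile to load.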
1.2.3 IPv6
[ Basic Settings > Network > IPv6 ]
This dialog allows you to specify the IPv6 settings required for the access to the device
management through the network.
Operation
Operation
Enables/disables the IPv6 protocol in the device.
You can operate IPv4 and IPv6 simultaneously in the device. This is possible with the use of the
Dual IP Layer technique, also referred to as Dual Stack.
Possible values:
On (default setting)
IPv6 is enabled.
Off
IPv6 is disabled.
If you want the device to operate only using IPv4, then disable IPv6 in the device.
Configuration
Possible values:
None
The device receives its IPv6 parameters manually.
You can manually specify a maximum number of 4 IPv6 addresses. You cannot specify
loopback, link-local, and Multicast addresses as static IPv6 addresses.
Auto (default setting)
The device receives its IPv6 parameters dynamically. The device receives a maximum of 2 IPv6
addresses.
An example here is the Router Advertisement Daemon (radvd). The radvd uses Router
Solicitation and Router Advertisement messages to automatically set up an IPv6 address. The
Router Solicitation and Router Advertisement messages are described in RFC 4861.
DHCPv6
The device receives its IPv6 parameters from a DHCPv6 server.
All
If the All radio button is selected, then the device receives its IPv6 parameters using every
alternative for both dynamic and manual assignments.
DHCP
Client ID
Displays the DHCPv6 client ID that the device sends to the DHCPv6 server. If the server is set up
accordingly, then the client device receives an IPv6 address for this DHCPv6 client ID.
The IPv6 address received from the DHCPv6 server has the PrefixLength value 128. According to
RFC 8415, a DHCPv6 server cannot currently be used to supply Gateway address or PrefixLength
information.
The device can receive only one IPv6 address from the DHCPv6 server.
IP parameter
Gateway address
Specifies the IPv6 address of a router through which the device accesses other devices outside its
own network.
Possible values:
Valid IPv6 address (except loopback and Multicast addresses)
Note: If the Auto radio button is selected and you use a Router Advertisement Daemon (radvd),
then the device automatically receives a link-local type Gateway address with a higher metric than
the manually set Gateway address.
In this field you can specify the number of consecutive Neighbor Solicitation messages that the
device sends for the Duplicate Address Detection function. This function is used to determine the
uniqueness of an IPv6 unicast address on the interface.
Possible values:
0
The function is disabled.
1..5 (default setting: 1)
If the Duplicate Address Detection function discovers that an IPv6 address is not unique on a link, then
the device does not log this event in the log file (System Log).
Table
This table displays a list of the IPv6 addresses set up for the device management.
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Prefix
Displays the prefix of the IPv6 address in a compressed format. The prefix shows the leftmost bits
of an IPv6 address, also known as the network part of the address.
PrefixLength
Displays the prefix length of the IPv6 address.
Unlike an IPv4 address, the IPv6 address does not use a subnet mask to identify the network part
of an address. This role is performed in IPv6 by the prefix length.
Possible values:
0..128
IP address
Displays the full IPv6 address in a compressed format.
The compressed format is automatically applied to every IPv6 address, regardless of the source
from which the device management receives its IPv6 parameters.
Possible values:
Valid IPv6 address
To use an IPv6 address in a URL, use the following URL syntax: https://[<ipv6_address>].
For further information on IPv6 compression rules and address types, see the “Configuration” user
manual.
EUI option
Specifies if the EUI option function is applied to the IPv6 address.
When you mark this checkbox, the Interface ID of the IPv6 address is automatically specified. The
device uses the MAC address of its interface with the values ff and fe added between byte 3 and
byte 4 to generate a 64 bit Interface ID.
You can only select this option for IPv6 addresses that have a prefix length equal to 64.
Possible values:
marked
The EUI option function is active.
unmarked (default setting)
The EUI option function is inactive.
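As an added illustration (not code from the manual), the Python sketch below builds the Interface ID the way this field describes and recovers the MAC address from such an address, which helps when matching rows of this table against an asset inventory. The prefix and MAC address are constructed documentation values; the inversion of the universal/local bit follows RFC 4291 and is an assumption here, because the manual mentions only the inserted ff and fe bytes.

```python
import ipaddress


def eui64_interface_id(mac: str, flip_ul_bit: bool = True) -> bytes:
    """Build the 64-bit Interface ID: MAC bytes 1-3, ff fe, MAC bytes 4-6."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address has exactly 6 bytes")
    # Assumption: RFC 4291 (modified EUI-64) inverts the universal/local bit
    # of the first byte. Pass flip_ul_bit=False for a plain ff/fe insertion.
    first = octets[0] ^ 0x02 if flip_ul_bit else octets[0]
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_address(prefix: str, mac: str, flip_ul_bit: bool = True) -> str:
    """Combine a /64 prefix with the EUI-64 Interface ID of the given MAC."""
    net = ipaddress.IPv6Network(prefix)  # strict parsing: host bits are rejected
    if net.prefixlen != 64:
        raise ValueError("the EUI option applies only to a prefix length of 64")
    iid = int.from_bytes(eui64_interface_id(mac, flip_ul_bit), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(address: str, flip_ul_bit: bool = True):
    """Recover the MAC from an EUI-64 style address, or None if it is not one."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02 if flip_ul_bit else iid[0]
    return ":".join(f"{b:02x}" for b in bytes([first]) + iid[1:3] + iid[5:])


if __name__ == "__main__":
    # Constructed values: documentation prefix (RFC 3849) and MAC (RFC 7042).
    addr = eui64_address("2001:db8:0:1::/64", "00:00:5e:00:53:01")
    print(addr, "->", mac_from_address(addr))
```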
Origin
Specifies the way in which the device received its IPv6 parameters.
Possible values:
Autoconf
The device received the IPv6 address dynamically, when the Auto radio button is selected.
Manual
The device received the IPv6 address manually.
DHCP
The device received the IPv6 address from a DHCPv6 server.
Linklayer
The device automatically sets up a link-local type IPv6 address. The link-local address cannot
be changed.
Status
Displays the current status of the IPv6 address.
Possible values:
active
The IPv6 address is active.
notInService
The IPv6 address is inactive.
notReady
The IPv6 address is specified, but not currently active as some configuration parameters are still
missing.
Note: When the IPv6 address is manually specified, you can manually change between active and
notInService states. To do this, for the corresponding table row, select in the Status column the
desired status from the drop-down list.
1.3 Out-of-Band over USB
[ Basic Settings > Out-of-Band over USB ]
The device has a USB network interface that lets you access the device management out-of-band.
When there is a high in-band load on the switching ports, you can still use the USB network
interface to access the device management.
The device lets you access the device management through the USB network interface using the
following protocols:
• HTTP
• HTTPS
• SSH
• Telnet
• SNMP
• FTP
• TFTP
• SFTP
• SCP
In this dialog, the device lets you change the IP parameters and disable the USB network interface,
if needed.
Operation
Operation
Enables/disables the USB network interface.
Possible values:
On (default setting)
The device lets you access the device management through the USB network interface.
Off
The device prohibits access to the device management through the USB network interface.
Management interface
IP parameter
Verify that the IP subnet of this network interface does not overlap with any subnet connected to
another interface of the device:
• management interface
IP address
Specifies the IP address of the device management for access through the USB network interface.
Possible values:
Valid IPv4 address
(default setting: 192.168.248.100)
The device assigns this IP address, increased by 1, to the management station that is
connected to the device.
Example: 192.168.248.100 for the USB network interface, 192.168.248.101 for the
management station.
Netmask
Specifies the netmask.
Possible values:
Valid IPv4 netmask
(default setting: 255.255.255.0)
1.4 Software
[ Basic Settings > Software ]
This dialog lets you update the device software and display information about the device software.
You also have the option to restore a backup of the device software that is saved in the device.
Note: Before you update the device software, follow the version-specific notes in the Readme text
file.
Version
Stored version
Displays the version number and creation date of the device software stored in the flash memory.
The device loads the device software during the next system startup.
Running version
Displays the version number and creation date of the currently running device software that the
device loaded during the last system startup.
Backup version
Displays the version number and creation date of the device software saved as a backup in the
flash memory. The device copied this device software into the backup memory during the last
software update or after you clicked the Restore button.
Restore
The device swaps the software images and accordingly the values displayed in the fields Stored
version and Backup version.
During the next system startup, the device loads the device software displayed in the Stored version
field.
Bootcode
Displays the version number and creation date of the boot code.
Software update
The device lets you update the device software using the fields in this frame. As an alternative, the
device lets you update the device software by right-clicking in the table if the software image is in
the external memory.
URL
Specifies the path and the file name of the image file that you use to update the device software.
As an alternative, the device lets you update the device software by right-clicking in the table if the
software image is in the external memory.
The device gives you the following options for updating the device software:
• Software update from the PC
Drag and drop the file into the area from your PC or network drive. As an alternative, click
in the area to select the file.
• Software update from an FTP server
If the file is on an FTP server, then specify the URL in the following form:
ftp://<user>:<password>@<IP address>[:port]/<file name>
• Software update from a TFTP server
If the file is on a TFTP server, then specify the URL in the following form:
tftp://<IP address>/<path>/<file name>
• Software update from an SCP or SFTP server
If the file is on an SCP or SFTP server, then specify the URL in one of the following forms:
scp:// or sftp://<IP address>/<path>/<file name>
Click the Start button to open the Credentials window. In this window, you enter the User name
and Password to log in to the server.
scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
Start
Updates the device software.
The device installs the selected file in the flash memory, replacing the previously saved device
software. During the next system startup, the device loads the installed device software.
To stay logged in to the device during the software update, move the mouse pointer occasionally.
As an alternative, specify a sufficiently high value in the Device Security > Management Access > Web
dialog, field Web interface session timeout [min] before the software update.
Possible values:
marked
The device lets you upload unsigned device software.
Uploading unsigned device software can be a security risk. If you trust the originator, then
you can upload the unsigned device software.
unmarked (default setting)
The device only lets you upload signed device software.
Table
File location
Displays the storage location of the device software.
Possible values:
ram
Volatile memory of the device
flash
Non-volatile memory (NVM) of the device
usb
External USB memory (ACA22-USB-C (EEC))
Index
Displays the index of the device software.
The index number of the device software in the flash memory has the following meaning:
1
During the next system startup, the device loads this device software.
2
The device copied this device software into the backup area during the last software update.
File name
Displays the device-internal file name of the device software.
Firmware
Displays the version number and creation date of the device software.
1.5 Load/Save
[ Basic Settings > Load/Save ]
This dialog lets you save the device settings permanently in a configuration profile.
The device can hold several configuration profiles. When you activate an alternative configuration
profile, you change to other device settings. You have the option of exporting the configuration
profiles to your PC or to a server. You also have the option of importing the configuration profiles
from your PC or from a server to the device.
In the default setting, the device saves the configuration profiles unencrypted. If you enter a
password in the Configuration encryption frame, then the device saves both the current and the future
configuration profiles in an encrypted format.
Unintentional changes to the settings can terminate the connection between your PC and the
device. To keep the device accessible, enable the Undo configuration modifications function before
changing any settings. If the connection is lost, then the device loads the configuration profile saved
in the non-volatile memory (NVM) after the specified time.
Note: Upgrading from Classic to HiOS? Convert your device configuration files using our online
tool: https://convert.hirschmann.com
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Remove
Removes the configuration profile selected in the table from the non-volatile memory (NVM) or from
the external memory.
If the configuration profile is designated as "Selected", then the device helps prevent you from
removing the configuration profile.
Save
Saves the temporarily applied settings in the configuration profile designated as “Selected” in the
non-volatile memory (NVM).
When in the Basic Settings > External Memory dialog the checkbox in the Backup config when saving
column is marked, then the device saves a copy of the configuration profile in the external memory.
Displays a context menu with further functions for the corresponding dialog.
Save as..
Opens the Save as.. window to copy the configuration profile selected in the table and saves it with
a user-specified name in the non-volatile memory (NVM).
In the Profile name field, enter the name under which you want to save the configuration profile.
To save the configuration profile under a new name, click the button.
To overwrite an existing configuration profile, select the corresponding item from the drop-down list.
If in the Basic Settings > External Memory dialog the checkbox in the Backup config when saving column
is marked, then the device designates the configuration profile of the same name in the external
memory as “Selected”.
Note: Before adding additional configuration profiles, decide for or against permanently activated
configuration encryption in the device. Save additional configuration profiles either unencrypted or
encrypted with the same password.
Activate
Loads the settings of the configuration profile selected in the table to the volatile memory (RAM).
• The device terminates the connection to the Graphical User Interface. To access the device
management again, perform the following steps:
Reload the Graphical User Interface.
Log in again.
• The device immediately uses the settings of the configuration profile on the fly.
Enable the Undo configuration modifications function before you activate another configuration profile.
If the connection is lost afterwards, then the device loads the last configuration profile designated
as “Selected” from the non-volatile memory (NVM). The device can then be accessed again.
If the configuration encryption is inactive, then the device loads an unencrypted configuration
profile. If the configuration encryption is active and the password matches the password stored in
the device, then the device loads an encrypted configuration profile.
When you activate an older configuration profile, the device takes over the settings of the functions
contained in this software version. The device sets the values of new functions to their default
value.
Select
Designates the configuration profile selected in the table as “Selected”. In the Selected column, the
checkbox is then marked.
When applying the Undo configuration modifications function or during the system startup, the device
loads the settings of this configuration profile to the volatile memory (RAM).
• If the configuration encryption in the device is disabled, then designate an unencrypted
configuration profile only as “Selected”.
• If the configuration encryption in the device is enabled and the password of the configuration
profile matches the password saved in the device, then designate an encrypted configuration
profile only as “Selected”.
Otherwise, the device is unable to load and encrypt the settings in the configuration profile the next
time it restarts. For this case you specify in the Diagnostics > System > Selftest dialog if the device
starts with the default settings or terminates the restart and stops.
Note: You only mark the configuration profiles saved in the non-volatile memory (NVM).
If in the Basic Settings > External Memory dialog the checkbox in the Backup config when saving column
is marked, then the device designates the configuration profile of the same name in the external
memory as “Selected”.
Import...
Opens the Import... window to import a configuration profile.
The prerequisite is that you have exported the configuration profile using the Export... button or
using the link in the Profile name column.
From the Select source drop-down list, select from where the device imports the configuration
profile.
PC/URL
The device imports the configuration profile from the local PC or from a remote server.
External memory
The device imports the configuration profile from the external memory.
When PC/URL is selected above, in the Import profile from PC/URL frame you specify the
configuration profile file to be imported.
– Import from the PC
If the file is on your PC or on a network drive, then drag and drop the file in the area. As
an alternative, click in the area to select the file.
– Import from an FTP server
If the file is on an FTP server, then specify the URL in the following form:
ftp://<user>:<password>@<IP address>[:port]/<file name>
– Import from a TFTP server
If the file is on a TFTP server, then specify the URL in the following form:
tftp://<IP address>/<path>/<file name>
– Import from an SCP or SFTP server
If the file is on an SCP or SFTP server, then specify the URL in one of the following forms:
scp:// or sftp://<IP address>/<path>/<file name>
Click the Start button to open the Credentials window. In this window, you enter the User name
and Password to log in to the server.
scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
When External memory is selected above, in the Import profile from external memory frame you
specify the configuration profile file to be imported.
From the Profile name drop-down list, select the name of the configuration profile to be imported.
In the Destination frame you specify where the device saves the imported configuration profile.
In the Profile name field you specify the name under which the device saves the configuration
profile.
In the Storage field you specify the storage location for the configuration profile. The prerequisite
is that from the Select source drop-down list the PC/URL item is selected.
RAM
The device saves the configuration profile in the volatile memory (RAM) of the device. This
replaces the running-config, and the device uses the settings of the imported configuration
profile immediately. The device terminates the connection to the Graphical User Interface.
Reload the Graphical User Interface. Log in again.
NVM
The device saves the configuration profile in the non-volatile memory (NVM) of the device.
When you import a configuration profile, the device takes over the settings as follows:
• If the configuration profile was exported on the same device or on an identically equipped device
of the same type, then:
The device takes over the settings completely.
• If the configuration profile was exported on another device, then:
The device takes over the settings which it can interpret based on its hardware equipment and
software level.
The remaining settings the device takes over from its running-config configuration profile.
Regarding configuration profile encryption, also read the help text of the Configuration encryption
frame. The device imports a configuration profile under the following conditions:
• The configuration encryption of the device is inactive. The configuration profile is unencrypted.
• The configuration encryption of the device is active. The configuration profile is encrypted with
the same password that the device currently uses.
Export...
Exports the configuration profile selected in the table and saves it as an XML file on a remote
server.
To save the file on your PC, click the link in the Profile name column to select the storage location
and specify the file name.
The device gives you the following options for exporting a configuration profile:
• Export to an FTP server
To save the file on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>[:port]/<file name>
• Export to a TFTP server
To save the file on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
• Export to an SCP or SFTP server
To save the file on an SCP or SFTP server, specify the URL for the file in one of the following
forms:
scp:// or sftp://<IP address>/<path>/<file name>
Click the Ok button to open the Credentials window. In this window, you enter the User name
and Password to log in to the server.
scp:// or sftp://<user>:<password>@<IP address>/<path>/<file name>
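The URL forms listed for the software update, the profile import and the profile export differ in what they expose on the network and in logs. The following added Python example (not part of the manual; function names and sample URLs are constructed) classifies such a URL and produces a copy that is safe to record in change tickets or procedure notes.

```python
from urllib.parse import urlsplit

# Schemes the manual lists for update, import and export, with the
# properties of the underlying transfer protocol.
SCHEMES = {
    "ftp":  {"encrypted": False, "authenticated": True},
    "tftp": {"encrypted": False, "authenticated": False},
    "scp":  {"encrypted": True,  "authenticated": True},
    "sftp": {"encrypted": True,  "authenticated": True},
}


def redact(url: str) -> str:
    """Return the URL with any embedded password replaced by ***."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if ":" in host:                  # an IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = f"{parts.username}:***@{host}"
    if parts.port is not None:
        netloc += f":{parts.port}"
    return parts._replace(netloc=netloc).geturl()


def assess(url: str) -> dict:
    """Classify one transfer URL and list what it exposes."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in SCHEMES:
        raise ValueError(f"scheme {scheme!r} is not one of the documented forms")
    if not parts.hostname:
        raise ValueError("URL has no server address")
    props = SCHEMES[scheme]
    issues = []
    if not props["encrypted"]:
        issues.append("file and any credentials cross the network unencrypted")
    if not props["authenticated"]:
        issues.append("server does not authenticate the client")
    if parts.password is not None:
        issues.append("password is embedded in the URL")
    return {
        "scheme": scheme,
        "server": parts.hostname,
        "log_safe": redact(url),
        "issues": issues,
    }


if __name__ == "__main__":
    # Constructed sample URLs in the forms the manual documents.
    for sample in (
        "ftp://admin:s3cret@192.0.2.20:2121/hios.bin",
        "tftp://192.0.2.20/fw/hios.bin",
        "sftp://192.0.2.20/fw/hios.bin",
        "scp://admin:s3cret@192.0.2.20/fw/hios.bin",
    ):
        result = assess(sample)
        print(result["log_safe"], result["issues"])
```

The scp:// and sftp:// form without credentials, where the device asks for the User name and Password in the Credentials window, is the only form that produces no issue.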
The device gives you the following options to import a script file:
• Import from the PC
If the file is on your PC or on a network drive, then drag and drop the file in the area. As an
alternative, click in the area to select the file.
• Import from an FTP server
If the file is on an FTP server, then specify the URL in the following form:
ftp://<user>:<password>@<IP address>[:port]/<file name>
Back to factory...
Resets the settings in the device to the default values.
• The device deletes the saved configuration profiles from the volatile memory (RAM) and from the
non-volatile memory (NVM).
• The device deletes the HTTPS certificate used by the web server in the device.
• The device deletes the RSA key (Host Key) used by the SSH server in the device.
• When an external memory is connected, the device deletes the configuration profiles saved in
the external memory.
• After a short time, the device reboots and then uses the default settings.
Back to default
Deletes the current operating (running config) settings from the volatile memory (RAM).
Storage
Displays the storage location of the configuration profile.
Possible values:
RAM (volatile memory of the device)
In the volatile memory, the device stores the settings for the current operation.
NVM (non-volatile memory of the device)
When applying the Undo configuration modifications function or during the system startup, the
device loads the “Selected” configuration profile from the non-volatile memory.
The non-volatile memory provides space for multiple configuration profiles, depending on the
number of settings saved in the configuration profile. The device manages a maximum of
20 configuration profiles in the non-volatile memory.
You can load a configuration profile into the volatile memory (RAM). To do this, perform the
following steps:
Select the table row of the configuration profile.
Click the button and then the Activate item.
ENVM (external memory)
In the external memory, the device saves a backup copy of the “Selected” configuration profile.
The prerequisite is that in the Basic Settings > External Memory dialog the Backup config when saving
checkbox is marked.
Profile name
Displays the name of the configuration profile.
Possible values:
running-config
Name of the configuration profile in the volatile memory (RAM).
config
Name of the factory setting configuration profile in the non-volatile memory (NVM).
User-defined name
The device lets you save a configuration profile with a user-specified name. To do this, select
the table row of an existing configuration profile in the table, click the button and then the
Save as.. item.
To export the configuration profile as an XML file on your PC, click the link. Then you select the
storage location and specify the file name.
To save the file on a remote server, click the button and then the Export... item.
Selected
Displays if the configuration profile is designated as “Selected”.
The device lets you designate another configuration profile as “Selected”. To do this, select the
desired configuration profile in the table, click the button and then the Activate item.
Possible values:
marked
The configuration profile is designated as “Selected”.
– When applying the Undo configuration modifications function or during the system startup, the
device loads the configuration profile into the volatile memory (RAM).
– When you click the button, the device saves the temporarily applied settings in this
configuration profile.
unmarked
Another configuration profile is designated as “Selected”.
Encryption
Displays if the configuration profile is encrypted.
Possible values:
marked
The configuration profile is encrypted.
unmarked
The configuration profile is unencrypted.
You activate/deactivate the encryption of the configuration profile in the Configuration encryption
frame.
Verified
Displays if the password of the encrypted configuration profile matches the password stored in the
device.
Possible values:
marked
The passwords match. The device is able to decrypt the configuration profile.
unmarked
The passwords are different. The device is unable to decrypt the configuration profile.
Note: The device applies script files additionally to the current settings. Verify that the script file
does not contain any parts that conflict with the current settings.
Software version
Displays the version number of the device software that the device ran while saving the
configuration profile.
Fingerprint
Displays the checksum saved in the configuration profile.
When saving the settings, the device calculates the checksum and inserts it into the configuration
profile.
Verified
Displays if the checksum saved in the configuration profile is valid.
The device calculates the checksum of the configuration profile marked as “Selected” and
compares it with the checksum saved in this configuration profile.
Possible values:
marked
The calculated and the saved checksum match.
The saved settings are consistent.
unmarked
For the configuration profile marked as “Selected” applies:
The calculated and the saved checksum are different.
The configuration profile contains modified settings.
Possible causes:
– The file is damaged.
– The file system in the external memory is inconsistent.
– A user has exported the configuration profile and changed the XML file outside the device.
For the other configuration profiles the device has not calculated the checksum.
The device verifies the checksum correctly only if the configuration profile has been saved before
as follows:
• on an identical device
• with the same software version, which the device is running
• with a lower or the same level of the device software
such as HiOS-2A or HiOS-3S on a device which runs HiOS-3S
Note: This function identifies changes to the settings in the configuration profile. The function does
not provide protection against operating the device with modified settings.
External memory
Possible values:
usb
External USB memory (ACA22-USB-C (EEC))
Status
Displays the operating state of the external memory.
Possible values:
notPresent
No external memory is connected.
removed
Someone has removed the external memory from the device during operation.
ok
The external memory is connected and ready for operation.
outOfMemory
The memory space is occupied in the external memory.
genericErr
The device has detected an error.
Configuration encryption
Active
Displays if the configuration encryption is active/inactive in the device.
Possible values:
marked
The configuration encryption is active.
If the configuration profile is encrypted and the password matches the password stored in the
device, then the device loads a configuration profile from the non-volatile memory (NVM).
unmarked
The configuration encryption is inactive.
If the configuration profile is unencrypted, then the device loads a configuration profile from the
non-volatile memory (NVM) only.
If in the Basic Settings > External Memory dialog, the Config priority column has the value first and
the configuration profile is unencrypted, then the Security status frame in the Basic Settings > System
dialog displays an alarm.
In the Diagnostics > Status Configuration > Security Status dialog, Global tab, Monitor column you specify
if the device monitors the Load unencrypted config from external memory parameter.
Set password
Opens the Set password window that helps you to enter the password needed for the configuration
profile encryption. Encrypting the configuration profiles makes unauthorized access more difficult.
To do this, perform the following steps:
• When you are changing an existing password, enter the existing password in the Old password
field. To display the password in plain text instead of ***** (asterisks), mark the Display content
checkbox.
• In the New password field, enter the password.
To display the password in plain text instead of ***** (asterisks), mark the Display content
checkbox.
• Mark the Save configuration afterwards checkbox to use encryption also for the Selected
configuration profile in the non-volatile memory (NVM) and in the external memory.
Note: Use this function only if a maximum of one configuration profile is stored in the non-volatile
memory (NVM) of the device. Before adding additional configuration profiles, decide for or
against permanently activated configuration encryption in the device. Save additional configuration
profiles either unencrypted or encrypted with the same password.
If you are replacing a device with an encrypted configuration profile, for example due to an
inoperable device, then perform the following steps:
• Restart the new device and assign the IP parameters.
• Open the Basic Settings > Load/Save dialog on the new device.
• Encrypt the configuration profile in the new device. See above. Enter the same password you
used in the inoperable device.
• Install the external memory from the inoperable device in the new device.
• Restart the new device.
During the next system startup, the device loads the configuration profile with the settings of the
inoperable device from the external memory. The device copies the settings into the volatile
memory (RAM) and into the non-volatile memory (NVM).
Delete
Opens the Delete window which helps you to cancel the configuration encryption in the device. To
cancel the configuration encryption, perform the following steps:
• In the Old password field, enter the existing password.
To display the password in plain text instead of ***** (asterisks), mark the Display content
checkbox.
• Mark the Save configuration afterwards checkbox to remove the encryption also for the Selected
configuration profile in the non-volatile memory (NVM) and in the external memory.
Note: If you keep additional encrypted configuration profiles in the memory, then the device helps
prevent you from activating or designating these configuration profiles as "Selected".
Operation
Enables/disables the Undo configuration modifications function. Using the function, the device
continuously checks if it can still be reached from the IP address of your PC. If the connection is
lost, after a specified time period the device loads the “Selected” configuration profile from the
non-volatile memory (NVM). Afterwards, the device can be accessed again.
Possible values:
On
The function is enabled.
– You specify the time period between the interruption of the connection and the loading of the
configuration profile in the Timeout [s] to recover after connection loss field.
– When the non-volatile memory (NVM) contains multiple configuration profiles, the device
loads the configuration profile designated as “Selected”.
Off (default setting)
The function is disabled.
Disable the function again before you close the Graphical User Interface. You thus help prevent
the device from restoring the configuration profile designated as “Selected”.
Note: Before you enable the function, save the settings in the configuration profile. The device thus
maintains the current settings, that are only temporarily saved.
Possible values:
30..600 (default setting: 600)
Specify a sufficiently large value. Take into account the time when you are viewing the dialogs of
the Graphical User Interface without changing or updating them.
Watchdog IP address
Displays the IP address of the PC on which you have enabled the function.
Possible values:
IPv4 address (default setting: 0.0.0.0)
Information
Possible values:
marked
The settings match.
unmarked
The settings differ. Additionally, the Banner displays the icon .
Possible values:
marked
The settings match.
unmarked
The settings differ.
Possible causes:
– No external memory is connected to the device.
– In the Basic Settings > External Memory dialog, the Backup config when saving function is
disabled.
Operation
Enables/disables the Backup config on a remote server when saving function.
Possible values:
Enabled
The Backup config on a remote server when saving function is enabled.
When you save the configuration profile in the non-volatile memory (NVM), the device
automatically backs up the configuration profile on the remote server specified in the URL field.
Disabled (default setting)
The Backup config on a remote server when saving function is disabled.
URL
Specifies path and file name of the backed up configuration profile on the remote server.
Possible values:
Alphanumeric ASCII character string with 0..128 characters
Example: tftp://192.9.200.1/cfg/config.xml
The device supports the following wildcards:
– %d
System date in the format YYYY-mm-dd
– %t
System time in the format HH_MM_SS
– %i
IP address of the device
– %m
MAC address of the device in the format AA-BB-CC-DD-EE-FF
– %p
Product name of the device
Set credentials
Opens the Credentials window which helps you to enter the login credentials needed to authenticate
on the remote server. To do this, perform the following steps:
In the User name field, enter the user name.
To display the user name in plain text instead of ***** (asterisks), mark the Display content
checkbox.
Possible values:
Alphanumeric ASCII character string with 1..32 characters
In the Password field, enter the password.
To display the password in plain text instead of ***** (asterisks), mark the Display content
checkbox.
Possible values:
Alphanumeric ASCII character string with 6..64 characters
The device accepts the following characters:
a..z
A..Z
0..9
!#$%&'()*+,-./:;<=>?@[\]^_`{}~
[ Basic Settings > External Memory ]
This dialog lets you activate functions that the device automatically executes in combination with
the external memory. The dialog also displays the operating state and identifying characteristics of
the external memory.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Type
Displays the type of the external memory.
Possible values:
usb
External USB memory (ACA22-USB-C (EEC))
Status
Displays the operating state of the external memory.
Possible values:
notPresent
No external memory is connected.
removed
Someone has removed the external memory from the device during operation.
ok
The external memory is connected and ready for operation.
outOfMemory
The memory space is occupied in the external memory.
genericErr
The device has detected an error.
Writable
Displays if the device has write access to the external memory.
Possible values:
marked
The device has write access to the external memory.
unmarked
The device has read-only access to the external memory. Possibly the write protection is
activated in the external memory.
Possible values:
marked (default setting)
The device updates the device software when the following files are located in the external
memory:
– the image file of the device software
– a text file startup.txt with the content autoUpdate=<image_file_name>.bin
unmarked
No automatic device software update during the system startup.
Possible values:
marked (default setting)
The loading of the RSA key is activated.
During the system startup, the device loads the RSA key from the external memory when the
following files are located in the external memory:
– SSH RSA key file
– a text file startup.txt with the content
autoUpdateRSA=<filename_of_the_SSH_RSA_key>
The device displays messages on the system console of the serial interface.
unmarked
The loading of the RSA key is deactivated.
Note: When loading the RSA key from the external memory (ENVM), the device overwrites the
existing keys in the non-volatile memory (NVM).
Config priority
Specifies the memory from which the device loads the configuration profile upon reboot.
Possible values:
disable
The device loads the configuration profile from the non-volatile memory (NVM).
first
The device loads the configuration profile from the external memory.
When the device does not find a configuration profile in the external memory, it loads the
configuration profile from the non-volatile memory (NVM).
Note: When loading the configuration profile from the external memory (ENVM), the device
overwrites the settings of the Selected configuration profile in the non-volatile memory (NVM).
If the Config priority column has the value first and the configuration profile is unencrypted, then
the Security status frame in the Basic Settings > System dialog displays an alarm.
In the Diagnostics > Status Configuration > Security Status dialog, Global tab, Monitor column you specify
if the device monitors the Load unencrypted config from external memory parameter.
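The startup behaviour described above can be checked before an external memory is plugged into a device. The following added example (not Hirschmann code) parses startup.txt for the two directives the manual names and lists what a system startup would trigger; the settings field names, the sample file names and the approved-hash list are assumptions made for the example.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Directive names exactly as the manual gives them for startup.txt.
DIRECTIVES = ("autoUpdate", "autoUpdateRSA")


@dataclass
class DeviceSettings:
    """External Memory settings; the field names are hypothetical."""
    auto_software_update: bool = True   # marked is the default setting
    auto_rsa_key_load: bool = True      # marked is the default setting
    config_priority: str = "disable"    # "disable" or "first"
    config_encrypted: bool = False


def parse_startup_txt(text):
    """Return {directive: value} for the key=value lines the manual describes."""
    found = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip() in DIRECTIVES and value.strip():
            found[key.strip()] = value.strip()
    return found


def audit_external_memory(root, settings, approved_sha256=()):
    """List what a system startup with this memory attached would trigger."""
    root = Path(root)
    startup = root / "startup.txt"
    directives = parse_startup_txt(startup.read_text()) if startup.is_file() else {}
    findings = []

    # Software update: needs the directive, the image file and the marked checkbox.
    image = directives.get("autoUpdate")
    if image and settings.auto_software_update and (root / image).is_file():
        digest = hashlib.sha256((root / image).read_bytes()).hexdigest()
        verdict = "approved" if digest in approved_sha256 else "not on the approved list"
        findings.append(("software-update", f"{image} would be installed ({verdict})"))

    # RSA key load: the manual notes that the existing keys in NVM are overwritten.
    key = directives.get("autoUpdateRSA")
    if key and settings.auto_rsa_key_load and (root / key).is_file():
        findings.append(("rsa-key", f"{key} would overwrite the existing keys in NVM"))

    # Config priority "first": external profile wins and replaces the Selected one.
    if settings.config_priority == "first":
        findings.append(("config-load", "a profile on the external memory, if present, "
                         "overwrites the Selected profile in NVM"))
        if not settings.config_encrypted:
            findings.append(("security-alarm", "unencrypted profile with Config "
                             "priority first is a Security status alarm condition"))
    return findings


def build_sample_memory(root):
    """Constructed sample content; file names and bytes are made up."""
    root = Path(root)
    (root / "startup.txt").write_text(
        "autoUpdate=sample-image.bin\nautoUpdateRSA=sample-key.pem\n")
    (root / "sample-image.bin").write_bytes(b"constructed firmware bytes")
    (root / "sample-key.pem").write_bytes(b"constructed key bytes")
    return root


def demo(settings, approved_sha256=()):
    """Audit the constructed sample memory with the given settings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_external_memory(build_sample_memory(tmp), settings, approved_sha256)


if __name__ == "__main__":
    for code, message in demo(DeviceSettings(config_priority="first")):
        print(f"{code}: {message}")
```

With the default settings, the sample memory triggers both the software update and the RSA key load, which is why unmarking the two checkboxes matters on devices whose USB port is physically reachable.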
Possible values:
marked (default setting)
Saving a copy is activated. When you click in the Basic Settings > Load/Save dialog the
button, the device saves a copy of the configuration profile on the active external memory.
unmarked
Saving a copy is deactivated. The device does not save a copy of the configuration profile.
Manufacturer ID
Displays the name of the memory manufacturer.
Revision
Displays the revision number specified by the memory manufacturer.
Version
Displays the version number specified by the memory manufacturer.
Name
Displays the product name specified by the memory manufacturer.
Serial number
Displays the serial number specified by the memory manufacturer.
1.7 Port
[ Basic Settings > Port ]
This dialog lets you specify settings for the individual ports. The dialog also displays the operating
mode, connection status, bit rate and duplex mode for every port.
[Configuration]
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Name
Name of the port.
Possible values:
Alphanumeric ASCII character string with 0..64 characters
The device accepts the following characters:
– <space>
– 0..9
– a..z
– A..Z
– !#$%&'()*+,-./:;<=>?@[\]^_`{}~
Port on
Activates/deactivates the port.
Possible values:
marked (default setting)
The port is active.
unmarked
The port is inactive. The port does not send or receive any data.
State
Displays if the port is currently physically enabled or disabled.
Possible values:
marked
The port is physically enabled.
unmarked
The port is physically disabled.
When the Port on function is active, the Auto-Disable function has disabled the port. You specify
the settings of the Auto-Disable function in the Diagnostics > Ports > Auto-Disable dialog.
Autoneg
Activates/deactivates the automatic selection of the operating mode for the port.
Possible values:
marked (default setting)
The automatic selection of the operating mode is active.
The port negotiates the operating mode independently using auto-negotiation and automatically
detects the assignment of the twisted-pair port connectors (auto cable crossing). This setting
has priority over the manual setting of the port.
It takes several seconds until the port has set the operating mode.
unmarked
The automatic selection of the operating mode is inactive.
The port operates with the values you specify in the Manual configuration column and in the
Manual cable crossing column.
Grayed-out display
No automatic selection of the operating mode.
Manual configuration
Specifies the operating mode of the ports when the Autoneg function is disabled.
Possible values:
10M HDX
Half-duplex connection
Applies to device variants with 20 or more ports: For information on whether the port supports
half-duplex see the “Installation” user manual.
10M FDX
Full-duplex connection
100M HDX
Half-duplex connection
Applies to device variants with 20 or more ports: For information on whether the port supports
half-duplex see the “Installation” user manual.
100M FDX
Full-duplex connection
1G FDX
Full-duplex connection
2.5G FDX
Full-duplex connection
Note: The operating modes of the port actually available depend on the device hardware.
Link/Current settings
Displays the operating mode which the port currently uses.
Possible values:
–
No cable connected, no link.
10M HDX
Half-duplex connection
10M FDX
Full-duplex connection
100M HDX
Half-duplex connection
100M FDX
Full-duplex connection
1G FDX
Full-duplex connection
2.5G FDX
Full-duplex connection
Note: The operating modes of the port actually available depend on the device hardware.
Possible values:
mdi
The device interchanges the send- and receive-line pairs on the port.
mdix (default setting on TP ports)
The device helps prevent the interchange of the send- and receive-line pairs on the port.
auto-mdix
The device detects the send and receive line pairs of the connected device and automatically
adapts to them.
Example: When you connect an end device with a crossed cable, the device automatically
resets the port from mdix to mdi.
unsupported (default setting on optical ports or TP-SFP ports)
The port does not support this function.
Flow control
Activates/deactivates the flow control on the port.
Possible values:
marked (default setting)
The Flow control on the port is active.
The sending and evaluating of pause packets (full-duplex operation) or collisions (half-duplex
operation) is activated on the port.
To enable the flow control in the device, also activate the Flow control function in the
Switching > Global dialog.
Activate the flow control also on the port of the device that is connected to this port.
On an uplink port, activating the flow control can possibly cause undesired sending interruptions
in the higher-level network segment (“wandering backpressure”).
unmarked
The Flow control on the port is inactive.
If you are using a redundancy function, then you deactivate the flow control on the participating
ports. If the flow control and the redundancy function are active at the same time, it is possible that
the redundancy function operates differently than intended.
Send trap
Activates/deactivates the sending of SNMP traps when the device detects a change in the link
up/down status on the port.
Possible values:
marked (default setting)
The sending of SNMP traps is active. The prerequisite is that in the Diagnostics > Status
Configuration > Alarms (Traps) dialog the Alarms (Traps) function is enabled and at least one trap
destination is specified.
When the device detects a link up/down status change, the device sends an SNMP trap.
unmarked
The sending of SNMP traps is inactive.
MTU
Specifies the maximum allowed size of Ethernet packets on the port in bytes.
Possible values:
1518..9720 (default setting: 1518)
With the setting 1518, the port transmits the Ethernet packets up to the following size:
– 1518 bytes without VLAN tag
(1514 bytes + 4 bytes CRC)
– 1522 bytes with VLAN tag
(1518 bytes + 4 bytes CRC)
This setting lets you increase the max. allowed size of Ethernet packets that this port can receive
or transmit.
On other interfaces, you specify the maximum permissible size of the Ethernet packets as follows:
• Link Aggregation interfaces
Switching > L2-Redundancy > Link Aggregation dialog, MTU column
Power state
Specifies if the port is physically switched on or off when you deactivate the port with the Port on
function.
Possible values:
marked
The port remains physically enabled. A connected device receives an active link.
unmarked (default setting)
The port is physically disabled.
Power save
Specifies how the port behaves when no cable is connected.
Possible values:
no-power-save (default setting)
The port remains activated.
auto-power-down
The port changes to the energy-saving mode.
unsupported
The port does not support this function and remains activated.
Signal
Activates/deactivates the port LED flashing. This function lets you identify the port in the field.
Possible values:
marked
The flashing of the port LED is active.
The port LED flashes until you disable the function again.
unmarked (default setting)
The flashing of the port LED is inactive.
[Statistics]
To sort the table by a specific criterion click the header of the corresponding column.
For example, to sort the table based on the number of received bytes in ascending order, click the
header of the Received octets column once. To sort in descending order, click the header again.
To reset the counter for the port statistics in the table to 0, perform the following steps:
In the Basic Settings > Port dialog, click the button.
or
In the Basic Settings > Restart dialog, click the Clear port statistics button.
[Ingress Utilization]
This tab displays the ingress network load on the individual ports.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Utilization [%]
Displays the current utilization in percent in relation to the time interval specified in the Control
interval [s] column.
The utilization is the relationship between the received data quantity and the maximum possible
data quantity at the currently set data rate.
Possible values:
0.00..100.00 (default setting: 0.00)
Possible values:
0.00..100.00 (default setting: 0.00)
Possible values:
1..3600 (default setting: 30)
Alarm
Displays the utilization alarm status.
Possible values:
marked
The network load on the port is below the value specified in the Lower threshold [%] column or
above the value specified in the Upper threshold [%] column. The device sends an SNMP trap.
The prerequisite is that in the Diagnostics > Status Configuration > Alarms (Traps) dialog the Alarms
(Traps) function is enabled and at least one trap destination is specified.
unmarked
The network load on the port is between the lower and the upper notification threshold values.
In Power over Ethernet (PoE), the Power Source Equipment (PSE) supplies current to powered
devices (PD) such as IP phones through the twisted-pair cable.
The product code and the PoE-specific labeling on the PSE device housing indicates if your device
supports Power over Ethernet. The PoE ports of the device support Power over Ethernet according
to IEEE 802.3at.
The system provides an internal maximum power budget for the ports. The ports reserve power
according to the detected class of a connected powered device. The real delivered power is equal
to or less than the reserved power.
You manage the power output with the Priority parameter. When the sum of the power required by
the connected devices exceeds the power available, the device turns off the power supplied to the
ports according to the set-up priority. The device turns off the power supplied to the ports, starting
with the ports set-up as low priority. When several ports have the same priority, the device turns off
power, starting with the highest-numbered ports.
[ Basic Settings > Power over Ethernet > Global ]
Based on the settings specified in this dialog, the device provides power to the end-user devices.
If the power consumption reaches the user-specified threshold value, then the device sends an
SNMP trap.
Operation
Operation
Enables/disables the Power over Ethernet function.
Possible values:
On (default setting)
The Power over Ethernet function is enabled.
Off
The Power over Ethernet function is disabled.
Configuration
Send trap
Activates/deactivates the sending of SNMP traps. If the power consumption exceeds the
user-specified threshold value, then the device sends an SNMP trap.
Possible values:
marked (default setting)
The device sends SNMP traps. The prerequisite is that in the Diagnostics > Status Configuration >
Alarms (Traps) dialog the Alarms (Traps) function is enabled and at least one trap destination is
specified.
unmarked
The device does not send any SNMP traps.
Threshold [%]
Specifies the threshold value for the power consumption in percent.
If the power output exceeds this threshold value, then the device measures the total output power
and sends an SNMP trap.
Possible values:
0..99 (default setting: 90)
System power
Budget [W]
Displays the sum of the power available for the global budget.
Reserved [W]
Displays the global reserved power. The device reserves power according to the detected classes
of connected powered devices. Reserved power is equal to or less than the actual delivered power.
Delivered [W]
Displays the actual power delivered to the modules in watts.
Delivered [mA]
Displays the actual current delivered to the modules in milliamperes.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Module
Device module to which the table rows relate.
Possible values:
0..n (default setting: n)
Here, n corresponds to the value in the Max. power budget [W] column.
Power source
Displays the power sourcing equipment for the device.
Possible values:
internal
Internal power source
external
External power source
Threshold [%]
Specifies the threshold value for the power consumption of the module in percent. If the power
output exceeds this threshold value, then the device measures the total output power and sends
an SNMP trap.
Possible values:
0..99 (default setting: 90)
Send trap
Activates/deactivates the sending of SNMP traps if the device detects that the power consumption
exceeds the threshold value.
Possible values:
marked (default setting)
The sending of SNMP traps is active. The prerequisite is that in the Diagnostics > Status
Configuration > Alarms (Traps) dialog the Alarms (Traps) function is enabled and at least one trap
destination is specified.
If the power consumption of the module exceeds the user-defined threshold value, then the
device sends an SNMP trap.
unmarked
The sending of SNMP traps is inactive.
[ Basic Settings > Power over Ethernet > Port ]
When power consumption is higher than deliverable power, the device turns off power to the
powered devices (PD) according to the priority levels and port numbers. When the PDs connected
require more power than the device provides, the device deactivates the Power over Ethernet
function on the ports. The device disables the Power over Ethernet function on the ports with the
lowest priority first. When multiple ports have the same priority, the device first disables the Power
over Ethernet function on the ports with the higher port number. The device also turns off power to
powered devices (PD) for a specified time period.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
PoE enable
Activates/deactivates the PoE power provided to the port.
When the device activates or deactivates the function, the device logs an event in the System Log.
Possible values:
marked (default setting)
Providing PoE power to the port is active.
unmarked
Providing PoE power to the port is inactive.
Fast startup
Activates/deactivates the Power over Ethernet Fast Startup function on the port.
The prerequisite is that the checkbox in the PoE enable column is marked.
Possible values:
marked
The fast start up function is active. The device sends power to the powered devices (PD)
immediately after turning the power to the device on.
unmarked (default setting)
The fast start up function is inactive. The device sends power to the powered devices (PD) after
loading its own configuration.
Priority
Specifies the port priority.
To help prevent current overloads, the device disables ports with low priority first. To help prevent
the device from disabling ports that supply necessary devices, specify a high priority for these
ports.
Possible values:
critical
high
low (default setting)
Status
Displays the status of the port Powered Device (PD) detection.
Possible values:
disabled
The device is in the DISABLED state and is not delivering power to the powered devices.
deliveringPower
The device identified the class of the connected PD and is in the POWER ON state.
fault
The device is in the TEST ERROR state.
otherFault
The device is in the IDLE state.
searching
The device is in a state other than the listed states.
test
The device is in the TEST MODE.
Detected class
Displays the power class of the powered device connected to the port.
Possible values:
Class 0
Class 1
Class 2
Class 3
Class 4
Class 0
Class 1
Class 2
Class 3
Class 4
Activates/deactivates the current of the classes 0 to 4 on the port.
Possible values:
marked (default setting)
unmarked
Consumption [W]
Displays the current power consumption of the port in watts.
Possible values:
0,0..30,0
Consumption [mA]
Displays the current delivered to the port in milliamperes.
Possible values:
0..600
This function lets you distribute the power budget available among the PoE ports as required.
For example, for a connected device not providing a “Power Class”, the port reserves a fixed
amount of 15.4 W (class 0) even if the device requires less power. The surplus power is not
available to any other port.
By specifying the power limit, you reduce the reserved power to the actual requirement of the
connected device. The unused power is available to other ports.
If the exact power consumption of the connected powered device is unknown, then the device
displays the value in the Max. consumption [W] column. Verify that the power limit is greater than the
value in the Max. consumption [W] column.
If the maximum observed power is greater than the set power limit, then the device sees the power
limit as invalid. In this case, the device uses the PoE class for the calculation.
Possible values:
0,0..30,0 (default setting: 0)
You reset the value when you disable PoE on the port or terminate the connection to the connected
device.
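The switch-off order described for the Priority parameter and the effect of the power limit on the reserved power can be modelled together. The following added example (not Hirschmann code) simulates both; it assumes integer port numbers, treats the reserved power as the power required, treats a power limit of 0 as "no limit set", and takes the per-class watt values other than the 15.4 W for class 0 from IEEE 802.3at rather than from this manual.

```python
from dataclasses import dataclass

# Reserved PSE power per detected class in watts. The manual states 15.4 W for
# class 0; the other figures are the IEEE 802.3at values, not from the manual.
CLASS_POWER_W = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4, 4: 30.0}
PRIORITY_RANK = {"low": 0, "high": 1, "critical": 2}


@dataclass
class PoePort:
    number: int                     # plain integers are an assumption
    priority: str = "low"           # low is the default setting
    detected_class: int = 0
    power_limit_w: float = 0.0      # assumption: 0 means no power limit is set
    max_consumption_w: float = 0.0  # maximum observed power


def reserved_power(port):
    """Power limit if it is valid, otherwise the class-based reservation."""
    limit = port.power_limit_w
    # A limit below the maximum observed power is invalid; the class applies.
    if limit > 0 and port.max_consumption_w <= limit:
        return limit
    return CLASS_POWER_W[port.detected_class]


def shed_ports(ports, budget_w):
    """Return (port numbers switched off in order, remaining reserved watts)."""
    total = sum(reserved_power(p) for p in ports)
    # Lowest priority first; within one priority the highest port number first.
    order = sorted(ports, key=lambda p: (PRIORITY_RANK[p.priority], -p.number))
    shed = []
    for port in order:
        if total <= budget_w:
            break
        total -= reserved_power(port)
        shed.append(port.number)
    return shed, round(total, 1)


def sample_ports(with_limits):
    """Constructed port table: one critical, one high and two low priority ports."""
    limit_2 = 6.0 if with_limits else 0.0
    limit_3 = 5.0 if with_limits else 0.0
    return [
        PoePort(1, "critical", detected_class=4),
        PoePort(2, "high", 0, power_limit_w=limit_2, max_consumption_w=4.5),
        PoePort(3, "low", 0, power_limit_w=limit_3, max_consumption_w=3.2),
        PoePort(4, "low", 2),
    ]


if __name__ == "__main__":
    for with_limits in (False, True):
        shed, remaining = shed_ports(sample_ports(with_limits), budget_w=50.0)
        print(f"limits={with_limits}: switched off {shed}, reserved {remaining} W")
```

In the constructed table, the two class 0 devices reserve 15.4 W each without a power limit, so ports 4 and 3 lose power under a 50 W budget; with valid limits the same devices fit and no port is switched off.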
Name
Specifies the name of the port.
Possible values:
Alphanumeric ASCII character string with 0..32 characters
Auto-shutdown power
Activates/deactivates the Auto-shutdown power function according to the settings.
Possible values:
marked
unmarked (default setting)
Possible values:
00:00..23:59 (default setting: 00:00)
Possible values:
00:00..23:59 (default setting: 00:00)
1.9 Restart
[ Basic Settings > Restart ]
This dialog lets you restart the device, reset port counters and the MAC address table (forwarding
database), and delete log files.
Restart
Cold start...
Opens the Restart window to initiate an immediate or delayed restart of the device.
If the configuration profile in the volatile memory (RAM) and the "Selected" configuration profile in
the non-volatile memory (NVM) differ, then the device displays the Warning window.
To permanently save the settings, click the Yes button in the Warning window.
To discard the changed settings, click the No button in the Warning window.
In the Restart in field you specify the delay time for the delayed restart.
Possible values:
00:00:00..596:31:23 (default setting: 00:00:00)
Hour:Minute:Second
When the delay time elapses, the device restarts and goes through the following phases:
• If you activate the function in the Diagnostics > System > Selftest dialog, then the device performs
a RAM test.
• The device starts the device software that the Stored version field displays in the Basic Settings >
Software dialog.
• The device loads the settings from the "Selected" configuration profile. See the Basic Settings >
Load/Save dialog.
Note: During the restart, the device does not transfer any data. During this time, the device cannot
be accessed by the Graphical User Interface or other management systems.
Restart in
Displays the remaining time in days, hours, minutes, seconds until the device restarts.
Cancel
Aborts a delayed restart.
Buttons
Clear FDB
Removes the MAC addresses from the forwarding table that have in the Switching > Filter for MAC
Addresses dialog the value Learned in the Status column.
2 Time
[ Time > Basic Settings ]
The device is equipped with a buffered hardware clock. This clock keeps the correct time if the
power supply becomes inoperable, or you disconnect the device from the power supply. After the
system startup, the correct time is available again, for example, for log entries.
The hardware clock bridges a power supply downtime of 3 hours. The prerequisite is that the power
supply of the device has been connected continuously for at least 5 minutes beforehand.
In this dialog, you specify time-related settings independently of the time synchronization protocol
specified.
[Global]
In this tab, you specify the system time and the time zone.
Configuration
System time
Displays the local date and time: System time = System time (UTC) + Local offset [min] + Daylight saving
time
Time source
Displays the time source from which the device obtains the time information.
The device automatically selects the available time source with the greatest accuracy.
Possible values:
local
System clock of the device.
sntp
The SNTP client is enabled, and the device is synchronized by an SNTP server. See the Time >
SNTP dialog.
ptp
The PTP function is enabled, and the device clock is synchronized with a PTP master clock. See
the Time > PTP dialog.
Possible values:
-780..840 (default setting: 60)
In this tab, you enable/disable the Daylight saving time function. You specify the start and end of
summer time using a pre-defined profile. As an alternative, you specify these settings individually.
During the summer time, the device advances the local time by one hour.
Operation
Possible values:
On
The Daylight saving time mode is enabled.
The device automatically sets the clock forward to summer time and back again.
Off (default setting)
The Daylight saving time mode is disabled.
You specify the daylight saving time settings in the Summertime begin and Summertime end frames.
Profile...
Opens the Profile... window to select a pre-defined profile for the start and end of summer time.
Selecting a profile overwrites the settings specified in the Summertime begin and Summertime end
frames.
Possible values:
EU
Daylight saving time settings as applicable in the European Union.
USA
Daylight saving time settings as applicable in the United States.
Summertime begin
In this frame, you specify the time at which the device sets the clock forward from standard time to
summer time. In the first 3 fields, you specify the day for the start of summer time. In the last field,
you specify the time.
Week
Specifies the week in the current month.
Possible values:
- (default setting)
first
second
third
fourth
last
Day
Specifies the day of the week.
Possible values:
- (default setting)
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Month
Specifies the month.
Possible values:
- (default setting)
January
February
March
April
May
June
July
August
September
October
November
December
System time
Specifies the time at which the device sets the clock forward to summer time.
Possible values:
<HH:MM> (default setting: 00:00)
Summertime end
In this frame, you specify the time at which the device resets the clock from summer time to
standard time. In the first 3 fields, you specify the day for the end of summer time. In the last field,
you specify the time.
Week
Specifies the week in the current month.
Possible values:
- (default setting)
first
second
third
fourth
last
Day
Specifies the day of the week.
Possible values:
- (default setting)
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Month
Specifies the month.
Possible values:
- (default setting)
January
February
March
April
May
June
July
August
September
October
November
December
System time
Specifies the time at which the device resets the clock to standard time.
Possible values:
<HH:MM> (default setting: 00:00)
2.2 SNTP
[ Time > SNTP ]
The Simple Network Time Protocol (SNTP) is a procedure described in the RFC 4330 for time
synchronization in the network.
With the SNTP client function, the device lets you synchronize the local system clock with an
external NTP or SNTP server.
As the SNTP server, the device makes the time information available to other devices in the
network.
[ Time > SNTP > Client ]
In this dialog, you specify the settings with which the device operates as an SNTP client. As an
SNTP client, the device obtains time information from an external NTP or SNTP server and
synchronizes the local system clock with the time from the time server.
Operation
Operation
Enables/disables the Client function in the device. Note the setting in the Disable client after successful
sync checkbox in the Configuration frame.
Possible values:
On
The Client function is enabled.
The device operates as an SNTP client.
Off (default setting)
The Client function is disabled.
State
State
Displays the status of the Client function.
Possible values:
disabled
The SNTP client is not operating.
notSynchronized
The SNTP client is operating.
The local system clock is not in sync with an external NTP or SNTP server.
synchronizedToRemoteServer
The SNTP client is not operating.
The local system clock is in sync with an external NTP or SNTP server.
Configuration
Mode
Specifies if the device actively requests the time information from an external NTP or SNTP server
set up in the device (unicast mode) or passively waits for the time information from a random NTP
or SNTP server (broadcast mode).
Possible values:
unicast (default setting)
The device takes the time information only from one of the set-up NTP or SNTP servers. The
device sends Unicast requests to the external SNTP or NTP server and evaluates the response
of the server.
broadcast
The device obtains the time information from a random NTP or SNTP server. The device
evaluates the Broadcasts or Multicasts from this server.
Possible values:
5..3600 (default setting: 30)
Possible values:
128..2048 (default setting: 320)
Possible values:
marked
The automatic disabling of the SNTP Client function is active.
The device disables the SNTP Client function after it has successfully synchronized its local
system clock.
unmarked (default setting)
The automatic disabling of the SNTP Client function is inactive.
The device keeps the SNTP Client function enabled after it has successfully synchronized its
local system clock.
Table
In the table, you specify the settings for up to 4 external NTP or SNTP servers. After enabling the
function, the device sends requests to the server set up in the first table row.
When the external NTP or SNTP server does not respond, the device sends its request to the
server set up in the next table row. When the device does not receive a response, it cyclically sends
requests to each set-up NTP or SNTP server until it receives a valid time from one of these servers.
The device synchronizes its local system clock with the first responding NTP or SNTP server, even
if a server higher up in the table becomes reachable again later.
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Remove
Index
Displays the index number to which the table row relates.
The device automatically assigns the value when you add a table row. When you delete a table row,
this leaves a gap in the numbering. When you add a table row, the device fills the first gap.
Name
Specifies a name for the external NTP or SNTP server.
Possible values:
Alphanumeric ASCII character string with 1..32 characters
IP address
Specifies the IP address of the external NTP or SNTP server.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
Valid IPv6 address
Possible values:
1..65535 (2¹⁶-1) (default setting: 123)
Exception: Port 2222 is reserved for internal functions.
Status
Displays the connection status between the device and the external NTP or SNTP server.
Possible values:
success
The device has successfully synchronized the local system clock with the external NTP or SNTP
server.
badDateEncoded
Synchronization was unsuccessful. The time information received contains protocol errors.
other
Synchronization was unsuccessful.
– The IP address 0.0.0.0 is specified for the external NTP or SNTP server.
or
– The device is using a different external NTP or SNTP server.
requestTimedOut
Synchronization was unsuccessful. The device has not received a response from the external
NTP or SNTP server.
serverKissOfDeath
Synchronization was unsuccessful. The external NTP or SNTP server is overloaded. The device
is requested to synchronize its system clock with another NTP or SNTP server. When no other
NTP or SNTP server is available, the device checks at intervals longer than the value in the
Request interval [s] field, if the server is still overloaded.
serverUnsychronized
Synchronization was unsuccessful. The external NTP or SNTP server is not in sync with a
reference time source.
versionNotSupported
Synchronization was unsuccessful. The SNTP versions of the client and server are
incompatible.
Active
Activates/deactivates the connection to the external NTP or SNTP server.
Possible values:
marked
The connection to the external NTP or SNTP server is activated.
The device has the option to access the server.
unmarked (default setting)
The connection to the external NTP or SNTP server is deactivated.
The device does not have the option to access the server.
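The checks behind the Status values and the row-by-row fallback through the server table can be reproduced offline. The following Python sketch is an added example, not code from this manual or from the device software: it applies the RFC 4330 client sanity checks to constructed SNTP messages and walks a four-row table until one server yields a usable time. The mapping of each check to a Status value, the accepted versions 3 and 4, and all server names and timestamps are assumptions made for the illustration.

```python
import struct

NTP_FORMAT = "!BBbbII4sQQQQ"   # 48-byte SNTP header laid out as in RFC 4330
ACCEPTED_VERSIONS = (3, 4)     # assumption: versions this hypothetical client accepts


def build_packet(li, vn, mode, stratum, originate=0, transmit=0, ref_id=b"\0" * 4):
    """Build a constructed SNTP message for the samples below."""
    first = (li << 6) | (vn << 3) | mode
    return struct.pack(NTP_FORMAT, first, stratum, 6, -20, 0, 0, ref_id,
                       0, originate, 0, transmit)


def classify_response(data, request_transmit, mode="unicast"):
    """Map one reply (or None for no reply) to a Status value from the table.

    The mapping is an assumption of this example, not the device's logic.
    """
    if data is None:
        return "requestTimedOut"
    if len(data) < struct.calcsize(NTP_FORMAT):
        return "badDateEncoded"
    first, stratum, _, _, _, _, _, _, originate, _, transmit = struct.unpack(
        NTP_FORMAT, data[:48])
    li, vn, pkt_mode = first >> 6, (first >> 3) & 0x7, first & 0x7
    if vn not in ACCEPTED_VERSIONS:
        return "versionNotSupported"
    # Unicast replies carry mode 4 (server), broadcasts carry mode 5.
    if pkt_mode != (4 if mode == "unicast" else 5):
        return "badDateEncoded"
    # Stratum 0 marks a kiss-o'-death message; check it before the leap bits,
    # because such messages usually also signal "unsynchronized".
    if stratum == 0:
        return "serverKissOfDeath"
    if li == 3:
        return "serverUnsychronized"
    if transmit == 0:
        return "badDateEncoded"
    # A unicast reply must echo the transmit timestamp of our request;
    # anything else is a stale or unsolicited message and is rejected.
    if mode == "unicast" and originate != request_transmit:
        return "badDateEncoded"
    return "success"


def poll_table(rows, request_transmit):
    """Try the table rows in order and stop at the first usable server."""
    tried = []
    for name, reply in rows:
        status = classify_response(reply, request_transmit)
        tried.append((name, status))
        if status == "success":
            return name, tried
    return None, tried


# Constructed sample data: one request timestamp and four table rows.
REQ = (3_911_000_000 << 32) | 0x12345678
SERVER_TX = (3_911_000_000 << 32) | 0x9ABCDEF0
TABLE = [
    ("ntp-a", None),                                                  # no reply
    ("ntp-b", build_packet(3, 4, 4, 0, REQ, SERVER_TX, b"RATE")),     # kiss-o'-death
    ("ntp-c", build_packet(0, 4, 4, 2, REQ ^ 1, SERVER_TX)),          # wrong originate
    ("ntp-d", build_packet(0, 4, 4, 2, REQ, SERVER_TX)),              # valid reply
]

if __name__ == "__main__":
    chosen, tried = poll_table(TABLE, REQ)
    for name, status in tried:
        print(f"{name}: {status}")
    print("synchronized to:", chosen)
```
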
[ Time > SNTP > Server ]
In this dialog, you specify the settings with which the device operates as an SNTP server. As an
SNTP server, the device makes the time information available to other devices in the network. The
device provides the Universal Time Coordinated (UTC) without considering local time differences.
If set accordingly, the SNTP server on the device operates in Broadcast mode. In Broadcast mode,
the device makes the time information available to other devices in the network by sending
Broadcasts or Multicasts.
Operation
Operation
Enables/disables the Server function on the device. Note the setting in the Disable server at local time
source checkbox in the Configuration frame.
Possible values:
On
The Server function is enabled.
The device operates as an SNTP server.
Off (default setting)
The Server function is disabled.
State
State
Displays the state of the Server function on the device.
Possible values:
disabled
The SNTP server is not operating.
notSynchronized
The SNTP server is operating.
The local system clock is not in sync with a reference time source.
syncToLocal
The SNTP server is operating.
The local system clock is in sync with the hardware clock of the device.
syncToRefclock
The SNTP server is operating.
The local system clock is in sync with an external reference time source, like a PTP clock.
syncToRemoteServer
The SNTP server is operating.
The local system clock is in sync with an external NTP or SNTP server which is superordinate
to the device in a cascade.
Configuration
UDP port
Specifies the UDP port on which the device listens for requests.
Possible values:
1..65535 (2¹⁶-1) (default setting: 123)
Exception: Port 2222 is reserved for internal functions.
Possible values:
marked
The device sends SNTP packets as Broadcasts or Multicasts.
The device also responds to SNTP requests in unicast mode.
unmarked (default setting)
The device responds to SNTP requests in unicast mode, but sends no Broadcast packets on its
own.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
Broadcast and Multicast addresses are permitted.
Possible values:
1..65535 (2¹⁶-1) (default setting: 123)
Exception: Port 2222 is reserved for internal functions.
Broadcast VLAN ID
Specifies the VLAN to which the device sends the SNTP packets in Broadcast mode.
Possible values:
0
The device sends the SNTP packets in the same VLAN in which the device management
access occurs. See the Basic Settings > Network > Global dialog.
1..4042 (default setting: 1)
Possible values:
64..1024 (default setting: 128)
Possible values:
marked
The automatic disabling of the SNTP Server function is active.
If the device has synchronized its local system clock to an external time reference, like a PTP
clock, then it keeps the SNTP Server function enabled. Otherwise, the device disables the SNTP
Server function.
unmarked (default setting)
The automatic disabling of the SNTP Server function is inactive.
The device keeps the SNTP Server function enabled, regardless of whether it has synchronized
its local system clock to an external time reference.
If the local system clock is not in sync with an external time reference, then in the SNTP packet,
the device informs the client that its system clock is synchronized locally.
2.3 PTP
[ Time > PTP ]
[ Time > PTP > Global ]
In this dialog you specify basic settings for the PTP function.
The Precision Time Protocol (PTP) is a procedure defined in IEEE 1588-2008 that supplies the
devices in the network with a precise time. The method synchronizes the clocks in the network with
a precision of a few 100 ns. The protocol uses Multicast communication, so the load on the network
due to the PTP synchronization messages is negligible.
PTP is significantly more accurate than SNTP. If the SNTP function and the PTP function are
enabled in the device at the same time, then the PTP function has priority.
With the Best Master Clock Algorithm, the devices in the network determine which device has the
most accurate time. The devices use the device with the most accurate time as the reference time
source (Grandmaster). Subsequently the participating devices synchronize themselves with this
reference time source.
If you want to transport PTP time accurately through the network, then use only devices with PTP
hardware support on the transport paths.
Operation IEEE1588/PTP
Operation IEEE1588/PTP
Enables/disables the PTP function.
In the device, only one of the two functions, 802.1AS or PTP, can be enabled at a time.
Possible values:
On
The PTP function is enabled.
The device synchronizes its clock with PTP.
If the SNTP function and the PTP function are enabled in the device at the same time, then the
PTP function has priority.
Off (default setting)
The PTP function is disabled.
The device transmits the PTP synchronization messages without any correction on every port.
Configuration IEEE1588/PTP
PTP mode
Specifies the PTP version and mode of the local clock.
Possible values:
v2-transparent-clock (default setting)
v2-boundary-clock
Possible values:
1..999999999 (10⁹-1) (default setting: 30)
Possible values:
31..1000000000 (10⁹) (default setting: 5000)
PTP management
Activates/deactivates the PTP management defined in the PTP standard.
Possible values:
marked
PTP management is activated.
unmarked (default setting)
PTP management is deactivated.
Status
Is synchronized
Displays if the local system clock is synchronized with the reference time source (Grandmaster).
If the path difference between the local clock and the reference time source (Grandmaster) falls
below the synchronization lower threshold value one time, then the local clock is synchronized. This
status is kept until the path difference exceeds the synchronization upper threshold value one time.
You specify the synchronization threshold values in the Configuration IEEE1588/PTP frame.
PTP time
Displays the date and time for the PTP time scale when the local clock is synchronized with the
reference time source (Grandmaster). Format: Month Day, Year hh:mm:ss AM/PM
[ Time > PTP > Boundary Clock ]
With this menu you can set up the Boundary Clock mode for the local clock.
[ Time > PTP > Boundary Clock > Global ]
In this dialog you specify general, cross-port settings for the Boundary Clock mode for the local
clock. The Boundary Clock (BC) operates according to PTP version 2 (IEEE 1588-2008).
The settings are effective when the local clock operates as the Boundary Clock (BC). For this, you
select in the Time > PTP > Global dialog in the PTP mode field the value v2-boundary-clock.
Operation IEEE1588/PTPv2 BC
Priority 1
Specifies priority 1 for the device.
Possible values:
0..255 (default setting: 128)
The Best Master Clock Algorithm first evaluates priority 1 among the participating devices to
determine the reference time source (Grandmaster).
The lower you set this value, the more probable it is that the device becomes the reference time
source (Grandmaster). See the Grandmaster frame.
Priority 2
Specifies priority 2 for the device.
Possible values:
0..255 (default setting: 128)
When the previously evaluated criteria are the same for multiple devices, the Best Master Clock
Algorithm evaluates priority 2 of the participating devices.
The lower you set this value, the more probable it is that the device becomes the reference time
source (Grandmaster). See the Grandmaster frame.
Domain number
Assigns the device to a PTP domain.
Possible values:
0..255 (default setting: 0)
The device transmits time information from and to devices only in the same domain.
Status IEEE1588/PTPv2 BC
Two step
Displays that the clock is operating in Two-Step mode.
Steps removed
Displays the number of communication paths passed through between the local clock of the device
and the reference time source (Grandmaster).
For a PTP slave, the value 1 means that the clock is connected with the reference time source
(Grandmaster) directly through one communication path.
In Two-Step mode the time information consists of 2 PTP synchronization messages each, which
the PTP master sends cyclically:
• The first synchronization message (sync message) contains an estimated value for the exact
sending time of the message.
• The second synchronization message (follow-up message) contains the exact sending time of
the first message.
The PTP slave uses the two PTP synchronization messages to calculate the difference (offset) from
the master and corrects its clock by this difference. Here the PTP slave also considers the Delay to
master [ns] value.
The PTP slave sends a “Delay Request” packet to the PTP master and thus determines the exact
sending time of the packet. When it receives the packet, the PTP master generates a time stamp
and sends this in a “Delay Response” packet back to the PTP slave. The PTP slave uses the two
packets to calculate the delay, and considers this starting from the next offset measurement.
The prerequisite is that in the Time > PTP > Boundary Clock > Port dialog, Delay mechanism column,
the value e2e is specified for the slave ports.
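The offset and delay calculation described above, together with the synchronization thresholds from the Is synchronized field, worked through in Python as an added example (not code from this manual or from the device software). The timestamps and the 30 ns and 5000 ns thresholds are constructed sample values. The asymmetry term assumes the IEEE 1588 convention, in which the value is the amount by which the master-to-slave delay exceeds the mean path delay; whether the Asymmetry field of the device uses exactly this scaling is an assumption.

```python
from dataclasses import dataclass


@dataclass
class TwoStepExchange:
    """Timestamps in ns collected by the PTP slave (constructed sample values)."""
    t1: int  # exact sending time of the sync message, taken from the follow-up
    t2: int  # reception time of the sync message, read from the slave clock
    t3: int  # sending time of the Delay Request, read from the slave clock
    t4: int  # reception time of the Delay Request, taken from the Delay Response


def mean_path_delay(x):
    """Average of the two one-way delays; the clock offset cancels out."""
    return ((x.t2 - x.t1) + (x.t4 - x.t3)) / 2


def offset_from_master(x, asymmetry_ns=0):
    """Slave clock minus master clock.

    Without correction the calculation assumes that both directions take
    equally long. asymmetry_ns > 0 means that the path from the master to
    the slave is the longer one (assumed IEEE 1588 convention).
    """
    return (x.t2 - x.t1) - mean_path_delay(x) - asymmetry_ns


def track_sync(offsets_ns, lower_ns, upper_ns):
    """Hysteresis of the synchronization status.

    The clock counts as synchronized once the offset falls below the lower
    threshold and keeps that status until the offset exceeds the upper one.
    """
    synced = False
    states = []
    for off in offsets_ns:
        magnitude = abs(off)
        if not synced and magnitude < lower_ns:
            synced = True
        elif synced and magnitude > upper_ns:
            synced = False
        states.append(synced)
    return states


# Constructed scenario: the slave clock is 250 ns ahead of the master, the
# path master -> slave takes 1200 ns and the path slave -> master 800 ns.
SAMPLE = TwoStepExchange(t1=1_000_000, t2=1_001_450, t3=1_050_000, t4=1_050_550)

if __name__ == "__main__":
    print("mean path delay [ns]:", mean_path_delay(SAMPLE))
    print("offset, uncorrected [ns]:", offset_from_master(SAMPLE))
    print("offset, asymmetry 200 ns [ns]:", offset_from_master(SAMPLE, 200))
    print(track_sync([8000, 400, 25, 900, 4999, 5001, 40, 29], 30, 5000))
```

With symmetric assumptions the slave would correct by 450 ns and stay 200 ns off; entering the asymmetry removes exactly that residual error.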
Grandmaster
This frame displays the criteria that the Best Master Clock Algorithm uses when evaluating the
reference time source (Grandmaster).
The algorithm first evaluates priority 1 of the participating devices. The device with the lowest value
for priority 1 is designated as the reference time source (Grandmaster). When the value is the same
for multiple devices, the algorithm takes the next criterion, and when this is also the same, the
algorithm takes the next criterion after this one. When every value is the same for multiple devices,
the lowest value in the Clock identity field decides which device is designated as the reference time
source (Grandmaster).
The device lets you influence which device in the network is designated as the reference time
source (Grandmaster). To do this, modify the value in the Priority 1 field or the Priority 2 field in the
Operation IEEE1588/PTPv2 BC frame.
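To check before deployment which device the comparison described above would designate, and whether that is the device you intended, the criteria can be evaluated offline. The following Python sketch is an added example, not code from this manual or from the device software. It ranks clocks in the order of the fields in the Grandmaster frame and derives the clock identity from the MAC address as described for the Clock identity field of the Transparent Clock; the device names, MAC addresses and the clock class, accuracy and variance values are constructed sample values.

```python
from dataclasses import dataclass

CRITERIA = ("priority1", "clock_class", "clock_accuracy",
            "clock_variance", "priority2", "clock_identity")


def clock_identity(mac):
    """MAC address with the values ff and fe added between byte 3 and byte 4."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 6-byte MAC address: {mac!r}")
    return raw[:3] + b"\xff\xfe" + raw[3:]


@dataclass(frozen=True)
class Clock:
    name: str
    mac: str
    priority1: int = 128        # default setting of the Priority 1 field
    priority2: int = 128        # default setting of the Priority 2 field
    clock_class: int = 248      # constructed sample value
    clock_accuracy: int = 0xFE  # constructed sample value
    clock_variance: int = 0xFFFF  # constructed sample value

    def rank(self):
        """Comparison key: the lower value wins at the first differing field."""
        for value in (self.priority1, self.priority2):
            if not 0 <= value <= 255:
                raise ValueError(f"{self.name}: priority outside 0..255")
        return (self.priority1, self.clock_class, self.clock_accuracy,
                self.clock_variance, self.priority2, clock_identity(self.mac))


def elect_grandmaster(clocks):
    return min(clocks, key=Clock.rank)


def deciding_criterion(winner, other):
    """Name of the first criterion in which the two clocks differ."""
    for label, a, b in zip(CRITERIA, winner.rank(), other.rank()):
        if a != b:
            return label
    return None


def audit(clocks, intended):
    """List findings for a planned PTP domain; an empty list means no finding."""
    winner = elect_grandmaster(clocks)
    findings = []
    if winner.name != intended:
        findings.append(f"{winner.name} would become Grandmaster instead of {intended}")
    for other in clocks:
        if other is not winner and deciding_criterion(winner, other) == "clock_identity":
            # Nothing but the MAC address separates the two devices.
            findings.append(f"{winner.name} beats {other.name} only on clock identity")
    return findings


# Constructed sample domains (MAC addresses from the documentation range).
PLANNED = [Clock("gm-a", "00:00:5e:00:53:30", priority1=64),
           Clock("sw-b", "00:00:5e:00:53:10"),
           Clock("sw-c", "00:00:5e:00:53:20")]
DEFAULTS = [Clock("gm-a", "00:00:5e:00:53:30"),
            Clock("sw-b", "00:00:5e:00:53:10"),
            Clock("sw-c", "00:00:5e:00:53:20")]

if __name__ == "__main__":
    for label, domain in (("planned", PLANNED), ("defaults", DEFAULTS)):
        print(label, "->", elect_grandmaster(domain).name, audit(domain, "gm-a"))
```
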
Priority 1
Displays priority 1 for the device that is currently the reference time source (Grandmaster).
Clock class
Displays the class of the reference time source (Grandmaster). Parameter for the Best Master
Clock Algorithm.
Clock accuracy
Displays the estimated accuracy of the reference time source (Grandmaster). Parameter for the
Best Master Clock Algorithm.
Clock variance
Displays the variance of the reference time source (Grandmaster), also known as the Offset scaled
log variance. Parameter for the Best Master Clock Algorithm.
Priority 2
Displays priority 2 for the device that is currently the reference time source (Grandmaster).
Time source
Specifies the time source from which the local clock gets its time information.
Possible values:
atomicClock
gps
terrestrialRadio
ptp
ntp
handSet
other
internalOscillator (default setting)
Possible values:
-32768..32767 (2¹⁵-1)
Note: The default setting is the value valid on the creation date of the device software. For further
information, see the "Bulletin C" of the Earth Rotation and Reference Systems Service (IERS):
https://www.iers.org/IERS/EN/Publications/Bulletins/bulletins.html
Possible values:
marked
unmarked (default setting)
Time traceable
Displays if the device obtains the time from a primary UTC reference, for example from an NTP
server.
Possible values:
marked
unmarked
Frequency traceable
Displays if the device obtains the frequency from a primary UTC reference, for example from an
NTP server.
Possible values:
marked
unmarked
PTP timescale
Displays if the device uses the PTP time scale.
Possible values:
marked
unmarked
According to IEEE 1588, the PTP time scale is the TAI atomic time started on 01.01.1970.
In contrast to Universal Time Coordinated (UTC), TAI does not use leap seconds.
As of July 1, 2020, the TAI time is 37 s ahead of the Universal Time Coordinated (UTC).
Identities
Clock identity
Displays the identification number (UUID) of the device.
Grandmaster identity
Displays the identification number (UUID) of the reference time source (Grandmaster) device.
[ Time > PTP > Boundary Clock > Port ]
In this dialog you specify the Boundary Clock (BC) settings on each individual port.
The settings are effective when the local clock operates as the Boundary Clock (BC). For this, you
select in the Time > PTP > Global dialog in the PTP mode field the value v2-boundary-clock.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
PTP enable
Activates/deactivates PTP synchronization message transmission on the port.
Possible values:
marked (default setting)
The transmission is activated. The port forwards and receives PTP synchronization messages.
unmarked
The transmission is deactivated. The port blocks PTP synchronization messages.
PTP status
Displays the current status of the port.
Possible values:
initializing
Initialization phase
faulty
Faulty mode: error in the Precision Time Protocol (PTP).
disabled
PTP is disabled on the port.
listening
Device port is waiting for PTP synchronization messages.
pre-master
PTP pre-master mode
master
PTP master mode
passive
PTP passive mode
uncalibrated
PTP uncalibrated mode
slave
PTP slave mode
Network protocol
Specifies which protocol the port uses to transmit the PTP synchronization messages.
Possible values:
802.3 (default setting)
UDP/IPv4
Possible values:
1
2 (default setting)
4
8
16
Announce timeout
Specifies the number of announce intervals.
Example:
For the default setting (Announce interval [s] = 2 and Announce timeout = 3), the timeout is 3 × 2 s
= 6 s.
Possible values:
2..10 (default setting: 3)
Assign the same value to every device of a PTP domain.
Sync interval
Specifies the interval in seconds at which the port transmits PTP synchronization messages.
Possible values:
0.25
0.5
1 (default setting)
2
Delay mechanism
Specifies the mechanism with which the device measures the delay for transmitting the PTP
synchronization messages.
Possible values:
disabled
The measurement of the delay for the PTP synchronization messages for the connected PTP
devices is inactive.
P2P delay
Displays the measured Peer-to-Peer delay for the PTP synchronization messages.
The prerequisite is that in the Delay mechanism column the value p2p is specified.
The prerequisite is that in the Delay mechanism column the value p2p is specified for this port and
for the port of the remote device.
Possible values:
1 (default setting)
2
4
8
16
32
Possible values:
When the port is operating as the PTP master, the device assigns to the port the value 8.
When the port is operating as the PTP slave, the value is specified by the PTP master connected
to the port.
Asymmetry
Corrects the measured delay value corrupted by asymmetrical transmission paths.
Possible values:
-2000000000..2000000000 (default setting: 0)
The value is positive if the delay from the PTP master to the PTP slave is longer than in the opposite
direction.
VLAN
Specifies the VLAN ID that the device uses to tag the received PTP synchronization messages on
this port.
Possible values:
none (default setting)
The device transmits PTP synchronization messages without a VLAN tag.
0..4042
You specify VLANs that you have already set up in the device from the list.
VLAN priority
Specifies the priority with which the device transmits the PTP synchronization messages marked
with a VLAN ID (Layer 2, IEEE 802.1D).
Possible values:
0..7 (default setting: 6)
If you specified in the VLAN column the value none, then the device ignores the VLAN priority.
[ Time > PTP > Transparent Clock ]
With this menu you can set up the Transparent Clock mode for the local clock.
[ Time > PTP > Transparent Clock > Global ]
In this dialog you specify general, cross-port settings for the Transparent Clock mode for the local
clock. The Transparent Clock (TC) operates according to PTP version 2 (IEEE 1588-2008).
The settings are effective when the local clock operates as the Transparent Clock (TC). For this,
you select in the Time > PTP > Global dialog in the PTP mode field the value v2-transparent-clock.
Operation IEEE1588/PTPv2 TC
Delay mechanism
Specifies the mechanism with which the device measures the delay for transmitting the PTP
synchronization messages.
Possible values:
e2e (default setting)
As the PTP slave, the port measures the delay for the PTP synchronization messages to the PTP
master.
The device displays the measured value in the Time > PTP > Transparent Clock > Global dialog.
p2p
The device measures the delay for the PTP synchronization messages for every connected PTP
device, provided that the device supports P2P.
This mechanism spares the device from having to determine the delay again in the case of a
reconfiguration.
If you specify this value, then the value 802.3 is only available in the Network protocol field.
e2e-optimized
Like e2e, with the following special characteristics:
– The device transmits the delay requests of the PTP slaves only to the PTP master, even
though these requests are multicast messages. The device thus spares the other devices
from unnecessary multicast requests.
– If the master-slave topology changes, then the device relearns the port for the PTP master
as soon as it receives a synchronization message from another PTP master.
– If the device does not know a PTP master, then the device transmits delay requests to the
ports.
disabled
The delay measuring is disabled on the port. The device discards messages for the delay
measuring.
Primary domain
Assigns the device to a PTP domain.
Possible values:
0..255 (default setting: 0)
The device transmits time information from and to devices only in the same domain.
Network protocol
Specifies which protocol the port uses to transmit the PTP synchronization messages.
Possible values:
ieee8023 (default setting)
udpIpv4
Possible values:
marked
The device corrects PTP synchronization messages in every PTP domain.
unmarked (default setting)
The device corrects PTP synchronization messages only in the primary PTP domain. See the
Primary domain field.
VLAN ID
Specifies the VLAN ID with which the device marks the PTP synchronization messages on this port.
Possible values:
none (default setting)
The device transmits PTP synchronization messages without a VLAN tag.
0..4042
You specify VLANs that you have already set up in the device from the list.
VLAN priority
Specifies the priority with which the device transmits the PTP synchronization messages marked
with a VLAN ID (Layer 2, IEEE 802.1D).
Possible values:
0..7 (default setting: 6)
If you specified the value none in the VLAN ID field, then the device ignores the specified value.
Local synchronization
Syntonize
Activates/deactivates the frequency synchronization of the Transparent Clock with the PTP master.
Possible values:
marked (default setting)
The frequency synchronization is active.
The device synchronizes the frequency.
unmarked
The frequency synchronization is inactive.
The frequency remains constant.
Possible values:
marked
The synchronization is active.
The device synchronizes the local system time with the time received using PTP. The
prerequisite is that the Syntonize checkbox is marked.
unmarked (default setting)
The synchronization is inactive.
The local system time remains constant.
Current master
Displays the port identification number (UUID) of the directly superior master device on which the
device synchronizes its frequency.
Prerequisites:
• The Synchronize local clock function is enabled.
• In the Delay mechanism field, the value e2e is selected.
Status IEEE1588/PTPv2 TC
Clock identity
Displays the identification number (UUID) of the device.
The device identification number consists of the MAC address of the device, with the values ff and
fe added between byte 3 and byte 4.
[ Time > PTP > Transparent Clock > Port ]
In this dialog you specify the Transparent Clock (TC) settings on each individual port.
The settings are effective when the local clock operates as the Transparent Clock (TC). For this,
you select in the Time > PTP > Global dialog in the PTP mode field the value v2-transparent-clock.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
PTP enable
Activates/deactivates the transmitting of PTP synchronization messages on the port.
Possible values:
marked (default setting)
The transmitting is active.
The port forwards and receives PTP synchronization messages.
unmarked
The transmitting is inactive.
The port blocks PTP synchronization messages.
The prerequisite is that in the Time > PTP > Transparent Clock > Global dialog, Delay mechanism option
list, the radio button p2p is selected for this port and for the port of the remote device.
Possible values:
1 (default setting)
2
4
8
16
32
P2P delay
Displays the measured Peer-to-Peer delay for the PTP synchronization messages.
The prerequisite is that in the Time > PTP > Transparent Clock > Global dialog, Delay mechanism option
list, the radio button p2p is selected.
Asymmetry
Corrects the measured delay value corrupted by asymmetrical transmission paths.
Possible values:
-2000000000..2000000000 (2 × 10⁹) (default setting: 0)
The value is positive if the delay from the PTP master to the PTP slave is longer than in the opposite
direction.
2.4 802.1AS
[ Time > 802.1AS ]
The protocol 802.1AS is a procedure defined in IEEE 802.1AS-2011 that defines how to
synchronize time accurately between devices in the network. When you use the protocol 802.1AS
over the Ethernet, you can think of the protocol as a profile of IEEE 1588-2008.
With the Best Master Clock Algorithm, the devices in the network determine which device has the
most accurate time. The devices use the device with the most accurate time as the reference time
source (Grandmaster). Subsequently the participating devices synchronize themselves with this
reference time source.
[ Time > 802.1AS > Global ]
In this dialog you specify basic settings for the 802.1AS function.
Operation
Operation
Enables/disables the 802.1AS function.
Possible values:
On
The 802.1AS function is enabled.
The device synchronizes its clock using the 802.1AS function.
Consider activating the 802.1AS function on the individual ports.
Configuration
Priority 1
Specifies priority 1 for the device.
Possible values:
0..255 (default setting: 246)
The Best Master Clock Algorithm first evaluates priority 1 among the participating devices to
determine the reference time source (Grandmaster).
The lower you set this value, the more probable it is that the device is designated as the reference
time source (Grandmaster).
If you specify the value 255, then the device is not designated as the reference time source
(Grandmaster). See the Grandmaster frame.
Priority 2
Specifies priority 2 for the device.
Possible values:
0..255 (default setting: 248)
When the previously evaluated criteria are the same for multiple devices, the Best Master Clock
Algorithm evaluates priority 2 of the participating devices.
The lower you set this value, the more probable it is that the device is designated as the reference
time source (Grandmaster). See the Grandmaster frame.
Possible values:
0..999999999 (10⁹-1) (default setting: 30)
Possible values:
31..1000000000 (10⁹) (default setting: 5000)
Possible values:
marked
unmarked
Status
Is synchronized
Displays if the local clock is synchronized with the reference time source (Grandmaster).
If the measured time difference between the local clock and the reference time source
(Grandmaster) falls below the synchronization lower threshold value, then the local clock is
synchronized. This status is kept until the measured time difference exceeds the synchronization
upper threshold value.
Steps removed
Displays the number of communication paths passed through between the local clock of the device
and the reference time source (Grandmaster).
For an 802.1AS slave, the value 1 means that the clock is connected with the reference time source
(Grandmaster) directly through one communication path.
Clock identity
Displays the clock identification number of the device.
The device displays the identification number as byte sequences in hexadecimal notation.
The device identification number consists of the MAC address of the device, with the values ff and
fe added between byte 3 and byte 4.
Grandmaster
This frame displays the criteria that the Best Master Clock Algorithm uses when evaluating the
reference time source (Grandmaster).
The algorithm first evaluates priority 1 of the participating devices. The device with the lowest value
for priority 1 is designated as the reference time source (Grandmaster). When the value is the same
for multiple devices, the algorithm takes the next criterion, and when this is also the same, the
algorithm takes the next criterion after this one. When every value is the same for multiple devices,
the lowest value in the Clock identity field decides which device is designated as the reference time
source (Grandmaster).
The device lets you influence which device in the network is designated as the reference time
source (Grandmaster). To do this, modify the value in the Priority 1 field or the Priority 2 field in the
Configuration frame.
Priority 1
Displays priority 1 for the device that is currently the reference time source (Grandmaster).
Clock class
Displays the class of the reference time source (Grandmaster). Parameter for the Best Master
Clock Algorithm.
Clock accuracy
Displays the estimated accuracy of the reference time source (Grandmaster). Parameter for the
Best Master Clock Algorithm.
Clock variance
Displays the variance of the reference time source (Grandmaster), also known as the Offset scaled
log variance. Parameter for the Best Master Clock Algorithm.
Priority 2
Displays priority 2 for the device that is currently the reference time source (Grandmaster).
Clock identity
Displays the identification number of the reference time source (Grandmaster) device. The device
displays the identification number as byte sequences in hexadecimal notation.
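The selection order described in the Grandmaster frame, as an added Python example (not code from the device or from the manual). It assumes that the order in which the frame lists the fields is the evaluation order and that the lower value wins for every criterion; the device names, MAC addresses and the clock class, accuracy and variance values are constructed.

```python
from dataclasses import dataclass

# Criteria in the order the Grandmaster frame lists them (assumed to be the
# evaluation order); for every criterion the lower value wins.
CRITERIA = ("priority 1", "clock class", "clock accuracy",
            "clock variance", "priority 2", "clock identity")


def clock_identity_from_mac(mac):
    """MAC address with ff and fe inserted between byte 3 and byte 4."""
    octets = [int(part, 16) for part in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or any(o < 0 or o > 255 for o in octets):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join("%02x" % o for o in octets[:3] + [0xFF, 0xFE] + octets[3:])


@dataclass(frozen=True)
class Clock:
    name: str
    mac: str
    priority1: int = 246         # default setting of the Priority 1 field
    priority2: int = 248         # default setting of the Priority 2 field
    clock_class: int = 248       # constructed sample value
    clock_accuracy: int = 254    # constructed sample value
    clock_variance: int = 17258  # constructed sample value

    @property
    def identity(self):
        return clock_identity_from_mac(self.mac)

    def rank(self):
        """Comparison key: one entry per criterion, identity compared as bytes."""
        return (self.priority1, self.clock_class, self.clock_accuracy,
                self.clock_variance, self.priority2,
                bytes.fromhex(self.identity.replace(":", "")))


def elect_grandmaster(clocks):
    """Return the clock with the lowest rank; priority 1 = 255 never wins."""
    eligible = [c for c in clocks if c.priority1 != 255]
    return min(eligible, key=Clock.rank) if eligible else None


def deciding_criterion(winner, other):
    """Name the first criterion on which the two clocks differ."""
    for label, a, b in zip(CRITERIA, winner.rank(), other.rank()):
        if a != b:
            return label
    return None


def review_grandmaster(clocks, approved_identities):
    """Report the elected Grandmaster and whether its identity is approved."""
    gm = elect_grandmaster(clocks)
    if gm is None:
        return {"grandmaster": None, "approved": False, "decided_by": None}
    others = sorted((c for c in clocks if c is not gm and c.priority1 != 255),
                    key=Clock.rank)
    decided_by = deciding_criterion(gm, others[0]) if others else None
    return {"grandmaster": gm.name, "identity": gm.identity,
            "approved": gm.identity in approved_identities,
            "decided_by": decided_by}


# Constructed sample network (locally administered MAC addresses).
SW_A = Clock("sw-a", "02:00:00:00:00:10")
SW_B = Clock("sw-b", "02:00:00:00:00:0a")
SW_REF = Clock("sw-ref", "02:00:00:00:00:20", priority1=100)
UNEXPECTED = Clock("unknown", "02:00:00:00:00:99", priority1=0)
APPROVED = {SW_REF.identity}

if __name__ == "__main__":
    print(review_grandmaster([SW_A, SW_B], APPROVED))
    print(review_grandmaster([SW_A, SW_B, SW_REF], APPROVED))
    print(review_grandmaster([SW_A, SW_B, SW_REF, UNEXPECTED], APPROVED))
```

Comparing the Clock identity shown in the Grandmaster frame against a list of approved identities, as review_grandmaster does, reveals when a device outside that list has become the reference time source.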
Parent
Clock identity
Displays the port identification number of the directly superior master device. The device displays
the identification number as byte sequences in hexadecimal notation.
Port
Displays the port number of the directly superior master device.
In this dialog you specify the 802.1AS settings on each individual port.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Active
Activates/deactivates the 802.1AS function on the port.
Possible values:
marked (default setting)
The protocol is active on the port.
On the port, the device synchronizes its clock using the 802.1AS function.
unmarked
The protocol is inactive on the port.
Role
Displays the current role of the port, considering the 802.1AS function.
Possible values:
disabled
The port operates in the Disabled Port role. The port is not 802.1AS-capable.
master
The port operates in the Master Port role.
passive
The port operates in the Passive Port role.
slave
The port operates in the Slave Port role.
AS capable
Displays if the 802.1AS function is active on the port.
Possible values:
marked
The 802.1AS function is active on the port. The prerequisites are:
– The port measures a Peer delay, the checkbox in the Measuring delay column is marked.
– The value in the Peer delay [ns] column is lower than the value in the Peer delay threshold [ns]
column.
unmarked
The 802.1AS function is inactive on the port.
Possible values:
1..2 (default setting: 1)
Assign the same value to every device of an 802.1AS domain.
–
The port does not transmit Announce messages.
Announce timeout
Specifies the number of Announce interval [s] periods for which the port (in the Slave Port role) waits for
Announce messages.
When the number of intervals elapses without receiving an Announce message, the device tries to
find a new path to the reference time source using the Best Master Clock Algorithm. If the device
finds a reference time source (Grandmaster), then it assigns the Slave Port role to the port through
which the new path leads. Otherwise the device becomes the reference time source (Grandmaster)
and assigns the Master Port role to its ports.
Example: In the default setting (Announce interval [s] = 1, Announce timeout = 3), the
timeout is 3 × 1 s = 3 s.
Possible values:
2..10 (default setting: 3)
Assign the same value to each port that belongs to the same 802.1AS domain.
Possible values:
0.125 (default setting)
0.250
0.5
1
–
The port does not transmit Sync messages.
Sync timeout
Specifies the number of Sync interval [s] periods for which the port (in the Slave Port role) waits for Sync
messages.
When the number of intervals elapses without receiving a Sync message, the device tries to find
a new path to the reference time source using the Best Master Clock Algorithm. If the device finds
a reference time source (Grandmaster), then it assigns the Slave Port role to the port through which
the new path leads. Otherwise the device becomes the reference time source (Grandmaster) and
assigns the Master Port role to its ports.
Example: In the default setting (Sync interval [s] = 0.125, Sync timeout = 3), the timeout
is 3 × 0.125 s = 0.375 s.
Possible values:
2..10 (default setting: 3)
Assign the same value to each port that belongs to the same 802.1AS domain.
Possible values:
1 (default setting)
2
4
8
–
The port does not transmit Peer delay request messages.
When the number of intervals elapses without receiving a Delay response message, the device
assigns the Disabled Port role to the port. The port is no longer 802.1AS-capable.
Possible values:
2..10 (default setting: 3)
Possible values:
0..1000000000 (10⁹) (default setting: 10000)
Measuring delay
Displays if the port measures a Peer delay.
Possible values:
marked
The port measures a Peer delay. You find the measured value in the Peer delay [ns] column.
unmarked
The port does not measure a Peer delay.
This dialog displays information about the number of messages received, sent, or discarded on the
ports. The dialog also displays counters that increment every time a timeout event occurred.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Received messages
Displays the counters for messages received on the ports:
Sync messages
Displays the number of Sync messages.
Announce messages
Displays the number of Announce messages.
Discarded messages
Displays the number of Sync messages that the device discarded on this port. The device discards
a Sync message for example, in cases where the port does not receive a Sync follow-up message
for a corresponding Sync message.
Sync timeout
Displays the number of times that a Sync timeout event occurred on the port. See the Sync timeout
column in the Time > 802.1AS > Port dialog.
Announce timeout
Displays the number of times that an Announce timeout event occurred on this port. See the Announce
timeout column in the Time > 802.1AS > Port dialog.
Delay timeout
Displays the number of times that a Peer delay timeout event occurred on this port. See the Peer delay
timeout column in the Time > 802.1AS > Port dialog.
Transmitted messages
Displays the counters for messages transmitted on the ports:
Sync messages
Displays the number of Sync messages.
Announce messages
Displays the number of Announce messages.
3 Device Security
If users log in with valid login data, then the device lets them have access to its device
management.
In this dialog you manage the users of the local user management. You also specify the following
settings here:
• Settings for the login
• Settings for saving the passwords
• Specify policy for valid passwords
You specify the methods that the device uses for the authentication in the Device Security >
Authentication List dialog.
Configuration
Login attempts
Specifies the number of login attempts possible when the user accesses the device management
using the Graphical User Interface and the Command Line Interface.
Note: When you access the device management using the Command Line Interface through the serial
connection, the number of login attempts is unlimited.
Possible values:
0..5 (default setting: 0)
If the user makes one more unsuccessful login attempt, then the device locks access for the user.
The device lets only users with the administrator authorization remove the lock.
The value 0 deactivates the lock. The user has unlimited attempts to log in.
The device checks the password according to this setting, regardless of the setting for the Policy
check checkbox.
Possible values:
1..64 (default setting: 6)
Possible values:
0..60 (default setting: 0)
Password policy
This frame lets you specify the policy for valid passwords. The device checks every new password
and password change according to this policy.
The settings affect the Password column. The prerequisite is that the checkbox in the Policy check
column is marked.
Possible values:
0..16 (default setting: 1)
Possible values:
0..16 (default setting: 1)
Digits (min.)
The device accepts the password if it contains at least as many numbers as specified here.
Possible values:
0..16 (default setting: 1)
Possible values:
0..16 (default setting: 1)
Table
Every user requires an active user account to gain access to the device management. The table
lets you set up and manage user accounts. To change settings, click the desired parameter in the
table and modify the value.
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Remove
User name
Displays the name of the user account.
Active
Activates/deactivates the user account.
Possible values:
marked
The user account is active. The device accepts the login of a user with this user name.
unmarked (default setting)
The user account is inactive. The device rejects the login of a user with this user name.
When one user account exists with the access role administrator, this user account is constantly
active.
Password
Specifies the password that the user applies to access the device management using the Graphical
User Interface or Command Line Interface.
Displays ***** (asterisks) instead of the password with which the user logs in. To change the
password, click the relevant field.
When you specify the password for the first time, the device uses the same password in the SNMP
auth password and SNMP encryption password columns.
• The device lets you specify different passwords in the SNMP auth password and SNMP encryption
password columns.
• If you change the password in the current column, then the device also changes the passwords
for the SNMP auth password and SNMP encryption password columns, but only if they are not
individually specified previously.
Possible values:
Alphanumeric ASCII character string with 6..64 characters
The device accepts the following characters:
– a..z
– A..Z
– 0..9
– !#$%&'()*+,-./:;<=>?@[\]^_`{}~
The minimum length of the password is specified in the Configuration frame. The device
differentiates between upper and lower case.
If the checkbox in the Policy check column is marked, then the device checks the password
according to the policy specified in the Password policy frame.
The device constantly checks the minimum length of the password, even if the checkbox in the
Policy check column is unmarked.
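The two checks described for the Password column, as an added Python example (not the device's implementation): the length and character checks run in every case, the Password policy minimums only when Policy check is marked. Only Digits (min.) is named on this page; the upper-case, lower-case and special-character minimums, and applying the accepted-character list regardless of Policy check, are assumptions.

```python
import string
from dataclasses import dataclass

SPECIALS = "!#$%&'()*+,-./:;<=>?@[\\]^_`{}~"   # list from the Password column
ACCEPTED = set(string.ascii_letters + string.digits + SPECIALS)
MAX_LENGTH = 64


@dataclass
class PasswordPolicy:
    min_length: int = 6     # Configuration frame, checked in every case
    min_digits: int = 1     # Digits (min.)
    min_upper: int = 1      # assumed field: upper-case minimum
    min_lower: int = 1      # assumed field: lower-case minimum
    min_special: int = 1    # assumed field: special-character minimum


def check_password(password, policy=None, policy_check=True):
    """Return the reasons a password is refused (empty list = accepted)."""
    policy = policy or PasswordPolicy()
    reasons = []

    # Checks that do not depend on the Policy check checkbox.
    unknown = sorted(set(password) - ACCEPTED)
    if unknown:
        reasons.append("characters not accepted: " + " ".join(map(repr, unknown)))
    if len(password) > MAX_LENGTH:
        reasons.append("longer than %d characters" % MAX_LENGTH)
    if len(password) < policy.min_length:
        reasons.append("shorter than %d characters" % policy.min_length)

    # Checks from the Password policy frame, only with Policy check marked.
    if policy_check:
        required = [
            ("digits", string.digits, policy.min_digits),
            ("upper-case letters", string.ascii_uppercase, policy.min_upper),
            ("lower-case letters", string.ascii_lowercase, policy.min_lower),
            ("special characters", SPECIALS, policy.min_special),
        ]
        for kind, alphabet, needed in required:
            found = sum(1 for c in password if c in alphabet)
            if found < needed:
                reasons.append("fewer than %d %s" % (needed, kind))
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate, checked in [("secret", False), ("secret", True),
                               ("Str0ng#Pass", True), ('Pa55"word|', True)]:
        print(repr(candidate), "policy check:", checked,
              check_password(candidate, policy_check=checked) or "accepted")
```

With Policy check unmarked, which is the default, a six-letter lower-case password passes; the double quote, the vertical bar and the space are not in the accepted list.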
Role
Specifies the access role that regulates the access of the user to the individual functions of the
device.
Possible values:
unauthorized
The user is blocked, and the device rejects the user login.
Assign this value to temporarily lock the user account. If the device detects an error when
another access role is being assigned, then the device assigns this access role to the user
account.
guest (default setting)
The user is authorized to monitor the device.
auditor
The user is authorized to monitor the device and to save the log file in the Diagnostics > Report >
Audit Trail dialog.
operator
The user is authorized to monitor the device and to change the settings – with the exception of
security settings for device access.
administrator
The user is authorized to monitor the device and to change the settings.
The device assigns the Service Type transferred in the response of a RADIUS server as follows to
an access role:
• Administrative-User: administrator
• Login-User: operator
• NAS-Prompt-User: guest
User locked
Unlocks the user account.
Possible values:
marked
The user account is locked. The user has no access to the device management.
If the user makes too many unsuccessful login attempts, then the device automatically locks the
user.
unmarked (grayed out) (default setting)
The user account is unlocked. The user has access to the device management.
Policy check
Activates/deactivates the password check.
Possible values:
marked
The password check is activated.
When you set up or change the password, the device checks the password according to the
policy specified in the Password policy frame.
unmarked (default setting)
The password check is deactivated.
Possible values:
hmacmd5 (default value)
For this user account, the device uses protocol HMACMD5.
hmacsha
For this user account, the device uses protocol HMACSHA.
Displays ***** (asterisks) instead of the password with which the user logs in. To change the
password, click the relevant field.
By default, the device uses the same password that you specify in the Password column.
• For the current column, the device lets you specify a different password than in the Password
column.
• If you change the password in the Password column, then the device also changes the password
for the current column, but only if it is not individually specified.
Possible values:
Alphanumeric ASCII character string with 6..64 characters
The device accepts the following characters:
– a..z
– A..Z
– 0..9
– !#$%&'()*+,-./:;<=>?@[\]^_`{}~
Possible values:
none
No encryption.
des (default value)
DES encryption
aesCfb128
AES128 encryption
Displays ***** (asterisks) instead of the password with which the user logs in. To change the
password, click the relevant field.
By default, the device uses the same password that you specify in the Password column.
• For the current column, the device lets you specify a different password than in the Password
column.
• If you change the password in the Password column, then the device also changes the password
for the current column, but only if it is not individually specified.
Possible values:
Alphanumeric ASCII character string with 6..64 characters
The device accepts the following characters:
– a..z
– A..Z
– 0..9
– !#$%&'()*+,-./:;<=>?@[\]^_`{}~
In this dialog you manage the authentication lists. In an authentication list you specify which method
the device uses for the authentication. You also have the option to assign pre-defined applications
to the authentication lists.
If users log in with valid login data, then the device lets them have access to its device
management. The device authenticates the users using the following methods:
• User management of the device
• RADIUS
With the port-based access control according to IEEE 802.1X, if connected end devices log in with
valid login data, then the device lets them have access to the network. The device authenticates
the end devices using the following methods:
• RADIUS
• IAS (Integrated Authentication Server)
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Note: If the table does not contain a list, then the access to the device management is only possible
using the Command Line Interface through the serial interface of the device. In this case, the device
authenticates the user by using the local user management. See the Device Security > User
Management dialog.
Buttons
Add
Remove
Allocate applications
Opens the Allocate applications window. The window displays the applications that you can
designate to the selected list.
Click and select an entry to designate it to the currently selected list.
If an application is already designated to a different list, then the device designates it to the currently
selected list after you click the Ok button.
Click and deselect an entry to undo its designation to the currently selected list.
If you deselect the application WebInterface, then the connection to the device is lost, after you
click the Ok button.
Name
Displays the name of the list.
Policy 1
Policy 2
Policy 3
Policy 4
Policy 5
Specifies the authentication policy that the device uses for access using the application specified
in the Dedicated applications column.
The device gives you the option of a fall-back solution. For this, you specify another policy in each
of the policy fields. If the authentication with the specified policy is unsuccessful, then the device
can use the next policy, depending on the order of the values entered in each policy.
Possible values:
local (default setting)
The device authenticates the users by using the local user management. See the Device
Security > User Management dialog.
You cannot assign this value to the authentication list defaultDot1x8021AuthList.
radius
The device authenticates the users with a RADIUS server in the network. You specify the
RADIUS server in the Network Security > RADIUS > Authentication Server dialog.
reject
The device accepts or rejects the authentication depending on which policy you try first. The
following list contains authentication scenarios:
– If the first policy in the authentication list is local and the device accepts the login credentials
of the user, then it logs the user in without attempting the other policies.
– If the first policy in the authentication list is local and the device denies the login credentials
of the user, then it attempts to log the user in using the other policies in the order specified.
– If the first policy in the authentication list is radius and the device rejects a login, then the
login is immediately rejected without attempting to log in the user using another policy.
If there is no response from the RADIUS server, then the device attempts to authenticate the
user with the next policy.
– If the first policy in the authentication list is reject, then the device immediately rejects the
user login without attempting another policy.
– Verify that the authentication list defaultV24AuthList contains at least one policy different
from reject.
ias
The device authenticates the end devices logging in using 802.1X with the integrated
authentication server (IAS). The integrated authentication server manages the login data in a
separate database. See the Network Security > 802.1X > IAS dialog.
You can only assign this value to the authentication list defaultDot1x8021AuthList.
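The fall-back scenarios listed above for local, radius and reject, as an added Python simulation (not the device's code). The page describes the rules for the first policy in a list; applying the same rule at every position and denying the login when the list is exhausted are assumptions, and the user data is constructed.

```python
import hmac
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"            # the method confirmed the login data
    DENY = "deny"                # the method answered and refused the login
    NO_RESPONSE = "no response"  # for example, the RADIUS server did not answer


def evaluate(policies, methods, user, password):
    """Walk the policies of one authentication list in order.

    policies -- values of Policy 1..5, for example ["radius", "local"]
    methods  -- dict mapping "local"/"radius" to callable(user, password)
    Returns (granted, trace); trace lists each policy tried and its result.
    """
    trace = []
    for policy in policies:
        if policy == "reject":
            trace.append((policy, "rejected"))
            return False, trace
        outcome = methods[policy](user, password)
        trace.append((policy, outcome.value))
        if outcome is Outcome.ACCEPT:
            return True, trace
        if policy == "radius" and outcome is Outcome.DENY:
            return False, trace      # a RADIUS reject ends the attempt
        # local denied, or RADIUS did not respond: try the next policy
    return False, trace              # assumption: an exhausted list denies


# --- constructed stand-ins for the two methods -------------------------
LOCAL_USERS = {"admin": "Local-Pass1"}
RADIUS_USERS = {"alice": "Radius-Pass1"}


def check(db, user, password):
    stored = db.get(user)
    return stored is not None and hmac.compare_digest(
        stored.encode(), password.encode())


def local_method(user, password):
    return Outcome.ACCEPT if check(LOCAL_USERS, user, password) else Outcome.DENY


def radius_method(reachable):
    def method(user, password):
        if not reachable:
            return Outcome.NO_RESPONSE
        ok = check(RADIUS_USERS, user, password)
        return Outcome.ACCEPT if ok else Outcome.DENY
    return method


def login(policies, radius_reachable, user, password):
    methods = {"local": local_method, "radius": radius_method(radius_reachable)}
    return evaluate(policies, methods, user, password)


if __name__ == "__main__":
    cases = [
        (["local", "radius"], True, "alice", "Radius-Pass1"),
        (["radius", "local"], True, "admin", "Local-Pass1"),
        (["radius", "local"], False, "admin", "Local-Pass1"),
        (["local", "reject"], True, "admin", "wrong"),
    ]
    for policies, up, user, password in cases:
        granted, trace = login(policies, up, user, password)
        print(policies, "RADIUS up" if up else "RADIUS down", user, granted, trace)
```

With radius ahead of local, a local account is evaluated only while the RADIUS server does not respond, so the local passwords remain part of the access path and need the same care as the RADIUS credentials.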
Dedicated applications
Displays the dedicated applications. When users access the device with the relevant application,
the device uses the specified policies for the authentication.
To allocate another application to the list or remove the allocation, click the button. The device
lets you assign each application to exactly one list.
Active
Activates/deactivates the list.
Possible values:
marked (default setting)
The list is activated. The device uses the policies in this list when users access the device with
the relevant application.
unmarked
The list is deactivated.
3.3.1 Server
[ Device Security > Management Access > Server ]
This dialog lets you set up the server services which enable users or applications to access the
management of the device.
[Information]
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
SNMPv1
Displays if the server service is active or inactive, which authorizes access to the device using
SNMP version 1. See the SNMP tab.
Possible values:
marked
Server service is active.
unmarked
Server service is inactive.
SNMPv2
Displays if the server service is active or inactive, which authorizes access to the device using
SNMP version 2. See the SNMP tab.
Possible values:
marked
Server service is active.
unmarked
Server service is inactive.
SNMPv3
Displays if the server service is active or inactive, which authorizes access to the device using
SNMP version 3. See the SNMP tab.
Possible values:
marked
Server service is active.
unmarked
Server service is inactive.
Telnet server
Displays if the server service is active or inactive, which authorizes access to the device using
Telnet. See the Telnet tab.
Possible values:
marked
Server service is active.
unmarked
Server service is inactive.
SSH server
Displays if the server service is active or inactive, which authorizes access to the device using
Secure Shell (SSH). See the SSH tab.
Possible values:
marked
Server service is active.
unmarked
Server service is inactive.
HTTP server
Displays if the server service is active or inactive, which authorizes access to the device using the
Graphical User Interface through HTTP. See the HTTP tab.
Possible values:
marked
Server service is active.
unmarked
Server service is inactive.
HTTPS server
Displays if the server service is active or inactive, which authorizes access to the device using the
Graphical User Interface through HTTPS. See the HTTPS tab.
Possible values:
marked
Server service is active.
unmarked
Server service is inactive.
[SNMP]
This tab lets you specify settings for the SNMP agent of the device and to enable/disable access
to the device with different SNMP versions.
The SNMP agent enables access to the device management with SNMP-based applications.
Configuration
SNMPv1
Activates/deactivates the access to the device with SNMP version 1.
Possible values:
marked
SNMP version 1 access is active.
– You specify the community names in the Device Security > Management Access > SNMPv1/v2
Community dialog.
unmarked (default setting)
SNMP version 1 access is inactive.
SNMPv2
Activates/deactivates the access to the device with SNMP version 2.
Possible values:
marked
SNMP version 2 access is active.
– You specify the community names in the Device Security > Management Access > SNMPv1/v2
Community dialog.
unmarked (default setting)
SNMP version 2 access is inactive.
SNMPv3
Activates/deactivates the access to the device with SNMP version 3.
Possible values:
marked (default setting)
Access is activated.
unmarked
Access is deactivated.
Network management systems like Industrial HiVision use this protocol to communicate with the
device.
UDP port
Specifies the number of the UDP port on which the SNMP agent receives requests from clients.
Possible values:
1..65535 (2¹⁶-1) (default setting: 161)
Exception: Port 2222 is reserved for internal functions.
To enable the SNMP agent to use the new port after a change, you proceed as follows:
SNMPover802
Activates/deactivates the access to the device through SNMP over IEEE 802.
Possible values:
marked
Access is activated.
unmarked (default setting)
Access is deactivated.
[Telnet]
This tab lets you enable/disable the Telnet server in the device and specify its settings.
The Telnet server enables access to the device management remotely through the Command Line
Interface. Telnet connections are unencrypted.
Operation
Telnet server
Enables/disables the Telnet server.
Possible values:
On (default setting)
The Telnet server is enabled.
The access to the device management is possible through the Command Line Interface using
an unencrypted Telnet connection.
Off
The Telnet server is disabled.
Note: If the SSH server is disabled and you also disable the Telnet server, then the access to the
Command Line Interface is only possible through the serial interface of the device.
Configuration
TCP port
Specifies the number of the TCP port on which the device receives Telnet requests from clients.
Possible values:
1..65535 (2¹⁶-1) (default setting: 23)
Exception: Port 2222 is reserved for internal functions.
The server restarts automatically after the port is changed. Existing connections remain in place.
Connections
Displays how many Telnet connections are currently established to the device.
Connections (max.)
Specifies the maximum number of Telnet connections to the device that can be set up
simultaneously.
Possible values:
1..5 (default setting: 5)
A change in the value takes effect the next time a user logs in.
Possible values:
0
Deactivates the function. The connection remains established in the case of inactivity.
1..160 (default setting: 5)
[SSH]
This tab lets you enable/disable the SSH server in the device and specify its settings required for
SSH. The server works with SSH version 2.
The SSH server enables access to the device management remotely through the Command Line
Interface. SSH connections are encrypted.
The SSH server identifies itself to the clients using its public RSA key. When first setting up the
connection, the client program displays the fingerprint of this key to the user. The fingerprint contains
a Base64-coded character sequence that is easy to check. When you make this character
sequence available to the users through a reliable channel, they have the option to compare both
fingerprints. If the character sequences match, then the client is connected to the correct server.
The device lets you generate the private and public keys (host keys) required for RSA directly in
the device. As an alternative, copy your own host key in PEM format to the device.
As an alternative, the device lets you load the RSA key (host key) from an external memory during
the system startup. You activate this function in the Basic Settings > External Memory dialog, SSH key
auto upload column.
Operation
SSH server
Enables/disables the SSH server.
Possible values:
On (default setting)
The SSH server is enabled.
The access to the device management is possible through the Command Line Interface using
an encrypted SSH connection.
You can start the server only if there is an RSA signature in the device.
Off
The SSH server is disabled.
When you disable the SSH server, the existing connections remain established. However, the
device helps prevent new connections from being set up.
Note: If the Telnet server is disabled and you also disable the SSH server, then the access to the
Command Line Interface is only possible through the serial interface of the device.
Configuration
TCP port
Specifies the number of the TCP port on which the device receives SSH requests from clients.
Possible values:
1..65535 (2¹⁶-1) (default setting: 22)
Exception: Port 2222 is reserved for internal functions.
The server restarts automatically after the port is changed. Existing connections remain in place.
Sessions
Displays how many SSH connections are currently established to the device.
Sessions (max.)
Specifies the maximum number of SSH connections to the device that can be set up
simultaneously.
Possible values:
1..5 (default setting: 5)
A change in the value takes effect the next time a user logs in.
Possible values:
0
Deactivates the function. The connection remains established in the case of inactivity.
1..160 (default setting: 5)
Signature
RSA present
Displays if an RSA host key is present in the device.
Possible values:
marked
A key is present.
unmarked
No key is present.
Create
Generates a host key in the device. The prerequisite is that the SSH server is disabled.
To get the SSH server to use the generated host key, restart the SSH server.
As an alternative, copy your own host key in PEM format to the device. See the Key import frame.
Delete
Removes the host key from the device. The prerequisite is that the SSH server is disabled.
Oper status
Displays if the device currently generates a host key.
Possible values:
rsa
The device currently generates an RSA host key.
none
The device does not generate a host key.
Fingerprint
The fingerprint is an easy-to-verify string that uniquely identifies the host key of the SSH server.
After importing a new host key, the device continues to display the existing fingerprint until you
restart the server.
Fingerprint type
Specifies which fingerprint the RSA fingerprint field displays.
Possible values:
md5
The RSA fingerprint field displays the fingerprint as hexadecimal MD5 hash.
sha256 (default setting)
The RSA fingerprint field displays the fingerprint as Base64-coded SHA256 hash.
RSA fingerprint
Displays the fingerprint of the public host key of the SSH server.
When you change the settings in the Fingerprint type field, click afterwards the button and then
Key import
URL
Specifies the path and file name of your own RSA host key.
The device accepts the RSA key if it has the following key length:
• 2048 bit (RSA)
The device gives you the following options for copying the key to the device:
• Import from the PC
When the host key is located on your PC or on a network drive, drag and drop the file that
contains the key in the area. As an alternative, click in the area to select the file.
• Import from an FTP server
When the key is on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>[:port]/<file name>
Start
Copies the key specified in the URL field to the device.
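The two fingerprint types from the Fingerprint frame above, computed on the client side so that the value in the RSA fingerprint field can be compared before a connection is trusted. This is an added example, not part of the manual or the device software; the key line is constructed sample data, and because the manual does not state whether the field shows colons, padding or a prefix, the comparison normalises those (an assumption).

```python
"""Compare an SSH host key with the fingerprint shown by the device."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer (leading zero if top bit set)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_sample_key_line() -> str:
    """CONSTRUCTED sample: a 2048-bit number in ssh-rsa wire format, not a usable key."""
    modulus = int.from_bytes(hashlib.sha256(b"constructed sample").digest() * 8, "big")
    modulus |= (1 << 2047) | 1
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed-sample"


def _fields(blob: bytes) -> list:
    """Split a key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + size > len(blob):
            raise ValueError("truncated field body")
        fields.append(blob[pos:pos + size])
        pos += size
    return fields


def parse_public_key_line(line: str):
    """Return (key type, raw blob) from '<type> <base64> [comment]'."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    fields = _fields(blob)
    if not fields or fields[0] != parts[0].encode("ascii"):
        raise ValueError("key type inside the blob does not match the line prefix")
    return parts[0], blob


def rsa_modulus_bits(blob: bytes) -> int:
    """Modulus length of an ssh-rsa blob (fields: type, e, n)."""
    fields = _fields(blob)
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    return int.from_bytes(fields[2], "big").bit_length()


def fingerprint(blob: bytes, kind: str) -> str:
    """'sha256' -> unpadded Base64 of SHA-256; 'md5' -> colon-separated hex."""
    if kind == "sha256":
        return base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    if kind == "md5":
        digest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    raise ValueError("kind must be 'md5' or 'sha256'")


def _normalise(text: str, kind: str) -> str:
    """Drop an optional 'MD5:'/'SHA256:' prefix, colons (md5) and '=' padding."""
    text = text.strip()
    head, sep, rest = text.partition(":")
    if sep and head.upper() in ("MD5", "SHA256"):
        text = rest
    if kind == "md5":
        return text.replace(":", "").lower()
    return text.rstrip("=")


def matches(displayed: str, blob: bytes, kind: str) -> bool:
    """True if the value read from the device equals the key's fingerprint."""
    return _normalise(displayed, kind) == _normalise(fingerprint(blob, kind), kind)


SAMPLE_LINE = build_sample_key_line()

if __name__ == "__main__":
    key_type, key_blob = parse_public_key_line(SAMPLE_LINE)
    print(key_type, rsa_modulus_bits(key_blob), "bit")
    print("sha256:", fingerprint(key_blob, "sha256"))
    print("md5:   ", fingerprint(key_blob, "md5"))
```

In practice the key line comes from the client's known_hosts entry or from the public part of the host key you imported, and the displayed value is read from the device over a trusted path such as the serial interface.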
[HTTP]
This tab lets you enable/disable the Hypertext Transfer Protocol (HTTP) for the web server and
specify the settings required for HTTP.
The web server provides the Graphical User Interface through an unencrypted HTTP connection.
For security reasons, disable the Hypertext Transfer Protocol (HTTP) and use the Hypertext
Transfer Protocol Secure (HTTPS) instead.
Note: If you change the settings in this tab and click the button, then the device ends the
session and disconnects every opened connection. To continue working with the Graphical User
Interface, log in again.
Operation
HTTP server
Enables/disables the HTTP function for the web server.
Possible values:
On (default setting)
The HTTP function is enabled.
The access to the device management is possible through an unencrypted HTTP connection.
When the HTTPS function is also enabled, the device automatically redirects the request for a
HTTP connection to an encrypted HTTPS connection.
Off
The HTTP function is disabled.
When the HTTPS function is enabled, the access to the device management is possible through
an encrypted HTTPS connection.
Note: If the HTTP and HTTPS functions are disabled, then you can enable the HTTP function using
the Command Line Interface command http server to get to the Graphical User Interface.
Configuration
TCP port
Specifies the number of the TCP port on which the web server receives HTTP requests from clients.
Possible values:
1..65535 (2¹⁶-1) (default setting: 80)
Exception: Port 2222 is reserved for internal functions.
[HTTPS]
This tab lets you enable/disable the Hypertext Transfer Protocol Secure (HTTPS) for the web server
and specify the settings required for HTTPS.
The web server provides the Graphical User Interface through an encrypted HTTP connection.
A digital certificate is required for the encryption of the HTTP connection. The device lets you
generate this certificate yourself or load an existing certificate onto the device.
Note: If you change the settings in this tab and click the button, then the device ends the
session and disconnects every opened connection. To continue working with the Graphical User
Interface, log in again.
Operation
HTTPS server
Enables/disables the HTTPS function for the web server.
Possible values:
On (default setting)
The HTTPS function is enabled.
The access to the device management is possible through an encrypted HTTPS connection.
When there is no digital certificate present, the device generates a digital certificate before it
enables the HTTPS function.
Off
The HTTPS function is disabled.
When the HTTP function is enabled, the access to the device management is possible through
an unencrypted HTTP connection.
Note: If the HTTP and HTTPS functions are disabled, then you can enable the HTTPS function using
the Command Line Interface command https server to get to the Graphical User Interface.
Configuration
TCP port
Specifies the number of the TCP port on which the web server receives HTTPS requests from
clients.
Possible values:
1..65535 (2¹⁶-1) (default setting: 443)
Exception: Port 2222 is reserved for internal functions.
Certificate
If the device uses an HTTPS certificate not signed by a certification authority (CA) known to the
web browser, then the web browser may display a warning message before loading the Graphical
User Interface.
Present
Displays if the digital certificate is present in the device.
Possible values:
marked
The certificate is present.
unmarked
The certificate has been removed.
Create
Generates a digital certificate in the device.
To get the web server to use the newly generated certificate, restart the web server. Restarting the
web server is possible only through the Command Line Interface.
As an alternative, copy your own certificate to the device. See the Certificate import frame.
Delete
Deletes the digital certificate.
Oper status
Displays if the device currently generates or deletes a digital certificate.
Possible values:
none
The device currently does not generate or delete a certificate.
delete
The device currently deletes a certificate.
generate
The device currently generates a certificate.
Fingerprint
The fingerprint is an easily verified hexadecimal number sequence that uniquely identifies the
digital certificate of the HTTPS server.
After importing a new digital certificate, the device displays the current fingerprint until you restart
the server.
Fingerprint type
Specifies which fingerprint the Fingerprint field displays.
Possible values:
sha1
The Fingerprint field displays the SHA1 fingerprint of the certificate.
sha256 (default setting)
The Fingerprint field displays the SHA256 fingerprint of the certificate.
Fingerprint
Hexadecimal character sequence of the digital certificate used by the server.
When you change the settings in the Fingerprint type field, click afterwards the button and then
Certificate import
URL
Specifies the path and file name of the certificate.
• Base64-coded, enclosed by
– -----BEGIN PRIVATE KEY-----
and
-----END PRIVATE KEY-----
as well as
– -----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
• RSA key with 2048 bit length
The device gives you the following options for copying the certificate to the device:
• Import from the PC
When the certificate is located on your PC or on a network drive, drag and drop the certificate
onto the area. As an alternative, click in the area to select the certificate.
• Import from an FTP server
When the certificate is on an FTP server, specify the URL for the file in the following form:
ftp://<user>:<password>@<IP address>[:port]/<path>/<file name>
• Import from a TFTP server
When the certificate is on a TFTP server, specify the URL for the file in the following form:
tftp://<IP address>/<path>/<file name>
• Import from an SCP or SFTP server
When the certificate is on an SCP or SFTP server, specify the URL for the file in the following
form:
– scp:// or sftp://<IP address>[:port]/<path>/<file name>
Click the Start button to open the Credentials window. In this window, you enter the User name
and Password to log in to the server.
– scp:// or sftp://<user>:<password>@<IP address>[:port]/<path>/<file name>
Start
Copies the certificate specified in the URL field to the device.
This dialog lets you restrict access to the device management from a specific IP address range for
selected applications.
• If the function is disabled, then access to the device management is unrestricted. Everyone can
access the device management from any IP address using any application.
• If the function is enabled, then access is restricted. Everyone can access the device
management only under the following conditions:
– At least one rule is active.
and
– You access the device with a permitted application from a permitted IP address range
specified in the rule.
Operation
Operation
Enables/disables the IP Access Restriction function.
Possible values:
On
The IP Access Restriction function is enabled.
The access to the device management is restricted.
Note: Before you enable the function, verify that the table contains at least one active rule that
grants you access to the device management. Otherwise, access to the device management is only
possible using the Command Line Interface through the serial connection.
Table
You have the option of defining up to 16 table rows and activating them separately.
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Remove
Index
Displays the index number to which the table row relates. The device automatically assigns the
value when you add a table row.
When you delete a table row, this leaves a gap in the numbering. When you add a table row, the
device fills the first gap.
Possible values:
1..16
Address
Specifies the IP address of the network from which you allow the access to the device
management. You specify the network range in the Netmask column.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
Netmask
Specifies the range of the network specified in the Address column.
Possible values:
Valid netmask (default setting: 0.0.0.0)
Example: To restrict access from a single IP address, specify the value as 255.255.255.255.
HTTP
Activates/deactivates the HTTP access.
Possible values:
marked (default setting)
HTTP access is active. Access is possible from the adjacent IP address range.
unmarked
HTTP access is inactive.
HTTPS
Activates/deactivates the HTTPS access.
Possible values:
marked (default setting)
HTTPS access is active. Access is possible from the adjacent IP address range.
unmarked
HTTPS access is inactive.
SNMP
Activates/deactivates the SNMP access.
Possible values:
marked (default setting)
SNMP access is active. Access is possible from the adjacent IP address range.
unmarked
SNMP access is inactive.
Telnet
Activates/deactivates the Telnet access.
Possible values:
marked (default setting)
Telnet access is active. Access is possible from the adjacent IP address range.
unmarked
Telnet access is inactive.
SSH
Activates/deactivates the SSH access.
Possible values:
marked (default setting)
SSH access is active. Access is possible from the adjacent IP address range.
unmarked
SSH access is inactive.
IEC61850-MMS
Activates/deactivates the access to the MMS server.
Possible values:
marked (default setting)
IEC61850-MMS access is active. Access is possible from the adjacent IP address range.
unmarked
IEC61850-MMS access is inactive.
Modbus TCP
Activates/deactivates the access to the Modbus TCP server.
Possible values:
marked (default setting)
Modbus TCP access is active. Access is possible from the adjacent IP address range.
unmarked
Modbus TCP access is inactive.
EtherNet/IP
Activates/deactivates the access to the EtherNet/IP server.
Possible values:
marked (default setting)
EtherNet/IP access is active. Access is possible from the adjacent IP address range.
unmarked
EtherNet/IP access is inactive.
PROFINET
Activates/deactivates the access to the PROFINET server.
Possible values:
marked (default setting)
PROFINET access is active. Access is possible from the adjacent IP address range.
unmarked
PROFINET access is inactive.
Active
Activates/deactivates the table row.
Possible values:
marked (default setting)
The table row is active. The device restricts the access to the device management from the
specified IP address range for the selected applications.
unmarked
The table row is inactive. The device does not restrict access to the device management from
the specified IP address range for the selected applications.
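The rule semantics described above (function on, at least one active row, permitted application from a permitted address range) as a pre-check you can run against a planned table before enabling the function, so that the management station is not locked out. This is an added example, not part of the manual or the device software; the `Rule` class, the application names and the finding codes are hypothetical, all addresses are constructed samples, and matching a source address by masking it with the netmask is an assumption about how the device evaluates a row.

```python
"""Pre-check an IP Access Restriction rule table before enabling the function."""
import ipaddress
from dataclasses import dataclass

# Application columns of the table, in the order the manual lists them.
APPS = ("http", "https", "snmp", "telnet", "ssh",
        "iec61850-mms", "modbus-tcp", "ethernet-ip", "profinet")
MAX_ROWS = 16  # the manual allows up to 16 table rows


def prefix_length(netmask: str) -> int:
    """Convert a dotted netmask to a prefix length; reject non-contiguous masks."""
    inverted = int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"netmask {netmask} is not contiguous")
    return 32 - inverted.bit_length()


@dataclass(frozen=True)
class Rule:
    """One table row; the defaults mirror the documented default settings."""
    index: int
    address: str = "0.0.0.0"
    netmask: str = "0.0.0.0"
    apps: frozenset = frozenset(APPS)   # every application column marked
    active: bool = True

    def network(self) -> ipaddress.IPv4Network:
        # Assumption: a row matches when (source & netmask) == (address & netmask).
        return ipaddress.IPv4Network(
            f"{self.address}/{prefix_length(self.netmask)}", strict=False)


def is_permitted(enabled: bool, rules, source: str, app: str) -> bool:
    """Would a request from `source` using `app` reach the device management?"""
    if not enabled:
        return True  # function off: access is unrestricted
    src = ipaddress.IPv4Address(source)
    return any(r.active and app in r.apps and src in r.network() for r in rules)


def precheck(rules, admin_ip: str, admin_apps=("https", "ssh")):
    """Return findings as (code, detail) tuples; an empty list means no finding."""
    findings = []
    if len(rules) > MAX_ROWS:
        findings.append(("TOO_MANY_ROWS", len(rules)))
    if not any(r.active for r in rules):
        # Enabling now would leave only the serial Command Line Interface.
        findings.append(("NO_ACTIVE_RULE", None))
    for app in admin_apps:
        if not is_permitted(True, rules, admin_ip, app):
            findings.append(("LOCKOUT", app))
    for r in rules:
        if r.active and r.network().prefixlen == 0:
            # Address 0.0.0.0 with netmask 0.0.0.0 matches every IPv4 source.
            findings.append(("ANY_SOURCE", r.index))
    return findings


# CONSTRUCTED sample tables.
DEFAULT_TABLE = [Rule(1)]
HARDENED_TABLE = [
    Rule(1, "192.168.10.0", "255.255.255.0", frozenset({"https", "ssh"})),
    Rule(2, "10.1.1.5", "255.255.255.255", frozenset({"snmp"})),
    Rule(3, active=False),
]

if __name__ == "__main__":
    for name, table in (("default", DEFAULT_TABLE), ("hardened", HARDENED_TABLE)):
        print(name, precheck(table, "192.168.10.20"))
```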
3.3.3 Web
[ Device Security > Management Access > Web ]
In this dialog you specify settings for the Graphical User Interface.
Configuration
Possible values:
0..160 (default setting: 5)
The value 0 deactivates the function, and the user remains logged in when inactive.
In this dialog you specify settings for the Command Line Interface. For further information about the
Command Line Interface, see the “Command Line Interface” reference manual.
[Global]
This tab lets you change the prompt in the Command Line Interface and specify the automatic
closing of sessions through the serial interface when they have been inactive.
Configuration
Login prompt
Specifies the character string that the device displays in the Command Line Interface at the start of
every command line.
Possible values:
Alphanumeric ASCII character string with 0..128 characters
(0x20..0x7E) including space characters
Wildcards
– %d date
– %i IP address
– %m MAC address
– %p product name
– %t time
Default setting: (BRS)
Changes to this setting are immediately effective in the active Command Line Interface session.
Possible values:
0..160 (default setting: 5)
The value 0 deactivates the function, and the user remains logged in when inactive.
A change in the value takes effect the next time a user logs in.
For the Telnet server and the SSH server, you specify the timeout in the Device Security > Management
Access > Server dialog.
[Login banner]
In this tab you replace the start screen of the Command Line Interface with your own text.
In the default setting, the start screen displays information about the device, such as the software
version and the device settings. With the function in this tab, you deactivate this information and
replace it with an individually specified text.
To display your own text in the Command Line Interface and in the Graphical User Interface before
the login, you use the Device Security > Pre-login Banner dialog.
Operation
Operation
Enables/disables the Login banner function.
Possible values:
On
The Login banner function is enabled.
The device displays the text information specified in the Banner text field to the users that log in
with the Command Line Interface.
Off (default setting)
The Login banner function is disabled.
The start screen displays information about the device. The text information in the Banner text
field is kept.
Banner text
Banner text
Specifies the character string that the device displays in the Command Line Interface at the start of
every session.
Possible values:
Alphanumeric ASCII character string with 0..1024 characters
(0x20..0x7E) including space characters
<Tab>
<Line break>
In this dialog you specify the community name for SNMPv1/v2 applications.
Applications send requests using SNMPv1/v2 with a community name in the SNMP data packet
header. Depending on the community name (see Community column), the application gets
read-only authorization or read and write authorization.
You activate the access to the device using SNMPv1/v2 in the Device Security > Management
Access > Server dialog.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Community
Displays the authorization for SNMPv1/v2 applications to the device.
Possible values:
Write
For requests with the community name entered, the application receives read and write
authorization.
Read
For requests with the community name entered, the application receives read-only
authorization.
Name
Specifies the community name for the adjacent authorization.
Possible values:
Alphanumeric ASCII character string with 0..64 characters
private (default setting for read and write authorization)
public (default setting for read-only authorization)
This dialog lets you display a greeting or information text to users before they log in.
The users see this text in the login dialog of the Graphical User Interface and of the Command Line
Interface. Users logging in with SSH see the text - regardless of the client used - before or during
the login.
To display the text only in the Command Line Interface, use the settings in the Device Security >
Management Access > CLI dialog.
Operation
Operation
Enables/disables the Pre-login Banner function.
Using the Pre-login Banner function, the device displays a greeting or information text in the login
dialog of the Graphical User Interface and of the Command Line Interface.
Possible values:
On
The Pre-login Banner function is enabled.
The device displays the text specified in the Banner text field in the login dialog.
Off (default setting)
The Pre-login Banner function is disabled.
The device does not display a text in the login dialog. When you enter a text in the Banner text
field, the device saves this text.
Banner text
Banner text
Specifies information text that the device displays in the login dialog of the Graphical User Interface
and of the Command Line Interface.
Possible values:
Alphanumeric ASCII character string with 0..512 characters
(0x20..0x7E) including space characters
<Tab>
<Line break>
4 Network Security
This dialog displays an overview of the network security rules used in the device.
Overview
The top level displays:
• The ports to which a network security rule is assigned
• The VLANs to which a network security rule is assigned
Buttons
Displays a text field to search for a keyword. When you enter a character or string, the overview
displays only items related to this keyword.
Collapses the levels. The overview then displays only the first level of the items.
Expands the levels. The overview then displays every level of the items.
Expands the current item and displays the items of the next lower level.
Collapses the item and hides the items of the underlying levels.
The device lets you forward only data packets from desired senders on a port. When the Port
Security function is enabled, the device checks the VLAN ID and MAC address of the sender before
it forwards a data packet. The device discards data packets from undesired senders and logs this
event.
In this dialog, a Wizard window helps you associate the ports with the address of one or more
desired senders. In the device, these addresses are known as static entries. To view the specified
static addresses, select the relevant port and click the button.
To simplify the setup process, the device lets you record the address of the desired senders
automatically. The device “learns” the addresses by evaluating the received data packets. In the
device, these addresses are known as dynamic entries. When a user-defined upper limit has been
reached (Dynamic limit), the device stops the “learning” on the relevant port. The device forwards
only the data packets of the senders already registered on the port. When you adapt the upper limit
to the number of expected senders, you thus make MAC Flooding attacks more difficult.
Note: With the automatic recording of the dynamic entries, the device constantly discards the first
data packet from unknown senders. Using this first data packet, the device checks if the upper limit
has been reached. The device records the addresses until the upper limit is reached. Afterwards,
the device forwards data packets that it receives on the relevant port from this sender.
Operation
Operation
Enables/disables the Port Security function in the device.
Possible values:
On
The Port Security function is enabled.
The device checks the VLAN ID and the source MAC address before it forwards a data packet.
The device forwards a received data packet only if the VLAN and the source MAC address of
the data packet are desired on the relevant port. For this setting to take effect, you also activate
the Port Security function on the relevant ports.
Off (default setting)
The Port Security function is disabled.
The device forwards every received data packet without checking the source address.
Configuration
Auto-disable
Activates/deactivates the Auto-Disable function for Port Security in the device.
Possible values:
marked
The Auto-Disable function for Port Security is active.
Also mark the checkbox in the Auto-disable column for the relevant ports.
The device disables the port and optionally sends an SNMP trap when one of the following
events occurs:
– The device registers at least one address of a sender that is not desired on the port.
– The device registers more addresses than specified in the Dynamic limit column.
unmarked (default setting)
The Auto-Disable function for Port Security is inactive.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Wizard
Opens the Wizard window that helps you associate the ports with the address of one or more
desired senders. See “[Wizard: Port security]” on page 148.
Port
Displays the port number.
Active
Activates/deactivates the Port Security function on the port.
Possible values:
marked
The device checks every data packet received on the port and forwards it only if the source
address of the data packet is desired. Also enable the Port Security function in the Operation
frame.
unmarked (default setting)
The device forwards every data packet received on the port without checking the source
address.
Note: When you operate the device as an active participant within an MRP ring or HIPER Ring, we
recommend that you unmark the checkbox for the ring ports.
Note: When you operate the device as an active participant of a Ring/Network Coupling, we
recommend that you unmark the checkbox for the relevant coupling ports.
Auto-disable
Activates/deactivates the Auto-Disable function for Port Security on the port.
Possible values:
marked (default setting)
The Auto-Disable function is active on the port.
The device disables the port and optionally sends an SNMP trap when one of the following
events occurs:
– The device registers at least one address of a sender that is not desired on the port.
– The device registers more addresses than specified in the Dynamic limit column.
The Link status LED for the port flashes 3× per period. This restriction makes MAC Spoofing
attacks more difficult.
The prerequisite is that in the Configuration frame the Auto-disable checkbox is marked.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently disabled due
to the parameters being exceeded.
– After a waiting period, the Auto-Disable function enables the port again automatically. For this
you go to the Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the
relevant port in the Reset timer [s] column.
unmarked
The Auto-Disable function is inactive on the port.
Send trap
Activates/deactivates the sending of SNMP traps when the device discards a data packet from an
undesired sender on the port.
Possible values:
marked
The sending of SNMP traps is active. The prerequisite is that in the Diagnostics > Status
Configuration > Alarms (Traps) dialog the Alarms (Traps) function is enabled and at least one trap
destination is specified.
If the device discards data packets from a sender that is not desired on the port, then the device
sends an SNMP trap.
unmarked (default setting)
The sending of SNMP traps is inactive.
Possible values:
0..3600 (default setting: 0)
Dynamic limit
Specifies the upper limit for the number of automatically registered addresses (dynamic entries).
When the upper limit is reached, the device stops “learning” on this port.
If the port registers more addresses than specified here, then the Auto-Disable function disables the
port. The prerequisite is that you mark the checkbox in the Auto-disable column and the Auto-disable
checkbox in the Configuration frame.
Possible values:
0
No automatic registering of addresses on this port.
1..600 (default setting: 600)
Static limit
Specifies the upper limit for the number of addresses associated with the port using the Wizard
window (static entries).
Possible values:
0
No association possible between the port and a desired sender. Only specify this value if you
specify a value > 0 in the Dynamic limit column.
1..64 (default setting: 64)
Dynamic entries
Displays the number of addresses that the device has automatically registered.
Sent traps
Displays the number of discarded data packets on this port that caused the device to send an
SNMP trap.
The Wizard window helps you associate the ports with the address of one or more desired senders.
Note: The device saves the addresses associated with the port until you deactivate the Port Security
function on the relevant port or disable the Port Security function in the device.
After closing the Wizard window, click the button to save your settings.
Select port
Port
Specifies the port that you associate with the address of desired senders in the next step.
MAC addresses
Removes the entries in the lower part of the Wizard window. The device removes the respective
association between a port and the desired senders.
VLAN ID
Specifies the VLAN ID of the desired sender.
Possible values:
1..4042
MAC address
Specifies the MAC address of the desired sender.
Possible values:
Valid Unicast MAC address
Specify the value with a colon separator, for example 00:11:22:33:44:55.
Add
Adds a static entry based on the values specified in the VLAN ID and MAC address fields. As a result,
you find a new entry in the lower part of the Wizard window.
Static entry: When you click the icon, the device removes the static entry and the respective
association between the port and the desired senders.
Dynamic entry: When you click the icon, the icon changes to . The device converts the dynamic
entry to a static entry when you close the Wizard window. To undo this change, click the icon again
before you close the Wizard window.
4.3 802.1X
[ Network Security > 802.1X ]
With the port-based access control according to IEEE 802.1X, the device monitors the access to
the network from connected end devices. The device (authenticator) lets an end device (supplicant)
have access to the network if it logs in with valid login data. The authenticator and the end devices
communicate using the EAPoL (Extensible Authentication Protocol over LANs) authentication
protocol.
This dialog lets you specify basic settings for the port-based access control.
Operation
Operation
Enables/disables the 802.1X function.
Possible values:
On
The 802.1X function is enabled.
The device checks the access to the network from connected end devices.
The port-based access control is enabled.
Off (default setting)
The 802.1X function is disabled.
The port-based access control is disabled.
Configuration
VLAN assignment
Activates/deactivates the assigning of the relevant port to a VLAN. This function lets you provide
selected services to the connected end device in this VLAN.
Possible values:
marked
The assigning is active.
If the end device successfully authenticates itself, then the device assigns to the relevant port
the VLAN ID transferred by the RADIUS authentication server.
unmarked (default setting)
The assigning is inactive.
The relevant port is assigned to the VLAN specified in the Network Security > 802.1X > Port
Configuration dialog, Assigned VLAN ID column.
Possible values:
marked
The automatic VLAN creation is active.
The device sets up the VLAN if it does not exist.
unmarked (default setting)
The automatic VLAN creation is inactive.
If the assigned VLAN does not exist, then the port remains assigned to the original VLAN.
Monitor mode
Activates/deactivates the monitor mode.
Possible values:
marked
The monitor mode is active.
The device monitors the authentication and helps with diagnosing detected errors. If an end
device has not logged in successfully, then the device gives the end device access to the
network.
unmarked (default setting)
The monitor mode is inactive.
Information
The prerequisite is that in the Configuration frame the Monitor mode function is active.
Policy 1
Displays the method that the device currently uses to authenticate the end devices using the
protocol 802.1X.
You specify the method used in the Device Security > Authentication List dialog.
To authenticate the end devices through a RADIUS server, you assign the radius policy to the
8021x list.
To authenticate the end devices through the Integrated Authentication Server (IAS) you assign
the ias policy to the 8021x list.
This dialog lets you specify the access settings for every port.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Port control
Specifies how the device grants access to the network (Port control mode).
Possible values:
forceUnauthorized
The device blocks the access to the network. You use this setting if an end device is connected
to the port that does not receive access to the network.
auto
The device grants access to the network if the end device logged in successfully. You use this
setting if an end device is connected to the port that logs in at the authenticator.
Note: If other end devices are connected through the same port, then they get access to the
network without additional authentication.
Authentication state
Displays the current status of the authentication on the port (Controlled Port Status).
Possible values:
authorized
The end device is logged in successfully.
unauthorized
The end device is not logged in.
Assigned VLAN ID
Displays the VLAN that the authenticator assigned to the port. This value applies only on ports in
which the Port control column contains the value auto.
Possible values:
0..4042 (default setting: 0)
You find the VLAN that the authenticator assigned to the ports in the Network Security > 802.1X > Port
Clients dialog.
Reason
Displays the cause for the assignment of the VLAN. This value applies only on ports in which the
Port control column contains the value auto.
Possible values:
notAssigned (default setting)
radius
guestVlan
unauthenticatedVlan
You find the VLAN that the authenticator assigned to the ports for a supplicant in the Network
Security > 802.1X > Port Clients dialog.
Guest VLAN ID
Specifies the VLAN that the authenticator assigns to the port if the end device does not log in during
the time period specified in the Guest VLAN period column. This value applies only on ports in which
the Port control column contains the value auto.
This function lets you grant end devices, without IEEE 802.1X support, access to selected services
in the network.
Possible values:
0 (default setting)
The authenticator does not assign a Guest VLAN to the port.
1..4042
Note: The MAC authorized bypass function and the Guest VLAN ID function cannot be in use
simultaneously.
Unauthenticated VLAN ID
Specifies the VLAN that the authenticator assigns to the port if the end device does not log in
successfully. This value applies only on ports in which the Port control column contains the value
auto.
This function lets you grant end devices without valid login data access to selected services in the
network.
Possible values:
0..4042 (default setting: 0)
The effect of the value 0 is that the authenticator does not assign an Unauthenticated VLAN to the
port.
Periodic reauthentication
Activates/deactivates periodic reauthentication requests.
Possible values:
marked
The periodic reauthentication requests are active.
The device periodically requests the end device to log in again. You specify this time period in
the Reauthentication period [s] column.
If the authenticator assigned a Voice VLAN, Unauthenticated VLAN or Guest VLAN to the end
device, then this setting becomes ineffective.
unmarked (default setting)
The periodic reauthentication requests are inactive.
The device keeps the end device logged in.
Possible values:
1..65535 (2¹⁶-1) (default setting: 3600)
Possible values:
0..65535 (2¹⁶-1) (default setting: 60)
Possible values:
1..65535 (2¹⁶-1) (default setting: 30)
Possible values:
1..65535 (2¹⁶-1) (default setting: 30)
Possible values:
1..65535 (2¹⁶-1) (default setting: 30)
Requests (max.)
Specifies how many times the authenticator requests the end device to log in until the time specified
in the Supplicant timeout [s] column has elapsed. The device sends an EAP request/identity data
packet to the end device as often as specified here.
Possible values:
0..10 (default setting: 2)
The value in this column is the triple of the value specified in the Transmit period [s] column.
Status
Displays the current status of the Authenticator (Authenticator PAE state).
Possible values:
initialize
disconnected
connecting
authenticating
authenticated
aborting
held
forceAuth
forceUnauth
Possible values:
request
response
success
fail
timeout
idle
initialize
Initialize port
Activates/deactivates the port initialization to activate the access control on the port or reset it to its
initial state. Use this function only on ports in which the Port control column contains the value auto.
Possible values:
marked
The port initialization is active.
When the initialization is complete, the device changes the value to unmarked again.
unmarked (default setting)
The port initialization is inactive.
The device keeps the current port status.
Reauthenticate
Activates/deactivates the one-time reauthentication request.
Use this function only on ports in which the Port control column contains the value auto.
The device also lets you periodically request the end device to log in again. See the Periodic
reauthentication column.
Possible values:
marked
The one-time reauthentication request is active.
The device requests the end device to log in again. Afterwards, the device changes the value to
unmarked again.
unmarked (default setting)
The one-time reauthentication request is inactive.
The device keeps the end device logged in.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
User name
Displays the user name with which the end device logged in.
MAC address
Displays the MAC address of the end device.
Assigned VLAN ID
Displays the VLAN that the authenticator assigned to the port after the successful authentication of
the end device.
Possible values:
default
radius
unauthenticatedVlan
guestVlan
monitorVlan
invalid
The field only displays a valid value as long as the client is authenticated.
Session timeout
Displays the remaining time in seconds until the login of the end device expires. This value applies
only if the value auto is specified for the port in the Port control column of the Network Security >
802.1X > Port Configuration dialog.
The authentication server assigns the timeout period to the device through RADIUS. The value 0
means that the authentication server has not assigned a timeout.
Termination action
Displays the action performed by the device when the login has elapsed.
Possible values:
default
reauthenticate
This dialog displays which EAPOL data packets the end device has sent and received for the
authentication of the end devices.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Remove
Port
Displays the port number.
Received
Displays the total number of EAPOL data packets that the device received on the port.
Transmitted
Displays the total number of EAPOL data packets that the device sent on the port.
Start
Displays the number of EAPOL start data packets that the device received on the port.
Logoff
Displays the number of EAPOL logoff data packets that the device received on the port.
Response/ID
Displays the number of EAP response/identity data packets that the device received on the port.
Response
Displays the number of valid EAP response data packets that the device received on the port
(without EAP response/identity data packets).
Request/ID
Displays the number of EAP request/identity data packets that the device received on the port.
Request
Displays the number of valid EAP request data packets that the device received on the port (without
EAP request/identity data packets).
Invalid
Displays the number of EAPOL data packets with an unknown frame type that the device received
on the port.
Received error
Displays the number of EAPOL data packets with an invalid packet body length field that the device
received on the port.
Packet version
Displays the protocol version number of the EAPOL data packet that the device last received on
the port.
The value 00:00:00:00:00:00 means that the port has not received any EAPOL data packets yet.
The device registers the authentication process of the end devices that are connected to its ports.
This dialog displays the information recorded during the authentication.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Remove
Port
Displays the port number.
Time
Displays the time at which the authenticator authenticated the end device.
Present since
Displays since when this entry has been entered in the table.
MAC address
Displays the MAC address of the end device.
VLAN ID
Displays the ID of the VLAN that was assigned to the end device before the login.
Status
Displays the status of the authentication on the port.
Possible values:
success
The authentication was successful.
failure
The authentication did not succeed.
Access
Displays if the device grants the end device access to the network.
Possible values:
granted
The device grants the end device access to the network.
denied
The device denies the end device access to the network.
Assigned VLAN ID
Displays the ID of the VLAN that the authenticator assigned to the port.
VLAN type
Displays the type of the VLAN that the authenticator assigned to the port.
Possible values:
default
radius
unauthenticatedVlan
guestVlan
monitorVlan
notAssigned
Reason
Displays the reason for assigning the VLAN and the VLAN type.
The Integrated Authentication Server (IAS) lets you authenticate end devices using the protocol
802.1X. Compared to RADIUS, the IAS has a very limited range of functions. The authentication is
based only on the user name and the password.
In this dialog you manage the login data of the end devices. The device lets you set up to 100 sets
of login data.
To authenticate the end devices through the Integrated Authentication Server, assign the ias policy
to the 8021x list in the Device Security > Authentication List dialog.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Remove
User name
Displays the name of the user account on the end device.
Password
Specifies the password with which the user authenticates.
Possible values:
Alphanumeric ASCII character string with 0..64 characters
Active
Activates/deactivates the login data.
Possible values:
marked
The login data is active. An end device has the option of logging in with this login data using the
protocol 802.1X.
unmarked (default setting)
The login data is inactive.
4.4 RADIUS
[ Network Security > RADIUS ]
With its factory settings, the device authenticates users based on the local user management.
However, as the size of a network increases, it becomes more difficult to keep the login data of the
users consistent across the devices.
RADIUS (Remote Authentication Dial-In User Service) lets you authenticate and authorize the
users at a central point in the network. A RADIUS server performs the following tasks here:
• Authentication
The authentication server authenticates the users when the RADIUS client at the access point
forwards the login data of the users to the server.
• Authorization
The authentication server authorizes logged in users for selected services by assigning various
parameters for the relevant end device to the RADIUS client at the access point.
• Accounting
The accounting server records the traffic data that has occurred during the port authentication
according to IEEE 802.1X. This lets you subsequently determine which services the users have
used, and to what extent.
If you assign the radius policy to an application in the Device Security > Authentication List dialog,
then the device operates in the role of the RADIUS client. The device forwards the login data of the
users to the primary authentication server. The authentication server decides if the login data is
valid and transfers the authorizations of the users to the device.
The device assigns the Service Type transferred in the response of a RADIUS server as follows to
an access role existing in the device:
• Administrative-User: administrator
• Login-User: operator
• NAS-Prompt-User: guest
The device also lets you authenticate end devices with IEEE 802.1X through an authentication
server. To do this, you assign the radius policy to the 8021x list in the Device Security >
Authentication List dialog.
RADIUS configuration
Buttons
Reset
Deletes the statistics in the Network Security > RADIUS > Authentication Statistics dialog and in the
Network Security > RADIUS > Accounting Statistics dialog.
Retransmits (max.)
Specifies how many times the device retransmits an unanswered request to the authentication
server before the device sends the request to an alternative authentication server.
Possible values:
1..15 (default setting: 4)
Timeout [s]
Specifies how many seconds the device waits for a response after a request to an authentication
server before it retransmits the request.
Possible values:
1..30 (default setting: 5)
Accounting
Activates/deactivates the accounting.
Possible values:
marked
Accounting is active.
The device sends the traffic data to an accounting server specified in the Network Security >
RADIUS > Accounting Server dialog.
unmarked (default setting)
Accounting is inactive.
Note: The device only includes the attribute 4 if the packet was triggered by the 802.1X
authentication request of an end device (supplicant).
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
In many cases, there is a firewall between the device and the authentication server. The Network
Address Translation (NAT) in the firewall changes the original IP address, and the authentication
server receives the translated IP address of the device.
The device transfers the IP address in this field unchanged across the Network Address Translation
(NAT).
This dialog lets you specify up to 8 authentication servers. An authentication server authenticates
and authorizes the users when the device forwards the login data to the server.
The device sends the login data to the specified primary authentication server. When the server
does not respond, the device contacts the specified authentication server that is highest in the
table. When no response comes from this server either, the device contacts the next server in the
table.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Remove
Index
Displays the index number to which the table row relates. You specify the index number when you
add a table row.
Name
Displays the name of the server. To change the value, click the relevant field.
Possible values:
Alphanumeric ASCII character string with 1..32 characters
(default setting: Default-RADIUS-Server)
You can specify the same name for several servers. When several servers have the same
name, the setting in the Primary server column applies.
IP address
Specifies the IP address of the server.
Possible values:
Valid IPv4 address
Possible values:
0..65535 (2¹⁶-1) (default setting: 1812)
Exception: Port 2222 is reserved for internal functions.
Secret
Displays ****** (asterisks) when you specify a password with which the device logs in to the server.
To change the password, click the relevant field.
Possible values:
Alphanumeric ASCII character string with 1..64 characters
You get the password from the administrator of the authentication server.
Primary server
Specifies the authentication server as primary or secondary.
Possible values:
marked
The server is specified as the primary authentication server. The device sends the login data for
authenticating the users to this authentication server.
This setting applies only if more than one server in the table has the same value in the Name
column.
unmarked (default setting)
The server is the secondary authentication server. When the device does not receive a
response from the primary authentication server, the device sends the login data to the
secondary authentication server.
Active
Activates/deactivates the connection to the server.
The device uses the server if you specify the value radius in one of the columns Policy 1 to
Policy 5 in the Device Security > Authentication List dialog.
Possible values:
marked (default setting)
The connection is active. The device sends the login data for authenticating the users to this
server if the preconditions named above are fulfilled.
unmarked
The connection is inactive. The device does not send any login data to this server.
This dialog lets you specify up to 8 accounting servers. An accounting server records the traffic data
that has occurred during the port authentication according to IEEE 802.1X. The prerequisite is that
the Accounting function is active in the Network Security > RADIUS > Global dialog.
The device sends the traffic data to the first accounting server that can be reached. When the
accounting server does not respond, the device contacts the next server in the table.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Remove
Index
Displays the index number to which the table row relates. You specify the index number when you
add a table row.
Possible values:
1..8
Name
Displays the name of the server.
Possible values:
Alphanumeric ASCII character string with 1..32 characters
(default setting: Default-RADIUS-Server)
IP address
Specifies the IP address of the server.
Possible values:
Valid IPv4 address
Possible values:
0..65535 (2¹⁶-1) (default setting: 1813)
Exception: Port 2222 is reserved for internal functions.
Secret
Displays ****** (asterisks) when you specify a password with which the device logs in to the server.
To change the password, click the relevant field.
Possible values:
Alphanumeric ASCII character string with 1..16 characters
You get the password from the administrator of the authentication server.
Active
Activates/deactivates the connection to the server.
Possible values:
marked (default setting)
The connection is active. The device sends traffic data to this server if the preconditions named
above are fulfilled.
unmarked
The connection is inactive. The device does not send any traffic data to this server.
This dialog displays information about the communication between the device and the
authentication server. The table displays the information for each server in a separate table row.
To delete the statistic, click the button in the Network Security > RADIUS > Global dialog.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Name
Displays the name of the server.
IP address
Displays the IP address of the server.
Access requests
Displays the number of access data packets that the device sent to the server. This value does not
take repetitions into account.
Access accepts
Displays the number of access accept data packets that the device received from the server.
Access rejects
Displays the number of access reject data packets that the device received from the server.
Access challenges
Displays the number of access challenge data packets that the device received from the server.
Bad authenticators
Displays the number of access response data packets with an invalid authenticator that the device
received from the server.
Pending requests
Displays the number of access request data packets that the device sent to the server to which it
has not yet received a response from the server.
Timeouts
Displays how many times the device received no response from the server before the specified
waiting time elapsed.
Unknown types
Displays the number of data packets with an unknown data type that the device received from the
server on the authentication port.
Packets dropped
Displays the number of data packets that the device received from the server on the authentication
port and then discarded.
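The following Python sketch is an added example, not code from the device or from Hirschmann. It shows the check behind the Bad authenticators counter, using the Response Authenticator calculation from RFC 2865, and then applies the Service Type to access role mapping listed in this chapter. The function names, the shared secret and the packets are constructed for the example.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
SERVICE_TYPE_ATTR = 6
# Service-Type values (RFC 2865) mapped to the access roles listed in this chapter:
# Administrative-User (6), Login-User (1), NAS-Prompt-User (7).
ROLE_BY_SERVICE_TYPE = {6: "administrator", 1: "operator", 7: "guest"}


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Server side: assemble a reply packet (used here to construct sample input)."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs; raise on bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def classify_response(raw, request_auth, secret):
    """Return (outcome, role) for a reply to the request that used request_auth.

    Matching the Identifier against a pending request is left out of this sketch.
    """
    if len(raw) < 20:
        return "malformed", None
    code, ident, length = struct.unpack_from("!BBH", raw)
    if not 20 <= length <= len(raw):
        return "malformed", None
    body = raw[20:length]  # octets beyond Length are padding and are ignored
    try:
        attrs = parse_attributes(body)
    except ValueError:
        return "malformed", None
    expected = response_authenticator(code, ident, body, request_auth, secret)
    if not hmac.compare_digest(expected, raw[4:20]):
        return "bad-authenticator", None  # wrong secret or modified packet
    if code == ACCESS_REJECT:
        return "reject", None
    if code == ACCESS_CHALLENGE:
        return "challenge", None
    if code != ACCESS_ACCEPT:
        return "unknown-type", None
    role = None
    for attr_type, value in attrs:
        if attr_type == SERVICE_TYPE_ATTR and len(value) == 4:
            role = ROLE_BY_SERVICE_TYPE.get(struct.unpack("!I", value)[0])
    return "accept", role


# Constructed sample input: secret, request authenticator and packets are made up.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
ADMIN_ATTR = struct.pack("!BBI", SERVICE_TYPE_ATTR, 6, 6)
OPERATOR_ATTR = struct.pack("!BBI", SERVICE_TYPE_ATTR, 6, 1)
GOOD = build_response(ACCESS_ACCEPT, 42, ADMIN_ATTR, REQUEST_AUTH, SECRET)
FORGED = build_response(ACCESS_ACCEPT, 42, ADMIN_ATTR, REQUEST_AUTH, b"wrong-secret")
# An operator reply whose Service-Type was changed in transit to Administrative-User.
TAMPERED = build_response(ACCESS_ACCEPT, 42, OPERATOR_ATTR, REQUEST_AUTH, SECRET)[:-1] + b"\x06"

if __name__ == "__main__":
    for name, packet in (("good", GOOD), ("forged", FORGED), ("tampered", TAMPERED)):
        print(name, classify_response(packet, REQUEST_AUTH, SECRET))
```

A steadily rising Bad authenticators value usually points to a mismatched Secret between the device and the server, or to replies that were altered on the path.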
This dialog displays information about the communication between the device and the accounting
server. The table displays the information for each server in a separate table row.
To delete the statistic, click the button in the Network Security > RADIUS > Global dialog.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Name
Displays the name of the server.
IP address
Displays the IP address of the server.
Accounting requests
Displays the number of accounting request data packets that the device sent to the server. This
value does not take repetitions into account.
Received packets
Displays the number of accounting response data packets that the device received from the server.
Malformed packets
Displays the number of malformed accounting response data packets that the device received from
the server (including data packets with an invalid length).
Bad authenticators
Displays the number of accounting response data packets with an invalid authenticator that the
device received from the server.
Pending requests
Displays the number of accounting request data packets that the device sent to the server to which
it has not yet received a response from the server.
Timeouts
Displays how many times the device received no response from the server before the specified
waiting time elapsed.
Unknown types
Displays the number of data packets with an unknown data type that the device received from the
server on the accounting port.
Packets dropped
Displays the number of data packets that the device received from the server on the accounting
port and then discarded.
4.5 DoS
[ Network Security > DoS ]
Denial of Service (DoS) is a cyberattack that aims to make certain services or devices unusable. In
this dialog you can set up several filters to help protect the device itself and other devices in the
network from DoS attacks.
In this dialog you specify the DoS settings for the TCP/UDP, IP and ICMP protocols.
Note: We recommend activating the filters to increase the level of security of the device.
TCP/UDP
A scanner uses port scans to prepare network attacks. The scanner uses different techniques to
determine running devices and open ports. This frame lets you activate filters for specific scanning
techniques.
The device detects and discards incoming TCP packets with the following properties:
• No TCP flags are set.
• The TCP sequence number is 0.
Possible values:
marked
The filter is active.
unmarked (default setting)
The filter is inactive.
Xmas filter
Activates/deactivates the Xmas filter.
The device detects and discards incoming TCP packets with the following properties:
• The TCP flags FIN, URG and PSH are simultaneously set.
• The TCP sequence number is 0.
Possible values:
marked
The filter is active.
unmarked (default setting)
The filter is inactive.
SYN/FIN filter
Activates/deactivates the SYN/FIN filter.
The device detects incoming data packets with the TCP flags SYN and FIN set simultaneously and
discards them.
Possible values:
marked
The filter is active.
unmarked (default setting)
The filter is inactive.
The TCP Offset protection detects incoming TCP data packets whose fragment offset field of the
IP header is equal to 1 and discards them.
The TCP Offset protection accepts UDP and ICMP packets whose fragment offset field of the IP
header is equal to 1.
Possible values:
marked
The protection is active.
unmarked (default setting)
The protection is inactive.
The TCP SYN protection detects incoming data packets with the TCP flag SYN set and a L4 source
port <1024 and discards them.
Possible values:
marked
The protection is active.
unmarked (default setting)
The protection is inactive.
L4 Port protection
Activates/deactivates the L4 Port protection.
The L4 Port protection detects incoming TCP and UDP data packets whose source port number
and destination port number are identical and discards them.
Possible values:
marked
The protection is active.
unmarked (default setting)
The protection is inactive.
IP
Possible values:
marked
The filter is active. The device discards data packets whose source and destination addresses
are identical.
unmarked (default setting)
The filter is inactive.
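The following Python sketch is an added example, not code from the device or from Hirschmann. It parses a raw IPv4 packet and reports which of the TCP/UDP and IP filter conditions described above the packet meets, which is useful for checking test traffic against the documented rules. The label strings, helper names and sample packets are chosen for the example, and the Xmas check is read here as "FIN, URG and PSH all set, other flags ignored".

```python
import ipaddress
import struct

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20
TCP, UDP = 6, 17


def parse_ipv4(raw):
    """Extract the header fields the filters look at from a raw IPv4 packet."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IPv4 header length")
    frag_offset = struct.unpack_from("!H", raw, 6)[0] & 0x1FFF
    pkt = {
        "proto": raw[9],
        "frag_offset": frag_offset,
        "src": ipaddress.IPv4Address(raw[12:16]),
        "dst": ipaddress.IPv4Address(raw[16:20]),
    }
    l4 = raw[ihl:]
    # Only a packet with fragment offset 0 starts with a Layer 4 header.
    if frag_offset == 0 and pkt["proto"] == TCP and len(l4) >= 20:
        pkt["sport"], pkt["dport"], pkt["seq"] = struct.unpack_from("!HHI", l4)
        pkt["flags"] = l4[13] & 0x3F
    elif frag_offset == 0 and pkt["proto"] == UDP and len(l4) >= 8:
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", l4)
    return pkt


def matching_filters(raw):
    """Return labels of the filters whose documented condition the packet meets."""
    p = parse_ipv4(raw)
    hits = []
    flags = p.get("flags")
    if flags is not None:
        if flags == 0 and p["seq"] == 0:
            hits.append("no-flags")        # no TCP flags set, sequence number 0
        if flags & (FIN | URG | PSH) == (FIN | URG | PSH) and p["seq"] == 0:
            hits.append("xmas")            # FIN, URG and PSH set, sequence number 0
        if flags & SYN and flags & FIN:
            hits.append("syn-fin")         # SYN and FIN set simultaneously
        if flags & SYN and p["sport"] < 1024:
            hits.append("tcp-syn")         # SYN set and L4 source port < 1024
    if p["proto"] == TCP and p["frag_offset"] == 1:
        hits.append("tcp-offset")          # TCP only; UDP and ICMP are accepted
    if "sport" in p and p["sport"] == p["dport"]:
        hits.append("l4-port")             # identical source and destination port
    if p["src"] == p["dst"]:
        hits.append("same-ip")             # identical source and destination address
    return hits


# Helpers that construct sample input. Checksums are left at 0 and not validated.
def build(proto, src, dst, l4=b"", frag_offset=0):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag_offset,
                         64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + l4


def tcp(sport, dport, seq, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 1024, 0, 0)


def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


if __name__ == "__main__":
    a, b = "192.0.2.10", "198.51.100.20"  # documentation address ranges
    samples = {
        "xmas": build(TCP, a, b, tcp(40000, 80, 0, FIN | URG | PSH)),
        "syn+fin from low port": build(TCP, a, b, tcp(80, 50000, 9, SYN | FIN)),
        "udp fragment offset 1": build(UDP, a, b, b"\x00" * 8, frag_offset=1),
        "ordinary syn": build(TCP, a, b, tcp(40000, 443, 12345, SYN)),
    }
    for name, raw in samples.items():
        print(f"{name}: {matching_filters(raw) or 'no filter matches'}")
```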
ICMP
This dialog provides you with filter options for the following ICMP parameters:
• Fragmented data packets
• ICMP packets from a specific size upwards
• Broadcast pings
Possible values:
marked
The filter is active.
unmarked (default setting)
The filter is inactive.
The filter detects ICMP packets whose payload size exceeds the size specified in the Allowed
payload size [byte] field and discards them.
Possible values:
marked
The filter is active.
unmarked (default setting)
The filter is inactive.
Mark the Packet size filter checkbox if you want the device to discard incoming data packets whose
payload size exceeds the maximum allowed size for ICMP packets.
Possible values:
0..1472 (default setting: 512)
Possible values:
marked
The filter is active.
The device detects Broadcast Pings and drops them.
unmarked (default setting)
The filter is inactive.
Information
Packets dropped
Displays the number of data packets that the device has discarded.
4.6 ACL
[ Network Security > ACL ]
In this menu, you specify the settings for the Access Control Lists (ACL). Access Control Lists
contain rules which the device applies successively to the data stream on its ports or VLANs.
If a data packet matches the criteria of one or more rules, then the device applies the action
specified in the first rule that matches to the data stream. The device ignores the rules that follow
the first rule that matches. Possible actions include:
• permit: The device forwards the data packet to a port or to a VLAN.
• deny: The device drops the data packet.
In the default setting, the device forwards every data packet. Once you assign an Access Control
List to a port or VLAN, then this behavior changes. The device enters at the end of an Access
Control List an implicit Deny-All rule. Consequently, the device discards data packets that do not
match the criteria of any rules. If you want a different behavior, then add a Permit-All rule at the end
of your Access Control Lists.
In this dialog you specify the rules that the device applies to the IP data packets.
An Access Control List (group) contains one or more rules. The device applies the rules of an
Access Control List successively, beginning with the rule with the lowest value in the Index column.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Remove
Group name
Displays the name of the Access Control List. The Access Control List contains the rules.
Index
Displays the number of the rule within the Access Control List. You specify the index number when
you add a table row.
If the Access Control List contains multiple rules, then the device processes the rule with the lowest
value first.
Possible values:
marked (default setting)
The device applies the rule to every IP data packet.
unmarked
The device applies the rule to IP data packets depending on the value in the following fields:
– Source IP address, Destination IP address, Protocol
– DSCP, TOS priority, TOS mask
– Packet fragmented
Source IP address
Specifies the source address of the IP data packets to which the device applies the rule.
Possible values:
?.?.?.? (default setting)
The device applies the rule to IP data packets with any source address.
Valid IPv4 address
The device applies the rule to IP data packets with the specified source address.
You use the ? character as a wild card.
Example 192.?.?.32: The device applies the rule to IP data packets whose source address
begins with 192. and ends with .32.
Valid IPv4 address/bit mask
The device applies the rule to IP data packets with the specified source address. The inverse
bit mask lets you specify the address range with bit-level accuracy.
Example 192.168.1.0/0.0.0.127: The device applies the rule to IP data packets with a source
address in the range from 192.168.1.0 to ….127.
Destination IP address
Specifies the destination address of the IP data packets to which the device applies the rule.
Possible values:
?.?.?.? (default setting)
The device applies the rule to IP data packets with any destination address.
Valid IPv4 address
The device applies the rule to data packets with the specified destination address.
You use the ? character as a wild card.
Example 192.?.?.32: The device applies the rule to IP data packets whose destination address
begins with 192. and ends with .32.
Valid IPv4 address/bit mask
The device applies the rule to data packets with the specified destination address. The inverse
bit mask lets you specify the address range with bit-level accuracy.
Example 192.168.1.0/0.0.0.127: The device applies the rule to IP data packets with a
destination address in the range from 192.168.1.0 to ….127.
Protocol
Specifies the IP protocol or Layer 4 protocol type of the data packets to which the device applies
the rule. The device applies the rule only to data packets that contain the specified value in the
Protocol field.
Possible values:
any (default setting)
The device applies the rule to every IP data packet without evaluating the protocol type.
icmp
Internet Control Message Protocol (RFC 792)
igmp
Internet Group Management Protocol
ip-in-ip
IP in IP tunneling (RFC 2003)
tcp
Transmission Control Protocol (RFC 793)
udp
User Datagram Protocol (RFC 768)
ip
Internet Protocol
Possible values:
any (default setting)
The device applies the rule to every IP data packet without evaluating the source port.
1..65535 (2¹⁶-1)
The device applies the rule only to IP data packets containing the specified source port.
Possible values:
any (default setting)
The device applies the rule to every IP data packet without evaluating the destination port.
1..65535 (2¹⁶-1)
The device applies the rule only to IP data packets containing the specified destination port.
Action
Specifies how the device processes received IP data packets when the device applies the rule.
Possible values:
permit (default setting)
The device forwards the IP data packets.
deny
The device drops the IP data packets.
Log
Activates/deactivates the logging in the log file. See the Diagnostics > Report > System Log dialog.
Possible values:
marked
Logging is active.
The prerequisite is that the Access Control List is assigned to a VLAN or port in the
Network Security > ACL > Assignment dialog.
The device registers in the log file, in an interval of 30 s, how many times it applied the deny rule
to IP data packets.
unmarked (default setting)
Logging is inactive.
The device lets you activate this function for up to 128 deny rules.
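The following Python sketch is an added example, not code from the device or from Hirschmann. It models the evaluation described in this chapter for IPv4 rules: rules are tried in ascending Index order, the first matching rule decides, and a list without a matching rule ends in the implicit Deny-All. It also interprets the ? wildcard and the inverse bit mask notation; the Rule class, the packet dictionary layout and the sample list are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def parse_pattern(spec):
    """Turn an address spec in the manual's notation into (value, care_mask).

    Accepted forms: '?.?.?.?', a dotted quad with '?' octets, or
    'address/inverse-mask', where a 1 bit in the mask means "ignore this bit".
    """
    if "/" in spec:
        addr, inverse = spec.split("/", 1)
        care = ~int(ipaddress.IPv4Address(inverse)) & MASK32
        return int(ipaddress.IPv4Address(addr)) & care, care
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {spec!r}")
    value = care = 0
    for octet in octets:
        value, care = value << 8, care << 8
        if octet != "?":
            number = int(octet)
            if not 0 <= number <= 255:
                raise ValueError(f"octet out of range in {spec!r}")
            value |= number
            care |= 0xFF
    return value, care


@dataclass
class Rule:
    index: int
    action: str  # "permit" or "deny"
    src: str = "?.?.?.?"
    dst: str = "?.?.?.?"
    protocol: str = "any"
    src_port: object = "any"
    dst_port: object = "any"

    def matches(self, pkt):
        for spec, addr in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            value, care = parse_pattern(spec)
            if (int(ipaddress.IPv4Address(addr)) & care) != value:
                return False
        if self.protocol not in ("any", pkt["proto"]):
            return False
        ports = ((self.src_port, pkt.get("sport")), (self.dst_port, pkt.get("dport")))
        return all(want == "any" or want == got for want, got in ports)


def evaluate(rules, pkt):
    """Return (action, rule index); index None means the implicit Deny-All."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.matches(pkt):
            return rule.action, rule.index  # first match wins, later rules are ignored
    return "deny", None


# Constructed sample list (addresses and index numbers are made up for the example).
SAMPLE_ACL = [
    Rule(10, "deny", src="192.168.1.0/0.0.0.127", protocol="tcp", dst_port=23),
    Rule(20, "permit", src="192.168.1.0/0.0.0.127"),
    Rule(30, "permit", src="192.?.?.32"),
]

if __name__ == "__main__":
    for src, dport in (("192.168.1.5", 23), ("192.168.1.5", 443),
                       ("192.168.1.200", 443), ("192.10.20.32", 443)):
        pkt = {"src": src, "dst": "10.0.0.1", "proto": "tcp",
               "sport": 50000, "dport": dport}
        print(src, dport, evaluate(SAMPLE_ACL, pkt))
```

Running the sample list against a capture of expected management traffic before assigning the list to a port shows which flows would fall through to the implicit Deny-All.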
In this dialog you specify the rules that the device applies to the MAC data packets.
An Access Control List (group) contains one or more rules. The device applies the rules of an
Access Control List successively, beginning with the rule with the lowest value in the Index column.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Remove
Group name
Displays the name of the Access Control List. The Access Control List contains the rules.
Index
Displays the number of the rule within the Access Control List. You specify the index number when
you add a table row.
If the Access Control List contains multiple rules, then the device processes the rule with the lowest
value first.
Possible values:
marked (default setting)
The device applies the rule to every MAC data packet.
unmarked
The device applies the rule to MAC data packets depending on the value in the following fields:
– Source MAC address
– Destination MAC address
Possible values:
??:??:??:??:??:?? (default setting)
The device applies the rule to MAC data packets with any source address.
Valid MAC address
The device applies the rule to MAC data packets with the specified source address.
You use the ? character as a wild card.
Example 00:11:??:??:??:??: The device applies the rule to MAC data packets whose source
address begins with 00:11.
Valid MAC address/bit mask
The device applies the rule to MAC data packets with the specified source address. The bit
mask lets you specify the address range with bit-level accuracy.
Example 00:11:22:33:44:54/FF:FF:FF:FF:FF:FC: The device applies the rule to MAC data
packets with a source address in the range from 00:11:22:33:44:54 to …:57.
Possible values:
??:??:??:??:??:?? (default setting)
The device applies the rule to MAC data packets with any destination address.
Valid MAC address
The device applies the rule to MAC data packets with the specified destination address.
You use the ? character as a wild card.
Example 00:11:??:??:??:??: The device applies the rule to MAC data packets whose
destination address begins with 00:11.
Valid MAC address/bit mask
The device applies the rule to MAC data packets with the specified destination address. The bit
mask lets you specify the address range with bit-level accuracy.
Example 00:11:22:33:44:54/FF:FF:FF:FF:FF:FC: The device applies the rule to MAC data
packets with a destination address in the range from 00:11:22:33:44:54 to …:57.
Action
Specifies how the device processes received MAC data packets when the device applies the rule.
Possible values:
permit (default setting)
The device forwards the MAC data packets.
deny
The device discards the MAC data packets.
Log
Activates/deactivates the logging in the log file. See the Diagnostics > Report > System Log dialog.
Possible values:
marked
Logging is active.
The prerequisite is that the Access Control List is assigned to a VLAN or port in the
Network Security > ACL > Assignment dialog.
The device registers in the log file, in an interval of 30 s, how many times it applied the deny rule
to MAC data packets.
unmarked (default setting)
Logging is inactive.
The device lets you activate this function for up to 128 deny rules.
This dialog lets you assign one or more Access Control Lists to the ports and VLANs of the device.
By assigning a priority you specify the processing sequence, provided you assign one or more
Access Control Lists to a port or VLAN.
The device applies rules successively, namely in the sequence specified by the rule index. You
specify the priority of a group in the Priority column. The lower the number, the higher the priority.
In this process, the device applies the rules with a high priority before the rules with a low priority.
The assignment of Access Control Lists to ports and VLANs results in the following different types
of ACLs:
• Port-based IPv4 ACLs
• Port-based MAC ACLs
• VLAN-based IPv4 ACLs
• VLAN-based MAC ACLs
The device lets you apply the Access Control Lists to data packets received (inbound).
Note: Before you enable the function, verify that at least one active table row in the table lets you
access the device. Otherwise, the connection to the device terminates if you change the settings.
Access to the device management is then possible only using the CLI through the serial interface
of the device.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Remove
Group name
Displays the name of the Access Control List. The Access Control List contains the rules.
Type
Displays if the Access Control List contains MAC rules or IPv4 rules.
Possible values:
mac
The Access Control List contains MAC rules.
ip
The Access Control List contains IPv4 rules.
You edit Access Control Lists with IPv4 rules in the Network Security > ACL > IPv4 Rule dialog. You
edit Access Control Lists with MAC rules in the Network Security > ACL > MAC Rule dialog.
Port
Displays the port to which the Access Control List is assigned. The field remains empty when the
Access Control List is assigned to a VLAN.
VLAN ID
Displays the VLAN to which the Access Control List is assigned. The field remains empty when the
Access Control List is assigned to a port.
Direction
Displays that the device applies the Access Control List to received data packets. The device can
apply the Access Control Lists only to received data packets.
Priority
Displays the priority of the Access Control List.
Using the priority, you specify the sequence in which the device applies the Access Control Lists to
the data stream. The device applies the rules in ascending order which starts with priority 1. If an
Access Control List is assigned to a port and to a VLAN with the same priority, then the device
applies the rules to the port first.
Possible values:
1..4294967295 (2³²-1)
Active
Displays if the Access Control List on the port or in the VLAN is active.
Possible values:
marked (default setting)
The Access Control List is active.
unmarked
The Access Control List is inactive.
5 Switching
If a large number of data packets are received in the priority queue of a port at the same time, then
this can cause the port memory to overflow. This happens, for example, when the device receives
data on a Gigabit port and forwards it to a port with a lower bandwidth. The device discards surplus
data packets.
The flow control mechanism defined in IEEE 802.3 helps ensure that no data packets are lost due
to a buffer overflow on a port. Shortly before the buffer memory of a port is completely full, the
device signals to the connected devices that it is not accepting any more data packets from them.
• In full-duplex mode, the device sends a pause data packet.
• In half-duplex mode, the device simulates a collision.
The connected devices then stop sending data packets for the duration of the signaling. On an
uplink port, this can possibly cause undesired sending interruptions in the higher-level network
segment (“wandering backpressure”). The flow control mechanism thus lowers the network to the
bandwidth that the slowest device in the network can process.
Configuration
MAC address
Displays the MAC address of the device.
Possible values:
10..500000 (default setting: 30)
The device monitors the age of the learned unicast MAC addresses. The device deletes address
entries that exceed a particular age (aging time) from its MAC address table (forwarding database).
You find the MAC address table (forwarding database) in the Switching > Filter for MAC Addresses
dialog.
Flow control
Activates/deactivates the flow control in the device.
Possible values:
marked
The flow control is active in the device.
Additionally activate the flow control on the required ports. See the Basic Settings > Port dialog,
Configuration tab, checkbox in the Flow control column.
unmarked (default setting)
The flow control is inactive in the device.
If you are using a redundancy function, then deactivate the flow control on the participating ports.
If the flow control and the redundancy function are active at the same time, it is possible that the
redundancy function operates differently than intended.
The device lets you limit the amount of data packets on the ports to help provide stable operation
even with a large data volume. If the amount of data packets on a port exceeds the threshold value,
then the device discards the excess data packets on this port.
The rate limiter function operates only on Layer 2, and is used to limit the effects of storms of data
packets that flood the device (typically Broadcasts).
The rate limiter function ignores protocol information on higher layers, such as IP or TCP.
[Ingress]
In this tab you enable the Rate Limiter function. The threshold value specifies the maximum amount
of data packets the port receives. If the amount of data packets on a port exceeds the specified
threshold value, then the device discards the excess data packets on this port.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Unit
Specifies the unit for the threshold value:
Possible values:
percent (default setting)
Specifies the threshold value as a percentage of the data rate of the port.
pps
Specifies the threshold value in data packets per second.
Broadcast mode
Activates/deactivates the rate limiter function for received broadcast data packets.
Possible values:
marked
unmarked (default setting)
If the threshold value is exceeded, then the device discards the excess broadcast data packets on
this port.
Broadcast threshold
Specifies the threshold value for received broadcasts on this port.
Possible values:
0..14880000 (default setting: 0)
The value 0 deactivates the rate limiter function on this port.
If you select the value percent in the Unit column, then enter a percentage value from 1
to 100.
If you select the value pps in the Unit column, then enter an absolute value for the data rate.
Possible values:
marked
unmarked (default setting)
If the threshold value is exceeded, then the device discards the excess multicast data packets on
this port.
Possible values:
0..14880000 (default setting: 0)
The value 0 deactivates the rate limiter function on this port.
If you select the value percent in the Unit column, then enter a percentage value from 0
to 100.
If you select the value pps in the Unit column, then enter an absolute value for the data rate.
Possible values:
marked
unmarked (default setting)
If the threshold value is exceeded, then the device discards the excess unicast data packets on this
port.
Possible values:
0..14880000 (default setting: 0)
The value 0 deactivates the rate limiter function on this port.
If you select the value percent in the Unit column, then enter a percentage value from 0 to 100.
If you select the value pps in the Unit column, then enter an absolute value for the data rate.
[Egress]
In this tab you specify the egress transmission rate on the port.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Bandwidth [%]
Specifies the egress transmission rate.
Possible values:
0 (default setting)
The bandwidth limitation is disabled.
1..100
The bandwidth limitation is enabled.
This value specifies the percentage of overall link speed for the port in 1% increments.
This dialog lets you display and edit address filters for the MAC address table (forwarding
database). Address filters specify the way the data packets are forwarded in the device based on
the destination MAC address.
Each table row represents one filter. The device automatically sets up the filters. The device lets
you set up additional filters manually.
Table
To delete the learned MAC addresses from the MAC address table (forwarding database), click in
the Basic Settings > Restart dialog the Clear FDB button.
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Remove
Clear FDB
Removes the MAC addresses from the forwarding table that have the value Learned in the Status
column.
Address
Displays the destination MAC address to which the table row relates.
VLAN ID
Displays the ID of the VLAN to which the table row relates.
The device learns the MAC addresses for every VLAN separately (independent VLAN learning).
Status
Displays how the device has set up the address filter.
Possible values:
Learned
Address filter set up automatically by the device based on received data packets.
Mgmt
MAC address of the device. The address filter is protected against changes.
Other
Static address added by the following function:
– 802.1X
– Port Security
Permanent
Address filter set up manually. The address filter stays set up permanently.
GMRP
Multicast address filter automatically set up by GMRP.
IGMP
Address filter automatically set up by IGMP Snooping.
MRP-MMRP
Multicast address filter automatically set up by MMRP.
<Port number>
Displays how the corresponding port transmits data packets which it directs to the adjacent
destination address.
Possible values:
–
The port does not transmit any data packets to the destination address.
learned
The port transmits data packets to the destination address. The device has automatically set up
the filter based on received data packets.
IGMP learned
The port transmits data packets to the destination address. The device has automatically set up
the filter based on IGMP.
unicast static
The port transmits data packets to the destination address. A user has set up the filter.
multicast static
The port transmits data packets to the destination address. A user has set up the filter.
The Internet Group Management Protocol (IGMP) is a protocol for dynamically managing Multicast
groups. The protocol describes the distribution of Multicast data packets between routers and end
devices on Layer 3.
The device lets you use the IGMP Snooping function to also use the IGMP mechanisms on Layer 2:
• Without IGMP Snooping, the device forwards the Multicast data packets to every port.
• With the activated IGMP Snooping function, the device forwards the Multicast data packets only
on ports to which Multicast receivers are connected. This reduces the network load. The device
evaluates the IGMP data packets transmitted on Layer 3 and uses the information on Layer 2.
Do not activate the IGMP Snooping function until the following conditions are fulfilled:
• There is a Multicast router in the network that generates IGMP queries (periodic queries).
• The devices participating in IGMP Snooping forward the IGMP queries.
The device links the IGMP reports with the entries in its MAC address table (forwarding database).
When a multicast receiver joins a multicast group, the device adds a table row for this port in the
Switching > Filter for MAC Addresses dialog. When the multicast receiver leaves the multicast group,
the device removes the table row.
This dialog lets you enable the IGMP Snooping function in the device and set the function up for each
port and each VLAN.
Operation
Operation
Enables/disables the IGMP Snooping function in the device.
Possible values:
On
The IGMP Snooping function is enabled in the device according to RFC 4541 (Considerations for
Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping
Switches).
Off (default setting)
The IGMP Snooping function is disabled in the device.
The device transmits received query, report, and leave data packets without evaluating them.
Received data packets with a Multicast destination address are transmitted to every port by the
device.
Information
Buttons
Removes the IGMP Snooping entries and resets the counter in the Information frame to 0.
The device uses the Multicast control data packets to set up the MAC address table (forwarding
database) for transmitting the Multicast data packets.
Possible values:
0..2147483647 (2³¹-1)
You use the Clear IGMP snooping data button in the Basic Settings > Restart dialog or the command
clear igmp-snooping using the Command Line Interface to reset the IGMP Snooping entries,
including the counter for the processed multicast control data packets.
This dialog lets you enable the IGMP Snooping function in the device and set the function up for each
port and each VLAN.
[VLAN ID]
In this tab you set up the IGMP Snooping function for every VLAN.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
VLAN ID
Displays the ID of the VLAN to which the table row relates.
Active
Activates/deactivates the IGMP Snooping function for this VLAN.
Possible values:
marked
IGMP Snooping is activated for this VLAN. The VLAN has joined the Multicast data stream.
unmarked (default setting)
IGMP Snooping is deactivated for this VLAN. The VLAN has left the Multicast data stream.
Specify a value larger than the value in the Max. response time column.
Possible values:
2..3600 (default setting: 260)
Specify a value smaller than the value in the Group membership interval column.
Possible values:
1..25 (default setting: 10)
Possible values:
marked
When the Fast Leave function is active and the device receives an IGMP Leave message from
a multicast group, the device immediately removes the entry from its MAC address table
(forwarding database).
unmarked (default setting)
When the Fast Leave function is inactive, the device first sends MAC-based queries to the
members of the multicast group and removes an entry when a VLAN does not send any more
report messages.
You have the option of configuring this parameter only if the port belongs to an existing VLAN.
Possible values:
0
unlimited timeout - no expiration time
1..3600 (default setting: 260)
[Port]
In this tab you set up the IGMP Snooping function for every port.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Active
Activates/deactivates the IGMP Snooping function on the port.
Possible values:
marked
IGMP Snooping is active on this port. The device includes the port in the multicast data stream.
unmarked (default setting)
IGMP Snooping is inactive on this port. The port left the multicast data stream.
Possible values:
2..3600 (default setting: 260)
Specify a value larger than the value in the Max. response time column.
Possible values:
1..25 (default setting: 10)
Specify a value lower than the value in the Group membership interval column.
Possible values:
0
unlimited timeout - no expiration time
1..3600 (default setting: 260)
Possible values:
marked
When the Fast Leave function is active and the device receives an IGMP Leave message from
a multicast group, the device immediately removes the entry from its MAC address table
(forwarding database).
unmarked (default setting)
When the Fast Leave function is inactive, the device first sends MAC-based queries to the
members of the multicast group and removes an entry when a port does not send any more
report messages.
Possible values:
marked
The Static query port mode is active.
The port is a static query port in the set-up VLANs.
unmarked (default setting)
The Static query port mode is inactive.
The port is not a static query port. The device transmits IGMP report messages to the port only
if it receives IGMP queries.
VLAN IDs
Displays the ID of the VLANs to which the table row relates.
This dialog lets you select a port for a VLAN and set up the port.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Wizard
Opens the Wizard window that helps you select and set up the ports. See “[Wizard: IGMP snooping
enhancements]” on page 206.
VLAN ID
Displays the ID of the VLAN to which the table row relates.
<Port number>
Displays for every VLAN set up in the device if the relevant port is a query port. Additionally, the
field displays if the device transmits every Multicast stream in the VLAN to this port.
Possible values:
–
The port is not a query port in this VLAN.
L = Learned
The device detected the port as a query port because the port received IGMP queries in this
VLAN. The port is not a statically set up query port.
A = Automatic
The device detected the port as a query port. The prerequisite is that you set up the port as
Learn by LLDP.
S = Static (manual setting)
A user specified the port as a static query port. The device transmits IGMP reports only to ports
on which it previously received IGMP queries – and to statically set-up query ports.
To assign this value, perform the following steps:
Open the Wizard window.
On the Configuration page, mark the Static checkbox.
Display categories
Enhances the clarity of the display. The table emphasizes the cells which contain the specified
value. This helps to analyze and sort the table according to your needs.
Possible values:
Learned (L)
The table displays cells which contain the value L and possibly further values. The table
displays cells which contain only values other than L with the “-” symbol.
Static (S)
The table displays cells which contain the value S and possibly further values. The table
displays cells which contain only values other than S with the “-” symbol.
Automatic (A)
The table displays cells which contain the value A and possibly further values. The table
displays cells which contain only values other than A with the “-” symbol.
Learned by LLDP (P)
The table displays cells which contain the value P and possibly further values. The table
displays cells which contain only values other than P with the “-” symbol.
Forward all (F)
The table displays cells which contain the value F and possibly further values. The table
displays cells which contain only values other than F with the “-” symbol.
The Wizard window helps you select and set up the ports.
After closing the Wizard window, click the button to save your settings.
Selection VLAN/Port
VLAN ID
Select the VLAN ID.
Port
Select the ports.
Configuration
VLAN ID
Displays the selected VLAN ID.
Port
Displays the number of the selected ports.
Static
Specifies the port as a static query port in the set-up VLANs. The device transmits IGMP report
messages to the ports at which it receives IGMP queries. This lets you also transmit IGMP report
messages to other selected ports or connected Hirschmann devices (Automatic).
Learn by LLDP
Specifies the port as Learn by LLDP. Lets the device detect directly connected Hirschmann
devices using LLDP and learn the related ports as a query port.
Forward all
Specifies the port as Forward all. With the Forward all setting, the device sends on this port
every data packet with a Multicast address in the destination address field.
The device forwards a Multicast stream only to those ports to which a Multicast receiver is
connected.
To detect which ports Multicast receivers are connected to, the device sends query data packets
on the ports at a given interval. When a Multicast receiver is connected, it joins the Multicast stream
by responding to the device with a report data packet.
This dialog lets you set up the Snooping Querier settings globally and for the set-up VLANs.
Operation
Operation
Enables/disables the IGMP Querier function globally in the device.
Possible values:
On
Off (default setting)
Configuration
In this frame you specify the IGMP Snooping Querier settings for the General Query data packets.
Protocol version
Specifies the IGMP version of the General Query data packets.
Possible values:
1
IGMP v1
2 (default setting)
IGMP v2
3
IGMP v3
Possible values:
1..1800 (default setting: 60)
Possible values:
60..300 (default setting: 125)
Table
In the table you specify the Snooping Querier settings for the set-up VLANs.
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
VLAN ID
Displays the ID of the VLAN to which the table row relates.
Active
Activates/deactivates the IGMP Snooping Querier function for this VLAN.
Possible values:
marked
The IGMP Snooping Querier function is active for this VLAN.
unmarked (default setting)
The IGMP Snooping Querier function is inactive for this VLAN.
Current state
Displays if the Snooping Querier is active for this VLAN.
Possible values:
marked
The Snooping Querier is active for this VLAN.
unmarked
The Snooping Querier is inactive for this VLAN.
IP address
Specifies the IP address that the device adds as the source address in generated General Query
data packets. You use the address of the multicast router.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
Protocol version
Displays the Internet Group Management Protocol (IGMP) version of the General Query data
packets.
Possible values:
1
IGMP v1
2 (default setting)
IGMP v2
3
IGMP v3
The device lets you specify how it forwards data packets with unknown Multicast addresses: Either
the device discards these data packets, floods them to every port, or forwards them only to the ports
that previously received query packets.
The device also forwards the data packets with known Multicast addresses to the query ports.
Configuration
Unknown multicasts
Specifies how the device forwards data packets with unknown Multicast addresses.
Possible values:
discard
The device discards data packets with an unknown MAC/IP Multicast address.
flood (default setting)
The device forwards data packets with an unknown MAC/IP Multicast address to every port.
Table
In the table you specify the settings for known Multicasts for the set-up VLANs.
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
VLAN ID
Displays the ID of the VLAN to which the table row relates.
Known multicasts
Specifies how the device forwards data packets with known Multicast addresses.
Possible values:
send to query and registered ports
The device forwards data packets with a known MAC/IP Multicast address to the query ports
and to the registered ports.
send to registered ports (default setting)
The device forwards data packets with a known MAC/IP Multicast address to registered ports.
In this dialog you enable the TSN function and specify the time-specific settings.
The device supports time-aware queuing defined in IEEE 802.1Qbv. This TSN feature lets the TSN-
capable ports transmit data packets of every traffic class scheduled relative to a defined cycle in
the Gate Control List. The VLAN tag of an Ethernet packet – or the port priority in case of an
untagged packet – contains the priority.
The feature helps to avoid latency and congestion loss for reserved data streams. The precise
synchronization of cycles and gate states using the Precision Time Protocol (PTP) according to
IEEE 1588 makes congestion-free, low-latency communication possible. The prerequisite is that
every device in the network supports IEEE 802.1Qbv.
Note: In contrast to the Command Line Interface, you commit the settings immediately if you click
the button.
Operation
Operation
Enables/disables the TSN function in the device.
Possible values:
On
The TSN function is globally enabled.
The device processes link-local frames on the TSN-capable ports with the priority of traffic
class 6. As a result, the link-local frames compete with other data packets with the same or
higher priority when forwarding. This affects the following frame types:
– RSTP
– LLDP
– IEEE 802.1AS
– PTP Peer Delay
Off (default setting)
The TSN function is globally disabled.
As long as the TSN function is active on a port, the port uses the opened gates
0,1,2,3,4,5,6,7. This setting is preset by the manufacturer.
Base time
Date
Time
[ns]
Specifies the time at which the cycle starts related to the Universal Time Coordinated (UTC).
The device converts the value into the PTP time scale directly without considering the leap
seconds.
Possible values:
<Day of the week, date>
(depending on the language and region settings of your computer)
hh:mm:ss AM/PM
Hour:Minute:Second
0..999999999 (10⁹-1)
Specifies the offset of nanoseconds.
Note: When you specify the base time in the future, the cycle starts earlier than specified by the
number of seconds in the UTC offset [s] field. See the Time > PTP > Boundary Clock > Global dialog.
Configuration
Possible values:
50000..10000000 (10⁷) (default setting: 1000000)
50 µs .. 10 ms
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
On devices with 16 or more ports, the TSN function is available on the following ports:
• 1/1..1/8 on a device with 16 ports
• 1/1..1/12 on a device with 20 or 24 ports
Port
Displays the port number.
Active
Activates/deactivates the TSN function on the port.
Possible values:
marked
The TSN function is active on the port.
When you specify the base time in the future, the cycle starts at the time specified in the Base
time frame.
The prerequisite is that the PTP function is enabled and the device is synchronized.
As long as the TSN function is globally enabled, the port uses the cycle specified in the
Switching > TSN > Gate Control List > Configured dialog.
unmarked (default setting)
The TSN function is inactive on the port.
As long as the TSN function is globally enabled, the port uses the opened gates
0,1,2,3,4,5,6,7.
Port state
Displays the status of the cycle on the port.
Possible values:
running
The cycle is running.
The port uses the cycle specified in the Switching > TSN > Gate Control List > Configured dialog.
waitForTimeSync
The cycle has not yet started.
The clock of the device is not synchronized.
Check the PTP settings.
pending
The cycle has not yet started.
The base time is specified in the future.
disabled
The cycle is not running.
The TSN function is inactive on the port.
– Check the setting in the Operation frame.
– Check the setting in the Active column.
The port uses the gate states specified in the Default gate states column.
error
The cycle is not running.
An error was detected.
In this dialog you specify the time slots of the cycle for the TSN-capable ports. By adding a table
row, you specify the opened gates and the duration of the time slot.
Note: In contrast to the Command Line Interface, you commit the settings immediately if you click
the button.
[<Port number>]
Configuration
Status
Displays the template assigned to the Gate Control List.
Possible values:
-
No template. No entries are assigned to the Gate Control List.
default 2 time slots
Template with 3 entries:
– First entry is the traffic class 7.
– Second entry is the traffic class 6 to 0.
– Third entry is a guard band.
default 3 time slots
Template with 5 entries:
– First entry is the traffic class 7.
– Second entry is a guard band.
– Third entry is the traffic class 6.
– Fourth entry is the traffic class 5 to 0.
– Fifth entry is a guard band.
<any other template name>
The template was assigned using the Command Line Interface.
Template
Opens the Template window to assign a different template to the Gate Control List. When you select
a different template and click the Ok button, the device replaces the entries in the table.
From the drop-down list, you select one of the following templates:
• default 2 time slots
• default 3 time slots
The device lets you assign additional templates using the Command Line Interface.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Delete
Index
Displays the index number of the entry in the Gate Control List, which specifies the chronological
order of the timeslots.
Gate states
Specifies the opened gates in case the TSN function on the port is active.
• The data packets whose traffic class is assigned to a selected gate are selected for transmission
– Gate state OPEN.
• The data packets whose traffic class is assigned to a not selected gate are not selected for
transmission – Gate state CLOSED.
Possible values:
- (default setting)
No gate selected.
The device does not open any gate on the port while the time slot is processed. From the drop-
down list, unselect every gate.
0..7
The device opens the selected gates on the port while the time slot is processed. From the
drop-down list, select one or more items.
You assign the VLAN priorities to a traffic class in the Switching > QoS/Priority > 802.1D/p Mapping
dialog.
Interval [ns]
Specifies the duration of the time slot in nanoseconds.
Possible values:
1000..10000000 (10⁷)
When you specify the duration of the time slots, consider the following conditions:
• A single time slot
– Confirm that a time slot is at least long enough for the port to transmit the longest expected
data packet.
– Confirm that a time slot is less than or equal to the duration of the cycle.
• The sum of the time slots specified
– We recommend that the sum of the time slots is equal to the duration of the cycle.
– If the sum exceeds the duration of the cycle, then the overlapping time slots are discarded
and the cycle restarts.
– If the sum is smaller than the duration of the cycle, then the interval of the last time slot is
extended to fit into the cycle.
Note: Discrepancies between the specified time slots and the cycle duration are not highlighted in
the Switching > TSN > Gate Control List > Current dialog.
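An offline check of the time slot conditions listed above, as an added example that is not part of the manual or the device software. It assumes that a slot which ends after the end of the cycle counts as overlapping and that a frame occupies the wire for its length plus 20 bytes of preamble and inter-frame gap. The names Slot, audit_gcl, GOOD_GCL and BAD_GCL and the sample schedules are constructed for illustration.

```python
from dataclasses import dataclass

# Value ranges quoted in the Configuration and Interval [ns] descriptions.
CYCLE_MIN_NS, CYCLE_MAX_NS = 50_000, 10_000_000
INTERVAL_MIN_NS, INTERVAL_MAX_NS = 1_000, 10_000_000
# With TSN enabled, link-local frames (RSTP, LLDP, IEEE 802.1AS,
# PTP Peer Delay) are processed with the priority of traffic class 6.
LINK_LOCAL_TC = 6
# Assumption: 8 bytes preamble/SFD + 12 bytes inter-frame gap per frame.
WIRE_OVERHEAD_BYTES = 20


@dataclass(frozen=True)
class Slot:
    index: int          # position in the Gate Control List
    gates: frozenset    # opened gates (traffic classes 0..7); empty = none
    interval_ns: int    # duration of the time slot


def frame_time_ns(frame_bytes, link_bps):
    """Time the port needs to put one frame on the wire, rounded up."""
    bits = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return (bits * 10**9 + link_bps - 1) // link_bps


def audit_gcl(slots, cycle_ns, link_bps, max_frame_bytes=1522):
    """Return (findings, effective).

    effective is a list of (index, gates, start_ns, duration_ns) for the
    slots that actually run within one cycle.
    """
    findings = []
    if not CYCLE_MIN_NS <= cycle_ns <= CYCLE_MAX_NS:
        findings.append(f"cycle {cycle_ns} ns is outside the permitted range")
    need = frame_time_ns(max_frame_bytes, link_bps)
    effective, start = [], 0
    for s in sorted(slots, key=lambda s: s.index):
        if not INTERVAL_MIN_NS <= s.interval_ns <= INTERVAL_MAX_NS:
            findings.append(f"slot {s.index}: interval outside the permitted range")
        if s.interval_ns > cycle_ns:
            findings.append(f"slot {s.index}: longer than the cycle")
        if s.interval_ns < need:
            findings.append(f"slot {s.index}: {s.interval_ns} ns is shorter than the "
                            f"{need} ns needed for a {max_frame_bytes}-byte frame")
        if start + s.interval_ns > cycle_ns:
            # Sum exceeds the cycle: overlapping slots are discarded.
            findings.append(f"slot {s.index}: ends after the cycle end, discarded")
        else:
            effective.append((s.index, s.gates, start, s.interval_ns))
        start += s.interval_ns
    total = start
    if effective and total < cycle_ns:
        # Sum smaller than the cycle: the last slot is extended to fit.
        i, g, st, d = effective[-1]
        effective[-1] = (i, g, st, d + cycle_ns - total)
        findings.append(f"sum {total} ns < cycle: slot {i} extended by "
                        f"{cycle_ns - total} ns")
    opened = set().union(*(e[1] for e in effective))
    starved = sorted(set(range(8)) - opened)
    if starved:
        findings.append(f"traffic classes never opened: {starved}")
    if LINK_LOCAL_TC in starved:
        findings.append("traffic class 6 is never opened: link-local frames "
                        "(RSTP, LLDP, IEEE 802.1AS, PTP Peer Delay) are not sent")
    return findings, effective


# Constructed schedule following the layout of "default 3 time slots".
GOOD_GCL = [
    Slot(1, frozenset({7}), 200_000),
    Slot(2, frozenset(), 15_000),          # guard band
    Slot(3, frozenset({6}), 100_000),
    Slot(4, frozenset(range(6)), 670_000),
    Slot(5, frozenset(), 15_000),          # guard band
]
# Constructed schedule whose sum exceeds the cycle by 5000 ns.
BAD_GCL = [
    Slot(1, frozenset({7}), 600_000),
    Slot(2, frozenset(range(6)), 395_000),
    Slot(3, frozenset({6}), 10_000),
]

if __name__ == "__main__":
    for name, gcl in (("GOOD_GCL", GOOD_GCL), ("BAD_GCL", BAD_GCL)):
        findings, effective = audit_gcl(gcl, cycle_ns=1_000_000, link_bps=10**9)
        print(name, "->", findings or "no findings")
        for index, gates, start_ns, duration_ns in effective:
            print(f"  slot {index}: gates {sorted(gates)} "
                  f"start {start_ns} ns, duration {duration_ns} ns")
```

Running such a check before committing a schedule matters because the Current dialog does not highlight a mismatch between the time slots and the cycle duration.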
In this dialog you monitor the current settings of the cycle for the TSN-capable ports. Every table
row represents a specified time slot.
If the time at which the cycle starts (Base time) is in the future, then the displayed values are different
from the values specified in the Switching > TSN > Gate Control List > Configured dialog.
In the Switching > TSN > Configuration dialog, the Port state column displays if the cycle is running on
a port.
[<Port number>]
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Index
Displays the index number of the entry in the Gate Control List, which specifies the chronological
order of the timeslots.
Gate states
Displays the opened gates in case the TSN function on the port is active.
Interval [ns]
Displays the duration of the time slot in nanoseconds.
5.6 MRP-IEEE
[ Switching > MRP-IEEE ]
The IEEE 802.1ak amendment to the IEEE 802.1Q standard introduced the Multiple Registration
Protocol (MRP) to replace the Generic Attribute Registration Protocol (GARP). The IEEE standards
association also modified and replaced the GARP applications, GARP Multicast Registration
Protocol (GMRP) and GARP VLAN Registration Protocol (GVRP). The Multiple MAC Registration
Protocol (MMRP) and the Multiple VLAN Registration Protocol (MVRP) replace these protocols.
MRP-IEEE helps confine traffic to the required areas of the LAN. To confine traffic, the MRP-IEEE
applications distribute attribute values to participating MRP-IEEE devices across a LAN registering
and de-registering multicast group membership and VLAN identifiers.
Registering group participants lets you reserve resources for specific data packets traversing a
LAN. Defining resource requirements regulates the level of traffic, allowing the devices to
determine the required resources and providing for dynamic maintenance of the allocated
resources.
This dialog lets you set the various MRP timers. By maintaining a relationship between the various
timer values, the protocol operates efficiently and with less likelihood of unnecessary attribute
withdrawals and re-registrations. The default timer values effectively maintain these relationships.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Possible values:
10..100 (default setting: 20)
Possible values:
20..600 (default setting: 60)
Possible values:
200..6000 (default setting: 1000)
The Multiple MAC Registration Protocol (MMRP) lets end devices and MAC switches register and
de-register group membership and individual MAC address information with switches located in the
same LAN. The switches within the LAN disseminate the information through switches that support
extended filtering services. Using the MAC address information, MMRP lets you confine multicast
traffic to the required areas of a Layer 2 network.
For an example of how MMRP works, consider a security camera mounted on a mast overlooking
a building. The camera sends multicast packets onto a LAN. You have 2 end devices installed for
surveillance in separate locations. You register the MAC addresses of the camera and the 2 end
devices in the same multicast group. You then specify the MMRP settings on the ports to send the
multicast group packets to the 2 end devices.
[Configuration]
In this tab you select active MMRP port participants and set the device to transmit periodic events.
The dialog also lets you enable VLAN registered MAC address broadcasting.
A periodic state machine exists for each port and transmits periodic events regularly to the applicant
state machines associated with active ports. Periodic events contain information indicating the
status of the devices associated with the active port.
Operation
Operation
Enables/disables the global MMRP function in the device. The device participates in MMRP
message exchanges.
Possible values:
On
The device is a normal participant in MMRP message exchanges.
Off (default setting)
The device ignores MMRP messages.
Configuration
Possible values:
On
With MMRP Operation enabled globally, the device transmits MMRP messages in one-second
intervals, on MMRP participating ports.
Off (default setting)
Disables the periodic state machine in the device.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Active
Activates/deactivates the port MMRP participation.
Possible values:
marked (default setting)
With MMRP enabled globally and on this port, the device sends and receives MMRP messages
on this port.
unmarked
Disables the port MMRP participation.
Possible values:
marked
If enabled and a static filter entry for the MAC address exists on the VLAN concerned, then the
device registers the MAC address attributes dynamically.
unmarked (default setting)
Activates/deactivates the restriction of dynamic MAC address registration using MMRP on the
port.
[Service requirement]
This tab contains forwarding parameters for each active VLAN, specifying the ports on which
multicast forwarding applies. The device lets you statically set up VLAN ports as Forward all or
Forbidden. You set the Forbidden MMRP service requirement statically only through the
Graphical User Interface or Command Line Interface.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
VLAN ID
Displays the ID of the VLAN.
<Port number>
Specifies the service requirement handling for the port.
Possible values:
FA
Specifies the ForwardAll traffic setting on the port. The device forwards the data packets
destined to MMRP registered multicast MAC addresses on the VLAN. The device forwards the
data packets to ports which MMRP has dynamically set up or ports which the administrator has
statically set up as ForwardAll ports.
F
Specifies the Forbidden traffic setting on the port. The device blocks dynamic MMRP
ForwardAll service requirements. With ForwardAll requests blocked on this port in this VLAN,
the device blocks the data packets destined to MMRP registered multicast MAC addresses on
this port. Furthermore, the device blocks MMRP service requests for changing this value on this
port.
- (default setting)
Disables the forwarding functions on this port.
Learned
Displays values set up by MMRP service requests.
[Statistics]
Devices on a LAN exchange Multiple MAC Registration Protocol Data Units (MMRPDUs) to
maintain statuses of devices on an active MMRP port. This tab lets you monitor the MMRP data
packet statistics for each port.
Information
Buttons
Reset statistics
Resets the port statistics counters and the values in the Last received MAC address column.
Transmission failed
Displays the number of MMRPDUs not transmitted in the device.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Transmission failed
Displays the number of MMRPDUs not transmitted on the port.
The Multiple VLAN Registration Protocol (MVRP) provides a mechanism that lets you distribute
VLAN information and configure VLANs dynamically. For example, when you configure a VLAN on
an active MVRP port, the device distributes the VLAN information to other MVRP enabled devices.
Using the information received, an MVRP enabled device dynamically generates the VLAN trunks
on other MVRP enabled devices as needed.
[Configuration]
In this tab you select active MVRP port participants and set the device to transmit periodic events.
A periodic state machine exists for each port and transmits periodic events regularly to the applicant
state machines associated with active ports. Periodic events contain information indicating the
status of the VLANs associated with the active port. Using the periodic events, MVRP enabled
switches dynamically maintain the VLANs.
Operation
Operation
Enables/disables the global Applicant Administrative Control which specifies if the Applicant state
machine participates in MMRP message exchanges.
Possible values:
On
Normal Participant. The Applicant state machine participates in MMRP message exchanges.
Off (default setting)
Non-Participant. The Applicant state machine ignores MMRP messages.
Configuration
Possible values:
On
The periodic state machine is enabled.
With MVRP Operation enabled globally, the device transmits MVRP periodic events every 1 s,
on MVRP participating ports.
Off (default setting)
The periodic state machine is disabled.
Disables the periodic state machine in the device.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Active
Activates/deactivates the port MVRP participation.
Possible values:
marked (default setting)
With MVRP enabled globally and on this port, the device distributes VLAN membership
information to MVRP-aware devices connected to this port.
unmarked
Disables the port MVRP participation.
Possible values:
marked
If enabled and a static VLAN registration entry exists, then the device lets you add a dynamic
VLAN for this entry.
unmarked (default setting)
Disables the Restricted VLAN registration function on this port.
[Statistics]
Devices on a LAN exchange Multiple VLAN Registration Protocol Data Units (MVRPDUs) to
maintain statuses of VLANs on active ports. This tab lets you monitor the MVRP data packets.
Information
Buttons
Reset statistics
Resets the port statistics counters and the values in the Last received MAC address column.
Transmission failed
Displays the number of detected failures while adding a message into the MVRP queue.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Transmission failed
Displays the number of MVRPDUs that the device blocked on the port.
Registrations failed
Displays the number of unsuccessful registration attempts on the port.
5.7 GARP
[ Switching > GARP ]
The Generic Attribute Registration Protocol (GARP) is defined by the IEEE standards association
to provide a generic framework so switches can register and deregister attribute values, such as
VLAN identifiers and multicast group membership.
When an attribute for a participant is registered or deregistered according to GARP, the participant
is modified according to specific rules. The participants are a set of reachable end stations and
network devices. The defined set of participants at any given time, along with their attributes, is the
reachability tree for the subset of the network topology. The device forwards the data frames only
to the registered end stations. The station registration helps prevent attempts to send data to the
end stations that are unreachable.
Note: Before you enable the GMRP function, verify that the MMRP function is disabled.
5.7.1 GMRP
[ Switching > GARP > GMRP ]
The GARP Multicast Registration Protocol (GMRP) is a Generic Attribute Registration Protocol
(GARP) that provides a mechanism allowing network devices and end stations to dynamically
register group membership. The devices register group membership information with the devices
attached to the same LAN segment. GARP also lets the devices distribute the information across
the network devices that support extended filtering services.
GMRP and GARP are industry-standard protocols defined in IEEE 802.1D.
Operation
Operation
Enables/disables the global GMRP function in the device. The device participates in GMRP
message exchanges.
Possible values:
On
GMRP is enabled.
Off (default setting)
The device ignores GMRP messages.
Multicasts
Unknown multicasts
Specifies whether the device floods or discards unknown multicast data.
Possible values:
discard
The device discards unknown multicast data.
flood (default setting)
The device forwards unknown multicast data to every port.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
GMRP active
Activates/deactivates the port GMRP participation.
Possible values:
marked (default setting)
The port GMRP participation is active.
unmarked
The port GMRP participation is inactive.
Service requirement
Specifies the ports on which multicast forwarding applies.
Possible values:
Forward all unregistered groups (default setting)
The device forwards data destined to GMRP-registered multicast MAC addresses on the VLAN.
The device forwards data to the unregistered groups.
Forward all groups
The device forwards data destined to every group, registered or unregistered.
5.7.2 GVRP
[ Switching > GARP > GVRP ]
The GARP VLAN Registration Protocol or Generic VLAN Registration Protocol (GVRP) is a
protocol that facilitates control of Virtual Local Area Networks (VLANs) within a larger network.
GVRP is a Layer 2 network protocol, used to automatically set up devices in a VLAN network.
GVRP is a GARP application that provides IEEE 802.1Q-compliant VLAN pruning, and setting up
dynamic VLAN on 802.1Q trunk ports. With GVRP, the device exchanges VLAN configuration
information with other GVRP devices. Thus, the device reduces the unnecessary broadcast and
unknown unicast traffic. Exchanging VLAN configuration information also lets you dynamically add
and manage VLANs connected through the 802.1Q trunk ports.
Operation
Operation
Enables/disables the GVRP function globally in the device. The device participates in GVRP
message exchanges. If the function is disabled, then the device ignores GVRP messages.
Possible values:
On
The GVRP function is enabled.
Off (default setting)
The GVRP function is disabled.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
GVRP active
Activates/deactivates the port GVRP participation.
Possible values:
marked (default setting)
The port GVRP participation is active.
unmarked
The port GVRP participation is inactive.
5.8 QoS/Priority
[ Switching > QoS/Priority ]
Communication networks carry a number of applications at the same time, each with different
requirements for availability, bandwidth and latency.
QoS (Quality of Service) is a procedure defined in IEEE 802.1D. It is used to distribute resources
in the network. You therefore have the possibility of providing minimum bandwidth for necessary
applications. The prerequisite is that the end devices and the devices in the network support
prioritized data transmission. Data packets with high priority are given preference when transmitted
by devices in the network. You transfer data packets with lower priority when there are no data
packets with a higher priority to be transmitted.
Note: If you use the functions in this menu, then disable the flow control. The flow control is inactive
if the Flow control checkbox in the Configuration frame of the Switching > Global dialog is unmarked.
The device lets you maintain access to the device management, even in situations with heavy
utilization. In this dialog you specify the required QoS/priority settings.
Configuration
Possible values:
0..7 (default setting: 0)
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to every VLAN
priority.
Possible values:
0 (be/cs0)..63 (default setting: 0 (be/cs0))
Some values in the list also have a DSCP keyword, for example 0 (be/cs0), 10 (af11) and 46
(ef). These values are compatible with the IP precedence model.
In the Switching > QoS/Priority > IP DSCP Mapping dialog you assign a traffic class to every IP DSCP
value.
The device has 8 priority queues per port. You assign every priority queue to a specific traffic class
(traffic class according to IEEE 802.1D).
In this dialog you specify for every port how the device processes received data packets based on
their QoS/priority information.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Port priority
Specifies what VLAN priority information the device writes into a data packet if the data packet
contains no priority information. After this, the device forwards the data packet depending on the
value specified in the Trust mode column.
Possible values:
0..7 (default setting: 0)
Trust mode
Specifies how the device handles a received data packet if the data packet contains QoS/priority
information.
Possible values:
untrusted
The device forwards the data packet according to the priority specified in the Port priority column.
The device ignores the priority information contained in the data packet.
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to every VLAN
priority.
trustDot1p (default setting)
The device forwards the data packet according to the priority information in the VLAN tag.
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to every VLAN
priority.
trustIpDscp
– If the data packet is an IP packet, then:
The device forwards the data packet according to the IP DSCP value contained in the data
packet.
In the Switching > QoS/Priority > IP DSCP Mapping dialog you assign a traffic class to every IP
DSCP value.
– If the data packet is not an IP packet, then:
The device forwards the data packet according to the priority specified in the Port priority
column.
In the Switching > QoS/Priority > 802.1D/p Mapping dialog, you assign a traffic class to every
VLAN priority.
Possible values:
0..7
The device forwards data packets with a VLAN tag according to the contained QoS/priority
information with a higher or lower priority.
In this dialog you assign a traffic class to every VLAN priority. You assign the traffic classes to the
priority queues of the ports.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
VLAN priority
Displays the VLAN priority.
Traffic class
Specifies the traffic class assigned to the VLAN priority.
Possible values:
0..7
0 assigned to the priority queue with the lowest priority.
7 assigned to the priority queue with the highest priority.
Note: Among other things, redundancy mechanisms use the highest traffic class. Therefore, select
another traffic class for application data.
The device forwards IP data packets according to the DSCP value contained in the data packet with
a higher or lower priority.
In this dialog you assign a traffic class to every DSCP value. You assign the traffic classes to the
priority queues of the ports.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
DSCP value
Displays the DSCP value.
Traffic class
Specifies the traffic class which is assigned to the DSCP value.
Possible values:
0..7
0 assigned to the priority queue with the lowest priority.
7 assigned to the priority queue with the highest priority.
This dialog lets you enable and disable the Strict priority function for the traffic classes. When you
disable the Strict priority function, the device processes the priority queues of the ports with
Weighted Fair Queuing.
You also have the option of assigning a minimum bandwidth to every traffic class, which the
device uses to process the priority queues with Weighted Fair Queuing.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Traffic class
Displays the traffic class.
Strict priority
Activates/deactivates the processing of the port priority queue with Strict priority for this traffic class.
Possible values:
marked (default setting)
The processing of the port priority queue with Strict priority is active.
– The port forwards only data packets that are in the priority queue with the highest priority.
When this priority queue is empty, the port forwards data packets that are in the priority
queue with the next lower priority.
– The port forwards data packets with a lower traffic class after the priority queues with a higher
priority are empty. In unfavorable situations, the port does not send these data packets.
– When you select this setting for a traffic class, the device also enables the function for traffic
classes with a higher priority.
– Use this setting for applications such as VoIP or video that require the least possible delay.
unmarked
The processing of the port priority queue with Strict priority is inactive. The device uses Weighted
Fair Queuing/"Weighted Round Robin" (WRR) to process the port priority queue.
– The device assigns a minimum bandwidth to each traffic class.
– Even under a high network load the port transmits data packets with a low traffic class.
– When you select this setting for a traffic class, the device also disables the function for traffic
classes with a lower priority.
Possible values:
0..100 (default setting: 0 = the device does not reserve any bandwidth for this traffic class)
The value specified in percent refers to the available bandwidth on the port. When you disable the
Strict priority function for every traffic class, the maximum bandwidth is available on the port for the
Weighted Fair Queuing.
Possible values:
0 (default setting)
The device does not reserve any bandwidth for this traffic class.
1..100
The device reserves the specified bandwidth for this traffic class. The specified value in percent
refers to the maximum available bandwidth on this port.
For example, using Queue Shaping lets you limit the rate of a strict high-priority queue. Limiting a
strict high-priority queue lets the device also process low-priority queues. To use queue shaping,
you set the maximum bandwidth for a particular queue.
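The Trust mode and Strict priority descriptions above together decide which priority queue a received frame occupies and when the port sends it. The following Python model is an added example, not Hirschmann code: the mapping tables, frame counts and function names are constructed for illustration and are not the device defaults.

```python
from collections import deque

HIGHEST_TC = 7

# Constructed mapping tables (assumption, not the device defaults):
# VLAN priority n -> traffic class n, DSCP value -> traffic class (DSCP >> 3).
DOT1P_TO_TC = {prio: prio for prio in range(8)}
DSCP_TO_TC = {dscp: dscp >> 3 for dscp in range(64)}


def classify(trust_mode, port_priority, vlan_prio=None, dscp=None):
    """Return the traffic class for a received frame.

    vlan_prio: priority carried in the VLAN tag, None if the frame has none.
    dscp:      IP DSCP value, None if the frame is not an IP packet.
    """
    if trust_mode == "untrusted":
        # Priority information in the frame is ignored.
        prio = port_priority
    elif trust_mode == "trustDot1p":
        # Frames without priority information get the Port priority written in.
        prio = vlan_prio if vlan_prio is not None else port_priority
    elif trust_mode == "trustIpDscp":
        if dscp is not None:
            return DSCP_TO_TC[dscp]
        prio = port_priority  # non-IP frames fall back to the Port priority
    else:
        raise ValueError("unknown trust mode: %r" % (trust_mode,))
    return DOT1P_TO_TC[prio]


def strict_priority_send(queues, slots):
    """Send up to `slots` frames, always serving the highest non-empty class."""
    sent = []
    for _ in range(slots):
        for tc in range(HIGHEST_TC, -1, -1):
            if queues[tc]:
                sent.append(queues[tc].popleft())
                break
    return sent


def simulate(edge_trust_mode, slots=10):
    """Count frames sent per source on one egress port with Strict priority.

    Constructed scenario: an end device on an edge port (Port priority 0)
    tags its own frames with VLAN priority 7, while an application on a
    trusted uplink uses VLAN priority 4.
    """
    queues = {tc: deque() for tc in range(8)}
    for i in range(10):
        tc = classify(edge_trust_mode, port_priority=0, vlan_prio=7)
        queues[tc].append(("edge", i))
    for i in range(10):
        tc = classify("trustDot1p", port_priority=0, vlan_prio=4)
        queues[tc].append(("app", i))
    sent = strict_priority_send(queues, slots)
    return {
        "edge": sum(1 for src, _ in sent if src == "edge"),
        "app": sum(1 for src, _ in sent if src == "app"),
    }


if __name__ == "__main__":
    # trustDot1p on the edge port: self-marked frames land in traffic class 7,
    # the class the manual notes is also used by redundancy mechanisms.
    print("edge port trustDot1p:", simulate("trustDot1p"))
    # untrusted on the edge port: the same frames land in traffic class 0.
    print("edge port untrusted: ", simulate("untrusted"))
```

The model covers Strict priority only; with Weighted Fair Queuing the minimum bandwidth per traffic class bounds how far one class can displace another.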
5.9 VLAN
[ Switching > VLAN ]
With VLAN (Virtual Local Area Network) you distribute the data packets in the physical network to
logical subnetworks. This provides you with the following advantages:
• High flexibility
– With VLAN you distribute the data packets to logical networks in the existing infrastructure.
Without VLAN, it would be necessary to have additional devices and complicated cabling.
– With VLAN you specify network segments independently of the location of the individual end
devices.
• Improved throughput
– In VLANs data packets can be transferred by priority.
When the priority is high, the device transfers the data of a VLAN preferentially, for example
for time-sensitive applications such as VoIP phone calls.
– When the data packets and Broadcasts are distributed in small network segments instead of
in the entire network, the network load is considerably reduced.
• Increased security
The distribution of the data packets among individual logical networks makes unwanted
accessing more difficult and strengthens the system against attacks such as MAC Flooding or
MAC Spoofing.
The device supports packet-based “tagged” VLANs according to IEEE 802.1Q. The VLAN tagging
in the data packet indicates the VLAN to which the data packet belongs.
The device forwards the tagged data packets of a VLAN only on ports that are assigned to the same
VLAN. This reduces the network load.
The device learns the MAC addresses for every VLAN separately (independent VLAN learning).
The device prioritizes the received data stream in the following sequence:
• Voice VLAN
• Port-based VLAN
This dialog lets you view general VLAN parameters for the device.
Configuration
Buttons
Note that you lose your connection to the device if you have changed the VLAN for the device
management in the Basic Settings > Network > Global dialog.
Max. VLAN ID
Highest ID assignable to a VLAN.
VLANs (max.)
Displays the maximum number of VLANs possible.
VLANs
Number of VLANs currently set up in the device.
In this dialog you manage the VLANs. To set up a VLAN, add a further table row. There you specify
for each port if it transmits data packets of the respective VLAN and if the data packets contain a
VLAN tag.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Remove
VLAN ID
ID of the VLAN.
Possible values:
1..4042
Status
Displays how the VLAN is set up.
Possible values:
other
VLAN 1
or
VLAN set up using the 802.1X function. See the Network Security > 802.1X dialog.
permanent
VLAN set up by the user.
or
VLAN set up using the MRP function. See the Switching > L2-Redundancy > MRP dialog.
If you save the settings in the non-volatile memory, then the VLANs with this setting remain set
up after a restart.
dynamicMvrp
VLAN set up using the MVRP function. See the Switching > MRP-IEEE > MVRP dialog.
VLANs with this setting are write-protected. The device removes a VLAN from the table as soon
as the last port leaves the VLAN.
Name
Specifies the name of the VLAN.
Possible values:
Alphanumeric ASCII character string with 1..32 characters
<Port number>
Specifies if the respective port transmits data packets of the VLAN and if the data packets contain
a VLAN tag.
Possible values:
- (default setting)
The port is not a member of the VLAN and does not transmit data packets of the VLAN.
T = Tagged
The port is a member of the VLAN and transmits the data packets with a VLAN tag. You use this
setting for uplink ports, for example.
LT = Tagged Learned
The port is a member of the VLAN and transmits the data packets with a VLAN tag.
The device has automatically set up the entry based on the GVRP or MVRP function.
F = Forbidden
The port is not a member of the VLAN and does not transmit data packets of this VLAN.
Additionally, the device helps prevent the port from becoming a VLAN member through the
MVRP function.
U = Untagged (default setting for VLAN 1)
The port is a member of the VLAN and transmits the data packets without a VLAN tag. Use this
setting if the connected device does not evaluate any VLAN tags, for example on end ports.
LU = Untagged Learned
The port is a member of the VLAN and transmits the data packets without a VLAN tag.
The device has automatically set up the entry based on the GVRP or MVRP function.
Note: Verify that the port on which the network management station is connected is a member of
the VLAN in which the device transmits the management data. In the default setting, the device
transmits the management data on VLAN 1. If the port is not a member of this VLAN, then the
connection to the device terminates when you transfer the changes to the device. Access to the
device management is then possible only using the Command Line Interface through the serial interface.
In this dialog you specify how the device handles received data packets that have no VLAN tag, or
whose VLAN tag differs from the VLAN ID of the port.
This dialog lets you assign a VLAN to the ports and thus specify the port VLAN ID.
Additionally, you specify for each port how the device forwards data packets when one of the
following situations occurs:
• The port receives data packets without a VLAN tag.
• The port receives data packets with VLAN priority information (VLAN ID 0, priority tagged).
• The VLAN ID in the tag of the data packet differs from the VLAN ID of the port.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Port-VLAN ID
Specifies the VLAN ID which the device assigns to data packets received without a VLAN tag.
Prerequisites:
• In the Acceptable packet types column the value admitAll is specified.
Possible values:
1..4042 (default setting: 1)
A VLAN you set up.
If you use the MRP function and you did not assign a VLAN to the ring ports, then you specify the
value 1 here for the ring ports. Otherwise, the device assigns the value to the ring ports
automatically.
Possible values:
admitAll (default setting)
The port accepts data packets both with and without a VLAN tag.
admitOnlyVlanTagged
The port accepts only data packets tagged with a VLAN ID ≥ 1.
Ingress filtering
Activates/deactivates the ingress filtering.
Possible values:
marked
The ingress filtering is active.
The device compares the VLAN ID in the data packet with the VLANs of which the port is a
member. See the Switching > VLAN > Configuration dialog. If the VLAN ID in the data packet
matches one of these VLANs, then the device forwards the data packet. Otherwise, the device
discards the data packet.
unmarked (default setting)
The ingress filtering is inactive.
The device forwards received data packets without comparing the VLAN ID. Thus, the device
also forwards data packets in VLANs in which the port is not a member.
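The Port-VLAN ID, Acceptable packet types and Ingress filtering columns described above combine into one admission decision per received frame. The following Python model is an added example, not Hirschmann code, and puts the default port settings beside a hardened port; port names, VLAN IDs and function names are constructed. It assumes, per IEEE 802.1Q, that priority-tagged frames (VLAN ID 0) are classified to the Port-VLAN ID and that ingress filtering is applied to the classified VLAN ID.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class PortConfig:
    """Per-port settings, named after the columns of the Port dialog."""
    name: str
    port_vlan_id: int = 1                      # default setting: 1
    acceptable_packet_types: str = "admitAll"  # or "admitOnlyVlanTagged"
    ingress_filtering: bool = False            # unmarked is the default setting
    # VLANs in which the port is a member (T or U in the VLAN Configuration dialog)
    member_of: Set[int] = field(default_factory=lambda: {1})


def ingress_decision(port: PortConfig, vlan_tag: Optional[int]):
    """Return (action, vlan_id) for a frame received on `port`.

    vlan_tag is None for an untagged frame, 0 for a priority-tagged frame,
    otherwise the VLAN ID carried in the tag.
    """
    if port.acceptable_packet_types not in ("admitAll", "admitOnlyVlanTagged"):
        raise ValueError("unknown acceptable packet type")
    if vlan_tag is None or vlan_tag == 0:
        # admitOnlyVlanTagged accepts only frames tagged with a VLAN ID >= 1.
        if port.acceptable_packet_types == "admitOnlyVlanTagged":
            return ("discard", None)
        vid = port.port_vlan_id  # assumption: VLAN ID 0 is treated like untagged
    else:
        vid = vlan_tag
    # Marked: compare the VLAN ID with the VLANs of which the port is a member.
    # Unmarked: forward without comparing.
    if port.ingress_filtering and vid not in port.member_of:
        return ("discard", vid)
    return ("forward", vid)


def non_member_vlans_admitted(port: PortConfig, configured_vlans):
    """VLANs the port is not a member of but still accepts tagged frames for."""
    return sorted(
        v for v in configured_vlans
        if v not in port.member_of and ingress_decision(port, v)[0] == "forward"
    )


# Constructed sample configuration.
EDGE_DEFAULT = PortConfig("1/1")                           # all defaults
EDGE_HARDENED = PortConfig("1/2", ingress_filtering=True)  # filtering marked
UPLINK = PortConfig("1/5", acceptable_packet_types="admitOnlyVlanTagged",
                    ingress_filtering=True, member_of={10, 20})

if __name__ == "__main__":
    configured = {1, 10, 20}
    for port in (EDGE_DEFAULT, EDGE_HARDENED, UPLINK):
        print(port.name,
              "untagged ->", ingress_decision(port, None),
              "| tag 20 ->", ingress_decision(port, 20),
              "| non-member VLANs admitted:",
              non_member_vlans_admitted(port, configured))
```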
Use the Voice VLAN feature to separate voice and data packets on a port, by VLAN and/or priority.
A primary benefit of Voice VLAN is safeguarding the quality of voice data when the port has a high
load.
The device detects VoIP phones using the Link Layer Discovery Protocol - Media Endpoint
Discovery (LLDP-MED). The device then adds the appropriate port to the member set of the set-up
Voice VLAN. The member set is either tagged or untagged. Tagging depends on the Voice
VLAN interface mode (VLAN ID, Dot1p, None, Untagged).
Another benefit of the Voice VLAN feature is that the VoIP phone obtains VLAN ID or priority
information from the device using LLDP-MED. As a result, the VoIP phone sends voice data
packets with VLAN tag, priority tag or untagged. This depends on the specified Voice VLAN
Interface mode. You activate Voice VLAN on the port which is connecting to the VoIP phone.
Operation
Operation
Enables/disables the Voice function of the device globally.
Possible values:
On
Off (default setting)
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Possible values:
disabled (default setting)
Deactivates the Voice function for this table row.
none
Lets the IP telephone use its own configuration for sending untagged voice data packets.
vlan/dot1p-priority
The port filters data packets of the voice VLAN using the vlan and dot1p priority tags.
untagged
The port filters data packets without a voice VLAN tag.
vlan
The port filters data packets of the voice VLAN using the vlan tag.
dot1p-priority
The port filters data packets of the voice VLAN using the dot1p priority tags. If you select this
value, then additionally specify a proper value in the Priority column.
The device uses this mode for data packets on the voice VLAN, when it detects a VoIP telephone
and a PC using the same cable for transmitting data.
Possible values:
trust (default setting)
If voice data packets are present on the interface, then the data packets have the normal priority.
untrust
If voice data packets are present and the value dot1p-priority is specified in the Voice VLAN
mode column, then the data packets have the priority 0. If the interface only transmits data, then
the data has the normal priority.
Status
Displays the status of the Voice VLAN on the port.
Possible values:
marked
The Voice VLAN is enabled.
unmarked
The Voice VLAN is disabled.
VLAN ID
Specifies the VLAN ID to which the table row relates. To forward data packets to this VLAN using
this filter, select in the Voice VLAN mode column the value vlan.
Possible values:
1..4042 (default setting: 1)
Priority
Specifies the Voice VLAN Priority of the port.
Prerequisites:
• In the Voice VLAN mode column the value dot1p-priority is specified.
Possible values:
0..7
none
Deactivates the Voice VLAN Priority of the port.
DSCP
Specifies the IP DSCP value.
Possible values:
0 (be/cs0)..63 (default setting: 0 (be/cs0))
Some values in the list also have a DSCP keyword, for example 0 (be/cs0), 10 (af11) and 46
(ef). These values are compatible with the IP precedence model.
In the Switching > QoS/Priority > IP DSCP Mapping dialog you assign a traffic class to every IP DSCP
value.
Bypass authentication
Activates the Voice VLAN Authentication mode.
If you deactivate the function and set the value in the Voice VLAN mode column to dot1p-priority,
then voice devices require an authentication.
Possible values:
marked (default setting)
If you activated the function in the Network Security > 802.1X > Global dialog, then set the Port
control parameter for this port to the multiClient value before activating this function. You find
the Port control parameter in the Network Security > 802.1X > Global dialog.
unmarked
5.10 L2-Redundancy
[ Switching > L2-Redundancy ]
5.10.1 MRP
[ Switching > L2-Redundancy > MRP ]
The Media Redundancy Protocol (MRP) is a protocol that lets you set up high-availability,
ring-shaped network structures. An MRP Ring with Hirschmann devices is made up of up to 100 devices
that support the Media Redundancy Protocol (MRP) according to IEC 62439.
If a section is not operating, then the ring structure of an MRP Ring changes back into a line
structure. You can specify the maximum recovery time.
The Ring Manager device closes the ends of a backbone in a line structure to a redundant ring.
Note: Spanning Tree and Ring Redundancy have an effect on each other. Deactivate the Spanning
Tree function for the ports connected to the MRP Ring. See the Switching > L2-Redundancy >
Spanning Tree > Port dialog.
When you work with oversized Ethernet packets (the value in the MTU column for the port is >1518,
see the Basic Settings > Port dialog), the switching time of the MRP Ring reconfiguration depends on
the following parameters:
• Bandwidth of the ring line
• Size of the Ethernet packets
• Number of devices in the ring
Set the recovery time sufficiently large to help avoid delays in the MRP packages due to latencies
in the devices. You can find the formula for calculating the switching time in IEC 62439-2,
section 9.5.
Operation
Buttons
Disables the redundancy function and resets the settings in the dialog to the default setting.
Operation
Enables/disables the MRP function.
After you set up the parameters for the MRP Ring, enable the function here.
Possible values:
On
The MRP function is enabled.
After you set up the devices in the MRP Ring, the redundancy is active.
Off (default setting)
The MRP function is disabled.
Port
Specifies the number of the port that is operating as a ring port.
Possible values:
<Port number>
Number of the ring port
Operation
Displays the operating status of the ring port.
Possible values:
forwarding
The port is enabled, connection exists.
blocked
The port is blocked, connection exists.
disabled
The port is disabled.
not-connected
No connection exists.
Fixed backup
Activates/deactivates the backup port function for the Ring port 2.
Note: The switch over to the primary port can exceed the maximum ring recovery time.
Possible values:
marked
The Ring port 2 backup function is active. When the ring is closed, the Ring Manager device
reverts back to the primary ring port.
unmarked (default setting)
The Ring port 2 backup function is inactive. When the ring is closed, the Ring Manager device
continues to send data on the secondary ring port.
Configuration
Ring manager
Enables/disables the Ring manager function.
If there is one device at each end of the line, then you activate this function.
Possible values:
On
The Ring manager function is enabled.
The device operates in the Ring Manager mode.
To help avoid unexpected behavior, do not enable the function on a device on which the RCP
function is enabled.
Off (default setting)
The Ring manager function is disabled.
The device operates exclusively in the Ring Client mode.
Advanced mode
Activates/deactivates the Advanced mode for fast recovery times.
Possible values:
marked (default setting)
Advanced mode active.
MRP-capable Hirschmann devices support this mode.
unmarked
Advanced mode inactive.
Select this setting if another device in the ring does not support this mode.
Ring recovery
Specifies the maximum recovery time in milliseconds for reconfiguration of the ring. This setting is
effective only if the device operates in the Ring Manager mode.
Possible values:
500ms
200ms (default setting)
Shorter switching times make greater demands on the response time of every individual device in
the ring. Use values lower than 500ms if the other devices in the ring also support this shorter
recovery time.
When you are working with oversized Ethernet packets, the number of devices in the ring is limited.
Note that the switching time depends on several parameters. See the description above.
VLAN ID
Specifies the VLAN ID which you assign to the ring ports.
Possible values:
0 (default setting)
No VLAN assigned.
In the Switching > VLAN > Configuration dialog, assign the value U to the ring ports for VLAN 1.
1..4042
VLAN assigned.
If you assign to the ring ports a non-existing VLAN, then the device sets up this VLAN. In the
Switching > VLAN > Configuration dialog, the device adds a table row for the VLAN and assigns
the value T to the ring ports.
Information
Information
Displays messages for the redundancy configuration and the possible causes of detected errors.
When the device operates in the Ring Client or Ring Manager mode, the following messages are
possible:
Redundancy available
The redundancy is set up. When a component of the ring becomes inoperable, the redundant
line takes over its function.
Configuration error: Error on ringport link.
An error is detected in the cabling of the ring ports.
When the device operates in the Ring Manager mode, the following messages are possible:
Configuration error: Packets from another ring manager received.
Another device exists in the ring that operates in the Ring Manager mode.
Enable the Ring manager function only on one device in the ring.
Configuration error: Ring link is connected to wrong port.
A line in the ring is connected with a different port instead of with a ring port. The device only
receives test data packets on one ring port.
The concept of HIPER Ring redundancy enables the construction of high-availability, ring-shaped
networks. The device operates exclusively in the Ring Client mode. This function lets you extend
an existing HIPER Ring or replace a device already participating as a Ring Client in a HIPER
Ring.
A HIPER Ring contains a Ring Manager (RM) device which controls the ring. The Ring Manager
device sends watchdog packets into the ring on both the primary and secondary ports. When the
Ring Manager device receives the watchdog packets on both ports, the primary port remains in the
forwarding state and the secondary port remains in the discarding state.
The device operates exclusively in the Ring Client mode. This means that the device detects
watchdog packets on its ring ports and sends a Link Down or Link Up packet to the Ring Manager
device when the link status changes.
The device only supports Fast Ethernet and Gigabit Ethernet ports as ring ports. Furthermore, the
device only supports HIPER Ring in VLAN 1.
Note: Spanning Tree and Ring Redundancy have an effect on each other. Deactivate the Spanning
Tree function for the ports connected to the HIPER Ring. See the Switching > L2-Redundancy >
Spanning Tree > Port dialog.
Note: Set up the devices of the HIPER Ring individually. Before you connect the redundant link,
complete the setup of every device of the HIPER Ring. You thus help avoid loops during the
configuration phase.
Operation
Operation
Enables/disables the HIPER Ring client.
Possible values:
On
The HIPER Ring client is enabled.
Off (default setting)
The HIPER Ring client is disabled.
Port
Specifies the port number of the primary/secondary ring port.
Possible values:
- (default setting)
No primary/secondary ring port selected.
<Port number>
Number of the ring port
State
Displays the state of the primary/secondary ring port.
Possible values:
not-available
The HIPER Ring client is disabled.
or
No primary or secondary ring port selected.
active
The ring port is enabled and logically up.
inactive
No link available on the ring port.
As soon as the link on a ring port is interrupted, the device sends a Link Down packet to the Ring
Manager device on the other ring port.
Information
Mode
Displays that the device operates in the Ring Client mode.
The Spanning Tree Protocol (STP) is a protocol that deactivates redundant paths of a network to
help avoid loops. If a network component becomes inoperable on the path, then the device
calculates the new topology and reactivates these paths.
The Rapid Spanning Tree Protocol (RSTP) enables fast switching to a newly calculated topology
without interrupting existing connections. RSTP gets average reconfiguration times of less than a
second. When you use RSTP in a ring with 10 to 20 devices, you can get reconfiguration times in
the order of milliseconds.
Note: When you connect the device to the network through twisted-pair SFPs instead of through
usual twisted-pair ports, the reconfiguration of the network takes slightly longer.
In this dialog you enable/disable the Spanning Tree function and specify the bridge settings.
Operation
Operation
Enables/disables the Spanning Tree function in the device.
Possible values:
On (default setting)
Off
The device behaves transparently. The device floods received Spanning Tree data packets like
multicast data packets to the ports.
Variant
Variant
Displays the protocol used for the Spanning Tree function:
Possible values:
rstp
The protocol RSTP is active.
With RSTP (IEEE 802.1Q-2005), the Spanning Tree function operates for the underlying physical
layer.
Traps
Send trap
Activates/deactivates the sending of SNMP traps for the following events:
• Another bridge takes over the root bridge role.
• The topology changes. A port changes its Port state from forwarding into discarding or from
discarding into forwarding.
Possible values:
marked (default setting)
The sending of SNMP traps is active.
unmarked
The sending of SNMP traps is inactive.
Bridge configuration
Bridge ID
Displays the bridge ID of the device.
The device with the lowest bridge ID numerical value takes over the role of the root bridge in the
network.
Possible values:
<Bridge priority> / <MAC address>
Value in the Priority field / MAC address of the device
Priority
Specifies the bridge priority of the device.
Possible values:
0..61440 in steps of 4096 (default setting: 32768 (2¹⁵))
To make this device the root bridge, assign the lowest numeric priority value in the network to the
device.
Possible values:
1..2 (default setting: 2)
If the device takes over the role of the root bridge, then the other devices in the network use the
value specified here.
Otherwise, the device uses the value specified by the root bridge. See the Root information frame.
Due to the interaction with the Tx holds parameter, we recommend that you do not change the
default setting.
Possible values:
4..30 (default setting: 15)
If the device takes over the role of the root bridge, then the other devices in the network use the
value specified here.
Otherwise, the device uses the value specified by the root bridge. See the Root information frame.
In the Rapid Spanning Tree Protocol (RSTP), the bridges negotiate a status change without a
specified delay.
The Spanning Tree function uses the parameter to delay the status change between the statuses
disabled, discarding, learning, forwarding.
The parameters Forward delay [s] and Max age have the following relationship:
If you enter values in the fields that contradict this relationship, then the device replaces these
values with the last valid values or with the default value.
Max age
Specifies the maximum permitted branch length, namely the number of devices to the root bridge.
Possible values:
6..40 (default setting: 20)
If the device takes over the role of the root bridge, then the other devices in the network use the
value specified here.
Otherwise, the device uses the value specified by the root bridge. See the Root information frame.
The Spanning Tree function uses the parameter to specify the validity of STP-BPDUs in seconds.
Tx holds
Limits the maximum transmission rate for sending BPDUs.
Possible values:
1..40 (default setting: 10)
When the device sends a BPDU, the device increments a counter on this port.
If the counter reaches the value specified here, then the port stops sending BPDUs. On the one
hand, this reduces the load generated by RSTP. On the other hand, a communication interruption
can occur when the device does not receive BPDUs.
The device decrements the counter by 1 every second. In the following second, the device sends
a maximum of 1 new BPDU.
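Example (added here, not part of the manual): a Python simulation of the Tx holds counter as described above, showing how a burst of BPDUs is sent up to the limit and then at 1 BPDU per second. The function name and the sample demand list are constructed for illustration.

```python
def simulate_tx_holds(wanted_per_second, tx_holds=10):
    """Replay the Tx holds counter for one port.

    wanted_per_second: constructed list, number of BPDUs the protocol
    wants to send in each second.
    Returns (sent, backlog): BPDUs actually sent per second and BPDUs
    still waiting at the end of each second.
    """
    if not 1 <= tx_holds <= 40:
        raise ValueError("Tx holds must be in the range 1..40")
    counter = 0      # incremented for every BPDU sent on the port
    queued = 0       # BPDUs held back because the counter hit the limit
    sent, backlog = [], []
    for wanted in wanted_per_second:
        # The device decrements the counter by 1 every second.
        if counter > 0:
            counter -= 1
        queued += wanted
        sent_now = 0
        # The port sends until the counter reaches the Tx holds value.
        while queued > 0 and counter < tx_holds:
            counter += 1
            queued -= 1
            sent_now += 1
        sent.append(sent_now)
        backlog.append(queued)
    return sent, backlog


# Constructed demand: a topology event asks for 12 BPDUs at once.
SAMPLE_DEMAND = [12, 0, 0, 0]
```

With the default of 10, the first 10 BPDUs leave immediately and the remaining 2 follow one per second, which is the delay to weigh against the reduced load.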
BPDU guard
Activates/deactivates the BPDU Guard function in the device.
With this function, the device helps protect the network from incorrect configurations, attacks with
STP-BPDUs, and unwanted topology changes.
Possible values:
marked
The BPDU guard is active.
– The device applies the function to manually specified edge ports. For these ports, in the
Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab the checkbox in the Admin
edge port column is marked.
– If an edge port receives an STP-BPDU, then the device disables the port. For this port, in the
Basic Settings > Port dialog, Configuration tab the checkbox in the Port on column is unmarked.
unmarked (default setting)
The BPDU guard is inactive.
To reset the status of the port to the value forwarding, you proceed as follows:
If the port is still receiving BPDUs, then:
In the Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab unmark the checkbox
in the Admin edge port column.
or
In the Switching > L2-Redundancy > Spanning Tree > Global dialog, unmark the BPDU guard
checkbox.
To re-enable the port, use the Auto-Disable function. As an alternative, proceed as
follows:
Open the Basic Settings > Port dialog, Configuration tab.
Mark the checkbox in the Port on column.
Possible values:
marked
The BPDU filter is active on every edge port.
The function does not use these ports in Spanning Tree operations.
– The device does not send STP-BPDUs on these ports.
– The device drops any STP-BPDUs received on these ports.
unmarked (default setting)
The global BPDU filter is inactive.
You have the option to explicitly activate the BPDU filter for single ports. See the Port BPDU filter
column in the Switching > L2-Redundancy > Spanning Tree > Port dialog.
Auto-disable
Activates/deactivates the Auto-Disable function for the parameters that BPDU guard is monitoring on
the port.
Possible values:
marked
The Auto-Disable function for the BPDU guard is active.
– When the port receives an STP-BPDU, the device disables an edge port. The Link status
LED for the port flashes 3× per period.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently disabled due
to the parameters being exceeded.
– After a waiting period, the Auto-Disable function enables the port again automatically. For this
you go to the Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the
relevant port in the Reset timer [s] column.
unmarked (default setting)
The Auto-Disable function for the BPDU guard is inactive.
Root information
Root ID
Displays the bridge ID of the current root bridge.
Possible values:
<Bridge priority> / <MAC address>
Priority
Displays the bridge priority of the current root bridge.
Possible values:
0..61440 in steps of 4096
Possible values:
1..2
The device uses this specified value. See the Bridge configuration frame.
Possible values:
4..30
The device uses this specified value. See the Bridge configuration frame.
In the Rapid Spanning Tree Protocol (RSTP), the bridges negotiate a status change without a
specified delay.
The Spanning Tree function uses the parameter to delay the status change between the statuses
disabled, discarding, learning, forwarding.
Max age
Specifies the maximum permitted branch length that the root bridge sets up, namely the number of
devices to the root bridge.
Possible values:
6..40 (default setting: 20)
The Spanning Tree function uses the parameter to specify the validity of STP-BPDUs in seconds.
Topology information
Bridge is root
Displays if the device currently has the role of the root bridge.
Possible values:
marked
The device currently has the role of the root bridge.
unmarked
Another device currently has the role of the root bridge.
Root port
Displays the number of the port from which the current path leads to the root bridge.
If the device takes over the role of the root bridge, then the field displays the value no Port.
Possible values:
0
The device takes over the role of the root bridge.
1..200000000 (2 × 10⁸)
Topology changes
Displays how many times the device has put a port into the forwarding status using the Spanning
Tree function since the Spanning Tree instance was started.
Possible values:
<days, hours:minutes:seconds>
In this dialog you activate the Spanning Tree function on the ports, specify edge ports, and specify
the settings for various protection functions.
[CIST]
In this tab you have the option to activate the Spanning Tree function on the ports individually,
specify the settings for edge ports, and view the current values. The abbreviation CIST stands for
Common and Internal Spanning Tree.
Note: Deactivate the Spanning Tree function on the ports that are participating in other Layer 2
redundancy protocols. Otherwise, it is possible that the redundancy protocols operate differently
than intended. This can cause loops.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
STP active
Activates/deactivates the Spanning Tree function on the port.
Possible values:
marked (default setting)
The Spanning Tree function is active on the port.
unmarked
The Spanning Tree function is inactive on the port.
If the Spanning Tree function is enabled in the device and inactive on the port, then the port does
not send STP-BPDUs and drops any STP-BPDUs received.
Port state
Displays the transmission status of the port.
Possible values:
discarding
The port is blocked and forwards only STP-BPDUs.
learning
The port is blocked, but it learns the MAC addresses of received data packets.
forwarding
The port forwards data packets.
disabled
The port is inactive. See the Basic Settings > Port dialog, Configuration tab.
manualFwd
The Spanning Tree function is disabled on the port. The port forwards STP-BPDUs.
notParticipate
The port is not participating in STP.
Port role
Displays the current role of the port in the CIST.
Possible values:
root
Port with the cheapest path to the root bridge.
alternate
Port with the alternative path to the root bridge (currently blocking).
designated
Port for the side of the tree averted from the root bridge (currently blocking).
backup
Port receives STP-BPDUs from its own device.
disabled
The port is inactive. See the Basic Settings > Port dialog, Configuration tab.
Possible values:
0..200000000 (2 × 10⁸) (default setting: 0)
When the value is 0, the device automatically calculates the path costs depending on the data rate
of the port.
Port priority
Specifies the priority of the port.
Possible values:
0..240 in steps of 16 (default setting: 128)
Received bridge ID
Displays the bridge ID of the device from which this port last received an STP-BPDU.
Possible values:
For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the detected STP problems in the network.
For the alternate, backup, master, and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
If a port has no connection or if it did not receive any STP-BPDUs yet, then the device displays
the values that the port can send with the designated role.
Received port ID
Displays the port ID of the device from which this port last received an STP-BPDU.
Possible values:
For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the detected STP problems in the network.
For the alternate, backup, master, and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
If a port has no connection or if it did not receive any STP-BPDUs yet, then the device displays
the values that the port can send with the designated role.
Possible values:
For ports with the designated role, the device displays the information for the STP-BPDU last
received by the port. This helps to diagnose the detected STP problems in the network.
For the alternate, backup, master, and root port roles, in the stationary condition (static
topology) this information is identical to the information of the designated port role.
If a port has no connection or if it did not receive any STP-BPDUs yet, then the device displays
the values that the port can send with the designated role.
Possible values:
marked
The Admin edge port mode is active.
The port is connected to an end device.
– After the connection is set up, the port changes to the forwarding status without changing
to the learning status beforehand.
– If the port receives an STP-BPDU and the BPDU Guard function is active, then the device
deactivates the port. See the Switching > L2-Redundancy > Spanning Tree > Global dialog.
unmarked (default setting)
The Admin edge port mode is inactive.
The port is connected to another STP bridge.
After the connection is set up, the port changes to the learning status before changing to the
forwarding status, if applicable.
Possible values:
marked (default setting)
The automatic detection is active.
After the installation of the connection and after 1.5 × Hello time [s], the device sets the port to
the forwarding status (default setting 1.5 × 2 s) if the port did not receive any STP-BPDUs
during this time.
unmarked
The automatic detection is inactive.
After the installation of the connection, and after Max age the device sets the port to the
forwarding status.
(default setting: 20 s)
Possible values:
marked
An end device is connected to the port. The port does not receive any STP-BPDUs.
unmarked
An STP bridge is connected to the port. The port receives STP-BPDUs.
Oper PointToPoint
Displays if the port is connected to an STP device through a direct full-duplex link.
Possible values:
marked
The port is connected directly to an STP device through a full-duplex link. The direct,
decentralized communication between 2 bridges provides short reconfiguration times.
unmarked
The port is connected in another way, for example through a half-duplex link or through a hub.
The prerequisite is that the port is a manually specified edge port. For these ports, the checkbox in
the Admin edge port column is marked.
Possible values:
marked
The BPDU filter is active on the port.
The function excludes the port from Spanning Tree operations.
– The device does not send STP-BPDUs on the port.
– The device drops any STP-BPDUs received on the port.
unmarked (default setting)
The BPDU filter is inactive on the port.
You have the option to globally activate the BPDU filter for every edge port. See the Switching >
L2-Redundancy > Spanning Tree > Global dialog, Bridge configuration frame.
If the BPDU filter (all admin edge ports) checkbox is marked, then the BPDU filter is still active on
the port.
Possible values:
marked
The BPDU filter is active on the port as a result of the following settings:
– The checkbox in the Port BPDU filter column is marked.
and/or
– The checkbox in the BPDU filter (all admin edge ports) column is marked. See the Switching >
L2-Redundancy > Spanning Tree > Global dialog, Bridge configuration frame.
unmarked
The BPDU filter is inactive on the port.
BPDU flood
Activates/deactivates the BPDU flood mode on the port even if the Spanning Tree function is inactive
on the port. The device floods STP-BPDUs received on the port to the ports for which the Spanning
Tree function is inactive and the BPDU flood mode is active too.
Possible values:
marked
The BPDU flood mode is active.
unmarked (default setting)
The BPDU flood mode is inactive.
[Guards]
This tab lets you specify the settings for various protection functions on the ports.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Root guard
Activates/deactivates the monitoring of STP-BPDUs on the port. The prerequisite is that the Loop
guard function is inactive.
With this setting the device helps you protect the network from incorrect configurations or attacks
with STP-BPDUs that try to change the topology. This setting is relevant only for ports with the STP
role designated.
Possible values:
marked
The monitoring of STP-BPDUs is active.
– If the port receives an STP-BPDU with better path information to the root bridge, then the
device discards the STP-BPDU and sets the status of the port to the value discarding
instead of root.
– If there are no STP-BPDUs with better path information to the root bridge, then the device
resets the status of the port after 2 × Hello time [s].
unmarked (default setting)
The monitoring of STP-BPDUs is inactive.
TCN guard
Activates/deactivates the monitoring of Topology Change notifications on the port. With this setting
the device helps you protect the network from attacks with STP-BPDUs that try to change the
topology.
Possible values:
marked
The monitoring of Topology Change notifications is active.
– The port ignores the Topology Change flag in received STP-BPDUs.
– If the received BPDU contains other information that causes a topology change, then the
device processes the BPDU even if the TCN guard is enabled.
Example: The device receives better path information for the root bridge.
unmarked (default setting)
The monitoring of Topology Change notifications is inactive.
If the device receives STP-BPDUs with a Topology Change flag, then the device deletes the
MAC address table (forwarding database) of the port and forwards the Topology Change
notifications.
Loop guard
Activates/deactivates the monitoring of loops on the port. The prerequisite is that the Root guard
function is inactive.
With this setting the device helps prevent loops if the port does not receive any more STP-BPDUs.
Use this setting only for ports with the STP role alternate, backup or root.
Possible values:
marked
The monitoring of loops is active. This helps prevent loops, for example if you disable the
Spanning Tree function on the remote device or if the connection is interrupted only in the
receiving direction.
– If the port does not receive any STP-BPDUs for a while, then the device sets the status of
the port to the value discarding and marks the checkbox in the Loop state column.
– If the port receives STP-BPDUs again, then the device sets the status of the port to a value
according to Port role and unmarks the checkbox in the Loop state column.
unmarked (default setting)
The monitoring of loops is inactive.
If the port does not receive any STP-BPDUs for a while, then the device sets the status of the
port to the value forwarding.
Loop state
Displays if the loop state of the port is inconsistent.
Possible values:
marked
The loop state of the port is inconsistent:
– The port is not receiving any STP-BPDUs and the Loop guard function is enabled.
– The device sets the state of the port to the value discarding. The device thus helps prevent
any potential loops.
unmarked
The loop state of the port is consistent. The port receives STP-BPDUs.
Prerequisite:
• The port is a manually specified edge port. In the Switching > L2-Redundancy > Spanning Tree >
Port dialog, the checkbox for this port in the Admin edge port column is marked.
• In the Switching > L2-Redundancy > Spanning Tree > Global dialog, the BPDU Guard function is
active.
Possible values:
marked
The port is an edge port and received an STP-BPDU.
The device deactivates the port. For this port, in the Basic Settings > Port dialog, Configuration tab
the checkbox in the Port on column is unmarked.
unmarked
The port is an edge port and has not received any STP-BPDUs, or the port is not an edge port.
To reset the status of the port to the value forwarding, you proceed as follows:
If the port is still receiving BPDUs, then:
In the CIST tab, unmark the checkbox in the Admin edge port column.
or
In the Switching > L2-Redundancy > Spanning Tree > Global dialog, unmark the BPDU guard
checkbox.
To activate the port, proceed as follows:
Open the Basic Settings > Port dialog, Configuration tab.
Mark the checkbox in the Port on column.
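Example (added here, not part of the manual): a Python check that applies the prerequisites stated in the CIST and Guards tab descriptions to a port inventory. The Port record, its field names, the finding codes and the sample ports are constructed for illustration; the device does not export its settings in this form.

```python
from dataclasses import dataclass


@dataclass
class Port:
    """Constructed record; fields mirror the dialog columns."""
    name: str
    stp_active: bool = True         # CIST tab, STP active
    admin_edge: bool = False        # CIST tab, Admin edge port
    port_bpdu_filter: bool = False  # CIST tab, Port BPDU filter
    root_guard: bool = False        # Guards tab, Root guard
    loop_guard: bool = False        # Guards tab, Loop guard
    role: str = "designated"        # CIST tab, Port role
    ring_port: bool = False         # assumption: port is used by MRP/HIPER Ring


def audit_stp_guards(ports, bpdu_guard=False, bpdu_filter_all_edge=False):
    """Return (port, finding) pairs for settings that contradict the
    prerequisites in the Spanning Tree Global and Port dialogs."""
    findings = []
    for p in ports:
        # Ports in other Layer 2 redundancy protocols: deactivate STP.
        if p.ring_port and p.stp_active:
            findings.append((p.name, "stp-active-on-ring-port"))
        # Root guard and Loop guard each require the other to be inactive.
        if p.root_guard and p.loop_guard:
            findings.append((p.name, "root-guard-and-loop-guard"))
        # Root guard is relevant only for the designated role.
        if p.root_guard and p.role != "designated":
            findings.append((p.name, "root-guard-role"))
        # Loop guard is meant for the alternate, backup and root roles.
        if p.loop_guard and p.role not in ("alternate", "backup", "root"):
            findings.append((p.name, "loop-guard-role"))
        # The port BPDU filter requires a manually specified edge port.
        if p.port_bpdu_filter and not p.admin_edge:
            findings.append((p.name, "bpdu-filter-needs-edge"))
        filter_active = p.port_bpdu_filter or (
            bpdu_filter_all_edge and p.admin_edge)
        if p.admin_edge and filter_active:
            # The filter drops received BPDUs and excludes the port from
            # Spanning Tree operations: review whether that is intended.
            findings.append((p.name, "edge-excluded-from-stp"))
        elif p.admin_edge and not bpdu_guard:
            # Edge ports go straight to forwarding; BPDU guard is what
            # disables them when an STP-BPDU arrives.
            findings.append((p.name, "edge-without-bpdu-guard"))
    return findings


# Constructed inventory for illustration.
SAMPLE_PORTS = [
    Port("1/1", admin_edge=True),
    Port("1/2", root_guard=True, loop_guard=True),
    Port("1/3", ring_port=True),
    Port("1/4", admin_edge=True, port_bpdu_filter=True),
    Port("1/5", role="root", loop_guard=True),
]

if __name__ == "__main__":
    for port, finding in audit_stp_guards(SAMPLE_PORTS, bpdu_guard=False):
        print(port, finding)
```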
The Link Aggregation function lets you aggregate multiple parallel links. The prerequisite is that the
links have the same speed and are full-duplex. The advantages compared to conventional
connections using a single line are higher availability and a higher transmission bandwidth.
The criteria for distributing the load to the parallel links are based on the Hashing option function.
The Link Aggregation Control Protocol (LACP) makes it possible to monitor the packet-based
continuous link status on the physical ports. LACP also helps ensure that the link partners meet the
aggregation prerequisites.
If the remote side does not support the Link Aggregation Control Protocol (LACP), then you can
use the Static link aggregation function. In this case, the device aggregates the links based on the
link, link speed and duplex setting.
Configuration
Hashing option
Specifies which information the device uses to distribute the packets to the physical ports of the
LAG interface. The device sends packets containing the same distribution-relevant information
over the same physical port to keep the packet order.
This setting overwrites the value specified in the Hashing option column for the port.
Possible values:
sourceMacVlan
The device uses the Source MAC address, VLAN ID, EtherType fields of the packet, and the
physical ingress port.
destMacVlan
The device uses the Destination MAC address, VLAN ID, EtherType fields of the packet, and
the physical ingress port.
sourceDestMacVlan (default setting)
The device uses the Source MAC address, Destination MAC address, VLAN ID, EtherType
fields of the packet, and the physical ingress port.
sourceIPsourcePort
The device uses the Source IP address and Source TCP/UDP port fields of the packet.
destIPdestPort
The device uses the Destination IP address and Destination TCP/UDP port fields of the
packet.
sourceDestIPPort
The device uses the Source IP address, Destination IP address, Source TCP/UDP port,
and Destination TCP/UDP port fields of the packet.
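Example (added here, not part of the manual): a Python model of how the Hashing option values select a physical port, showing that packets with identical distribution-relevant fields stay on one link. The device's actual hash function is not documented on this page; CRC32, the field ordering and the sample flows are assumptions made for illustration.

```python
import zlib

# Fields each Hashing option value uses, as listed above.
# The order inside each tuple is an assumption of this model.
HASH_FIELDS = {
    "sourceMacVlan": ("src_mac", "vlan", "ethertype", "ingress_port"),
    "destMacVlan": ("dst_mac", "vlan", "ethertype", "ingress_port"),
    "sourceDestMacVlan": ("src_mac", "dst_mac", "vlan", "ethertype",
                          "ingress_port"),
    "sourceIPsourcePort": ("src_ip", "src_port"),
    "destIPdestPort": ("dst_ip", "dst_port"),
    "sourceDestIPPort": ("src_ip", "dst_ip", "dst_port", "src_port"),
}


def select_member(packet, option, members):
    """Pick the physical port for one packet (CRC32 is a stand-in hash)."""
    key = "|".join(str(packet[f]) for f in HASH_FIELDS[option])
    return members[zlib.crc32(key.encode()) % len(members)]


def distribution(packets, option, members):
    """Count packets per physical port for a given Hashing option value."""
    counts = {m: 0 for m in members}
    for packet in packets:
        counts[select_member(packet, option, members)] += 1
    return counts


# Constructed traffic: one controller talking to one server over
# 16 TCP connections that differ only in the source port.
SAMPLE_FLOWS = [
    {
        "src_mac": "00:80:63:00:00:01", "dst_mac": "00:80:63:00:00:02",
        "vlan": 1, "ethertype": 0x0800, "ingress_port": "1/1",
        "src_ip": "10.0.0.10", "dst_ip": "10.0.0.20",
        "src_port": 40000 + i, "dst_port": 502,
    }
    for i in range(16)
]
MEMBERS = ["1/5", "1/6"]  # constructed LAG member ports

if __name__ == "__main__":
    for option in HASH_FIELDS:
        print(option, distribution(SAMPLE_FLOWS, option, MEMBERS))
```

In this model every MAC-based option places all 16 connections on a single physical port, because the two hosts always present the same addresses; only an option that includes the varying TCP/UDP port spreads them.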
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Opens the Create window to add a table row for a LAG interface or to assign a physical port to a
LAG interface.
• From the Trunk port drop-down list, you select the LAG interface number.
• From the Port drop-down list, you select the number of a physical port to assign to the LAG
interface.
After you set up a LAG interface, the device adds the LAG interface to the table in the Basic
Settings > Port dialog, Statistics tab.
Remove
Trunk port
Displays the LAG interface number.
Name
Specifies the name of the LAG interface.
Possible values:
Alphanumeric ASCII character string with 1..15 characters
Link/Status
Displays the current operating state of the LAG interface and the physical ports.
Possible values:
up (lag/… row)
The LAG interface is operational.
The prerequisites are:
– The Static link aggregation function is active on this LAG interface.
or
– LACP is active on the physical ports assigned to the LAG interface, see the LACP active
column.
and
The key specified for the LAG interface in the LACP admin key column matches the keys
specified for the physical ports in the LACP port actor admin key column.
and
The number of operational physical ports assigned to the LAG interface is greater than or
equal to the value specified in the Active ports (min.) column.
up
The physical port is operational.
Active
Activates/deactivates the LAG interface.
Possible values:
marked (default setting)
The LAG interface is active.
Consider that the following protocols do not work properly on the physical ports when you
activate the LAG interface:
– PTP
– 802.1AS
unmarked
The LAG interface is inactive.
STP active
Activates/deactivates the Spanning Tree function on this LAG interface. The prerequisite is that in
the Switching > L2-Redundancy > Spanning Tree > Global dialog the Spanning Tree function is enabled.
You can also activate/deactivate the Spanning Tree function on the LAG interfaces in the Switching >
L2-Redundancy > Spanning Tree > Port dialog.
Possible values:
marked (default setting)
The Spanning Tree function is active on this LAG interface.
unmarked
The Spanning Tree function is inactive on this LAG interface.
Possible values:
marked
The Static link aggregation function is active on this LAG interface. The device aggregates an
assigned physical port to the LAG interface as soon as the physical port gets a link. The device
does not send LACPDUs and discards received LACPDUs.
unmarked (default setting)
The Static link aggregation function is inactive on this LAG interface. If the connection was
successfully negotiated using LACP, then the device aggregates an assigned physical port to
the LAG interface.
Hashing option
Specifies which information the device uses to distribute the packets to the individual physical ports
of the LAG interface. This setting has priority over the value selected in the Configuration frame,
Hashing option drop-down list.
For further information on the values, see the description of the Hashing option drop-down list in the
Configuration frame.
MTU
Specifies the maximum allowed size of Ethernet packets on the LAG interface in bytes. Any present
VLAN tag is not taken into account.
This setting lets you increase the size of the Ethernet packets for specific applications.
Possible values:
1518..9720 (default setting: 1518)
With the value 1518, the LAG interface transmits the Ethernet packets up to the following size:
– 1518 bytes without VLAN tag
(1514 bytes + 4 bytes CRC)
– 1522 bytes with VLAN tag
(1518 bytes + 4 bytes CRC)
If a redundancy function like Spanning Tree is active in the device, then you use this function to force
the device to switch automatically to the redundant line.
Possible values:
1 (default setting)
2
Depending on the hardware:
4
8
32
Type
Displays if the LAG interface is based on the Static link aggregation function or on LACP.
Possible values:
static
The LAG interface is based on the Static link aggregation function.
dynamic
The LAG interface is based on LACP.
Possible values:
marked (default setting)
The sending of SNMP traps is active. The prerequisite is that in the Diagnostics > Status
Configuration > Alarms (Traps) dialog the Alarms (Traps) function is enabled and at least one trap
destination is specified.
If the device detects a link up/down status change, then the device sends an SNMP trap.
unmarked
The sending of SNMP traps is inactive.
Possible values:
0..65535 (2¹⁶-1)
You specify the corresponding value for the physical ports in the LACP port actor admin key
column.
Port
Displays the physical port number assigned to the LAG interface.
Possible values:
active
The LAG interface aggregates the physical port.
inactive
The LAG interface does not aggregate the physical port.
LACP active
Activates/deactivates LACP on the physical port.
Possible values:
marked (default setting)
LACP is active on the physical port.
unmarked
LACP is inactive on the physical port.
Possible values:
0
The device ignores the key on this physical port when deciding to aggregate the port into the
LAG interface.
1..65535 (2¹⁶-1)
If this value matches the value of the LAG interface specified in the LACP admin key column, then
the device only aggregates this physical port to the LAG interface.
The device lets you mix the values. From the drop-down list, select one or more items.
Possible values:
ACT
(LACP_Activity state)
When selected, the link transmits the LACPDUs cyclically, otherwise when requested.
STO
(LACP_Timeout state)
When selected, the link transmits the LACPDUs cyclically using the short timeout, otherwise
using the long timeout.
AGG
(Aggregation state)
When selected, the device interprets the link as a candidate for aggregation, otherwise as an
individual link.
Possible values:
ACT
(LACP_Activity state)
When visible, the link transmits the LACPDUs cyclically, otherwise when requested.
STO
(LACP_Timeout state)
When visible, the link transmits the LACPDUs cyclically using the short timeout, otherwise using
the long timeout.
AGG
(Aggregation state)
When visible, the device interprets the link as a candidate for aggregation, otherwise as an
individual link.
SYN
(Synchronization state)
When visible, the device interprets the link as IN_SYNC, otherwise as OUT_OF_SYNC.
COL
(Collecting state)
When visible, collection of incoming frames is enabled on this link, otherwise disabled.
DST
(Distributing state)
When visible, distribution of outgoing frames is enabled on this link, otherwise disabled.
DFT
(Defaulted state)
When visible, the link uses defaulted operational information, administratively specified for the
Partner. Otherwise the link uses the operational information received from a LACPDU.
EXP
(Expired state)
When visible, the link receiver is in the EXPIRED state.
The LAG interface has received this information in a LACPDU from the partner.
Possible values:
ACT
STO
AGG
SYN
COL
DST
DFT
EXP
For further information on the values, see the description of the LACP actor oper state column and
IEEE 802.1AX-2014.
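The state abbreviations listed above correspond to the bits of the Actor_State and Partner_State octets that IEEE 802.1AX defines for the LACPDU. The following added example (not code from this manual or from the device software) parses a LACPDU and names the flags the way the dialog does; the sample frame, the function names and the wording of the findings are constructed for illustration.

```python
import struct

# Bits of the Actor_State / Partner_State octet (IEEE 802.1AX), named with
# the abbreviations the dialog uses. Index 0 is the least significant bit.
STATE_FLAGS = ("ACT", "STO", "AGG", "SYN", "COL", "DST", "DFT", "EXP")
TLV_TERMINATOR, TLV_ACTOR, TLV_PARTNER = 0x00, 0x01, 0x02
SUBTYPE_LACP = 0x01


def decode_state(octet):
    """Return the abbreviations of the flags set in a LACP state octet."""
    return [name for bit, name in enumerate(STATE_FLAGS) if octet & (1 << bit)]


def parse_lacpdu(payload):
    """Parse the actor and partner TLVs of a LACPDU.

    `payload` starts at the Slow Protocols subtype octet, that is, directly
    after the Ethernet header.
    """
    if len(payload) < 2 or payload[0] != SUBTYPE_LACP:
        raise ValueError("not a LACPDU")
    info, offset = {}, 2  # skip subtype and version
    while offset + 2 <= len(payload):
        tlv_type, tlv_len = payload[offset], payload[offset + 1]
        if tlv_type == TLV_TERMINATOR:
            break
        if tlv_len < 2 or offset + tlv_len > len(payload):
            raise ValueError("truncated or malformed TLV")
        if tlv_type in (TLV_ACTOR, TLV_PARTNER):
            if tlv_len != 20:
                raise ValueError("unexpected actor/partner TLV length")
            _prio, system, key, _port_prio, port, state = struct.unpack(
                "!H6sHHHB", payload[offset + 2:offset + 17])
            role = "actor" if tlv_type == TLV_ACTOR else "partner"
            info[role] = {"system": system.hex(":"), "key": key,
                          "port": port, "state": decode_state(state)}
        offset += tlv_len
    return info


def link_findings(flags):
    """Turn a decoded flag list into the conditions an operator should check."""
    findings = []
    if "DFT" in flags:
        findings.append("defaulted partner information in use, none received in a LACPDU")
    if "EXP" in flags:
        findings.append("receiver is in the EXPIRED state")
    if "SYN" not in flags:
        findings.append("link is OUT_OF_SYNC")
    if "AGG" not in flags:
        findings.append("individual link, not a candidate for aggregation")
    return findings


def build_lacpdu(actor_state, partner_state):
    """Build a constructed 110-octet LACPDU for the demonstration below."""
    def tlv(tlv_type, system, key, port, state):
        return struct.pack("!BBH6sHHHB3x", tlv_type, 20, 32768,
                           bytes.fromhex(system), key, 32768, port, state)
    return (bytes([SUBTYPE_LACP, 0x01])
            + tlv(TLV_ACTOR, "020000000001", 10, 1, actor_state)
            + tlv(TLV_PARTNER, "020000000002", 10, 7, partner_state)
            + struct.pack("!BBH12x", 0x03, 16, 0)   # collector TLV
            + struct.pack("!BB50x", TLV_TERMINATOR, 0))


# Constructed sample: a healthy actor (0x3D) and a partner whose information
# has expired and been replaced by defaults (0xC7).
SAMPLE = build_lacpdu(0x3D, 0xC7)

if __name__ == "__main__":
    for role, data in parse_lacpdu(SAMPLE).items():
        print(role, data["system"], data["state"], link_findings(data["state"]))
```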
With Link Backup, you set up pairs of redundant links. Each pair has a primary port and a backup
port. The primary port forwards the data packets until the device detects an error. If the device
detects an error on the primary port, then the Link Backup function transfers the data packets over
to the backup port.
The dialog also lets you set a fail back option. When you activate the Fail back function and the
primary link returns to normal operation, the device first blocks the data packets on the backup port
and then forwards the data packets to the primary port. This process helps protect the device from
causing loops in the network.
Operation
Operation
Enables/disables the Link Backup function globally in the device.
Possible values:
On
Enables the Link Backup function.
Off (default setting)
Disables the Link Backup function.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Remove
Primary port
Displays the primary port of the interface pair. When you enable the Link Backup function, this port
is responsible for forwarding the data packets.
Possible values:
Physical ports
Backup port
Displays the backup port to which the device forwards the data packets if the device detects an
error on the primary port.
Possible values:
Physical ports except for the port you set as the primary port.
Description
Specifies the Link Backup pair. Enter a name to identify the Backup pair.
Possible values:
Alphanumeric ASCII character string with 0..255 characters
Possible values:
forwarding
The link is up, no shutdown, and forwarding data packets.
blocking
The link is up, no shutdown, and blocking data packets.
down
The cable is unplugged, the port is powered off, the port link is interrupted, or a function in the
device has disabled the port.
unknown
The Link Backup feature is globally disabled, or the port pair is inactive. Therefore, the device
ignores the port pair settings.
Possible values:
forwarding
The link is up, no shutdown, and forwarding data packets.
blocking
The link is up, no shutdown, and blocking data packets.
down
The cable is unplugged, the port is powered off, the port link is interrupted, or a function in the
device has disabled the port.
unknown
The Link Backup feature is globally disabled, or the port pair is inactive. Therefore, the device
ignores the port pair settings.
Fail back
Activates/deactivates the automatic fail back.
Possible values:
marked (default setting)
The automatic fail back is active.
After the delay timer expires, the backup port changes to blocking and the primary port
changes to forwarding.
unmarked
The automatic fail back is inactive.
The backup port continues forwarding data packets even after the primary port re-establishes a
link or you manually change the admin status of the primary port from shutdown to no
shutdown.
Possible values:
0..3600 (default setting: 30)
When set to 0, immediately after the primary port re-establishes a link, the backup port changes
to blocking and the primary port changes to forwarding. Furthermore, immediately after you
manually set the admin status of the primary port from shutdown to no shutdown, the backup port changes to
blocking and the primary port changes to forwarding.
Active
Activates/deactivates the Link Backup pair configuration.
Possible values:
marked
The Link Backup pair is active. The device senses the link and administration status and
forwards the data packets according to the pair configuration.
unmarked (default setting)
The Link Backup pair is inactive. The ports forward the data packets according to standard
switching.
Create
Primary port
Specifies the primary port of the backup interface pair. During normal operation this port is
responsible for forwarding the data packets.
Possible values:
Physical ports
Backup port
Specifies the backup port to which the device transfers the data packets if the device detects an
error on the primary port.
Possible values:
Physical ports except for the port you set as the primary port.
5.10.6 FuseNet
[ Switching > L2-Redundancy > FuseNet ]
The FuseNet protocols let you couple rings that are operating with one of the following redundancy
protocols:
• MRP
• HIPER Ring
• RSTP
Note: If you use the Ring/Network Coupling function to couple networks, then verify that the networks
only contain Hirschmann devices.
Use the following table to select the FuseNet coupling protocol to be used in the network:
You use the Ring/Network Coupling function to redundantly couple an existing HIPER Ring, MRP
Ring, or Fast HIPER Ring to another network or another ring. Verify that the coupling partners are
Hirschmann devices.
Note: With two-switch coupling, verify that you have set up a HIPER Ring, MRP Ring, or Fast
HIPER Ring before setting up the Ring/Network Coupling function.
In the Switching > L2-Redundancy > FuseNet > Ring/Network Coupling dialog, you can perform the
following tasks:
• display an overview of the existing Ring/Network Coupling
• set up a Ring/Network Coupling instance
• enable/disable the Ring/Network Coupling instance
• delete the Ring/Network Coupling instance
When configuring the coupling ports, specify the following settings in the Basic Settings > Port dialog:
Note: The operating modes of the port actually available depend on the device hardware.
If you set up VLANs, then note the VLAN configuration of the coupling and partner coupling ports.
Specify the following settings for the coupling and partner coupling ports:
• Switching > VLAN > Port dialog
– Value in the Port-VLAN ID column = 1
– Checkbox in the Ingress filtering column = unmarked
• Switching > VLAN > Configuration dialog
– VLAN membership = T
Independently of the VLAN settings, the device sends the ring coupling frames with VLAN ID 1 and
priority 7. Verify that the device sends VLAN 1 frames tagged in the local ring and in the connected
network. Tagging the VLAN frames maintains the priority of the ring coupling frames.
The Ring/Network Coupling function operates with test packets. The devices send their test packets
with a VLAN tag, including VLAN ID 1 and the highest VLAN priority 7. If the unblocked port is a
member in VLAN 1 and transmits the data packets without a VLAN tag, then the device also sends
test packets.
Operation
Buttons
Reset
Disables the redundancy function and resets the parameters in the dialog to the default setting.
Operation
Enables/disables the Ring/Network Coupling function.
Possible values:
On
The Ring/Network Coupling function is enabled.
Off (default setting)
The Ring/Network Coupling function is disabled.
Information
Redundancy
Displays if the redundancy is available.
When a component of the ring becomes inoperable, the redundant line takes over its function.
Possible values:
redGuaranteed
The redundancy is available.
redNotGuaranteed
The redundancy is unavailable.
Configuration failure
You have set up the function incorrectly, or there is no ring port connection.
Possible values:
noError
slaveCouplingLinkError
The coupling line is not connected to the coupling port of the slave device. Instead, the coupling
line is connected to another port of the slave device.
slaveControlLinkError
The control port of the slave device has no data link.
masterControlLinkError
The control line is not connected to the control port of the master device. Instead, the control
line is connected to another port of the master device.
twoSlaves
The control line connects two slave devices.
localPartnerLinkError
The partner coupling line is not connected to the partner coupling port of the slave device.
Instead, the partner coupling line is connected to another port of the slave device in one-switch
coupling mode.
localInvalidCouplingPort
In one-switch coupling mode, the coupling line is not connected on the same device as the
partner line. Instead, the coupling line is connected to another device.
couplingPortNotAvailable
The coupling port is not available because the module to which the port refers is not available
or the port does not exist on this module.
controlPortNotAvailable
The control port is not available because the module to which the port refers is not available or
the port does not exist on this module.
partnerPortNotAvailable
The partner coupling port is not available because the module to which the port refers is not
available or the port does not exist on this module.
Mode
Type
Specifies the method used to couple the networks together.
Possible values:
one-switch coupling
Lets you specify the port settings in the Coupling port and Partner coupling port frames.
two-switch coupling, master
Lets you specify the port settings in the Coupling port frame.
two-switch coupling with control line, master
Lets you specify the port settings in the Coupling port and Control port frames.
two-switch coupling, slave
Lets you specify the port settings in the Coupling port frame.
two-switch coupling with control line, slave
Lets you specify the port settings in the Coupling port and Control port frames.
Coupling port
Port
Specifies the port to which you connect the redundant link.
Possible values:
-
No port selected.
<Port number>
If you also have set up ring ports, then specify the coupling and ring ports on different ports.
To help prevent continuous loops, the device disables the coupling port in the following cases:
• disabling the function
• changing the configuration while the connections are operating on the ports
When the device has deactivated the coupling port, the Port on checkbox is unmarked in the Basic
Settings > Port dialog, Configuration tab.
State
Displays the status of the selected port.
Possible values:
active
The port is active.
standby
The port is in stand-by mode.
not-connected
The port is not connected.
not-applicable
The port is incompatible with the set-up control mode.
Port
Specifies the port on which you connect the partner port. The field is visible when you select the
one-switch coupling radio button in the Mode frame.
Possible values:
- (default setting)
No port selected.
<Port number>
If you also have set up ring ports, then specify the coupling and ring ports on different ports.
Interface index
Displays the index number of the port that the partner device uses for the connection. The field is
visible when you select a two-switch coupling method in the Mode frame.
State
Displays the status of the selected port.
Possible values:
active
The port is active.
standby
The port is in stand-by mode.
not-connected
The port is not connected.
not-applicable
The port is incompatible with the set-up control mode.
IP address
Displays the IP address of the partner device, when the devices are connected. The prerequisite is
that you enable the partner device in the network. The field is visible when you select a two-switch
coupling method in the Mode frame.
Control port
Port
Displays the port on which you connect the control line.
Possible values:
- (default setting)
No port selected.
<Port number>
State
Displays the status of the selected port.
Possible values:
active
The port is active.
standby
The port is in stand-by mode.
not-connected
The port is not connected.
not-applicable
The port is incompatible with the set-up control mode.
Configuration
Redundancy mode
Specifies if the device responds to a detected failure in the remote ring or network.
Possible values:
redundant ring/network coupling
Either the main line or the redundant line is active. Both lines are not active simultaneously. If
the device detects that the link is interrupted between the devices in the remote ring or network,
then the standby device keeps the redundant port in the standby mode.
extended redundancy (default setting)
If the device detects a potential connection interruption between the devices in the remote ring
or network, then the standby device forwards data on the redundant port. In this case, the main
line and the redundant line are active simultaneously. This setting lets you maintain continuity
in the remote network.
Note: During the reconfiguration period, packet duplications can occur. Therefore, select this
setting only if your application is able to detect packet duplications.
Coupling mode
Specifies the mode of coupling a specific type of network.
Possible values:
ring coupling (default setting)
The device couples redundant rings. The device lets you couple rings that use the following
redundancy protocols:
– HIPER Ring
– Fast HIPER Ring
– MRP Ring
network coupling
The device couples network segments. The function lets you couple mesh and bus networks
together.
6 Diagnostics
The device status provides an overview of the overall condition of the device. Many process
visualization systems record the device status for a device to present its condition in graphic form.
The device displays its current status as error or ok in the Device status frame. The device
determines this status from the individual monitoring results.
The device displays detected faults in the Status tab and also in the Basic Settings > System dialog,
Device status frame.
[Global]
Device status
Device status
Displays the current status of the device. The device determines the status from the individual
monitored parameters.
Possible values:
ok
error
The device displays this value to indicate a detected error in one of the monitored parameters.
Traps
Send trap
Activates/deactivates the sending of SNMP traps when the device detects a change in a monitored
function.
Possible values:
marked (default setting)
The sending of SNMP traps is active. The prerequisite is that in the Diagnostics > Status
Configuration > Alarms (Traps) dialog the Alarms (Traps) function is enabled and at least one trap
destination is specified.
If the device detects a change in the monitored functions, then the device sends an SNMP trap.
unmarked
The sending of SNMP traps is inactive.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Connection errors
Activates/deactivates the monitoring of the link status of the port/interface.
Possible values:
marked
Monitoring is active.
If the link interrupts on a monitored port/interface, then in the Device status frame, the value
changes to error.
In the Port tab, you have the option of selecting the ports/interfaces to be monitored individually.
unmarked (default setting)
Monitoring is inactive.
Temperature
Activates/deactivates the monitoring of the temperature in the device.
Possible values:
marked (default setting)
Monitoring is active.
If the temperature exceeds the specified upper threshold value or falls below the specified lower
threshold value, then in the Device status frame, the value changes to error.
unmarked
Monitoring is inactive.
You specify the temperature threshold values in the Basic Settings > System dialog, Upper temp. limit
[°C] field and Lower temp. limit [°C] field.
Possible values:
marked
Monitoring is active.
If you remove the active external memory from the device, then in the Device status frame, the
value changes to error.
unmarked (default setting)
Monitoring is inactive.
Possible values:
marked
Monitoring is active.
In the Device status frame, the value changes to error in the following situations:
– The configuration profile only exists in the device.
– The configuration profile in the device differs from the configuration profile in the external
memory.
unmarked (default setting)
Monitoring is inactive.
Ring redundancy
Activates/deactivates the monitoring of the ring redundancy.
Possible values:
marked
Monitoring is active.
In the Device status frame, the value changes to error in the following situations:
– The redundancy function becomes active (loss of redundancy reserve).
– The device is a normal ring participant and detects an error in its settings.
unmarked (default setting)
Monitoring is inactive.
Humidity
Activates/deactivates the monitoring of the humidity in the device.
You specify the humidity threshold values in the Basic Settings > System dialog, Upper humidity limit
[%] field and Lower humidity limit [%] field.
Possible values:
marked (default setting)
Monitoring is active.
If the humidity exceeds or falls below the specified threshold values, then in the Device status
frame, the value changes to error.
unmarked
Monitoring is inactive.
Power supply
Activates/deactivates the monitoring of the power supply unit.
Possible values:
marked (default setting)
Monitoring is active.
If the device detects a power supply fault, then in the Device status frame, the value
changes to error.
unmarked
Monitoring is inactive.
[Port]
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Possible values:
marked
Monitoring is active.
If the link on the selected port/interface is interrupted, then in the Device status frame, the value
changes to error.
unmarked (default setting)
Monitoring is inactive.
This setting takes effect when you mark the Connection errors checkbox in the Global tab.
[Status]
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Timestamp
Displays the date and time of the event in the format, Month Day, Year hh:mm:ss AM/PM.
Cause
Displays the event which caused the SNMP trap.
This dialog gives you an overview of the status of the security-relevant settings in the device.
The device displays its current status as error or ok in the Security status frame. The device
determines this status from the individual monitoring results.
The device displays detected faults in the Status tab and also in the Basic Settings > System dialog,
Security status frame.
[Global]
Security status
Security status
Displays the current status of the security-relevant settings in the device. The device determines
the status from the individual monitored parameters.
Possible values:
ok
error
The device displays this value to indicate a detected error in one of the monitored parameters.
Traps
Send trap
Activates/deactivates the sending of SNMP traps when the device detects a change in a monitored
function.
Possible values:
marked
The sending of SNMP traps is active. The prerequisite is that in the Diagnostics > Status
Configuration > Alarms (Traps) dialog the Alarms (Traps) function is enabled and at least one trap
destination is specified.
If the device detects a change in the monitored functions, then the device sends an SNMP trap.
unmarked (default setting)
The sending of SNMP traps is inactive.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Possible values:
marked (default setting)
Monitoring is active.
If the password is set to the default setting for the admin user account, then in the Security status
frame, the value changes to error.
unmarked
Monitoring is inactive.
You set the password in the Device Security > User Management dialog.
Possible values:
marked (default setting)
Monitoring is active.
If the value for the Min. password length policy is less than 8, then in the Security status frame, the
value changes to error.
unmarked
Monitoring is inactive.
You specify the Min. password length policy in the Device Security > User Management dialog in the
Configuration frame.
Possible values:
marked (default setting)
Monitoring is active.
If the value for at least one of the following policies is less than 1, then in the Security status frame,
the value changes to error.
– Upper-case characters (min.)
– Lower-case characters (min.)
– Digits (min.)
– Special characters (min.)
unmarked
Monitoring is inactive.
You specify the policy settings in the Device Security > User Management dialog in the Password policy
frame.
Possible values:
marked
Monitoring is active.
If the Policy check function is inactive for at least one user account, then in the Security status
frame, the value changes to error.
unmarked (default setting)
Monitoring is inactive.
You activate the Policy check function in the Device Security > User Management dialog.
Possible values:
marked (default setting)
Monitoring is active.
If you enable the Telnet server, then in the Security status frame, the value changes to error.
unmarked
Monitoring is inactive.
You enable/disable the Telnet server in the Device Security > Management Access > Server dialog,
Telnet tab.
Possible values:
marked (default setting)
Monitoring is active.
If you enable the HTTP server, then in the Security status frame, the value changes to error.
unmarked
Monitoring is inactive.
You enable/disable the HTTP server in the Device Security > Management Access > Server dialog,
HTTP tab.
SNMP unencrypted
Activates/deactivates the monitoring of the SNMP server.
Possible values:
marked (default setting)
Monitoring is active.
If at least one of the following conditions applies, then in the Security status frame, the value
changes to error:
– The SNMPv1 function is enabled.
– The SNMPv2 function is enabled.
– The encryption for SNMPv3 is disabled.
You enable the encryption in the Device Security > User Management dialog, in the SNMP
encryption type column.
unmarked
Monitoring is inactive.
You specify the settings for the SNMP agent in the Device Security > Management Access > Server
dialog, SNMP tab.
When the system monitor is active, you have the possibility to change to the system monitor using
a serial connection during the system startup.
Possible values:
marked
Monitoring is active.
If you activate the system monitor, then in the Security status frame, the value changes to error.
unmarked (default setting)
Monitoring is inactive.
You activate/deactivate the system monitor in the Diagnostics > System > Selftest dialog.
Possible values:
marked
Monitoring is active.
If you activate the saving of the configuration profile in the external memory, then in the Security
status frame, the value changes to error.
unmarked (default setting)
Monitoring is inactive.
You activate/deactivate the saving of the configuration profile in the external memory in the Basic
Settings > External Memory dialog.
Possible values:
marked
Monitoring is active.
If the link interrupts on an active port, then in the Security status frame, the value changes to
error. In the Port tab, you have the option of selecting the ports to be monitored individually.
unmarked (default setting)
Monitoring is inactive.
Possible values:
marked (default setting)
Monitoring is active.
If you enable the HiDiscovery function, then in the Security status frame, the value changes to
error.
unmarked
Monitoring is inactive.
You enable/disable the HiDiscovery function in the Basic Settings > Network > Global dialog.
Possible values:
marked (default setting)
Monitoring is active.
If the settings allow the device to load an unencrypted configuration profile from the external
memory, then in the Security status frame, the value changes to error.
If the following preconditions are fulfilled, then the Security status frame in the Basic Settings >
System dialog, displays an alarm.
– The configuration profile stored in the external memory is unencrypted.
and
– The Config priority column in the Basic Settings > External Memory dialog has the value first.
unmarked
Monitoring is inactive.
IEC61850-MMS active
Activates/deactivates the monitoring of the IEC61850-MMS function.
Possible values:
marked (default setting)
Monitoring is active.
If you enable the IEC61850-MMS function, then in the Security status frame, the value changes to
error.
unmarked
Monitoring is inactive.
You enable/disable the IEC61850-MMS function in the Advanced > Industrial Protocols > IEC61850-MMS
dialog, Operation frame.
Possible values:
marked (default setting)
Monitoring is active.
If the HTTPS server uses a self-generated digital certificate, then in the Security status frame, the
value changes to error.
unmarked
Monitoring is inactive.
Possible values:
marked (default setting)
Monitoring is active.
If you enable the Modbus TCP function, then in the Security status frame, the value changes to
error.
unmarked
Monitoring is inactive.
You enable/disable the Modbus TCP function in the Advanced > Industrial Protocols > Modbus TCP
dialog, Operation frame.
EtherNet/IP active
Activates/deactivates the monitoring of the EtherNet/IP function.
Possible values:
marked (default setting)
Monitoring is active.
If you enable the EtherNet/IP function, then in the Security status frame, the value changes to
error.
unmarked
Monitoring is inactive.
You enable/disable the EtherNet/IP function in the Advanced > Industrial Protocols > EtherNet/IP dialog,
Operation frame.
PROFINET active
Activates/deactivates the monitoring of the PROFINET function.
Possible values:
marked (default setting)
Monitoring is active.
If you enable the PROFINET function, then in the Security status frame, the value changes to
error.
unmarked
Monitoring is inactive.
You enable/disable the PROFINET function in the Advanced > Industrial Protocols > PROFINET dialog,
Operation frame.
[Port]
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Possible values:
marked
Monitoring is active.
If the port is enabled (Basic Settings > Port dialog, Configuration tab, Port on checkbox is marked)
and the link is down on the port, then in the Security status frame, the value changes to error.
unmarked (default setting)
Monitoring is inactive.
This setting takes effect when you mark the Link interrupted on enabled device ports checkbox in the
Diagnostics > Status Configuration > Security Status dialog, Global tab.
[Status]
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Timestamp
Displays the date and time of the event in the format, Month Day, Year hh:mm:ss AM/PM.
Cause
Displays the event which caused the SNMP trap.
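The monitoring rules of the Security Status dialog can be applied offline to an exported inventory of device settings, for example to audit many devices against the same baseline. The following added example (not code from this manual or from the device software) evaluates the rules described above, including the marked/unmarked defaults; every key name, the snapshot layout and the sample values are assumptions constructed for illustration.

```python
# Monitor name (hypothetical) -> default state of its checkbox as described above.
DEFAULT_MONITORS = {
    "default_admin_password": True, "min_password_length": True,
    "password_policy": True, "policy_check_inactive": False,
    "telnet_enabled": True, "http_enabled": True, "snmp_unencrypted": True,
    "system_monitor": False, "save_to_external_memory": False,
    "link_interrupted": False, "hidiscovery_enabled": True,
    "unencrypted_config_load": True, "iec61850_mms": True,
    "self_generated_https_cert": True, "modbus_tcp": True,
    "ethernet_ip": True, "profinet": True,
}


def down_monitored_ports(cfg):
    """Ports selected in the Port tab that are enabled but have no link."""
    return [p["name"] for p in cfg["ports"]
            if p["monitored"] and p["enabled"] and not p["link_up"]]


# Monitor name -> predicate that is true when the rule raises "error".
CHECKS = {
    "default_admin_password": lambda c: c["admin_password_is_default"],
    "min_password_length": lambda c: c["min_password_length"] < 8,
    "password_policy": lambda c: any(v < 1 for v in c["password_policy"].values()),
    "policy_check_inactive": lambda c: any(not u["policy_check"] for u in c["users"]),
    "telnet_enabled": lambda c: c["telnet_server"],
    "http_enabled": lambda c: c["http_server"],
    "snmp_unencrypted": lambda c: (c["snmp_v1"] or c["snmp_v2"]
                                   or any(not u["snmp_encrypted"] for u in c["users"])),
    "system_monitor": lambda c: c["system_monitor"],
    "save_to_external_memory": lambda c: c["save_config_to_external_memory"],
    "link_interrupted": lambda c: bool(down_monitored_ports(c)),
    "hidiscovery_enabled": lambda c: c["hidiscovery"],
    # Both preconditions must hold: unencrypted profile and Config priority "first".
    "unencrypted_config_load": lambda c: (not c["external_profile_encrypted"]
                                          and c["config_priority"] == "first"),
    "iec61850_mms": lambda c: c["iec61850_mms"],
    "self_generated_https_cert": lambda c: c["https_cert_self_generated"],
    "modbus_tcp": lambda c: c["modbus_tcp"],
    "ethernet_ip": lambda c: c["ethernet_ip"],
    "profinet": lambda c: c["profinet"],
}


def security_status(cfg, monitors=None):
    """Return ("ok" | "error", causes) for a settings snapshot.

    `monitors` overrides individual checkboxes; an unmarked monitor never
    contributes to the status, whatever the underlying setting is.
    """
    active = dict(DEFAULT_MONITORS, **(monitors or {}))
    causes = [name for name, check in CHECKS.items() if active[name] and check(cfg)]
    return ("error" if causes else "ok"), causes


# Constructed sample snapshot of one device.
SAMPLE = {
    "admin_password_is_default": False,
    "min_password_length": 6,
    "password_policy": {"upper_min": 1, "lower_min": 1, "digits_min": 1, "special_min": 1},
    "users": [{"name": "admin", "policy_check": True, "snmp_encrypted": True},
              {"name": "monitor", "policy_check": False, "snmp_encrypted": False}],
    "telnet_server": False, "http_server": True,
    "snmp_v1": False, "snmp_v2": False,
    "system_monitor": True, "save_config_to_external_memory": False,
    "ports": [{"name": "1/1", "monitored": True, "enabled": True, "link_up": True},
              {"name": "1/2", "monitored": True, "enabled": True, "link_up": False},
              {"name": "1/3", "monitored": False, "enabled": True, "link_up": False}],
    "hidiscovery": True,
    "external_profile_encrypted": False, "config_priority": "first",
    "iec61850_mms": False, "https_cert_self_generated": False,
    "modbus_tcp": False, "ethernet_ip": False, "profinet": False,
}

if __name__ == "__main__":
    status, causes = security_status(SAMPLE)
    print(status, causes)
```

With the default checkboxes, the active system monitor and the user without the Policy check function do not appear among the causes, because their monitors are unmarked by default; an audit baseline may want to mark them explicitly.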
The signal contact is a potential-free relay contact. The device thus lets you perform remote
diagnosis. The device uses the relay contact to signal the occurrence of events by opening the relay
contact and interrupting the closed circuit.
Note: The device can contain several signal contacts. Each contact contains the same monitoring
functions. Several contacts allow you to group various functions together providing flexibility in
system monitoring.
In this dialog you specify the trigger conditions for the signal contact.
The device displays detected faults in the Status tab and also in the Basic Settings > System dialog,
Signal contact status frame.
[Global]
Configuration
Mode
Specifies which events the signal contact indicates.
Possible values:
Manual setting (default setting for Signal Contact 2, if present)
You use this setting to manually open or close the signal contact, for example to turn on or off
a remote device. See the Contact option list.
Monitoring correct operation (default setting)
Using this setting the signal contact indicates the status of the parameters specified in the table
below.
Device status
Using this setting the signal contact indicates the status of the parameters monitored in the
Diagnostics > Status Configuration > Device Status dialog. In addition, you can read the status in the
Signal contact status frame.
Security status
Using this setting the signal contact indicates the status of the parameters monitored in the
Diagnostics > Status Configuration > Security Status dialog. In addition, you can read the status in
the Signal contact status frame.
Device/Security status
Using this setting the signal contact indicates the status of the parameters monitored in the
Diagnostics > Status Configuration > Device Status and the Diagnostics > Status Configuration >
Security Status dialog. In addition, you can read the status in the Signal contact status frame.
Contact
Toggles the signal contact manually. The prerequisite is that from the Mode drop-down list the
Manual setting item is selected.
Possible values:
open
The signal contact is opened.
close
The signal contact is closed.
Possible values:
Opened (error)
The signal contact is opened. The circuit is interrupted.
Closed (ok)
The signal contact is closed. The circuit is closed.
Trap configuration
Send trap
Activates/deactivates the sending of SNMP traps when the device detects a change in a monitored
function.
Possible values:
marked
The sending of SNMP traps is active. The prerequisite is that in the Diagnostics > Status
Configuration > Alarms (Traps) dialog the Alarms (Traps) function is enabled and at least one trap
destination is specified.
If the device detects a change in the monitored functions, then the device sends an SNMP trap.
unmarked (default setting)
The sending of SNMP traps is inactive.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Connection errors
Activates/deactivates the monitoring of the link status of the port/interface.
Possible values:
marked
Monitoring is active.
If the link interrupts on a monitored port/interface, then the signal contact opens.
In the Port tab, you have the option of selecting the ports/interfaces to be monitored individually.
unmarked (default setting)
Monitoring is inactive.
Temperature
Activates/deactivates the monitoring of the temperature in the device.
Possible values:
marked (default setting)
Monitoring is active.
If the temperature exceeds the specified upper threshold value or falls below the specified lower
threshold value, then the signal contact opens.
unmarked
Monitoring is inactive.
You specify the temperature threshold values in the Basic Settings > System dialog, Upper temp. limit
[°C] field and Lower temp. limit [°C] field.
Ring redundancy
Activates/deactivates the monitoring of the ring redundancy.
Possible values:
marked
Monitoring is active.
The signal contact opens in the following situations:
– The redundancy function becomes active (loss of redundancy reserve).
– The device is a normal ring participant and detects an error in its settings.
unmarked (default setting)
Monitoring is inactive.
Possible values:
marked
Monitoring is active.
If you remove the active external memory from the device, then the signal contact opens.
unmarked (default setting)
Monitoring is inactive.
Possible values:
marked
Monitoring is active.
The signal contact opens in the following situations:
– The configuration profile only exists in the device.
– The configuration profile in the device differs from the configuration profile in the external
memory.
unmarked (default setting)
Monitoring is inactive.
Humidity
Activates/deactivates the monitoring of the humidity in the device.
Possible values:
marked (default setting)
Monitoring is active.
If the humidity exceeds or falls below the specified threshold values, then the signal contact
opens.
unmarked
Monitoring is inactive.
You specify the humidity threshold values in the Basic Settings > System dialog, Upper humidity limit
[%] field and Lower humidity limit [%] field.
Power supply
Activates/deactivates the monitoring of the power supply unit.
Possible values:
marked (default setting)
Monitoring is active.
If the device has a detected power supply fault, then the signal contact opens.
unmarked
Monitoring is inactive.
[Port]
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Possible values:
marked
Monitoring is active.
If the link interrupts on the selected port/interface, then the signal contact opens.
unmarked (default setting)
Monitoring is inactive.
This setting takes effect when you mark the Connection errors checkbox in the Global tab.
[Status]
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Timestamp
Displays the date and time of the event in the format Month Day, Year hh:mm:ss AM/PM.
Cause
Displays the event which caused the SNMP trap.
The device lets you track changes in the network using the MAC address of the devices in the
network. The device saves the combination of port and MAC address in its MAC address table
(forwarding database). If the device (un)learns the MAC address of a (dis)connected device, then
the device sends an SNMP trap.
This function is intended for ports to which you connect end devices and on which the MAC address
therefore changes infrequently.
Operation
Operation
Enables/disables the MAC Notification function in the device.
Possible values:
On
The MAC Notification function is enabled.
Off (default setting)
The MAC Notification function is disabled.
Configuration
Interval [s]
Specifies the send interval in seconds. If the device (un)learns the MAC address of a
(dis)connected device, then the device sends an SNMP trap after this time.
Possible values:
0..2147483647 (2³¹-1) (default setting: 1)
Before sending an SNMP trap, the device registers up to 20 MAC addresses. If the device detects
a high number of changes, then the device sends the SNMP trap before the send interval expires.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Active
Activates/deactivates the MAC Notification function on the port.
Possible values:
marked
The MAC Notification function is active on the port.
The device sends an SNMP trap in case of one of the following events:
– The device learns the MAC address of a newly connected device.
– The device unlearns the MAC address of a disconnected device.
The prerequisite is that in the Diagnostics > Status Configuration > Alarms (Traps) dialog the Alarms
(Traps) function is enabled and at least one trap destination is specified.
unmarked (default setting)
The MAC Notification function is inactive on the port.
The device detects the MAC addresses of devices which are connected as follows:
• directly connected to the port
• connected to the port through other devices in the network
Possible values:
added
The device detected that another device was connected at the port.
removed
The device detected that the connected device was removed from the port.
other
The device did not detect a status.
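On the receiving side, the learn/unlearn events described above can be checked against a per-port baseline. The following Python sketch is an added example, not part of this manual or of the device software; the event tuples, the port names and the baseline are constructed, and only the status values added, removed and other come from this dialog.

```python
"""Triage MAC Notification events against a per-port baseline.

Added example. The event layout (timestamp, port, MAC address, status),
the port names and the baseline are constructed for illustration; only the
status values added/removed/other are taken from the manual.
"""

# Constructed baseline: MAC addresses expected on each end-device port.
SAMPLE_BASELINE = {
    "1/1": {"02:00:00:00:00:0a"},
    "1/2": {"02:00:00:00:00:0b"},
}

# Constructed events in time order (timestamp in seconds).
SAMPLE_EVENTS = [
    (100, "1/1", "02:00:00:00:00:0A", "added"),
    (105, "1/2", "02:00:00:00:00:0b", "added"),
    (200, "1/2", "02:00:00:00:00:0b", "removed"),
    (201, "1/2", "02:00:00:00:00:99", "added"),
    (300, "1/2", "02:00:00:00:00:0a", "added"),
]


def triage(events, baseline):
    """Return findings as (timestamp, port, mac, reason) tuples.

    events   -- iterable of (timestamp, port, mac, status) in time order
    baseline -- dict mapping port -> set of MAC addresses expected there
    """
    findings = []
    present = {}                 # mac -> port on which it is currently learned
    for ts, port, mac, status in events:
        mac = mac.lower()
        if status == "added":
            expected = {m.lower() for m in baseline.get(port, set())}
            if mac not in expected:
                findings.append((ts, port, mac, "unexpected MAC on port"))
            previous = present.get(mac)
            if previous is not None and previous != port:
                # Learned on a second port without an unlearn on the first.
                findings.append(
                    (ts, port, mac, f"MAC also learned on port {previous}"))
            present[mac] = port
        elif status == "removed":
            if present.get(mac) == port:
                del present[mac]
        elif status != "other":  # "other": the device did not detect a status
            raise ValueError(f"unknown status {status!r}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(finding)
```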
The device lets you send an SNMP trap in response to specific events.
You specify the events for which the device triggers an SNMP trap in the following dialogs:
• Diagnostics > Status Configuration > Device Status
• Diagnostics > Status Configuration > Security Status
• Diagnostics > Status Configuration > MAC Notification
In this dialog, you specify the SNMPv3 trap users who can send SNMP traps to the trap
destination(s). The device supports encrypted SNMPv3 traps and authentication for sending.
SNMPv3 trap users have permission to send SNMPv3 traps to the specified SNMPv3 trap hosts.
SNMPv3 trap users are intended for sending SNMPv3 traps to SNMPv3 trap hosts exclusively.
SNMPv3 trap users are different from the user accounts set up in the device. Do not confuse them.
See the Device Security > User Management dialog.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Opens the Create window to add a table row. The device adds an SNMPv3 trap user with the
parameters you specify in this window.
• From the User to be cloned drop-down list, you select the user account, from which the device
clones the authentication settings.
You need to select one of the user accounts set up in the device. You set up device user
accounts in the Device Security > User Management dialog.
• In the Trap User Name field, you specify the name for the SNMPv3 trap user.
Possible values:
Alphanumeric ASCII character string with 1..32 characters
• From the Trap User Auth Protocol drop-down list, you select the protocol for sending SNMPv3
traps with authentication.
Possible values:
none
The device sends SNMPv3 traps without authentication.
hmacmd5
The device sends SNMPv3 traps using the Message-Digest Algorithm 5 (HMACMD5)
protocol.
Available if this protocol is already set for the user to be cloned.
hmacsha
The device sends SNMPv3 traps using the Secure Hash Algorithm (HMACSHA) protocol.
Available if this protocol is already set for the user to be cloned.
• In the Trap User Auth Password field, you specify the password that the SNMPv3 trap user uses
to authenticate before sending.
Possible values:
Alphanumeric ASCII character string with 8..64 characters
The prerequisite is that from the Trap User Auth Protocol drop-down list, an item other than none
is selected.
• From the Trap User Priv Protocol drop-down list, you select the protocol that the device uses for
this user to encrypt the SNMPv3 traps.
Possible values:
none (default setting)
No encryption.
des
Data Encryption Standard (DES).
Available if this protocol is already set for the user to be cloned.
aesCfb128
Advanced Encryption Standard (AES).
Available if this protocol is already set for the user to be cloned.
• In the Trap User Priv Password field, you specify the password that the SNMPv3 trap user uses to
authenticate before sending.
Possible values:
Alphanumeric ASCII character string with 8..64 characters
The prerequisite is that from the Trap User Auth Protocol drop-down list, an item other than none
is selected.
When you click the Ok button, the device adds a table row for the SNMPv3 trap user. If you have
selected an item other than none in the Trap User Auth Protocol or Trap User Priv Protocol drop-down
list, the Credentials window opens first. Then, you enter the required password(s). Even if you enter
an incorrect password, the device still adds the SNMPv3 trap user. However, when the device
sends SNMPv3 traps, the trap destination cannot decrypt them.
Remove
Authentication
Displays the protocol for sending SNMPv3 traps with authentication in the context of the
SNMPv3 trap user.
Auth Password
Displays ***** (asterisks) instead of the authentication password of the SNMPv3 trap user.
To change the password, add another SNMPv3 trap user and then delete the existing one.
Privacy
Displays the protocol that the device uses for this user to encrypt the SNMPv3 traps.
Priv Password
Displays ***** (asterisks) instead of the password that the SNMPv3 trap user uses to authenticate
before sending.
To change the password, add another SNMPv3 trap user and then delete the existing one.
User status
Displays the status of the SNMPv3 trap user.
Possible values:
marked (default setting)
The SNMPv3 trap user is active.
unmarked
The SNMPv3 trap user is inactive.
In this dialog, you specify the trap destinations to which the device sends SNMP traps.
Operation
Operation
Enables/disables sending SNMP traps.
Possible values:
On (default setting)
Sending SNMP traps is enabled.
Off
Sending SNMP traps is disabled.
Name
Specifies the community string that the device sends in each SNMPv1/v2 trap for authentication to
the trap destination.
Possible values:
Alphanumeric ASCII character string with 0..64 characters
trap (default setting)
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Opens the Create window to add a table row. Thus, you set up a trap destination on the device.
• In the Name field, you specify a name for the trap destination.
Possible values:
Alphanumeric ASCII character string with 1..32 characters
• From the Type drop-down list, you select the SNMP version which the device uses to send
SNMP traps to the trap destination.
Possible values:
V1
SNMP version 1
For security reasons, we recommend not to use this setting.
V3
SNMP version 3
• In the Address field, you specify the IP address and the port of the trap destination.
Possible values:
<IPv4 address>:<port>
If you do not specify a port, then the device automatically adds port 162 to the trap
destination.
• From the SNMPv3 Trap user drop-down list, you select the SNMPv3 trap user in whose context
the device sends SNMPv3 traps to the trap destination.
The prerequisite is that you select the V3 item from the Type drop-down list.
You select one of the users that you have set up in the Diagnostics > Status Configuration > Alarms
(Traps) > Trap V3 User Management dialog.
• From the Security level drop-down list, you select whether the device sends the SNMPv3 traps
encrypted and whether authentication is required before sending.
The prerequisite is that you select the V3 item from the Type drop-down list.
Possible values:
noAuthNoPriv
The device sends SNMPv3 traps unencrypted without authentication.
For security reasons, we recommend not to use this setting.
authNoPriv
The device sends SNMPv3 traps unencrypted.
The user needs to authenticate before sending SNMPv3 traps.
authPriv
The device sends SNMPv3 traps encrypted.
The user needs to authenticate before sending SNMPv3 traps.
Remove
Name
Displays the name you specified for the SNMPv3 trap destination (trap host).
SNMP Protocol
Displays the SNMP version which the device uses to send SNMP traps to the trap destination.
Address
Specifies the IP address and the port of the trap destination (trap host).
Possible values:
<IPv4 address>:<port>
If you do not specify a port, then the device automatically adds port 162 to the trap destination.
You select one of the SNMPv3 trap users that you have set up in the Diagnostics > Status
Configuration > Alarms (Traps) > Trap V3 User Management dialog.
Security level
Specifies whether the device sends the SNMPv3 traps encrypted and whether authentication is
required before sending.
Possible values:
noAuthNoPriv
The device sends SNMPv3 traps unencrypted without authentication.
For security reasons, we recommend not to use this setting.
authNoPriv
The device sends SNMPv3 traps unencrypted.
The user needs to authenticate before sending SNMPv3 traps.
authPriv
The device sends SNMPv3 traps encrypted.
The user needs to authenticate before sending SNMPv3 traps.
Type
Displays the notification type.
Active
Activates/deactivates the sending of SNMP traps to the trap destination.
Possible values:
marked (default setting)
The sending of SNMP traps to this trap destination is active.
unmarked
The sending of SNMP traps to this trap destination is inactive.
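The recommendations in this dialog (avoid V1, avoid noAuthNoPriv) and the dependency between the security level and the protocols of the SNMPv3 trap user can be checked mechanically. The following Python sketch is an added example, not part of this manual or of the device software; the dictionary record layout and the sample rows are constructed, and the check for the default community string is an extra hygiene check that the manual does not state.

```python
"""Audit SNMP trap settings against the recommendations in this chapter.

Added example. The dict-based record layout and the sample rows are
constructed for illustration; they are not a HiOS export format.
"""
import ipaddress

DEFAULT_TRAP_PORT = 162        # the device adds this port if none is given
DEFAULT_COMMUNITY = "trap"     # default setting of the Name field

# What each security level requires from the SNMPv3 trap user: (auth, priv).
LEVEL_NEEDS = {
    "noAuthNoPriv": (False, False),
    "authNoPriv": (True, False),
    "authPriv": (True, True),
}

# Constructed sample rows (documentation addresses from 192.0.2.0/24).
SAMPLE_USERS = [
    {"name": "trapops", "auth": "hmacsha", "priv": "aesCfb128", "active": True},
    {"name": "trapold", "auth": "hmacmd5", "priv": "none", "active": True},
]
SAMPLE_DESTINATIONS = [
    {"name": "nms-a", "type": "V3", "address": "192.0.2.10",
     "user": "trapops", "level": "authPriv", "active": True},
    {"name": "nms-b", "type": "V3", "address": "192.0.2.11:1162",
     "user": "trapold", "level": "authPriv", "active": True},
    {"name": "legacy", "type": "V1", "address": "192.0.2.12:162",
     "active": True},
    {"name": "lab", "type": "V3", "address": "192.0.2.13:99999",
     "user": "trapops", "level": "noAuthNoPriv", "active": True},
]


def parse_address(value):
    """Split '<IPv4 address>:<port>' and apply the default port 162."""
    host, sep, port = value.partition(":")
    ip = ipaddress.IPv4Address(host)       # raises ValueError if invalid
    port_no = int(port) if sep else DEFAULT_TRAP_PORT
    if not 1 <= port_no <= 65535:
        raise ValueError(f"port out of range: {port_no}")
    return str(ip), port_no


def audit(destinations, users, community=DEFAULT_COMMUNITY):
    """Return a sorted list of (destination name, finding) tuples."""
    findings = []
    by_name = {u["name"]: u for u in users}
    for d in destinations:
        if not d.get("active", True):
            continue                        # inactive rows send nothing
        name = d["name"]
        try:
            parse_address(d["address"])
        except ValueError as exc:
            findings.append((name, f"bad address: {exc}"))
        if d["type"] == "V1":
            findings.append((name, "SNMP version 1 is not recommended"))
            if community == DEFAULT_COMMUNITY:
                # Extra hygiene check, not a statement from the manual.
                findings.append((name, "default community string in use"))
            continue
        level = d["level"]
        if level == "noAuthNoPriv":
            findings.append((name, "noAuthNoPriv is not recommended"))
        user = by_name.get(d["user"])
        if user is None:
            findings.append((name, f"unknown trap user {d['user']}"))
            continue
        if not user.get("active", True):
            findings.append((name, f"trap user {user['name']} is inactive"))
        need_auth, need_priv = LEVEL_NEEDS[level]
        if need_auth and user["auth"] == "none":
            findings.append((name, f"{level} needs an auth protocol"))
        if need_priv and user["priv"] == "none":
            findings.append((name, f"{level} needs a priv protocol"))
    return sorted(findings)


if __name__ == "__main__":
    for row in audit(SAMPLE_DESTINATIONS, SAMPLE_USERS):
        print(row)
```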
6.2 System
[ Diagnostics > System ]
This dialog displays the current operating condition of individual components in the device. The
displayed values are a snapshot; they represent the operating condition at the time the dialog was
loaded to the page.
Buttons
Opens the HTML page in a new web browser window or tab. You can save the HTML page on your
PC using the appropriate web browser command.
This dialog provides information about the distribution and state of the flash memory of the device.
Information
Operating hours
Displays the total operating time of the device since it was delivered.
Possible values:
..d ..h ..m ..s
Day(s) Hour(s) Minute(s) Second(s)
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Flash region
Displays the name of the parameter, for example for the relevant memory area.
Description
Displays a description for the parameter.
Flash sectors
Displays how many sectors are assigned to the memory area.
The device lets you compare the settings in the device with the settings in its neighboring devices.
For this purpose, the device uses the information that it received from its neighboring devices
through topology recognition (LLDP).
The dialog lists the detected deviations, which affect the performance of the communication
between the device and the recognized neighboring devices.
Note: A neighboring device without LLDP support, which forwards LLDP packets, can be the cause
of equivocal messages in the dialog. This occurs if the neighboring device is a hub or a switch
without management, which ignores IEEE 802.1D-2004. In this case, the dialog displays the
devices recognized and connected to the neighboring device as connected to the device itself, even
though they are connected to the neighboring device.
Configuration
When the table remains empty, the configuration check was successful and the settings in the
device are compatible with the settings in the detected neighboring devices.
Information
Error
Displays the number of ERROR level deviations that the device detected during the configuration
check.
Warning
Displays the number of WARNING level deviations that the device detected during the configuration
check.
If you have set up more than 39 VLANs in the device, then the dialog continuously displays a
warning. The reason is the limited number of possible VLAN data sets in LLDP packets with a
maximum length. The device compares the first 39 VLANs automatically. If you have set up 40 or
more VLANs in the device, then check the congruence of the further VLANs manually, if necessary.
Information
Displays the number of INFORMATION level deviations that the device detected during the
configuration check.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Displays detailed information about the detected deviations in the area below the table row. To hide
the detailed information again, click the button. If you click the icon in the table header, you
display or hide the detailed information for each table row.
ID
Displays the rule ID of the deviations having occurred. The dialog combines several deviations with
the same rule ID under one rule ID.
Level
Displays the level of deviation between the settings in this device and the settings in the detected
neighboring devices.
Message
Displays a summary of the detected deviations.
Using the IP Address Conflict Detection function the device verifies that its IP address is unique in the
network. For this purpose, the device analyzes received ARP packets.
In this dialog you specify the procedure with which the device detects address conflicts and specify
the required settings for this.
When the device detects an address conflict, the status LED of the device flashes red 4 times.
Operation
Operation
Enables/disables the IP Address Conflict Detection function.
Possible values:
On (default setting)
The IP Address Conflict Detection function is enabled.
The device verifies that its IP address is unique in the network.
Off
The IP Address Conflict Detection function is disabled.
Information
Conflict detected
Displays if an address conflict currently exists.
Possible values:
marked
The device detects an address conflict.
unmarked
The device does not detect an address conflict.
Configuration
Detection mode
Specifies the procedure with which the device detects address conflicts.
Possible values:
active and passive (default setting)
The device uses active and passive address conflict detection.
active
Active address conflict detection. The device actively helps avoid communicating with an IP
address that already exists in the network. The address conflict detection begins as soon as you
connect the device to the network or change its IP parameters.
– The device sends 4 ARP probe data packets at the interval specified in the Detection delay
[ms] field. If the device receives a response to these data packets, then there is an address
conflict.
– If the device does not detect an address conflict, then it sends 2 gratuitous ARP data packets
as an announcement. The device also sends these data packets when the address conflict
detection is disabled.
– If the IP address already exists in the network, then the device changes back to the
previously used IP parameters (if possible).
If the device receives its IP parameters from a DHCP server, then it sends a DHCPDECLINE
message back to the DHCP server.
– After the period specified in the Release delay [s] field, the device checks if the address conflict
still exists. When the device detects 10 address conflicts one after the other, the device
extends the waiting time to 60 s for the next check.
– When the device resolves the address conflict, the device management returns to the
network again.
passive
Passive address conflict detection. The device analyzes the data stream in the network. If
another device in the network is using the same IP address, then the device initially “defends”
its IP address. The device stops sending if the other device keeps sending with the same IP
address.
– As a “defence” the device sends gratuitous ARP data packets. The device repeats this
procedure for the number of times specified in the Address protections field.
– If the other device continues sending with the same IP address, then after the period
specified in the Release delay [s] field, the device periodically checks if the address conflict still
exists.
– When the device resolves the address conflict, the device management returns to the
network again.
Possible values:
marked (default setting)
The periodic address conflict detection is active.
– The device periodically sends an ARP probe data packet every 90 to 150 seconds and waits
for the time specified in the Detection delay [ms] field for a response.
– If the device detects an address conflict, then the device applies the passive detection mode
function. If the Send trap function is active, then the device sends an SNMP trap.
unmarked
The periodic address conflict detection is inactive.
Possible values:
20..500 (default setting: 200)
Possible values:
3..3600 (default setting: 15)
Address protections
Specifies how many times the device sends gratuitous ARP data packets in the passive detection
mode to “defend” its IP address.
Possible values:
0..100 (default setting: 1)
Possible values:
20..10000 (default setting: 10000)
Send trap
Activates/deactivates the sending of SNMP traps when the device detects an address conflict.
Possible values:
marked (default setting)
The sending of SNMP traps is active. The prerequisite is that in the Diagnostics > Status
Configuration > Alarms (Traps) dialog the Alarms (Traps) function is enabled and at least one trap
destination is specified.
If the device detects an address conflict, then the device sends an SNMP trap.
unmarked
The sending of SNMP traps is inactive.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Timestamp
Displays the time at which the device detected an address conflict.
Port
Displays the number of the port on which the device detected the address conflict.
IP address
Displays the IP address that is causing the address conflict.
MAC address
Displays the MAC address of the device with which the address conflict exists.
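The ARP probe, gratuitous ARP and conflict cases described for the IP Address Conflict Detection function differ only in a few ARP header fields. The following Python sketch is an added example, not part of this manual or of the device software; it builds constructed sample payloads in memory and classifies them, using the ARP packet layout from RFC 826 and the probe and announcement definitions from RFC 5227, which the manual does not cite. The labels it returns, including competing-probe, are names chosen for this example.

```python
"""Classify ARP payloads the way address conflict detection reads them.

Added example; the sample payloads are constructed in memory and nothing
is sent on a network. Packet layout per RFC 826, probe and announcement
definitions per RFC 5227 (an assumption; the manual does not cite them).
"""
import ipaddress
import struct

# htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)        # 28 bytes
REQUEST, REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"

OWN_IP = "192.0.2.20"                     # constructed sample values
OWN_MAC = "02:00:00:00:00:01"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(oper, sha, spa, tha, tpa):
    """Build an Ethernet/IPv4 ARP payload (used here only for sample input)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                       mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)


def parse_arp(payload):
    """Return a dict of ARP fields, or raise ValueError on malformed input."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    if oper not in (REQUEST, REPLY):
        raise ValueError(f"unexpected opcode {oper}")
    return {
        "oper": oper,
        "sha": sha.hex(":"),
        "spa": str(ipaddress.IPv4Address(spa)),
        "tha": tha.hex(":"),
        "tpa": str(ipaddress.IPv4Address(tpa)),
    }


def classify(payload, own_ip, own_mac):
    """Classify one received ARP payload from the point of view of own_ip."""
    f = parse_arp(payload)
    if f["sha"] == own_mac.lower():
        return "own"                  # our own frame seen again
    if f["spa"] == own_ip:
        return "conflict"             # another MAC address claims our IP address
    if f["oper"] == REQUEST and f["spa"] == "0.0.0.0" and f["tpa"] == own_ip:
        return "competing-probe"      # another host probes our IP address
    if f["oper"] == REQUEST and f["spa"] == f["tpa"]:
        return "announcement"         # gratuitous ARP for a foreign address
    return "other"


# Constructed sample payloads.
SAMPLE_FRAMES = {
    "own probe": build_arp(REQUEST, OWN_MAC, "0.0.0.0", ZERO_MAC, OWN_IP),
    "reply to probe": build_arp(REPLY, "02:00:00:00:00:02", OWN_IP,
                                OWN_MAC, "0.0.0.0"),
    "foreign gratuitous, our IP": build_arp(REQUEST, "02:00:00:00:00:02",
                                            OWN_IP, ZERO_MAC, OWN_IP),
    "foreign probe, our IP": build_arp(REQUEST, "02:00:00:00:00:03",
                                       "0.0.0.0", ZERO_MAC, OWN_IP),
    "foreign gratuitous": build_arp(REQUEST, "02:00:00:00:00:04",
                                    "192.0.2.30", ZERO_MAC, "192.0.2.30"),
    "ordinary request": build_arp(REQUEST, "02:00:00:00:00:04",
                                  "192.0.2.30", ZERO_MAC, "192.0.2.1"),
}

if __name__ == "__main__":
    for label, frame in SAMPLE_FRAMES.items():
        print(f"{label:28} {classify(frame, OWN_IP, OWN_MAC)}")
```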
6.2.5 ARP
[ Diagnostics > System > ARP ]
This dialog displays the MAC and IP addresses of the neighboring devices connected to the device
management.
The device can display both IPv4 and IPv6 addresses. For IPv6, the device obtains the addresses
of the neighboring devices with the use of the Neighbor Discovery Protocol (NDP).
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Port
Displays the port number.
IP address
Displays the IPv4 address or the IPv6 address of a neighboring device.
MAC address
Displays the MAC address of a neighboring device.
Last updated
Displays the time in seconds since the current settings of the entry were registered in the ARP
table.
Type
Displays the type of the entry.
Possible values:
static
Static entry. When the ARP table is deleted, the device keeps the static entry.
dynamic
Dynamic entry. When the Aging time [s] has been exceeded and the device does not receive any
data from this device during this time, the device deletes the dynamic entry.
local
IP and MAC address of the device management.
Active
Displays that the ARP table contains the IP/MAC address assignment as an active entry.
6.2.6 Selftest
[ Diagnostics > System > Selftest ]
Configuration
If the device does not detect any readable configuration profile when restarting, then the following
settings block your access to the device permanently.
• SysMon1 is available checkbox is unmarked.
• Load default config on error checkbox is unmarked.
This is the case, for example, if the password of the configuration profile that you are loading differs
from the password set in the device. To have the device unlocked again, contact your sales partner.
RAM test
Activates/deactivates the RAM memory check during the system startup.
Possible values:
marked (default setting)
The RAM memory check is activated. During the system startup, the device checks the RAM
memory.
unmarked
The RAM memory check is deactivated. This shortens the start time for the device.
SysMon1 is available
Activates/deactivates the option of changing to the system monitor during the system startup.
Possible values:
marked (default setting)
The device lets you change to the system monitor during the system startup.
unmarked
The device starts without the option of changing to the system monitor.
Among other things, the system monitor lets you update the device software and delete saved
configuration profiles.
Possible values:
marked (default setting)
The device loads the default settings.
unmarked
The device interrupts the restart and stops. The access to the device management is possible
only using the Command Line Interface through the serial interface.
To regain the access to the device through the network, open the system monitor and reset the
settings. After the system startup, the device uses the default settings.
Table
In this table you specify how the device behaves in the case of a detected error.
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Cause
Detected error causes to which the device reacts.
Possible values:
task
The device detects errors in the applications executed, for example if a task terminates or is not
available.
resource
The device detects errors in the resources available, for example if the memory is becoming
scarce.
software
The device detects software errors, for example an error in the consistency check.
hardware
The device detects hardware errors, for example in the chip set.
Action
Specifies how the device behaves if the adjacent event occurs.
Possible values:
logOnly
The device registers the detected error in the log file. See the Diagnostics > Report > System Log
dialog.
sendTrap
The device sends an SNMP trap.
The prerequisite is that in the Diagnostics > Status Configuration > Alarms (Traps) dialog the Alarms
(Traps) function is enabled and at least one trap destination is specified.
reboot (default setting)
The device triggers a restart.
6.3 Syslog
[ Diagnostics > Syslog ]
The device lets you report selected events, independent of the severity of the event, to different
syslog servers.
In this dialog you specify the settings for this function and manage up to 8 syslog servers.
Operation
Operation
Enables/disables the sending of events to the syslog servers.
Possible values:
On
The sending of events is enabled.
The device sends the events specified in the table to the specified syslog servers.
Off (default setting)
The sending of events is disabled.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Remove
Index
Displays the index number to which the table row relates. The device automatically assigns the
value when you add a table row.
When you delete a table row, this leaves a gap in the numbering. When you add a table row, the
device fills the first gap.
Possible values:
1..8
IP address
Specifies the IP address of the syslog server.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
Valid IPv6 address
Possible values:
1..65535 (2¹⁶-1) (default setting: 514)
Transport type
Displays the transport type the device uses to send the events to the syslog server.
Possible values:
udp
The device sends the events over the UDP port specified in the Destination UDP port column.
Min. severity
Specifies the minimum severity of the events. The device sends a log entry for events with this
severity and with more urgent severities to the syslog server.
Possible values:
emergency
alert
critical
error
warning (default setting)
notice
informational
debug
Type
Specifies the type of the log entry transmitted by the device.
Possible values:
systemlog (default setting)
audittrail
Active
Activates/deactivates the transmission of events to the syslog server.
Possible values:
marked
The device sends events to the syslog server.
unmarked (default setting)
The transmission of events to the syslog server is deactivated.
6.4 Ports
[ Diagnostics > Ports ]
6.4.1 SFP
[ Diagnostics > Ports > SFP ]
This dialog lets you look at the SFP transceivers currently connected to the device and their
properties.
Table
The table displays valid values if the device is equipped with SFP transceivers.
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Module type
Type of the SFP transceiver, for example M-SFP-SX/LC.
Serial number
Displays the serial number of the SFP transceiver.
Connector type
Displays the connector type.
Supported
Displays if the device supports the SFP transceiver.
Temperature [°C]
Operating temperature of the SFP transceiver in °Celsius.
Tx power [mW]
Transmission power of the SFP transceiver in mW.
Rx power [mW]
Receiving power of the SFP transceiver in mW.
Tx power [dBm]
Transmission power of the SFP transceiver in dBm.
Rx power [dBm]
Receiving power of the SFP transceiver in dBm.
This feature tests the cable attached to an interface for short or open circuit. The table displays the
cable status and estimated length. The device also displays the individual cable pairs connected to
the port. When the device detects a short circuit or a broken cable, it also displays the estimated
distance to where it detected the problem.
To receive dependable results, use the TP cable diagnosis function for twisted-pair cables with a
minimum length of 10 meters.
Note: This test temporarily interrupts the data stream on the port.
Information
Port
Displays the port number.
From the Port drop-down list you select the port to be tested. Use for copper-based ports only.
To initiate the cable test on the selected port, click the Ok button.
Status
Status of the Virtual Cable Tester.
Possible values:
active
Cable testing is in progress.
To start the test, click the Start cable diagnosis... button. This action opens the Select port window.
success
The device displays this entry after performing a successful test.
failure
The device displays this entry after an interruption in the test.
uninitialized
The device displays this entry while in standby.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Cable pair
Displays the cable pair to which this table row relates. The device uses the first PHY index
supported to display the values.
Result
Displays the results of the cable test.
Possible values:
normal
The cable is functioning properly.
open
There is a break in the cable causing an interruption.
short
Wires in the cable are touching together causing a short circuit.
unknown
The device displays this value for untested cable pairs.
The device displays different values than expected in the following cases:
• If no cable is connected to the port, then the device displays the value unknown instead of open.
• If the port is inactive, then the device displays the value short.
Min. length
Displays the minimum estimated length of the cable in meters.
If the cable length is unknown or in the Information frame the Status field displays the value active,
failure or uninitialized, then the device displays the value 0.
Max. length
Displays the maximum estimated length of the cable in meters.
If the cable length is unknown or in the Information frame the Status field displays the value active,
failure or uninitialized, then the device displays the value 0.
Distance [m]
Displays the estimated distance in meters from one end of the cable to the other or to an interruption
in the cable.
If the cable length is unknown or in the Information frame the Status field displays the value active,
failure or uninitialized, then the device displays the value 0.
The Port Monitor function monitors the adherence to the specified parameters on the ports. If the Port
Monitor function detects that the parameters are being exceeded, then the device performs an
action.
[Global]
In this tab you enable the Port Monitor function and specify the parameters that the Port Monitor
function is monitoring. Also specify the action that the device carries out if the Port Monitor function
detects that the parameters have been exceeded.
Operation
Operation
Enables/disables the Port Monitor function globally.
Possible values:
On
The Port Monitor function is enabled.
Off (default setting)
The Port Monitor function is disabled.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Reset
Opens the Which statistic should be deleted? window. The window displays the ports that you can
enable again and reset the related counters to 0. Click and select a table row to enable the
corresponding port again.
Port
Displays the port number.
Link flap on
Activates/deactivates the monitoring of link flaps on the port.
Possible values:
marked
Monitoring is active.
– The Port Monitor function monitors link flaps on the port.
– If the device detects too many link flaps, then the device executes the action specified in the
Action column.
– On the Link flap tab, specify the parameters to be monitored.
unmarked (default setting)
Monitoring is inactive.
CRC/Fragments on
Activates/deactivates the monitoring of CRC/fragment errors detected on the port.
Possible values:
marked
Monitoring is active.
– The Port Monitor function monitors CRC/fragment errors detected on the port.
– If the device detects too many CRC/fragment errors, then the device executes the action
specified in the Action column.
– On the CRC/Fragments tab, specify the parameters to be monitored.
unmarked (default setting)
Monitoring is inactive.
Possible values:
marked
Monitoring is active.
– The Port Monitor function monitors duplex mismatches on the port.
– If the device detects a duplex mismatch, then the device executes the action specified in the
Action column.
unmarked (default setting)
Monitoring is inactive.
Overload detection on
Activates/deactivates the overload detection on the port.
Possible values:
marked
Monitoring is active.
– The Port Monitor function monitors the data load on the port.
– If the device detects a data overload on the port, then the device executes the action
specified in the Action column.
– On the Overload detection tab, specify the parameters to be monitored.
unmarked (default setting)
Monitoring is inactive.
Link speed/Duplex mode detection on
Possible values:
marked
Monitoring is active.
– The Port Monitor function monitors the link speed and duplex mode on the port.
– If the device detects an unpermitted combination of link speed and duplex mode, then the
device executes the action specified in the Action column.
– On the Link speed/Duplex mode detection tab, specify the parameters to be monitored.
unmarked (default setting)
Monitoring is inactive.
Active condition
Displays the monitored parameter that led to the action on the port.
Possible values:
-
No monitored parameter.
The device does not carry out any action.
Link flap
Too many link changes during the observed period.
CRC/Fragments
Too many CRC/fragment errors detected during the observed period.
Duplex mismatch
Duplex mismatch detected.
Overload detection
Overload detected during the observed period.
Link speed/Duplex mode detection
Impermissible combination of speed and duplex mode detected.
Action
Specifies the action that the device carries out if the Port Monitor function detects that the
parameters have been exceeded.
Possible values:
disable port
The device disables the port and sends an SNMP trap.
The Link status LED for the port flashes 3× per period.
– To re-enable the port, select the table row of the port, click the button.
– If the parameters are no longer being exceeded, then the Auto-Disable function enables the
relevant port again after the specified waiting period. The prerequisite is that on the
Auto-disable tab the checkbox for the monitored parameter is marked.
send trap
The device sends an SNMP trap.
The prerequisite is that in the Diagnostics > Status Configuration > Alarms (Traps) dialog the Alarms
(Traps) function is enabled and at least one trap destination is specified.
auto-disable (default setting)
The device disables the port and sends an SNMP trap.
The Link status LED for the port flashes 3× per period.
The prerequisite is that on the Auto-disable tab the checkbox for the monitored parameter is
marked.
– The Diagnostics > Ports > Auto-Disable dialog displays which ports are currently disabled due
to the parameters being exceeded.
– After a waiting period, the Auto-Disable function enables the port again automatically. To set
this up, go to the Diagnostics > Ports > Auto-Disable dialog and specify a waiting period for the
relevant port in the Reset timer [s] column.
Port status
Displays the operating state of the port.
Possible values:
up
The port is enabled.
down
The port is disabled.
notPresent
Physical port unavailable.
[Auto-disable]
In this tab you activate the Auto-Disable function for the parameters monitored by the Port Monitor
function.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Reason
Displays the parameters monitored by the Port Monitor function.
Mark the adjacent checkbox so that the Port Monitor function carries out the auto-disable action if
it detects that the monitored parameters have been exceeded.
Auto-disable
Activates/deactivates the Auto-Disable function for the adjacent parameters.
Possible values:
marked
The Auto-Disable function for the adjacent parameters is active.
If the adjacent parameters are exceeded and the value auto-disable is specified in the Action
column, then the device carries out the Auto-Disable function.
unmarked (default setting)
The Auto-Disable function for the adjacent parameters is inactive.
[Link flap]
In this tab you specify individually for every port the following settings:
• The number of link changes.
• The period during which the Port Monitor function monitors a parameter to detect discrepancies.
You also see how many link changes the Port Monitor function has detected up to now.
The Port Monitor function monitors those ports for which the checkbox in the Link flap on column is
marked on the Global tab.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Possible values:
1..180 (default setting: 10)
Link flaps
Specifies the number of link changes.
If the Port Monitor function detects this number of link changes in the monitored period, then the
device performs the specified action.
Possible values:
1..100 (default setting: 5)
Total
Displays the total number of errors that the device has detected since the port was enabled.
[CRC/Fragments]
In this tab you specify individually for every port the following settings:
• The detected fragment error rate.
• The period during which the Port Monitor function monitors a parameter to detect discrepancies.
You also see the fragment error rate that the device has detected up to now.
The Port Monitor function monitors those ports for which the checkbox in the CRC/Fragments on
column is marked on the Global tab.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Possible values:
5..180 (default setting: 10)
If the Port Monitor function detects this fragment error rate in the monitored period, then the device
performs the specified action.
Possible values:
1..1000000 (10⁶) (default setting: 1000)
Total [ppm]
Displays the fragment error rate that the device has detected since the port was enabled.
[Overload detection]
In this tab you specify individually for every port the following settings:
• The load threshold values.
• The period during which the Port Monitor function monitors a parameter to detect discrepancies.
You also see the number of data packets that the device has detected up to now.
The Port Monitor function monitors those ports for which the checkbox in the Overload detection on
column is marked on the Global tab.
The Port Monitor function does not monitor any ports that are members of a link aggregation group.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Type
Specifies the type of data packets that the device takes into account when monitoring the load on
the port.
Possible values:
all
The Port Monitor function monitors Broadcast, Multicast and Unicast packets.
bc (default setting)
The Port Monitor function monitors only Broadcast packets.
bc-mc
The Port Monitor function monitors only Broadcast and Multicast packets.
Unit
Specifies the unit for the data rate.
Possible values:
pps (default setting)
packets per second
kbps
kbit per second
The prerequisite is that in the Type column the value all is specified.
Lower threshold
Specifies the lower threshold value for the data rate.
The Auto-Disable function enables the port again only when the load on the port is lower than the
value specified here.
Possible values:
0..10000000 (10⁷) (default setting: 0)
Upper threshold
Specifies the upper threshold value for the data rate.
If the Port Monitor function detects this load in the monitored period, then the device performs the
specified action.
Possible values:
0..10000000 (10⁷) (default setting: 0)
Interval [s]
Specifies in seconds, the period that the Port Monitor function observes a parameter to detect that
a parameter is being exceeded.
Possible values:
1..20 (default setting: 1)
Packets
Displays the number of Broadcast, Multicast and Unicast packets that the device has detected
during the period that has elapsed.
Broadcast packets
Displays the number of Broadcast packets that the device has detected during the period that has
elapsed.
Multicast packets
Displays the number of Multicast packets that the device has detected during the period that has
elapsed.
kbit/s
Displays the data rate in Kbits per second that the device has detected during the period that has
elapsed.
[Link speed/Duplex mode detection]
In this tab you activate the allowed combinations of speed and duplex mode for each port.
The Port Monitor function monitors those ports for which the checkbox in the Link speed/Duplex mode
detection on column is marked on the Global tab.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
10M HDX
Activates/deactivates the port monitor to accept a half-duplex and 10 Mbit/s data rate combination
on the port.
Possible values:
marked
The port monitor takes into consideration the speed and duplex combination.
unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
10M FDX
Activates/deactivates the port monitor to accept a full-duplex and 10 Mbit/s data rate combination
on the port.
Possible values:
marked
The port monitor takes into consideration the speed and duplex combination.
unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
100M HDX
Activates/deactivates the port monitor to accept a half-duplex and 100 Mbit/s data rate combination
on the port.
Possible values:
marked
The port monitor takes into consideration the speed and duplex combination.
unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
100M FDX
Activates/deactivates the port monitor to accept a full-duplex and 100 Mbit/s data rate combination
on the port.
Possible values:
marked
The port monitor takes into consideration the speed and duplex combination.
unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
1G FDX
Activates/deactivates the port monitor to accept a full-duplex and 1 Gbit/s data rate combination on
the port.
Possible values:
marked
The port monitor takes into consideration the speed and duplex combination.
unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
2.5G FDX
Activates/deactivates the port monitor to accept a full-duplex and 2.5 Gbit/s data rate combination
on the port.
Possible values:
marked
The port monitor takes into consideration the speed and duplex combination.
unmarked
If the port monitor detects the speed and duplex combination on the port, then the device
executes the action specified in the Global tab.
6.4.4 Auto-Disable
[ Diagnostics > Ports > Auto-Disable ]
The Auto-Disable function lets you disable monitored ports automatically and enable them again as
you desire.
For example, the Port Monitor function and selected functions in the Network Security menu use the
Auto-Disable function to disable ports if monitored parameters are exceeded.
If the parameters are no longer being exceeded, then the Auto-Disable function enables the relevant
port again after the specified waiting period.
[Port]
This tab displays which ports are currently disabled due to the parameters being exceeded. If the
parameters are no longer being exceeded and you specify a waiting period in the Reset timer [s]
column, then the Auto-Disable function automatically enables the relevant port again.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Reset
Opens the Which statistic should be deleted? window. The window displays the ports that you can
enable again and reset the related counters to 0. Click and select a table row to enable the
corresponding port again.
Port
Displays the port number.
Reset timer [s]
Possible values:
0 (default setting)
The timer is inactive. The port remains disabled.
30..4294967295 (2³²-1)
If the parameters are no longer being exceeded, then the Auto-Disable function enables the port
again after the waiting period specified here.
Error time
Displays when the device disabled the port due to the parameters being exceeded.
Component
Displays the software component in the device that disabled the port.
Possible values:
PORT_MON
Port Monitor
See the Diagnostics > Ports > Port Monitor dialog.
PORT_ML
Port Security
See the Network Security > Port Security dialog.
DOT1S
BPDU guard
See the Switching > L2-Redundancy > Spanning Tree > Global dialog.
Reason
Displays the monitored parameter that led to the port being disabled.
Possible values:
none
No monitored parameter.
The port is enabled.
Link flap
Too many link changes. See the Diagnostics > Ports > Port Monitor dialog, Link flap tab.
CRC error
Too many CRC/fragment errors are detected. See the Diagnostics > Ports > Port Monitor dialog,
CRC/Fragments tab.
Duplex mismatch
Duplex mismatch detected. See the Diagnostics > Ports > Port Monitor dialog, Global tab.
BPDU rate
STP-BPDUs received. See the Switching > L2-Redundancy > Spanning Tree > Global dialog.
MAC-based port security
Too many data packets from undesired senders. See the Network Security > Port Security dialog.
Overload detection
Overload. See the Diagnostics > Ports > Port Monitor dialog, Overload detection tab.
Speed duplex
Impermissible combination of speed and duplex mode detected. See the Diagnostics > Ports >
Port Monitor dialog, Link speed/Duplex mode detection tab.
Active
Displays if the port is currently disabled due to the parameters being exceeded.
Possible values:
marked
The port is currently disabled.
unmarked
The port is enabled.
[Status]
This tab displays the monitored parameters for which the Auto-Disable function is active.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Reason
Displays the parameters that the device monitors.
Mark the adjacent checkbox so that the Auto-Disable function disables and, when applicable,
enables the port again if the monitored parameters are exceeded.
Category
Displays which function the adjacent parameter belongs to.
Possible values:
port monitor
The parameter belongs to the functions in the Diagnostics > Ports > Port Monitor dialog.
network security
The parameter belongs to the functions in the Network Security dialog.
l2 redundancy
The parameter belongs to the functions in the Switching > L2-Redundancy dialog.
Auto-disable
Displays if the Auto-Disable function is active/inactive for the adjacent parameter.
Possible values:
marked
The Auto-Disable function for the adjacent parameters is active.
The Auto-Disable function disables and, when applicable, enables the relevant port again if the
monitored parameters are exceeded.
unmarked (default setting)
The Auto-Disable function for the adjacent parameters is inactive.
The Port Mirroring function lets you copy received and sent data packets from selected ports to a
destination port. You can watch and process the data stream using an analyzer or an RMON probe,
connected to the destination port. The data packets remain unmodified on the source port.
Note: To enable the access to the device management using the destination port, mark the
checkbox Allow management in the Destination port frame before you enable the Port Mirroring function.
Operation
Buttons
Reset config
Resets the settings in the dialog to the default settings and restores the previously applied settings.
Operation
Enables/disables the Port Mirroring function.
Possible values:
On
The Port Mirroring function is enabled.
The device copies the data packets from the selected source ports to the destination port.
Off (default setting)
The Port Mirroring function is disabled.
Destination port
Primary port
Specifies the destination port.
Suitable ports are those ports that are not used for the following purposes:
• Source port
• L2 redundancy protocols
Possible values:
- (default setting)
No destination port selected.
<Port number>
Number of the destination port. The device copies the data packets from the source ports to this
port.
On the destination port, the device adds a VLAN tag to the data packets that the source port sends.
The destination port sends the unmodified data packets that the source port receives.
Note: The destination port needs sufficient bandwidth to absorb the data stream. If the copied data
stream exceeds the bandwidth of the destination port, then the device discards surplus data
packets on the destination port.
Secondary port
Specifies a second destination port. The prerequisite is that you have specified a primary port.
Possible values:
- (default setting)
No destination port selected.
<Port number>
Number of the destination port. The device copies the data packets from the source ports to this
port.
Allow management
Activates/deactivates the access to the device management using the destination port.
Possible values:
marked
The access to the device management using the destination port is active.
The device lets users have access to the device management using the destination port without
interrupting the active Port Mirroring session.
– The device duplicates multicasts, broadcasts and unknown unicasts on the destination port.
– The VLAN settings on the destination port remain unchanged. The prerequisite for access to
the device management using the destination port is that the destination port is not a member
of the VLAN of the device management.
unmarked (default setting)
The access to the device management using the destination port is inactive.
The device prohibits the access to the device management using the destination port.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Source port
Displays the port number.
Enabled
Activates/deactivates the copying of the data packets from this source port to the destination port.
Possible values:
marked
The copying of the data packets is active.
The port is specified as a source port.
Note: The device lets you activate every physical port as source port except for the destination port.
Type
Specifies which data packets the device copies to the destination port.
On the destination port, the device adds a VLAN tag to the data packets that the source port sends.
The destination port sends the unmodified data packets that the source port receives.
Possible values:
none (default setting)
No data packets.
tx
Data packets that the source port sends.
For possible prerequisites see the description below.
rx
Data packets that the source port receives.
txrx
Data packets that the source port sends and receives.
For possible prerequisites see the description below.
Note: With the txrx setting the device copies each transmitted data packet. The destination port
needs at least a bandwidth that corresponds to the sum of the send and receive channels of the
source ports. For example, for similar ports the destination port is at 100 % capacity when the send
and receive channels of a source port are each at 50 % capacity.
The prerequisite to use the settings tx and txrx is that the source port and the destination ports
belong to the same port group.
• The following ports belong to port group 1:
– 1/1..1/8 on a device with 16 ports
– 1/1..1/12 on a device with 20 or 24 ports
• The following ports belong to port group 2:
– 1/9..1/16 on a device with 16 ports
– 1/13..1/20 on a device with 20 ports
– 1/13..1/24 on a device with 24 ports
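A pre-flight check for the prerequisites described above, as an added example that is not part of the Hirschmann manual or device software: it flags a destination port that is also a source port, tx/txrx sources outside the port group of a destination port, and a mirrored load above the capacity of the destination port. The Source class, the finding codes, the dest_mbps parameter and all load figures are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Port-group layout from the manual:
# port count -> (last port of group 1, last port of group 2)
PORT_GROUPS = {16: (8, 16), 20: (12, 20), 24: (12, 24)}
MIRROR_TYPES = ("none", "tx", "rx", "txrx")


@dataclass
class Source:
    port: str             # source port, e.g. "1/3"
    type: str             # value of the Type column: none | tx | rx | txrx
    rx_mbps: float = 0.0  # assumed peak receive load (constructed figure)
    tx_mbps: float = 0.0  # assumed peak send load (constructed figure)


def port_group(port, port_count):
    """Return 1 or 2 for a port such as '1/9', following the manual's list."""
    if port_count not in PORT_GROUPS:
        raise ValueError(f"no port-group layout listed for {port_count} ports")
    slot, _, number = port.partition("/")
    last_g1, last_g2 = PORT_GROUPS[port_count]
    if slot != "1" or not number.isdigit() or not 1 <= int(number) <= last_g2:
        raise ValueError(f"port {port} is not on a {port_count}-port device")
    return 1 if int(number) <= last_g1 else 2


def mirrored_mbps(sources):
    """Sum the load that the selected Type values copy to the destination."""
    total = 0.0
    for s in sources:
        if s.type in ("rx", "txrx"):
            total += s.rx_mbps
        if s.type in ("tx", "txrx"):
            total += s.tx_mbps
    return total


def check_mirroring(port_count, sources, primary, secondary=None,
                    dest_mbps=1000.0):
    """Return a list of (code, message) findings; an empty list means OK."""
    findings = []
    for s in sources:
        if s.type not in MIRROR_TYPES:
            raise ValueError(f"unknown Type value {s.type!r} on port {s.port}")
    if secondary and not primary:
        findings.append(("NO_PRIMARY",
                         "a secondary port requires a primary port"))
    dests = [p for p in (primary, secondary) if p]
    active = [s for s in sources if s.type != "none"]
    for s in active:
        for d in dests:
            if s.port == d:
                findings.append(("DEST_IS_SOURCE",
                                 f"{d} is both source and destination"))
            elif (s.type in ("tx", "txrx")
                  and port_group(s.port, port_count)
                  != port_group(d, port_count)):
                findings.append(("PORT_GROUP",
                                 f"{s.port} ({s.type}) and {d} are in "
                                 "different port groups"))
    load = mirrored_mbps(active)
    if dests and load > dest_mbps:
        # The device discards surplus packets, so the capture is incomplete.
        findings.append(("BANDWIDTH",
                         f"mirrored load {load:.0f} Mbit/s exceeds "
                         f"{dest_mbps:.0f} Mbit/s on the destination port"))
    return findings


if __name__ == "__main__":
    # Constructed setup: 24-port device, analyzer on port 1/13.
    plan = [Source("1/2", "txrx", 400, 300), Source("1/14", "rx", 200, 0)]
    for code, message in check_mirroring(24, plan, "1/13"):
        print(code, message)
```

A BANDWIDTH finding matters for monitoring setups in particular: an analyzer on an oversubscribed destination port sees only part of the traffic.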
6.5 LLDP
[ Diagnostics > LLDP ]
The device lets you gather information about neighboring devices. For this, the device uses the Link
Layer Discovery Protocol (LLDP). This information lets a network management station map the
structure of the network.
This menu lets you set up the topology discovery and display the information received in tabular
form.
This dialog lets you set up the topology discovery for every port.
Operation
Operation
Enables/disables the LLDP function.
Possible values:
On (default setting)
The LLDP function is enabled.
The topology discovery using LLDP is active in the device.
Off
The LLDP function is disabled.
Configuration
Possible values:
5..32768 (2¹⁵) (default setting: 30)
Possible values:
2..10 (default setting: 4)
The time-to-live value coded in the LLDP header results from multiplying this value with the value
in the Transmit interval [s] field.
Possible values:
1..10 (default setting: 2)
If in the Operation column the value Off is specified, then the device tries to reinitialize the port after
the time specified here has elapsed.
Possible values:
1..8192 (default setting: 2)
The recommended value is between a minimum of 1 and a maximum of a quarter of the value in
the Transmit interval [s] field.
Possible values:
5..3600 (default setting: 5)
After transmitting a notification trap, the device waits for a minimum of the time specified here
before transmitting the next notification trap.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Operation
Specifies if the port transmits LLDP data packets.
Possible values:
transmit
The port sends LLDP data packets but does not save any information about neighboring
devices.
receive
The port receives LLDP data packets but does not send any information to neighboring devices.
receive and transmit (default setting)
The port transmits LLDP data packets and saves information about neighboring devices.
disabled
The port does not send LLDP data packets and does not save information about neighboring
devices.
Notification
Activates/deactivates the LLDP notifications on the port.
Possible values:
marked
LLDP notifications are active on the port.
unmarked (default setting)
LLDP notifications are inactive on the port.
Possible values:
marked (default setting)
The transmitting of the TLV is active.
The device sends the TLV with the port description.
unmarked
The transmitting of the TLV is inactive.
The device does not send a TLV with the port description.
Possible values:
marked (default setting)
The transmitting of the TLV is active.
The device sends the TLV with the device name.
unmarked
The transmitting of the TLV is inactive.
The device does not send a TLV with the device name.
Possible values:
marked (default setting)
The transmitting of the TLV is active.
The device sends the TLV with the system description.
unmarked
The transmitting of the TLV is inactive.
The device does not send a TLV with the system description.
Possible values:
marked (default setting)
The transmitting of the TLV is active.
The device sends the TLV with the system capabilities.
unmarked
The transmitting of the TLV is inactive.
The device does not send a TLV with the system capabilities.
Neighbors (max.)
Limits the number of neighboring devices to be recorded for this port.
Possible values:
1..50 (default setting: 10)
FDB mode
Specifies which function the device uses to record neighboring devices on this port.
Possible values:
lldpOnly
The device uses only LLDP data packets to record neighboring devices on this port.
macOnly
The device uses learned MAC addresses to record neighboring devices on this port. The device
uses the MAC address only if there is no other entry in the MAC address table (forwarding
database) for this port.
both
The device uses LLDP data packets and learned MAC addresses to record neighboring devices
on this port.
autoDetect (default setting)
If the device receives LLDP data packets at this port, then the device operates the same as with
the lldpOnly setting. Otherwise, the device operates the same as with the macOnly setting.
Devices in networks send notifications in the form of packets which are also known as "LLDPDU"
(LLDP data units). The data that is sent and received through LLDPDUs is useful for many reasons.
Thus the device detects which devices in the network are neighbors and through which ports they
are connected.
The dialog lets you display the network and detect the connected devices along with their specific
features.
[LLDP]
This tab displays the collected LLDP information for the neighboring devices. This information lets
a network management station map the structure of the network.
When devices both with and without an active topology discovery function are connected to a port,
the topology table hides the devices without active topology discovery.
When only devices without active topology discovery are connected to a port, the table contains
one line for this port to represent every device. This line contains the number of connected devices.
The MAC address table (forwarding database) contains MAC addresses of devices that the
topology table hides for the sake of clarity.
When you use one port to connect several devices, for example through a hub, the table shows one
line for each connected device.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Neighbor identifier
Displays the chassis ID of the neighboring device. This can be the basis MAC address of the
neighboring device, for example.
FDB
Displays if the connected device has active LLDP support.
Possible values:
marked
The connected device does not have active LLDP support.
The device uses information from its MAC address table (forwarding database).
unmarked
The connected device has active LLDP support.
Neighbor address
Displays the IPv4 address or hostname with which the access to the neighboring device
management is possible.
Port ID
Displays the ID of the port through which the neighboring device is connected to the device.
Autonegotiation supported
Displays if the port of the neighboring device supports auto-negotiation.
Autonegotiation
Displays if auto-negotiation is active on the port of the neighboring device.
PoE supported
Displays if the port of the neighboring device supports Power over Ethernet (PoE).
PoE enabled
Displays if Power over Ethernet (PoE) is active on the port of the neighboring device.
[LLDP-MED]
LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between
endpoint devices and network devices. It specifically provides support for VoIP applications. To
support these applications, it provides an additional set of common advertisement Type Length
Value (TLV) messages. The device uses the TLVs for capabilities discovery such as network policy,
Power over Ethernet, inventory management and location information.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Device class
Displays the device class of the remotely connected device.
Possible values:
notDefined
The device has capabilities not covered by any of the LLDP-MED classes.
endpointClass1
The device has endpointClass1 capabilities.
endpointClass2
The device has endpointClass2 capabilities.
endpointClass3
The device has endpointClass3 capabilities.
networkConnectivity
The device has network connectivity device capabilities.
VLAN ID
Displays the extension of the VLAN Identifier for the remote system connected to this port, as
defined in IEEE 802.3.
0
Priority tagged packets
Only the 802.1D priority is significant and the device uses the default VLAN ID of the ingress
port.
1..4042
Valid Port VLAN ID
Priority
Displays the value of the 802.1D Priority which is associated with the remote system connected to
the port.
DSCP
Displays the value of the Differentiated Service Code Point (DSCP) which is associated with the
remote system connected to the port.
Possible values:
true
The network policy for the specified application type is currently unknown. In this case, the
device ignores the Layer 2 priority and value of the DSCP field.
false
Indicates a specified network policy.
Possible values:
true
The application uses a tagged VLAN.
false
For the specific application the device uses untagged VLAN operation. In this case, the device
ignores both the VLAN ID and the Layer 2 priority fields. The DSCP value on Layer 3, however,
is relevant.
Hardware revision
Displays the vendor-specific hardware revision string as advertised by the remote endpoint.
Firmware revision
Displays the vendor-specific firmware revision string as advertised by the remote endpoint.
Software revision
Displays the vendor-specific software revision string as advertised by the remote endpoint.
Serial number
Displays the vendor-specific serial number as advertised by the remote endpoint.
Manufacturer name
Displays the vendor-specific manufacturer name as advertised by the remote endpoint.
Model name
Displays the vendor-specific model name as advertised by the remote endpoint.
Asset ID
Displays the vendor-specific asset tracking identifier as advertised by the remote endpoint.
6.6 Report
[ Diagnostics > Report ]
The device lets you log specific events using the following outputs:
• on the console
• on one or more syslog servers
• on a connection to the Command Line Interface set up using SSH
• on a connection to the Command Line Interface set up using Telnet
In this dialog you specify the required settings. By assigning the severity you specify which events
the device registers.
The dialog lets you save a ZIP archive with detailed device information for support purposes on
your PC.
Console logging
Buttons
Generates a ZIP archive which the web browser lets you download from the device.
The ZIP archive contains files with detailed device information for support purposes. For further
information, see “Support Information: Files in ZIP archive” on page 365.
Operation
Enables/disables the Console logging function.
Possible values:
On
The Console logging function is enabled.
The device logs the events on the console.
Off (default setting)
The Console logging function is disabled.
Severity
Specifies the minimum severity for the events. The device logs events with this severity and with
more urgent severities. For further information, see “Meaning of the event severities” on page 365.
Possible values:
emergency
alert
critical
error
warning (default setting)
notice
informational
debug
SNMP logging
When you enable the logging of SNMP requests, the device sends these as events with the preset
severity notice to the list of syslog servers. The preset minimum severity for a syslog server entry
is critical.
To send SNMP requests to a syslog server, you have a number of options to change the default
settings. Select the ones that meet your requirements best.
• Set the severity for which the device generates SNMP requests as events to warning or error.
Change the minimum severity for a syslog entry for one or more syslog servers to the same
value.
You also have the option of adding a separate syslog server entry for this.
• Set only the severity for SNMP requests to critical or higher. The device then sends SNMP
requests as events with the severity critical or higher to the syslog servers.
• Set only the minimum severity for one or more syslog server entries to notice or lower. Then it
is possible that the device sends many events to the syslog servers.
Possible values:
On
The logging is enabled.
The device logs each received SNMP Get request as an event in the syslog.
From the Severity get request drop-down list, you select the severity for this event.
Off (default setting)
The logging is disabled.
Possible values:
On
The logging is enabled.
The device logs each received SNMP Set request as an event in the syslog.
From the Severity set request drop-down list, you select the severity for this event.
Off (default setting)
The logging is disabled.
Possible values:
emergency
alert
critical
error
warning
notice (default setting)
informational
debug
Possible values:
emergency
alert
critical
error
warning
notice (default setting)
informational
debug
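The interaction between the SNMP request severity and the minimum severity of a syslog server entry, as an added example that is not part of the Hirschmann manual or device software: with the preset values (notice against critical) no SNMP request reaches a syslog server, and each option described above closes that gap at a different cost in log volume. The server names, the event list and the function names are constructed for this illustration; the model assumes that logging is switched on for both Get and Set requests.

```python
# Severities as listed in this manual, most urgent first.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}

# Constructed event mix: 3 SNMP requests and 9 other device events.
EVENTS = (
    [("snmp-set", None), ("snmp-get", None), ("snmp-get", None)]
    + [("other", "critical"), ("other", "error")]
    + [("other", "warning")] * 2
    + [("other", "notice")] * 4
    + [("other", "informational")]
)


def forwarded(event_severity, server_minimum):
    """True if the event is at least as urgent as the server entry's minimum."""
    for name in (event_severity, server_minimum):
        if name not in RANK:
            raise ValueError(f"unknown severity {name!r}")
    return RANK[event_severity] <= RANK[server_minimum]


def route(events, snmp_severity, servers):
    """Count, per syslog server entry, the SNMP and other events it receives.

    events:        list of (kind, severity); kind is 'snmp-get', 'snmp-set'
                   or 'other'. SNMP events take their severity from
                   snmp_severity, mirroring the Severity get/set request lists.
    snmp_severity: {'snmp-get': severity, 'snmp-set': severity}
    servers:       {entry name: minimum severity}
    """
    counts = {name: {"snmp": 0, "other": 0} for name in servers}
    for kind, severity in events:
        is_snmp = kind in snmp_severity
        effective = snmp_severity[kind] if is_snmp else severity
        for name, minimum in servers.items():
            if forwarded(effective, minimum):
                counts[name]["snmp" if is_snmp else "other"] += 1
    return counts


def snmp_audit_gap(snmp_severity, servers):
    """Return the SNMP request kinds that no syslog server entry receives."""
    return sorted(
        kind for kind, severity in snmp_severity.items()
        if not any(forwarded(severity, m) for m in servers.values())
    )


def both(severity):
    """Use the same severity for Get and Set requests."""
    return {"snmp-get": severity, "snmp-set": severity}


if __name__ == "__main__":
    scenarios = {
        "preset values": (both("notice"), {"siem": "critical"}),
        "option 1, same entry": (both("warning"), {"siem": "warning"}),
        "option 1, separate entry": (both("warning"),
                                     {"siem": "critical", "audit": "warning"}),
        "option 2": (both("critical"), {"siem": "critical"}),
        "option 3": (both("notice"), {"siem": "notice"}),
    }
    for label, (snmp, servers) in scenarios.items():
        print(label, route(EVENTS, snmp, servers),
              "gap:", snmp_audit_gap(snmp, servers))
```

Running snmp_audit_gap against the values read from a device shows whether SNMP Set requests leave an off-device trail at all.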
Buffered logging
The device buffers logged events in 2 separate storage areas so that the log entries for urgent
events are kept.
This dialog lets you specify the minimum severity for events that the device buffers in the storage
area with a higher priority.
Severity
Specifies the minimum severity for the events. The device buffers log entries for events with this
severity and with more urgent severities in the storage area with a higher priority. For further
information, see “Meaning of the event severities” on page 365.
Possible values:
emergency
alert
critical
error
warning (default setting)
notice
informational
debug
CLI logging
Operation
Enables/disables the CLI logging function.
Possible values:
On
The CLI logging function is enabled.
The device logs every command received using the Command Line Interface.
Off (default setting)
The CLI logging function is disabled.
Severity         Meaning
emergency        Device not ready for operation
alert            Immediate user intervention required
critical         Critical status
error            Error status
warning          Warning
notice           Significant, normal status
informational    Informal message
debug            Debug message
The device lets you save log entries permanently in a file in the external memory. Therefore, even
after the device is restarted you have access to the log entries.
In this dialog you limit the size of the log file and specify the minimum severity for the events to be
saved. When the log file reaches the specified size, the device archives this file and saves the
following log entries in a newly generated file.
The table displays the log files held in the external memory. As soon as the
specified maximum number of files has been attained, the device deletes the oldest file and
renames the remaining files. This helps ensure that there is enough memory space in the external
memory.
Note: Verify that an external memory is connected. To verify if an external memory is connected,
see the Status column in the Basic Settings > External Memory dialog. We recommend monitoring the
external memory connection using the Device Status function, see the External memory removal
parameter in the Diagnostics > Status Configuration > Device Status dialog.
Operation
Operation
Enables/disables the Persistent Logging function.
Only activate this function if the external memory is available in the device.
Possible values:
On (default setting)
The Persistent Logging function is enabled.
The device saves the log entries in a file in the external memory.
Off
The Persistent Logging function is disabled.
Configuration
Possible values:
0..4096 (default setting: 1024)
Files (max.)
Specifies the number of log files that the device keeps in the external memory.
As soon as the specified maximum number of files has been attained, the device deletes the oldest
file and renames the remaining files.
Possible values:
0..25 (default setting: 4)
Severity
Specifies the minimum severity of the events. The device saves the log entry for events with this
severity and with more urgent severities in the log file in the external memory.
Possible values:
emergency
alert
critical
error
warning (default setting)
notice
informational
debug
Possible values:
usb
External USB memory (ACA22-USB-C (EEC))
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Index
Displays the index number to which the table row relates.
Possible values:
1..25
File name
Displays the file name of the log file in the external memory.
Possible values:
messages
messages.X
This dialog displays the System Log. The dialog lets you save the log file in HTML format on your
PC.
To search the log file for search terms, use the search function of your web browser.
The log file is kept until a restart is performed in the device. After the restart the device generates
the file again.
Buttons
Opens the HTML page in a new web browser window or tab. You can save the HTML page on your
PC using the appropriate web browser command.
This dialog displays the Audit Trail. The dialog lets you save the log file as an HTML file on your PC.
To search the log file for search terms, use the search function of your web browser.
The device logs system events and user actions that write to the device. This lets you keep track of
WHO changes WHAT in the device and WHEN. The prerequisite is that the access role auditor
or administrator is assigned to your user account.
The device does not log passwords. The logged entries are write-protected and remain saved in
the device after a restart.
Note: During the system startup, access to the system monitor is possible using the default settings
of the device. If an attacker gains physical access to the device, then the attacker is able to reset the device
settings to their default values using the system monitor. After this, the device and log file are
accessible using the standard password. Take appropriate measures to restrict physical access to
the device. Otherwise, deactivate access to the system monitor. See the Diagnostics > System >
Selftest dialog, SysMon1 is available checkbox.
Buttons
Opens the HTML page in a new web browser window or tab. You can save the HTML page on your
PC using the appropriate web browser command.
7 Advanced
7.1 DHCP
[ Advanced > DHCP ]
The Dynamic Host Configuration Protocol (DHCP) lets a server assign the IP settings to the devices
on the network (clients). The DHCP server stores and assigns the available IP addresses and
further settings, if specified.
The DHCP server in the device listens for requests on UDP port 67 and responds to the client
devices on UDP port 68. When the device receives a DHCP request, it validates the IP address to
be assigned before leasing the IP address and other IP settings to the requesting client device.
This dialog lets you activate the DHCP Server function either globally or per port according to your
requirements.
Operation
Operation
Enables/disables the DHCP Server function of the device globally.
Possible values:
On
Off (default setting)
Configuration
IP probe
Activates/deactivates the probing for unique IP addresses. Before assigning an IP address, the
device sends an ICMP echo request packet to check whether this IP address is already in use on
the network.
Possible values:
marked (default setting)
The IP probe function is active.
unmarked
The IP probe function is inactive.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the number of the physical port on which the device listens for DHCP requests and
responds to the client devices.
Possible values:
marked (default setting)
The DHCP Server function is active.
unmarked
The DHCP Server function is inactive.
In this dialog, you specify the settings for assigning a certain IP address to client devices from which
the device receives a DHCP request.
The device assigns an IP address from a specific pool (address range) depending on which
physical port the requesting client device is connected to or in which VLAN it is a member. The MAC
address of the requesting client device is a further criterion for the pool from which the device
assigns an IP address.
If specified, the device processes further information to assign an IP address from a certain pool to
the client device. This can be, for example, the following information in the DHCP request:
• Client ID
• Remote ID
• Circuit ID
The device provides a maximum of 128 pools. Up to 1000 client devices can receive their IP
settings from the device.
In addition to the IP settings, the device can assign further parameters (DHCP options) to the client
devices. Assigning such parameters is a smart way to automatically set up client devices as they
obtain their IP settings. The device lets you specify such parameters for each pool.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Add
Remove
Index
Displays the index number to which the table row relates. The device automatically assigns the
value when you add a table row.
Active
Activates/deactivates the DHCP server function on this port.
Possible values:
marked
The DHCP server function is active.
unmarked (default setting)
The DHCP server function is inactive.
IP range start
Specifies the fixed IP address for a static pool or the start IP address of an address range.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
IP range end
Specifies the end IP address of an address range. For a static pool, keep the default setting or add
the same value as specified in the IP range start column.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
Port
Specifies the number of the physical port on which the requesting client device is connected.
Possible values:
All (default setting)
The device assigns an IP address to the requesting client device regardless of the port on which
the local device receives the DHCP request.
<Port number>
The device assigns an IP address to the requesting client device only if the local device receives
the DHCP request on the specified port.
The prerequisite is that the item - is selected from the drop-down list in the VLAN ID column.
VLAN ID
Specifies the VLAN to which the table row relates. The prerequisite is that the item All is selected
from the drop-down list in the Port column.
Possible values:
- (default setting)
1..4042
The value 1 represents the VLAN in which device management is accessible in the default
setting.
MAC address
Specifies the MAC address of the requesting client device.
Possible values:
– (default setting)
For the IP address assignment, the server ignores this variable.
Valid Unicast MAC address
Specify the value with a colon separator, for example 00:11:22:33:44:55.
DHCP relay
Specifies the IP address of the DHCP relay through which the clients transmit their requests to the
DHCP server. When the device receives a DHCP request through a different DHCP relay, it ignores
this DHCP request.
Possible values:
– (default setting)
No DHCP relay specified.
Valid IPv4 address
IP address of the DHCP relay.
Client ID
Specifies the customized identifier for the client instead of the MAC address.
Possible values:
– (default setting)
The device ignores the parameter during assignment of an IP address from the pool.
Sequence of hexadecimal character pairs with 1..254 pairs separated by a space.
Example: 41 42 43 44 4F
Note: If you have high security requirements and do not want to trust the clients implicitly, consider
using the remote ID or the circuit ID instead of the client ID. The remote ID and the circuit ID are
inserted by a DHCP relay and are therefore harder to spoof.
Remote ID
Specifies the remote ID. The DHCP relay inserts the remote ID into the DHCP request.
Possible values:
– (default setting)
The device ignores the parameter during assignment of an IP address from the pool.
Sequence of hexadecimal character pairs with 1..254 pairs separated by a space.
Example: 41 42 43 44 4F
Circuit ID
Specifies the circuit ID. The DHCP relay inserts the circuit ID into the DHCP request.
Possible values:
– (default setting)
The device ignores the parameter during assignment of an IP address from the pool.
Sequence of hexadecimal character pairs with 1..254 pairs separated by a space.
Example: 41 42 43 44 4F
Hirschmann device
Activates/deactivates the Hirschmann multicasts. If the device in this IP address range serves only
Hirschmann client devices, then activate this function.
Possible values:
marked
In this IP address range, the device serves only Hirschmann client devices. The Hirschmann
multicasts are activated.
unmarked (default setting)
In this IP address range, the device serves client devices of different manufacturers. The
Hirschmann multicasts are deactivated.
Configuration URL
Specifies the protocol to be used as well as the name and path of the configuration file.
Possible values:
Alphanumeric ASCII character string with 0..70 characters
Example: tftp://192.9.200.1/cfg/config.xml
When you leave this field blank, the device leaves this option field blank in the DHCP message.
The client device is responsible for renewing the IP address before the period expires. If the client
device does not renew its IP address in time, then the IP address returns to the address pool.
Possible values:
60..220752000 (2555 d) (default setting: 86400)
4294967295 (2³²-1)
Use this value for assignments unlimited in time, and for assignments using BOOTP.
Default gateway
Specifies the IP address of the default gateway.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
Netmask
Specifies the mask of the network to which the client belongs.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
Valid IPv4 netmask (default setting: 255.255.255.0)
WINS server
Specifies the IP address of the Windows Internet Name Server which converts NetBIOS names.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
DNS server
Specifies the IP address of the DNS server.
A value of 0.0.0.0 disables the attachment of the option field in the DHCP message.
Possible values:
Valid IPv4 address (default setting: 0.0.0.0)
Hostname
Specifies the hostname.
When you leave this field blank, the device leaves this option field blank in the DHCP message.
Possible values:
Alphanumeric ASCII character string with 0..64 characters
This dialog displays the currently assigned IP addresses for each port.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the number of the port through which the device to which the IP address is assigned is
connected.
IP address
Displays the IP address to which the table row relates.
Status
Displays the lease phase.
According to the standard for DHCP operations, there are 4 phases when assigning an IP address:
Discovery, Offer, Request, and Acknowledgement.
Possible values:
BOOTP
A DHCP client is attempting to discover a DHCP server for IP address allocation.
offering
The DHCP server is validating that the IP address is suitable for the client.
requesting
The DHCP client is acquiring the offered IP address.
bound
The DHCP server is leasing the IP address to a client.
renewing
The DHCP client is requesting an extension to the lease.
rebinding
The DHCP server is assigning the IP address to the client after a successful renewal.
declined
The DHCP server denied the request for the IP address.
released
The IP address is available for other clients.
Remaining lifetime
Displays how long the assigned IP address is still valid.
Gateway
Displays the Gateway IP address of the device to which the IP address is assigned.
Client ID
Displays the client ID of the device to which the IP address is assigned.
Remote ID
Displays the remote ID of the device to which the IP address is assigned.
Circuit ID
Displays the circuit ID of the device to which the IP address is assigned.
A network administrator uses the DHCP L2 Relay Agent to add DHCP client information. L3 Relay
Agents and DHCP servers need the DHCP client information to assign an IP address and a
configuration to the clients.
When active, the relay adds Option 82 information configured in this dialog to the packets before it
relays DHCP requests from the clients to the server. The Option 82 fields provide unique
information about the client and relay. This unique identifier consists of a Circuit ID for the client and
a Remote ID for the relay.
In addition to the type, length, and multicast fields, the Circuit ID includes the VLAN ID, unit number,
slot number, and port number for the connected client.
The Remote ID consists of a type and length field and either a MAC address, IP address, client
identifier, or a user-defined device description. A client identifier is the user-defined system name
for the device.
For the DHCPv6 protocol, the device uses a Relay Agent to add Relay Agent options to DHCPv6
packets exchanged between a client and a DHCPv6 server. The Lightweight DHCPv6 Relay Agent
(LDRA) is described in RFC 6221.
This dialog lets you activate the relay function on an interface and VLAN. When you activate this
function on a port, the device either relays the Option 82 information or drops the information on
untrusted ports. Furthermore, the device lets you specify the remote identifier.
The Option 82 information is specific to the DHCPv4 L2 Relay function. For the DHCPv6 L2 Relay function,
the Option 18 information is used in the packet exchange between the client and DHCPv6 server.
The device discards DHCPv6 packets received on ports that do not contain Option 18 information.
Operation
Operation
Enables/disables the DHCP L2 Relay function of the device globally.
With this function enabled, DHCPv4 L2 Relay and DHCPv6 L2 Relay functions can operate at the
same time in the device.
Possible values:
On
Enables the DHCP L2 Relay function in the device.
Off (default setting)
Disables the DHCP L2 Relay function in the device.
[Interface]
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
Active
Activates/deactivates the DHCP L2 Relay function on the port.
Possible values:
marked
The DHCP L2 Relay function is active.
unmarked (default setting)
The DHCP L2 Relay function is inactive.
Trusted port
Activates/deactivates the secure DHCP L2 Relay mode for the corresponding port.
Possible values:
marked
The device accepts DHCPv4 packets with Option 82 information.
The device accepts DHCPv6 packets with Option 18 information.
unmarked (default setting)
The device discards DHCPv4 packets received on non-secure ports that contain Option 82
information.
The device discards DHCPv6 packets received on ports that do not contain Option 18
information.
[VLAN ID]
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
VLAN ID
VLAN to which the table row relates.
Active
Activates/deactivates the DHCP L2 Relay function on the VLAN.
Possible values:
marked
The DHCP L2 Relay function is active.
unmarked (default setting)
The DHCP L2 Relay function is inactive.
Circuit ID
Activates or deactivates the addition of the Circuit ID to the Option 82 information.
Possible values:
marked (default setting)
Enables Circuit ID and Remote ID to be sent together.
unmarked
The device sends only the Remote ID.
Remote ID type
Specifies the components of the Remote ID for this VLAN. The Remote ID field displays the string
the device uses as Remote ID.
Possible values:
ip
Specifies the IP address of the device as Remote ID.
mac (default setting)
Specifies the MAC address of the device as Remote ID.
client-id
Specifies the system name of the device as Remote ID.
other
When you select this item, enter any character string in the Remote ID column.
Remote ID
Displays the Remote ID that the device uses for this VLAN. If the item other is selected from the
Remote ID type drop-down list, then enter any character string.
Possible values:
Alphanumeric ASCII character string with 1..32 characters
The device enters ASCII code values into the packet. If the item client-id or other is selected
from the Remote ID type drop-down list, then the device processes the ASCII code of the characters.
For example, when you enter the string abc, the device enters the value 616263 into the packet.
If the device does not accept the string you entered, then perform the following steps:
Click the button to undo the unsaved changes in the current dialog.
From the Remote ID type drop-down list, select the item other.
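The following added example (not part of the Hirschmann manual and not the device's own code) ties together the Option 82 description, the Trusted port setting and the hex-pair notation used in the DHCP pool table. It parses Option 82 as defined in RFC 3046 (sub-option 1 = Circuit ID, sub-option 2 = Remote ID); the function names and the sample bytes are assumptions, and the Circuit ID is treated as opaque data.

```python
"""Added example: DHCP Option 82 (RFC 3046) parsing, pool matching, trusted-port rule."""

OPT_PAD, OPT_RELAY_AGENT_INFO, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def to_hex_pairs(data: bytes) -> str:
    """Format bytes the way the pool table expects them, e.g. '41 42 43 44 4F'."""
    return " ".join(f"{b:02X}" for b in data)


def remote_id_bytes(text: str) -> bytes:
    """ASCII-encode a Remote ID string of 1..32 characters (types client-id / other)."""
    if not 1 <= len(text) <= 32:
        raise ValueError("Remote ID must have 1..32 characters")
    return text.encode("ascii")


def _walk_tlv(buf: bytes, top_level: bool):
    """Yield (code, value); only top-level DHCP options use the pad and end codes."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if top_level and code == OPT_END:
            return
        if top_level and code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length exceeds remaining data")
        yield code, bytes(value)
        i += 2 + length


def extract_option82(options: bytes):
    """Return {sub-option code: data} for Option 82, or None if the option is absent."""
    for code, value in _walk_tlv(options, top_level=True):
        if code == OPT_RELAY_AGENT_INFO:
            return dict(_walk_tlv(value, top_level=False))
    return None


def trusted_port_decision(options: bytes, trusted: bool) -> str:
    """DHCPv4 rule of the Trusted port setting: Option 82 is accepted on trusted ports only."""
    if extract_option82(options) is not None and not trusted:
        return "discard"
    return "pass"  # not discarded by this rule


def pool_matches(subopts, remote_id_hex: str = "-", circuit_id_hex: str = "-") -> bool:
    """Compare received sub-options with a pool row; a dash means the field is ignored."""
    subopts = subopts or {}
    for code, wanted in ((SUB_REMOTE_ID, remote_id_hex), (SUB_CIRCUIT_ID, circuit_id_hex)):
        if wanted.strip() in ("", "-", "\u2013"):
            continue
        if subopts.get(code) != bytes.fromhex(wanted):
            return False
    return True


# Constructed sample: options field of a relayed DHCPDISCOVER (after the magic cookie).
# The Circuit ID bytes are opaque placeholder data, not the device's actual field layout.
SAMPLE_CIRCUIT_ID = bytes.fromhex("00 04 00 01 01 05")
SAMPLE_RELAYED = (
    bytes([53, 1, 1])                      # option 53: DHCPDISCOVER
    + bytes([OPT_RELAY_AGENT_INFO, 13])    # 13 = 2 + 6 + 2 + 3 bytes of sub-options
    + bytes([SUB_CIRCUIT_ID, 6]) + SAMPLE_CIRCUIT_ID
    + bytes([SUB_REMOTE_ID, 3]) + remote_id_bytes("abc")
    + bytes([OPT_END])
)
SAMPLE_DIRECT = bytes([53, 1, 1, OPT_END])  # same request without Option 82

if __name__ == "__main__":
    received = extract_option82(SAMPLE_RELAYED)
    print("Remote ID for the pool table:", to_hex_pairs(received[SUB_REMOTE_ID]))
    print("Circuit ID for the pool table:", to_hex_pairs(received[SUB_CIRCUIT_ID]))
    for name, opts in (("relayed", SAMPLE_RELAYED), ("direct", SAMPLE_DIRECT)):
        for trusted in (True, False):
            print(name, "trusted" if trusted else "untrusted",
                  "->", trusted_port_decision(opts, trusted))
    print("pool match:", pool_matches(received, remote_id_hex="61 62 63"))
```

The hex-pair output can be copied into the Remote ID or Circuit ID column of a pool row, so that address assignment depends on relay-inserted values rather than on the client-supplied Client ID.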
The device monitors the data stream on the ports and displays the results in tabular form.
This table is divided into various categories to aid you in data stream analysis.
The DHCPv6 relay options are not displayed in the statistics table.
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Buttons
Reset
Port
Displays the port number.
7.3.1 IEC61850-MMS
[ Advanced > Industrial Protocols > IEC61850-MMS ]
The packet-oriented protocol defines a uniform communication language based on the transport
protocol, TCP/IP. The protocol uses a Manufacturing Message Specification (MMS) server for
client server communications. The protocol includes functions for SCADA, Intelligent Electronic
Device (IED) and the network control systems.
Note: IEC61850/MMS does not provide any authentication mechanisms. If the write access for
IEC61850/MMS is activated, then every client that can access the device using TCP/IP is capable
of changing the settings of the device. As a result, incorrect device settings and potential network
interruptions may occur.
Activate the write access only if you have taken additional measures (for example Firewall, VPN,
etc.) to reduce possible unauthorized access.
This dialog lets you specify the following MMS server settings:
• Activates/deactivates the MMS server.
• Activates/deactivates the write access to the MMS server.
• The MMS server TCP Port.
• The maximum number of MMS server sessions.
Operation
Operation
Enables/disables the IEC61850-MMS server.
Possible values:
On
The IEC61850-MMS server is enabled.
Off (default setting)
The IEC61850-MMS server is disabled.
The IEC61850 MIBs stay accessible.
Information
Status
Displays the current IEC61850-MMS server status.
Possible values:
unavailable
starting
running
stopping
halted
error
Active sessions
Displays the number of active MMS server connections.
Configuration
Buttons
Write access
Activates/deactivates the write access to the MMS server.
Possible values:
marked
The write access to the MMS server is activated. This setting lets you change the device settings
using the IEC 61850 MMS protocol.
unmarked (default setting)
The write access to the MMS server is deactivated. The MMS server is accessible as read-only.
Technical key
Specifies the IED name.
Possible values:
Alphanumeric ASCII character string with 0..32 characters
The device accepts the following characters:
– _
– 0..9
– a..z
– A..Z (default setting: KEY)
To get the MMS server to use the IED name, click the button and restart the MMS server. The
connection to connected clients is then interrupted.
TCP port
Specifies the TCP port for MMS server access.
Possible values:
1..65535 (2¹⁶-1) (default setting: 102)
Exception: Port 2222 is reserved for internal functions.
Note: The server restarts automatically after you change the port. In the process, the device
terminates open connections to the server.
Sessions (max.)
Specifies the maximum number of MMS server connections.
Possible values:
1..15 (default setting: 5)
Modbus TCP is a protocol used for Supervisory Control and Data Acquisition (SCADA) system
integration. Modbus TCP is a vendor-neutral protocol used to monitor and control industrial
automation equipment such as Programmable Logic Controllers (PLC), sensors and meters.
This dialog lets you specify the parameters of the protocol. To monitor and control the parameters
of the device, you need an application with a Human-Machine Interface and the memory mapping
table. Refer to the tables located in the “Configuration” user manual for the supported objects and
memory mapping.
In the dialog, you can enable the function, activate the write access, and specify on which TCP port
the Human-Machine Interface polls for data. You can also specify the number of sessions that can
be open at the same time.
Note: Activating the Modbus TCP write-access can cause an unavoidable security risk, because the
protocol does not authenticate user access.
To help minimize the unavoidable security risks, specify the IP address range located in the Device
Security > Management Access dialog. Enter only the IP addresses assigned to your devices before
enabling the function. Furthermore, the default setting for monitoring function activation in the
Diagnostics > Status Configuration > Security Status dialog, Global tab, is active.
Operation
Operation
Enables/disables the Modbus TCP server in the device.
Possible values:
On
The Modbus TCP server is enabled.
Off (default setting)
The Modbus TCP server is disabled.
Configuration
Write access
Activates/deactivates the write access to the Modbus TCP parameters.
Note: Activating the Modbus TCP write-access can cause an unavoidable security risk, because the
protocol does not authenticate user access.
Possible values:
marked (default setting)
The Modbus TCP server read/write access is active. This lets you change the device settings
using the Modbus TCP function.
unmarked
The Modbus TCP server read-only access is active.
TCP port
Specifies the TCP port number that the Modbus TCP server uses for communication.
Possible values:
<TCP Port number> (default setting: 502)
Specifying 0 is not allowed.
Sessions (max.)
Specifies the maximum number of concurrent sessions that the Modbus TCP server maintains.
Possible values:
1..5 (default setting: 5)
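Because Modbus TCP does not authenticate write access, monitoring for write requests from unexpected sources complements the IP address restriction. The following added example (not part of the Hirschmann manual) decodes the MBAP header of captured Modbus TCP requests and reports write function codes from sources outside an allowlist; the allowlist, the source addresses and the frames are constructed sample values.

```python
"""Added example: flag Modbus TCP write requests from sources outside an allowlist."""
import ipaddress
import struct

# Public Modbus function codes that modify data on the server.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x15: "Write File Record",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


def parse_adu(frame: bytes) -> dict:
    """Decode one Modbus TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol identifier is not 0 (not Modbus)")
    # The length field counts the unit identifier and the PDU.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": frame[7],
        "data": frame[8:],
    }


def find_unexpected_writes(records, allowed_networks):
    """Return findings for malformed frames and for writes from unlisted sources.

    records: iterable of (source IP string, raw request ADU bytes)
    allowed_networks: CIDR strings mirroring the management access restriction
    """
    networks = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for src_ip, frame in records:
        try:
            adu = parse_adu(frame)
        except ValueError as exc:
            findings.append((src_ip, "malformed", str(exc)))
            continue
        name = WRITE_FUNCTION_CODES.get(adu["function_code"])
        if name is None:
            continue  # read-only request
        if not any(ipaddress.ip_address(src_ip) in net for net in networks):
            findings.append((src_ip, "write-from-unlisted-source", name))
    return findings


# Constructed sample data (documentation address ranges, hand-built frames).
ALLOWED = ["192.0.2.0/28"]
READ_HOLDING = bytes.fromhex("000200000006" "01" "03" "00000002")
WRITE_REGISTER = bytes.fromhex("000100000006" "01" "06" "00100001")
BAD_PROTOCOL = bytes.fromhex("000300010006" "01" "03" "00000002")
SAMPLE_RECORDS = [
    ("192.0.2.10", READ_HOLDING),      # allowed source, read
    ("192.0.2.10", WRITE_REGISTER),    # allowed source, write
    ("198.51.100.7", READ_HOLDING),    # unlisted source, read
    ("198.51.100.7", WRITE_REGISTER),  # unlisted source, write -> finding
    ("192.0.2.11", BAD_PROTOCOL),      # protocol identifier 1 -> finding
]

if __name__ == "__main__":
    for finding in find_unexpected_writes(SAMPLE_RECORDS, ALLOWED):
        print(finding)
```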
7.3.3 EtherNet/IP
[ Advanced > Industrial Protocols > EtherNet/IP ]
This dialog lets you specify the EtherNet/IP settings. You have the following options:
• Enable/disable the EtherNet/IP function in the device.
• Specify a VLAN which forwards the EtherNet/IP packets exclusively.
• Activate/deactivate the read/write capability of the EtherNet/IP function.
• Download the Electronic Data Sheet (EDS) file from the device.
Operation
Operation
Enables/disables the EtherNet/IP function in the device.
Possible values:
On
The EtherNet/IP function is enabled.
Off (default setting)
The EtherNet/IP function is disabled.
Configuration
Buttons
Write access
Activates/deactivates the read/write capability of the EtherNet/IP function.
Possible values:
marked
The EtherNet/IP function accepts set/get requests.
unmarked (default setting)
The EtherNet/IP function accepts only get requests.
VLAN Configuration
VLAN ID
Specifies the VLAN to be used for the EtherNet/IP function.
Possible values:
mgmt (default setting)
The EtherNet/IP function uses the VLAN, in which the device management is accessible through
the network. You specify this VLAN in the Basic Settings > Network > Global dialog, Management
interface frame, VLAN ID field.
1..4042
The EtherNet/IP function uses the selected VLAN.
Prerequisites:
– The VLAN is already set up in the device.
See the Switching > VLAN > Configuration dialog.
– The port over which the device forwards the EtherNet/IP packets is a member of the VLAN
you assign and transmits the data packets with a VLAN tag.
See the Switching > VLAN > Configuration dialog.
– The IP Access Restriction function is enabled.
See the Device Security > Management Access > IP Access Restriction dialog.
7.3.4 PROFINET
[ Advanced > Industrial Protocols > PROFINET ]
This dialog lets you set up the PROFINET protocol on this device used in conjunction with
PROFINET Controllers and PROFINET devices. The device bases the PROFINET function on the
Siemens V2.2 PROFINET stack for common Ethernet controllers. The PROFINET protocol
implemented in the device conforms to Class B for real time responses according to IEC 61158.
Functions that directly affect the PROFINET function require the following default values to be
changed. If you have obtained the device as a specially available PROFINET variant, then these
values are already predefined:
PROFINET
Advanced > Industrial Protocols > PROFINET dialog
• Operation frame
Operation = On
• Configuration frame
Name of station field = <empty>
Network
Basic Settings > Network > IPv4 dialog
• Management interface frame
IP address assignment radio button = Local
• HiDiscovery protocol v1/v2 frame
Access drop-down list = readOnly
• IP parameter frame
IP address field = 0.0.0.0
Netmask field = 0.0.0.0
Gateway address field = 0.0.0.0
LLDP
Diagnostics > LLDP > Configuration dialog
• Configuration frame
Transmit interval [s] field = 5
Transmit delay [s] field = 1
Operation
Operation
Enables/disables the PROFINET function in the device.
Possible values:
On
The PROFINET function is enabled.
Off (default setting)
The PROFINET function is disabled.
Configuration
Buttons
Name of station
Specifies the name of the device.
Possible values:
Alphanumeric ASCII character string with 0..240 characters
The device prohibits you from using a number as the first character.
Information
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Port
Displays the port number.
DCP mode
Specifies the data stream direction on the port to monitor for DCP packets.
The Programmable Logic Controllers (PLCs) detect PROFINET devices using the Discovery and
Configuration Protocol (DCP).
The DCP identify request packets are multicast, the responses from the agents are unicast.
Regardless of the settings, the device forwards the received DCP packets to other ports whose
setting is either egress or both.
Possible values:
none
The agent does not respond to packets received on this port. The port does not forward packets
received on other ports.
ingress
The agent responds to packets received on this port. The port does not forward packets
received on other ports.
egress
The agent does not respond to packets received on this port. The port forwards packets
received on other ports.
both (default setting)
The agent responds to packets received on this port. The port forwards packets received on
other ports.
The digital inputs let you capture and forward signals from digital sensors.
[IO input]
Operation
Operation
Enables/disables the cyclical queries from the digital inputs (IO Input).
Possible values:
On
Lets you query the input values.
Off (default setting)
Configuration
Refresh interval [ms]
Possible values:
1000..10000 (default setting: 1000)
Table
For information on how to customize the appearance of the table, see “Working with tables” on
page 16.
Input ID
Displays the slot number of the module (x) and number of the digital input (i) that applies to this
table row.
Notation: x.i
Possible values:
x = 0..7
The value 0 equals the main unit (MU).
i = 1..4
Value
Displays the digital input level.
Possible values:
low
The input voltage on the digital input is 0 V.
high
The input voltage on the digital input is +24 VDC.
not-available
The input voltage on the digital input has another value than 0 V or +24 VDC. Verify that the
module is present and seated properly.
Log event
Activates/deactivates the logging in the log file. See the Diagnostics > Report > System Log dialog.
Possible values:
marked
Logging is activated.
The device checks the status of the digital inputs in accordance with the time interval specified
in the Configuration frame, Refresh interval [ms] field.
When changes on the digital inputs occur, the device logs an entry in the System Log.
unmarked (default setting)
Logging is deactivated.
Send trap
Activates/deactivates the sending of SNMP traps when the device detects a change on the digital
inputs. The device checks the status of the digital inputs in accordance with the time interval
specified in the Configuration frame, Refresh interval [ms] field.
Possible values:
marked
The sending of SNMP traps is active. The prerequisite is that in the Diagnostics > Status
Configuration > Alarms (Traps) dialog the Alarms (Traps) function is enabled and at least one trap
destination is specified.
When the device detects changes on the digital inputs, the device sends an SNMP trap.
unmarked (default setting)
The sending of SNMP traps is inactive.
This dialog lets you access the device using the Command Line Interface.
Prerequisites:
• In the Device Security > Management Access > Server dialog, SSH tab the SSH server is enabled.
• On your workstation, install an SSH-capable client application which registers a handler for URLs
starting with ssh:// in your operating system.
Buttons
When you click the button, the web application passes the URL of the device starting with ssh://
and the user name of the currently logged in user.
If the web browser finds an SSH-capable client application, then the SSH-capable client establishes
a connection to the device using the SSH protocol.
C
Cable diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21, 43, 131, 132, 299
CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Command line interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Community names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configuration check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Configuration profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16, 39
Counter reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
D
Daylight saving time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Default gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Device software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Device software backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Device status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19, 290
DHCP L2 Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
DHCP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
DHCPv6 L2 Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Digital input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
DoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Download EDS for EtherNet/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
DSCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Duplicate Address Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
E
EAPOL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Egress rate limiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
ENVM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37, 43, 46, 51, 291, 297, 304, 367
EtherNet/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299, 391
EtherNet/IP, Download EDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
EtherNet/IP, Read/write capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
EtherNet/IP, VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Event severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
External memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23, 37, 43, 46, 51, 367
F
FAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
FDB (MAC address table) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69, 196
Filter MAC addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Fingerprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128, 132
Flash memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37, 316
Flow control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
G
GARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
GMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Guards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
GVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
H
Hardware clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Hardware state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
HiDiscovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25, 298, 370
HIPER Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Host key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
HTML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315, 369
HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
HTTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Humidity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
I
IAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117, 165
IEC61850-MMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299, 386
IEEE 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
IGMP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69, 198
Industrial HiVision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9, 123
Ingress filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Ingress rate limiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Integrated authentication server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117, 165
IO input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
IP access restriction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
IP address conflict detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
IP DSCP mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
IPv4 rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
L
L2 Relay (DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Link aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Link backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Load/save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Log file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68, 69, 369
Login banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140, 142
Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
M
MAC Address Conflict Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
MAC flood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
MAC rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
MAC spoof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
MAC address table (forwarding database) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69, 196
Management access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25, 30, 134
Management VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Manufacturing message specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Media redundancy protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
MMRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
MMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Modbus TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299, 389
MRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
MRP-IEEE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
MTU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
MVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
N
Network load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
NVM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16, 37, 43
O
Out-of-band management port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
P
Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112, 295
Password length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111, 295
Persistent log file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Persistent logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
PoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Port clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Port configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153, 236
Port mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Port monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Port priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Port security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Port statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69, 161
Port VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Port-based access control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Power over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Power supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21, 292, 305
Pre-Login banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Priority queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
PROFINET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300, 393
Q
Queue management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
R
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117, 166
RAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
RAM test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Rate limiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Read/write capability for EtherNet/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Relay (DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Request interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Ring structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Ring/Network coupling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
RNC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Root bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
RSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257, 259
S
Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Security status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20, 294
Self-test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Serial interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
SFP module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Signal contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20, 301
SNMP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123, 297
SNMP traps . . . . . . . . . . . . . . . . . . . 57, 62, 64, 147, 259, 276, 290, 294, 303, 308, 321, 337, 398
SNMPv1/v2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
SNTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
SNTP client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
SNTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Software backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Software update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Spanning tree protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
SSH server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Support information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Support information (ZIP archive) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
System information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
System log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
System monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
System time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
T
Technical questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Telnet server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124, 296
Temperature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22, 291, 292, 304, 305
Threshold values network load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Time-Sensitive Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Topology discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Training courses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Transparent clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Trap destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Traps . . . . . . . . . . . . . . . . . . . . . . . . 57, 62, 64, 147, 259, 276, 290, 294, 303, 308, 321, 337, 398
Trust mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
TSN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
TSN Gate Control List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216, 219
Twisted-pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
U
Unsigned device software (allow upload) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Uptime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22, 316
USB network interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
User administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
V
Virtual local area network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25, 242
VLAN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
VLAN for EtherNet/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
VLAN ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
W
Watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39, 48
Web server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129, 130
Z
ZIP archive with support information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
B Further support
Technical questions
For technical questions, please contact any Hirschmann dealer in your area or Hirschmann directly.
A list of local telephone numbers and email addresses for technical support directly from
Hirschmann is available at hirschmann-support.belden.com. This site also includes a free of charge
knowledge base and a software download section.
Technical Documents
The current manuals and operating instructions for Hirschmann products are available at
doc.hirschmann.com.
The Customer Innovation Center is ahead of its competitors on three counts with its complete range
of innovative services:
• Consulting incorporates comprehensive technical advice, from system evaluation through
network planning to project planning.
• Training offers you an introduction to the basics, product briefing and user training with
certification.
You find the training courses on technology and products currently available at
www.belden.com/solutions/customer-innovation-center.
• Support ranges from the first installation through the standby service to maintenance concepts.
With the Customer Innovation Center, you decide against any compromise in any case. Our client-
customized package leaves you free to choose the service components you want to use.
C Readers’ Comments
What is your opinion of this manual? We are constantly striving to provide as comprehensive a
description of our product as possible, as well as important information to assist you in the operation
of this product. Your comments and suggestions help us to further improve the quality of our
documentation.
Contents
Safety instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Key
Replacing a device
1 User interfaces
1.1 Graphical User Interface
1.2 Command Line Interface
1.2.1 Preparing the data connection
1.2.2 Access to the Command Line Interface using the Secure Shell (SSH)
1.2.3 Access to the Command Line Interface using the serial interface
1.2.4 Mode-based command hierarchy
1.2.5 Executing the commands
1.2.6 Structure of a command
1.2.7 Examples of commands
1.2.8 Input prompt
1.2.9 Key combinations
1.2.10 Data entry elements
1.2.11 Use cases
1.2.12 Service Shell
1.3 System monitor
1.3.1 Functional scope
1.3.2 Starting the System Monitor
UM Config BRS 3
Release 9.6 12/2023
12 VLANs
12.1 Examples of VLANs
12.1.1 Example 1
12.1.2 Example 2
12.2 Guest VLAN / Unauthenticated VLAN
12.3 RADIUS VLAN assignment
12.4 Creating a Voice VLAN
13 Redundancy
13.1 Network Topology vs. Redundancy Protocols
13.1.1 Network topologies
13.1.2 Redundancy Protocols
13.1.3 Combinations of redundancy protocols
13.2 Media Redundancy Protocol (MRP)
13.2.1 Network Structure
13.2.2 Reconfiguration time
13.2.3 Advanced mode
13.2.4 Prerequisites for MRP
13.2.5 Advanced Information
13.2.6 Example Configuration
13.3 HIPER Ring Client
13.3.1 VLANS on the HIPER Ring
13.3.2 Advanced Information
13.4 Spanning Tree
13.4.1 Basics
13.4.2 Rules for Creating the Tree Structure
13.4.3 Examples
B Appendix
B.1 Literature references
B.2 Maintenance
B.3 Management Information Base (MIB)
C Index
Safety instructions
WARNING
UNCONTROLLED MACHINE ACTIONS
To avoid uncontrolled machine actions caused by data loss, configure all the data transmission
devices individually.
Before you start any machine which is controlled via data transmission, be sure to complete the
configuration of all data transmission devices.
Failure to follow these instructions can result in death, serious injury, or equipment
damage.
About this Manual
The “Configuration” user manual contains the information you need to start operating the device. It
takes you step by step from the first startup operation through to the basic settings for operation in
your environment.
The “Installation” user manual contains a device description, safety instructions, a description of the
display, and the other information that you need to install the device.
The “Graphical User Interface” reference manual contains detailed information on using the
graphical user interface to operate the individual functions of the device.
The “Command Line Interface” reference manual contains detailed information on using the
Command Line Interface to operate the individual functions of the device.
The Industrial HiVision Network Management software provides you with additional options for
smooth configuration and monitoring:
Auto-topology discovery
Browser interface
Client/server structure
Event handling
Event log
Simultaneous configuration of multiple devices
Graphical user interface with network layout
SNMP/OPC gateway
Key
List
Work step
Link Cross-reference with link
Note: A note emphasizes a significant fact or draws your attention to a dependency.
Courier Representation of a CLI command or field contents in the graphical user interface
Replacing a device
The device provides the following plug-and-play solutions for replacing a device with a device of
the same type, for instance, if a failure was detected or for preventive maintenance:
The new device loads the configuration profile of the replaced device from the external memory.
See “Loading the configuration profile from the external memory” on page 100.
The new device gets its IP address using DHCP Option 82.
See “DHCP L2 Relay” on page 276.
See “Setting up a DHCP server with Option 82” on page 380.
With each solution, upon reboot, the new device gets the same IP settings that the replaced device
had.
For accessing the device management using HTTPS, the device uses a digital certificate. You
have the option to import your own certificate to the device.
See “HTTPS certificate management” on page 386.
For accessing the device management using SSH, the device uses an RSA host key. You have
the option to import your own host key in PEM format to the device.
See “Loading your own key onto the device” on page 383.
1 User interfaces
The device lets you specify the settings of the device using the following user interfaces.
Table 1: User interfaces for accessing the device management
1.1 Graphical User Interface
System requirements
To open the Graphical User Interface, you need the desktop version of a web browser with HTML5
support.
Note: Third-party software such as web browsers validate certificates based on criteria such as
their expiration date and current cryptographic parameter recommendations. Outdated certificates
may cause issues due to invalid or outdated information. Example: An expired certificate or
changed cryptographic recommendations. To solve validation conflicts with third-party software,
transfer your own up-to-date certificate onto the device or regenerate the certificate with the latest
firmware.
The prerequisite for starting the Graphical User Interface is that the IP parameters are set up in the
device. See “Specifying the IP parameters” on page 41.
1.2 Command Line Interface
The Command Line Interface lets you use the functions of the device through a local or remote
connection.
The Command Line Interface provides IT specialists with a familiar environment for configuring IT
devices. As an experienced user or administrator, you have knowledge about the basics and about
using Hirschmann devices.
Information for assembling and starting up your device can be found in the “Installation” user
manual.
Connect the device with the network. The prerequisite for a successful data connection is the
correct setting of the network parameters.
You can access the user interface of the Command Line Interface, for example, with the freeware
program PuTTY. You can download the software from www.putty.org.
Install the PuTTY program on your computer.
1.2.2 Access to the Command Line Interface using the Secure Shell (SSH)
In the following example, you use the PuTTY program. Another option to access your device using
SSH is the OpenSSH Suite.
In the Host Name (or IP address) field you enter the IP address of your device.
The IP address consists of 4 decimal numbers with values from 0 to 255. The 4 decimal
numbers are separated by points.
To specify the connection type, select the SSH radio button in the Connection type option list.
After selecting and setting the required parameters, the device lets you set up the data
connection using SSH.
Click the Open button to set up the data connection to your device.
Depending on the device and the time at which SSH was set up, establishing the connection
takes up to a minute.
When you first log in, towards the end of the connection setup, the PuTTY program displays a
security alert message and lets you check the fingerprint of the key.
NOTE: Enter '?' for Command Help. Command help displays all options
that are valid for the particular mode.
For the syntax of a particular command form, please
consult the documentation.
BRS>
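The fingerprint that the SSH client shows at first login is a hash of the host's public key blob, so you can compute the expected value from the public half of the host key you loaded onto the device and compare the two before accepting. The following Python sketch is an added example, not part of the Hirschmann manual; the key values and helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample values: not a real device key. Fingerprinting only
# hashes the encoded bytes, so the modulus does not need to be a valid one.
CONSTRUCTED_E = 65537
CONSTRUCTED_N = (1 << 2047) + 12345


def ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value):
    """SSH wire 'mpint' for a non-negative integer (leading 0x00 if the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big") if value else b""
    return ssh_string(raw)


def build_rsa_blob(e, n):
    """Public key blob of an RSA host key: "ssh-rsa", e, n (RFC 4253)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def sample_public_key_line():
    """Constructed OpenSSH-style public key line used as sample input."""
    blob = build_rsa_blob(CONSTRUCTED_E, CONSTRUCTED_N)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-host-key"


def parse_public_key_line(line):
    """Split '<type> <base64> [comment]' and check the type embedded in the blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode("ascii", "replace"):
        raise ValueError("key type does not match the blob")
    return key_type, blob


def fingerprint_sha256(blob):
    """Fingerprint in the 'SHA256:<base64 without padding>' notation."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy fingerprint: 16 colon-separated hex pairs, prefixed with 'MD5:'."""
    hexdigest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def matches_expected(blob, shown):
    """Compare the fingerprint shown by the SSH client with the one computed here."""
    shown = shown.strip()
    if shown.upper().startswith("SHA256:"):
        actual, wanted = fingerprint_sha256(blob)[7:], shown[7:].rstrip("=")
    else:
        hex_part = shown[4:] if shown.upper().startswith("MD5:") else shown
        actual, wanted = fingerprint_md5(blob)[4:], hex_part.lower()
    return hmac.compare_digest(actual.encode(), wanted.encode())


if __name__ == "__main__":
    key_type, blob = parse_public_key_line(sample_public_key_line())
    print(key_type, fingerprint_sha256(blob))
    print(key_type, fingerprint_md5(blob))
```

After a device replacement the fingerprint only stays the same if the new device carries the same host key; a changed fingerprint on a device you did not replace or re-key is a reason to stop and investigate before logging in.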
1.2.3 Access to the Command Line Interface using the serial interface
The serial interface is used to locally connect an external network management station (VT100
terminal or PC with terminal emulation). The interface lets you set up a data connection to the
Command Line Interface and to the system monitor.
Figure 4: Serial data connection with the serial interface using the PuTTY program
Press any key on your terminal keyboard a number of times until the login screen indicates the
CLI mode.
Enter the user name.
The default user name is admin.
Press the <Enter> key.
NOTE: Enter '?' for Command Help. Command help displays all options
that are valid for the particular mode.
For the syntax of a particular command form, please
consult the documentation.
BRS>
In the Command Line Interface, the commands are grouped in the related modes, according to the
type of the command. Every command mode supports specific Hirschmann software commands.
The commands available to you as a user depend on your privilege level (administrator,
operator, guest, auditor). They also depend on the mode in which you are currently working.
When you switch to a specific mode, the commands of the mode are available to you.
The User Exec mode commands are an exception. The Command Line Interface also lets you
execute these commands in the Privileged Exec mode.
The following figure displays the modes of the Command Line Interface.
Figure: Modes of the Command Line Interface. Labels in the figure: ROOT; Privileged Exec Mode (basic functions, basic setting); Global Configuration Mode (advanced configurations); VLAN Database Mode; Service Shell; Interface Range Mode (configurations on one or several ports). Transitions in the figure: login/logout, enable/exit, configure/exit, vlan database/exit, serviceshell start/exit.
The Command Line Interface supports, depending on the user level, the following modes:
User Exec mode
When you log in with the Command Line Interface, you are in the User Exec mode. The User
Exec mode contains a limited range of commands.
Command prompt: (BRS) >
Privileged Exec mode
To access the entire range of commands, you change to the Privileged Exec mode. The
prerequisite for changing to the Privileged Exec mode is that you log in as a privileged user. In
the Privileged Exec mode, you are able to execute the User Exec mode commands, too.
Command prompt: (BRS) #
VLAN mode
The VLAN mode contains VLAN-related commands.
Command prompt: (BRS) (VLAN)#
Service Shell
The Service Shell is for service purposes only.
Command prompt: /mnt/fastpath #
The following table displays the command modes, the command prompts (input request
characters) visible in the corresponding mode, and the option with which you quit this mode.
Table 2: Command modes
Privileged Exec mode
From the User Exec mode, you enter the command enable:
(BRS) >enable
(BRS) #
To quit the Privileged Exec mode and return to the User Exec mode, you enter exit:
(BRS) #exit
(BRS) >
When you enter a question mark (?) after the prompt, the Command Line Interface displays a list
of the available commands and a short description of the commands.
(BRS)>
cli Set the CLI preferences.
enable Turn on privileged commands.
help Display help for various special keys.
history Show a list of previously run commands.
logout Exit this session.
ping Send ICMP echo packets to a specified IP address.
show Display device options and settings.
telnet Establish a telnet connection to a remote host.
(BRS)>
Syntax analysis
When you log in with the Command Line Interface, you are in the User Exec mode. The Command
Line Interface displays the prompt (BRS)> on the screen.
When you enter a command and press the <Enter> key, the Command Line Interface starts the
syntax analysis. The Command Line Interface searches the command tree for the desired
command.
When the command is outside the Command Line Interface command range, a message informs
you of the detected error.
Example:
You want to execute the show system info command, but enter info without f and press the <Enter>
key.
Command tree
The commands in the Command Line Interface are organized in a tree structure. The commands,
and where applicable the related parameters, branch down until the command is completely
defined and therefore executable. The Command Line Interface checks the input. When you
entered the command and the parameters correctly and completely, you execute the command
with the <Enter> key.
After you entered the command and the required parameters, the other parameters entered are
treated as optional parameters. When one of the parameters is unknown, the Command Line
Interface displays a syntax message.
The command tree branches for the required parameters until the required parameters have
reached the last branch in the structure.
With optional parameters, the command tree branches until the required parameters and the
optional parameters have reached the last branch in the structure.
This section describes the syntax, conventions and terminology, and uses examples to represent
them.
Format of commands
When the command parameter is missing, the Command Line Interface informs you about the
detection of an incorrect command syntax.
This manual displays the commands and parameters in the Courier font.
Parameters
The sequence of the parameters is relevant for the correct syntax of a command.
Parameters are required values, optional values, selections, or a combination of these things. The
representation indicates the type of the parameter.
Table 3: Parameter and command syntax
<a.b.c.d> Small letters are wild cards. You enter parameters with the notation
a.b.c.d with decimal points (for example IP addresses)
<cr> You press the <Enter> key to insert a line break (carriage return).
The following list displays the possible parameter values within the Command Line Interface:
Table 4: Parameter values in the Command Line Interface
Value Description
IP address This parameter represents a valid IPv4 address. The address
consists of 4 decimal numbers with values from 0 to 255. The
4 decimal numbers are separated by a decimal point. The IP address
0.0.0.0 is a valid entry.
MAC address This parameter represents a valid MAC address. The address
consists of 6 hexadecimal numbers with values from 00 to FF. The
numbers are separated by a colon, for example,
00:F6:29:B2:81:40.
string User-defined text with a length in the specified range, for example a
maximum of 32 characters.
character string Use double quotation marks to indicate a character string, for
example “System name with space character”.
number Whole integer in the specified range, for example 0..999999.
date Date in format YYYY-MM-DD.
time Time in format HH:MM:SS.
Network addresses
Network addresses are a requirement for establishing a data connection to a remote work station,
a server, or another network. You distinguish between IP addresses and MAC addresses.
The IP address is an address allocated by the network administrator. The IP address is unique in
one network area.
The MAC addresses are assigned by the hardware manufacturer. MAC addresses are unique
worldwide.
The following table displays the representation and the range of the address types:
Table 5: Format and range of network addresses
Strings
A string is indicated by quotation marks. For example, “System name with space character”.
Space characters are not valid user-defined strings. You enter a space character in a parameter
between quotation marks.
Example:
*(BRS)#cli prompt Device name
Error: Invalid command 'name'
*(Device name)#
Command for clearing the ARP table of the management agent (cache).
clear arp-table-switch is the command name. The command is executable without any other
parameters by pressing the <Enter> key.
The parameter <1..8> (RADIUS server index) is required. The value range is 1..8 (integer).
The parameters [name], [port], [msgauth], [primary], [status], [secret] and [encrypted]
are optional.
Command mode
With the input prompt, the Command Line Interface displays which of the three modes you are in:
(BRS) >
User Exec mode
(BRS) #
Privileged Exec mode
(BRS) (config)#
Global Config mode
(BRS) (Vlan)#
VLAN Database mode
(BRS) ((Interface)all)#
Interface Range mode / All ports of the device
(BRS) ((Interface)2/1)#
Interface Range mode / A single port on one interface
(BRS) ((Interface)1/2-1/4)#
Interface Range mode / A range of ports on one interface
(BRS) ((Interface)1/2,1/4,1/5)#
Interface Range mode / A list of single ports
(BRS) ((Interface)1/1-1/2,1/4-1/6)#
Interface Range mode / A list of port ranges and single ports
Wildcards
Table 6: Using wildcards within the Command Line Interface input prompt
Wildcard Description
%d System date
%t System time
%i IP address of the device
%m MAC address of the device
%p Product name of the device
!(BRS)>enable
!(BRS)#cli prompt %i
!*AA:BB:CC:DD:EE:FF#
The following key combinations make it easier for you to work with the Command Line Interface:
Table 7: Key combinations in the Command Line Interface
The Help command displays the possible key combinations in Command Line Interface on the
screen:
(BRS) #help
HELP:
Special keys:
(BRS) #
Command completion
To simplify typing commands, the Command Line Interface lets you use command completion (Tab
Completion). Thus you are able to abbreviate key words.
Type in the beginning of a keyword. When the characters entered identify a keyword, the
Command Line Interface completes the keyword after you press the tab key or the space key.
When there is more than one option for completion, enter the letter or the letters necessary for
uniquely identifying the keyword. Press the tab key or the space key again. After that, the system
completes the command or parameter.
When you make a non-unique entry and press <Tab> or <Space> twice, the Command Line
Interface provides you with a list of options.
On a non-unique entry and pressing <Tab> or <Space>, the Command Line Interface completes
the command up to the end of the uniqueness. When several commands exist and you press
<Tab> or <Space> again, the Command Line Interface provides you with a list of options.
Example:
(BRS) (Config)#lo
(BRS) (Config)#log
logging logout
When you enter lo and <Tab> or <Space>, the Command Line Interface completes the
command up to the end of the uniqueness to log.
When you press <Tab> or <Space> again, the Command Line Interface provides you with a list
of options (logging logout).
Possible commands/parameters
You can obtain a list of the commands or the possible parameters by entering help or ?, for example
by entering (BRS) >show ?
When you enter the command displayed, you get a list of the parameters available for the command
show.
When you enter the command without space character in front of the question mark, the device
displays the help text for the command itself:
!*#(BRS)(Config)#show?
To help ensure that your password settings and your other configuration changes are kept after the
device is reset or after an interruption of the voltage supply, you save the configuration. To do this,
perform the following steps:
Enter enable to change to the Privileged Exec mode.
Enter the following command:
save [profile]
Execute the command by pressing the <Enter> key.
The Service Shell lets users have access to internal functions of the device. When you need
assistance with your device, the service personnel use the Service Shell to monitor internal
conditions, for example the switch or CPU registers.
Do not execute internal functions without service technician instructions. Executing internal
functions such as deleting the content of the non-volatile memory (NVM) possibly leads to an
inoperable device.
The prerequisite is that you are in User Exec mode: (BRS) >
!BRS >enable
You can return to the previous mode using the 'exit' command.
!/mnt/fastpath #
When the Service Shell is active, the timeout of the Command Line Interface is inactive. To help
prevent configuration inconsistencies, end the Service Shell before any other user starts
transferring a new configuration to the device.
/mnt/fastpath # help
Built-in commands:
------------------
. : [ [[ alias bg break cd chdir command continue echo eval exec
exit export false fg getopts hash help history jobs kill let
local pwd read readonly return set shift source test times trap
true type ulimit umask unalias unset wait
/mnt/fastpath #
When you deactivate the Service Shell, you are still able to configure the device. However, you limit
the possibilities of service personnel to perform system diagnostics. The service technician will no
longer be able to access internal functions of your device.
The deactivation is irreversible. The Service Shell remains permanently deactivated. To reactivate
the Service Shell, the device requires disassembly by the manufacturer.
!BRS >enable
1.3 System monitor
The System Monitor lets you set basic operating parameters before starting the operating system.
In the System Monitor, you carry out the following tasks, for example:
Managing the operating system and verifying the software image
Starting the operating system
Deleting configuration profiles, resetting the device to the factory settings
Checking boot code information
You establish a serial connection to the device using the USB-C interface. During the system
startup, the serial interface of the device is unavailable. For this reason, starting the System Monitor
works differently from other Hirschmann devices. To start the System Monitor, you set the device
to the Recovery Mode.
Required accessories:
External memory (recommended: ACA22-USB-C (EEC))
USB-C to USB-A adapter (only if you use a different external memory than the recommended
one)
USB cable to connect the USB-C port of the device with the computer
Computer with VT100 terminal emulation (for example PuTTY) or a serial terminal
Note: You find the description of the display elements in the “Installation” user manual.
When the computer and the device are successfully connected, you see a black screen.
System Monitor 1
(Selected OS: ...-9.6 (2023-12-06 10:16))
sysMon1>
Note: To boot the device normally next time, only add the external memory without the
recovery.txt file.
Specifying the IP parameters
2.1 IP parameter basics
When you install the device for the first time, specify the IP parameters.
The device provides the following options for entering the IP parameters during the first installation:
Entry using the Command Line Interface.
When you preconfigure your device outside its operating environment, or restore the network
access (“In-Band”) to the device, choose this “Out-of-Band” method.
Entry using the HiDiscovery protocol.
When you have a previously installed network device or you have another Ethernet connection
between your PC and the device, you choose this “In-Band” method.
Configuration using the external memory.
When you are replacing a device with a device of the same type and have already saved the
configuration in the external memory, you choose this method.
Using BOOTP.
To set up the installed device to use BOOTP, you choose this In-Band method. You need a
BOOTP server for this method. The BOOTP server assigns the configuration data to the device
using the MAC address of the device. The DHCP mode is the default mode for the configuration
data reference.
Configuration using DHCP.
To set up the installed device to use DHCP, you choose this In-Band method. You need a DHCP
server for this method. The DHCP server assigns the configuration data to the device using the
MAC address or the system name of the device.
Configuration using the Graphical User Interface.
When the device already has an IP address and is reachable using the network, the Graphical
User Interface provides you with another option for configuring the IP parameters.
2.1.1 IPv4
IP address
The IP addresses consist of 4 bytes. Write these 4 bytes in decimal notation, separated by a
decimal point.
The first byte of an IP address is the network address. The worldwide leading regulatory board for
assigning network addresses is the Internet Assigned Numbers Authority (IANA). When you require
an IP address block, contact your Internet Service Provider (ISP). Your ISP contacts their local
higher-level organization to reserve an IP address block:
APNIC (Asia Pacific Network Information Center)
Asia/Pacific Region
ARIN (American Registry for Internet Numbers)
Americas and Sub-Sahara Africa
LACNIC (Regional Latin-American and Caribbean IP Address Registry)
Latin America and some Caribbean Islands
RIPE NCC (Réseaux IP Européens)
Europe and Surrounding Regions
When the first bit of an IP address is 0, it belongs to class A. The first octet is less than 128.
When the first bit of an IP address is 1 and the second bit is 0, it belongs to class B. The first octet
is between 128 and 191.
When the first 2 bits of an IP address are 1, it belongs to class C. The first octet is higher than 191.
Assigning the address of the host (Host ID) is the responsibility of the network operator. The
network operator alone is responsible for the uniqueness of the assigned IP addresses.
Netmask
Routers and Gateways subdivide large networks into subnetworks. The netmask assigns the IP
addresses of the individual devices to a particular subnetwork.
You perform subnetwork division using the netmask in much the same way as the division of the
network addresses (net id) into classes A to C.
Set the bits of the host address (host id) that represent the mask to one. Set the remaining host
address bits to zero (see the following examples).
Decimal notation
255.255.192.0
Binary notation
11111111.11111111.11000000.00000000
Subnetwork mask bits
Class B
Decimal notation
129.218.65.17
128 < 129 ≤ 191 › Class B
Binary notation
10000001.11011010.01000001.00010001
Subnetwork 1
Network address
Decimal notation
129.218.129.17
128 < 129 ≤ 191 › Class B
Binary notation
10000001.11011010.10000001.00010001
Subnetwork 2
Network address
In a large network it is possible that Gateways and routers separate the management agent from
its network management station. How does addressing work in such a case?
Figure 11: The management agent is separated from its network management station by a router
(labels in the figure: Romeo, Juliet, Lorenzo, LAN 1, LAN 2)
The network management station “Romeo” wants to send data to the management agent “Juliet”.
Romeo knows Juliet's IP address and also knows that the router “Lorenzo” knows the way to Juliet.
Romeo therefore puts his message in an envelope and writes Juliet's IP address as the destination
address; for the source address he writes his own IP address on the envelope.
Romeo then places this envelope in a second one with Lorenzo's MAC address as the destination
and his own MAC address as the source. This process is comparable to going from Layer 3 to
Layer 2 of the ISO/OSI base reference model.
Finally, Romeo puts the entire data packet into the mailbox, which is comparable to going from
Layer 2 to Layer 1, that is, to sending the data packet over the Ethernet.
Lorenzo receives the letter, removes the outer envelope and recognizes from the inner envelope
that the letter is meant for Juliet. He places the inner envelope in a new outer envelope and
searches his address list (the ARP table) for Juliet's MAC address; he writes her MAC address on
the outer envelope as the destination address and his own MAC address as the source address.
He then places the entire data packet in the mail box.
Juliet receives the letter and removes the outer envelope. She finds the inner envelope with
Romeo's IP address. Opening the inner envelope and reading its contents corresponds to
transferring the message to the higher protocol layers of the ISO/OSI layer model.
Juliet would now like to send a reply to Romeo. She places her reply in an envelope with Romeo's
IP address as destination and her own IP address as source. But where is she to send the answer?
For she did not receive Romeo's MAC address. It was lost, because Lorenzo replaced the outer
envelope.
In the MIB, Juliet finds Lorenzo listed under the variable hmNetGatewayIPAddr as a means of
communicating with Romeo. She therefore puts the envelope with the IP addresses in a further
envelope with Lorenzo's MAC destination address.
The letter now travels back to Romeo through Lorenzo, the same way the first letter traveled from
Romeo to Juliet.
Class C with a maximum of 254 (2^8-2) addresses was too small, and class B with a maximum of
65534 (2^16-2) addresses was too large for most users, resulting in an ineffective usage of the
available class B addresses.
Class D contains reserved Multicast addresses. Class E is for experimental purposes. A non-
participating Gateway ignores experimental datagrams with these destination addresses.
Since 1993, RFC 1519 has been using Classless Inter-Domain Routing (CIDR) to provide a
solution. CIDR overcomes these class boundaries and supports classless address ranges.
With CIDR, you specify the number of bits that designate the IP address range. You represent the
IP address range in binary form and count the mask bits that designate the netmask. The mask bits
equal the number of bits used for the subnet in a given IP address range.
Example:
The term “supernetting” refers to combining a number of class C address ranges. Supernetting lets
you subdivide class B address ranges to a fine degree.
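The netmask example, the Romeo and Juliet walk-through and the CIDR bit counting above can be checked with the following added example, which is not part of the manual. The gateway address 129.218.64.1, the second destination and the 192.168.x.0/24 ranges are constructed sample values.

```python
import ipaddress


def mask_to_prefix_len(netmask: str) -> int:
    """Count the mask bits (CIDR notation); reject masks with gaps in the one-bits."""
    value = int(ipaddress.IPv4Address(netmask))
    inverted = value ^ 0xFFFFFFFF
    # A usable mask is a run of ones followed by zeros, so the inverted
    # value plus one must be a power of two.
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous netmask: {netmask}")
    return bin(value).count("1")


def subnet_of(address: str, netmask: str) -> str:
    """AND the address with the mask to get the subnetwork it belongs to."""
    addr = int(ipaddress.IPv4Address(address))
    mask = int(ipaddress.IPv4Address(netmask))
    network = ipaddress.IPv4Address(addr & mask)
    return f"{network}/{mask_to_prefix_len(netmask)}"


def next_hop(source: str, netmask: str, destination: str, gateway: str) -> str:
    """Return the IP address whose MAC address goes on the outer envelope.

    Same subnetwork: the destination itself is resolved with ARP.
    Different subnetwork: the frame is addressed to the gateway (Lorenzo).
    """
    if subnet_of(source, netmask) == subnet_of(destination, netmask):
        return destination
    return gateway


def supernet(ranges: list[str]) -> list[str]:
    """Combine adjacent address ranges into the smallest set of CIDR blocks."""
    networks = [ipaddress.ip_network(r) for r in ranges]
    return [str(n) for n in ipaddress.collapse_addresses(networks)]


if __name__ == "__main__":
    mask = "255.255.192.0"
    gateway = "129.218.64.1"          # constructed sample value
    for host in ("129.218.65.17", "129.218.129.17"):
        print(host, "is in", subnet_of(host, mask))
    print("next hop:", next_hop("129.218.65.17", mask, "129.218.129.17", gateway))
    print("supernet:", supernet([f"192.168.{i}.0/24" for i in range(4)]))
```
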
2.1.2 IPv6
IP parameter basics
The Internet Protocol version 6 (IPv6) is the new version of the Internet Protocol version 4 (IPv4).
The need to implement IPv6 was due to the fact that IPv4 addresses are not sufficient in the context
of the growing Internet today. The IPv6 protocol is described in RFC 8200.
Both IPv4 and IPv6 protocols can operate at the same time in the device. This is possible with the
use of the Dual IP Layer technique, also referred to as Dual Stack.
Note: If you want the device to operate only using the IPv4 function, then disable the IPv6 function
in the device.
Address representation
The IPv6 address consists of 128 bits. It is represented as 8 groups of 4 hexadecimal digits, each
group representing 16 bits, further referred to as a hextet. The hextets are separated by colons (:).
IPv6 addresses are not case-sensitive and you can write them in either lowercase or uppercase.
In accordance with RFC 4291, the preferred format for an IPv6 address is x:x:x:x:x:x:x:x. Each “x”
consists of 4 hexadecimal values and represents a hextet. An example of a preferred format of an
IPv6 address is shown in the figure below.
X:X:X:X:X:X:X:X, where each X ranges in binary from 0000 0000 0000 0000 to 1111 1111 1111 1111
As you can see in the figure above, usually an IPv6 address contains many zeros. To shorten IPv6
addresses that contain 0 bits, it is necessary to follow 2 writing rules:
The first rule is to discard the leading zeros in every hextet. This rule is only applied to leading
zeros and not to the trailing zeros of a hextet. If the trailing zeros are also discarded, then the
resulting address is ambiguous.
The second rule uses a special syntax to compress the zeros. You can use 2 adjacent colons
“::” to replace a string of adjacent hextets that contain only zeros. The “::” sign can be used only
one time in an address. If the “::” sign is used more than one time in an address representation,
then there can be more than one possible address expanded from that notation.
When the two rules are applied, the result is commonly known as the compressed format.
In the table below you can find 2 examples of how these rules are applied:
Table 9: IPv6 address compression
Example 1
Preferred: CC03:0000:0000:0000:0001:AB30:0400:FF02
No leading zeros: CC03:0:0:0:1:AB30:400:FF02
Compressed: CC03::1:AB30:400:FF02
Example 2
Preferred: 2008:00B7:0000:DEF0:DDDD:0000:E604:0001
No leading zeros: 2008:B7:0:DEF0:DDDD:0:E604:1
Compressed: 2008:B7::DEF0:DDDD:0:E604:1
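The two writing rules can be applied mechanically, as in this added example (not part of the manual), which reproduces both rows of Table 9. Because one address has several valid text forms, the example also compares addresses by their parsed 128-bit value rather than as strings, which is what an access rule or a log search should do. Picking the leftmost of equally long zero runs is an assumption chosen to match the second table row.

```python
import ipaddress
import string

HEX_DIGITS = set(string.hexdigits)


def drop_leading_zeros(preferred: str) -> list[str]:
    """Rule 1: discard leading zeros in every hextet, never trailing ones."""
    hextets = preferred.split(":")
    if len(hextets) != 8:
        raise ValueError("preferred format needs exactly 8 hextets")
    for h in hextets:
        if not 1 <= len(h) <= 4 or not set(h) <= HEX_DIGITS:
            raise ValueError(f"invalid hextet: {h!r}")
    return [format(int(h, 16), "X") for h in hextets]


def compress(preferred: str) -> str:
    """Rule 2: replace one run of all-zero hextets with '::' (used only once)."""
    hextets = drop_leading_zeros(preferred)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if hextets[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and hextets[j] == "0":
            j += 1
        if j - i > best_len:          # strictly longer: the leftmost run wins ties
            best_start, best_len = i, j - i
        i = j
    if best_len == 0:
        return ":".join(hextets)
    head = ":".join(hextets[:best_start])
    tail = ":".join(hextets[best_start + best_len:])
    return f"{head}::{tail}"


def same_address(a: str, b: str) -> bool:
    """Compare two text forms by their 128-bit value, not by spelling."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


def is_valid_text(text: str) -> bool:
    """False for ambiguous or malformed notation, for example '::' used twice."""
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for preferred in ("CC03:0000:0000:0000:0001:AB30:0400:FF02",
                      "2008:00B7:0000:DEF0:DDDD:0000:E604:0001"):
        short = compress(preferred)
        print(preferred, "->", short, "| same address:", same_address(preferred, short))
    print("'CC03::1::FF02' valid:", is_valid_text("CC03::1::FF02"))
```
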
Prefix length
Unlike an IPv4 address, an IPv6 address does not use a subnet mask to identify the network portion
of an address. Instead, the IPv6 protocol uses the prefix length.
The text representation of IPv6 address prefixes is similar to the way IPv4 address prefixes are
written in Classless Inter-Domain Routing (CIDR):
<ipv6-address>/<prefix-length>
The prefix length range is 0..128. The typical IPv6 prefix length for LANs and other types of
networks is /64. This means that the network portion of the address is 64 bits in length. The
remaining 64 bits represent the Interface ID, similar to the host portion of the IPv4 address.
In the figure below you can find an example of prefix length bits allocation.
2009:0CB8:0000:0004 0000:0000:0000:0010
Address types
The IPv6 address types are identified by the high-order bits of the address, as in the table below:
Table 10: IPv6 address types
The IPv6 address with every bit set to 0 is called the Unspecified address, which corresponds to
0.0.0.0 in IPv4. The Unspecified address is used only to indicate the absence of an address. It is
typically used as a source address when a unique address is not determined yet.
The unicast address 0:0:0:0:0:0:0:1 is called the Loopback address. The Loopback address can be
used by a device to send an IPv6 packet to itself. The Loopback address cannot be assigned to a
physical interface.
IPv6 does not have a broadcast address like IPv4. But there is an IPv6 all-nodes Multicast address
that essentially gives the same result.
An IPv6 Multicast address is used to send an IPv6 packet to multiple destinations. The structure of
a Multicast address is as follows:
The first 8 bits are set to FF.
The next 4 bits are the lifetime of the address: 0 is permanent and 1 is temporary.
The next 4 bits identify the scope of the Multicast address, meaning how far the packets are
transmitted through the network.
The Link-Local address is used to communicate with other devices on the same link. The term “link”
refers to a subnet. Routers do not forward packets with link-local source or destination addresses
to other links.
Link-local addresses are used to transmit packets on a single link for scopes such as automatic
address configuration, neighbor discovery, or when no routers are present. They have the following
format:
Table 11: Link-Local Address format
A Global Unicast address is globally unique and can be routed over the Internet. Addresses of this
type are equivalent to public IPv4 addresses. Currently, only Global Unicast addresses with
the first three bits set to 001, that is 2000::/3, are assigned.
The Subnet ID is used by an organization to identify its subnets and is up to 16 bits long.
The length of the Subnet ID is given by the length of the Global Routing Prefix.
The Interface ID identifies an interface of a particular node. The term Interface ID is used because
one host can have multiple interfaces, each having one or more IPv6 addresses.
The general format for IPv6 Global Unicast addresses is represented in the figure below.
Figure 13: IPv6 Global Unicast address general format (figure label: 64 Bits prefix)
2.2 Specifying the IP parameters using the Command Line Interface
2.2.1 IPv4
Entering IP addresses
Note: If a terminal or PC with terminal emulation is unavailable in the vicinity of the installation
location, you can set up the device at your own workstation, then take it to its final installation
location.
Deactivate DHCP.
After entering the IP parameters, you can easily set up the device using the Graphical User Interface.
2.2.2 IPv6
The device lets you specify the IPv6 parameters using the Command Line Interface over the serial
interface. Another option to access the Command Line Interface is an SSH connection using
the IPv4 management address.
After entering the IPv6 parameters, you can easily set up the device using the Graphical User Interface.
To use an IPv6 address in a URL, use the following URL syntax: https://[<ipv6_address>].
2.3 Specifying the IP parameters using HiDiscovery
The HiDiscovery protocol lets you assign IP parameters to the device using the Ethernet.
You can easily set up other parameters using the Graphical User Interface.
When HiDiscovery is started, HiDiscovery automatically searches the network for those devices
which support the HiDiscovery protocol.
HiDiscovery uses the first network interface found for the PC. When your computer has several
network cards, you can select the one you desire in the HiDiscovery toolbar.
HiDiscovery displays a line for every device that responds to a HiDiscovery protocol inquiry.
Note: Disable the HiDiscovery function in the device after you have assigned the IP parameters to
the device.
Note: Save the settings so that you will still have the entries after a restart.
2.4 Specifying the IP parameters using the Graphical User Interface
2.4.1 IPv4
2.4.2 IPv6
Note: When you change the allocation mode of the IPv6 address, the device activates the new
mode immediately after you click the button.
If necessary, you enter the Gateway address in the IP parameter frame.
Note: If the Auto radio button is selected and you use a Router Advertisement Daemon
(radvd), then the device automatically receives a link-local type Gateway address with a higher
metric than the manually set Gateway address.
In the Duplicate Address Detection frame you can specify the number of consecutive
Neighbor Solicitation messages that the device sends for the Duplicate Address Detection
function (see on page 62 “Duplicate Address Detection function”).
2.5 Specifying the IP parameters using BOOTP
With the BOOTP function activated the device sends a boot request message to the BOOTP server.
The boot request message contains the Client ID specified in the Basic Settings > Network > IPv4
dialog. The BOOTP server enters the Client ID into a database and assigns an IP address. The
server answers with a boot reply message. The boot reply message contains the assigned IP
address.
2.6 Specifying the IP parameters using DHCP
2.6.1 IPv4
The Dynamic Host Configuration Protocol (DHCP) is a further development of BOOTP, which it has
replaced. DHCP additionally lets you configure a DHCP client using a name instead of
the MAC address.
For the DHCP, this name is known as the Client Identifier in accordance with RFC 2131.
The device uses the name entered under sysName in the system group of the MIB II as the Client
Identifier. You can change the system name using the Graphical User Interface (see dialog Basic
Settings > System), the Command Line Interface or SNMP.
The device sends its system name to the DHCP server. The DHCP server then uses the system
name to allocate an IP address as an alternative to the MAC address.
The device applies the configuration data to the appropriate parameters. When the DHCP server
assigns the IP address, the device permanently saves the configuration data in non-volatile
memory.
Table 12: DHCP options which the device requests
Options Meaning
1 Subnet Mask
2 Time Offset
3 Router
4 Time server
12 Hostname
42 NTP server
61 Client Identifier
66 TFTP Server Name
67 Bootfile Name
The advantage of using DHCP instead of BOOTP is that the DHCP server can restrict the validity
of the configuration parameters (“Lease”) to a specific time period (known as dynamic address
allocation). Before this period (“Lease Duration”) elapses, the DHCP client can attempt to renew
this lease. As an alternative, the client can negotiate a new lease. The DHCP server then allocates
a random free address.
To help avoid this, DHCP servers provide the explicit configuration option of assigning a specific
client the same IP address based on a unique hardware ID (known as static address assignment).
In the default setting, DHCP is activated. As long as DHCP is active, the device attempts to obtain
an IP address. When the device cannot find a DHCP server after restarting, it will not have an IP
address. The Basic Settings > Network > IPv4 dialog lets you activate or deactivate DHCP.
Note: When using Industrial HiVision network management, verify that DHCP allocates the original
IP address to every device.
The lines preceding the individually listed devices refer to settings that apply to the following device.
2.6.2 IPv6
The Dynamic Host Configuration Protocol version 6 (DHCPv6) is a network protocol that is used to
dynamically specify IPv6 addresses. This protocol is the IPv6 equivalent of the Dynamic Host
Configuration Protocol (DHCP) for IPv4. DHCPv6 is described in RFC 8415.
The device uses a DHCP Unique Identifier (DUID) to send a request to the DHCPv6 server. In the
device, the DUID represents the Client ID that the DHCPv6 server uses to identify the device that
requested an IPv6 address.
The Client ID is displayed in the Basic Settings > Network > IPv6 dialog, in the DHCP frame.
The device can receive only one IPv6 address from the DHCPv6 server, with a PrefixLength of 128.
No Gateway address information is provided. If needed, you can manually specify Gateway address
information.
In the default setting, DHCPv6 protocol is deactivated. You can activate or deactivate the protocol
in the Basic Settings > Network > IPv6 dialog. Verify that the DHCPv6 radio button is selected in the
Configuration frame.
If you want to dynamically get an IPv6 address with a PrefixLength other than 128, then select the
Auto radio button. An example here is the use of a Router Advertisement Daemon (radvd). The
radvd uses Router Solicitation and Router Advertisement messages to automatically set up an IPv6
address.
In the default setting, the Auto radio button is selected. You can select or deselect the Auto radio
button in the Basic Settings > Network > IPv6 dialog, in the Configuration frame.
If the All radio button is selected, then the device receives its IPv6 parameters using every
alternative for both dynamic and manual assignments.
2.7 Management address conflict detection
You can assign an IP address to the device using several different methods. This function helps the
device detect IP address conflicts on a network after system startup; the device also checks
periodically during operation. This function is described in RFC 5227.
When enabled, the device sends an SNMP trap informing you that it detected an IP address
conflict.
The following list contains the default settings for this function:
• Operation: On
• Detection mode: active and passive
• Send periodic ARP probes: marked
• Detection delay [ms]: 200
• Release delay [s]: 15
• Address protections: 3
• Protection interval [ms]: 200
• Send trap: marked
Actively checking the network helps prevent the device from connecting to the network with a
duplicate IP address. After connecting the device to a network or after configuring the IP address,
the device immediately checks if its IP address exists within the network. To check the network for
address conflicts, the device sends 4 ARP probes with the detection delay of 200 ms into the
network. When the IP address exists, the device attempts to return to the previous configuration,
and makes another check after the specified release delay time.
When you disable active detection, the device sends 2 gratuitous ARP announcements in 2 s
intervals. Using the ARP announcements with passive detection enabled, the device polls the
network to determine if there is an address conflict. After resolving an address conflict or after
the release delay time has expired, the device reconnects to the network. Following 10 detected
conflicts, when the specified release delay interval is less than 60 s, the device sets the release
delay interval to 60 s.
After the device performs active detection or you disable the active detection function, with passive
detection enabled the device listens on the network for other devices using the same IP address.
When the device detects a duplicate IP address, it initially defends its address by employing the
ACD mechanism in the passive detection mode and sends out gratuitous ARPs. The number of
protections that the device sends and the protection interval are configurable. To resolve conflicts,
if the remote device remains connected to the network, then the network interface of the local
device disconnects from the network.
When a DHCP server assigns an IP address to the device and an address conflict occurs, the
device returns a DHCP decline message.
The device uses the ARP probe method. This has the following advantages:
• ARP caches on other devices remain unchanged
• the method is robust through multiple ARP probe transmissions
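The ARP probe method from RFC 5227 referenced above, as an added example that is not code from the manual or the device firmware: a probe carries the sender IP address 0.0.0.0, which is why other devices have nothing to store in their ARP caches, and a listener reports a conflict when a foreign MAC address appears as the sender for its own IP address. All MAC and IP addresses are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

ARP_FORMAT = "!HHBBH6s4s6s4s"        # Ethernet/IPv4 ARP payload, 28 bytes
REQUEST, REPLY = 1, 2
UNSPECIFIED = IPv4Address("0.0.0.0")
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an ARP payload (used here only to construct sample input)."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), IPv4Address(target_ip).packed)


def parse_arp(payload: bytes) -> dict:
    if len(payload) < 28:
        raise ValueError("ARP payload shorter than 28 bytes")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FORMAT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sender_mac": sha.hex(":"),
            "sender_ip": IPv4Address(spa), "target_ip": IPv4Address(tpa)}


def is_probe(pkt: dict) -> bool:
    """ARP probe: a request with sender IP 0.0.0.0, so no cache entry is created."""
    return pkt["oper"] == REQUEST and pkt["sender_ip"] == UNSPECIFIED


def is_announcement(pkt: dict) -> bool:
    """Gratuitous ARP announcement: a request with sender IP equal to target IP."""
    return (pkt["oper"] == REQUEST and pkt["sender_ip"] != UNSPECIFIED
            and pkt["sender_ip"] == pkt["target_ip"])


def classify(payload: bytes, my_ip: str, my_mac: str) -> str:
    """Classify one received ARP payload from the view of the station my_ip/my_mac."""
    pkt = parse_arp(payload)
    if pkt["sender_mac"] == my_mac.lower():
        return "own"
    if pkt["sender_ip"] == IPv4Address(my_ip):
        return "conflict"             # another station already uses the address
    if is_probe(pkt) and pkt["target_ip"] == IPv4Address(my_ip):
        return "competing-probe"      # another station is probing for the same address
    return "unrelated"


def find_conflicts(payloads, my_ip: str, my_mac: str) -> list:
    """Return (verdict, sender MAC) for every payload that disputes my_ip."""
    hits = []
    for payload in payloads:
        verdict = classify(payload, my_ip, my_mac)
        if verdict in ("conflict", "competing-probe"):
            hits.append((verdict, parse_arp(payload)["sender_mac"]))
    return hits


# Constructed sample traffic (documentation address range, local MAC addresses).
MY_IP, MY_MAC = "192.0.2.10", "02:00:00:00:00:01"
SAMPLE = [
    build_arp(REQUEST, MY_MAC, "0.0.0.0", ZERO_MAC, MY_IP),              # own probe
    build_arp(REPLY, "02:00:00:00:00:02", MY_IP, MY_MAC, "0.0.0.0"),     # address in use
    build_arp(REQUEST, "02:00:00:00:00:03", "0.0.0.0", ZERO_MAC, MY_IP),  # rival probe
    build_arp(REQUEST, "02:00:00:00:00:04", "192.0.2.20", ZERO_MAC, "192.0.2.20"),
]

if __name__ == "__main__":
    for verdict, mac in find_conflicts(SAMPLE, MY_IP, MY_MAC):
        print(verdict, "from", mac)
```
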
2.8 Duplicate Address Detection function
The Duplicate Address Detection function determines the uniqueness of an IPv6 unicast address on
an interface. The function is performed when an IPv6 address is set up manually, or using the
DHCPv6, or Auto methods. The function is also triggered by a change in a link status, for example,
a link status change from down to up.
The Duplicate Address Detection function uses Neighbor Solicitation and Neighbor Advertisement
messages. You have the option to set the number of consecutive Neighbor Solicitation messages
that the device sends. To do this, perform the following steps:
Note: If the Duplicate Address Detection function discovers that an IPv6 address is not unique on a
link, then the device does not log this event in the log file (System Log).
Access to the device
3.1 First login (Password change)
To help prevent undesired access to the device, it is imperative that you change the default
password during initial setup.
Note: If you lost your password, then contact your local support team.
3.2 Authentication lists
When a user accesses the device using a specific connection, the device verifies the login
credentials of the user in an authentication list which contains the policies that the device applies
for authentication.
The prerequisite for a user to access the device management is that at least one policy is assigned
to the authentication list of the application through which access is performed.
3.2.1 Applications
The device provides an application for each type of connection through which someone accesses
the device:
Access to the Command Line Interface using a serial connection: Console(V.24)
Access to the Command Line Interface using SSH: SSH
Access to the Command Line Interface using Telnet: Telnet
Access to the Graphical User Interface: WebInterface
The device also provides an application to control the access to the network from connected end
devices using port-based access control: 8021x
3.2.2 Policies
When a user logs in with valid login data, the device lets the user have access to its device
management. The device authenticates the users using the following policies:
User management of the device
RADIUS
When the end device logs in with valid login data, the device lets the connected end devices have
access to the network with the port-based access control according to IEEE 802.1X. The device
authenticates the end devices using the following policies:
RADIUS
IAS (Integrated Authentication Server)
The device gives you the option of a fall-back solution. For this, you specify more than one policy
in the authentication list. When authentication is unsuccessful using the current policy, the device
applies the next specified policy.
You manage the authentication lists in the Graphical User Interface or in the Command Line
Interface. To do this, perform the following steps:
show authlists
    To display the authentication lists that are set up.
Deactivate the authentication list for those applications by means of which no access to the
device is performed, for example 8021x.
Example: Set up a separate authentication list for the application WebInterface which is by default
included in the authentication list defaultLoginAuthList.
The device forwards authentication requests to a RADIUS server in the network. As a fall-back
solution, the device authenticates users using the local user management. To do this, perform the
following steps:
Create an authentication list loginGUI.
authlists set-policy loginGUI radius local reject reject reject
    To assign the policies radius, local and reject to the authentication list loginGUI.
show authlists
    To display the authentication lists that are set up.
3.3 User management
When a user logs in with valid login data, the device lets the user have access to its device
management. The device authenticates the users either using the local user management or with
a RADIUS server in the network. To get the device to use the user management, assign the local
policy to an authentication list, see the Device Security > Authentication List dialog.
In the local user management, you manage the user accounts. One user account is usually
allocated to each user.
The device lets you use a role-based authorization model to specifically control the access to the
device management. Users to whom a specific authorization profile is allocated are allowed to use
commands and functions from the same authorization profile or a lower one.
The device uses the authorization profiles on every application with which the device management
can be accessed.
Note: The following applies to the Command Line Interface: Users to whom a specific authorization
profile is assigned are allowed to use commands and functions from this authorization profile or a
lower level role. The commands available to a user also depend on the Command Line Interface
mode in which the user is currently working. See “Mode-based command hierarchy” on page 22.
Every user account is linked to an access role that regulates the access to the individual functions
of the device. Depending on the planned activity for the respective user, you assign a pre-defined
access role to the user. The device differentiates between the following access roles.
Administrator
Auditor
Operator User
You manage the user accounts in the Graphical User Interface or in the Command Line Interface.
To do this, perform the following steps:
show users
    To display the user accounts that are set up.
In the default setting, the user account admin is set up in the device.
Table 14: Settings of the default user account
Change the password for the admin user account before making the device available in the
network.
To help prevent undesired access, change the password of the default user account. To do this,
perform the following steps:
Change the password for the admin user account.
Note: The password check can lead to a message in the Security status frame in the Basic
Settings > System dialog. You specify the settings that cause this message in the Basic
Settings > System dialog.
Click the table row of the relevant user account in the Password field. Enter a password of
at least 6 characters.
Up to 64 alphanumeric characters are allowed.
The device differentiates between upper and lower case.
The minimum length of the password is specified in the Configuration frame. The device
constantly checks the minimum length of the password.
Allocate a separate user account to each user that accesses the device management. In this way
you can specifically control the authorizations for the access.
In the following example, you set up the user account for a user USER with the access role
operator. Users with the access role operator are authorized to monitor and set up the device,
with the exception of security-related settings. To do this, perform the following steps:
Create a user account.
Note: When you are setting up a new user account in the Command Line Interface, remember to
allocate the password.
After a user account is deactivated, the device denies the related user access to the device
management. In contrast to completely deleting it, deactivating a user account lets you keep the
settings and reuse them in the future. To do this, perform the following steps:
To keep the user account settings and reuse them in the future, you temporarily deactivate the
user account.
To permanently deactivate the user account settings, you delete the user account.
The device lets you check if the passwords for the user accounts match the specified policy. When
the passwords match the policy, you obtain a higher complexity for the passwords.
The user management of the device lets you activate or deactivate the check separately in each
user account. When you mark the checkbox and the new password fulfills the requirements of the
policy, the device accepts the password change.
In the default settings, practical values for the policy are set up in the device. You have the option
of adjusting the policy to meet your requirements. To do this, perform the following steps:
Adjust the policy for passwords to meet your requirements.
Note: The device lets only users with the administrator authorization remove the lock.
The number of login attempts as well as the possible lockout of the user apply only when
accessing the device management through:
the Graphical User Interface
the SSH protocol
the Telnet protocol
Note: When accessing the device management using the Command Line Interface through the
serial connection, the number of login attempts is unlimited.
Specify the values to meet your requirements.
In the Login attempts field you specify the number of times that a user attempts to log in.
The field lets you define this value in the range 0..5.
In the above example, the value 0 deactivates the function.
The Min. password length field lets you enter values in the range 1..64.
The dialog displays the policy set up in the Password policy frame.
Adjust the values to meet your requirements.
Values in the range 1 through 16 are allowed.
The value 0 deactivates the relevant policy.
To apply the entries specified in the Configuration and Password policy frames, mark the
checkbox in the Policy check column for a particular user.
3.4 SNMP access
The Simple Network Management Protocol (SNMP) lets you work with a network management
system to monitor the device over the network and change its settings.
Using SNMPv1 or SNMPv2 the network management system and the device communicate
unencrypted. Every SNMP packet contains the community name in plain text and the IP address
of the sender.
The community names public for read-only access and private for read and write access are
preset in the device. If SNMPv1/v2 is enabled, then the device lets anyone who knows the
community name have access to the device.
Make undesired access to the device more difficult. To do this, perform the following steps:
Change the default community names in the device.
Treat the community names with discretion.
Anyone who knows the community name for write access has the ability to change the settings
of the device.
Specify a different community name for read and write access than for read-only access.
Use SNMPv1 or SNMPv2 only in environments protected from eavesdropping. The protocols
do not use encryption.
We recommend using SNMPv3 and disabling the access using SNMPv1 and SNMPv2 in the
device.
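To see why the community name is no secret on the wire, the following added example (not part of the manual) decodes the outer BER structure of an SNMP message and reports the version and community name it finds, flagging the preset names public and private. The sample datagrams are constructed in the code; the SNMPv3 sample is cut down to the version field, which is all the check reads.

```python
DEFAULT_COMMUNITIES = {"public", "private"}   # names preset in the device
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def read_tlv(buf: bytes, offset: int = 0):
    """Read one BER element with definite length; return (tag, value, next_offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[offset], buf[offset + 1]
    offset += 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or offset + n > len(buf):
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[offset:offset + n], "big")
        offset += n
    end = offset + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[offset:end], end


def inspect_snmp(datagram: bytes) -> dict:
    """Report version, community name and a finding for one SNMP message."""
    tag, body, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, raw_version, pos = read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = SNMP_VERSIONS.get(int.from_bytes(raw_version, "big"))
    if version is None:
        raise ValueError("unknown SNMP version")
    if version == "v3":
        return {"version": version, "community": None, "finding": "snmpv3"}
    tag, raw_community, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    community = raw_community.decode("latin-1")
    finding = ("default-community" if community in DEFAULT_COMMUNITIES
               else "cleartext-community")
    return {"version": version, "community": community, "finding": finding}


def tlv(tag: int, value: bytes) -> bytes:
    """Minimal encoder for the constructed samples (short lengths only)."""
    if len(value) > 127:
        raise ValueError("sample encoder handles short lengths only")
    return bytes([tag, len(value)]) + value


def sample_get_request(version: int, community: bytes) -> bytes:
    """Constructed SNMPv1/v2c GetRequest for sysName.0 (1.3.6.1.2.1.1.5.0)."""
    oid = bytes.fromhex("2b06010201010500")
    varbind = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community) + pdu)


# Constructed SNMPv3 sample: only the version field, the rest is omitted.
SAMPLE_V3 = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, b""))

if __name__ == "__main__":
    for packet in (sample_get_request(0, b"public"),
                   sample_get_request(1, b"plant-ro-7f3a"),
                   SAMPLE_V3):
        print(inspect_snmp(packet))
```
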
Using SNMPv3, the network management system and the device communicate encrypted. The
network management system authenticates itself with the device using the login credentials of a
user. The prerequisite for the SNMPv3 access is that the network management system uses the
same settings that are defined in the device.
The device lets you specify the SNMP auth type and SNMP encryption type parameters individually in
each user account.
When you set up a new user account in the device, the parameters are preset so that the network
management system Industrial HiVision reaches the device immediately.
The user accounts set up in the device use the same passwords in the Graphical User Interface, in
the Command Line Interface, and for SNMPv3.
To adapt the SNMPv3 parameters of the user account settings to the settings in the network
management system, perform the following steps:
SNMP version 3 lets the device use encrypted communication with a network management
system.
For this, you need to set up the following roles in the device:
• SNMPv3 trap users
• SNMPv3 trap hosts
An SNMPv3 trap user has the permission to send SNMPv3 traps to the specified SNMPv3 trap
hosts.
An SNMPv3 trap user is exclusively for sending SNMPv3 traps to SNMPv3 trap hosts. Do not
confuse SNMPv3 trap users with device user accounts. See section “Managing user accounts” on
page 69.
The device supports encryption and authentication for sending SNMPv3 traps. The device lets you
set up SNMPv3 trap users.
To modify an existing SNMPv3 trap user, delete the user and add a new user with the desired
settings.
An SNMPv3 trap host is the destination for an SNMPv3 trap that the device sends.
snmp notification host add <hostname1> a.b.c.d user <name2> auth-priv
    To add the SNMPv3 trap host <hostname1>
    • With the IPv4 address <a.b.c.d>
    • Username <name2>
    • With authentication and encryption
show snmp notification hosts
    To display the SNMPv3 trap host settings.
save
    To save the settings in the non-volatile memory (nvm) in the “selected” configuration profile.
To modify an existing SNMPv3 trap host, delete the host and add a new host with the desired
settings.
3.5 Out-of-Band access
The device has a separate port that lets you access the device management out-of-band. When
there is a high in-band load on the switching ports, you can still use this separate port to access the
device management.
The prerequisite is that you connect the management station directly to the USB port. When you
use Microsoft Windows, install the RNDIS driver, where necessary. Once you connect the
management station, it can communicate with the device management over a virtual network
connection.
In the default setting, you can access the device management through this port using the following
IP parameters:
IP address 192.168.248.100
Netmask 255.255.255.0
The device lets you access the device management using the following protocols:
SNMP
Telnet
SSH
HTTP
HTTPS
FTP
SCP
TFTP
SFTP
When you connect the management station through the USB port, the device assigns the IP
address of the USB network interface, increased by 1, to the management station
(192.168.248.101 in the default setting). The device lets you change the IP parameters to adapt
the device to the requirements of your environment.
Verify that the IP subnet of this network interface does not overlap with any subnet connected to
another interface of the device:
• Management interface
If the management station accesses the device management through the USB port, then the device
disconnects the Graphical User Interface and Command Line Interface immediately after you have
performed the changes.
In the default setting, the USB network interface is enabled. If you do not want someone to access
device management through the USB port, then the device lets you disable the USB network
interface.
If the management station accesses the device management through the USB port, then the device
disconnects the Graphical User Interface and Command Line Interface immediately after you have
performed the changes.
Synchronizing the system time in the network
4.1 Setting the time
Many applications rely on a time that is as correct as possible. The necessary accuracy, and thus
the allowable deviation from the actual time, depends on the application area.
The device lets you synchronize the time in the network using the following options:
• The Simple Network Time Protocol (SNTP) is a simple solution for low accuracy requirements.
Under ideal conditions, the Simple Network Time Protocol (SNTP) achieves accuracy in the
millisecond range. The accuracy depends on the signal delay.
• The Precision Time Protocol (PTP) along with IEEE 1588 achieves accuracy on the order of
sub-microseconds. This protocol is suitable for demanding applications up to and including
process control.
When the involved devices support the Precision Time Protocol (PTP), it is the better choice. The
Precision Time Protocol (PTP) is more accurate, has advanced methods of error correction, and
causes only a low network load. The implementation of the Precision Time Protocol (PTP) is
comparatively easy.
Note: According to the Precision Time Protocol (PTP) and Simple Network Time Protocol (SNTP)
standards, both protocols can operate in parallel in the same network. However, since both
protocols can influence the system time of the device, situations can occur in which the two
protocols conflict with each other.
When there is no reference time source available to you, you can manually set the system time in
the device.
When you start the device after it has been powered down for some time, it initializes the clock with
January 1 2023, 01:00 UTC+1. After being powered down, the device buffers the settings of its
real-time clock for up to 24 hours.
As an alternative, you can set up the device to obtain the current time using one of the following
protocols:
• Simple Network Time Protocol
• Precision Time Protocol
• 802.1AS protocol
4.2 Automatic daylight saving time changeover
When you operate the device in a time zone with a summer time change, the device lets you set
up the automatic daylight saving time changeover.
If the Daylight saving time mode is enabled, the device advances the local system time by one hour
during the summer time. At the end of summer time, the device sets the local system time back
again by one hour.
The device lets you specify the start and end of daylight saving time using pre-defined profiles.
To select the EU profile for the daylight saving time settings, perform the following steps:
Open the Time > Basic Settings dialog, Daylight saving time tab.
In the Operation frame, click the Profile... button.
Select the EU item from the Profile... list.
Selecting a profile overwrites the settings specified in the Summertime begin and
Summertime end frames.
Click the Ok button.
The network administrator wants to specify the following daylight saving time settings:
Summertime begin
– Week = last
– Day = Sunday
– Month = March
– System time = 02:00
Summertime end
– Week = last
– Day = Sunday
– Month = October
– System time = 03:00
Open the Time > Basic Settings dialog, Daylight saving time tab.
Enable the Daylight saving time mode. To do this, in the Operation frame, select the On radio
button.
In the Summertime begin frame, specify the following settings:
– Week = last
– Day = Sunday
– Month = March
– System time = 02:00
In the Summertime end frame, specify the following settings:
– Week = last
– Day = Sunday
– Month = October
– System time = 03:00
4.3 SNTP
The Simple Network Time Protocol (SNTP) lets you synchronize the system time in the network.
The device supports the SNTP client and the SNTP server function.
The SNTP server makes the Universal Time Coordinated (UTC) available. UTC is the time relating
to the coordinated world time measurement. UTC is the same worldwide and does not take local
time shifts into account.
SNTP is a simplified version of Network Time Protocol (NTP). The data packets are identical with
SNTP and NTP. Accordingly, both NTP and SNTP servers serve as a time source for SNTP clients.
Note: Statements in this chapter relating to external SNTP servers also apply to NTP servers.
SNTP knows the following operation modes for the transmission of time:
Unicast
In Unicast operation mode, an SNTP client sends requests to an SNTP server and expects a
response from this server.
Broadcast
In Broadcast operation mode, an SNTP server sends SNTP messages to the network in
specified intervals. SNTP clients receive these SNTP messages and evaluate them.
Note: An SNTP server in Broadcast operation mode also responds to direct requests using Unicast
from SNTP clients. In contrast, SNTP clients work in either Unicast or Broadcast operation mode.
4.3.1 Preparation
[Figure: example SNTP network. Labels: GPS, PLC, Switch, Switch, SNTP server, SNTP client; addresses shown: 192.168.1.1, 192.168.1.11, 192.168.1.12]
Note: For precise time distribution, between SNTP servers and SNTP clients you preferably use
network components (routers and switches) that forward the SNTP packets with a low and uniform
transmission time (latency).
An SNTP client sends its requests to up to 4 set-up SNTP servers. When there is no response
from the first SNTP server, the SNTP client sends its requests to the second SNTP server.
When this request is also unsuccessful, it sends the request to the 3rd and finally to the 4th
SNTP server. If none of these SNTP servers respond, the SNTP client loses its synchronization.
The SNTP client periodically sends requests to each SNTP server until a server delivers a valid
time.
Note: The device provides the option of obtaining a list of SNTP server IP addresses from a DHCP
server.
If no reference time source is available to you, then determine a device with an SNTP server as
a reference time source. Adjust its system time at regular intervals.
As an SNTP client, the device obtains the time information from SNTP or NTP servers and
synchronizes its system clock accordingly. To do this, perform the following steps:
When operating as an SNTP server, the device distributes its system time as Universal Time
Coordinated (UTC) to the network. To do this, perform the following steps:
Note: Except for the Broadcast destination address field, the remaining settings are applicable
for both IPv4 and IPv6 SNTP servers.
4.4 PTP
For LAN-controlled applications to operate without latency, precise time management is required.
With Precision Time Protocol (PTP), IEEE 1588 describes a method that enables precise
synchronization of clocks in the network.
PTP permits synchronization with an accuracy of a few 100 ns. PTP uses Multicasts for the
synchronization messages, which keeps the network load low.
PTP defines the roles of “master” and “slave” for the clocks in the network:
A master clock (reference time source) distributes its time.
A slave clock synchronizes itself with the timing signal received from the master clock.
Boundary clock
The transmission time (latency) in routers and switches has a measurable effect on the precision
of the time transmission. To correct such inaccuracies, PTP defines what are known as boundary
clocks.
In a network segment, a boundary clock is the reference time source (master clock) to which the
subordinate slave clocks synchronize. Typically routers and switches take on the role of boundary
clock.
The boundary clock in turn obtains the time from a higher-level reference time source
(Grandmaster).
Figure 19: Position of the boundary clock in a network (labels: GPS, PLC, Reference (Grandmaster Clock), Ordinary Clock, Slave, Master, Boundary Clock)
Transparent Clock
Switches typically take on the Transparent Clock role to enable high accuracy across the cascades.
The Transparent Clock is a Slave clock that corrects its own transmission time when it forwards
received synchronization messages.
Ordinary Clock
PTP designates the clock in an end device as an Ordinary Clock. An Ordinary Clock functions either
as a master clock or slave clock.
The devices participating in PTP designate a device in the network as a reference time source
(Grandmaster). Here the Best Master Clock algorithm is used, which determines the accuracy of
the clocks available in the network.
The algorithm first evaluates the value in the Priority 1 field of the participating devices. The device
with the smallest value in the Priority 1 field becomes the reference time source (Grandmaster).
When the value is the same for multiple devices, the algorithm takes the next criterion. When this
is also the same, it takes the next criterion after this one. If these values are the same for multiple
devices, then the smallest value in the Clock identity field decides which device becomes the
reference time source (Grandmaster).
In the settings of the boundary clock, the device lets you individually specify the values for Priority
1 and Priority 2. This lets you influence which device will be the reference time source (Grandmaster)
in the network.
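The selection order described above, as an added example that is not part of the manual or the device software: it ranks announced clock datasets and reports which criterion decided between two clocks. The page names only Priority 1, Priority 2 and Clock identity; the intermediate criteria (clock class, clock accuracy, variance) follow the dataset comparison order of IEEE 1588-2008, the topology-dependent part of the algorithm is left out, and the device names and values are constructed.

```python
from dataclasses import dataclass, replace

# Comparison order; for every field the smaller value wins.
CRITERIA = ("priority1", "clock_class", "clock_accuracy",
            "offset_scaled_log_variance", "priority2", "clock_identity")


@dataclass(frozen=True)
class ClockDataset:
    name: str                        # label used only in this example
    priority1: int                   # "Priority 1" in the device settings
    clock_class: int
    clock_accuracy: int
    offset_scaled_log_variance: int
    priority2: int                   # "Priority 2" in the device settings
    clock_identity: bytes            # 8-octet identity, final tie-breaker

    def __post_init__(self):
        for field in ("priority1", "priority2", "clock_class", "clock_accuracy"):
            if not 0 <= getattr(self, field) <= 255:
                raise ValueError(f"{field} must be in 0..255")
        if len(self.clock_identity) != 8:
            raise ValueError("clock_identity must be 8 octets")

    def rank(self):
        """Tuple that sorts clocks in selection order."""
        return tuple(getattr(self, field) for field in CRITERIA)


def elect_grandmaster(clocks):
    """Return the clock that becomes the reference time source."""
    clocks = list(clocks)
    if not clocks:
        raise ValueError("no clocks announced")
    identities = [c.clock_identity for c in clocks]
    if len(set(identities)) != len(identities):
        raise ValueError("duplicate clock identity")
    return min(clocks, key=ClockDataset.rank)


def deciding_criterion(a, b):
    """Name of the first criterion on which two clocks differ, or None."""
    for field in CRITERIA:
        if getattr(a, field) != getattr(b, field):
            return field
    return None


def with_priority1(clock, value):
    """Copy of a clock with a different Priority 1 setting."""
    return replace(clock, priority1=value)


# Constructed sample datasets (not taken from any real device).
GPS_REF = ClockDataset("gps-reference", 128, 6, 0x21, 0x4E5D, 128,
                       bytes.fromhex("02000000fffe0001"))
SWITCH_A = ClockDataset("switch-a", 128, 248, 0xFE, 0xFFFF, 128,
                        bytes.fromhex("02000000fffe0002"))
SWITCH_B = ClockDataset("switch-b", 128, 248, 0xFE, 0xFFFF, 128,
                        bytes.fromhex("02000000fffe0003"))

if __name__ == "__main__":
    winner = elect_grandmaster([GPS_REF, SWITCH_A, SWITCH_B])
    print("grandmaster:", winner.name,
          "| decided against switch-a by:", deciding_criterion(winner, SWITCH_A))
    # Priority 1 is evaluated before any clock-quality field.
    changed = with_priority1(SWITCH_B, 64)
    print("after setting Priority 1 = 64 on switch-b:",
          elect_grandmaster([GPS_REF, SWITCH_A, changed]).name)
```

Because Priority 1 is compared before clock quality, a free-running switch with a lower Priority 1 outranks a GPS-backed reference, so review the configured priorities on every boundary clock in the domain.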
The delay of the synchronization messages between the devices affects the accuracy. The delay
measurement lets the devices take into account the average delay.
The device transmits synchronization messages only from and to devices in the same PTP domain.
The device lets you set the domain for the boundary clock and for the transparent clock individually.
[Figure: PTP domains. Labels: Switch, Boundary Clock, PTP Subdomain 1, PTP Subdomain 2]
To synchronize the clocks precisely with PTP, only use switches with a boundary clock or
transparent clock as nodes.
Managing configuration profiles
5.1 Detecting changed settings
If you change the settings of the device during operation, then the device stores the changes in its
memory (RAM). After a reboot the settings are lost.
To keep the changes after a reboot, the device lets you save the settings in a configuration profile
in the non-volatile memory (NVM). To make it possible to quickly switch to other settings, the non-
volatile memory offers storage space for multiple configuration profiles.
If an external memory is connected, then the device automatically saves a copy of the configuration
profile in the external memory (ENVM). You can disable this function.
The device stores changes made to settings during operation in its volatile memory (RAM). The
configuration profile in the non-volatile memory (NVM) remains unchanged until you save the
changed settings explicitly. Until then, the configuration profiles in memory and non-volatile
memory are different. The device helps you recognize changed settings.
You can recognize if the settings in the volatile memory (RAM) differ from the settings of the
"selected" configuration profile in the non-volatile memory (NVM). To do this, perform the following
steps:
You can recognize if the settings copied to the external memory (ACA) differ from the settings of
the configuration profile in the non-volatile memory (NVM). To do this, perform the following steps:
5.2 Saving the settings
If you change the settings of the device during operation, then the device stores the changes in its
memory (RAM). To keep the changes after a reboot, save the configuration profile in the non-volatile
memory (NVM).
The device stores the settings in the "selected" configuration profile in the non-volatile memory
(NVM).
The device lets you store the settings saved in the memory (RAM) in a configuration profile other
than the "selected" configuration profile. In this way the device adds a configuration profile in the
non-volatile memory (NVM) or overwrites an existing one.
When the non-volatile memory (NVM) contains multiple configuration profiles, you have the option
to select any configuration profile there. The device stores the settings in the “selected”
configuration profile. During the system startup, the device loads the settings of the “selected”
configuration profile into the memory (RAM).
When an external memory is connected and you save a configuration profile, the device
automatically saves a copy in the Selected external memory. In the default setting, the function is
enabled. You can disable this function.
The device lets you automatically back up the configuration profile to a remote server.
The prerequisite is that you activate the function before you save the configuration profile.
After you save the configuration profile in the non-volatile memory (NVM), the device sends a copy
to the specified URL.
If the transfer to the remote server is unsuccessful, then the device logs this event in the System
Log.
The device lets you save a configuration profile to a server as an XML file. If you use the Graphical
User Interface, then you have the option to save the XML file directly to your PC.
Prerequisites:
To save the file on a server, you need a server available on the network.
To save the file to an SCP or SFTP server, you also need the user name and password for
accessing this server.
Export the configuration profile to your PC. To do this, perform the following steps:
Export the configuration profile to a remote server. To do this, perform the following steps:
5.3 Loading settings
If you save multiple configuration profiles in the memory, then you have the option to load a different
configuration profile.
The non-volatile memory of the device can contain multiple configuration profiles. If you activate a
configuration profile stored in the non-volatile memory (NVM), then you immediately change the
settings in the device. The device does not require a reboot.
If an external memory is connected, then the device loads a configuration profile from the external
memory during the system startup automatically. The device lets you save these settings in a
configuration profile in non-volatile memory.
When the external memory contains the configuration profile of an identical device, you have the
possibility to transfer the settings from one device to another.
Using the Command Line Interface, the device lets you copy the settings from the external memory
directly into the non-volatile memory (NVM).
show config profiles nvm
    To display the configuration profiles contained in the non-volatile memory (nvm).
enable
    To change to the Privileged EXEC mode.
copy config envm profile config3 nvm
    To copy the configuration profile config3 from the external memory (envm) to the non-volatile memory (nvm).
The device can also automatically load a configuration profile from a script file during the system
startup.
Prerequisites:
Verify that the external memory is connected before you start the device.
The root directory of the external memory contains a text file startup.txt with the content
script=<file_name>. The placeholder <file_name> represents the script file that the
device executes during the system startup.
The root directory of the external memory contains the script file. You have the option to save
the script with a user-specified name. Save the file with the file extension .cli.
Note: Verify that the script saved in the external memory is not empty. If the script is empty, then
the device loads the next configuration profile as per the configuration priority settings.
After applying the script, the device automatically saves the configuration profile from the script file
as an XML file in the external memory. When you type the appropriate command into the script file,
you have the option to disable this function:
no config envm config-save usb
The device does not save a copy in the external USB memory.
When the script file contains an incorrect command, the device does not apply this command during
the system startup. The device logs the event in the System Log.
The device lets you import from a server a configuration profile saved as an XML file. If you use the
Graphical User Interface, then you can import the XML file directly from your PC.
Prerequisites:
To save the file on a server, you need a server available on the network.
To save the file to an SCP or SFTP server, you also need the user name and password for
accessing this server.
Import the configuration profile from the local PC or from a remote server. To do this, perform the
following steps:
In the Destination frame, specify where the device saves the imported configuration profile:
In the Profile name field, specify the name under which the device saves the
configuration profile.
In the Storage field, specify the storage location for the configuration profile.
Click the Ok button.
The device copies the configuration profile into the specified memory.
If you specified the value ram in the Destination frame, then the device disconnects the
Graphical User Interface and uses the settings immediately.
Import the configuration profile from the external memory. To do this, perform the following steps:
In the Import profile from external memory frame, select the name of the configuration profile
to be imported from the Profile name drop-down list.
The prerequisite is that the external memory contains an exported configuration profile.
In the Destination frame, specify where the device saves the imported configuration profile:
In the Profile name field, specify the name under which the device saves the
configuration profile.
Click the Ok button.
The device copies the configuration profile into the non-volatile memory (NVM) of the device.
If you specified the value ram in the Destination frame, then the device disconnects the
Graphical User Interface and uses the settings immediately.
Note: Upgrading from Classic to HiOS? Convert your device configuration files using our online
tool: https://convert.hirschmann.com
If you reset the settings in the device to the delivery state, then the device deletes the configuration
profiles in the volatile memory and in the non-volatile memory.
If an external memory is connected, then the device also deletes the configuration profiles saved
in the external memory.
After a brief period, the device restarts and loads the delivery settings.
Hirschmann is continually working on improving and developing their software. Check regularly if
there is an updated version of the software that provides you with additional benefits. You find
information and software downloads on the Hirschmann product pages on the Internet at
www.hirschmann.com.
The device gives you the following options to update the device software:
Loading a previous software version
Software update from the PC
Software update from a server
Software update from the external memory
Note: The device settings are kept after you update the device software.
You see the version of the installed device software in the login dialog of the Graphical User
Interface.
To display the version of the installed software when you are already logged in, perform the
following steps:
The device lets you replace the device software with a previous version. The basic settings in the
device are kept after replacing the device software.
Note: Only the settings for functions which are available in the newer device software version are
lost.
The prerequisite is that the image file of the device software is saved on a data carrier which is
accessible from your PC.
Navigate to the folder where the image file of the device software is saved.
Open the Basic Settings > Software dialog.
Drag and drop the image file in the area. As an alternative, click in the area to select
the file.
To start the update procedure, click the Start button.
As soon as the update procedure is completed successfully, the device displays a
message that the software is successfully updated.
During the next system startup, the device loads the installed device software.
To update the software using SFTP or SCP you need a server on which the image file of the device
software is saved.
To update the software using TFTP, SFTP or SCP you need a server on which the image file of the
device software is saved.
The device lets you update the device software with a few mouse clicks. The prerequisite is that
the image file of the device software is located in the external memory.
When the following files are located in the external memory during the system startup, the device
updates the device software automatically:
the image file of the device software
a text file startup.txt with the content autoUpdate=<Image_file_name>.bin
The prerequisite is that in the Basic Settings > External Memory dialog, you mark the checkbox in the
Software auto update column. This is the default setting in the device.
In the default setting, every port is enabled. For a higher level of access security, disable
unconnected ports. To do this, perform the following steps:
In the default setting, the ports are set to Autoneg operating mode.
Note: The active automatic configuration has priority over the manual configuration.
The device supports 2.5 Gbit/s on several interfaces with one of the following SFP transceivers:
M-SFP-2.5-MM/LC EEC
M-SFP-2.5-SM-/LC EEC
M-SFP-2.5-SM/LC EEC
M-SFP-2.5-SM+/LC EEC
The type of the transceiver plugged into the slot determines the port speed. The device has no
option to set the speed manually. Ports with 2.5 Gbit/s speed only support data rates of 1 Gbit/s
and higher.
Note: For further information about the transceiver order numbers, see the “Accessories” chapter
in the “Installation” user manual.
7.3.1 Example
You use the Gigabit Ethernet mode to get a higher bandwidth for uplinks. To use this function, insert
an applicable transceiver type in the appropriate slot.
show port 1/1
    To display the parameters for slot 1 port 1. The Physical Mode list entry displays the value 2500 full for the ports that have a 2.5 Gbit/s SFP transceiver inserted.
Interface.....................1/1
Name..........................My interface
--
Cable-crossing Setting........-
Physical Mode.................2500 full
Physical Status...............-
The device offers functions that help you protect the device against unauthorized access.
After you set up the device, carry out the following steps to reduce possible unauthorized access
to the device.
Changing the SNMPv1/v2 community
Disabling SNMPv1/v2
Disabling HTTP
Using your own HTTPS certificate
Using your own SSH key
Disabling Telnet
Disabling HiDiscovery
Restricting access to device management
Adjusting the session timeouts
SNMPv1 and SNMPv2 work unencrypted. Every SNMP packet contains the IP address of the
sender and the plaintext community name with which the sender accesses the device. If the
SNMPv1 and/or SNMPv2 function is active, then the device lets anyone who knows the community
name access the device. Treat the community names with discretion.
The community names public for read-only access and private for read and write access are
preset. If you are using SNMPv1 or SNMPv2, then change the default community name. To do this,
perform the following steps:
Open the Device Security > Management Access > SNMPv1/v2 Community dialog.
The dialog displays the communities that are set up.
For the Write community, specify in the Name column the community name.
– Up to 64 alphanumeric characters are allowed.
– The device differentiates between upper and lower case.
– Specify a different community name than for read-only access.
If you need SNMPv1 or SNMPv2, then use these protocols only in environments protected from
eavesdropping. SNMPv1 and SNMPv2 do not use encryption. The SNMP packets contain the
community in clear text. We recommend using SNMPv3 in the device and disabling the access
using SNMPv1 and SNMPv2. To do this, perform the following steps:
Open the Device Security > Management Access > Server dialog, SNMP tab.
The dialog displays the settings of the SNMP server.
To deactivate the SNMPv1 protocol, you unmark the SNMPv1 checkbox.
To deactivate the SNMPv2 protocol, you unmark the SNMPv2 checkbox.
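To verify on your own network capture that no station still uses SNMPv1/v2 or the preset community names, the following added example (not part of the manual or the device software) parses the BER header of SNMP UDP payloads and classifies each message. It covers both the plaintext community described in the SNMP access section and the hardening steps above; the sample datagrams and source addresses are constructed.

```python
DEFAULT_COMMUNITIES = {b"public", b"private"}      # presets named in the manual
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long form: low 7 bits = octet count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER length exceeds datagram")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(datagram):
    """Return (version_name, community or None) for one SNMP UDP payload."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("no outer SEQUENCE")
    tag, value, pos = read_tlv(body, 0)
    if tag != 0x02 or not value:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(value, "big")
    if version not in VERSION_NAMES:
        raise ValueError("unknown SNMP version %d" % version)
    if version == 3:
        return VERSION_NAMES[version], None        # SNMPv3 carries no community
    tag, community, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    return VERSION_NAMES[version], community


def audit(captures):
    """captures: iterable of (source_ip, udp_payload). Return one finding per datagram."""
    findings = []
    for src, payload in captures:
        try:
            version, community = parse_snmp_header(payload)
        except ValueError as exc:
            findings.append({"src": src, "status": "unparsed", "detail": str(exc)})
            continue
        if community is None:
            status = "ok"
        elif community in DEFAULT_COMMUNITIES:
            status = "default-community"
        else:
            status = "plaintext-community"
        findings.append({"src": src, "version": version, "status": status})
    return findings


# --- constructed sample data -------------------------------------------------
def ber(tag, value):
    """Encode one BER element (short-form length, enough for the samples)."""
    if len(value) > 127:
        raise ValueError("sample element too long")
    return bytes([tag, len(value)]) + value


def sample_get(community, version=1):
    """Constructed GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    oid = ber(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0]))
    varbinds = ber(0x30, ber(0x30, oid + ber(0x05, b"")))
    pdu = ber(0xA0, ber(0x02, b"\x01") + ber(0x02, b"\x00") + ber(0x02, b"\x00") + varbinds)
    return ber(0x30, ber(0x02, bytes([version])) + ber(0x04, community) + pdu)


def sample_v3():
    """Constructed SNMPv3 header with placeholder security parameters and payload."""
    global_data = ber(0x30, ber(0x02, b"\x01") + ber(0x02, b"\x05\xdc")
                      + ber(0x04, b"\x07") + ber(0x02, b"\x03"))
    return ber(0x30, ber(0x02, b"\x03") + global_data + ber(0x04, b"") + ber(0x04, bytes(8)))


SAMPLE_CAPTURES = [
    ("192.168.1.11", sample_get(b"public")),
    ("192.168.1.12", sample_get(b"private", version=0)),
    ("192.168.1.20", sample_get(b"Plant7-ro")),
    ("192.168.1.30", sample_v3()),
    ("192.168.1.40", sample_get(b"public")[:10]),   # truncated datagram
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURES):
        print(finding)
```

Any finding other than `ok` means a community name crossed the network in clear text; `default-community` additionally means a station still uses one of the preset names.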
The web server provides the Graphical User Interface with the protocol HTTP or HTTPS. HTTPS
connections are encrypted, while HTTP connections are unencrypted.
The HTTP protocol is enabled by default. If you disable HTTP, then no unencrypted access to the
Graphical User Interface is possible. To do this, perform the following steps:
Open the Device Security > Management Access > Server dialog, HTTP tab.
To disable the HTTP protocol, select the Off radio button in the Operation frame.
If the HTTP protocol is disabled, then you can reach the Graphical User Interface of the device only
by HTTPS. In the address bar of the web browser, enter the string https:// before the IP address
of the device.
If the HTTPS protocol is disabled and you also disable HTTP, then the Graphical User Interface is
inaccessible. To work with the Graphical User Interface, enable the HTTPS server using the
Command Line Interface. To do this, perform the following steps:
enable
    To change to the Privileged EXEC mode.
configure
    To change to the Configuration mode.
https server
    To enable the HTTPS protocol.
The device lets you remotely access the device management using Telnet or SSH. Telnet
connections are unencrypted, while SSH connections are encrypted.
The Telnet server is enabled in the device by default. If you disable Telnet, then unencrypted
remote access to the Command Line Interface is no longer possible. To do this, perform the
following steps:
Open the Device Security > Management Access > Server dialog, Telnet tab.
To disable the Telnet server, select the Off radio button in the Operation frame.
If the SSH server is disabled and you also disable Telnet, then access to the Command Line
Interface is only possible through the serial interface of the device. To work remotely with the
Command Line Interface, enable SSH. To do this, perform the following steps:
Open the Device Security > Management Access > Server dialog, SSH tab.
To enable the SSH server, select the On radio button in the Operation frame.
HiDiscovery lets you assign IP parameters to the device over the network during commissioning.
HiDiscovery communicates in the device management VLAN without encryption and
authentication.
In the default setting, everyone can access the device management from any IP address using any
protocol. The device lets you restrict access to device management for selected protocols from a
specific IP address range.
In the following example, the device is to be accessible only from the company network using the
Graphical User Interface. The administrator has additional remote access using SSH. The
company network has the address range 192.168.1.0/24, and remote access takes place from a
mobile network with the IP address range 109.237.176.0/24. The SSH application program knows
the fingerprint of the RSA key.
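Before deactivating the entry that permits every address, it is worth checking which management sessions the new table would cut off. The following added example (a model written for this purpose, not the device's implementation) evaluates the scenario above; it assumes that a connection is admitted when at least one active entry matches, that the Graphical User Interface is reached over HTTPS, and that the protocol set shown is the one being restricted. The station addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumed protocol set for the model.
ALL_PROTOCOLS = frozenset({"http", "https", "snmp", "telnet", "ssh"})


@dataclass(frozen=True)
class Entry:
    network: str             # address range in CIDR notation
    protocols: frozenset     # management protocols this entry permits
    active: bool = True      # corresponds to the Active column


def is_permitted(entries, source_ip, protocol):
    """True if any active entry covers source_ip and permits protocol."""
    ip = ipaddress.ip_address(source_ip)
    return any(entry.active
               and protocol in entry.protocols
               and ip in ipaddress.ip_network(entry.network)
               for entry in entries)


def lockout_check(entries, admin_sessions):
    """Return the (ip, protocol) sessions that the table would no longer admit."""
    return [(ip, proto) for ip, proto in admin_sessions
            if not is_permitted(entries, ip, proto)]


# Default setting: one entry that admits every address and protocol.
DEFAULT_TABLE = [Entry("0.0.0.0/0", ALL_PROTOCOLS)]

# Table for the scenario: allow-all entry deactivated, two specific ranges added.
RESTRICTED_TABLE = [
    Entry("0.0.0.0/0", ALL_PROTOCOLS, active=False),
    Entry("192.168.1.0/24", frozenset({"https"})),     # company network, GUI
    Entry("109.237.176.0/24", frozenset({"ssh"})),     # mobile network, SSH
]

# Constructed management sessions the administrator relies on today.
ADMIN_SESSIONS = [
    ("192.168.1.50", "https"),     # GUI from the company network
    ("109.237.176.20", "ssh"),     # remote SSH from the mobile network
    ("192.168.1.50", "ssh"),       # SSH from inside the company network
]

if __name__ == "__main__":
    for ip, proto in lockout_check(RESTRICTED_TABLE, ADMIN_SESSIONS):
        print("would be cut off:", ip, proto)
```

With the table as modelled, SSH from inside the company network is no longer admitted, because the company entry permits only the Graphical User Interface.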
Table 19: Parameters for the IP access restriction
Open the Device Security > Management Access > IP Access Restriction dialog.
Unmark the checkbox in the Active column for the table row.
This entry lets users have access to the device from any IP address and the supported
protocols.
Address range of the company network:
The device lets you automatically terminate the session upon inactivity of the logged-on user. The
session timeout is the period of inactivity after the last user action.
Open the Device Security > Management Access > Server dialog, SSH tab.
Specify the timeout period in minutes in the Configuration frame, Session timeout [min] field.
Open the Device Security > Management Access > Server dialog, Telnet tab.
Specify the timeout period in minutes in the Configuration frame, Session timeout [min] field.
Open the Device Security > Management Access > CLI dialog, Global tab.
Specify the timeout period in minutes in the Configuration frame, Serial interface timeout [min]
field.
Open the Device Security > Management Access > Web dialog.
Specify the timeout period in minutes in the Configuration frame, Web interface session timeout
[min] field.
The device checks the data packets to be forwarded in accordance with defined rules. Data packets
to which the rules apply are either forwarded by the device or blocked. If data packets do not
correspond to any of the rules, then the device blocks the packets.
Routing ports to which no rules are assigned allow packets to pass. As soon as a rule is assigned,
the assigned rules are processed first. After that, the specified standard action of the device takes
effect.
The device provides the following functions for controlling the data stream:
Service request control (Denial of Service (DoS))
Denying access to devices based on their IP or MAC address (ACL)
The device observes and monitors the data stream. The device takes the results of the observation
and the monitoring and combines them with the rules for the network security to generate what is
known as a status table. Based on this status table, the device decides whether to accept, drop or
reject data.
The data packets go through the filter functions of the device in the following sequence:
DoS … if permit or accept, then progress to the next rule
ACL … if permit or accept, then progress to the next rule
Denial of Service (DoS) is a cyberattack that aims to make certain services or devices unusable.
Attackers as well as network administrators can use the port scan method to discover open ports
in a network to find vulnerable devices. The function helps you protect the network against invalid
or falsified data packets targeted at certain services or devices. You have the option of specifying
filters to restrict the data stream for protection against DoS attacks. The filters check the received
data packets. The device discards a data packet if it matches the filter criteria.
To help protect the device itself and other devices in the network from DoS attacks, the device lets
you specify the following filters:
Filters for TCP and UDP packets
Filters for IP packets
Filters for ICMP packets
Note: You can combine the filters in any way. When you activate several filters, the device applies
the filters in the order in which they are specified in the IP table. If an incoming data packet matches
a filter, the device discards the respective data packet and then stops further processing.
To selectively process TCP and UDP packets, the device offers you the following filters:
• Activate the Null Scan filter function
• Activate the Xmas filter function
• Activate the SYN/FIN filter function
• Activate the TCP Offset protection function
• Activate the TCP SYN protection function
• Activate the L4 Port protection function
With the Null Scan method, the attacking station sends data packets with the following properties:
• No TCP flags are set.
• The TCP sequence number is 0.
The device uses the Null Scan filter function to discard incoming TCP packets that contain malicious
properties.
In the default setting, the Null Scan filter function is disabled. To activate the Null Scan filter function,
perform the following steps:
With the Xmas method, the attacking station sends data packets with the following properties:
• The TCP flags FIN, URG, and PSH are simultaneously set.
• The TCP sequence number is 0.
The device uses the Xmas filter function to discard incoming TCP packets that contain malicious
properties.
In the default setting, the Xmas filter function is disabled. To activate the Xmas filter function, perform
the following steps:
With the SYN/FIN method, the attacking station sends data packets with the TCP flags SYN and
FIN set simultaneously. The device uses the SYN/FIN filter function to discard incoming packets with
the TCP flags SYN and FIN set simultaneously.
In the default setting, the SYN/FIN filter function is disabled. To activate the SYN/FIN filter function,
perform the following steps:
With the TCP Offset method, the attacking station sends data packets whose fragment offset is
equal to 1. The fragment offset is a field in the IP header which helps to identify the sequence of
fragments in received data packets. The device uses the TCP Offset protection function to discard
incoming TCP data packets whose fragment offset field in the IP header is equal to 1.
Note: The device accepts UDP and ICMP packets whose fragment offset field of the IP header is
equal to 1.
In the default setting, the TCP Offset protection function is disabled. To activate the TCP Offset
protection function, perform the following steps:
With the TCP SYN method, the attacking station sends data packets with the TCP flag SYN set and
an L4 (layer 4) source port <1024. The device uses the TCP SYN protection function to discard
incoming packets with the TCP flag SYN set and an L4 (layer 4) source port <1024.
In the default setting, the TCP SYN protection function is disabled. To activate the TCP SYN protection
function, perform the following steps:
An attacking station can send TCP or UDP data packets whose source port number and destination
port number are identical. The device uses the L4 Port protection function to discard incoming TCP
and UDP packets whose L4 source port and destination port number are identical.
In the default setting, the L4 Port protection function is disabled. To activate the L4 Port protection
function, perform the following steps:
To selectively process IP packets, the device offers you the following filters:
• Activate the Land Attack filter function
With the Land Attack method, the attacking station sends data packets whose source and
destination addresses are identical to the IP address of the recipient. The device uses the Land
Attack filter function to discard received packets whose source and destination addresses are
identical.
In the default setting, the Land Attack filter function is disabled. To activate the Land Attack filter
function, perform the following steps:
To selectively process ICMP packets, the device offers you the following filters:
• Activate the Fragmented packets filter function
• Activate the Packet size filter function
• Activate the Drop broadcast ping function
The device uses the Fragmented packets filter function to protect the network from attacking stations
that send fragmented ICMP packets. Fragmented ICMP packets can cause the destination device
to fail if the destination device processes fragmented ICMP packets incorrectly. The device uses
the Fragmented packets filter function to discard fragmented ICMP packets.
In the default setting, the Fragmented packets filter function is disabled. To activate the Fragmented
packets filter function, perform the following steps:
The device uses the Packet size filter to discard data packets whose payload size exceeds the size
specified in the Allowed payload size [byte] field.
The Packet size filter function helps protect the network from attacking stations that send ICMP
packets whose payload size exceeds the size specified in the Allowed payload size [byte] field.
In the default setting, the Packet size filter function is disabled. To activate the Packet size filter
function, perform the following steps:
The Drop broadcast ping function helps protect the network from broadcast ping attacks, also known
as ICMP Smurf attacks. With the Broadcast ping method, the attacker floods a target device (the
victim) by sending a large number of ICMP echo request packets to the IPv4 broadcast address.
These packets contain a spoofed IP source address which is the IP address of the victim. Stations
responding to the Broadcast ping send their replies to the victim, thus flooding the victim and
possibly causing instability.
The device uses the Drop broadcast ping function to discard the Broadcast pings.
In the default setting, the Drop broadcast ping function is disabled. To activate the Drop broadcast ping
function, perform the following steps:
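The filter criteria described in this chapter can be written down as one classifier, for example to check a packet capture offline before you activate a filter. This is an added example, not part of the manual or of the device software; the function names, the order of the checks, the 512-byte payload limit and the sample packets are assumptions of the example.

```python
import ipaddress
import struct

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20   # TCP flag bits
ICMP, TCP, UDP = 1, 6, 17                      # IPv4 protocol numbers


def classify(packet, allowed_icmp_payload=512, broadcasts=("255.255.255.255",)):
    """Return the name of the first filter criterion an IPv4 packet meets, or None.

    Assumptions of this example (not device defaults): the order of the checks,
    the 512-byte payload limit and the list of broadcast addresses.
    """
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        return None
    l4 = packet[(ver_ihl & 0x0F) * 4:total_len]
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF          # counted in 8-byte units

    if src == dst:
        return "Land Attack"
    if proto == TCP and frag_offset == 1:
        return "TCP Offset protection"
    # Only a packet with fragment offset 0 carries the TCP or UDP header.
    if proto == TCP and frag_offset == 0 and len(l4) >= 14:
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        flags = off_flags & 0x3F               # URG ACK PSH RST SYN FIN
        if flags == 0 and seq == 0:
            return "Null Scan"
        if (flags & (FIN | URG | PSH)) == (FIN | URG | PSH) and seq == 0:
            return "Xmas"
        if flags & SYN and flags & FIN:
            return "SYN/FIN"
        if flags & SYN and sport < 1024:
            return "TCP SYN protection"
        if sport == dport:
            return "L4 Port protection"
    if proto == UDP and frag_offset == 0 and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == dport:
            return "L4 Port protection"
    if proto == ICMP:
        if more_fragments or frag_offset:
            return "Fragmented packets"
        if len(l4) - 8 > allowed_icmp_payload:  # data after the 8-byte ICMP header
            return "Packet size"
        if l4[:1] == b"\x08" and str(ipaddress.IPv4Address(dst)) in broadcasts:
            return "Drop broadcast ping"
    return None


def ipv4(proto, src, dst, l4, flags_frag=0):
    """Build a constructed IPv4 packet; the header checksum is left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, flags_frag, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + l4


def tcp(sport, dport, seq, flags):
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 1024, 0, 0)


def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


def icmp_echo(data=b""):
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data


A, B = "192.0.2.10", "192.0.2.20"              # constructed documentation addresses
SAMPLES = {                                    # constructed packets, one per criterion
    "null scan": ipv4(TCP, A, B, tcp(40000, 80, 0, 0)),
    "xmas": ipv4(TCP, A, B, tcp(40000, 80, 0, FIN | URG | PSH)),
    "syn+fin": ipv4(TCP, A, B, tcp(40000, 80, 7, SYN | FIN)),
    "tcp fragment offset 1": ipv4(TCP, A, B, bytes(8), flags_frag=1),
    "syn from port 53": ipv4(TCP, A, B, tcp(53, 80, 7, SYN)),
    "udp 123->123": ipv4(UDP, A, B, udp(123, 123)),
    "land": ipv4(UDP, A, A, udp(1000, 2000)),
    "icmp fragment": ipv4(ICMP, A, B, icmp_echo(b"x" * 8), flags_frag=0x2000),
    "icmp 600 bytes": ipv4(ICMP, A, B, icmp_echo(b"x" * 600)),
    "broadcast ping": ipv4(ICMP, A, "255.255.255.255", icmp_echo()),
    "https syn": ipv4(TCP, A, B, tcp(40000, 443, 7, SYN)),
    "udp fragment offset 1": ipv4(UDP, A, B, bytes(8), flags_frag=1),
}


def run_samples():
    return {name: classify(packet) for name, packet in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22} {verdict or 'no filter matched'}")
```

The `udp 123->123` sample is worth a look before activating the L4 Port protection function: NTP implementations that send from port 123 to port 123 meet the criterion of identical source and destination ports.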
9.2 ACL
In this menu you can enter the parameters for the Access Control Lists (ACLs).
The device uses ACLs to filter data packets received on VLANs or on individual or multiple ports.
In an ACL, you specify rules that the device uses to filter data packets. When such a rule applies to
a packet, the device applies the actions specified in the rule to the packet. The available actions
are as follows:
allow (permit)
discard (deny)
redirect to a certain port (see Redirection port field)
mirror (see Mirror port field)
The list below contains criteria that you can apply to filter the data packets:
Source or destination address of a packet (MAC)
Source or destination address of a data packet (IPv4)
Source or destination port of a data packet (IPv4)
When you assign both an IP ACL and MAC ACL to the same interface, the device first uses the IP
ACL to filter the data stream. The device applies the MAC ACL rules only after the packets are
filtered through the IP ACL. The priority of an ACL is independent of the index of a rule.
Within an ACL, the device processes the rules in order. The index of the respective rule determines
the order in which the device filters the data stream. When you assign an ACL to a port or VLAN,
you can specify its priority with the index. The lower the number, the higher the priority. The device
processes the rule with the higher priority first.
If none of the rules specified in an ACL applies to a data packet, then the implicit deny rule applies.
As a result, the device drops the received data packets.
Keep in mind that the device directly implements the implicit deny rule.
Note: The number of available ACLs depends on the device. For further information about the ACL
values, see chapter “Technical Data” on page 398.
Note: You can assign a single ACL to any number of ports or VLANs.
Open the Network Security > ACL > IPv4 Rule dialog.
Note: The device lets you use wildcards with the Source IP address and Destination IP address
parameters. If you enter for example, 192.168.?.?, then the device allows addresses that start
with 192.168.
Note: The prerequisite for changing the values in the Source TCP/UDP port and Destination TCP/UDP
port column is that you specify the value tcp or udp in the Protocol column.
Note: The prerequisite for changing the value in the Redirection port and Mirror port column is that
you specify the value permit in the Action column.
9.2.2 Creating and configuring an IP ACL using the Command Line Interface
In the following example, you set up ACLs to block the communication from computers B and C to
computer A, based on the IP address (TCP/UDP port, etc.).
[Figure: computers A, B, C and D connected to Port 1 to Port 4 of the device; address labels IP: 10.0.1.158/24 and IP: 10.0.1.159/24]
Figure 21: Example of an IP ACL
Open the Network Security > ACL > MAC Rule dialog.
Note: In the Source MAC address and Destination MAC address fields you can use wildcards in the
FF:??:??:??:??:?? or ??:??:??:??:00:01 form. Use capital letters here.
9.2.4 Creating and configuring a MAC ACL using the Command Line Interface
In the following example, AppleTalk and IPX are to be filtered out from the entire network. To do
this, perform the following steps:
enable
    To change to the Privileged EXEC mode.
configure
    To change to the Configuration mode.
mac acl add 1 macfilter
    To add a MAC ACL with the ID 1 and the name macfilter.
mac acl rule add 1 1 deny src any any dst any any etype appletalk
    To add a rule to position 1 of the MAC ACL with the ID 1 rejecting packets with EtherType
    0x809B (AppleTalk).
mac acl rule add 1 2 deny src any any dst any any etype ipx-old
    To add a rule to position 2 of the MAC ACL with the ID 1 rejecting packets with EtherType
    0x8137 (IPX old).
mac acl rule add 1 3 deny src any any dst any any etype ipx-new
    To add a rule to position 3 of the MAC ACL with the ID 1 rejecting packets with EtherType
    0x8138 (IPX).
mac acl rule add 1 4 permit src any any dst any any
    To add a rule to position 4 of the MAC ACL with the ID 1 forwarding packets.
show acl mac rules 1
    To display the rules of the MAC ACL with the ID 1.
interface 1/1,1/2,1/3,1/4,1/5,1/6
    To change to the interface configuration mode of the interfaces 1/1 to 1/6.
acl mac assign 1 in 1
    To assign the MAC ACL with the ID 1 to incoming data packets (in) on interfaces 1/1 to 1/6.
exit
    To leave the interface mode.
show acl mac assignment 1
    To display the assignment of the MAC ACL with the ID 1 to interfaces or VLANs.
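The following model evaluates the four rules of this MAC ACL in index order and applies the implicit deny rule when no rule matches, which shows why rule 4 is needed. It is an added example, not device code; the `Rule` class, the function names, the sample frames and the reading of `?` as one hexadecimal digit are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional

ETYPE = {"appletalk": 0x809B, "ipx-old": 0x8137, "ipx-new": 0x8138}


@dataclass(frozen=True)
class Rule:
    index: int
    action: str                   # "permit" or "deny"
    src: str = "any"
    dst: str = "any"
    etype: Optional[int] = None   # None stands for any EtherType


def mac_matches(pattern, mac):
    """Assumption of this example: each '?' stands for one hexadecimal digit."""
    if pattern == "any":
        return True
    return len(pattern) == len(mac) and all(p in ("?", m) for p, m in zip(pattern, mac))


def evaluate(rules, frame):
    """Return (rule index, action) for an untagged Ethernet II frame."""
    dst = frame[0:6].hex(":").upper()
    src = frame[6:12].hex(":").upper()
    etype = int.from_bytes(frame[12:14], "big")
    for rule in sorted(rules, key=lambda r: r.index):   # lowest index first
        if (mac_matches(rule.src, src) and mac_matches(rule.dst, dst)
                and rule.etype in (None, etype)):
            return rule.index, rule.action
    return None, "deny"                                 # implicit deny rule


def unreachable(rules):
    """Indexes of rules placed after a rule that already matches every frame."""
    ordered = sorted(rules, key=lambda r: r.index)
    for pos, rule in enumerate(ordered):
        if (rule.src, rule.dst, rule.etype) == ("any", "any", None):
            return [r.index for r in ordered[pos + 1:]]
    return []


def frame(dst, src, etype):
    """Build a constructed Ethernet II frame with an all-zero payload."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + etype.to_bytes(2, "big") + bytes(46))


# The four rules of the MAC ACL with the ID 1 from the CLI example.
PAGE_RULES = [
    Rule(1, "deny", etype=ETYPE["appletalk"]),
    Rule(2, "deny", etype=ETYPE["ipx-old"]),
    Rule(3, "deny", etype=ETYPE["ipx-new"]),
    Rule(4, "permit"),
]

# Constructed rule set using the wildcard form ??:??:??:??:00:01.
WILDCARD_RULES = [Rule(1, "deny", src="??:??:??:??:00:01"), Rule(2, "permit")]

DST, SRC = "02:00:00:00:00:02", "02:00:00:00:00:01"     # constructed addresses

if __name__ == "__main__":
    for name, etype in [("AppleTalk", 0x809B), ("IPX old", 0x8137),
                        ("IPX", 0x8138), ("IPv4", 0x0800), ("ARP", 0x0806)]:
        print(name, evaluate(PAGE_RULES, frame(DST, SRC, etype)))
    # Without rule 4, IPv4 falls through to the implicit deny rule.
    print("IPv4 without rule 4", evaluate(PAGE_RULES[:3], frame(DST, SRC, 0x0800)))
    # A permit-any rule at the lowest index makes every later rule dead.
    print(unreachable([Rule(0, "permit")] + PAGE_RULES))
```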
When you assign ACLs to a port or VLAN, the device gives you the following options:
To select the port or VLAN.
To specify the ACL priority.
To select the ACL using the group name.
The device features a number of functions that can help you reduce the network load:
Direct packet distribution
Multicasts
Rate limiter
Prioritization - QoS
Flow control
The device reduces the network load with direct packet distribution.
On each of its ports, the device learns the sender MAC address of received data packets. The
device stores the combination “port and MAC address” in its MAC address table (forwarding
database).
By applying the Store and Forward method, the device buffers data received and checks it for
validity before forwarding it. The device rejects invalid and corrupt data packets.
When the device receives a data packet, it checks if the MAC address of the sender is already
stored in the MAC address table (forwarding database). When the MAC address of the sender is
unknown, the device generates an entry. The device then compares the destination MAC address
of the data packet with the entries stored in the MAC address table (forwarding database):
The device forwards packets with a known destination MAC address directly to ports that have
already received data packets from this MAC address.
The device floods data packets with unknown destination addresses, that is, the device forwards
these data packets to every port.
Addresses that have not been detected by the device for an adjustable period of time (aging time)
are deleted from the MAC address table (forwarding database) by the device. A reboot or resetting
the MAC address table (forwarding database) deletes the entries in the MAC address table
(forwarding database).
In addition to learning the sender MAC address, the device also provides the option to set MAC
addresses manually. These MAC addresses remain set up and survive resetting of the
MAC address table (forwarding database) as well as rebooting of the device.
Static address entries allow the device to forward data packets directly to selected ports. If you do
not specify a destination port, then the device discards the corresponding data packets.
You manage the static address entries in the Graphical User Interface or in the Command Line
Interface.
To delete the learned addresses from the MAC address table (forwarding database), click
the button.
As an alternative, open the Basic Settings > Restart dialog and click the Clear FDB button.
10.2 Multicasts
By default, the device floods data packets with a Multicast address, that is, the device forwards the
data packets to every port. This leads to an increased network load.
The use of IGMP snooping can reduce the network load caused by Multicast data packets. IGMP
snooping lets the device send Multicast data packets only on those ports to which devices
“interested” in Multicast are connected.
Surveillance cameras transmit images to monitors in the machine room and in the monitoring room.
With an IP Multicast transmission, the cameras transmit their graphic data over the network in
Multicast packets.
The Internet Group Management Protocol (IGMP) organizes the data streams between the
Multicast routers and the monitors. The switches in the network between the Multicast routers and
the monitors monitor the IGMP data packets continuously (IGMP Snooping).
Switches register logins for receiving a Multicast stream (IGMP report). The device then adds an
entry in the MAC address table (forwarding database) and forwards Multicast packets only to the
ports on which it has previously received IGMP reports.
The Internet Group Management Protocol (IGMP) describes the distribution of Multicast
information between routers and connected receivers on Layer 3. IGMP Snooping describes the
function of a switch of continuously monitoring IGMP data packets and optimizing its own
transmission settings for these data packets.
The IGMP Snooping function in the device operates according to RFC 4541 (Considerations for Internet
Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches).
Multicast routers with an active IGMP function periodically request (query) registration of Multicast
streams to determine the associated IP Multicast group members. IP Multicast group members
reply with a Report message. This Report message contains the parameters required by the IGMP
function. The Multicast router enters the IP Multicast group address from the Report message in its
routing table. This causes it to forward data packets with this IP Multicast group in the destination
address field according to its routing table.
When leaving a Multicast group (IGMP version 2 and higher), receivers log out with a “Leave”
message and do not send any more Report messages. If it does not receive any more Report
messages from this receiver within a certain time (aging time), then the Multicast router removes
the routing table entry of a receiver.
When several IGMP Multicast routers are in the same network, the device with the smaller IP
address takes over the query function. When there are no Multicast routers on the network, you
have the option to enable the query function in an appropriately equipped switch.
A switch that connects one Multicast receiver with a Multicast router analyzes the IGMP information
with the IGMP snooping method.
The IGMP snooping method also makes it possible for switches to use the IGMP function. A switch
stores the MAC addresses derived from IP addresses of the Multicast receivers as recognized
Multicast addresses in its MAC address table (forwarding database). In addition, the switch
identifies the ports on which it has received reports for a specific Multicast address. In this way, the
switch forwards Multicast packets only to ports to which Multicast receivers are connected. The
other ports do not receive these packets.
A special feature of the device is the possibility of determining the processing of data packets with
unknown Multicast addresses. Depending on the setting, the device discards these data packets
or forwards them to every port. By default, the device transmits the data packets only to ports with
connected devices, which in turn receive query packets. You also have the option of additionally
sending known Multicast packets to query ports.
Open the Switching > IGMP Snooping > Configuration dialog, Port tab.
To activate the IGMP Snooping function on a port, mark the checkbox in the Active column
for the relevant port.
Open the Switching > IGMP Snooping > Configuration dialog, VLAN ID tab.
To activate the IGMP Snooping function for a specific VLAN, mark the checkbox in the Active
column for the relevant VLAN.
The device itself optionally sends active query messages. As an alternative, the device responds
to query messages or detects other Multicast queriers in the network (Querier function).
Prerequisite:
The Switching > IGMP Snooping > Snooping Enhancements dialog provides you access to enhanced
settings for the IGMP Snooping function. You activate or deactivate the settings on a per port basis
in a VLAN.
Prerequisite:
Open the Switching > IGMP Snooping > Snooping Enhancements dialog.
Double-click the desired port in the desired VLAN.
Setting up Multicasts
The device lets you set up the exchange of Multicast data packets. The device provides different
options depending on whether the data packets are to be sent to unknown or known Multicast
receivers.
The settings for unknown Multicast addresses are global for the entire device. The following options
can be selected:
The device discards unknown multicasts.
The device forwards unknown multicast data to every port.
Note: The exchange settings for unknown Multicast addresses also apply to the reserved IP
addresses from the Local Network Control Block (224.0.0.0..224.0.0.255). This behavior can
affect higher-level routing protocols.
IGMP Snooping explicitly ignores the following Multicast IP addresses because their mapped
Multicast MAC addresses have special functions:
Table 20: Multicast IP addresses ignored by IGMP Snooping
Note: According to RFC 1112 (Host Extensions for IP Multicasting), up to 32 Multicast IP addresses
are mapped to the same Multicast MAC address. The table contains only the commonly used
Multicast IP address for a Multicast MAC address, omitting the 31 further possible Multicast IP
addresses.
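The mapping of 32 Multicast IP addresses to one Multicast MAC address can be checked when planning group addresses. The following added example (not part of the manual) implements the RFC 1112 mapping, lists the 32 addresses that share a MAC address, and flags planned groups whose MAC address coincides with one from the Local Network Control Block; the function names and the list of planned groups are constructed.

```python
import ipaddress

LOCAL_CONTROL = ipaddress.IPv4Network("224.0.0.0/24")   # Local Network Control Block


def low23(group):
    """Return the 23 bits of the group address that are copied into the MAC."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 Multicast address")
    return int(addr) & 0x7FFFFF


def group_mac(group):
    """RFC 1112: prefix 01:00:5E, one 0 bit, then the lower 23 bits of the IP."""
    mac = (0x01005E << 24) | low23(group)
    return mac.to_bytes(6, "big").hex(":").upper()


def aliases(group):
    """All 32 Multicast IP addresses that map to the same MAC address."""
    bits = low23(group)
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | bits))
            for k in range(32)]


def shadows_local_control(group):
    """True if the group lies outside 224.0.0.0/24 but shares a MAC with it."""
    if ipaddress.IPv4Address(group) in LOCAL_CONTROL:
        return False
    return any(ipaddress.IPv4Address(a) in LOCAL_CONTROL for a in aliases(group))


def shared_macs(groups):
    """Return the MAC addresses that more than one of the given groups maps to."""
    by_mac = {}
    for group in groups:
        by_mac.setdefault(group_mac(group), []).append(group)
    return {mac: members for mac, members in by_mac.items() if len(members) > 1}


# Constructed list of planned application groups.
PLANNED = ["239.1.1.1", "239.129.1.1", "239.128.0.5", "239.10.10.10"]

if __name__ == "__main__":
    for group in PLANNED:
        note = "  shares a MAC with 224.0.0.x" if shadows_local_control(group) else ""
        print(f"{group:14} {group_mac(group)}{note}")
    print(shared_macs(PLANNED))
```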
For each VLAN, you specify the sending of Multicast packets to known Multicast addresses
individually. The following options can be selected:
The device forwards known Multicasts to the ports that have previously received query
messages (query ports) and to the registered ports. Registered ports are ports with Multicast
receivers registered with the corresponding Multicast group. This option helps ensure that the
transfer works with basic applications without further configuration.
The device forwards known Multicasts only to the registered ports. The advantage of this setting
is that it uses the available bandwidth optimally through direct distribution.
Prerequisite:
The rate limiter function helps ensure stable operation even with high data volumes by limiting the
amount of data packets on the ports. The rate limitation is performed individually for each port, as
well as separately for inbound and outbound data packets.
If the data rate on a port exceeds the defined limit, then the device discards the overload on this
port.
Rate limitation occurs entirely on Layer 2. In the process, the rate limiter function ignores protocol
information on higher levels such as IP or TCP. This can affect the TCP data packets.
10.4 QoS/Priority
QoS (Quality of Service) is a procedure defined in IEEE 802.1D which is used to distribute
resources in the network. QoS lets you prioritize the data of necessary applications.
When there is a heavy network load, prioritizing helps prevent data packets with lower priority from
interfering with delay-sensitive data packets. Delay-sensitive data packets include, for example,
voice, video, and real-time data.
For data packet prioritization, traffic classes are defined in the device. The device prioritizes higher
traffic classes over lower traffic classes. The number of traffic classes depends on the device type.
To provide for optimal data flow for delay-sensitive data, you assign higher traffic classes to this
data. You assign lower traffic classes to data that is less sensitive to delay.
The device automatically assigns traffic classes to inbound data (traffic classification). The device
takes the following classification criteria into account:
Methods according to which the device carries out assignment of received data packets to traffic
classes:
trustDot1p
The device uses the priority of the data packet contained in the VLAN tag.
trustIpDscp
The device uses the QoS information contained in the IP header (ToS/DiffServ).
untrusted
The device ignores possible priority information within the data packets and uses the priority
of the receiving port directly.
The priority assigned to the receiving port.
For prioritization of traffic classes, the device uses the following methods:
Strict Priority
When transmission of data of a higher traffic class is no longer taking place or the relevant data
is still in the queue, the device sends data of the corresponding traffic class. If every traffic class
is prioritized according to the Strict Priority method, then under high network load the device can
permanently block the data of lower traffic classes.
Weighted Fair Queuing
The traffic class is assigned a specific bandwidth. This helps ensure that the device sends the
data packets of this traffic class, although there is a great deal of data packets in higher traffic
classes.
The device lets you evaluate this priority information using the following options:
trustDot1p
The device assigns VLAN-tagged data packets to the different traffic classes according to their
VLAN priorities. The corresponding allocation is configurable. The device assigns the priority of
the receiving port to data packets it receives without a VLAN tag.
trustIpDscp
The device assigns the IP packets to the different traffic classes according to the DSCP value
in the IP header, although the packet was also VLAN-tagged. The corresponding allocation is
configurable. The device prioritizes non-IP packets according to the priority of the receiving port.
untrusted
The device ignores the priority information in the data packets and assigns the priority of the
receiving port to them.
For the VLAN and prioritizing functions, IEEE 802.1Q provides for integrating a VLAN tag in the
MAC frame. The VLAN tag consists of 4 bytes and is located between the source address field
(“Source Address Field”) and the type field (“Length / Type Field”).
[Figure: Ethernet data packet with tag. Fields and lengths in octets: Preamble Field (7), Start Frame Delimiter Field (1), Destination Address Field (6), Source Address Field (6), Tag Field (4), Length/Type Field (2), Data Field and Pad Field (42-1500), Frame Check Sequence Field (4)]
For data packets with VLAN tags, the device evaluates the following information:
Priority information
When VLANs are set up, VLAN tagging
[Figure: fields of the VLAN tag (4 octets): Tag Protocol Identifier (2 x 8 bit), User Priority (3 bit), Canonical Format Identifier (1 bit), VLAN Identifier (12 bit)]
Figure 23: Structure of the VLAN tagging
A data packet with a VLAN tag containing priority information but no VLAN information (VLAN ID
= 0) is known as a Priority Tagged frame.
Note: Network protocols and redundancy mechanisms use the highest traffic class 7. Therefore,
select other traffic classes for application data.
The Type-of-Service field (ToS) in the IP header was already part of the IP protocol from the start,
and is used to differentiate different services in IP networks. Even back then, there were ideas
about differentiated treatment of IP packets, due to the limited bandwidth available and the
unreliable connection paths. Because of the continuous increase in the available bandwidth, there
was no need to use the ToS field.
Only with the real-time requirements of today's networks has the ToS field become significant
again. Selecting the ToS byte of the IP header lets you differentiate between different services.
However, this field is not widely used in practice.
Bits:   0 1 2        3 4 5 6            7
Field:  Precedence   Type of Service    MBZ

Table 21: ToS field in the IP header

Bits (0-2): IP Precedence Defined   Bits (3-6): Type of Service Defined   Bit (7)
111 - Network Control               0000 - [all normal]                   0 - Zero
110 - Internetwork Control          1000 - [minimize delay]
101 - CRITIC / ECP                  0100 - [maximize throughput]
100 - Flash Override                0010 - [maximize reliability]
011 - Flash                         0001 - [minimize monetary cost]
010 - Immediate
001 - Priority
000 - Routine
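The following added example (not part of the manual) parses the VLAN tag and the ToS byte of a frame and returns which priority value each of the settings trustDot1p, trustIpDscp and untrusted would use, following the descriptions above. The function names and the sample frames are constructed, DSCP is read from IPv4 headers only, and the mapping of the value to a traffic class is left out because it is configurable.

```python
import struct

TPID_8021Q = 0x8100
ETYPE_IPV4 = 0x0800
TRUST_MODES = ("trustDot1p", "trustIpDscp", "untrusted")


def parse(frame):
    """Extract the priority fields of an Ethernet frame (DSCP for IPv4 only)."""
    info = {"tagged": False, "pcp": None, "cfi": None, "vid": None,
            "dscp": None, "precedence": None}
    etype = int.from_bytes(frame[12:14], "big")
    offset = 14
    if etype == TPID_8021Q:
        # Tag Control Information: 3 bit priority, 1 bit CFI, 12 bit VLAN ID.
        tci, etype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 18
    if etype == ETYPE_IPV4 and len(frame) > offset + 1:
        tos = frame[offset + 1]
        info["dscp"] = tos >> 2            # upper 6 bits of the ToS byte
        info["precedence"] = tos >> 5      # bits 0-2 of Table 21
    info["priority_tagged"] = info["tagged"] and info["vid"] == 0
    return info


def effective_priority(frame, trust_mode, port_priority):
    """Return (source, value) of the priority the given trust mode evaluates."""
    if trust_mode not in TRUST_MODES:
        raise ValueError(f"unknown trust mode: {trust_mode}")
    info = parse(frame)
    if trust_mode == "trustDot1p" and info["tagged"]:
        return "vlan-priority", info["pcp"]
    if trust_mode == "trustIpDscp" and info["dscp"] is not None:
        return "ip-dscp", info["dscp"]     # used even if the frame is VLAN-tagged
    return "port-priority", port_priority


def build(pcp=None, vid=0, tos=None):
    """Build a constructed frame: optional VLAN tag, IPv4 if tos is given, else ARP."""
    frame = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    if pcp is not None:
        frame += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
        frame = frame[:-2] + struct.pack("!H", (pcp << 13) | vid)
    if tos is not None:
        return frame + struct.pack("!H", ETYPE_IPV4) + bytes([0x45, tos]) + bytes(18)
    return frame + struct.pack("!H", 0x0806) + bytes(46)


# Constructed frames. The first one marks itself with VLAN priority 7 and
# DSCP 56, the values shown for management packets in this chapter.
SELF_MARKED = build(pcp=7, vid=0, tos=56 << 2)
UNTAGGED_IP = build(tos=0xB8)              # DSCP 46
UNTAGGED_ARP = build()

if __name__ == "__main__":
    for name, frame in [("self-marked", SELF_MARKED), ("untagged IPv4", UNTAGGED_IP),
                        ("untagged ARP", UNTAGGED_ARP)]:
        for mode in TRUST_MODES:
            print(f"{name:14} {mode:12} {effective_priority(frame, mode, 0)}")
```

With trustDot1p or trustIpDscp the value comes from the sender, so the `self-marked` frame obtains priority 7 or DSCP 56 by its own choice; with untrusted it gets the port priority.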
The device provides the following options for handling traffic classes:
Strict Priority
Weighted Fair Queuing
Strict Priority combined with Weighted Fair Queuing
Queue management
With the Strict Priority setting, the device first transmits data packets that have a higher traffic class
(higher priority) before transmitting a data packet with the next highest traffic class. When there are
no other data packets remaining in the queue, the device transmits a data packet with the lowest
traffic class (lowest priority). In unfortunate cases, if there is a high volume of high-priority data
packets waiting to be sent on this port, then the device does not send data packets with a low
priority.
In delay-sensitive applications, such as VoIP or video, Strict Priority lets data be sent
immediately.
With Weighted Fair Queuing, also called Weighted Round Robin (WRR), you assign a minimum or
reserved bandwidth to each traffic class. This helps ensure that data packets with a lower priority
are also sent although the network is very busy.
The reserved values range from 0% through 100% of the available bandwidth, in steps of 1%.
A reservation of 0 is equivalent to a "no bandwidth" setting.
The sum of the individual bandwidths can be up to 100%.
When you assign Weighted Fair Queuing to every traffic class, the entire bandwidth of the
corresponding port is available to you.
When combining Weighted Fair Queuing with Strict Priority, verify that the highest traffic class of
Weighted Fair Queuing is lower than the lowest traffic class of Strict Priority.
If you combine Weighted Fair Queuing with Strict Priority, then a high Strict Priority network load
can significantly reduce the bandwidth available for Weighted Fair Queuing.
Queue Shaping
Queue Shaping throttles the rate at which queues transmit packets. For example, using Queue
Shaping, you rate-limit a higher strict-priority queue so that it lets a lower strict-priority queue
send packets even though higher priority packets are still available for transmission. The device lets
you set up Queue Shaping for any queue. You specify Queue Shaping as the maximum rate at
which the data packets pass through a queue by assigning a percentage of the available
bandwidth.
The device lets you prioritize the management packets so that you can access the device
management at any time in situations with high network load.
When prioritizing management packets, the device sends the management packets with priority
information.
On Layer 2, the device modifies the VLAN priority in the VLAN tag.
The prerequisite for this function is that the corresponding ports are set to allow sending packets
with a VLAN tag.
On Layer 3, the device modifies the IP-DSCP value.
IPv4 Network
------------
...
Management VLAN priority....................7
...
IPv4 Network
------------
...
Management IP-DSCP value....................56
If a large number of data packets are received in the priority queue of a port at the same time, then
this can cause the port memory to overflow. This happens, for example, when the device receives
data on a Gigabit port and forwards it to a port with a lower bandwidth. The device discards surplus
data packets.
The flow control mechanism defined in IEEE 802.3 helps ensure that no data packets are lost due
to buffer overflow on a port. Shortly before the buffer memory of a port is completely full, the device
signals to the connected devices that it is not accepting any more data packets from them.
In full-duplex mode, the device sends a pause data packet.
In half-duplex mode, the device simulates a collision.
The following figure displays how flow control works. Workstations 1, 2, and 3 want to
simultaneously transmit a large amount of data to Workstation 4. The combined bandwidth of
Workstations 1, 2, and 3 is greater than the bandwidth of Workstation 4. This causes an overflow
on the receive queue of port 4. The left funnel symbolizes this status.
When the flow control function on ports 1, 2 and 3 of the device is enabled, the device reacts before
the funnel overflows. The funnel on the right illustrates ports 1, 2 and 3 sending a message to the
transmitting devices to control the transmission speed. As a result, the receiving port is no longer
overwhelmed and is able to process the incoming data packets.
[Figure: Switch with Port 1, Port 2, Port 3 and Port 4]
In the example, there is a half-duplex link between Workstation 2 and the device.
Before the send queue of port 2 overflows, the device sends data back to Workstation 2.
Workstation 2 detects a collision and stops transmitting.
In the example, there is a full-duplex link between Workstation 2 and the device.
Before the send queue of port 2 overflows, the device sends a request to Workstation 2 to include
a small break in the sending transmission.
Note: When you are using a redundancy function, you deactivate the flow control on the
participating ports. If the flow control and the redundancy function are active at the same time, it is
possible that the redundancy function operates differently than intended.
When you use the TSN function, the following basic conditions apply:
• The device operates using the Store and Forward method. Thus, the device has to receive the
complete data packet before it makes a forwarding decision.
• You specify the Base time and Cycle time once in the device. Both settings are valid for each
port participating in TSN.
• You set up a Gate Control List per port based on predefined templates for easier setup.
• Verify that the sum of the Gate Control List entry times is less than or equal to the specified
Cycle time.
• The device uses a guard band to help protect the time slot for high priority packets from packets
that "leak" from the previous time slot. The decisive factor for the interval length of the guard
band is the port speed of the sending port.
We recommend the following interval lengths for the guard band. The values are based on the
port speed and the maximum allowed size of Ethernet packets:
– 2.5 Gbit/s: 5 µs
– 1 Gbit/s: 13 µs
– 100 Mbit/s: 124 µs
• The Cycle time range is 50000..10000000 ns.
• The Gate Control List interval range is 1000..10000000 ns.
• Verify that the Cycle time as well as the Gate Control List intervals are multiples of 1 µs, 2 µs or
4 µs.
Table 22: Dependency between Cycle time and granularity
11.2 Example
This example describes how to set up the devices for a scenario with the following conditions:
• Cycle time = 1 ms
• Time slot for high priority packets = 500 µs
• Time slot for low-priority packets = 487 µs
In this example, each device is connected to the network with a port speed of 1 Gbit/s.
Table 23: Structure of the cycle
The device automatically calculates the duration of the time slot for the low-priority packets. The
calculation is based on the following parameters:
• Cycle time
• Duration of the time slot for high priority packets
• Duration of the guard band
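The following added example (not part of the manual or of the device software) reproduces this calculation and checks a cycle plan against the ranges and rules listed above. The on-wire frame size used for the guard band is an assumption, and the granularity is passed in as a parameter because the dependency on the Cycle time is given in Table 22.

```python
"""Added example: check a two-slot TSN cycle against the limits stated in the text."""

# Limits quoted in the text (nanoseconds).
CYCLE_TIME_RANGE_NS = (50_000, 10_000_000)
GCL_INTERVAL_RANGE_NS = (1_000, 10_000_000)
GRANULARITIES_NS = (1_000, 2_000, 4_000)

# Assumption (not stated in the manual): the largest frame occupies the wire for
# 1522 bytes (VLAN-tagged frame) + 8 bytes preamble/SFD + 12 bytes inter-frame gap.
MAX_WIRE_BYTES = 1522 + 8 + 12


def guard_band_ns(port_speed_bps, wire_bytes=MAX_WIRE_BYTES):
    """Time one maximum-size frame needs to leave the port, rounded up to 1 us."""
    bits = wire_bytes * 8
    exact_ns = -(-bits * 1_000_000_000 // port_speed_bps)  # ceiling division
    return -(-exact_ns // 1_000) * 1_000


def plan_two_slots(cycle_ns, high_ns, port_speed_bps):
    """Derive the low-priority slot from cycle time, high-priority slot and guard band."""
    guard = guard_band_ns(port_speed_bps)
    return {"high": high_ns, "guard": guard, "low": cycle_ns - high_ns - guard}


def check_cycle(cycle_ns, intervals_ns, granularity_ns=1_000):
    """Return a list of rule violations; an empty list means the plan is acceptable."""
    problems = []
    if granularity_ns not in GRANULARITIES_NS:
        return [f"granularity {granularity_ns} ns is not 1, 2 or 4 us"]
    lo, hi = CYCLE_TIME_RANGE_NS
    if not lo <= cycle_ns <= hi:
        problems.append(f"cycle time {cycle_ns} ns outside {lo}..{hi} ns")
    if cycle_ns % granularity_ns:
        problems.append(f"cycle time is not a multiple of {granularity_ns} ns")
    lo, hi = GCL_INTERVAL_RANGE_NS
    for name, ns in intervals_ns.items():
        if not lo <= ns <= hi:
            problems.append(f"interval '{name}' = {ns} ns outside {lo}..{hi} ns")
        elif ns % granularity_ns:
            problems.append(f"interval '{name}' is not a multiple of {granularity_ns} ns")
    if sum(intervals_ns.values()) > cycle_ns:
        problems.append("sum of Gate Control List intervals exceeds the cycle time")
    return problems


if __name__ == "__main__":
    # Scenario of this chapter: Cycle time 1 ms, 500 us high priority, 1 Gbit/s ports.
    plan = plan_two_slots(1_000_000, 500_000, 1_000_000_000)
    print(plan, check_cycle(1_000_000, plan))
```

With the assumed frame size, the computed guard bands match the recommended 5 µs, 13 µs and 124 µs, and the low-priority slot comes out at 487 µs.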
Using the previously specified times, you set up the devices using the Graphical User Interface or
the Command Line Interface. For each device involved, perform the following steps.
The device provides predefined templates to help you set up the Gate Control List. In the following
example, you use the template default 2 time slots. After you select the template, you can
adjust the duration of the time slots. Perform the following steps for each port for which you want
to use the TSN function.
Open the Switching > TSN > Gate Control List > Configured dialog.
Select the tab for the port for which you want to specify the settings.
12 VLANs
In the simplest case, a virtual LAN (VLAN) consists of a group of network participants in one
network segment who can communicate with each other as though they belonged to a separate
LAN.
More complex VLANs span out over multiple network segments and are also based on logical
(instead of only physical) connections between network participants. VLANs are an element of
flexible network design. It is easier to reconfigure logical connections centrally than cable
connections.
The device supports independent VLAN learning according to IEEE 802.1Q which defines the
VLAN function.
Using VLANs has many benefits. The following list displays the top benefits:
Network load limiting
VLANs reduce the network load considerably as the devices transmit Broadcast, Multicast, and
Unicast packets with unknown (unlearned) destination addresses only inside the virtual LAN.
The rest of the data network forwards the data packets as normal.
Flexibility
You have the option of forming user groups based on the function of the participants apart from
their physical location or medium.
Clarity
VLANs give networks a clear structure and make maintenance easier.
The following practical examples provide a quick introduction to the structure of a VLAN.
Note: When configuring VLANs you use an interface for accessing the device management that
will remain unchanged. For this example, you use either interface 1/6 or the serial connection to set
up the VLANs.
12.1.1 Example 1
The example displays a minimal VLAN configuration (port-based VLAN). An administrator has
connected multiple end devices to a transmission device and assigned them to 2 VLANs. This
effectively prohibits any data transmission between the VLANs, whose members communicate only
within their own VLANs.
[Figure: End devices A and D (VLAN 2) and B and C (VLAN 3) connected to a device with ports 1 to 5]
When setting up the VLANs, you add communication rules for every port, which you set up in
ingress (incoming) and egress (outgoing) tables.
The ingress table specifies which VLAN ID a port assigns to the incoming data packets. Hereby,
you use the port address of the end device to assign it to a VLAN.
The egress table specifies on which ports the device sends the packets from this VLAN.
T = Tagged (with a tag field, marked)
U = Untagged (without a tag field, unmarked)
For this example, the status of the TAG field of the data packets has no relevance, so you use the
setting U.
Table 24: Ingress table
VLAN ID Port
1 2 3 4 5
1 U
2 U U
3 U U
12.1.2 Example 2
The second example displays a more complex configuration with 3 VLANs (1 to 3). Along with the
Switch from example 1, you use a second Switch (on the right in the example).
[Figure: End devices A to H of VLAN 2 and VLAN 3 on 2 devices with ports 1 to 5 each, VLAN 1, and an optional Management Station]
The terminal devices (A to H) of the individual VLANs are spread over 2 transmission devices
(Switches). Such VLANs are therefore known as distributed VLANs. An optional network
management station is also shown, which has access to the device management of each network
component if the associated VLAN is set up correctly.
Note: In this case, VLAN 1 has no significance for the end device communication, but it is required
for the administration of the transmission devices through what is known as the Management
VLAN.
As in the previous example, uniquely assign the ports with their connected terminal devices to a
VLAN. With the direct connection between both transmission devices (uplink), the ports transport
packets for both VLANs. To differentiate these uplinks you use “VLAN tagging”, which handles the
data packets accordingly. Thus, you maintain the assignment to the respective VLANs.
The egress table specifies on which ports the device sends the packets from this VLAN.
T = Tagged (with a tag field, marked)
U = Untagged (without a tag field, unmarked)
In this example, tagged packets are used in the communication between the transmission devices
(Uplink), as packets for different VLANs are differentiated at these ports.
Table 26: Ingress table for device on left
VLAN ID Port
1 2 3 4 5
1 U
2 U U T
3 U U T
VLAN ID Port
1 2 3 4 5
1 U
2 T U U
3 T U U
The communication relationships here are as follows: end devices on ports 1 and 4 of the left
device and end devices on ports 2 and 4 of the right device are members of VLAN 2 and can thus
communicate with each other. The behavior is the same for the end devices on ports 2 and 3 of the
left device and the end devices on ports 3 and 5 of the right device. These belong to VLAN 3.
The end devices “see” their respective part of the network. Participants outside this VLAN cannot
be reached. The device also sends Broadcast, Multicast, and Unicast packets with unknown
(unlearned) destination addresses only inside a VLAN.
Here, the devices use VLAN tagging (IEEE 802.1Q) within the VLAN with the ID 1 (Uplink). The
letter T in the egress table of the ports indicates VLAN tagging.
The configuration of the example is the same for the device on the right. Proceed in the same way,
using the ingress and egress tables specified above to adapt the previously set up left device to the
new environment.
For the uplink port, in the Acceptable packet types column, specify the value
admitOnlyVlanTagged.
Mark the checkbox in the Ingress filtering column for the uplink ports to evaluate VLAN tags
on this port.
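The following added example (not part of the manual or of the device software) models the ingress and egress decisions of Example 2 and shows what the two uplink settings change. The port memberships follow the communication relationships described above. The uplink ports (5 on the left device, 1 on the right), the port VLAN ID 1 on the uplink, the name admitAll for the permissive setting, and the unconfigured VLAN ID 99 are assumptions. VLAN 1 is left out of the model, and ingress filtering is modelled with its general IEEE 802.1Q meaning.

```python
"""Added example: port-based VLAN forwarding for the two-switch setup of Example 2."""
from dataclasses import dataclass


@dataclass
class Port:
    pvid: int                        # VLAN ID assigned to untagged ingress frames
    acceptable: str = "admitAll"     # assumed name; "admitOnlyVlanTagged" is from the text
    ingress_filtering: bool = False  # drop tagged frames for VLANs the port is not in


@dataclass
class Switch:
    ports: dict   # port number -> Port (ingress side)
    egress: dict  # VLAN ID -> {port number: "U" or "T"} (egress table)

    def classify(self, port_no, tag):
        """Ingress decision: return the VLAN of the frame, or None if it is dropped."""
        port = self.ports[port_no]
        if tag is None:
            return None if port.acceptable == "admitOnlyVlanTagged" else port.pvid
        if port.ingress_filtering and port_no not in self.egress.get(tag, {}):
            return None
        return tag

    def flood(self, port_no, tag=None):
        """Egress decision for an unknown-destination frame: {port: tag on the wire}."""
        vlan = self.classify(port_no, tag)
        members = self.egress.get(vlan, {})
        return {p: (vlan if mode == "T" else None)
                for p, mode in members.items() if p != port_no}


# Assumption: the uplink is port 5 on the left device and port 1 on the right device.
UPLINK = {"left": 5, "right": 1}


def build_example_2(hardened_uplink=True):
    def uplink():
        if hardened_uplink:
            return Port(pvid=1, acceptable="admitOnlyVlanTagged", ingress_filtering=True)
        return Port(pvid=1)  # assumed permissive setting: accept all, no filtering

    left = Switch(
        ports={1: Port(2), 2: Port(3), 3: Port(3), 4: Port(2), 5: uplink()},
        egress={2: {1: "U", 4: "U", 5: "T"}, 3: {2: "U", 3: "U", 5: "T"}},
    )
    right = Switch(
        ports={1: uplink(), 2: Port(2), 3: Port(3), 4: Port(2), 5: Port(3)},
        egress={2: {1: "T", 2: "U", 4: "U"}, 3: {1: "T", 3: "U", 5: "U"}},
    )
    return {"left": left, "right": right}


def reachable(switches, name, port_no):
    """End-device ports on both switches that receive a frame flooded from one port."""
    peer = "right" if name == "left" else "left"
    seen = set()
    for out_port, wire_tag in switches[name].flood(port_no).items():
        if out_port == UPLINK[name]:
            far = switches[peer].flood(UPLINK[peer], wire_tag)
            seen |= {(peer, p) for p in far}
        else:
            seen.add((name, out_port))
    return seen


if __name__ == "__main__":
    net = build_example_2()
    print(sorted(reachable(net, "left", 1)))  # VLAN 2 members only
    print(sorted(reachable(net, "left", 2)))  # VLAN 3 members only
    print(net["right"].classify(1, None))     # untagged frame on the uplink: dropped
    print(net["right"].classify(1, 99))       # tag of a VLAN the uplink is not in: dropped
```

Without the two uplink settings, the same untagged frame is classified into the port VLAN ID of the uplink, and the frame tagged with the unconfigured VLAN ID is accepted at ingress.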
A Guest VLAN lets a device provide port-based Network Access Control (IEEE 802.1x) to non-
802.1x capable supplicants. This feature provides a mechanism to allow guests to access external
networks only. If you connect non-802.1x capable supplicants to an active unauthorized 802.1x
port, then the supplicants send no responses to 802.1x requests. Since the supplicants send no
responses, the port remains in the unauthorized state. The supplicants have no access to external
networks.
The Guest VLAN supplicant is configured on a per-port basis. When you set up a Guest VLAN on a
port and connect non-802.1x capable supplicants to this port, the device assigns the supplicants to
the Guest VLAN. Adding supplicants to a Guest VLAN causes the port to change to the authorized
state, allowing the supplicants to access external networks.
An Unauthenticated VLAN lets the device provide service to 802.1x capable supplicants which
authenticate incorrectly. This function lets the unauthorized supplicants have access to limited
services. If you set up an Unauthenticated VLAN on a port with 802.1x port authentication and the
global operation enabled, then the device places the port in an Unauthenticated VLAN. When a
802.1x capable supplicant incorrectly authenticates on the port, the device adds the supplicant to
the Unauthenticated VLAN. If you also set up a Guest VLAN on the port, then non-802.1x capable
supplicants use the Guest VLAN.
If the port has an Unauthenticated VLAN assigned, then the reauthentication timer counts down.
When the time specified in the Reauthentication period [s] column expires and supplicants are present
on the port, the Unauthenticated VLAN reauthenticates. When no supplicants are present, the
device places the port in the set-up Guest VLAN.
The following example explains how to add a Guest VLAN. Add an Unauthorized VLAN in the same
manner.
Open the Network Security > 802.1X > Port Configuration dialog.
Specify the following settings for port 1/4:
– The value auto in the Port control column
– The value 10 in the Guest VLAN ID column
– The value 20 in the Unauthenticated VLAN ID column
The RADIUS VLAN assignment feature makes it possible for a RADIUS VLAN ID attribute to be
associated with an authenticated client. When a client authenticates successfully, and the RADIUS
server sends a VLAN attribute, the device associates the client with the RADIUS assigned VLAN.
As a result, the device adds the physical port as a member to the appropriate VLAN and sets the
port VLAN ID (PVID) with the given value. The port transmits the data packets without a VLAN tag.
Use the Voice VLAN feature to separate voice and data packets on a port, by VLAN and/or priority.
A significant benefit of the voice VLAN is that a high volume of data on the port does not affect the
sound quality of an IP phone.
The device uses the source MAC address to identify and prioritize the voice data flow. Identifying
by MAC address reduces the potential for a "rogue client" to connect to the port and manipulate
voice data packets.
Another benefit of the Voice VLAN feature is that a VoIP phone obtains a VLAN ID or priority
information using LLDP-MED. As a result, the VoIP phone sends voice data packets with VLAN tag,
priority tag or untagged. This depends on the Voice VLAN Interface configuration.
The following Voice VLAN interface modes are possible. The first 3 methods segregate and
prioritize voice and data packets. The segregation of the data packets improves the quality of the
voice data stream in case of high data volumes.
Configuring the port to use the vlan mode lets the device tag the voice data coming from a
VoIP phone with the user-defined voice VLAN ID. The device assigns regular data to the default
port VLAN ID.
Configuring the port to use the dot1p-priority mode lets the device tag the data coming from
a VoIP phone with VLAN 0 and the user-defined priority. The device assigns the default priority
of the port to regular data.
Specify both the voice VLAN ID and the priority using the vlan/dot1p-priority mode. In this
mode the VoIP phone sends voice data with the user-defined voice VLAN ID and priority
information. The device assigns the default PVID and priority of the port to regular data.
When set up as untagged, the phone sends untagged packets.
When set up as none, the phone uses its own configuration to send voice data packets.
13 Redundancy
When using Ethernet, a significant prerequisite is that data packets follow a single (unique) path
from the sender to the receiver. The following network topologies support this prerequisite:
Line topology
Star topology
Tree topology
To introduce redundancy onto Layer 2 of a network, you first define which network topology you
require. Depending on the network topology selected, you then choose from the redundancy
protocols that can be used with this network topology.
Meshed topology
For networks with star or tree topologies, redundancy procedures are only possible in connection
with physical looping. The result is a meshed topology.
For operating in this network topology, the device provides you with the following redundancy
protocols:
Rapid Spanning Tree Protocol (RSTP)
Ring topology
In networks with a line topology, you can use redundancy procedures by connecting the ends of
the line. This results in a ring topology.
For operating in this network topology, the device provides you with the following redundancy
protocols:
Media Redundancy Protocol (MRP)
Rapid Spanning Tree Protocol (RSTP)
For operating in different network topologies, the device provides you with the following redundancy
protocols:
Table 30: Overview of redundancy protocols
Note: If you are using a redundancy function, then you deactivate the flow control on the
participating device ports. If the flow control and the redundancy function are active at the same
time, it is possible that the redundancy function operates differently than intended.
▲ Combination applicable
○ Combination not applicable
1) A redundant coupling between these network topologies will possibly lead to loops.
To redundantly couple these topologies, refer to chapter “FuseNet function” on page 216.
2) Combination applicable on the same port
Since May 2008, the Media Redundancy Protocol (MRP) has been a standardized solution for ring
redundancy in the industrial environment.
MRP is compatible with redundant ring coupling, supports VLANs, and is distinguished by very
short reconfiguration times.
An MRP Ring consists of up to 50 devices that support the Media Redundancy Protocol (MRP)
according to IEC 62439. When you only use Hirschmann devices, up to 100 devices are possible
in the MRP Ring.
When you use the fixed MRP redundant port (Fixed Backup) and the Ring Manager device detects
a primary ring link failure, it forwards data to the secondary ring link. When the primary link is
restored, the secondary link continues to be in use.
The concept of ring redundancy lets you construct high-availability ring-shaped network structures.
Using the Ring manager function, the two ends of a backbone in a line structure can be closed to a
redundant ring. The Ring Manager device keeps the redundant line open as long as the line
structure is intact. When a segment becomes inoperable, the Ring Manager device immediately
closes the redundant line, and the line structure is intact again.
When a line section failure is detected, the Ring Manager device changes the MRP Ring back into
a line structure. You define the maximum time for the reconfiguration of the line in the Ring Manager
device.
Note: If every device in the ring supports the shorter delay time, then you can set up the
reconfiguration time with a value less than 500ms.
Otherwise the devices that only support longer delay times might not be reachable due to
overloading. Loops can occur as a result.
For times even shorter than the specified reconfiguration time, the device provides the Advanced
mode. When the ring participants inform the Ring Manager device about interruptions in the ring
through Link Down notifications, the Advanced mode speeds up the link failure detection.
Hirschmann devices support Link Down notifications. Therefore, you generally activate the
Advanced mode in the Ring Manager device.
When you are using devices that do not support Link Down notifications, the Ring Manager device
reconfigures the line in the selected maximum reconfiguration time.
Before setting up an MRP Ring, verify that the following conditions are fulfilled:
All ring participants support MRP.
The ring participants are connected to each other through the ring ports. Apart from its
neighbors, no other ring participants are connected to the respective device.
All ring participants support the configuration time specified in the Ring Manager device.
There is exactly one Ring Manager device in the ring.
If you are using VLANs, then set up every ring port with the following settings:
Deactivate ingress filtering - see the Switching > VLAN > Port dialog.
Define the port VLAN ID (PVID) - see the Switching > VLAN > Port dialog.
– PVID = 1 in cases where the device transmits the MRP data packets untagged (VLAN ID =
0 in Switching > L2-Redundancy > MRP dialog)
By setting the PVID = 1, the device automatically assigns the received untagged packets to
VLAN 1.
– PVID = any in cases where the device transmits the MRP data packets in a VLAN (VLAN ID
≥1 in the Switching > L2-Redundancy > MRP dialog)
Define egress rules - see Switching > VLAN > Configuration dialog.
– U (untagged) for the ring ports of VLAN 1 in cases where the device transmits the MRP data
packets untagged (VLAN ID = 0 in the Switching > L2-Redundancy > MRP dialog, the MRP Ring
is not assigned to a VLAN).
– T (tagged) for the ring ports of the VLAN which you assign to the MRP Ring. Select T, in
cases where the device transmits the MRP data packets in a VLAN (VLAN ID ≥1 in the
Switching > L2-Redundancy > MRP dialog).
MRP Packets
The Media Redundancy Protocol (MRP) uses Test, Link Change, and Topology Change (FDB
Flush) packets.
The Ring Manager device is connected to the ring with 2 ring ports. As long as all connections in
the ring are operational, the Ring Manager device sets one of its ports, the redundant port, into the
blocking state. In this state, the redundant port neither receives nor sends normal (payload) data
packets. This way, the Ring Manager device prevents a network loop.
The Ring Manager device periodically sends test packets into the ring from both ring ports. The test
packets are special packets. The Ring Manager device sends and receives test packets even at
the redundant port although the redundant port blocks normal packets. The Ring Manager device
expects to receive the test packets on its respective other ring port. If the Ring Manager device
does not receive any expected test packets for a specified amount of time, it detects a ring failure.
If the Advanced mode function is active, the Ring Manager device also reacts to Link Down packets.
The prerequisite is that each device in the ring can send a Link Change packet when the link to the
next device in the ring changes. These packets help the Ring Manager device react more quickly
to a link failure or recovery. The Ring Manager device receives the Link Change packets even on
its redundant port.
On reconfiguration of the ring, the Ring Manager device flushes its MAC address table (forwarding
database) and sends Topology Change packets to the devices participating in the ring. The
Topology Change packets prompt the other devices participating in the ring to flush their
MAC address table (forwarding database), too. This procedure helps forward the payload packets
over the new path more quickly. This procedure applies regardless of whether the ring
reconfiguration was caused by a Link Down or a Link Up notification.
Table 32: MRP Packets
Test packet (1): sent periodically.
– Send interval: 50 ms (for ring recovery time 500 ms), 20 ms (for ring recovery time 200 ms)
– Reception timeout: 400 ms (for ring recovery time 500 ms), 160 ms (for ring recovery time 200 ms)
Link Down packet (2): event-driven, on link-down of a ring port.
Topology Change packet (3): event-driven, on reconfiguration.
(1) Sent by the Ring Manager device only.
(2) Sent by supporting ring participants.
(3) The reception of a Topology Change packet prompts the supporting devices participating in the ring to flush their
MAC address table (forwarding database).
The devices participating in the ring send Test, Link Change, and Topology Change packets with
a user-configurable VLAN ID. The default VLAN ID is 0. The devices send the test packets
untagged and thus without priority (Class of Service) information.
To help minimize the reconfiguration time under high network load, you can add a VLAN tag and
thus priority information to these packets. The devices then forward and send these packets with
the IEEE 802.1Q Class of Service priority 7 (Network control).
To prioritize the test packets, perform the following steps on the Ring Manager and Ring Client
devices:
Specify the MRP VLAN ID to a value ≥1.
Specify the ring ports as T (tagged) members of this MRP VLAN.
Note: When you set the MRP VLAN ID to a value ≥1 in the Switching > L2-Redundancy > MRP dialog,
the device adds its ring ports as T (tagged) members of this MRP VLAN. If the MRP VLAN does
not yet exist, the device automatically sets up this VLAN. After setting a new MRP VLAN ID, check
the Switching > VLAN > Configuration dialog for the VLAN and the port settings.
A backbone network contains 3 devices in a line structure. To increase the availability of the
network, you convert the line structure to a redundant ring structure. Devices from different
manufacturers are used. All devices support MRP. On every device you define ports 1/1 and 1/2
as ring ports.
When a primary ring link failure is detected, the Ring Manager device sends data on the secondary
ring link. When the primary link is restored, the secondary link reverts back to the backup mode.
[Figure: Devices 1, 2 and 3, each with ring ports 1.1 and 1.2; RM = Ring Manager]
The following example configuration describes the configuration of the Ring Manager device (1).
You set up the 2 other devices (2 to 3) in the same way, but without enabling the Ring manager
function. This example does not use a VLAN. You specify the value 30ms as the ring recovery time.
Every device supports the Advanced mode function.
Set up the network to meet your demands.
To minimize the ring recovery time in case of a link-up after a failure, set up the speed and
duplex mode of the ring ports as follows:
– For 100 Mbit/s TX ports, disable Automatic Negotiation and manually set up 100M FDX.
– For the other port types, keep the port-specific default settings.
Note: Set up each device of the MRP Ring individually. Before you connect the redundant line,
verify that you have completed the configuration of every device of the MRP Ring. You thus help
avoid loops during the configuration phase.
If the flow control and the redundancy function are active at the same time, it is possible that the
redundancy function operates differently than intended. (Default setting: flow control deactivated
globally and activated on every port.)
Disable the Spanning Tree function in every device in the network. To do this, perform the following
steps:
Open the Switching > L2-Redundancy > Spanning Tree > Global dialog.
Disable the function.
In the state on delivery, Spanning Tree is enabled in the device.
Enable MRP on every device in the network. To do this, perform the following steps:
In the Command Line Interface you first define an additional parameter, the MRP domain ID. Set
up every ring participant with the same MRP domain ID. The MRP domain ID is a sequence of
16 number blocks (8-bit values).
When configuring with the Graphical User Interface, the device uses the default value 255 255 255
255 255 255 255 255 255 255 255 255 255 255 255 255.
mrp domain add default-domain
    To add an MRP domain with the ID default-domain.
mrp domain modify port primary 1/1
    To specify port 1/1 as ring port 1.
mrp domain modify port secondary 1/2
    To specify port 1/2 as ring port 2.
Enable the Fixed backup port. To do this, perform the following steps:
Note: When the device reverts back to the primary port, the maximum ring recovery time can
be exceeded.
When you unmark the Fixed backup checkbox, and the ring is restored, the Ring Manager
device blocks the secondary port and unblocks the primary port.
mrp domain modify port secondary 1/2 fixed-backup enable
    To activate the Fixed backup function on the secondary port. The secondary port continues
    forwarding data after the ring is restored.
mrp domain modify mode manager
    To designate the device as the Ring Manager device. For the other devices in the ring, leave the
    default setting.
mrp domain modify recovery-delay 200ms
    To specify the value 30ms as the max. delay time for the reconfiguration of the ring.
Note: If selecting the value 30ms for the ring recovery does not provide the ring stability necessary
to meet the requirements of the network, then select the value 500ms.
When every ring participant is set up, close the line to create the ring. To do this, you connect the
devices at the ends of the line through their ring ports.
Check the messages from the device. To do this, perform the following steps:
show mrp
    To display the parameters for checking.
The Operation field displays the operating state of the ring port.
Possible values:
forwarding
The port is enabled, connection exists.
blocked
The port is blocked, connection exists.
disabled
The port is disabled.
not-connected
No connection exists.
The Information field displays messages for the redundancy configuration and the possible
causes of detected errors.
When the device operates in the Ring Client or Ring Manager mode, the following messages
are possible:
Redundancy available
The redundancy is set up. When a component of the ring is inoperable, the redundant line
takes over its function.
Configuration error: Error on ringport link.
An error is detected in the cabling of the ring ports.
When the device operates in the Ring Manager mode, the following messages are possible:
Configuration error: Packets from another ring manager received.
Another device exists in the ring that operates in the Ring Manager mode.
Enable the Ring manager function on exactly one device in the ring.
Configuration error: Ring link is connected to wrong port.
A line in the ring is connected with a different port instead of with a ring port. The device
only receives test data packets on one ring port.
When applicable, integrate the MRP Ring into a VLAN. To do this, perform the following steps:
In the VLAN ID field, define the MRP VLAN ID. The MRP VLAN ID determines in which of
the set-up VLANs the device transmits the MRP packets.
To set the MRP VLAN ID, first set up the VLANs and the corresponding egress rules in the
Switching > VLAN > Configuration dialog.
– If the MRP Ring is not assigned to a VLAN (like in this example), then leave the
VLAN ID as 0.
In the Switching > VLAN > Configuration dialog, specify the VLAN membership as U
(untagged) for the ring ports in VLAN 1.
– If the MRP Ring is assigned to a VLAN, then enter a VLAN ID >0.
In the Switching > VLAN > Configuration dialog, specify the VLAN membership as T
(tagged) for the ring ports in the selected VLAN.
The concept of HIPER Ring Redundancy enables the construction of high-availability, ring-shaped
network structures. The HIPER Ring Client function lets the network administrator extend an existing
HIPER Ring or replace a client device already participating in a HIPER Ring.
When the device senses that the link on a ring port becomes inoperable, the device sends a Link
Down packet to the Ring Manager device and flushes the MAC address table (forwarding
database). Once the Ring Manager device receives the Link Down packet, it immediately forwards
the data stream over both the primary and secondary ring ports. Thus, the Ring Manager device is
able to maintain the integrity of the HIPER Ring.
The device only supports Fast Ethernet and Gigabit Ethernet ports as ring ports. Furthermore, you
can include the ring ports in a LAG instance.
In the default state, the HIPER Ring Client mode is inactive, and the primary and secondary ports
are not set up.
To minimize the ring recovery time in case of a link-up after a failure, set up the speed and duplex
mode of the ring ports as follows:
• For 100 Mbit/s TX ports, disable Automatic Negotiation and manually specify 100M FDX.
• For the other port types, keep the port-specific default settings.
Note: In the Switching > L2-Redundancy > Spanning Tree > Port dialog, deactivate the Spanning Tree
function for the ring ports. STP and HIPER Ring have different reaction times.
The device lets you forward VLAN data over the HIPER Ring. Thus, the device provides
redundancy for your VLAN data. The device forwards management data around the ring, for
example, on VLAN 1. For the data to reach the management station, the devices participating in
the ring forward the untagged management data to their ring ports. Also, specify the ring ports as
members of VLAN 1.
When you have other VLANs traversing your ring, the devices participating in the ring forward the
other VLAN data as tagged.
Specify the VLAN settings. To do this, perform the following steps on the Ring Manager and Ring
Client devices:
The HIPER Ring is the proprietary predecessor of MRP. The HIPER Ring works similarly to MRP but
uses different packets. For setting up a new redundant ring, Hirschmann recommends using MRP.
The HIPER Ring protocol uses Test, Link Down, and Topology Change packets.
Note: HiOS devices offer HIPER Ring Client functions. The HIPER Ring Manager functions are
offered by devices with Classic Software. The HIPER Ring Manager functions are mentioned here
only for completeness. For details, refer to the documentation of your HIPER Ring Manager device.
The Ring Manager (RM) device is connected to the ring with 2 ring ports. As long as all connections
in the ring are operational, the Ring Manager device sets one of its ports, the redundant port, into
the blocking state. In this state, the redundant port neither receives nor sends normal (payload)
data packets. This way, the Ring Manager device prevents a network loop.
The Ring Manager device periodically sends test packets into the ring from both ring ports. The test
packets are special packets. The Ring Manager device sends and receives test packets even at
the redundant port although the redundant port blocks normal packets. The Ring Manager device
expects to receive the test packets on its respective other ring port. If the Ring Manager device
does not receive any expected test packets for a specified amount of time, it detects a ring failure.
When a link between 2 devices participating in the ring becomes inoperable, the affected devices
send a Link Down packet to the Ring Manager device. This helps the Ring Manager device react
more quickly to a link failure. The Ring Manager device receives the Link Down packets even on
its redundant port.
On reconfiguration of the ring, the Ring Manager device flushes its MAC address table (forwarding
database) and sends Topology Change packets to the devices participating in the ring. The
Topology Change packets prompt the other devices participating in the ring to flush their
MAC address table (forwarding database), too. This procedure helps forward the payload packets
over the new path more quickly. This procedure applies regardless of whether the ring
reconfiguration was caused by a Link Down or a Link Up notification.
Table 33: HIPER Ring Packets
The devices participating in the ring send Test, Link Change, and Topology Change packets with
the fixed VLAN ID 1. In the default setting, the packets are untagged and thus without priority (Class
of Service) information. To help minimize the reconfiguration time under high network load, you can
add a VLAN tag and thus priority information to these packets. The Ring Manager and Ring Client
devices then forward and send these packets with the IEEE 802.1Q Class of Service priority 7
(Network control).
To do that, specify on the Ring Manager device (Classic software) and Ring Client devices the ring
ports as T (tagged) members of VLAN 1.
Note: These settings for VLAN 1 are different from the VLAN settings described in chapter “VLANS
on the HIPER Ring” on page 191.
Note: The Spanning Tree Protocol (STP) is a protocol for MAC bridges. For this reason, the
following description uses the term bridge for the device.
Local networks are getting bigger and bigger. This applies to both the geographical expansion and
the number of network participants. Therefore, it is advantageous to use multiple bridges, for
example:
to reduce the network load in sub-areas,
to set up redundant connections and
to overcome distance limitations.
However, using multiple bridges with multiple redundant connections between the subnetworks can
lead to loops and thus interruption of communication across the network. To help avoid this, you
can use Spanning Tree. Spanning Tree helps avoid loops through the systematic deactivation of
redundant connections. Redundancy enables the systematic reactivation of individual connections
as needed.
RSTP is a further development of the Spanning Tree Protocol (STP) and is compatible with it. When
a connection or a bridge becomes inoperable, the STP requires a maximum of 30 seconds to
reconfigure. This is no longer acceptable in time-sensitive applications. RSTP achieves average
reconfiguration times of less than a second. When you use RSTP in a ring topology with 10 to
20 devices, you can even achieve reconfiguration times in the order of milliseconds.
Note: RSTP reduces a layer 2 network topology with redundant paths into a tree structure
(Spanning Tree) that does not contain any more redundant paths. One of the devices takes over
the role of the root bridge here. The maximum number of devices permitted in an active branch from
the root bridge to the tip of the branch is specified by the variable Max age for the current root bridge.
The preset value for Max age is 20, which can be increased up to 40.
If the device working as the root is inoperable and another device takes over its function, then the
Max age setting of the new root bridge determines the maximum number of devices allowed in a
branch.
Note: The RSTP standard requires that every device within a network operates with the (Rapid)
Spanning Tree Algorithm. When STP and RSTP are used at the same time, the advantages of
faster reconfiguration with RSTP are lost in the network segments that are operated in combination.
A device that only supports RSTP works together with MSTP devices by not assigning an MST
region to itself, but rather the Common Spanning Tree (CST).
13.4.1 Basics
Because RSTP is a further development of the STP, each of the following descriptions of the STP
also applies to RSTP.
The Spanning Tree Algorithm reduces network topologies built with bridges and containing ring
structures due to redundant links to a tree structure. In doing so, STP opens ring structures
according to preset rules by deactivating redundant paths. When a path is interrupted because a
network component becomes inoperable, STP reactivates the previously deactivated path again.
This lets redundant links increase the availability of communication.
STP determines a bridge that represents the STP tree structure's base. This bridge is called root
bridge.
Bridge parameters
In the context of Spanning Tree, each bridge and its connections are uniquely described by the
following parameters:
Bridge Identifier
Root Path Cost for the bridge ports,
Port Identifier
Bridge Identifier
The Bridge Identifier consists of 8 bytes. The bridge with the smallest number for the Bridge
Identifier has the highest bridge priority.
According to the original standard IEEE 802.1D-1998, the 2 highest-value bytes are the Bridge
Priority. When configuring the bridge, the bridge administrator can change the default setting for
the Bridge Priority which is 32768 (8000H).
In the newer standard IEEE 802.1Q-2014, the Bridge Priority is interpreted differently. The highest
4 bits represent the Bridge Priority. The lower 12 bits are reserved for the VLAN ID and are all zero.
As a result, the bridge administrator can set the Bridge Priority in steps of 4096. The default value
is 32768 (8000H), and the max. value is 61440 (F000H).
The 6 lowest-value bytes of the Bridge Identifier are the MAC address of the bridge. The MAC
address lets each bridge have a unique Bridge Identifier.
Example Bridge Identifier, from MSB to LSB: 80 00 00 80 63 51 74 00
Each path that connects 2 bridges is assigned a cost for the transmission (path cost). The device
determines this value based on the transmission speed (see table 34 on page 196). The device
assigns a higher path cost to paths with lower transmission speeds.
As an alternative, the Administrator can set the path cost. Like the device, the Administrator assigns
a higher path cost to paths with lower transmission speeds. However, since the Administrator can
choose this value freely, he has a tool with which he can give a certain path an advantage among
redundant paths.
The root path cost is the sum of the individual path costs from the port of the connected bridge to
the root bridge.
Figure 34: Path costs (legend: PC = path costs; link types: Ethernet (100 Mbit/s), Ethernet (10 Mbit/s))
Table 34: Recommended path costs for RSTP based on the data rate.
Port Identifier
According to the original standard IEEE 802.1D-1998, the Port Identifier consists of 2 bytes. The
lower-value byte contains the physical port number. This provides a unique identifier for the port of
this bridge. The higher-value byte is the Port Priority, which is specified by the Administrator (default
value: 128 or 80H).
In the newer standard IEEE 802.1Q-2014, the Port Priority is interpreted differently. The highest
4 bits represent the Port Priority. The lower 12 bits are the port number. This allows for bridges with
up to 4095 ports. As a result, the bridge administrator can set the Port Priority in steps of 4096,
when viewed as a 16-bit number. The default value is 32768 (8000H), and the max. value is 61440
(F000H). When viewed as 4-bit number, the default value is 8 (8H), the min. value is 0 (0H), and
the max. value is 15 (FH).
The “Max Age” and “Diameter” values largely determine the maximum expansion of a Spanning
Tree network.
Diameter
The number of connections between the devices in the network that are furthest removed from
each other is known as the network diameter.
[Figure: definition of the diameter, example with a Root-Bridge and Diameter = 7]
In the state on delivery, MaxAge = 20 and the maximum diameter that can be achieved is 19. When
you set the maximum value of 40 for MaxAge, the maximum diameter that can be achieved is 39.
MaxAge
Every STP-BPDU contains a “MessageAge” counter. When a bridge is passed through, the counter
increases by 1.
Before forwarding a STP-BPDU, the bridge compares the “MessageAge” counter with the
“MaxAge” value specified in the device:
When MessageAge < MaxAge, the bridge forwards the STP-BPDU to the next bridge.
When MessageAge = MaxAge, the bridge discards the STP-BPDU.
[Figure: transmission of an STP-BPDU from the Root-Bridge, example with MaxAge = 5 and MessageAge = 5]
Bridge information
To determine the tree structure, the bridges need more detailed information about the other bridges
located in the network.
To obtain this information, each bridge sends a BPDU (Bridge Protocol Data Unit) to the other
bridges.
The bridge with the smallest number for the bridge identifier is called the root bridge. It is (or will
become) the root of the tree structure.
The structure of the tree depends on the root path costs. Spanning Tree selects the structure so
that the path costs between each individual bridge and the root bridge become as small as possible.
When there are multiple paths with the same root path costs, the bridge further away from the
root decides which port it blocks. For this purpose, it uses the bridge identifiers of the bridge
closer to the root. The bridge blocks the port that leads to the bridge with the numerically higher
ID (a numerically higher ID is the logically worse one). When 2 bridges have the same priority,
the bridge with the numerically larger MAC address has the numerically higher ID, which is
logically the worse one.
When multiple paths with the same root path costs lead from one bridge to the same bridge, the
bridge further away from the root uses the port identifier of the other bridge as the last criterion
(see figure 35 on page 197). In the process, the bridge blocks the port that leads to the port with
the numerically higher ID. A numerically higher ID is the logically worse one. When 2 ports have
the same priority, the port with the higher port number has the numerically higher ID, which is
logically the worse one.
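The rules above can be followed in code. The following is an added example, not code from the manual: it decodes the Bridge Identifier shown earlier, elects the root bridge, and applies the tie-breakers (root path cost, then bridge ID, then port ID) to find the blocked port. The diamond topology, bridge names, port numbers and MAC addresses are constructed assumptions.

```python
# Added example, not code from the manual. Bridge names, MAC addresses,
# port numbers and the topology are constructed for illustration.

def bridge_id(priority: int, mac: str) -> bytes:
    """8-byte Bridge Identifier: 2 priority bytes followed by 6 MAC bytes."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be 0..61440 in steps of 4096")
    return priority.to_bytes(2, "big") + bytes.fromhex(mac.replace(":", ""))


def parse_bridge_id(raw: bytes) -> dict:
    """Decode a Bridge Identifier the way IEEE 802.1Q-2014 reads it."""
    if len(raw) != 8:
        raise ValueError("a Bridge Identifier has 8 bytes")
    top = int.from_bytes(raw[:2], "big")
    return {"priority": top & 0xF000,   # highest 4 bits
            "vlan_bits": top & 0x0FFF,  # lower 12 bits, reserved for the VLAN ID
            "mac": raw[2:].hex(":")}


def port_id(number: int, priority: int = 32768) -> int:
    """16-bit Port Identifier: 4-bit priority above a 12-bit port number."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be 0..61440 in steps of 4096")
    if not 1 <= number <= 4095:
        raise ValueError("port number must be 1..4095")
    return priority | number


def compute_tree(bridges: dict, links: list):
    """bridges: name -> Bridge Identifier; links: (a, port_a, b, port_b, cost).

    Returns (root name, roles); roles maps (bridge, port) to "root",
    "designated" or "alternate" (blocked). One link per port is assumed.
    """
    root = min(bridges, key=bridges.get)           # smallest identifier wins
    # Best vector per bridge: (root path cost, upstream bridge ID,
    # upstream port ID, local port ID). Tuples compare in the order of the
    # tie-breakers: cost first, then bridge ID, then port ID.
    best = {name: None for name in bridges}
    best[root] = (0, bridges[root], 0, 0)
    changed = True
    while changed:                                 # relax until stable
        changed = False
        for a, pa, b, pb, cost in links:
            for near, nport, far, fport in ((a, pa, b, pb), (b, pb, a, pa)):
                if far == root or best[near] is None:
                    continue
                offer = (best[near][0] + cost, bridges[near],
                         port_id(nport), port_id(fport))
                if best[far] is None or offer < best[far]:
                    best[far], changed = offer, True
    if any(v is None for v in best.values()):
        raise ValueError("topology is not connected")

    roles = {}
    for a, pa, b, pb, _cost in links:
        # On each link, the end with the lower root path cost (then the
        # lower bridge ID, then the lower port ID) is the designated port.
        adv_a = (best[a][0], bridges[a], port_id(pa))
        adv_b = (best[b][0], bridges[b], port_id(pb))
        des, other = ((a, pa), (b, pb)) if adv_a < adv_b else ((b, pb), (a, pa))
        roles[des] = "designated"
        name, port = other
        roles[other] = "root" if best[name][3] == port_id(port) else "alternate"
    return root, roles


def blocked_ports(bridges: dict, links: list) -> list:
    """Ports that Spanning Tree keeps out of the active topology."""
    _root, roles = compute_tree(bridges, links)
    return sorted(p for p, role in roles.items() if role == "alternate")


def sample_bridges(priority_3: int = 32768) -> dict:
    """Constructed diamond: bridge 1 is root, bridge 4 has two equal paths."""
    return {"1": bridge_id(16384, "00:01:02:03:04:01"),
            "2": bridge_id(32768, "00:01:02:03:04:02"),
            "3": bridge_id(priority_3, "00:01:02:03:04:03"),
            "4": bridge_id(32768, "00:01:02:03:04:04")}


# Every sub-path has the same path cost (constructed value 200000).
SAMPLE_LINKS = [("1", 1, "2", 1, 200000), ("1", 2, "3", 1, 200000),
                ("2", 2, "4", 1, 200000), ("3", 2, "4", 2, 200000)]

if __name__ == "__main__":
    print(parse_bridge_id(bytes.fromhex("8000008063517400")))
    print(blocked_ports(sample_bridges(), SAMPLE_LINKS))        # [('4', 2)]
    print(blocked_ports(sample_bridges(28672), SAMPLE_LINKS))   # [('4', 1)]
```

With default priorities, bridge 4 blocks its port toward bridge 3, the neighbor with the numerically higher ID. Lowering the priority value of bridge 3 to 28672 moves the blocked port to the link toward bridge 2.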
13.4.3 Examples
You can use the network plan to follow the flow chart (see figure 38 on page 199) for determining
the root path. The administrator has specified a priority in the bridge identification for each bridge.
The bridge with the smallest numerical value for the bridge identification takes on the role of the
root bridge, in this case, bridge 1. In the example every sub-path has the same path costs. The
protocol blocks the path between bridge 2 and bridge 3 because a connection from bridge 3
through bridge 2 to the root bridge would result in higher path costs.
[Figure: example network plan; labels: Root Bridge, P-BID = 16 384, P-BID = 32 768]
Note: When the current root bridge goes down, the MAC address in the bridge identifier alone
determines which bridge becomes the new root bridge, because the Administrator does not change
the default values for the priorities of the bridges in the bridge identifier, apart from the value for the
root bridge.
You can use the network plan to follow the flow chart (see figure 38 on page 199) for determining
the root path. The Administrator has performed the following:
• Left the default value of 32768 (8000H) for every bridge apart from bridge 1 and bridge 5, and
• assigned to bridge 1 the value 16384 (4000H), thus making it the root bridge.
• To bridge 5 he assigned the value 28672 (7000H).
The protocol blocks the path between bridge 2 and bridge 3 because a connection from bridge 3
through bridge 2 to the root bridge would result in higher path costs.
[Figure: example network plan; labels: Root Bridge, P-BID = 16 384, P-BID = 32 768]
The Management Administrator soon discovers that this configuration with bridge 1 as the root
bridge is invalid. On the paths from bridge 1 to bridge 2 and bridge 1 to bridge 3, the control packets
which the root bridge sends to every other bridge add up.
When the Management Administrator sets up bridge 2 as the root bridge, the burden of the control
packets on the subnetworks is distributed much more evenly. The result is the configuration shown
in the following figure. The path costs for most of the bridges to the root bridge have decreased.
[Figure: example network plan; labels: Root-Bridge, P-BID = 16 384, MAC 00:01:02:03:04:06]
The Rapid Spanning Tree Protocol (RSTP) uses the same algorithm for determining the tree
structure as Spanning Tree Protocol (STP). When a link or bridge becomes inoperable, the Rapid
Spanning Tree Protocol (RSTP) adds mechanisms that speed up the reconfiguration.
The Rapid Spanning Tree Protocol (RSTP) assigns each bridge port one of the following roles:
Root Port:
This is the port at which a bridge receives data packets with the lowest path costs from the root
bridge.
When there are multiple ports with equally low path costs, the bridge ID of the bridge that leads
to the root (designated bridge) decides which of its ports is given the role of the root port by the
bridge further away from the root.
When a bridge has multiple ports with equally low path costs to the same bridge, the bridge uses
the port ID of the bridge leading to the root (designated bridge) to decide which port it selects
locally as the root port. See figure 38 on page 199.
The root bridge itself does not have a root port.
Designated port:
The bridge in a network segment that has the lowest root path costs is the designated bridge.
When more than one bridge has the same root path costs, the bridge with the smallest value
bridge identifier becomes the designated bridge. The designated port on this bridge is the port
that connects a network segment leading away from the root bridge. When a bridge is
connected to a network segment with more than one port (through a hub, for example), the
bridge gives the role of the designated port to the port with the better port ID.
Edge port
Every network segment with no additional RSTP bridges is connected with exactly one
designated port. In this case, this designated port is also an edge port. The distinction of an edge
port is the fact that it does not receive any RST BPDUs (Rapid Spanning Tree Bridge Protocol
Data Units).
Alternate port
When the connection to the root bridge is lost, this blocked port takes over the task of the root
port. The alternate port provides a backup for the connection to the root bridge.
Backup port
This is a blocked port that serves as a backup in case the connection to the designated port of
this network segment (without any RSTP bridges) is lost.
Disabled port
This is a port that does not participate in the Spanning Tree Operation, that means, the port is
switched off or does not have any connection.
[Figure: port role assignment; labels: BID = 16 384, BID = 40 960]
Depending on the tree structure and the state of the selected connection paths, RSTP assigns the
ports their states.
Table 35: Relationship between port state values for STP and RSTP
STP port state  Administrative     MAC          RSTP Port state  Active topology (port role)
                bridge port state  Operational
Disabled        Disabled           FALSE        Discarding (1)   Excluded (disabled)
Disabled        Enabled            FALSE        Discarding (1)   Excluded (disabled)
Blocking        Enabled            TRUE         Discarding (2)   Excluded (alternate, backup)
Listening       Enabled            TRUE         Discarding (2)   Included (root, designated)
Learning        Enabled            TRUE         Learning         Included (root, designated)
Forwarding      Enabled            TRUE         Forwarding       Included (root, designated)
(1) The dot1d-MIB displays Disabled.
(2) The dot1d-MIB displays Blocked.
Learning: Address learning active in the MAC address table (forwarding database), no data
packets apart from STP-BPDUs
Forwarding: Address learning in the MAC address table (forwarding database) active, sending
and receiving of every packet type (not only STP-BPDUs)
To assign roles to the ports, the RSTP bridges exchange configuration information with each other.
This information is known as the Spanning Tree Priority Vector. It is part of the RST BPDUs and
contains the following information:
Bridge identification of the root bridge
Root path costs of the sending bridge
Bridge identification of the sending bridge
Port identifiers of the ports through which the message was sent
Port identifiers of the ports through which the message was received
Based on this information, the bridges participating in RSTP are able to determine port roles
themselves and define the port states of their own ports.
Why can RSTP react faster than STP to an interruption of the root path?
Introduction of edge-ports:
During a reconfiguration, RSTP sets an edge port into the transmission mode after 3 seconds
(default setting). To ascertain that no bridge sending BPDUs is connected, RSTP waits for the
“Hello Time” to elapse.
When you verify that an end device is and remains connected to this port, there are no waiting
times at this port in the case of a reconfiguration.
Introduction of alternate ports:
As the port roles are already distributed in normal operation, a bridge can immediately switch
from the root port to the alternate port after the connection to the root bridge is lost.
Communication with neighboring bridges (point-to-point connections):
Decentralized, direct communication between neighboring bridges enables reaction without
wait periods to status changes in the spanning tree topology.
Address table:
With Spanning Tree Protocol (STP), the age of the entries in the MAC address table (forwarding
database) determines the updating of communication. The Rapid Spanning Tree Protocol
(RSTP) immediately deletes the entries in those ports affected by a reconfiguration.
Reaction to events:
Without having to match any time specifications, Rapid Spanning Tree Protocol (RSTP)
immediately reacts to events, for example, connection interruption and connection
reinstatement.
Note: Data packets could be duplicated and/or arrive at the recipient in the wrong order during
the reconfiguration phase of the RSTP topology. You may also use the Spanning Tree Protocol
(STP) or select another redundancy procedure described in this manual.
RSTP sets up the network topology completely autonomously. The device with the lowest bridge
priority automatically becomes the root bridge. However, to define a specific network structure, you
specify a device as the root bridge. In general, a device in the backbone takes on this role.
Open the Switching > L2-Redundancy > Spanning Tree > Global dialog.
Enable the function.
Apply the settings temporarily. To do this, click the button.
Define the settings for the device that takes over the role of the root bridge.
spanning-tree mst priority 0 <0..61440>
    To specify the bridge priority of the device.
If applicable, then change the values in the Forward delay [s] and Max age fields.
– The root bridge transmits the changed values to the other devices.
Apply the settings temporarily. To do this, click the button.
spanning-tree forward-time <4..30>
    To specify the delay time for the status change in seconds.
spanning-tree max-age <6..40>
    To specify the maximum permissible branch length, for example the number of devices to the
    root bridge.
show spanning-tree global
    To display the parameters for checking.
Note: The parameters Forward delay [s] and Max age have the following relationship:
If you enter values in the fields that contradict this relationship, then the device replaces these
values with the last valid values or with the default value.
Note: When possible, do not change the value in the “Hello Time” field.
13.5.6 Guards
The device lets you activate various protection functions (guards) in the device ports.
The following protection functions help protect the network from incorrect configurations, loops and
attacks with STP-BPDUs:
BPDU Guard – for manually specified edge ports (end device ports)
You activate this protection function globally in the device.
Terminal device ports do not normally receive any STP-BPDUs. If an attacker still attempts to
feed in STP-BPDUs on this port, then the device deactivates the device port.
Root Guard – for designated ports
You activate this protection function separately for every device port.
When a designated port receives an STP-BPDU with better path information to the root bridge,
the device discards the STP-BPDU and sets the transmission state of the port to discarding
instead of root.
When there are no STP-BPDUs with better path information to the root bridge, after 2 × Hello
time [s] the device resets the state of the port to a value according to the port role.
TCN Guard – for ports that receive STP-BPDUs with a Topology Change flag
You activate this protection function separately for every device port.
If the protection function is activated, then the device ignores Topology Change flags in received
STP-BPDUs. This does not change the content of the MAC address table (forwarding database)
of the device port. However, additional information in the BPDU that changes the topology is
processed by the device.
Loop Guard – for root, alternate and backup ports
You activate this protection function separately for every device port.
If the port does not receive any more STP-BPDUs, then this protection function helps prevent
the transmission status of a port from unintentionally being changed to forwarding. If this
situation occurs, then the device designates the loop status of the port as inconsistent, but does
not forward any data packets.
Open the Switching > L2-Redundancy > Spanning Tree > Global dialog.
Mark the BPDU guard checkbox.
Apply the settings temporarily. To do this, click the button.
Open the Switching > L2-Redundancy > Spanning Tree > Port dialog.
Switch to the CIST tab.
For end device ports, mark the checkbox in the Admin edge port column.
Apply the settings temporarily. To do this, click the button.
You can determine if a port has disabled itself because of a received BPDU. To do this, perform
the following steps:
In the Switching > L2-Redundancy > Spanning Tree > Port dialog, Guards tab, the checkbox in the
BPDU guard effect column is marked.
show spanning-tree port x/y
    To display the parameters of the port for checking. The value of the BPDU guard effect
    parameter is enabled.
Reset the status of the device port to the value forwarding. To do this, perform the following steps:
When the port still receives BPDUs:
– Remove the manual definition as an edge port (end device port).
or
– Deactivate the BPDU Guard.
Activate the device port again.
Open the Switching > L2-Redundancy > Spanning Tree > Port dialog.
Switch to the Guards tab.
For designated ports, select the checkbox in the Root guard column.
For ports that receive STP-BPDUs with a Topology Change flag, select the checkbox in
the TCN guard column.
For root, alternate or backup ports, mark the checkbox in the Loop guard column.
Note: The Root guard and Loop guard functions are mutually exclusive. If you try to activate the
Root guard function while the Loop guard function is active, then the device deactivates the Loop
guard function.
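The guard behavior described in this section can be traced with a small model. The following is an added example, not HiOS code and not taken from the manual: it is a simplified state model of BPDU Guard, Root Guard, TCN Guard and Loop Guard as the text describes them. The Hello time of 2 seconds, the port names and the priority vectors are assumptions constructed for illustration.

```python
# Added example, not HiOS code: a simplified model of the guard behavior
# described in this section. Port names, vectors and times are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

HELLO_TIME = 2.0  # seconds; assumed value, the section does not state it

# Priority vector (root bridge ID, root path cost, sender bridge ID,
# sender port ID). A numerically lower tuple is the better information.
Vector = Tuple[int, int, int, int]


@dataclass
class Bpdu:
    vector: Vector
    topology_change: bool = False


@dataclass
class Port:
    name: str
    role: str                          # root, designated, alternate, backup
    state: str = "forwarding"
    admin_edge: bool = False           # manually specified edge port
    root_guard: bool = False
    tcn_guard: bool = False
    loop_guard: bool = False
    bpdu_guard_effect: bool = False
    loop_inconsistent: bool = False
    fdb_flushes: int = 0               # how often the MAC table was flushed
    last_better_bpdu: Optional[float] = None


def set_root_guard(port: Port, enabled: bool) -> None:
    """Root guard and Loop guard are mutually exclusive on a port."""
    port.root_guard = enabled
    if enabled:
        port.loop_guard = False


def receive_bpdu(port: Port, bpdu: Bpdu, own: Vector, now: float,
                 bpdu_guard: bool) -> str:
    """Apply the guards to one received BPDU and return what happened."""
    if port.state == "disabled":
        return "dropped: port is deactivated"
    if bpdu_guard and port.admin_edge:
        # Stays deactivated until an administrator activates the port again.
        port.state, port.bpdu_guard_effect = "disabled", True
        return "BPDU guard: port deactivated"
    if port.root_guard and port.role == "designated" and bpdu.vector < own:
        port.state, port.last_better_bpdu = "discarding", now
        return "Root guard: BPDU discarded, port set to discarding"
    if bpdu.topology_change and port.tcn_guard:
        # Only the flag is ignored; the rest of the BPDU is still processed.
        return "TCN guard: Topology Change flag ignored"
    if bpdu.topology_change:
        port.fdb_flushes += 1
        return "processed: topology change"
    return "processed"


def tick(port: Port, now: float) -> None:
    """Root guard releases the port after 2 x Hello time without better BPDUs."""
    if (port.last_better_bpdu is not None
            and now - port.last_better_bpdu >= 2 * HELLO_TIME):
        active = port.role in ("root", "designated")
        port.state = "forwarding" if active else "discarding"
        port.last_better_bpdu = None


def bpdu_timeout(port: Port) -> None:
    """The port has stopped receiving BPDUs from its neighbor."""
    if port.loop_guard and port.role in ("root", "alternate", "backup"):
        port.loop_inconsistent, port.state = True, "discarding"
    elif port.role in ("alternate", "backup"):
        # Without Loop guard the blocked port takes over as designated port.
        port.role, port.state = "designated", "forwarding"


if __name__ == "__main__":
    own = (16384, 200000, 32768, 32769)            # what this bridge advertises
    rogue = Bpdu((4096, 0, 4096, 32769))           # claims a better root
    edge = Port("1/1", "designated", admin_edge=True)
    print(receive_bpdu(edge, rogue, own, 0.0, bpdu_guard=True))
    downlink = Port("1/2", "designated")
    set_root_guard(downlink, True)
    print(receive_bpdu(downlink, rogue, own, 0.0, bpdu_guard=True))
    tick(downlink, 2 * HELLO_TIME)
    print(downlink.state)
```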
The Link Aggregation function using the single switch method helps you overcome 2 limitations with
Ethernet links, namely bandwidth, and redundancy.
The Link Aggregation function helps you overcome bandwidth limitations of individual ports. The Link
Aggregation function lets you combine 2 or more connections into one logical connection between
2 devices. The parallel links increase the bandwidth between the 2 devices.
You typically use the Link Aggregation function on the network backbone. The function provides you
an inexpensive way to incrementally increase bandwidth.
Furthermore, the Link Aggregation function provides for redundancy with a seamless failover. When
a link goes down, with 2 or more links set up in parallel, the other links in the group continue to
forward the data packets.
The device uses a hash option to determine load balancing across the port group. Tagging the
egress data packets lets the device transmit associated packets across the same link.
The default settings for a new Link Aggregation instance are as follows:
In the Configuration frame, the value in the Hashing option field is sourceDestMacVlan.
In the Active column, the checkbox is marked.
In the Send trap (Link up/down) column, the checkbox is marked.
In the Static link aggregation column, the checkbox is unmarked.
In the Hashing option column, the value is sourceDestMacVlan.
In the Active ports (min.) column, the value is 1.
The device operates on the Single Switch method. The Single Switch method provides you an
inexpensive way to grow the network. The single switch method states that you need one device
on each side of a link to provide the physical ports. The device balances the network load across
the group member ports.
The device also uses the Same Link Speed method in which the group member ports operate in
full-duplex, point-to-point links having the same transmission rate. The first port that you add to the
group is the master port and determines the bandwidth for the other member ports of the Link
Aggregation Group.
The device lets you set up up to 2 Link Aggregation groups. The number of useable ports per Link
Aggregation group depends on the device.
Hash Algorithm
The frame distributor is responsible for receiving frames from the end devices and transmitting
them over the Link Aggregation Group. The frame distributor implements a distribution algorithm
responsible for choosing the link used for transmitting any given packet. The hash option helps you
achieve load balancing across the group.
The following list contains options which you set for link selection.
Source MAC address, VLAN ID, EtherType, and receiving port
Destination MAC address, VLAN ID, EtherType, and receiving port
Connect multiple workstations using one aggregated link group between Switch 1 and 2. By
aggregating multiple links, higher speeds are achievable without a hardware upgrade.
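[Figure: Link Aggregation example. Switch 1: Port 5 to Server 2, Port 6 to Hub 4, Port 7 to Hub 5, Port 8 to Hub 6. Switch 2: Port 5 to Server 1, Port 6 to Hub 1, Port 7 to Hub 2, Port 8 to Hub 3. Port 1 and Port 2 are labelled between Switch 1 and Switch 2.]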
Set up Switch 1 and 2 in the Graphical User Interface. To do this, perform the following steps:
Link Backup provides a redundant link for the data packets on Layer 2 devices. When the device
detects an error on the primary link, the device transfers the data packets to the backup link. You
typically use Link Backup in service-provider or enterprise networks.
You set up the backup links in pairs, one as a primary and one as a backup. When providing
redundancy for enterprise networks for example, the device lets you set up more than one pair. The
maximum number of link backup pairs is: total number of physical ports / 2. Furthermore, when the
state of a port participating in a link backup pair changes, the device sends an SNMP trap.
The default setting for this function is inactive without any link backup pairs.
Note: Verify that the Spanning Tree Protocol (STP) is disabled on the Link Backup ports.
Link Backup also lets you set up a Fail Back option. When you activate the Fail back function and
the primary link returns to normal operation, the device first blocks the data packets on the backup
port and then forwards the data packets to the primary port. This process helps protect the device
from causing loops in the network.
When the primary port returns to the link up and active state, the device supports 2 modes of
operation:
When you inactivate Fail back, the primary port remains in the blocking state until the backup
link fails.
When you activate Fail back, and after the Fail back delay [s] timer expires, the primary port returns
to the forwarding state and the backup port changes to down.
In the cases listed above, the port forcing its link to forward the data packets, first sends a Topology
Change packet to the remote device. The Topology Change packet helps the remote device quickly
relearn the MAC addresses.
In the example network below, you connect ports 2/3 and 2/4 on Switch A to the uplink Switches B
and C. When you set up the ports as a Link Backup pair, one of the ports forwards the data packets
and the other port is in the blocking state.
The primary, port 2/3 on Switch A, is the active port and is forwarding the data packets to port 1 on
Switch B. Port 2/4 on Switch A is the backup port and blocks the data packets.
When Switch A disables port 2/3 because of a detected error, port 2/4 on Switch A starts
forwarding data packets to port 2 on Switch C.
Port 2/3 then returns to the active state, “no shutdown”, with Fail back activated and Fail back delay
[s] set to 30 seconds. After the timer expires, port 2/4 first blocks the data packets and then
port 2/3 starts forwarding data packets.
Figure 44: Link Backup example network (Switch A; Switch B, Port 1; Switch C, Port 2)
The FuseNet protocols let you couple rings that are operating with one of the following redundancy
protocols:
MRP
HIPER Ring
RSTP
Note: The prerequisite for coupling a network to the main ring using the Ring/Network Coupling
function is that the connected network contains only network devices that support the Ring/Network
Coupling function.
Use the following table to select the FuseNet coupling protocol to be used in the network:
Based on a ring, the Ring/Network Coupling function couples rings or network segments redundantly.
Ring/Network Coupling connects 2 rings/network segments through 2 separate paths.
When the devices in the coupled network are Hirschmann devices, the Ring/Network Coupling
function supports coupling the following ring protocols in the primary and secondary rings:
HIPER Ring
Fast HIPER Ring
MRP
The Ring/Network Coupling function can also couple network segments of bus and mesh structures.
Two ports of one device in the first ring/network connect to one port each of two devices in the
second ring/network. See figure 52 on page 225.
In the 1-Switch coupling method, the main line forwards data and the device blocks the redundant
line.
When the main line no longer functions, the device immediately unblocks the redundant line. When
the main line is restored, the device blocks data on the redundant line. The main line forwards data
again.
The ring coupling detects and handles an error within 500 ms (typically 150 ms).
One port each from two devices in the first ring/network connects to one port each of two devices
in the second ring/network segment. See figure 54 on page 228.
The device with the redundant line connected and the device with the main line connected use
control packets to inform each other about their operating states, using the existing network or a
dedicated control line.
When the main line goes down, the redundant device (Stand-by) unblocks the redundant line.
When the main line comes up again, the device connected to the main line informs the redundant
device of this. The Stand-by device then again blocks data on the redundant line. The device
connected to the main line then again forwards data on the main line.
The ring coupling detects and handles a fault within 500 ms (typically 150 ms).
The type of coupling configuration is primarily determined by the network topology and the
desired level of availability.
Table 36: Selection criteria for the configuration types for redundant coupling
Figure 45: Example of 1-Switch coupling
1: Ring
2: Backbone
3: Partner coupling port
4: Coupling port
5: Main line
6: Redundant line
In a 1-Switch coupling (see figure 45), one device manages both coupling lines:
The partner coupling port (3) connects the main line (5).
The coupling port (4) connects the redundant line (6).
Note: The 2 ring ports (unnumbered) connect the local redundant ring (red lines in graphic) and do
not send any Ring/Network Coupling test packets.
In a 2-Switch coupling (see figure 46), the 2 devices have specific roles:
The coupling port (1) of the primary device connects the main line (see figure 47).
The partner coupling port (1) of the secondary device connects the stand-by line (4) (see
figure 48).
The secondary device (see figure 48) sends the following test packets:
The 2 ring ports (unnumbered) send Ring/Network Coupling unicast test packets A.
The coupling port (4) sends Ring/Network Coupling unicast test packets B.
This topology differs from the previous one by the additional control line. The control line helps
speed up reconfiguration.
In a 2-Switch coupling with Control Line (see figure 49), both devices are connected as follows:
The primary device and the secondary device connect the control line (5) through their control
ports (unnumbered).
The coupling port (1) of the primary device connects the main line (see figure 50).
The partner coupling port (1) of the secondary device connects the stand-by line (4) (see
figure 51).
The primary device (see figure 50) sends control packets on its control port.
The secondary device (see figure 51) sends the following packets:
The control port (unnumbered) sends control packets.
The 2 ring ports (unnumbered) send Ring/Network Coupling unicast test packets A.
The coupling port (4) sends Ring/Network Coupling unicast test packets B.
Packets
The Ring/Network Coupling function uses Test, Control, Link Change, and Topology Change packets.
Table 37: Ring/Network Coupling packets
1-Switch coupling: The local device periodically sends test packets A into the ring from both ring
ports. The local device expects to receive the test packets A back on its respective other ring port.
If the local device receives no test packets A for a specified amount of time, the local device detects
a network failure.
The local device also sends test packets B from its partner coupling port. The test packets B are
special packets that the local device receives at the coupling port although the coupling port blocks
the reception of normal packets. The local device expects to receive the test packets B back on its
coupling port. If the local device receives no test packets B for a specified amount of time, the local
device detects a coupling network failure.
2-Switch coupling: The secondary (stand-by) device periodically sends test packets A into the
ring from both ring ports. The secondary device expects to receive the test packets A back on its
respective other ring port. If the secondary device receives no test packets A for a specified amount
of time, the secondary device detects a network failure.
The secondary (stand-by) device also sends test packets B from its coupling port. The test
packets B are special packets that the secondary device sends from its coupling port although the
coupling port blocks the sending of normal packets. The primary device forwards received test
packets B to the secondary device. The secondary device expects to receive the test packets B
back on its ring port connected to the primary device. If the secondary device receives no test
packets B for a specified amount of time, the secondary device detects a coupling network failure.
In extended redundancy mode, the same packets are used, only the reaction to a detected network
failure differs.
On reconfiguration of the Ring/Network coupling, the secondary (stand-by) device flushes its
MAC address table (forwarding database) and sends Ring/Network coupling Topology Change
packets to its partner device. It also sends Ring/Network coupling Topology Change packets to the
connected rings.
The Ring/Network coupling devices also act on ring Topology Change packets from a Ring
Manager device because the Ring/Network coupling devices are members of that ring.
Packet Prioritization
The Ring/Network Coupling devices send their test packets, control packets, Link Down packets,
and Ring/Network coupling Topology Change packets with the fixed VLAN ID 1. In the default
setting, these packets are sent untagged and thus without priority (Class of Service) information.
To help minimize the reconfiguration time under high network load, you can add a VLAN tag and
thus priority information to these packets. The devices then send and forward the packets with the
IEEE 802.1Q Class of Service priority 7 (Network control).
To prioritize these packets, set up each of the following ports as T (tagged) member of VLAN 1:
In the local ring where the coupling device (or devices) are located:
The coupling port of the respective coupling device (local or secondary)
The partner coupling port of the respective coupling device (local or primary)
The ring ports of all devices in the local ring, including the Ring Manager device
In the remote ring:
The port of the device in the remote ring connected to the coupling port
The port of the device in the remote ring connected to the partner coupling port
The 2 ring ports connecting the 2 devices just mentioned to each other
Note: In a 2-Switch coupling with Control Line, the VLAN membership settings of both control ports
must match. You can keep the default settings of the control ports (VLAN 1 membership untagged).
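The port list above for packet prioritization, turned into a check you can run against an inventory before relying on Class of Service priority 7. This is an added example, not Hirschmann code; the topology schema, device names, port numbers and membership data are hypothetical and constructed.

```python
# Constructed 2-Switch coupling with Control Line. Schema and names are hypothetical.
TOPOLOGY = {
    # Ring ports of every device in the local ring, including the Ring Manager.
    "local_ring_ports": {
        "primary": ["1/1", "1/2"],
        "secondary": ["1/1", "1/2"],
        "ring-mgr": ["1/1", "1/2"],
    },
    "coupling_port": ("secondary", "1/4"),
    "partner_coupling_port": ("primary", "1/4"),
    # Ports in the remote ring that face the coupling and partner coupling ports.
    "remote_coupled_ports": [("remote-a", "1/4"), ("remote-b", "1/4")],
    # The 2 ring ports connecting those 2 remote devices to each other.
    "remote_link_ports": [("remote-a", "1/2"), ("remote-b", "1/1")],
    # Only present in a coupling with Control Line.
    "control_ports": [("primary", "1/5"), ("secondary", "1/5")],
}

# VLAN 1 membership per port: "T" tagged, "U" untagged, "-" not a member.
# Constructed data with three deliberate mistakes.
MEMBERSHIP = {
    ("primary", "1/1"): "T", ("primary", "1/2"): "T", ("primary", "1/4"): "T",
    ("secondary", "1/1"): "T", ("secondary", "1/2"): "T", ("secondary", "1/4"): "T",
    ("ring-mgr", "1/1"): "T", ("ring-mgr", "1/2"): "U",      # mistake: untagged
    ("remote-a", "1/4"): "T", ("remote-a", "1/2"): "T",
    ("remote-b", "1/4"): "T",                                 # mistake: 1/1 missing
    ("primary", "1/5"): "U", ("secondary", "1/5"): "T",      # mistake: mismatch
}


def required_tagged(topology):
    """Return every (device, port) that has to be a T member of VLAN 1."""
    ports = set()
    for device, ring_ports in topology["local_ring_ports"].items():
        ports.update((device, port) for port in ring_ports)
    ports.add(topology["coupling_port"])
    ports.add(topology["partner_coupling_port"])
    ports.update(topology["remote_coupled_ports"])
    ports.update(topology["remote_link_ports"])
    return ports


def lint(topology, membership):
    """Return a list of findings; an empty list means the port list is satisfied."""
    findings = []
    for device, port in sorted(required_tagged(topology)):
        state = membership.get((device, port), "-")
        if state != "T":
            findings.append(f"{device} {port}: VLAN 1 membership {state}, expected T")
    # Control ports only have to match each other; untagged on both is acceptable.
    control = topology.get("control_ports", [])
    if len(control) == 2:
        first, second = (membership.get(port, "-") for port in control)
        if first != second:
            findings.append(
                f"control ports: VLAN 1 membership differs ({first} vs {second})"
            )
    return findings


if __name__ == "__main__":
    for finding in lint(TOPOLOGY, MEMBERSHIP):
        print(finding)
```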
In the absence of packet prioritization, the following links must be direct, without any intervening
devices:
The 2 coupling links connecting the coupling device (or devices) in the local ring with the
2 coupled devices in the remote ring
The link in the remote ring connecting the 2 coupled devices
In a 2-Switch coupling: The link in the local ring connecting the 2 coupling devices
In a 2-Switch coupling with Control Line, Hirschmann recommends using a direct line, but this
is not strictly required.
This helps ensure that the packets are transmitted with minimal delay and high reliability. This again
helps minimize the reconfiguration time under high network load.
Note: Hirschmann recommends the above link topology even with packet prioritization.
Using the images in the dialog you define the role of the devices within the Ring/Network Coupling.
In the following screen shots and diagrams, the following conventions are used:
Blue boxes and lines indicate devices or connections of the items currently being described.
Solid lines indicate a main connection.
Dashed lines indicate a stand-by connection.
Dotted lines indicate the control line.
Open the Switching > L2-Redundancy > FuseNet > Ring/Network Coupling dialog.
In the Mode frame, Type option list, select the required radio button.
one-switch coupling
two-switch coupling, master
two-switch coupling, slave
two-switch coupling with control line, master
two-switch coupling with control line, slave
Note: Refrain from operating the Spanning Tree and the Ring/Network Coupling functions on the same
ports.
1-Switch coupling
Figure 52: Example of 1-Switch coupling
1: Ring
2: Backbone
3: Partner coupling port
4: Coupling port
5: Main line
6: Redundant line
The main line, indicated by the solid blue line, which is connected to the partner coupling port
provides coupling between the two networks in the normal mode of operation. If the main line is
inoperable, then the redundant line, indicated by the dashed blue line, which is connected to the
coupling port takes over the ring/network coupling. One switch performs the coupling switch-over.
The following settings apply to the device displayed in blue in the selected graphic.
Open the Switching > L2-Redundancy > FuseNet > Ring/Network Coupling dialog.
In the Mode frame, Type option list, select the one-switch coupling radio button.
Note: Set up the Partner coupling port and the ring ports on different ports.
In the Coupling port frame, select the port on which you want to connect the redundant line
from the Port drop-down list.
In the Partner coupling port frame, select the port on which you connect the main line from
the Port drop-down list.
To enable the function, select the On radio button in the Operation frame.
Note: The following settings are required for the coupling ports.
Open the Basic Settings > Port dialog, Configuration tab.
For the ports selected as the coupling ports, specify the settings according to the
parameters in the following table.
To minimize the ring recovery time in case of a link-up after a failure, set up the speed and duplex
mode of the ring ports as follows:
• For 100 Mbit/s TX ports, disable Automatic Negotiation and manually specify 100M FDX.
• For the other port types, keep the port-specific default settings.
If you have set up VLANs on the coupling ports, then you specify the VLAN settings on the coupling
and partner coupling ports. To do this, perform the following steps:
In the Configuration frame, Redundancy mode option list, specify the type of redundancy:
With the redundant ring/network coupling setting, either the main line or the redundant line
is active. The setting lets the devices toggle between both lines.
When you activate the extended redundancy setting, the main line and the redundant line
can become active simultaneously if required. The setting lets you add redundancy to
the remote (coupled) network. When the connection between the coupling devices in
the second network becomes inoperable the coupling devices continue to transmit and
receive data.
Note: During the reconfiguration period, packet duplications can occur. Therefore, select this
setting only if your devices detect packet duplications.
The Coupling mode describes the type of the backbone network to which you connect the ring
network. See figure 52 on page 225.
In the Configuration frame, Coupling mode option list, specify the type of the second network:
If you connect to a ring network, then select the ring coupling radio button.
If you connect to a bus or mesh structure, then select the network coupling radio button.
You can reset the coupling settings to the default state. To do this, perform the following steps:
2-Switch coupling
The coupling between 2 networks is performed by the main line, indicated by the solid blue line. If
the main line or one of the connected devices becomes inoperable, then the redundant line,
indicated by the dashed black line, takes over the network coupling. The coupling is performed by
2 devices.
The devices send control packets to each other over the network.
The primary device connected to the main line, and the stand-by device connected to the redundant
line are partners with regard to the coupling.
Connect the 2 partners using the ring ports.
The following settings apply to the device displayed in blue in the selected graphic.
Open the Switching > L2-Redundancy > FuseNet > Ring/Network Coupling dialog.
In the Mode frame, Type option list, select the two-switch coupling, master radio
button.
In the Coupling port frame, select the port on which you connect the network segments from
the Port drop-down list.
Set up the Coupling port and the ring ports on different ports.
To enable the function, select the On radio button in the Operation frame.
To minimize the ring recovery time in case of a link-up after a failure, set up the speed and duplex
mode of the ring ports as follows:
• For 100 Mbit/s TX ports, disable Automatic Negotiation and manually specify 100M FDX.
• For the other port types, keep the port-specific default settings.
If you have set up VLANs on the coupling ports, then you specify the VLAN settings on the coupling
and partner coupling ports. To do this, perform the following steps:
The following settings apply to the device displayed in blue in the selected graphic.
Open the Switching > L2-Redundancy > FuseNet > Ring/Network Coupling dialog.
In the Mode frame, Type option list, select the two-switch coupling, slave radio button.
In the Coupling port frame, select the port on which you connect the network segments from
the Port drop-down list.
Set up the Coupling port and the ring ports on different ports.
To enable the function, select the On radio button in the Operation frame.
To help prevent continuous loops while the connections are in operation on the ring coupling
ports, perform one of the following actions. The device sets the port state of the coupling port
to “off”:
• disable the operation
• change the configuration
To minimize the ring recovery time in case of a link-up after a failure, set up the speed and duplex
mode of the ring ports as follows:
• For 100 Mbit/s TX ports, disable Automatic Negotiation and manually specify 100M FDX.
• For the other port types, keep the port-specific default settings.
If you have set up VLANs on the coupling ports, then you specify the VLAN settings on the coupling
and partner coupling ports. To do this, perform the following steps:
Specify the Redundancy mode and Coupling mode settings. To do this, perform the following steps:
Open the Switching > L2-Redundancy > FuseNet > Ring/Network Coupling dialog.
In the Configuration frame, Redundancy mode option list, select one of the following radio
buttons:
redundant ring/network coupling
With this setting, either the main line or the redundant line is active. The setting lets the
devices toggle between both lines.
extended redundancy
With this setting, the main line and the redundant line are active simultaneously. The
setting lets you add redundancy to the second network. When the connection between
the coupling devices in the second network becomes inoperable, the coupling devices
continue to transmit and receive data.
During the reconfiguration period, packet duplications can occur. Therefore, select this
setting only if your devices detect packet duplications.
In the Configuration frame, Coupling mode option list, select one of the following radio
buttons:
If you connect to a ring network, then select the ring coupling radio button.
If you connect to a bus or mesh structure, then select the network coupling radio button.
The Coupling mode describes the type of the backbone network to which you connect the
ring network. See figure 54 on page 228.
Reset the coupling settings to the default state. To do this, perform the following steps:
The coupling between 2 networks is performed by the main line, indicated by the solid blue line. If
the main line or one of the adjacent devices becomes inoperable, then the redundant line, indicated
by the dashed blue line, takes over coupling the 2 networks. The ring coupling is performed by
2 devices.
The devices send control packets over a control line indicated by the dotted blue line. See figure 58
on page 233.
The primary device connected to the main line, and the stand-by device connected to the redundant
line are partners with regard to the coupling.
Connect the 2 partners using the ring ports.
The following settings apply to the device displayed in blue in the selected graphic.
Open the Switching > L2-Redundancy > FuseNet > Ring/Network Coupling dialog.
In the Mode frame, Type option list, select the two-switch coupling with control line,
master radio button.
In the Coupling port frame, select the port on which you connect the network segments from
the Port drop-down list.
Set up the Coupling port and the ring ports on different ports.
In the Control port frame, select the port on which you connect the control line from the Port
drop-down list.
Set up the Coupling port and the ring ports on different ports.
To enable the function, select the On radio button in the Operation frame.
To help prevent continuous loops while the connections are in operation on the ring coupling
ports, perform one of the following actions. The device sets the port state of the coupling port
to “off”:
• disable the operation
• change the configuration
To minimize the ring recovery time in case of a link-up after a failure, set up the speed and duplex
mode of the ring ports as follows:
• For 100 Mbit/s TX ports, disable Automatic Negotiation and manually specify 100M FDX.
• For the other port types, keep the port-specific default settings.
If you have set up VLANs on the coupling ports, then you specify the VLAN settings on the coupling
and partner coupling ports. To do this, perform the following steps:
The following settings apply to the device displayed in blue in the selected graphic.
Open the Switching > L2-Redundancy > FuseNet > Ring/Network Coupling dialog.
In the Mode frame, Type option list, select the two-switch coupling with control line,
slave radio button.
In the Coupling port frame, select the port on which you connect the network segments from
the Port drop-down list.
Set up the Coupling port and the ring ports on different ports.
In the Control port frame, select the port on which you connect the control line from the Port
drop-down list.
Set up the Coupling port and the ring ports on different ports.
To enable the function, select the On radio button in the Operation frame.
To help prevent continuous loops while the connections are in operation on the ring coupling
ports, perform one of the following actions. The device sets the port state of the coupling port
to “off”:
• disable the operation
• change the configuration
Specify the Redundancy mode and Coupling mode settings. To do this, perform the following steps:
Open the Switching > L2-Redundancy > FuseNet > Ring/Network Coupling dialog.
In the Configuration frame, Redundancy mode option list, select one of the following radio
buttons:
redundant ring/network coupling
With this setting, either the main line or the redundant line is active. The setting lets the
devices toggle between both lines.
extended redundancy
With this setting, the main line and the redundant line are active simultaneously. The
setting lets you add redundancy to the second network. When the connection between
the coupling devices in the second network becomes inoperable, the coupling devices
continue to transmit and receive data.
During the reconfiguration period, packet duplications can occur. Therefore, select this
setting only if your devices detect packet duplications.
In the Configuration frame, Coupling mode option list, select one of the following radio
buttons:
If you connect to a ring network, then select the ring coupling radio button.
If you connect to a bus or mesh structure, then select the network coupling radio button.
The Coupling mode describes the type of the backbone network to which you connect the
ring network. See figure 57 on page 232.
Reset the coupling settings to the default state. To do this, perform the following steps:
14 Operation diagnosis
The device immediately reports unusual events which occur during normal operation to the network
management station. This is done by messages called SNMP traps that bypass the polling
procedure (“polling” means querying the data stations at regular intervals). SNMP traps allow you
to react quickly to unusual events.
The device sends SNMP traps to various hosts to increase the transmission reliability for the
messages. The unacknowledged SNMP trap message consists of a packet containing information
about an unusual event.
The device sends SNMP traps to those hosts specified in the trap destination table. The device lets
you set up the trap destination table with the network management station using SNMP.
The following table displays possible SNMP traps sent by the device.
Table 38: Possible SNMP traps
After you save a configuration in the memory, the device sends a hm2ConfigurationSavedTrap.
This SNMP trap contains both the state variables of non-volatile memory (NVM) and external
memory (ENVM) indicating if the running configuration is in sync with the non-volatile memory, and
with the external memory. You can also trigger this SNMP trap by copying a configuration file to the
device, replacing the active saved configuration.
Furthermore, the device sends a hm2ConfigurationChangedTrap, whenever you change the local
configuration, indicating a mismatch between the running and saved configuration.
The device lets you send an SNMP trap as a reaction to specific events. Set up at least one trap
destination that receives SNMP traps.
Open the Diagnostics > Status Configuration > Alarms (Traps) dialog.
For example, in the following dialogs you specify when the device triggers an SNMP trap:
Basic Settings > Port dialog
Basic Settings > Power over Ethernet > Global dialog
Network Security > Port Security dialog
Switching > L2-Redundancy > Link Aggregation dialog
Diagnostics > Status Configuration > Device Status dialog
Diagnostics > Status Configuration > Security Status dialog
Diagnostics > Status Configuration > Signal Contact dialog
Diagnostics > Status Configuration > MAC Notification dialog
Diagnostics > System > IP Address Conflict Detection dialog
Diagnostics > System > Selftest dialog
Diagnostics > Ports > Port Monitor dialog
Advanced > Digital IO Module dialog
The device lets you use the Internet Control Message Protocol (ICMP) for diagnostic applications,
for example ping and trace route. The device also uses ICMP for time-to-live and discarding
messages in which the device forwards an ICMP message back to the packet source device.
Use the ping network tool to test the path to a particular host across an IP network. The traceroute
diagnostic tool displays paths and transit delays of packets across a network.
The device status provides an overview of the overall condition of the device. Many process
visualization systems record the device status for a device to present its condition in graphic form.
The device displays its current status as error or ok in the Device status frame. The device
determines this status from the individual monitoring results.
The Global tab of the Diagnostics > Status Configuration > Device Status dialog lets you set up the
device to send a trap to the management station for the following events:
Incorrect supply voltage
– at least one of the 2 supply voltages is not operating
– the internal supply voltage is not operating
When you operate the device outside of the user-specified temperature threshold values
Loss of the redundancy (when the device operates in the Ring Manager mode)
The interruption of link connection(s)
Set up at least one port for this feature. In the table of the Port tab, Propagate connection error
column, you specify for which ports the device will propagate a link interruption to the device
status. In the default setting, link connection monitoring is inactive.
The removal of the external memory
The configuration profile in the external memory is out-of-sync with the settings in the device.
Select the corresponding entries to decide which events the device status includes.
Note: With a non-redundant voltage supply, the device reports the absence of a supply voltage. To
disable this message, feed the supply voltage over both inputs or ignore the monitoring.
Name | Meaning
Connection errors | Activate this function to monitor every port link event in which the Propagate connection error checkbox is marked.
Temperature | Activate this function to monitor if the temperature exceeds the specified upper threshold value or falls below the specified lower threshold value.
External memory removal | Activate this function to monitor the presence of an external storage device.
External memory not in sync | The device monitors synchronization between the device settings and the configuration profile stored in the external memory (ENVM).
Ring redundancy | When ring redundancy is present, activate this function to monitor.
Humidity | Activate this function to monitor when the humidity exceeds or falls below the specified threshold values.
Power supply | Activate this function to monitor the power supply.
Open the Diagnostics > Status Configuration > Device Status dialog, Global tab.
For the parameters to be monitored, mark the checkbox in the Monitor column.
To send an SNMP trap to the management station, activate the Send trap function in the
Traps frame.
In the Diagnostics > Status Configuration > Alarms (Traps) dialog, add at least one trap
destination that receives SNMP traps.
To enable the device to monitor an active link without a connection, first enable the global function,
then enable the individual ports.
Open the Diagnostics > Status Configuration > Device Status dialog, Global tab.
For the Connection errors parameter, mark the checkbox in the Monitor column.
Open the Diagnostics > Status Configuration > Device Status dialog, Port tab.
For the Propagate connection error parameter, mark the checkbox in the column of the ports
to be monitored.
Note: The above commands activate monitoring and trapping for the supported components.
When you want to activate or deactivate monitoring for individual components, you will find the
corresponding syntax in the “Command Line Interface” reference manual or in the help of the
Command Line Interface console. To display the help in Command Line Interface, insert a question
mark ? and press the <Enter> key.
The Security Status provides an overview of the overall security of the device. Many processes aid
in system visualization by recording the security status of the device and then presenting its
condition in graphic form. The device displays the overall security status in the Basic Settings >
System dialog, Security status frame.
In the Global tab of the Diagnostics > Status Configuration > Security Status dialog the device displays
its current status as error or ok in the Security status frame. The device determines this status from
the individual monitoring results.
Name | Meaning
Password default settings unchanged | After installation change the passwords to increase security. When active and the default passwords remain unchanged, the device displays an alarm.
Min. password length shorter than 8 | Create passwords more than 8 characters long to maintain a high security posture. When active, the device monitors the Min. password length setting.
Password policy settings deactivated | The device monitors the settings located in the Device Security > User Management dialog for password policy requirements.
User account password policy check deactivated | The device monitors the settings of the Policy check checkbox. When Policy check is inactive, the device sends an SNMP trap.
Telnet server active | Activate this function to monitor when the Telnet function is active.
HTTP server active | Activate this function to monitor when the HTTP function is active.
SNMP unencrypted | Activate this function to monitor when the SNMPv1 or SNMPv2 function is active.
Access to system monitor with serial interface possible | The device monitors the System Monitor status.
Saving the configuration profile on the external memory possible | The device monitors the possibility to save settings to the external non-volatile memory.
Link interrupted on enabled device ports | The device monitors the link status of active ports.
Access with HiDiscovery possible | Activate this function to monitor when the HiDiscovery function has write access to the device.
Load unencrypted config from external memory | The device monitors the security settings for loading the configuration from the external NVM.
IEC61850-MMS active | The device monitors the IEC 61850-MMS protocol activation setting.
Self-signed HTTPS certificate present | The device monitors the HTTPS server for self-generated digital certificates.
Modbus TCP active | The device monitors the Modbus TCP/IP protocol activation setting.
Open the Diagnostics > Status Configuration > Security Status dialog, Global tab.
For the parameters to be monitored, mark the checkbox in the Monitor column.
To send an SNMP trap to the management station, activate the Send trap function in the
Traps frame.
security-status monitor http-enabled
    To monitor the HTTP server. When you enable the HTTP server, the value in the Security status frame changes to error.
security-status monitor snmp-unsecure
    To monitor the SNMP server. When at least one of the following conditions applies, the value in the Security status frame changes to error:
    • The SNMPv1 function is enabled.
    • The SNMPv2 function is enabled.
    • The encryption for SNMPv3 is disabled. You enable the encryption in the Device Security > User Management dialog, in the SNMP encryption type field.
security-status monitor sysmon-enabled
    To monitor the activation of the System Monitor 1 function in the device.
security-status monitor extnvm-upd-enabled
    To monitor the activation of the external non-volatile memory update.
security-status monitor iec61850-mms-enabled
    To monitor the IEC61850-MMS function. When you enable the IEC61850-MMS function, the value in the Security status frame changes to error.
security-status trap
    To send an SNMP trap when the device status changes.
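The error conditions given above for the Security status frame, modeled offline so that a fleet inventory can be reviewed in one pass. This is an added example, not Hirschmann code: the names http-enabled, snmp-unsecure and iec61850-mms-enabled come from the command list, while the other check names, the Settings fields and the inventory are hypothetical and constructed. It assumes that only parameters marked in the Monitor column contribute to the status, and it lists conditions that are present but unmonitored separately.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Settings:
    """Snapshot of one switch. All field names are hypothetical."""
    http_server: bool
    telnet_server: bool
    snmp_v1: bool
    snmp_v2: bool
    snmpv3_encryption: bool
    iec61850_mms: bool
    default_passwords_unchanged: bool
    min_password_length: int


# Check name -> predicate that is True when the condition is present on the device.
CHECKS = {
    "http-enabled": lambda s: s.http_server,
    # Any one of the three conditions from the command description is enough.
    "snmp-unsecure": lambda s: s.snmp_v1 or s.snmp_v2 or not s.snmpv3_encryption,
    "iec61850-mms-enabled": lambda s: s.iec61850_mms,
    # The next three names are hypothetical labels for rows of the Name/Meaning table.
    "telnet-active": lambda s: s.telnet_server,
    "default-passwords": lambda s: s.default_passwords_unchanged,
    "min-password-length": lambda s: s.min_password_length < 8,
}


def evaluate(settings, monitored):
    """Return the modeled status plus monitored alarms and unmonitored blind spots."""
    unknown = sorted(set(monitored) - set(CHECKS))
    if unknown:
        raise ValueError(f"unknown monitor name(s): {', '.join(unknown)}")
    present = [name for name, hit in CHECKS.items() if hit(settings)]
    alarms = [name for name in present if name in monitored]
    blind_spots = [name for name in present if name not in monitored]
    return {
        "status": "error" if alarms else "ok",
        "alarms": alarms,
        "blind_spots": blind_spots,
    }


# Constructed inventory: (settings, set of monitors marked in the Monitor column).
INVENTORY = {
    "sw-ring-a": (
        Settings(http_server=False, telnet_server=False, snmp_v1=False, snmp_v2=False,
                 snmpv3_encryption=True, iec61850_mms=False,
                 default_passwords_unchanged=False, min_password_length=8),
        set(CHECKS),
    ),
    "sw-ring-b": (
        Settings(http_server=True, telnet_server=False, snmp_v1=False, snmp_v2=True,
                 snmpv3_encryption=True, iec61850_mms=False,
                 default_passwords_unchanged=False, min_password_length=6),
        {"http-enabled", "snmp-unsecure"},
    ),
    # Reads "ok" although three conditions are present, because none is monitored.
    "sw-coupler": (
        Settings(http_server=False, telnet_server=True, snmp_v1=False, snmp_v2=False,
                 snmpv3_encryption=False, iec61850_mms=True,
                 default_passwords_unchanged=False, min_password_length=8),
        {"http-enabled"},
    ),
}


def audit_fleet(inventory):
    """Evaluate every device in the inventory."""
    return {name: evaluate(s, monitored) for name, (s, monitored) in inventory.items()}


if __name__ == "__main__":
    for name, result in audit_fleet(INVENTORY).items():
        print(name, result["status"], result["alarms"], result["blind_spots"])
```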
To enable the device to monitor an active link without a connection, first enable the global function,
then enable the individual ports.
Open the Diagnostics > Status Configuration > Security Status dialog, Global tab.
For the Link interrupted on enabled device ports parameter, mark the checkbox in the Monitor
column.
The device uses the signal contact to control external devices and monitor device functions.
Function monitoring lets you perform remote diagnostics.
The device reports the operating status using a break in the potential-free signal contact (relay
contact, closed circuit) for the selected mode. The device monitors the following functions:
Incorrect supply voltage
– at least one of the 2 supply voltages is not operating
– the internal supply voltage is not operating
When you operate the device outside of the user-specified temperature threshold values
When you operate the device outside of the user-specified humidity threshold values
Events for ring redundancy
Loss of the redundancy (when the device operates in the Ring Manager mode)
In the default setting, ring redundancy monitoring is inactive. The device is a normal ring
participant and detects an error in the local configuration.
The interruption of link connection(s)
Set up at least one port for this feature. In the Propagate connection error frame, you specify which
ports the device signals for a link interruption. In the default setting, link monitoring is inactive.
The removal of the external memory.
The configuration profile in the external memory does not match the settings in the device.
Select the corresponding entries to decide which events the device status includes.
Note: With a non-redundant voltage supply, the device reports the absence of a supply voltage. To
disable this message, feed the supply voltage over both inputs or ignore the monitoring.
With the Manual setting mode you control this signal contact remotely.
Application options:
Simulation of an error detected during SPS error monitoring
Remote control of a device using SNMP, such as switching on a camera
Open the Diagnostics > Status Configuration > Signal Contact dialog, Global tab.
To control the signal contact manually, in the Configuration frame, select the Manual
setting item from the Mode drop-down list.
To open the signal contact, you select the open radio button in the Configuration frame.
To close the signal contact, you select the close radio button in the Configuration frame.
signal-contact 1 mode manual
    To select the manual setting mode for signal contact 1.
signal-contact 1 state open
    To open signal contact 1.
signal-contact 1 state closed
    To close signal contact 1.
In the Configuration field, you specify which events the signal contact indicates.
Device status
Using this setting the signal contact indicates the status of the parameters monitored in the
Diagnostics > Status Configuration > Device Status dialog.
Security status
Using this setting the signal contact indicates the status of the parameters monitored in the
Diagnostics > Status Configuration > Security Status dialog.
Device/Security status
Using this setting the signal contact indicates the status of the parameters monitored in the
Diagnostics > Status Configuration > Device Status and the Diagnostics > Status Configuration >
Security Status dialog.
Open the Diagnostics > Status Configuration > Signal Contact dialog, Global tab.
To monitor the device functions using the signal contact, in the Configuration frame, specify
the value Monitoring correct operation in the Mode field.
For the parameters to be monitored, mark the checkbox in the Monitor column.
To send an SNMP trap to the management station, activate the Send trap function in the
Traps frame.
signal-contact 1 monitor humidity
    To monitor the humidity in the device. When the humidity exceeds or falls below the specified threshold values, the signal contact opens.
signal-contact 1 monitor ring-redundancy
    To monitor the ring redundancy. The signal contact opens in the following situations:
    • The redundancy function becomes active (loss of redundancy reserve).
    • The device is a normal ring participant and detects an error in its settings.
signal-contact 1 monitor link-failure
    To monitor the ports/interfaces link. When the link interrupts on a monitored port/interface, the signal contact opens.
signal-contact 1 monitor envm-removal
    To monitor the active external memory. When you remove the active external memory from the device, the signal contact opens.
signal-contact 1 monitor envm-not-in-sync
    To monitor the configuration profiles in the device and in the external memory. The signal contact opens in the following situations:
    • The configuration profile only exists in the device.
    • The configuration profile in the device differs from the configuration profile in the external memory.
signal-contact 1 monitor power-supply 1
    To monitor the power supply unit 1. When the device has a detected power supply fault, the signal contact opens.
signal-contact 1 monitor module-removal 1
    To monitor module 1. When you remove module 1 from the device, the signal contact opens.
signal-contact 1 trap
    To send an SNMP trap when the status of the operation monitoring changes.
no signal-contact 1 trap
    To disable the SNMP trap.
To enable the device to monitor an active link without a connection, first enable the global function,
then enable the individual ports.
In the Monitor column, activate the Link interrupted on enabled device ports function.
Open the Diagnostics > Status Configuration > Device Status dialog, Port tab.
signal-contact 1 monitor link-failure    To monitor the ports/interfaces link. When the link interrupts on a monitored port/interface, the signal contact opens.
interface 1/1    To change to the interface configuration mode of interface 1/1.
signal-contact 1 link-alarm    To monitor the port/interface link. When the link interrupts on the port/interface, the signal contact opens.
Name                                   Meaning
Connection errors                      Activate this function to monitor every port link event in which the Propagate connection error checkbox is marked.
Temperature                            Activate this function to monitor if the temperature exceeds the specified upper threshold value or falls below the specified lower threshold value.
External memory removed                Activate this function to monitor the presence of an external storage device.
External memory not in sync with NVM   The device monitors synchronization between the device settings and the configuration profile stored in the external memory (ENVM).
Ring redundancy                        When ring redundancy is present, activate this function to monitor.
Humidity                               Activate this function to monitor when the humidity exceeds or falls below the specified threshold values.
Power supply                           Activate this function to monitor the power supply.
The device gives you additional options for displaying the status of the signal contact:
Display in the Graphical User Interface
Query in the Command Line Interface
show signal-contact 1 all    To display the signal contact settings for the specified signal contact.
The port statistics table assists experienced network administrators in identifying potential network
interruptions.
This table displays the contents of various event counters. The packet counters add up the events
sent and the events received. In the Basic Settings > Restart dialog, you can reset the event counters.
Table 42: Examples indicating known weaknesses
To display the event counter, open the Basic Settings > Port dialog, Statistics tab.
To reset the counters, in the Basic Settings > Restart dialog, click the Clear port statistics
button.
Potential problems occur when 2 ports directly connected to each other have mismatched duplex
modes. These potential problems are difficult to detect. The automatic detection and reporting of
this situation has the benefit of recognizing mismatched duplex modes before potential problems
occur.
This situation arises from an incorrect configuration, for example, deactivation of the automatic
configuration on the remote port.
A typical effect of this non-matching is that at a low data rate, the connection seems to be
functioning, but at a higher bi-directional data stream level the local device records a lot of detected
CRC errors, and the connection falls significantly below its nominal capacity.
The device lets you detect this situation and report it to the network management station. In the
process, the device evaluates the detected error counters of the port in the context of the port
settings.
The following table lists the duplex operating modes for TX ports, with the possible fault events. The
meanings of terms used in the table are as follows:
Duplex problem detected
Mismatched duplex modes.
EMI
Electromagnetic interference.
Network extension
The network extension is too great, or too many cascading hubs.
Collisions, Late Collisions
In half-duplex mode, collisions mean normal operation.
In full-duplex mode, the port counters for collisions and Late Collisions do not increment.
CRC Error
The device evaluates these detected errors as non-matching duplex modes in the manual full-
duplex mode.
Table 43: Evaluation of non-matching of the duplex mode
No.  Automatic configuration  Current duplex mode  Detected error events (≥ 10 after link up)  Duplex modes             Possible causes
1    marked                   Half-duplex          None                                        OK
2    marked                   Half-duplex          Collisions                                  OK
3    marked                   Half-duplex          Late Collisions                             Duplex problem detected  Potential duplex problem, EMI, network extension
4    marked                   Half-duplex          CRC Error                                   OK                       EMI
5    marked                   Full-duplex          None                                        OK
6    marked                   Full-duplex          Collisions                                  OK                       EMI
7    marked                   Full-duplex          Late Collisions                             OK                       EMI
8    marked                   Full-duplex          CRC Error                                   OK                       EMI
9    unmarked                 Half-duplex          None                                        OK
10   unmarked                 Half-duplex          Collisions                                  OK
11   unmarked                 Half-duplex          Late Collisions                             Duplex problem detected  Potential duplex problem, EMI, network extension
12   unmarked                 Half-duplex          CRC Error                                   OK                       EMI
13   unmarked                 Full-duplex          None                                        OK
14   unmarked                 Full-duplex          Collisions                                  OK                       EMI
15   unmarked                 Full-duplex          Late Collisions                             OK                       EMI
16   unmarked                 Full-duplex          CRC Error                                   Duplex problem detected  Potential duplex problem, EMI
14.6 Auto-Disable
The device can disable a port on various user-selectable events, such as a detected error or
change of condition. Each of these events leads to the shutdown of the port. To recover the port,
either clear the condition that caused the port shutdown or specify a timer to automatically re-
enable the port.
If the device disables the port, then the device no longer forwards data packets to and from that
port. The port LED blinks green 3 times per period and indicates the reason for disabling. In
addition, the device generates a log file entry which lists the causes of the deactivation. When you
re-enable the port after a timeout using the Auto-Disable function, the device generates a log entry.
The Auto-Disable function provides a recovery function which automatically enables an auto-
disabled port after a user-defined time. When this function enables a port, the device sends an
SNMP trap with the port number, but without a value for the Reason parameter.
In the following example, you set up the device to disable a port due to detected violations of the
threshold values specified in the Diagnostics > Ports > Port Monitor dialog, CRC/Fragments tab, and then
automatically re-enable the port.
Open the Diagnostics > Ports > Port Monitor dialog, CRC/Fragments tab.
Verify that the threshold values specified in the table correspond to your preferences for port
1/1.
Open the Diagnostics > Ports > Port Monitor dialog, Global tab.
To enable the function, select the On radio button in the Operation frame.
To allow the device to disable the port due to detected errors, mark the checkbox in the
CRC/Fragments on column for port 1/1.
In the Action column you can choose how the device reacts to detected errors. In this
example, the device disables port 1/1 for threshold value violations and then automatically
re-enables the port.
To allow the device to disable and automatically re-enable the port, select the value
auto-disable and set up the Auto-Disable function. The value auto-disable only
works in conjunction with the Auto-Disable function.
The device can also disable a port without auto re-enabling.
To allow the device to disable the port only, select the value disable port.
To manually re-enable a disabled port, select the table row of the port and click the
button.
When you set up the Auto-Disable function, the value disable port also automatically
re-enables the port.
Open the Diagnostics > Ports > Port Monitor dialog, Auto-disable tab.
To allow the device to auto re-enable the port after it was disabled due to detected
threshold value violations, mark the checkbox in the CRC error column.
Open the Diagnostics > Ports > Port Monitor dialog, Port tab.
Specify the delay time as 120 s in the Reset timer [s] column for the ports you want to
enable.
Note: The Reset item lets you enable the port before the time specified in the Reset timer [s]
column has expired.
When the device disables a port due to threshold value violations, the device lets you use the
following commands to manually reset the disabled port.
The SFP status display lets you look at the current SFP module connections and their properties.
The properties include:
module type
serial number of media module
temperature in °C
transmission power in mW
receive power in mW
IEEE 802.1AB defines the Link Layer Discovery Protocol (LLDP). LLDP lets you automatically
detect the LAN network topology.
As the main element, the connection information contains an exact, unique identifier for the
connection end point: MAC (Service Access Point). This is made up of a device identifier which is
unique on the entire network and a unique port identifier for this device.
Chassis identifier (its MAC address)
Port identifier (its port-MAC address)
Description of port
System name
System description
Supported system capabilities
System capabilities currently active
Interface ID of the management address
VLAN-ID of the port
Auto-negotiation status on the port
Medium, half/full-duplex setting and port speed setting
Information about the VLANs installed in the device (VLAN-ID and VLAN name, irrespective of
whether the port is a VLAN participant).
A network management station can call up this information from devices with activated LLDP. This
information lets the network management station map the topology of the network.
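The fields listed above travel as type-length-value (TLV) entries in each LLDPDU, so anything that receives the frame can read them. The following added example (not code from this manual or from the device firmware) decodes an LLDPDU into those fields, which is a practical way to review what a port advertises before enabling LLDP on it. The sample frame, its MAC addresses, system name and VLAN name are constructed values.

```python
import struct

# TLV type codes defined by IEEE 802.1AB
END, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAPS, ORG_SPECIFIC = 4, 5, 6, 7, 127
OUI_IEEE_8021 = bytes.fromhex("0080c2")   # carries port VLAN ID and VLAN names
CAPABILITY_BITS = ["other", "repeater", "bridge", "wlan-ap",
                   "router", "telephone", "docsis", "station-only"]


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length, followed by the value."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value longer than 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(lldpdu):
    """Yield (type, value) pairs up to the End TLV; reject truncated TLVs."""
    offset = 0
    while offset + 2 <= len(lldpdu):
        (header,) = struct.unpack_from("!H", lldpdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        value = lldpdu[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past the end of the LLDPDU")
        if tlv_type == END:
            return
        yield tlv_type, value
        offset += 2 + length


def mac(raw):
    return ":".join(f"{byte:02x}" for byte in raw)


def capabilities(mask):
    return [name for bit, name in enumerate(CAPABILITY_BITS) if mask & (1 << bit)]


def parse_lldpdu(lldpdu):
    """Return the information a neighbor learns from one LLDPDU."""
    tlvs = list(iter_tlvs(lldpdu))
    # The three mandatory TLVs must come first and in this order.
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("LLDPDU must start with Chassis ID, Port ID and TTL")
    info = {"vlan_names": {}}
    for tlv_type, value in tlvs:
        if tlv_type == CHASSIS_ID:
            # Subtype 4 = MAC address, the form described in the list above
            info["chassis_id"] = mac(value[1:]) if value[:1] == b"\x04" else value[1:].hex()
        elif tlv_type == PORT_ID:
            # Subtype 3 = MAC address
            info["port_id"] = mac(value[1:]) if value[:1] == b"\x03" else value[1:].hex()
        elif tlv_type == TTL:
            info["ttl"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type == PORT_DESC:
            info["port_description"] = value.decode("utf-8", "replace")
        elif tlv_type == SYS_NAME:
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == SYS_DESC:
            info["system_description"] = value.decode("utf-8", "replace")
        elif tlv_type == SYS_CAPS:
            supported, enabled = struct.unpack("!HH", value[:4])
            info["caps_supported"] = capabilities(supported)
            info["caps_enabled"] = capabilities(enabled)
        elif tlv_type == ORG_SPECIFIC and len(value) >= 4 and value[:3] == OUI_IEEE_8021:
            subtype, body = value[3], value[4:]
            if subtype == 1:      # Port VLAN ID
                info["port_vlan"] = struct.unpack("!H", body[:2])[0]
            elif subtype == 3:    # VLAN name: VLAN ID, name length, name
                vlan_id, name_len = struct.unpack("!HB", body[:3])
                info["vlan_names"][vlan_id] = body[3:3 + name_len].decode("utf-8", "replace")
    return info


# Constructed sample LLDPDU (all values invented for this example)
SAMPLE_LLDPDU = b"".join([
    tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("020000000001")),
    tlv(PORT_ID, b"\x03" + bytes.fromhex("020000000002")),
    tlv(TTL, struct.pack("!H", 120)),
    tlv(PORT_DESC, b"Module: 1 Port: 1"),
    tlv(SYS_NAME, b"ring-switch-01"),
    tlv(SYS_CAPS, struct.pack("!HH", 0b10100, 0b00100)),
    tlv(ORG_SPECIFIC, OUI_IEEE_8021 + b"\x01" + struct.pack("!H", 2)),
    tlv(ORG_SPECIFIC, OUI_IEEE_8021 + b"\x03" + struct.pack("!HB", 2, 5) + b"plant"),
    tlv(END, b""),
])

if __name__ == "__main__":
    for key, value in parse_lldpdu(SAMPLE_LLDPDU).items():
        print(f"{key}: {value}")
```
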
Non-LLDP-capable devices normally block the special Multicast LLDP IEEE MAC address used for
information exchange. Non-LLDP-capable devices therefore discard LLDP packets. If you position
a non-LLDP-capable device between 2 LLDP-capable devices, then the non-LLDP-capable device
prohibits information exchanges between the 2 LLDP-capable devices.
The Management Information Base (MIB) for a device with LLDP capability holds the LLDP
information in the lldp MIB and in the private HM2-LLDP-EXT-HM-MIB and HM2-LLDP-MIB.
Display the topology of the network. To do this, perform the following step:
Open the Diagnostics > LLDP > Topology Discovery dialog, LLDP tab.
When you use a port to connect several devices, for example through a hub, the table contains a
line for each connected device.
If you connect the port to devices with the topology discovery function active, then the devices
exchange LLDP Data Units (LLDPDU) and the topology table displays these neighboring devices.
When a port connects only devices without an active topology discovery, the table contains a line
for this port to represent the connected devices. This line contains the number of connected
devices.
The MAC address table (forwarding database) contains MAC addresses of devices that the
topology table hides for the sake of clarity.
14.8.2 LLDP-Med
LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between
endpoint devices. Endpoints include devices such as IP phones, or other Voice over IP (VoIP)
devices or servers and network devices such as switches. It specifically provides support for VoIP
applications. LLDP-MED provides this support using an additional set of common type-length-value
(TLV) advertisement messages, for capabilities discovery, network policy, Power over Ethernet,
inventory management and location information.
Loops in the network cause connection interruptions or data loss. This also applies to temporary
loops. The automatic detection and reporting of this situation lets you detect it faster and diagnose
it more easily.
The device lets you detect the effects typically caused by loops and report this situation
automatically to the network management station. You have the option here to specify the
magnitude of the loop effects that trigger the device to send a report.
A typical effect of a loop is that BPDU frames sent from the designated port are received, within a
short time, on either a different port of the same device or the same port.
To check if the device has detected a loop, perform the following steps:
Open the Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab.
Check the value in the Port state and Port role fields. If the Port state field displays the value
discarding and the Port role field displays the value backup, then the port is in a loop
status.
or
Open the Switching > L2-Redundancy > Spanning Tree > Port dialog, Guards tab.
Check the value in the Loop state column. If the field displays the value true, then the port
is in a loop status.
14.10 Reports
In service situations, these reports provide the technician with the necessary information.
Using this dialog you enable or disable where the device sends reports, for example, to a Console,
a syslog server, or a connection to the Command Line Interface. You also set at which severity level
the device writes events into the reports.
The device buffers logged events in 2 separate storage areas so that the device keeps log entries
for urgent events. Specify the minimum severity for events that the device logs to the buffered
storage area with a higher priority.
To send events to the buffer, specify the desired level in the Buffered logging frame, Severity
field.
When you activate the logging of SNMP requests, the device logs the requests as events in the
syslog. The Log SNMP get request function logs user requests for device configuration information.
The Log SNMP set request function logs device setup events. Specify the minimum level for events
that the device logs in the syslog.
Enable the Log SNMP get request function for the device to send SNMP Read requests as
events to the syslog server.
To enable the function, select the On radio button in the SNMP logging frame.
Enable the Log SNMP set request function for the device to send SNMP Write requests as
events to the syslog server.
To enable the function, select the On radio button in the SNMP logging frame.
Choose the desired severity level for the get and set requests.
When active, the device logs configuration changes made using the Command Line Interface, to
the audit trail. This feature is based on IEEE 1686 for Substation Intelligent Electronic Devices.
The device lets you save the following system information data in one ZIP file on your PC:
audittrail.html
config.xml
defaultconfig.xml
script
runningconfig.xml
supportinfo.html
systeminfo.html
systemlog.html
14.10.2 Syslog
The device lets you send messages about device internal events to one or more syslog servers (up
to 8). Additionally, you can include SNMP requests to the device as events in the syslog.
Note: To display the logged events, open the Diagnostics > Report > Audit Trail dialog or the
Diagnostics > Report > System Log dialog.
In the SNMP logging frame, set up the following settings for SNMP read and write requests:
The device lets you call up a log file of the system events. The table in the Diagnostics > Report >
System Log dialog lists the logged events.
To save the content of the log as an HTML file, click the button.
Note: You have the option to also send the logged events to one or more syslog servers.
The Diagnostics > Report > Audit Trail dialog contains system information and changes to the device
settings performed through the Command Line Interface and SNMP. In the case of a change in the
device settings, the dialog displays Who changed What and When.
The Diagnostics > Syslog dialog lets you specify up to 8 syslog servers to which the device sends
Audit Trails.
Command logging audit-trail <string> using the Command Line Interface, which logs the comment
Automatic changes to the System Time
watchdog events
locking a user after several unsuccessful login attempts
User login, either locally or remote, using the Command Line Interface
Manual, user-initiated, logout
Timed logout after a user-defined period of inactivity in the Command Line Interface
file transfer operation including a Firmware Update
Configuration changes using HiDiscovery
Automatic configuration or firmware updates using the external memory
Blocked access to the device management due to invalid login
rebooting
opening and closing SNMP over HTTPS tunnels
Detected power failures
Tcpdump is a packet-sniffing UNIX utility used by network administrators to sniff and analyze the
data stream on a network. A couple of reasons for sniffing data streams on a network are to verify
connectivity between hosts or to analyze the data stream traversing the network.
TCPDump in the device provides the possibility to decode or capture packets received and
transmitted by the Management CPU. This function is available using the debug command. For
further information on the TCPDump function, see the “Command Line Interface” reference
manual.
The device lets you forward data packets that pass through the device to a destination port. There
you can monitor and evaluate the data packets.
The Port Mirroring function lets you copy data packets from physical source ports to a physical
destination port.
You monitor the data packets on the source ports in the sending and receiving directions with a
management tool connected on the destination port, for example an RMON probe. The function has
no effect on the data stream running on the source ports.
[Figure: port mirroring example with the labels Switch, PLC, Backbone and RMON-Probe]
On the destination port, the device only forwards the data packets copied from the source ports.
Before you switch on the Port Mirroring function, mark the checkbox Allow management to access the
device management through the destination port. The device lets users access the device
management through the destination port without interrupting the active Port Mirroring session.
Note: The device duplicates multicasts, broadcasts and unknown unicasts on the destination port.
The VLAN settings on the destination port remain unchanged. Prerequisite for access to the device
management on the destination port is that the destination port is a member of the device
management VLAN.
To deactivate the Port Mirroring function and restore the default settings, click the button.
14.13 Self-test
The device checks its assets during the system startup and occasionally thereafter. The device
checks system task availability or termination and the available amount of memory. Furthermore,
the device checks for application functionality and any hardware degradation in the chip set.
If the device detects a loss in integrity, then the device responds to the degradation with a user-
defined action. The following categories are available for configuration.
task
Action to be taken in case a task is unsuccessful.
resource
Action to be taken due to the lack of resources.
software
Action taken for loss of software integrity; for example, code segment checksum or access
violations.
hardware
Action taken due to hardware degradation
Set up each category to produce an action in case the device detects a loss in integrity. The
following actions are available for configuration.
log only
This action writes a message to the logging file.
send trap
Sends an SNMP trap to the trap destination.
reboot
If activated, then a detected error in the category will cause the device to reboot.
Disabling these functions lets you decrease the time required to restart the device after a cold start.
You find these options in the Diagnostics > System > Selftest dialog, Configuration frame.
RAM test checkbox
Activates/deactivates RAM selftest during a cold start.
The following settings block your access to the device permanently in case the device does not
detect any readable configuration profile at system startup.
The SysMon1 is available checkbox is unmarked.
The Load default config on error checkbox is unmarked.
This is the case, for example, when the password of the configuration profile that you are loading
differs from the password set in the device. To have the device unlocked again, contact your sales
partner.
Selftest settings
-----------------
Test RAM on cold start......................enabled
System Monitor 1............................enabled
Boot default configuration on error.........enabled
Use this function to check a copper cable attached to a port for a short or open circuit. While in
progress, the test interrupts the data stream on this port.
The table displays the state and lengths of each individual pair. The device returns a result with the
following meaning:
normal - indicates that the cable is operating properly
open - indicates an interruption in the cable
short circuit - indicates a short circuit in the cable
untested - indicates an untested cable
Unknown - cable unplugged
The Dynamic Host Configuration Protocol (DHCP) lets a server assign the IP settings to the devices
on the network (clients). This reduces the effort required for manual setup. The DHCP server stores
and assigns the available IP addresses and further settings, if specified.
The DHCP server in the device listens for requests on UDP port 67 and responds to the client
devices on UDP port 68. When the device receives a DHCP request, it validates the IP address to
be assigned before leasing the IP address and other IP settings to the requesting client device.
The device lets you activate the DHCP Server function globally or on single physical ports.
When operating as a DHCP server, the device assigns the IP settings to the client devices based
on the following parameters:
• MAC address of the client device
• Physical port to which the client device is connected
• VLAN of which the client device is a member
15.1.2 Pools
In the following example, you set up the device to assign IP settings from a certain static pool to a
certain client device connected to a certain port.
Open the Advanced > DHCP > DHCP Server > Pool dialog.
In the following example, you set up the device to assign an IP address from a certain address
range to client devices connected to a certain port.
Open the Advanced > DHCP > DHCP Server > Pool dialog.
A network administrator uses the DHCP Layer 2 Relay Agent to add DHCP client information. This
information is required by Layer 3 Relay Agents and DHCP servers to assign an address and
configuration to a client.
When a DHCP client and server are in the same IP subnet, they exchange IP address requests and
replies directly. However, having a DHCP server on each subnet is expensive and often impractical.
An alternative to having a DHCP server in every subnet is to use the network devices to relay
packets between a DHCP client and a DHCP server located in a different subnet.
A Layer 3 Relay Agent is generally a router that has IP interfaces in both the client and server
subnets and routes the data packets between them. However, in Layer 2 switched networks, there
are one or more network devices, switches for example, between the client and the Layer 3 Relay
Agent or DHCP server. In this case, this device provides a Layer 2 Relay Agent to add the
information that the Layer 3 Relay Agent and DHCP server require to perform their roles in address
and configuration assignment.
For the DHCPv6 protocol, a Relay Agent is used to add Relay Agent options to DHCPv6 packets
exchanged between a client and a DHCPv6 server. The Lightweight DHCPv6 Relay Agent (LDRA)
is described in RFC 6221.
The Relay-Forward message contains Interface-ID information, also known as Option 18. This
option provides information that identifies the interface on which the client request was sent. The
device discards DHCPv6 packets that do not contain Option 18 information.
In an IPv4 environment, before forwarding the request of a client to the DHCP server, the device
adds the Circuit ID and the Remote ID to the Option 82 field of the DHCP request packet.
The Circuit ID stores on which port the device received the request of the client.
The Remote ID contains the MAC address, the IP address, the system name, or a user-defined
character string. Using it, the participating devices identify the Relay Agent that received the
request of the client.
The device and other Relay Agents use this information to re-direct the answer from the DHCP
Relay Agent to the original client. The DHCP server is able to analyze this data for example to
assign the client an IP address from a specific address pool.
Also, the reply packet of the DHCP server contains the Circuit ID and the Remote ID. Before
forwarding the answer to the client, the device removes the information from the Option 82 field.
The Advanced > DHCP L2 Relay > Configuration dialog lets you activate the function on the active ports
and on the VLANs. In the Operation frame, select the On radio button. Then click the button.
The device forwards DHCPv4 packets with Option 82 information and DHCPv6 packets with
Option 18 information on those ports for which the checkbox in the Active column and in the Trusted
port column is marked. Typically, these are ports in the network of the DHCP server.
On the ports to which the DHCP clients are connected, you activate the DHCP L2 Relay function, but
leave the Trusted port checkbox unmarked. On these ports, the device discards DHCPv4 packets
with Option 82 information and DHCPv6 packets with Option 18 information.
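The Option 82 handling described above, as an added example (not Hirschmann code): a client-facing port discards requests that already carry Option 82 and tags the rest, and a reply has the option removed before it reaches the client. The Circuit ID and Remote ID byte values and the device IP address are constructed; how the device actually encodes them is not given on this page and is an assumption here.

```python
import ipaddress

BOOTP_HEADER_LEN = 236                      # fixed part before the options
MAGIC_COOKIE = bytes.fromhex("63825363")    # marks the start of the options
PAD, END, RELAY_AGENT_INFO = 0, 255, 82
CIRCUIT_ID, REMOTE_ID = 1, 2                # RFC 3046 sub-option codes


def split_packet(packet):
    """Return (fixed header, [(option code, value), ...]) for a DHCPv4 packet."""
    start = BOOTP_HEADER_LEN + len(MAGIC_COOKIE)
    if packet[BOOTP_HEADER_LEN:start] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = [], start
    while i < len(packet) and packet[i] != END:
        if packet[i] == PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("option header truncated")
        code, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options.append((code, value))
        i += 2 + length
    return packet[:BOOTP_HEADER_LEN], options


def join_packet(header, options):
    """Rebuild a packet from the fixed header and a list of options."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([END])


def decode_suboptions(value):
    """Split the Option 82 value into {sub-option code: data}."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("sub-option header truncated")
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code} truncated")
        subs[code] = data
        i += 2 + length
    return subs


def relay_info(packet):
    """Return the Option 82 sub-options of a packet, or None if it has none."""
    _, options = split_packet(packet)
    for code, value in options:
        if code == RELAY_AGENT_INFO:
            return decode_suboptions(value)
    return None


def from_client_port(packet, circuit_id, remote_id):
    """Request received on a port that is active but not trusted.

    Returns None (discard) when the client already supplied Option 82,
    otherwise the packet with Option 82 appended as the last option.
    """
    header, options = split_packet(packet)
    if any(code == RELAY_AGENT_INFO for code, _ in options):
        return None
    info = (bytes([CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([REMOTE_ID, len(remote_id)]) + remote_id)
    return join_packet(header, options + [(RELAY_AGENT_INFO, info)])


def to_client_port(packet):
    """Reply on its way to the client: remove Option 82 before forwarding."""
    header, options = split_packet(packet)
    return join_packet(header, [(c, v) for c, v in options if c != RELAY_AGENT_INFO])


# Constructed sample: minimal DHCPDISCOVER (op=1, htype=1, hlen=6) with
# message-type option 53. All values below are invented for this example.
DISCOVER = join_packet(bytes([1, 1, 6, 0]) + bytes(232), [(53, b"\x01")])
SAMPLE_CIRCUIT_ID = b"\x00\x02\x01\x01"     # assumed encoding: VLAN 2, port 1/1
SAMPLE_REMOTE_ID = ipaddress.IPv4Address("192.0.2.10").packed  # Remote ID type ip

if __name__ == "__main__":
    tagged = from_client_port(DISCOVER, SAMPLE_CIRCUIT_ID, SAMPLE_REMOTE_ID)
    print("tagged request:", relay_info(tagged))
    print("re-injected tagged request:", from_client_port(tagged, b"x", b"y"))
    print("reply stripped:", relay_info(to_client_port(tagged)))
```
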
An example configuration for the DHCPv4 L2 Relay function is shown below. The configuration
steps for DHCPv6 L2 Relay function are similar, except for the Circuit ID and Remote ID entries
that can only be specified for Option 82.
Figure 61: DHCP Layer 2 Example Network (labels: Switch 1, Switch 2, DHCP Server, DHCP Client, Port 1/1, Port 1/2, Port 1/VLAN 2)
Open the Advanced > DHCP L2 Relay > Configuration dialog, Interface tab.
For port 1/1, specify the settings as follows:
– Mark the checkbox in the Active column.
For port 1/2, specify the settings as follows:
– Mark the checkbox in the Active column.
– Mark the checkbox in the Trusted port column.
Open the Advanced > DHCP L2 Relay > Configuration dialog, VLAN ID tab.
Specify the settings for VLAN 2 as follows:
– Mark the checkbox in the Active column.
– Mark the checkbox in the Circuit ID column.
– To use the IP address of the device as the Remote ID, in the Remote ID type column,
specify the value ip.
To enable the function, select the On radio button in the Operation frame.
Open the Advanced > DHCP L2 Relay > Configuration dialog, Interface tab.
For port 1/1 and 1/2, specify the settings as follows:
– Mark the checkbox in the Active column.
– Mark the checkbox in the Trusted port column.
To enable the function, select the On radio button in the Operation frame.
Verify that VLAN 2 is present. Then perform the following steps on Switch 1:
Set up VLAN 2, and specify port 1/1 as a member of VLAN 2.
enable                         To change to the Privileged EXEC mode.
vlan database                  To change to the VLAN configuration mode.
dhcp-l2relay circuit-id 2      To activate the Circuit ID and the DHCP Option 82 on VLAN 2.
dhcp-l2relay remote-id ip 2    To specify the IP address of the device as the Remote ID on VLAN 2.
dhcp-l2relay mode 2            To activate the DHCP L2 Relay function on VLAN 2.
exit                           To change to the Privileged EXEC mode.
configure                      To change to the Configuration mode.
interface 1/1                  To change to the interface configuration mode of interface 1/1.
dhcp-l2relay mode              To activate the DHCP L2 Relay function on the port.
exit                           To change to the Configuration mode.
interface 1/2                  To change to the interface configuration mode of interface 1/2.
dhcp-l2relay trust             To specify the port as Trusted port.
dhcp-l2relay mode              To activate the DHCP L2 Relay function on the port.
exit                           To change to the Configuration mode.
dhcp-l2relay mode              To enable the DHCP L2 Relay function in the device.
The Generic Attribute Registration Protocol (GARP) is defined by the IEEE standards association
to provide a generic framework so switches can register and deregister attribute values, such as
VLAN identifiers and Multicast group membership.
If an attribute for a participant is registered or deregistered according to the GARP function, then the
participant is modified according to specific rules. The participants are a set of reachable end
stations and network devices. The defined set of participants at any given time, along with their
attributes, is the reachability tree for the subset of the network topology. The device forwards the
data frames only to the registered end stations. The station registration helps prevent attempts to
send data to the end stations that are unreachable.
The GARP Multicast Registration Protocol (GMRP) is a Generic Attribute Registration Protocol
(GARP) that provides a mechanism allowing network devices and end stations to dynamically
register group membership. The devices register group membership information with the devices
attached to the same LAN segment. The GARP function also lets the devices disseminate the
information across the network devices that support extended filtering services.
Note: Before you enable the GMRP function, verify that the MMRP function is disabled.
The following example describes the configuration of the GMRP function. The device provides a
constrained multicast flooding facility on a selected port. To do this, perform the following steps:
You use the GVRP function to allow the device to exchange VLAN configuration information with
other GVRP-capable devices, thus reducing unnecessary traffic of Broadcast and unknown
Unicast data packets. In addition, the GVRP function dynamically sets up VLANs on devices
connected through 802.1Q trunk ports.
The following example describes the configuration of the GVRP function. The device lets you
exchange VLAN configuration information with other GVRP-capable devices. To do this, perform
the following steps:
15.4 MRP-IEEE
The IEEE 802.1ak amendment to the IEEE 802.1Q standard introduced the Multiple Registration
Protocol (MRP) to replace the Generic Attribute Registration Protocol (GARP). The IEEE standards
association also modified and replaced the GARP applications, GARP Multicast Registration
Protocol (GMRP) and GARP VLAN Registration Protocol (GVRP), with the Multiple MAC
Registration Protocol (MMRP) and the Multiple VLAN Registration Protocol (MVRP).
To confine forwarding the data packets to the required areas of a network, the MRP applications
distribute attribute values to MRP enabled devices across a LAN. The MRP applications register
and de-register Multicast group memberships and VLAN identifiers.
Note: The Multiple Registration Protocol (MRP) requires a loop free network. To help prevent loops
in the network, use a network protocol such as the Media Redundancy Protocol, Spanning Tree
Protocol, or Rapid Spanning Tree Protocol with MRP.
Each participant contains an applicant component and an MRP Attribute Declaration (MAD)
component. The applicant component is responsible for forming the attribute values and their
registration and de-registration. The MAD component generates MRP messages for transmission
and processes messages received from other participants. The MAD component encodes and
transmits the attributes to other participants in MRP Data Units (MRPDU). In the switch, an MRP
Attribute Propagation (MAP) component distributes the attributes to participating ports.
A participant exists for each MRP application and each LAN port. For example, a participant
application exists on an end device and another application exists on a switch port. The Applicant
state machine records the attribute and port for each MRP participant declaration on an end device
or switch. Applicant state machine variable changes trigger the transmission of MRPDUs to
communicate the declaration or withdrawal.
To establish an MMRP instance, an end device first sends a Join empty (JoinMt) message with the
appropriate attributes. The switch then floods the JoinMt to the participating ports and to the
neighboring switches. The neighboring switches flood the message to their participating ports, and
so on, establishing a path for the group data packets.
The default timer settings help prevent unnecessary attribute declarations and withdraws. The
timer settings allow the participants to receive and process MRP messages before the Leave or
LeaveAll timers expire.
The following list contains various MRP events that the device transmits:
• Join - Controls the interval for the next Join message transmission
• Leave - Controls the length of time that a switch waits in the Leave state before changing to the
withdraw state
• LeaveAll - Controls the frequency with which the switch generates LeaveAll messages
When expired, the Periodic timer initiates a Join request MRP message that the switch sends to
participants on the LAN. The switches use this message to help prevent unnecessary withdraws.
15.4.3 MMRP
When a device receives Broadcast, Multicast or unknown data packets on a port, the device floods
the data packets to the other ports. This process causes unnecessary use of bandwidth on the LAN.
The Multiple MAC Registration Protocol (MMRP) lets you control the flooding of data packets by
distributing an attribute declaration to participants on a LAN. The attribute values that the MAD
component encodes and transmits on the LAN in MRP messages are Group service requirement
information and 48-bit MAC addresses.
The switch stores the attributes in a filtering database as MAC address registration entries. The
forwarding process uses the filtering database entries only to transmit data through those ports
necessary to reach Group member LANs.
Switches facilitate the group distribution mechanisms based on the Open Host Group concept,
receiving packets on the active ports and forwarding only to ports with group members. This way,
any MMRP participant requiring packets transmitted to a particular group or groups requests
membership in the group. MAC service users send packets to a particular group from anywhere on
the LAN. A group receives these packets on the LANs attached to registered MMRP participants.
MMRP and the MAC Address Registration Entries thus restrict the packets to required segments of
a loop-free LAN.
To maintain the registration and deregistration state and to receive data packets, a port declares
interest periodically. Every device on a LAN with the MMRP function enabled maintains a filtering
database and forwards the data packets with the group MAC addresses to the listed participants.
MMRP example
In this example, Host A intends to listen to the data packets destined for group G1. Switch A
processes the MMRP Join request received from host A and sends the request to both of the
neighboring switches. The devices on the LAN now recognize that there is a host interested in
receiving the data packets destined for group G1. When Host B starts transmitting data destined
for group G1, the data flows on the path of registrations and Host A receives it.
Figure 62: MMRP Network for MAC address Registration
Enable the MMRP function on the switches. To do this, perform the following steps:
Open the Switching > MRP-IEEE > MMRP dialog, Configuration tab.
To activate port 1 and port 2 as MMRP participants, mark the checkbox in the MMRP
column for port 1 and port 2 on switch 1.
To activate port 3 and port 4 as MMRP participants, mark the checkbox in the MMRP
column for port 3 and port 4 on switch 2.
To activate port 5 and port 6 as MMRP participants, mark the checkbox in the MMRP
column for port 5 and port 6 on switch 3.
To send periodic events allowing the device to maintain the registration of the MAC
address group, enable the Periodic state machine. Select the On radio button in the
Configuration frame.
To enable the MMRP ports on switch 1, use the following commands. Substituting the appropriate
interfaces in the commands, enable the MMRP functions and ports on switches 2 and 3.
enable                                  To change to the Privileged EXEC mode.
configure                               To change to the Configuration mode.
interface 1/1                           To change to the interface configuration mode of interface 1/1.
mrp-ieee mmrp operation                 To enable the MMRP function on the port.
interface 1/2                           To change to the interface configuration mode of interface 1/2.
mrp-ieee mmrp operation                 To enable the MMRP function on the port.
exit                                    To change to the Configuration mode.
mrp-ieee mrp periodic-state-machine     To enable the Periodic state machine function globally.
mrp-ieee mmrp operation                 To enable the MMRP function globally.
15.4.4 MVRP
The Multiple VLAN Registration Protocol (MVRP) is an MRP application that provides dynamic
VLAN registration and withdraw services on a LAN.
The MVRP function provides a maintenance mechanism for the Dynamic VLAN Registration
Entries, and for transmitting the information to other devices. This information lets MVRP-aware
devices establish and update their VLAN membership information. When members are present on
a VLAN, the information indicates through which ports the switch forwards the data packets to
reach those members.
The main purpose of the MVRP function is to allow switches to discover some of the VLAN
information that you otherwise manually set up. Discovering this information lets switches
overcome the limitations of bandwidth consumption and convergence time in large VLAN networks.
MVRP example
Set up a network comprised of MVRP aware switches (1-4) connected in a ring topology with end
device groups, A1, A2, B1, and B2 in 2 different VLANs, A and B. With STP enabled on the
switches, the ports connecting switch 1 to switch 4 are in the discarding state, helping prevent a
loop condition.
In the MVRP example network, the LANs first send a Join request to the switches. The switch
enters the VLAN registration in the MAC address table (forwarding database) for the port receiving
the frames.
The switch then propagates the request to the other ports, and sends the request to the neighboring
LANs and switches. This process continues until the switches have registered the VLANs in the
MAC address table (forwarding database) of the receive port.
Open the Switching > MRP-IEEE > MVRP dialog, Configuration tab.
To activate the ports 1 through 3 as MVRP participants, mark the checkbox in the MVRP
column for the ports 1 through 3 on switch 1.
To activate the ports 2 through 4 as MVRP participants, mark the checkbox in the MVRP
column for the ports 2 through 4 on switch 2.
To activate the ports 3 through 6 as MVRP participants, mark the checkbox in the MVRP
column for the ports 3 through 6 on switch 3.
To activate port 7 and port 8 as MVRP participants, mark the checkbox in the MVRP column
for port 7 and port 8 on switch 4.
To maintain the registration of the VLANs, enable the Periodic state machine.
Select the On radio button in the Configuration frame.
To enable the function, select the On radio button in the Operation frame.
To enable the MVRP ports on switch 1, use the following commands. Substituting the appropriate
interfaces in the commands, enable the MVRP functions and ports on switches 2, 3 and 4.
enable                                  To change to the Privileged EXEC mode.
configure                               To change to the Configuration mode.
interface 1/1                           To change to the interface configuration mode of interface 1/1.
mrp-ieee mvrp operation                 To enable the MVRP function on the port.
interface 1/2                           To change to the interface configuration mode of interface 1/2.
mrp-ieee mvrp operation                 To enable the MVRP function on the port.
exit                                    To change to the Configuration mode.
mrp-ieee mvrp periodic-state-machine    To enable the Periodic state machine function globally.
mrp-ieee mvrp operation                 To enable the MVRP function globally.
16 Industry Protocols
For a long time, automation communication and office communication were on different paths. The
requirements and the communication properties were too different.
Office communication moves large quantities of data with low demands with respect to the transfer
time. Automation communication moves small quantities of data with high demands with respect to
the transfer time and availability.
While the transmission devices in the office are usually kept in temperature-controlled, relatively
clean rooms, the transmission devices used in automation are exposed to wider temperature
ranges. Dirty, dusty and damp ambient conditions make additional demands on the quality of the
transmission devices.
With the continued development of communication technology, the demands and the
communication properties have moved closer together. The high bandwidths now available in
Ethernet technology and the protocols they support enable large quantities to be transferred and
exact transfer times to be specified.
With the first active optical LAN worldwide at the University of Stuttgart in 1984, Hirschmann laid
the foundation for industry-compatible office communication devices. Thanks to Hirschmann's
initiative with the world's first rail hub in the 1990s, Ethernet transmission devices such as switches,
routers and firewalls are now available for the toughest automation conditions.
The desire for uniform, continuous communication structures encouraged many manufacturers of
automation devices to come together and use standards to aid the progress of communication
technology in the automation sector. This is why we now have protocols that let us communicate
through Ethernet from the office right down to the field level.
This protocol, which works in a packet-oriented way, is based on the TCP/IP transport protocol and
uses the Manufacturing Messaging Specification (MMS) for the client-server communication. The
protocol is object-oriented and defines a standardized configuration language that comprises,
among other things, functions for SCADA, Intelligent Electronic Devices (IED) and for the network
control technology.
Part 6 of the IEC 61850 standard defines the configuration language SCL (Substation
Configuration Language). SCL describes the properties of the device and the system structure in
an automatically processable form. The properties of the device described with SCL are stored in
the ICD file in the device.
The Technical Report, IEC 61850 90-4, specifies a bridge model. The bridge model represents the
functions of a switch as objects of an Intelligent Electronic Device (IED). An MMS client (for
example the control room software) uses these objects to monitor and set up the device.
Figure 65: Bridge model based on Technical Report IEC 61850 90-4
Table 44: Classes of the bridge model based on TR IEC61850 90-4
Class     Description
LN LLN0   Zero logical node of the Bridge IED: Defines the logical properties of the device.
LN LPHD   Physical Device logical node of the Bridge IED: Defines the physical properties of the device.
LN LBRI   Bridge logical node: Represents general settings of the bridge functions of the device.
LN LCCH   Communication Channel logical node: Defines the logical Communication Channel that consists of one or more physical device ports.
LN LCCF   Channel Communication Filtering logical node: Defines the VLAN and Multicast settings for the higher-level Communication Channel.
LN LBSP   Port Spanning Tree Protocol logical node: Defines the Spanning Tree statuses and settings for the respective physical device port.
LN LPLD   Port Layer Discovery logical node: Defines the LLDP statuses and settings for the respective physical device port.
LN LPCP   Physical Communication Port logical node: Represents the respective physical device port.
IEC61850/MMS does not provide any authentication mechanisms. If the write access for
IEC61850/MMS is activated, then every client that can access the device using TCP/IP is capable
of changing the settings of the device. As a result, incorrect device settings and potential network
interruptions may occur.
NOTICE
RISK OF UNAUTHORIZED ACCESS TO THE DEVICE
Only activate the write access if you have taken additional measures (for example Firewall, VPN,
etc.) to reduce possible unauthorized access.
To allow the MMS client to change the settings, mark the Write access checkbox, and click the
button.
Offline configuration
The device lets you download the ICD file using the Graphical User Interface. This file contains the
properties of the device described with SCL and lets you set up the substation without directly
connecting to the device.
Open the Advanced > Industrial Protocols > IEC61850-MMS dialog.
To load the ICD file to your PC, click the button.
The IEC61850/MMS server integrated into the device lets you monitor multiple statuses of the
device by means of the Report Control Block (RCB). Up to 5 MMS clients can register for a Report
Control Block at the same time.
Table 45: Statuses of the device that can be monitored with IEC 61850/MMS (cont.)
The Modbus TCP function lets you install the device in networks already using Modbus TCP and
retrieve information saved in the registers in the device.
The device supports the client/server model of Modbus TCP/IP. This device operates as a server
in this constellation and responds to requests from a client for information saved in the registers.
The client / server model uses four types of messages to exchange data between the client and
server:
• Modbus TCP/IP Request: the client generates a request for information and sends it to the
server.
• Modbus TCP/IP Indication: the server receives a request as an indication that a client requires
information.
• Modbus TCP/IP Response: when the required information is available, the server sends a reply
containing the requested information. When the requested information is unavailable, the server
sends an Exception Response to notify the client of the error detected during the processing.
The Exception Response contains an exception code indicating the reason for the detected
error.
• Modbus TCP/IP Confirmation: the client receives a response from the server, containing the
requested information.
The device supports functions with the public codes 0x03 (Read Holding Registers) and 0x05
(Write Single Coil). The codes let you read the information saved in the registers such as the
system information, including the system name, system location, software version, IP address,
MAC address. The codes also let you read the port information and port statistics. The 0x05 code
lets you reset the port counters individually or globally.
The following list contains definitions for the values entered in the Format column:
• Bitmap: a group of 32 bits, encoded in Big-endian byte order and saved in 2 registers.
Big-endian systems save the most significant byte of a word in the smallest address and save the
least significant byte in the largest address.
• F1: 16-bit unsigned integer
• F2: Enumeration - power supply alarm
– 0 = power supply good
– 1 = power supply failure detected
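The framing behind the two supported function codes and the Format definitions above, as an added example that is not Hirschmann code: a decoder for Modbus TCP requests and responses that also flags requests using 0x05 (the only supported code that changes device state) or a function code the device does not offer. The sample frames and their register and coil addresses are constructed placeholders, and reading the Bitmap format as "first register holds the upper 16 bits" is an assumption drawn from the Big-endian definition.

```python
import struct

READ_HOLDING_REGISTERS = 0x03   # read system, port and statistics registers
WRITE_SINGLE_COIL = 0x05        # reset port counters
F2_POWER_SUPPLY = {0: "power supply good", 1: "power supply failure detected"}

# Constructed sample frames; the addresses are placeholders, not values
# taken from the device's register tables.
READ_REQ = bytes.fromhex("000100000006010300000002")     # 0x03, address 0, 2 registers
WRITE_REQ = bytes.fromhex("00020000000601050010ff00")    # 0x05, coil 0x0010, value 0xFF00
OTHER_REQ = bytes.fromhex("00030000000b0110000000020400010002")  # 0x10, not offered
READ_RESP = bytes.fromhex("00010000000701030400000005")  # registers 0x0000, 0x0005
EXC_RESP = bytes.fromhex("000300000003019001")           # exception 0x01 for function 0x10


class ModbusException(Exception):
    """Raised for an Exception Response (function code with bit 7 set)."""

    def __init__(self, function, code):
        super().__init__(f"function 0x{function:02x}: exception code 0x{code:02x}")
        self.function, self.code = function, code


def split_adu(adu):
    """Validate the 7-byte MBAP header; return (transaction id, unit id, PDU)."""
    if len(adu) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0 (Modbus)")
    if length != len(adu) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return tid, unit, adu[7:]


def parse_request(adu):
    """Decode a client request; address/value are set for 0x03 and 0x05 only."""
    tid, unit, pdu = split_adu(adu)
    function = pdu[0]
    info = {"tid": tid, "unit": unit, "function": function,
            "supported": function in (READ_HOLDING_REGISTERS, WRITE_SINGLE_COIL),
            "write": function == WRITE_SINGLE_COIL}
    if info["supported"]:
        if len(pdu) != 5:
            raise ValueError("malformed request PDU")
        # 0x03: start address + register count; 0x05: coil address + coil value
        info["address"], info["value"] = struct.unpack(">HH", pdu[1:])
    return info


def parse_read_response(adu):
    """Return the register values of a 0x03 response; raise on an Exception Response."""
    _, _, pdu = split_adu(adu)
    if pdu[0] & 0x80:
        if len(pdu) < 2:
            raise ValueError("truncated Exception Response")
        raise ModbusException(pdu[0] & 0x7F, pdu[1])
    if (pdu[0] != READ_HOLDING_REGISTERS or len(pdu) < 2
            or pdu[1] != len(pdu) - 2 or pdu[1] % 2):
        raise ValueError("malformed Read Holding Registers response")
    return list(struct.unpack(f">{pdu[1] // 2}H", pdu[2:]))


def decode_bitmap(registers):
    """Bitmap format: 32 bits in 2 registers (assumed: first register = upper 16 bits)."""
    if len(registers) != 2:
        raise ValueError("a Bitmap value occupies exactly 2 registers")
    return (registers[0] << 16) | registers[1]


def decode_f2(register):
    """F2 format: power supply alarm enumeration."""
    if register not in F2_POWER_SUPPLY:
        raise ValueError("value outside the F2 enumeration")
    return F2_POWER_SUPPLY[register]


def flag_requests(frames):
    """Return requests that write, use an unoffered function code, or fail to parse."""
    flagged = []
    for adu in frames:
        try:
            req = parse_request(adu)
        except ValueError as err:
            flagged.append({"malformed": str(err)})
            continue
        if req["write"] or not req["supported"]:
            flagged.append(req)
    return flagged
```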
The addresses in the following tables allow the client to reset port counters and retrieve specific
information from the device registers.
Table 46: System/Global Information
In the following example, you set up the device to respond to client requests. The prerequisite for
this configuration is that the client device is set up with an IP address within the given range. The
Write access function remains inactive for this example. When you activate the Write access function,
the device lets you reset the port counters only. In the default setting the Modbus TCP and Write
access functions are inactive.
The Modbus TCP function does not provide any authentication mechanisms. If the write access for
Modbus TCP is activated, then every client that can access the device using TCP/IP is capable of
changing the settings of the device. As a result, incorrect device settings and potential network
interruptions may occur.
NOTICE
RISK OF UNAUTHORIZED ACCESS TO THE DEVICE
Only activate the write access if you have taken additional measures (for example Firewall, VPN,
etc.) to reduce possible unauthorized access.
Open the Device Security > Management Access > IP Access Restriction dialog.
Figure 67: EtherNet/IP network
EtherNet/IP adds the industry protocol CIP (Common Industrial Protocol) to the standard Ethernet
protocols. EtherNet/IP implements CIP at the Session layer and above and adapts CIP to the
specific EtherNet/IP technology at the Transport layer and below. In the case of automation
applications, EtherNet/IP implements CIP on the application level. Therefore, EtherNet/IP is ideally
suited to the industrial control technology sector.
In particular, you find EtherNet/IP in the USA and in conjunction with Rockwell controllers.
In the module properties, enter a value of at least 100 ms for the Request Packet Interval (RPI).
Note: Monitoring the I/O connection to the CPU of the device as a detected failure can result in a
potential system failure. Therefore, do not consider the I/O connection to the CPU when monitoring.
The I/O connection between the programmable logic controller (PLC) and the device can be
interrupted by a management program. For example, a management station can saturate the CPU
of the device with higher priority Real Time (RT) data. In this case, the device can still transmit or
receive data packets and the system remains operational.
The Sample Code Library is a website from Rockwell. The object of the website is to provide users
with a place where they can exchange their best architecture integration applications.
On the website samplecode.rockwellautomation.com, search for catalog number 9701. This is the
catalog number of an example for integrating the Hirschmann device into RS Logix 5000 rel. 16,
PLC firmware release 16.
The following paragraphs identify the objects and operations supported by the device.
Supported operations
Table 50: Overview of the supported EtherNet/IP requests for the objects instances
Service Code | Identity Object | TCP/IP Interface Object | Ethernet Link Object | Switch Agent Object | Base Switch Object
0x01 Get Attribute All | All attributes | All attributes | All attributes | All attributes | All attributes
0x02 Set Attribute All | – | Settable attributes (0x3, 0x5, 0x6, 0x8, 0x9, 0xA) | Settable attributes (0x6, 0x9) | – | –
0x0e Get Attribute Single | All attributes | All attributes | All attributes | All attributes | All attributes
0x10 Set Attribute Single | – | Settable attributes (0x3, 0x5, 0x6, 0x8, 0x9, 0xA, 0x64) | Settable attributes (0x6, 0x9, 0x65, 0x67, 0x68, 0x69, 0x6C) | Settable attributes (0x5, 0x7) | –
0x05 Reset | Parameter (0x0, 0x1) | – | – | – | –
0x35 Save Configuration (Vendor specific) | – | – | – | Save switch configuration | –
0x36 Mac Filter (Vendor specific) | – | – | – | Add MAC filter; STRUCT of: USINT VlanId, ARRAY of: 6 USINT Mac, DWORD PortMask | –
Identity object
The device supports the identity object (Class Code 0x01) of EtherNet/IP. The Hirschmann
manufacturer ID is 634. Hirschmann uses the ID 44 (0x2C) to indicate the product type "Managed
Ethernet Switch".
Table 51: Instance attributes (only instance 1 is available)
The device supports only Instance 1 of the TCP/IP Interface Object (Class Code 0xF5) of
EtherNet/IP.
Depending on the write access status, the device stores the complete settings in its flash memory.
Saving the settings can take up to 10 seconds. If the saving process is interrupted, for example due
to an inoperable power supply, then the operation of the device might be impossible.
Note: The device replies to the configuration change Get Request with a Response although the
configuration has not yet been saved completely.
The information in the following tables is part of the Ethernet Link Object. To access the
information, use the following values:
• Class(####)
• Instance(###)
• Attribute(#)
Specify at least one instance in the device, for example, Instance 1 is the CPU Ethernet interface
instance (Class Code 0xF6) of EtherNet/IP.
Note: The number of ports depends on the type of hardware used. The Ethernet Link Object only
exists, if the port is connected.
The device supports the Hirschmann specific Ethernet Switch Agent Object (Class Code 0x95) for
the device settings and information parameters with Instance 1.
Table 58: Class attributes
The Hirschmann specific Ethernet Switch Agent Object provides you with the additional vendor
specific service, with the Service Code 0x35 for saving the device settings. When you send a
request from your PC to save the device settings, the device sends a reply after saving the settings
in the flash memory.
The Base Switch object provides the CIP application-level interface to basic status information for
a managed Ethernet switch (revision 1).
Message Router
The Message Router object (Class Code 0x20) distributes Explicit Request messages to the
appropriate handler object.
Table 60: Class attributes
Assembly
The Assembly object (Class Code 0x04) binds attributes of multiple objects. This property lets the
device send or receive data to or from any object over a single connection. You can use Assembly
objects to bind Input or Output data. The terms Input and Output are specified from the viewpoint
of the network. Input produces data on the network and Output consumes data from the network.
Table 61: Supported instances
Connection Manager
The Connection Manager Class (Class Code 0x06) allocates and manages the internal resources
associated with both I/O and Explicit Messaging connections.
Table 64: Class attributes
QoS object
The QoS object (0x48) lets the device send EtherNet/IP messages with non-zero DiffServ code points
(DSCP). The QoS object supports one instance.
Table 65: Class attributes
I/O Data | Value (data types and sizes to be defined) | Direction | Size (1)
Device Status | Bitmask (see Switch Agent Attribute 0x1) | Input | DWORD
Link Status | Bitmask, 1 Bit per port (0=No link, 1=Link up) | Input | DWORD
Output Links Admin State applied | Bitmask (1 Bit per port) to acknowledge output. Link state change can be denied, for example for controller access port. (0=Port enabled, 1=Port disabled) | Input | DWORD
Utilization Alarm (2) | Bitmask, 1 Bit per port (0=No alarm, 1=Alarm on port) | Input | DWORD
Access Violation Alarm (3) | Bitmask, 1 Bit per port (0=No alarm, 1=Alarm on port) | Input | DWORD
Multicast Connections | Integer, number of connections | Input | DINT
TCP/IP Connections | Integer, number of connections | Input | DINT
Quick Connect Mask | Bitmask (1 Bit per port) (0=Quick Connect disabled, 1=Quick Connect enabled) | Input | DINT
Link Admin State | Bitmask, 1 Bit per port (0=Port enabled, 1=Port disabled) | Output | DWORD
1. The default size of the port bit masks is 32 bits (DWORD). For devices with more than 28 ports the port bit masks have
been extended to n * DWORD.
2. You specify the utilization alarm settings in the Basic Settings > Port dialog, Ingress Utilization tab. The upper threshold
value is the limit, where the alarm condition becomes active. The lower threshold value is the limit, where an active alarm
condition becomes inactive.
3. You specify the Access Violation alarm settings in the Network Security > Port Security dialog. The upper threshold value
is the limit, where the alarm condition becomes active. The lower threshold value is the limit, where an active alarm
condition becomes inactive.
PROFINET enhances the existing Profibus technology for applications that require fast data
communication and the use of industrial IT functions.
PROFINET uses the device description language GSDML (Generic Station Description Markup
Language, based on XML) to describe devices and their properties so that they can be processed
automatically. You find the device description in the GSD (Generic Station Description) file of the
device.
The device generates GSDML files in the GSDML V.2.41 format. Within the GSDML file, the device
is modeled according to GSDML standard V.2.4.
Figure 72: Mixed device
When you set up the device successfully in a PROFINET environment, the PROFINET IO controller
establishes an Application Relation (AR) with the device.
After the user logs in through the Command Line Interface, the device displays a message that an
Application Relation is active. In the Advanced > Industrial Protocols > PROFINET dialog, the Graphical
User Interface displays equivalent information, for example, the number of running Application
Relations.
First you install, connect and set up the device. Then you integrate the device into a Control
System. To do this, perform the following steps:
Functions that directly affect the PROFINET function require the following default values to be
changed. When you obtain the device as a specially available PROFINET variant, the following
values are already predefined:
The following illustrates the configuration of the PLC using the example of the TIA Portal software
from Siemens, and assumes that you are familiar with operating the software.
The device also supports engineering stations from other manufacturers, such as PC Worx from
Phoenix Contact.
In the PLC default setting, the PLC detects the interruption of the I/O connection to the device and
treats the interruption as a failure. The PLC considers 3 consecutive real time packets missing from
a partner PLC or from the device as an interruption. According to the default setting, the PLC treats
this as a system failure. To change this default setting, you employ TIA Portal programming
measures.
Note: Monitoring the I/O connection to the CPU of the device as a detected failure can result in a
potential system failure. Therefore, do not consider the I/O connection to the CPU when monitoring.
The device management data packets can interrupt the I/O connection between the PLC and the
device. For example, a management station can saturate the CPU of the device with higher priority
real time data. In this case, because the device can still transmit or receive data packets, the
system remains operational.
The Hirschmann device provides you with the following option for generating GSDML files and
icons:
You can use the Advanced > Industrial Protocols > PROFINET dialog in the GUI to download the
GSDML file and the icon of the device.
Incorporating the GSDML-based device in the network device settings includes the following
actions:
• “Incorporate the device”
• “Rename the device”
• “Set up the IO Cycle”
• “Configure Media Redundancy”
• “Adding modules for modular devices”
• “Adding digital I/O modules in non-modular devices”
• “Adding digital I/O modules in modular devices”
• “Adding an SFP transceiver as a submodule in non-modular devices”
• “Configuring the port properties”
• “Configuring the connection options”
• “Swapping devices”
• “Topology discovery”
• “Configuring the topology”
• “Communication diagnosis”
In the Project view frame, select the Open the project view object.
– In the Manage general station description files dialog, Installed GSDs tab, Source path field, browse
and select the GSD folder for the GSDML file previously saved on your computer. Click the
OK button.
– After the GSDML file installation is completed, click the Close button.
You find the new device under the items Other field devices > PROFINET IO > Network
Components > Hirschmann Automation and Control GmbH.
Drag the selected device and drop it onto the Network view worksheet.
Assign the device to the PLC. To do this, click the Not assigned link in the device tile, then select
the required item.
Select the Properties tab. The Properties tab contains additional tabs.
In the tree view, PROFINET interface [X1] branch, select the Ethernet addresses item.
In the IP protocol frame, select the Set IP address in the project radio button.
In the PROFINET frame, unmark the Generate PROFINET device name automatically checkbox.
Enter the same name as specified in the Hirschmann device in the PROFINET device name item.
As an alternative, click the Not assigned link in the device tile, then select the required item.
In the General tab, navigate to the PROFINET interface [X1] > Advanced options > Real time settings >
IO cycle item.
In the Update time frame, select the Set update time manually radio button.
From the Update time[ms] drop-down list, select the desired item.
In the Watchdog time frame, select the desired item from the Accepted update cycles without IO data
drop-down list.
In the General tab, navigate to the PROFINET interface [X1] > Advanced options > Media redundancy
item.
From the Media redundancy role drop-down list, select the desired item.
From the Ring port 1 drop-down list, select the desired item.
From the Ring port 2 drop-down list, select the desired item.
Mark the Diagnostics interrupts checkbox to receive MRP ring Open/Close alarms.
Note: When an Application Relation is already established, do not disable any of the MRP Ring
ports using the I/O modules (PROFINET).
Select the Hardware catalog tab in the right margin to display the Catalog pod.
In the Device view tab, the slot which is physically connected to the device is highlighted.
Drag the selected module, and drop it onto the highlighted slot in the Device view tab.
Note: The TIA Portal automatically adds the fixed ports when you add a module in the Device view
tab. If the module has SFP slots, you need to set up the SFPs. See section “Adding an SFP
transceiver as a submodule in non-modular devices”.
In non-modular devices, device data modules and port data modules are available that transfer the
I/O data packets in the PROFINET network. For inserting a device data module or port data module,
perform the following steps:
Click the Project view icon.
Select the Hardware catalog tab in the right margin to display the available media modules.
In the Device view tab, the slot which is logically connected to the device is highlighted.
Drag the selected module, and drop it onto the highlighted slot in the Device view tab.
In modular devices, device data modules and port data modules are available that transfer the I/O
data packets in the PROFINET network. For inserting a device data module or port data module,
perform the following steps:
Click the Project view icon.
Select the Hardware catalog tab in the right margin to display the Catalog pod.
In the tree view, Media module - input/output branch, select the required device data module or
port data module.
In the Device view tab, the slot which is logically connected to the device is highlighted.
Drag the selected module, and drop it onto the highlighted slot in the Device view tab.
In the TIA Portal, you can set up SFP (Small Form-factor Pluggable) transceivers as submodules
in the free SFP slots of the device representation. To set up an SFP submodule, perform the
following steps:
Click the Project view icon.
Select the Hardware catalog tab in the right margin to display the available SFP submodules.
In the Device view tab, the slot which is logically connected to the device is highlighted.
Drag the selected SFP submodule, and drop it onto the highlighted slot in the Device view tab.
Note: Verify that the SFP submodule you added in the TIA Portal and the physically connected SFP
submodule are of the same type. Otherwise, the Application Relation may not be set up correctly.
In a modular device with n I/O modules, the I/O modules are represented by the slots 1 through n.
The ports of a particular I/O module are represented by subslots in the respective slot. The device
data module is represented by the next to last slot (n+1) and the port data module is represented
by the last slot (n+2).
A non-modular device with n ports only has the slot 0. The ports are represented as subslots 1
through n in slot 0. The device data module is represented by the next to last subslot (n+1) and the
port data module is represented by the last subslot (n+2).
Set up the port link monitoring alarm. To do this, perform the following steps:
Click the Project view icon.
In the General tab, navigate to the PROFINET interface [X1] > Advanced options item, then click the
required port.
In the Port options section, Connection frame, mark the Monitor checkbox.
Note: To test the port link monitor function, you can temporarily unplug the data cable from the
respective port.
In the General tab, navigate to the PROFINET interface [X1] > Advanced options item, then click the
required port.
In the Port options section, Connection frame, select the desired item from the Transmission rate/
duplex drop-down list other than the Automatic item.
The device automatically marks the Monitor and Enable autonegotiation checkboxes.
If you change the port setting to a value other than Automatic settings, then the device disables
the port for a short time. If you have positioned the port on the path between the I/O controller and
the I/O device, then this interruption can possibly lead to a failure in establishing the Application
Relation. Make the following provisions before changing the port setting:
Note: Before disabling RSTP on certain ports, make sure that this will not result in loops.
Deactivate RSTP on the device ports between the I/O controller and the I/O device.
Open the Switching > L2-Redundancy > Spanning Tree > Port dialog, CIST tab.
Unmark the STP active checkbox for the relevant ports.
Set up the topology monitoring alarm. To do this, perform the following steps:
Click the Project view icon.
In the General tab, navigate to the PROFINET interface [X1] > Advanced options item, then click the
required port.
In the Port interconnection section, Partner port frame, Partner port field, browse and select the port
of the partner device with which the device is connected.
Note: PROFINET monitors the topology configuration. If you connect the port of the Hirschmann
device to a different port of the partner device, then the Hirschmann device generates an alarm with
the error message Wrong partner port.
The alarm ceases when you reconnect the port of the Hirschmann device to the set-up port of the
partner device.
Swapping devices
Hirschmann devices support the device swapping function with an engineering station.
When identical devices are swapped, the engineering station assigns the parameters of the original
device to the new device.
The device swapping function with the TIA Portal has the following prerequisites:
S7 1511 with software release from v2.6, currently available for CPU 1511 or higher
Hirschmann device software release from 08.8.00
The neighboring devices support LLDP.
The topology is set up and loaded onto the TIA Portal.
When these conditions are met, the engineering station automatically assigns the parameters of
the original device (device name, IP parameters, and configuration data) to the replacement device.
Topology discovery
After you initialize the Topology discovery, the engineering station looks for connected devices.
The TIA Portal gives you the option to set up the topology and monitor it accordingly. The TIA Portal
displays the connection parameters (quality and settings) in a colored graphic.
Communication diagnosis
The TIA Portal monitors the communication quality and outputs messages relating to detected
communication problems.
Alarms
Record parameters
I/O Data
You find the bit assignment for the I/O data in the following table.
Table 74: Device I/O data
The following example describes the configuration of a DHCP server using the haneWIN DHCP
Server software. This shareware software is a product of IT-Consulting Dr. Herbert Hanewinkel.
You can download the software from www.hanewin.net. You can test the software for 30 calendar
days from the date of the first installation, and then decide if you want to purchase a license.
Note: When Windows is activated, the installation procedure includes a service that is
automatically started in the basic configuration. This service remains active even when the program
itself has not been started. When started, the service responds to DHCP queries.
In the menu bar, click the items Options > Preferences to open the program settings window.
Select the DHCP tab.
Specify the settings displayed in the figure.
To enter the static addresses, in the main window, click the Static button.
In the Hardware address field, specify the value Circuit Identifier and the value Remote Identifier for
the switch and port.
The DHCP server assigns the IP address specified in the IP address field to the device that you
connect to the port specified in the Hardware address field.
The hardware address is in the following form:
ciclhhvvvvssmmpprirlxxxxxxxxxxxx
ci: Sub-identifier for the type of the Circuit ID.
cl: Length of the Circuit ID.
hh: Hirschmann identifier: 01 when a Hirschmann device is connected to the port, otherwise 00.
vvvv: VLAN ID of the DHCP request. Default setting: 0001 = VLAN 1
ss: Socket of device at which the module with that port is located to which the device is connected. Specify the value 00.
mm: Module with the port to which the device is connected.
pp: Port to which the device is connected.
ri: Sub-identifier for the type of the Remote ID.
rl: Length of the Remote ID.
xxxxxxxxxxxx: Remote ID of the device (for example MAC address) to which a device is connected.
[Figure: application example with DHCP Option 82. Labels: DHCP server, IP = 192.168.112.1; MAC = 00:80:63:10:9a:d7; IP = 192.168.112.100]
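The hardware address layout described above can be checked mechanically before you enter it as a static entry. The following Python sketch is an added example, not part of the Hirschmann or haneWIN software. It assumes that every field is hex-encoded, and it uses constructed sub-identifier values (01 and 02) and a constructed module/port; use the values your device actually sends.

```python
from dataclasses import dataclass

CIRCUIT_ID_LEN = 6  # hh + vvvv + ss + mm + pp, counted in bytes


@dataclass(frozen=True)
class Option82Address:
    circuit_subid: int     # ci
    hirschmann_peer: bool  # hh: True when a Hirschmann device is on the port
    vlan_id: int           # vvvv
    socket: int            # ss
    module: int            # mm
    port: int              # pp
    remote_subid: int      # ri
    remote_id: bytes       # x..., for example the MAC address of the switch


def parse_hardware_address(text: str) -> Option82Address:
    """Split a 'ciclhhvvvvssmmpprirl<remote id>' string into its fields."""
    digits = "".join(ch for ch in text if ch not in " :-.")
    try:
        raw = bytes.fromhex(digits)
    except ValueError as exc:
        raise ValueError("hardware address must consist of hex digit pairs") from exc
    if len(raw) < 2 + CIRCUIT_ID_LEN + 2:
        raise ValueError("hardware address is too short")
    ci, cl, hh = raw[0], raw[1], raw[2]
    if cl != CIRCUIT_ID_LEN:
        raise ValueError(f"Circuit ID length is {cl}, expected {CIRCUIT_ID_LEN}")
    vlan = int.from_bytes(raw[3:5], "big")
    ss, mm, pp = raw[5], raw[6], raw[7]
    ri, rl = raw[8], raw[9]
    remote = raw[10:]
    if rl == 0 or rl != len(remote):
        raise ValueError(f"Remote ID length is {rl}, but {len(remote)} bytes follow")
    if hh not in (0, 1):
        raise ValueError("Hirschmann identifier must be 00 or 01")
    if ss != 0:
        raise ValueError("socket must be 00")
    if not 1 <= vlan <= 4094:  # valid IEEE 802.1Q VLAN IDs
        raise ValueError(f"VLAN ID {vlan} is out of range")
    return Option82Address(ci, bool(hh), vlan, ss, mm, pp, ri, remote)


def build_hardware_address(addr: Option82Address) -> str:
    """Return the hex string for the Hardware address field."""
    raw = bytes([addr.circuit_subid, CIRCUIT_ID_LEN, int(addr.hirschmann_peer)])
    raw += addr.vlan_id.to_bytes(2, "big")
    raw += bytes([addr.socket, addr.module, addr.port,
                  addr.remote_subid, len(addr.remote_id)])
    return (raw + addr.remote_id).hex()


def audit_static_entries(entries):
    """Report malformed entries and IP addresses bound to more than one port."""
    findings, port_by_ip = [], {}
    for hardware_address, ip in entries:
        try:
            key = build_hardware_address(parse_hardware_address(hardware_address))
        except ValueError as exc:
            findings.append(f"{hardware_address}: {exc}")
            continue
        if port_by_ip.setdefault(ip, key) != key:
            findings.append(f"{ip}: assigned to more than one switch port")
    return findings


# Constructed sample: VLAN 1, module 1, port 3, Remote ID = MAC from the figure.
SAMPLE = "01060000010001030206008063109ad7"

# Constructed static entries: a valid one, a second port reusing the same
# IP address, and a truncated hardware address.
CONSTRUCTED_ENTRIES = [
    (SAMPLE, "192.168.112.100"),
    ("01060000010001040206008063109ad7", "192.168.112.100"),
    ("0106000001000103", "192.168.112.101"),
]

if __name__ == "__main__":
    print(parse_hardware_address(SAMPLE))
    for finding in audit_static_entries(CONSTRUCTED_ENTRIES):
        print("finding:", finding)
```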
You can connect to the device using SSH. To do this, perform the following steps:
Generate a key in the device.
or
Transfer your own key onto the device.
Prepare access to the device in the SSH client program.
Note: In the default setting, a key already exists and access using SSH is enabled.
The device lets you generate the key directly in the device. To do this, perform the following steps:
Open the Device Security > Management Access > Server dialog, SSH tab.
To disable the SSH server, select the Off radio button in the Operation frame.
OpenSSH gives experienced network administrators the option of generating their own key. To
generate the key, enter the following commands on your PC:
ssh-keygen(.exe) -q -t rsa -f rsa.key -C '' -N ''
rsaparam -out rsaparam.pem 2048
The device lets you transfer your own SSH key onto the device. To do this, perform the following
steps:
Open the Device Security > Management Access > Server dialog, SSH tab.
To disable the SSH server, select the Off radio button in the Operation frame.
Click the Start button in the Key import frame to load the key onto the device.
To enable the SSH server, select the On radio button in the Operation frame.
The PuTTY program lets you access the device using SSH. You can download the software from
www.putty.org.
In the Host Name (or IP address) field you enter the IP address of your device.
The IP address (a.b.c.d) consists of 4 decimal numbers with values from 0 to 255. The 4 decimal
numbers are separated by points.
To select the connection type, select the SSH radio button in the Connection type option list.
Click the Open button to set up the data connection to your device.
Before the connection is established, the PuTTY program displays a security alarm message and
lets you check the key fingerprint.
Check the fingerprint of the key to help ensure that you have actually connected to the desired
device.
When the fingerprint matches your key, click the Yes button.
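To have a reference value for this check, you can compute the fingerprint of the public key that belongs to the key you transferred onto the device. The following Python sketch is an added example, not part of the device software or of PuTTY. It computes the SHA256 fingerprint in the form that OpenSSH and current PuTTY versions display, and it uses a constructed public key line in place of the .pub file written by ssh-keygen.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def constructed_pubkey_line(fill: int = 0xC3) -> str:
    """Build a syntactically valid 'ssh-rsa' line from made-up numbers.

    Constructed sample: not a usable key and not a key from any device.
    """
    exponent = (65537).to_bytes(3, "big")
    modulus = b"\x00" + bytes([fill]) * 256
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(exponent) + _ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed-sample"


def decode_blob(pubkey_line: str) -> bytes:
    """Return the binary key blob of a '<type> <base64> [comment]' line."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key type> <base64 blob> [comment]'")
    key_type, encoded = parts[0], parts[1]
    try:
        blob = base64.b64decode(encoded, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the line prefix")
    return blob


def sha256_fingerprint(pubkey_line: str) -> str:
    """Fingerprint in the 'SHA256:<unpadded base64>' form.

    Only the key blob is hashed; the key type prefix and the comment are not.
    """
    digest = hashlib.sha256(decode_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def matches_displayed(pubkey_line: str, displayed: str) -> bool:
    """Compare the expected fingerprint with the one the SSH client shows."""
    expected = sha256_fingerprint(pubkey_line).encode("ascii")
    shown = displayed.strip().encode("utf-8")
    return hmac.compare_digest(expected, shown)


if __name__ == "__main__":
    line = constructed_pubkey_line()  # in practice: the content of rsa.key.pub
    print(sha256_fingerprint(line))
```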
For experienced network administrators, another way of accessing your device through SSH is
by using the OpenSSH Suite. To set up the data connection, enter the following command:
ssh admin@10.0.112.53
Your web browser establishes the connection to the device using the Hypertext Transfer Protocol
Secure (HTTPS). The prerequisite is that you enable the HTTPS server function in the Device
Security > Management Access > Server dialog, HTTPS tab.
Note: Third-party software such as web browsers validate certificates based on criteria such as
their expiration date and current cryptographic parameter recommendations. Outdated certificates
may cause issues due to invalid or outdated information. Example: An expired certificate or
changed cryptographic recommendations. To solve validation conflicts with third-party software,
transfer your own up-to-date certificate onto the device or regenerate the certificate with the latest
firmware.
A standard certificate according to X.509/PEM (Public Key Infrastructure) is required for encryption.
In the default setting, a self-generated certificate is already present in the device. To generate a
new certificate on the device, perform the following steps:
Open the Device Security > Management Access > Server dialog, HTTPS tab.
To generate an X.509/PEM certificate, in the Certificate frame, click the Create button.
The device also lets you transfer an externally generated X.509/PEM certificate onto the device:
Open the Device Security > Management Access > Server dialog, HTTPS tab.
When the certificate is located on your PC or on a network drive, drag and drop the
certificate in the area. As an alternative, click in the area to select the certificate.
Click on the Start button to copy the certificate to the device.
Note: To activate the certificate after the device generated it or you transferred it, reboot the device
or restart the HTTPS server. Restart the HTTPS server using the Command Line Interface.
The default setting for the HTTPS data connection is TCP port 443. If you change the number of the
HTTPS port, then reboot the device or restart the HTTPS server so that the change becomes effective.
To do this, perform the following steps:
Open the Device Security > Management Access > Server dialog, HTTPS tab.
To enable the function, select the On radio button in the Operation frame.
To access the device by HTTPS, enter HTTPS instead of HTTP in your web browser,
followed by the IP address of the device.
When you make changes to the HTTPS port number, disable the HTTPS server and enable it again
to make the changes effective.
The device uses Hypertext Transfer Protocol Secure (HTTPS) and establishes a new data
connection. When you log out at the end of the session, the device terminates the data connection.
B Appendix
B.2 Maintenance
Hirschmann is continually working on improving and developing their software. Check regularly if
there is an updated version of the software that provides you with additional benefits. You find
information and software downloads on the Hirschmann product pages on the Internet at
www.hirschmann.com.
The Management Information Base (MIB) is designed in the form of an abstract tree structure.
The branching points are the object classes. The "leaves" of the MIB are called generic object
classes.
When this is required for unique identification, the generic object classes are instantiated, that
means the abstract structure is mapped onto reality, by specifying the port or the source address.
Values (integers, time ticks, counters or octet strings) are assigned to these instances; these values
can be read and, in some cases, modified. The object description or object ID (OID) identifies the
object class. The subidentifier (SID) is used to instantiate them.
Example:
Specifying the subidentifier 2 maps this abstract information onto reality (instantiates it), thus
identifying it as the operating status of power supply 2. A value is assigned to this instance and can
be read. The instance get 1.3.6.1.4.1.248.11.11.1.1.1.1.2.1 returns the response 1, which
means that the power supply is ready for operation.
[Figure: MIB tree rooted at 1 iso > 3 org > 6 dod > 1 internet, with branches including at, ip, icmp, tcp, udp, snmp, rmon, dot1dBridge, snmpDot3MauMGT, hm2Platform5, Target, Notification, usm and vacm]
Figure 91: Tree structure of the Hirschmann MIB
When you have downloaded a software update from the product pages on the Internet, the ZIP
archive of the device software also contains the MIBs.
ANSI/TIA-1057 Link Layer Discovery Protocol for Media Endpoint Devices, April 2006
16.4.6 Switching
16.4.7 VLAN
The product contains, among other things, Open Source Software files developed by third parties
and licensed under an Open Source Software license.
You can find the license terms in the Graphical User Interface in the Help > Licenses dialog.
Path costs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196, 199
PC Worx . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Polling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Port Identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Port mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Port priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Port roles (RSTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Port State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Prefix length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Priority queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Priority tagged frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Privileged Exec mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
PROFIBUS Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Protection functions (guards) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
PTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
PTP domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
PuTTY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Q
QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
R
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
RAM (memory) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Rapid Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182, 203
Real time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Reconfiguration time (MRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Reference time source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81, 87, 91
Relay contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Remote diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Report message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Request Packet Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
RFC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Ring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Ring Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Ring/Network coupling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Ring/Network Coupling Advanced Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Ring/Network Coupling packet prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Ring/Network Coupling packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Ring/Network coupling, Link Topology of 1-Switch coupling . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Ring/Network coupling, Link Topology of 2-Switch coupling . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Ring/Network coupling, Link Topology of 2-Switch coupling with Control Line . . . . . . . . . . . . . 221
Ring/Network Coupling, Topology requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
RIPE NCC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
RM (Ring Manager) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
RMON probe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Root Bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Root guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208, 211
Root path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200, 201
Root Path Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Root port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203, 209
Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Router Advertisement Daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56, 60
RPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
RST BPDU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203, 205
RSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
S
Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Segmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Serial interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Service Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Service Shell deactivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Setting the time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
SFP module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Signal contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
SNMP trap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237, 239
SNTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Software version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
SSH (Secure Shell) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Starting the graphical user interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Store-and-forward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
STP-BPDU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Strict Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Subidentifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Symbol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299, 323
System requirements (Graphical User Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
System time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
T
Tab Completion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
TCN guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209, 211
TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299, 317
Technical questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Threshold value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
TIA Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Topology Change flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
ToS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149, 151
Traffic class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152, 157
Traffic shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Training courses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Transmission reliability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Transparent clock (PTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Trap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237, 239
Trap destination table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Tree structure (Spanning Tree) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199, 202
TSN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Type of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
U
UDP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299, 317
User Exec mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
User name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19, 21
V
Video . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
VLAN (HIPER Ring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
VLAN mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
VLAN priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
VLAN tag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151, 167
VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
VT100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
W
Weighted Fair Queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Weighted Round Robin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
D Further support
Technical questions
For technical questions, please contact any Hirschmann dealer in your area or Hirschmann directly.
A list of local telephone numbers and email addresses for technical support directly from
Hirschmann is available at hirschmann-support.belden.com. This site also includes a free-of-charge
knowledge base and a software download section.
Technical Documents
The current manuals and operating instructions for Hirschmann products are available at
doc.hirschmann.com.
The Customer Innovation Center is ahead of its competitors on three counts with its complete range
of innovative services:
Consulting incorporates comprehensive technical advice, from system evaluation through
network planning to project planning.
Training offers you an introduction to the basics, product briefing and user training with
certification.
You can find the currently available training courses on technology and products at
www.belden.com/solutions/customer-innovation-center.
Support ranges from the first installation through the standby service to maintenance concepts.
With the Customer Innovation Center, you decide against any compromise in any case. Our
client-customized package leaves you free to choose the service components you want to use.
E Readers’ Comments
What is your opinion of this manual? We are constantly striving to provide as comprehensive a
description of our product as possible, as well as important information to assist you in the operation
of this product. Your comments and suggestions help us to further improve the quality of our
documentation.
General comments:
Sender:
Company / Department:
Street:
E-mail:
Date / Signature:
Dear User,