Hirschmann GREYHOUND GRS1020 Reference Manual Download Page 73

Page: 73 / 619

Device Security

[ Device Security > Authentication List ]

RM GUI GRS

Release

8.0

09/2019

Possible values:



local

(default setting)

The device authenticates the users by using the local user management. See the

Device

Security > User Management

dialog.

You cannot assign this value to the authentication list

defaultDot1x8021AuthList



radius

The device authenticates the users with a RADIUS server in the network. You specify the

RADIUS server in the

Network Security > RADIUS > Authentication Server

dialog.



reject

The device accepts or rejects the authentication depending on which policy you try first. The

following list contains authentication scenarios:

–

If the first policy in the authentication list is

local

and the device accepts the credentials of

the user, then it logs the user in without attempting the other polices.

–

If the first policy in the authentication list is

local

and the device denies the credentials of

the user, then it attempts to log the user in using the other polices in the order specified.

–

If the first policy in the authentication list is

radius

and the device rejects a login, then the

If there is no response from the RADIUS server, then the device attempts to authenticate the

user with the next policy.

–

If the first policy in the authentication list is

reject

, then the devices immediately rejects the

user login without attempting another policy.

–

Verify that the authentication list

defaultV24AuthList

contains at least one policy different

from

reject



ias

The device authenticates the end devices logging in via 802.1X with the integrated

authentication server (IAS). The integrated authentication server manages the log in data in a

separate database. See the

Network Security > 802.1X Port Authentication > Integrated Authentication

Server

dialog.

You can only assign this value to the authentication list

defaultDot1x8021AuthList

Dedicated applications

Displays the dedicated applications. When users access the device with the relevant application,

the device uses the specified policies for the authentication.

To allocate another application to the list or remove the allocation, click the button and then the

Allocate applications

item. The device lets you assign each application to exactly one list.

Active

Activates/deactivates the list.

Possible values:



marked

The list is activated. The device uses the policies in this list when users access the device with

the relevant application.



unmarked

(default setting)

The list is deactivated.

Summary of Contents for GREYHOUND GRS1020

Page 1: ...Hirschmann Automation and Control GmbH Reference Manual Graphical User Interface User Manual Configuration GRS1020 1030 HiOS 2S Rel 08000 ...

Page 2: ...RM GUI GRS Release 8 0 09 2019 Technical support https hirschmann support belden com Reference Manual Graphical User Interface Greyhound Switch GRS1020 1030 HiOS 2S ...

Page 3: ...rformance features described here are binding only if they have been expressly agreed when the contract was made This document was produced by Hirschmann Automation and Control GmbH according to the best of the company s knowledge Hirschmann reserves the right to change the contents of this document without prior notice Hirschmann can give no guarantee in respect of the correctness or accuracy of ...

Page 4: ... 66 3 2 Authentication List 71 3 3 Management Access 74 3 3 1 Server 75 3 3 2 IP Access Restriction 88 3 3 3 Web 91 3 3 4 Command Line Interface 92 3 3 5 SNMPv1 v2 Community 95 3 4 Pre login Banner 96 4 Network Security 98 4 1 Network Security Overview 98 4 2 Port Security 100 4 3 802 1X Port Authentication 105 4 3 1 802 1X Global 106 4 3 2 802 1X Port Configuration 108 4 3 3 802 1X Port Clients 1...

Page 5: ...64 5 4 5 IGMP Snooping Multicasts 167 5 5 MRP IEEE 168 5 5 1 MRP IEEE Configuration 169 5 5 2 MRP IEEE Multiple MAC Registration Protocol 170 5 5 3 MRP IEEE Multiple VLAN Registration Protocol 174 5 6 GARP 177 5 6 1 GMRP 178 5 6 2 GVRP 180 5 7 QoS Priority 181 5 7 1 QoS Priority Global 182 5 7 2 QoS Priority Port Configuration 183 5 7 3 802 1D p Mapping 185 5 7 4 IP DSCP Mapping 187 5 7 5 Queue Ma...

Page 6: ... 269 6 4 2 TP cable diagnosis 271 6 4 3 Port Monitor 273 6 4 4 Auto Disable 285 6 4 5 Port Mirroring 289 6 5 LLDP 291 6 5 1 LLDP Configuration 292 6 5 2 LLDP Topology Discovery 296 6 6 Report 299 6 6 1 Report Global 300 6 6 2 Persistent Logging 304 6 6 3 System Log 307 6 6 4 Audit Trail 308 7 Advanced 310 7 1 DHCP L2 Relay 310 7 1 1 DHCP L2 Relay Configuration 311 7 1 2 DHCP L2 Relay Statistics 31...

Page 7: ...led machine actions caused by data loss configure all the data transmission devices individually Before you start any machine which is controlled via data transmission be sure to complete the configuration of all data transmission devices Failure to follow these instructions can result in death serious injury or equipment damage ...

Page 8: ......

Page 9: ...ce The Graphical User Interface reference manual contains detailed information on using the graphical user interface to operate the individual functions of the device The Command Line Interface reference manual contains detailed information on using the Command Line Interface to operate the individual functions of the device The Industrial HiVision Network Management software provides you with add...

Page 10: ...ngs List Work step Link Cross reference with link Note A note emphasizes a significant fact or draws your attention to a dependency Courier Representation of a CLI command or field contents in the graphical user interface Execution in the Graphical User Interface Execution in the Command Line Interface ...

Page 11: ...bar The toolbar at the top of the navigation area contains several buttons When you position the mouse pointer over a button a tooltip displays further information If the connection to the device is lost then the toolbar is grayed out The device automatically refreshes the toolbar information every 5 seconds Clicking the button refreshes the toolbar manually When you position the mouse pointer ove...

Page 12: ...hose occurrence was recorded first Security Status This section displays a compressed view of the Security status frame in the Basic Settings System dialog The section displays the alarm that is currently active and whose occurrence was recorded first Boot Parameter If you permanently save changes to the settings and at least one boot parameter differs from the configuration profile used during th...

Page 13: ...ing the display If a dialog remains opened for a longer time then the values in the device have possibly changed in the meantime To update the display in the dialog click the button Unsaved information in the dialog is lost Saving the settings To transfer the changed settings to the volatile memory RAM of the device click the button To keep the changed settings even after restarting the device pro...

Page 14: ...content matches the specified filter criteria of the selected column You recognize filtered table entries by an emphasized column header You have the option of selecting multiple table entries simultaneously and subsequently applying an action to them This is useful when you are going to remove multiple table entries at the same time Select several consecutive table entries Click the first desired...

Page 15: ... profile designated as Selected in the non volatile memory NVM When in the Basic Settings External Memory dialog the checkbox in the Backup config when saving column is marked then the device generates a copy of the configuration profile in the external memory Displays a submenu with menu items corresponding to the respective dialog Opens the Wizard dialog Adds a new table entry Removes the highli...

Page 16: ......

Page 17: ... connect only one power supply unit for the supply voltage to a device with a redundant power supply unit then the device reports an alarm To help avoid this alarm you deactivate the monitoring of the missing power supply units in the Diagnostics Status Configuration Device Status dialog Alarm counter Displays the number of currently existing alarms When there is at least one currently existing al...

Page 18: ...alarms Signal contact status The fields in this frame display the signal contact status and inform you about alarms that have occurred When an alarm currently exists the frame is highlighted You specify the parameters that the device monitors in the Diagnostics Status Configuration Signal Contact Signal Contact 1 Signal Contact 2 dialog Alarm counter Displays the number of currently existing alarm...

Page 19: ...e not every system compares the case in the FQDN Verify that this name is unique in the whole network DHCP client Syslog IEC61850 MMS Location Specifies the location of the device Possible values Alphanumeric ASCII character string with 0 255 characters Contact person Specifies the contact person for this device Possible values Alphanumeric ASCII character string with 0 255 characters Device type ...

Page 20: ...eger If the temperature in the device falls below this value then the device generates an alarm LED status This frame displays the states of the device status LEDs at the time of the last update The Installation user manual contains detailed information about the device status LEDs Parameters Color Meaning Status There is currently no device status alarm The device status is OK There is currently ...

Page 21: ...uttons on page 13 ACA No external memory connected The external memory is connected but not ready for operation The external memory is connected and ready for operation Parameters Statu s Meaning Port number The port is inactive The port does not send or receive any data The port is inactive The cable is connected Active link The port is active No cable connected or no active link The port is acti...

Page 22: ...phical User Interface click the button The Ethernet module status column displays the value physical for the installed Ethernet module To temporarily save the changes click the button Activate Deactivate a slot On a deactivated slot the device recognizes the installed module and port configuration is possible The module establishes no network connections on a deactivated slot Perform the following...

Page 23: ...of n a indicates that the slot is empty Description Specifies a short description of the installed module Version Displays the version of the installed module Ports Displays how many ports are available on the installed module Serial number Displays the serial number of the installed module A value of n a indicates that the slot is empty Ethernet module status Displays the status of the slot Possi...

Page 24: ...asic Settings Modules 23 RM GUI GRS Release 8 0 09 2019 Buttons You find the description of the standard buttons in section Buttons on page 13 Remove Ethernet module Removes the selected Ethernet module from the table ...

Page 25: ...s the DHCP name or other parameters of the device then assigns the IP parameters Note If there is no response from the BOOTP or DHCP server then the device sets the IP address to 0 0 0 0 and makes another attempt to obtain a valid IP address VLAN ID Specifies the VLAN in which the device management is accessible through the network The device management is accessible through ports that are members...

Page 26: ...ess these devices even if they have invalid or no IP parameters assigned The HiDiscovery software lets you assign or change the IP parameters in the device Note With the HiDiscovery software you access the device only through ports that are members of the same VLAN as the device management You specify which VLAN a certain port is assigned to in the Switching VLAN Configuration dialog Operation Ena...

Page 27: ...r This frame lets you assign the IP parameters manually If you have selected the Local radio button in the Management interface frame IP address assignment option list then these fields can be edited IP address Specifies the IP address under which the device management can be accessed through the network Possible values Valid IPv4 address Netmask Specifies the netmask Possible values Valid IPv4 ne...

Page 28: ...at the device loaded during the last restart and is currently running Backup version Displays the version number and creation date of the device software saved as a backup in the flash memory The device copied this device software into the backup memory during the last software update or after you clicked the Restore button Restore Restores the device software saved as a backup In the process the ...

Page 29: ... scp or sftp IP address path file name When you click the Start button the device displays the Credentials window There you enter User name and Password to log on to the server scp or sftp user password IP address path file name Start Updates the device software The device installs the selected file in the flash memory replacing the previously saved device software Upon restart the device loads th...

Page 30: ... the device loads this device software 2 The device copied this device software into the backup area during the last software update File name Displays the device internal file name of the device software Firmware Displays the version number and creation date of the device software Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 31: ...pted format Unintentional changes to the settings can terminate the connection between your PC and the device To keep the device accessible enable the Undo configuration modifications function before changing any settings If the connection is lost then the device loads the configuration profile saved in the non volatile memory NVM after the specified time External memory Selected external memory D...

Page 32: ...e password in plain text instead of asterisks mark the Display content checkbox In the New password field enter the password To display the password in plain text instead of asterisks mark the Display content checkbox Mark the Save configuration afterwards checkbox to use encryption also for the Selected configuration profile in the non volatile memory NVM and in the external memory Note If a maxi...

Page 33: ...rmation NVM in sync with running config Displays whether the configuration profile in the volatile memory RAM and the Selected configuration profile in the non volatile memory NVM are the same Possible values marked The configuration profiles are the same unmarked The configuration profiles differ External memory in sync with NVM Displays whether the Selected configuration profile in the external ...

Page 34: ...fig xml The device supports the following wildcards d System date in the format YYYY mm dd t System time in the format HH_MM_SS i IP address of the device m MAC address of the device in the format AA BB CC DD EE FF p Product name of the device Set credentials Opens the Credentials window which helps you to enter the credentials needed to authenticate on the remote server In the User name field ent...

Page 35: ...gnated as Selected Off default setting The function is disabled Disable the function again before you close the Graphical User Interface You thus help prevent the device from restoring the configuration profile designated as Selected Note Before you enable the function save the settings in the configuration profile Current changes that are saved temporarily are therefore maintained in the device T...

Page 36: ... config Name of the configuration profile in the volatile memory RAM config Name of the factory setting configuration profile in the non volatile memory NVM User defined name The device lets you save a configuration profile with a user specified name by highlighting an existing configuration profile in the table clicking the button and then the Save As item To export the configuration profile as a...

Page 37: ...ing the configuration profile Fingerprint Displays the checksum saved in the configuration profile When saving the settings the device calculates the checksum and inserts it into the configuration profile Fingerprint verified Displays whether the checksum saved in the configuration profile is valid The device calculates the checksum of the configuration profile marked as Selected and compares it w...

Page 38: ...ation profiles either unencrypted or encrypted with the same password If in the Basic Settings External Memory dialog the checkbox in the Backup config when saving column is marked then the device designates the configuration profile of the same name in the external memory as Selected Activate Loads the settings of the configuration profile highlighted in the table to the volatile memory RAM The d...

Page 39: ...ry as Selected Import Opens the Import window to import a configuration profile The prerequisite is that you have exported the configuration profile using the Export button or using the link in the Profile name column In the Select source drop down list select from where the device imports the configuration profile PC URL The device imports the configuration profile from the local PC or from a rem...

Page 40: ...the configuration profile was exported on an other device then The device takes over the settings which it can interpret based on its hardware equipment and software level The remaining settings the device takes over from its running config configuration profile Regarding configuration profile encryption also read the help text of the Configuration encryption frame The device imports a configurati...

Page 41: ...r When the file is located on an SCP or SFTP server specify the URL for the file in one of the following forms scp or sftp IP address path file name Save running config as script Saves the running config configuration profile as a script file on the local PC This lets you backup your current device settings or to use them on various devices Back to factory Resets the settings in the device to the ...

Page 42: ... Device and external memory communicate in the high speed mode 480 Mbit s compatibility USB 1 1 compatibility mode Device and external memory communicate in the full speed mode 12 Mbit s Note The external memory ACA21 operates only in the USB 1 1 compatibility mode If you use this external memory then specify the value compatibility Information Current USB mode Displays the mode the device current...

Page 43: ...te access to the external memory unmarked The device has read only access to the external memory Possibly the write protection is activated in the external memory Software auto update Activates deactivates the automatic device software update during the restart Possible values marked default setting The automatic device software update during the restart is activated The device updates the device ...

Page 44: ...ory it loads the configuration profile from the non volatile memory NVM Note When loading the configuration profile from the external memory ENVM the device overwrites the settings of the Selected configuration profile in the non volatile memory NVM If the Config priority column has the value first and the configuration profile is unencrypted then the Security status frame in the Basic Settings Sy...

Page 45: ...lays the version number specified by the memory manufacturer Name Displays the product name specified by the memory manufacturer Serial number Displays the serial number specified by the memory manufacturer Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 46: ...wing tabs Configuration Statistics Utilization Configuration Table Port Displays the port number Name Name of the port Possible values Alphanumeric ASCII character string with 0 64 characters The following characters are allowed space 0 9 a z A Z _ Port on Activates deactivates the port Possible values marked default setting The port is active unmarked The port is inactive The port does not send o...

Page 47: ...power down The port changes to the energy saving mode unsupported The port does not support this function and remains activated Automatic configuration Activates deactivates the automatic selection of the operating mode for the port Possible values marked default setting The automatic selection of the operating mode is active The port negotiates the operating mode independently using autonegotiati...

Page 48: ...tion 1000 Mbit s FDX Full duplex connection Note The operating modes of the port actually available depend on the device configuration and the media module used Manual cable crossing Auto conf off Specifies the devices connected to a TP port The prerequisite is that the Automatic configuration function is disabled Possible values mdi The device interchanges the send and receive line pairs on the p...

Page 49: ...the same time it is possible that the redundancy function operates differently than intended Send trap Link up down Activates deactivates the sending of SNMP traps when the device detects changes in the link up down status for this port Possible values marked default setting The sending of SNMP traps is active When the device detects a link up down status change the device sends an SNMP trap unmar...

Page 50: ...d multicast packets Received broadcast packets Number of data packets bytes sent from the device Transmitted packets Transmitted octets Transmitted unicast packets Transmitted multicast packets Transmitted broadcast packets Number of errors detected by the device Received fragments Detected CRC errors Detected collisions Number of data packets per size category received on the device Packets 64 by...

Page 51: ...e port number Utilization Displays the current utilization in percent in relation to the time interval specified in the Control interval s column The utilization is the relationship of the received data quantity to the maximum possible data quantity at the currently configured data rate Lower threshold Specifies a lower threshold for the utilization If the utilization of the port falls below this ...

Page 52: ...d in the Upper threshold column The device sends an SNMP trap unmarked The utilization of the port is above the value specified in the Lower threshold column and below the value specified in the Upper threshold column The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics Status Configuration Alarms Traps dialog and specify at least 1 trap destination Buttons Yo...

Page 53: ...he Restart in field you specify the delay time for the delayed restart Possible values 00 00 00 596 31 23 default setting 00 00 00 When the delay time elapsed the device restarts and goes through the following phases If you activate the function in the Diagnostics System Selftest dialog then the device performs a RAM test The device starts the device software that the Stored version field displays...

Page 54: ...ics to 0 See the Basic Settings Port dialog Statistics tab Reset IGMP snooping data Removes the IGMP Snooping entries and resets the counter in the Information frame to 0 See the Switching IGMP Snooping Global dialog Delete log file Removes the logged events from the log file See the Diagnostics Report System Log dialog Delete persistent log file Removes the log files from the external memory See ...

Page 55: ...least 5 minutes beforehand In this dialog you specify time related settings independently of the time synchronization protocol specified The dialog contains the following tabs Global Daylight saving time Global In this tab you specify the system time in the device and the time zone Configuration System time UTC Displays the current date and time with reference to Universal Time Coordinated UTC Set...

Page 56: ...ing and the end of summertime using a pre defined profile or you specify these settings individually During summertime the device puts the local time forward by 1 hour Operation Daylight saving time Enables disables the Daylight saving time mode Possible values On The Daylight saving time mode is enabled The device automatically changes between summertime and wintertime Off default setting The Day...

Page 57: ...e entered here the device switches to summertime Week Specifies the week in the current month Possible values none default setting first second third fourth last Day Specifies the day of the week Possible values none default setting Sunday Monday Tuesday Wednesday Thursday Friday Saturday Month Specifies the month Possible values none default setting January February March April May June July Augu...

Page 58: ...e time When the time in the System time field reaches the value entered here the device switches to wintertime Week Specifies the week in the current month Possible values none default setting first second third fourth last Day Specifies the day of the week Possible values none default setting Sunday Monday Tuesday Wednesday Thursday Friday Saturday Month Specifies the month Possible values none d...

Page 59: ... the standard buttons in section Buttons on page 13 2 2 SNTP Time SNTP The Simple Network Time Protocol SNTP is a procedure described in the RFC 4330 for time synchronization in the network The device lets you synchronize the system time in the device as an SNTP client As the SNTP server the device makes the time information available to other devices The menu contains the following dialogs SNTP C...

Page 60: ... known and configured in the network Unicast mode or passively waits for the time information from a random SNTP server Broadcast mode Possible values unicast default setting The device takes the time information only from the configured SNTP server The device sends Unicast requests to the SNTP server and evaluates its responses broadcast The device obtains the time information from one or more SN...

Page 61: ...e SNTP client remains active after successful time synchronization State State Displays the status of the SNTP client Possible values disabled The SNTP client is disabled notSynchronized The SNTP client is not synchronized with any SNTP or NTP server synchronizedToRemoteServer The SNTP client is synchronized with an SNTP or NTP server Table In the table you specify the settings for up to 4 SNTP se...

Page 62: ...ng 0 0 0 0 Destination UDP port Specifies the UDP Port on which the SNTP server expects the time information Possible values 1 65535 default setting 123 Exception Port 2222 is reserved for internal functions Status Displays the connection status between the SNTP client and the SNTP server Possible values success The device has successfully synchronized the time with the SNTP server badDateEncoded ...

Page 63: ... server are incompatible with each other synchronization failed Active Activates deactivates the connection to the SNTP server Possible values marked The connection to the SNTP server is activated The SNTP client has access to the SNTP server unmarked default setting The connection to the SNTP server is deactivated The SNTP client has no access to the SNTP server Buttons You find the description o...

Page 64: ... as an SNTP server Off default setting The SNTP Server function is disabled Note the setting in the Disable server at local time source checkbox in the Configuration frame Configuration UDP port Specifies the number of the UDP port on which the SNTP server of the device receives requests from other clients Possible values 1 65535 default setting 123 Exception Port 2222 is reserved for internal fun...

Page 65: ...gs Network dialog 1 4042 default setting 1 Broadcast send interval s Specifies the time interval at which the SNTP server of the device sends SNTP broadcast packets Possible values 64 1024 default setting 128 Disable server at local time source Activates deactivates the disabling of the SNTP server when the device is synchronized to the local clock Possible values marked The disabling of the SNTP ...

Page 66: ...al reference time source syncToLocal The SNTP server is synchronized with the hardware clock of the device syncToRefclock The SNTP server is synchronized with an external reference time source syncToRemoteServer The SNTP server is synchronized with an SNTP server that is higher than the device in a cascade Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 67: ...ds that the device uses for the authentication you specify in the Device Security Authentication List dialog Configuration This frame lets you specify settings for the login Login attempts Number of login attempts possible Possible values 0 5 default setting 0 If the user makes one more unsuccessful login attempt then the device locks access for the user The device lets only users with the adminis...

Page 68: ...ccepts the password if it contains at least as many upper case letters as specified here Possible values 0 16 default setting 1 The value 0 deactivates this setting Lower case characters min The device accepts the password if it contains at least as many lower case letters as specified here Possible values 0 16 default setting 1 The value 0 deactivates this setting Digits min The device accepts th...

Page 69: ...hen one user account exists with the administrator access role this user account is constantly active Password Displays asterisks instead of the password with which the user logs in To change the password click the relevant field Possible values Alphanumeric ASCII character string with 6 64 characters The following characters are allowed a z A Z 0 9 _ The minimum length of the password is specifie...

Page 70: ... the settings The device assigns the Service Type transferred in the response of a RADIUS server as follows to a user role Administrative User administrator Login User operator NAS Prompt User guest User locked Unlocks the user account Possible values marked The user account is locked The user has no access to the device management If the user makes too many unsuccessful log in attempts then the d...

Page 71: ...Specifies the encryption protocol that the device applies for user access via SNMPv3 Possible values none No encryption des default value DES encryption aesCfb128 AES128 encryption Buttons You find the description of the standard buttons in section Buttons on page 13 Opens the Create window to add a new entry to the table In the User name field you specify the name of the user account Possible val...

Page 72: ... the default setting the following authentication lists are available defaultDot1x8021AuthList defaultLoginAuthList defaultV24AuthList Table Note If the table does not contain a list then the access to the device management is only possible using the Command Line Interface through the serial interface of the device In this case the device authenticates the user by using the local user management S...

Page 73: ...using another policy If there is no response from the RADIUS server then the device attempts to authenticate the user with the next policy If the first policy in the authentication list is reject then the devices immediately rejects the user login without attempting another policy Verify that the authentication list defaultV24AuthList contains at least one policy different from reject ias The devi...

Page 74: ...that can be allocated to the highlighted list The right field displays the applications that are allocated to the highlighted list Buttons Moves every entry to the right field Moves the highlighted entries from the left field to the right field Moves the highlighted entries from the right field to the left field Moves every entry to the left field Note When you move the entry WebInterface to the l...

Page 75: ...rity Management Access 74 RM GUI GRS Release 8 0 09 2019 3 3 Management Access Device Security Management Access The menu contains the following dialogs Server IP Access Restriction Web Command Line Interface SNMPv1 v2 Community ...

Page 76: ...es are enabled Table SNMPv1 Displays whether the server service is active or inactive which authorizes access to the device using SNMP version 1 See the SNMP tab Possible values marked Server service is active unmarked Server service is inactive SNMPv2 Displays whether the server service is active or inactive which authorizes access to the device using SNMP version 2 See the SNMP tab Possible valu...

Page 77: ...hich authorizes access to the device using Secure Shell See the SSH tab Possible values marked Server service is active unmarked Server service is inactive HTTP server Displays whether the server service is active or inactive which authorizes access to the device using the Graphical User Interface through HTTP See the HTTP tab Possible values marked Server service is active unmarked Server service...

Page 78: ...lues marked default setting Access is activated unmarked Access is deactivated You specify the community names in the Device Security Management Access SNMPv1 v2 Community dialog SNMPv2 Activates deactivates the access to the device with SNMP version 2 Possible values marked default setting Access is activated unmarked Access is deactivated You specify the community names in the Device Security Ma...

Page 79: ...ctive configuration profile Click the button to save the current changes Restart the device SNMPover802 Activates deactivates the access to the device through SNMP over IEEE 802 Possible values marked Access is activated unmarked default setting Access is deactivated Buttons You find the description of the standard buttons in section Buttons on page 13 Telnet This tab lets you enable disable the T...

Page 80: ...ng 23 Exception Port 2222 is reserved for internal functions The server restarts automatically after the port is changed Existing connections remain in place Connections Displays how many Telnet connections are currently established to the device Connections max Specifies the maximum number of Telnet connections to the device that can be set up simultaneously Possible values 1 5 default setting 5 ...

Page 81: ...n keys to the device in PEM format As an alternative the device lets you load the RSA key host key from an external memory upon restart You activate this function in the Basic Settings External Memory dialog SSH key auto upload column Operation Operation Enables disables the SSH server Possible values On default setting The SSH server is enabled The access to the device management is possible thro...

Page 82: ...e a user logs on to the device Possible values 0 Deactivates the function The connection remains established in the case of inactivity 1 160 default setting 5 Fingerprint The fingerprint is an easy to verify string that uniquely identifies the host key of the SSH server After importing a new host key the device continues to display the existing fingerprint until you restart the server RSA Fingerpr...

Page 83: ...f it has the following key length 2048 bit RSA The device gives you the following options for copying the key to the device Import from the PC When the host key is located on your PC or on a network drive drag and drop the file that contains the key in the area Alternatively click in the area to select the file Import from an FTP server When the key is on an FTP server specify the URL for the file...

Page 84: ...ts every opened connection To continue working with the Graphical User Interface login again Operation Operation Enables disables the HTTP protocol for the web server Possible values On default setting The HTTP protocol is enabled The access to the device management is possible through an unencrypted HTTP connection When the HTTPS protocol is also enabled the device automatically redirects the req...

Page 85: ...ns using HTTP or HTTPS Note If you change the settings in this tab and click the button then the device ends the session and disconnects every opened connection To continue working with the Graphical User Interface login again Operation Operation Enables disables the HTTPS protocol for the web server Possible values On default setting The HTTPS protocol is enabled The access to the device manageme...

Page 86: ...Fingerprint field displays Possible values sha1 The Fingerprint field displays the SHA1 fingerprint of the certificate sha256 The Fingerprint field displays the SHA256 fingerprint of the certificate Fingerprint Character sequence of the digital certificate used by the server When you change the settings in the Fingerprint type field click afterwards the button and then the button to update the dis...

Page 87: ...te Until restarting the web server uses the previous certificate Oper status Displays whether the device currently generates or deletes a digital certificate It is possible that another user has triggered the action Possible values none The device does currently not generate or delete a certificate delete The device currently deletes a certificate generate The device currently generates a certific...

Page 88: ...P address port path file name Import from a TFTP server When the certificate is on a TFTP server specify the URL for the file in the following form tftp IP address path file name Import from an SCP or SFTP server When the certificate is on an SCP or SFTP server specify the URL for the file in the following form scp or sftp IP address path file name When you click the Start button the device displa...

Page 89: ...verify that at least one active entry in the table lets you access Otherwise if you change the settings then the connection to the device terminates The access to the device management is possible only using the Command Line Interface through the serial interface Operation Enables disables the IP Access Restriction function Possible values On The IP Access Restriction function is enabled The acces...

Page 90: ... adjacent IP address range unmarked Access is deactivated HTTPS Activates deactivates the HTTPS access Possible values marked default setting Access is activated for the adjacent IP address range unmarked Access is deactivated SNMP Activates deactivates the SNMP access Possible values marked default setting Access is activated for the adjacent IP address range unmarked Access is deactivated Telnet...

Page 91: ...e unmarked Access is deactivated Modbus TCP Activates deactivates the access to the Modbus TCP server Possible values marked default setting Access is activated for the adjacent IP address range unmarked Access is deactivated Active Activates deactivates the table entry Possible values marked default setting Table entry is activated The device restricts the access to the device management to the a...

Page 92: ...er Interface Configuration Web interface session timeout min Specifies the timeout in minutes After the device has been inactive for this time it ends the session for the user logged on Possible values 0 160 default setting 5 The value 0 deactivates the function and the user remains logged on when inactive Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 93: ...t the device displays in the Command Line Interface at the start of every command line Possible values Alphanumeric ASCII character string with 0 128 characters 0x20 0x7E including space characters Wildcards d date i IP address m MAC address p product name t time Default setting GRS Changes to this setting are immediately effective in the active Command Line Interface session Serial interface time...

Page 94: ...ecurity Pre login Banner dialog Operation Operation Enables disables the Login banner function Possible values On The Login banner function is enabled The device displays the text information specified in the Banner text field to the users that login to the device using the Command Line Interface Off default setting The Login banner function is disabled The start screen displays information about ...

Page 95: ...Device Security Device Security Management Access CLI 94 RM GUI GRS Release 8 0 09 2019 Possible values 1024 0 Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 96: ...via SNMPv1 v2 in the Device Security Management Access Server dialog Table Community Displays the authorization for SNMPv1 v2 applications to the device Write For requests with the community name entered the application receives read and write authorization for the device Read For requests with the community name entered the application receives read authorization for the device Name Specifies the...

Page 97: ...evice displays a greeting or information text in the login dialog of the Graphical User Interface and of the Command Line Interface Possible values On The Pre login Banner function is enabled The device displays the text specified in the Banner text field in the login dialog Off default setting The Pre login Banner function is disabled The device does not display a text in the login dialog When yo...

Page 98: ...Device Security Device Security Pre login Banner 97 RM GUI GRS Release 8 0 09 2019 Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 99: ...lt setting The device displays the VLAN and port based rules specified by you Port Port Number The device displays port based rules for a specific port This selection is available when you specified one or more rules for this port VLAN VLAN ID The device displays VLAN based rules for a specific VLAN This selection is available when you specified one or more rules for this VLAN ACL Displays the ACL...

Page 100: ...Network Security Network Security Overview 99 RM GUI GRS Release 8 0 09 2019 Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 101: ...own as Dynamic entries When a user defined upper limit has been reached Dynamic limit the device stops the learning on the relevant port and transmits only the data packets of the senders already recorded When you adjust the upper limit to the number of expected senders you thus make MAC Flooding attacks more difficult Note With the automatic recording of the Dynamic entries the device constantly ...

Page 102: ...o disable Activates deactivates the Auto Disable function for the parameters that the Port Security function is monitoring on the port Possible values marked default setting The Auto Disable function is active on the port The prerequisite is that you mark the checkbox Auto disable in the Configuration frame If the port registers source MAC addresses that are not allowed or more source MAC addresse...

Page 103: ...tomatically registered sources Dynamic entries When the upper limit is reached the device stops learning on this port Adjust the value to the number of expected sources If the port registers more senders than specified here then the port disables the Auto Disable function The prerequisite is that you mark the checkbox in the Auto disable column and the Auto disable checkbox in the Configuration fr...

Page 104: ...ns in section Buttons on page 13 Port security Wizard The Wizard window helps you to connect the ports with one or more desired sources After you specify the settings click the Finish button Note The device saves the sources connected with the port until you deactivate the checking of the source on the relevant port or in the Operation frame After closing the Wizard window click the button to save...

Page 105: ...umber of senders connected to the port and the upper limit You specify the upper limit for the number of entries in the table Static limit field Note You cannot assign a MAC address that you assign to this port to any other port Remove Removes the entries highlighted in the Static entries field Moves the entries highlighted in the Dynamic entries field to the Static entries field Moves every entry...

Page 106: ...authenticator and the end devices communicate via the EAPoL Extensible Authentication Protocol over LANs authentication protocol The device supports the following methods to authenticate end devices radius A RADIUS server in the network authenticates the end devices ias The Integrated Authentication Server IAS implemented in the device authenticates the end devices Compared to RADIUS the IAS provi...

Page 107: ... a VLAN This function lets you provide selected services to the connected end device in this VLAN Possible values marked The assigning is active If the end device successfully authenticates itself then the device assigns to the relevant port the VLAN ID transferred by the RADIUS authentication server unmarked default setting The assigning is inactive The relevant port is assigned to the VLAN speci...

Page 108: ...ugh they did not login successfully The prerequisite is that you activate the Monitor mode function See the Configuration frame Non monitor mode clients Displays the number of end devices to which the device gave network access after successful login Policy 1 Displays the method that the device currently uses to authenticate the end devices using IEEE 802 1X You specify the method used in the Devi...

Page 109: ...lue to unmarked again unmarked default setting The port initialization is inactive The device keeps the current port status Port reauthentication Activates deactivates the one time reauthentication request Use this function only on ports in which the Port control column contains the value auto The device also lets you periodically request the end device to login again See the Periodic reauthentica...

Page 110: ...ecifies how the device grants access to the network Port control mode Possible values forceUnauthorized The device blocks the access to the network You use this setting if an end device is connected to the port that does not receive access to the network auto The device grants access to the network if the end device logged in successfully You use this setting if an end device is connected to the p...

Page 111: ...cifies the period in seconds for which the authenticator waits for the response from the authentication server RADIUS or IAS Possible values 1 65535 default setting 30 Requests max Specifies how many times the authenticator requests the end device to login until the time specified in the Supplicant timeout period s column has elapsed The device sends an EAP request identity data packet to the end ...

Page 112: ... VLAN or Guest VLAN to the end device then this setting becomes ineffective unmarked default setting The periodic reauthentication requests are inactive The device keeps the end device logged in Guest VLAN ID Specifies the ID of the VLAN that the authenticator assigns to the port if the end device does not log in during the time period specified in the Guest VLAN period column This value applies o...

Page 113: ...lly This value applies only on ports in which the Port control column contains the value auto This function lets you grant end devices without valid login data access to selected services in the network Possible values 0 4042 default setting 0 The effect of the value 0 is that the authenticator does not assign a Unauthenticated VLAN to the port Note Assign to the port a VLAN set up statically in t...

Page 114: ... device Assignment reason Displays the reason for the assignment of the VLAN Possible values default radius unauthenticatedVlan guestVlan monitorVlan invalid The field only displays a valid value as long as the client is authenticated Session timeout Displays the remaining time in seconds until the log in of the end device expires This value applies only if for the port in the Network Security 802...

Page 115: ... Network Security 802 1X Port Authentication Port Clients 114 RM GUI GRS Release 8 0 09 2019 Possible values default reauthenticate Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 116: ...tart data packets that the device received on the port Logoff packets Displays the number of EAPOL logoff data packets that the device received on the port Response ID packets Displays the number of EAP response identity data packets that the device received on the port Response packets Displays the number of valid EAP response data packets that the device received on the port without EAP response...

Page 117: ...on the port Packet version Displays the protocol version number of the EAPOL data packet that the device last received on the port Source of last received packet Displays the sender MAC address of the EAPOL data packet that the device last received on the port The value 00 00 00 00 00 00 means that the port has not received any EAPOL data packets yet Buttons You find the description of the standar...

Page 118: ...nticated the end device Result age Displays since when this entry has been entered in the table MAC address Displays the MAC address of the end device VLAN ID Displays the ID of the VLAN that was assigned to the end device before the login Authentication status Displays the status of the authentication on the port Possible values success The authentication was successful failure The authentication...

Page 119: ...reason Displays the reason for the assignment of the VLAN ID and the VLAN type 802 1X Port Authentication History Port Simplifies the table and displays only the entries relating to the port selected here This makes it easier for you to record the table and sort it as you desire Possible values all The table displays the entries for every port Port number The table displays the entries that apply ...

Page 120: ...in data To authenticate the end devices through the Integrated Authentication Server you assign in the Device Security Authentication List dialog the ias policy to the 8021x list Table User name Displays the user name of the end device To create a new user click the button Password Specifies the password with which the user authenticates Possible values Alphanumeric ASCII character string with 0 6...

Page 121: ...c data that has occurred during the port authentication according to IEEE 802 1X This enables you to subsequently determine which services the users have used and to what extent If you assign the radius policy to an application in the Device Security Authentication List dialog then the device operates in the role of the RADIUS client The device forwards the users login data to the primary authenti...

Page 122: ...tes deactivates the accounting Possible values marked Accounting is active The device sends the traffic data to an accounting server specified in the Network Security RADIUS Accounting Server dialog unmarked default setting Accounting is inactive NAS IP address attribute 4 Specifies the IP address that the device transfers to the authentication server as attribute 4 Specify the IP address of the d...

Page 123: ... Release 8 0 09 2019 Buttons You find the description of the standard buttons in section Buttons on page 13 Reset Deletes the statistics in the Network Security RADIUS Authentication Statistics dialog and in the Network Security RADIUS Accounting Statistics dialog ...

Page 124: ...he table Table Index Displays the index number to which the table entry relates Name Displays the name of the server To change the value click the relevant field Possible values Alphanumeric ASCII character string with 1 32 characters default setting Default RADIUS Server Address Specifies the IP address of the server Possible values Valid IPv4 address Destination UDP port Specifies the number of ...

Page 125: ...n server the device sends the login data to the secondary authentication server Active Activates deactivates the connection to the server The device uses the server if you specify in the Device Security Authentication List dialog the value radius in one of the rows Policy 1 to Policy 5 Possible values marked default setting The connection is active The device sends the login data for authenticatin...

Page 126: ...isplays the index number to which the table entry relates Possible values 1 8 Name Displays the name of the server To change the value click the relevant field Possible values Alphanumeric ASCII character string with 1 32 characters default setting Default RADIUS Server Address Specifies the IP address of the server Possible values Valid IPv4 address Destination UDP port Specifies the number of th...

Page 127: ... sends traffic data to this server if the preconditions named above are fulfilled unmarked The connection is inactive The device does not send any traffic data to this server Buttons You find the description of the standard buttons in section Buttons on page 13 Opens the Create window to add a new entry to the table In the Index field you specify the index number In the Address field you specify t...

Page 128: ...d from the server Access Reply Access Challenge and the corresponding data packet sent Access Request Access requests Displays the number of access data packets that the device sent to the server This value does not take repetitions into account Retransmitted access request packets Displays the number of access data packets that the device retransmitted to the server Access accepts Displays the nu...

Page 129: ...r to which it has not yet received a response from the server Timeouts Displays how many times no response to the server was received before the specified waiting time elapsed Unknown types Displays the number data packets with an unknown data type that the device received from the server on the authentication port Packets dropped Displays the number of data packets that the device received from t...

Page 130: ...nt Accounting Request Accounting request packets Displays the number of accounting request data packets that the device sent to the server This value does not take repetitions into account Retransmitted accounting request packets Displays the number of accounting request data packets that the device retransmitted to the server Received packets Displays the number of accounting response data packet...

Page 131: ...ckets dropped Displays the number of data packets that the device received from the server on the accounting port and then discarded them Buttons You find the description of the standard buttons in section Buttons on page 13 4 5 DoS Network Security DoS Denial of Service DoS is a cyber attack that aims to bring down specific services or devices In this dialog you can set up several filters to help...

Page 132: ...acks TCP SYN attacks L4 Port attacks Minimal Header scans Null Scan filter Activates deactivates the Null Scan filter The Null Scan filter detects incoming data packets with no TCP flags set and discards them Possible values marked The filter is active unmarked default setting The filter is inactive Xmas filter Activates deactivates the Xmas filter The Xmas filter detects incoming data packets wit...

Page 133: ...s the TCP SYN protection The TCP SYN protection detects incoming data packets with the TCP flag SYN set and a L4 source port 1024 and discards them Possible values marked The protection is active unmarked default setting The protection is inactive L4 Port protection Activates deactivates the L4 Port protection The L4 Port protection detects incoming TCP and UDP data packets whose source port numbe...

Page 134: ...rds these data packets Land Attack filter Activates deactivates the Land Attack filter The Land Attack filter detects incoming IP data packets whose source and destination IP address are identical and discards them Possible values marked The filter is active unmarked default setting The filter is inactive ICMP This dialog provides you with filter options for the following ICMP parameters Fragmente...

Page 135: ...tream on its ports or VLANs If a data packet complies with the criteria of one or more rules then the device applies the action specified in the first rule that applies to the data stream The device ignores the rules following Possible actions include permit The device transmits the data packet to a port or to a VLAN deny The device drops the data packet In the default setting the device forwards ...

Page 136: ...Network Security Network Security ACL 135 RM GUI GRS Release 8 0 09 2019 The menu contains the following dialogs ACL IPv4 Rule ACL MAC Rule ACL Assignment ...

Page 137: ...ource or destination port of a data packet Table Group name Displays the name of the Access Control List The Access Control List contains the rules Index Displays the number of the rule within the Access Control List If the Access Control List contains multiple rules then the device processes the rule with the lowest value first Match every packet Specifies to which IP data packets the device appl...

Page 138: ...ng The device applies the rule to IP data packets with any destination address Valid IPv4 address The device applies the rule to IP data packets with the specified destination address You use the character as a wild card Example 192 32 The device applies the rule to IP data packets whose source address begins with 192 and ends with 32 Valid IPv4 address bit mask The device applies the rule to IP d...

Page 139: ...ort 1 65535 The device applies the rule only to IP data packets containing the specified destination port Action Specifies how the device handles received IP data packets when the device applies the rule Possible values permit default setting The device transmits the IP data packets deny The device drops the IP data packets Log Activates deactivates the logging in the log file See the Diagnostics ...

Page 140: ...n page 13 Opens the Create window to add a new entry to the table In the Group name field you specify the name of the Access Control List to which the rule belongs In the Index field you specify the number of the rule within the Access Control List If the Access Control List contains multiple rules then the device processes the rule with the lowest value first ...

Page 141: ...vice applies the rule Possible values marked default setting The device applies the rule to every MAC data packet unmarked The device applies the rule to MAC data packets depending on the value in the fields Source MAC address and Destination MAC address Source MAC address Specifies the source address of the MAC data packets to which the device applies the rule Possible values default setting The ...

Page 142: ...e with bit level accuracy Example 00 11 22 33 44 54 FF FF FF FF FF FC The device applies the rule to MAC data packets with a destination address in the range from 00 11 22 33 44 54 to 57 Action Specifies how the device handles received MAC data packets when the device applies the rule Possible values permit default setting The device transmits the MAC data packets deny The device discards the MAC ...

Page 143: ... page 13 Opens the Create window to add a new entry to the table In the Group name field you specify the name of the Access Control List to which the rule belongs In the Index field you specify the number of the rule within the Access Control List If the Access Control List contains multiple rules then the device processes the rule with the lowest value first ...

Page 144: ...Note Before you enable the function verify that at least one active entry in the table lets you access Otherwise the connection to the device terminates if you change the settings To access the device management is possible only using the CLI through the serial interface of the device Table Group name Displays the name of the Access Control List The Access Control List contains the rules Type Disp...

Page 145: ...he same priority then the device applies the rules to the port first Active Activates deactivates the Access Control List on the port or in the VLAN Possible values marked default setting The Access Control List is active unmarked The Access Control List is inactive Buttons You find the description of the standard buttons in section Buttons on page 13 Opens the Create dialog to assign a rule to a ...

Page 146: ......

Page 147: ...ompletely full the device signals to the connected devices that it is not accepting any more data packets from them In full duplex mode the device sends a pause data packet In half duplex mode the device simulates a collision Then the connected devices do not send any more data packets for as long as the signaling takes On uplink ports this can possibly cause undesired sending breaks in the higher...

Page 148: ...rates differently than intended VLAN unaware mode Activates deactivates the VLAN unaware mode Possible values marked The VLAN unaware mode is active The device works in the VLAN Unaware bridging mode 802 1Q The device ignores the VLAN settings in the device and the VLAN tags in the data packets The device transmits the data packets based on their destination MAC address or destination IP address i...

Page 149: ...Switching Switching Global 148 RM GUI GRS Release 8 0 09 2019 Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 150: ...The threshold value specifies the maximum amount of traffic the port receives If the traffic on this port exceeds the threshold value then the device discards the excess traffic on this port Table Port Displays the port number Threshold Specifies the threshold value for broadcast multicast and unicast traffic on this port Possible values 0 default setting The Rate Limiter function is deactivated o...

Page 151: ...oadcast data packets on this port Multicast mode Activates deactivates the rate limiter function for received multicast data packets Possible values marked unmarked default setting If the threshold value is exceeded then the device discards the excess multicast data packets on this port Unknown unicast mode Activates deactivates the rate limiter function for received unicast data packets with an u...

Page 152: ...lays the port number Bandwidth Specifies the egress transmission rate Possible values 0 default setting The bandwidth limitation is disabled 1 100 The bandwidth limitation is enabled This value specifies the percentage of overall link speed for the port in 1 increments Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 153: ... every other port Table To delete the learned MAC addresses from the address table click in the Basic Settings Restart dialog the Reset MAC address table button Address Displays the destination MAC address to which the table entry applies VLAN ID Displays the ID of the VLAN to which the table entry applies The device learns the MAC addresses for every VLAN separately independent VLAN learning Stat...

Page 154: ...its data packets to the destination address A user created the filter Buttons You find the description of the standard buttons in section Buttons on page 13 Opens the Create window to add a new entry to the table In the Address field you specify the destination MAC address In the VLAN ID field you specify the ID of the VLAN In the Port field you specify the port Select one port if the destination ...

Page 155: ...ed This reduces the network load The device evaluates the IGMP data packets transmitted on Layer 3 and uses the information on Layer 2 Activate the IGMP Snooping function not until the following conditions are fulfilled There is a Multicast router in the network that creates IGMP queries periodic queries The devices participating in IGMP Snooping forward the IGMP queries The device links the IGMP ...

Page 156: ...leave data packets without evaluating them Received data packets with a Multicast destination address are transmitted to every port by the device Information Multicast control packets processed Displays the number of Multicast control data packets processed This statistic encompasses the following packet types IGMP Reports IGMP Queries version V1 IGMP Queries version V2 IGMP Queries version V3 IGM...

Page 157: ...al 156 RM GUI GRS Release 8 0 09 2019 Buttons You find the description of the standard buttons in section Buttons on page 13 Reset IGMP snooping counters Removes the IGMP Snooping entries and resets the counter in the Information frame to 0 ...

Page 158: ...is VLAN The VLAN has joined the Multicast data stream unmarked default setting IGMP Snooping is deactivated for this VLAN The VLAN has left the Multicast data stream Group membership interval Specifies the time in seconds for which a VLAN from a dynamic Multicast group remains entered in the address table when the device does not receive any more report data packets from the VLAN Specify a value l...

Page 159: ...s MRP expiration time Multicast Router Present Expiration Time Specifies the time in seconds for which the device waits for a query on this port that belongs to a VLAN When the port does not receive a query data packet the device removes the port from the list of ports with connected multicast routers You have the option of configuring this parameter only if the port belongs to an existing VLAN Po...

Page 160: ...ng to the query at the same time Possible values 1 25 default setting 10 Specify a value lower than the value in the Group membership interval column MRP expiration time Specifies the Multicast Router Present Expiration Time The MRP expiration time is the time in seconds for which the device waits for a query packet on this port When the port does not receive a query data packet the device removes...

Page 161: ...t in the VLANs that are set up unmarked default setting The Static query port mode is inactive The port is not a static query port The device transmits IGMP report messages to the port only if it receives IGMP queries VLAN IDs Displays the ID of the VLANs to which the table entry applies Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 162: ... configure the port as Learn by LLDP S Static manual setting A user specified the port as a static query port The device transmits IGMP reports only to ports on which it previously received IGMP queries and to statically configured query ports To assign this value proceed as follows Open the Wizard window On the Configuration page mark the Static checkbox P Learn by LLDP manual setting A user spec...

Page 163: ...ain other values than A only the table displays with the symbol Learned by LLDP P The table displays cells which contain the value P and possibly further values Cells which contain other values than P only the table displays with the symbol Forward all F The table displays cells which contain the value F and possibly further values Cells which contain other values than F only the table displays wi...

Page 164: ...smits IGMP report messages to the ports at which it receives IGMP queries This lets you also transmit IGMP report messages to other selected ports enable or connected Hirschmann devices Automatic Learn by LLDP Specifies the port as Learn by LLDP Lets the device detect directly connected Hirschmann devices using LLDP and learn the related ports as a query port Forward all Specifies the port as Forw...

Page 165: ...t This dialog lets you configure the Snooping Querier settings globally and for the VLANs that are set up Operation Operation Enables disables the IGMP Querier function globally in the device Possible values On Off default setting Configuration In this frame you specify the IGMP Snooping Querier settings for the general query data packets Protocol version Specifies the IGMP version of the general ...

Page 166: ...e IGMP Snooping Querier function for this VLAN Possible values marked The IGMP Snooping Querier function is active for this VLAN unmarked default setting The IGMP Snooping Querier function is inactive for this VLAN Current state Displays whether the Snooping Querier is active for this VLAN Possible values marked The Snooping Querier is active for this VLAN unmarked The Snooping Querier is inactive...

Page 167: ... specify a random time within the response time This helps prevent every Multicast group member to respond to the query at the same time Last querier address Displays the IP address of the Multicast router from which the last received IGMP query was sent out Last querier version Displays the IGMP version that the Multicast router used when sending out the last IGMP query received in this VLAN Butt...

Page 168: ...ts with an unknown MAC IP Multicast address Send to all ports default setting The device forwards data packets with an unknown MAC IP Multicast address to the registered ports Send to query ports The device forwards data packets with an unknown MAC IP Multicast address to the query ports Table In the table you specify the settings for known Multicasts for the VLANs that are set up VLAN ID Displays...

Page 169: ...VLAN Registration Protocol MVRP replace these protocols MRP IEEE helps confine traffic to the required areas of the LAN To confine traffic the MRP IEEE applications distribute attribute values to participating MRP IEEE devices across a LAN registering and de registering multicast group membership and VLAN identifiers Registering group participants lets you reserve resources for specific traffic tr...

Page 170: ...the volume of rejoining traffic generated following a LeaveAll event specify the value for the LeaveAll timer larger than the LeaveTime value Table Port Displays the port number Join time 1 100s Specifies the Join timer which controls the interval between transmit opportunities applied to the Applicant state machine Possible values 10 100 default setting 20 Leave time 1 100s Specifies the Leave ti...

Page 171: ...nd the 2 end devices in the same multicast group You then specify the MMRP settings on the ports to send the multicast group packets to the 2 end devices The dialog contains the following tabs Configuration Service requirement Statistics Configuration In this tab you select active MMRP port participants and set the device to transmit periodic events The dialog also lets you enable VLAN registered ...

Page 172: ...of dynamic MAC address registration using MMRP on the port Possible values marked If enabled and a static filter entry for the MAC address exists on the VLAN concerned then the device registers the MAC address attributes dynamically unmarked default setting Activates deactivates the restriction of dynamic MAC address registration using MMRP on the port Buttons You find the description of the stand...

Page 173: ...VLAN the device blocks traffic destined to MMRP registered multicast MAC addresses on this port Furthermore the device blocks MMRP service request for changing this value on this port default setting Disables the forwarding functions on this port Learned Displays values setup by MMRP service requests Buttons You find the description of the standard buttons in section Buttons on page 13 Statistics ...

Page 174: ...umber of MMRPDUs received on the port Received bad header PDU Displays the number of MMRPDUs with a bad header that were received on the port Received bad format PDU Displays the number of MMRPDUs with a bad data field that were not transmitted on the port Transmission failed Displays the number of MMRPDUs not transmitted on the port Last received MAC address Displays the last MAC address from whi...

Page 175: ... MVRP port participants and set the device to transmit periodic events A periodic state machine exists for each port and transmits periodic events regularly to the applicant state machines associated with active ports Periodic events contain information indicating the status of the VLANs associated with the active port Using the periodic events MVRP enabled switches dynamically maintain the VLANs ...

Page 176: ...ation Possible values marked default setting With MVRP enabled globally and on this port the device distributes VLAN membership information to MVRP aware devices connected to this port unmarked Disables the port MVRP participation Restricted VLAN registration Activates deactivates the Restricted VLAN registration function on this port Possible values marked If enabled and a static VLAN registratio...

Page 177: ... in the device Received bad format PDU Displays the number of MVRPDUs with a bad data field that the device blocked Transmission failed Displays the number of failures while adding a message into the MVRP queue Message queue failures Displays the number of MVRPDUs that the device blocked Table Port Displays the port number Transmitted MVRP PDU Displays the number of MVRPDUs transmitted on the port...

Page 178: ... to provide a generic framework so switches can register and deregister attribute values such as VLAN identifiers and multicast group membership When an attribute for a participant is registered or deregistered according to GARP the participant is modified according to specific rules The participants are a set of reachable end stations and network devices The defined set of participants at any giv...

Page 179: ...ng services GMRP and GARP are industry standard protocols defined by the IEEE 802 1P Operation Operation Enables disables the global GMRP function in the device The device participates in GMRP message exchanges Possible values On GMRP is enabled Off default setting The device ignores GMRP messages Multicasts Unknown multicasts Enables disables the unknown multicast data to be either flooded or dis...

Page 180: ...rts on which multicast forwarding applies Possible values Forward all unregistered groups default setting The device forwards data destined to GMRP registered multicast MAC addresses on the VLAN The device forwards data to the unregistered groups Forward all groups The device forwards data destined to every group registered or unregistered Buttons You find the description of the standard buttons i...

Page 181: ...t and unknown unicast traffic Exchanging VLAN configuration information also lets you dynamically create and manage VLANs connected through the 802 1Q trunk ports Operation Operation Enables disables the GVRP function globally in the device The device participates in GVRP message exchanges If the function is disabled then the device ignores GVRP messages Possible values On The GVRP function is ena...

Page 182: ...given preference when transmitted by devices in the network You transfer data packets with lower priority when there are no data packets with a higher priority to be transmitted The device provides the following setting options You specify how the device evaluates QoS prioritization information for inbound data packets For outbound packets you specify which QoS prioritization information the devic...

Page 183: ...c class to every VLAN priority IP DSCP value for management packets Specifies the IP DSCP value for sending management data packets Depending on the IP DSCP value the device assigns the data packet to a specific traffic class and thus to a specific priority queue of the port Possible values 0 be cs0 63 default setting 0 be cs0 Some values in the list also have a DSCP keyword for example 0 be cs0 1...

Page 184: ...nformation contained in the data packet In the Switching QoS Priority 802 1D p Mapping dialog you assign a traffic class to every VLAN priority trustDot1p default setting The device transmits the data packet according to the priority information in the VLAN tag In the Switching QoS Priority 802 1D p Mapping dialog you assign a traffic class to every VLAN priority trustIpDscp If the data packet is ...

Page 185: ...Switching Switching QoS Priority Port Configuration 184 RM GUI GRS Release 8 0 09 2019 Possible values 0 7 Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 186: ...ority Possible values 0 7 0 assigned to the priority queue with the lowest priority 7 assigned to the priority queue with the highest priority Note Among other things redundancy mechanisms use the highest traffic class Therefore select another traffic class for application data Buttons You find the description of the standard buttons in section Buttons on page 13 Default assignment of the VLAN pri...

Page 187: ...8 0 09 2019 5 5 Video Video transmission with delays and jitter 100 ms 6 6 Voice Voice transmission with delays and jitter 10 ms 7 7 Network Control Data for network management and redundancy mechanisms VLAN Priority Traffic class Content description according to IEEE 802 1D ...

Page 188: ...the DSCP value Traffic class Specifies the traffic class which is assigned to the DSCP value Possible values 0 7 0 assigned to the priority queue with the lowest priority 7 assigned to the priority queue with the highest priority Buttons You find the description of the standard buttons in section Buttons on page 13 Default assignment of the DSCP values to traffic classes DSCP Value DSCP Name Traff...

Page 189: ...Switching Switching QoS Priority IP DSCP Mapping 188 RM GUI GRS Release 8 0 09 2019 40 CS5 5 41 42 43 44 45 47 5 46 EF 5 48 CS6 6 49 55 6 56 CS7 7 57 63 7 DSCP Value DSCP Name Traffic class ...

Page 190: ...ese data packets When you select this setting for a traffic class the device also enables the function for traffic classes with a higher priority Use this setting for applications such as VoIP or video that require the least possible delay unmarked The processing of the port priority queue with Strict priority is inactive The device uses Weighted Fair Queuing Weighted Round Robin WRR to process th...

Page 191: ...time sensitive applications such as VoIP phone calls When the data packets and Broadcasts are distributed in small network segments instead of in the entire network the network load is considerably reduced Increased security The distribution of the data traffic among individual logical networks makes unwanted accessing more difficult and strengthens the system against attacks such as MAC Flooding ...

Page 192: ... of VLANs possible See the Switching VLAN Configuration dialog VLANs Number of VLANs currently configured in the device See the Switching VLAN Configuration dialog The VLAN ID 1 is constantly present in the device Buttons You find the description of the standard buttons in section Buttons on page 13 Clear Resets the VLAN settings of the device to the default setting Note that you lose your connect...

Page 193: ...VLAN based on the messages of neighboring devices Note The settings are effective only if the VLAN Unaware Mode is disabled See the Switching Global dialog Table VLAN ID ID of the VLAN The device supports up to 128 VLANs simultaneously set up Possible values 1 4042 Status Displays how the VLAN is set up Possible values other VLAN 1 or VLAN set up using the 802 1X Port Authentication function See t...

Page 194: ...f this VLAN Additionally the device helps prevent the port from becoming a VLAN member through the MVRP function U Untagged default setting for VLAN 1 The port is a member of the VLAN and transmits the data packets without a VLAN tag Use this setting if the connected device does not evaluate any VLAN tags for example on end ports LU Untagged Learned The port is a member of the VLAN and transmits t...

Page 195: ...effective only if the VLAN Unaware Mode is disabled See the Switching Global dialog Table Port Displays the port number Port VLAN ID Specifies the ID of the VLAN which the devices assigns to data packets without a VLAN tag The prerequisite is that you specify in the Acceptable packet types column the value admitAll Possible values ID of a VLAN you set up default setting 1 If you use the MRP functi...

Page 196: ...log If the VLAN ID in the data packet matches one of these VLANs then the port transmits the data packet Otherwise the device discards the data packet unmarked default setting The ingress filtering is inactive The device transmits received data packets without comparing the VLAN ID Thus the port also transmits data packets with a VLAN ID of which the port is not a member Buttons You find the descr...

Page 197: ...ty information via LLDP MED from the device As a result the VoIP phone sends voice data tagged as priority or untagged This depends on the configured Voice VLAN Interface mode You activate Voice VLAN on the port which is connecting to the VoIP phone Operation Operation Enables disables the VLAN Voice function of the device globally Possible values On Off default setting Table Port Displays the por...

Page 198: ...the data traffic uses the normal priority with this setting untrust If voice traffic is present and the Voice VLAN mode is set to dot1p priority then the data has the priority 0 If the interface only transmits data then the data has the normal priority Status Displays the status of the Voice VLAN on the port Possible values marked The Voice VLAN is enabled unmarked The Voice VLAN is disabled VLAN ...

Page 199: ...etwork Security 802 1X Port Authentication Global dialog then set the Port control parameter for this port to the multiClient value before activating this function The parameter Port control you find in the Network Security 802 1X Port Authentication Global dialog unmarked Buttons You find the description of the standard buttons in section Buttons on page 13 5 9 L2 Redundancy Switching L2 Redundan...

Page 200: ...bone in a line structure to a redundant ring Note Spanning Tree and Ring Redundancy have an effect on each other Deactivate the Spanning Tree protocol for the ports connected to the MRP ring See the Switching L2 Redundancy Spanning Tree Port dialog Operation Operation Enables disables the MRP function After you configured the parameters for the MRP ring enable the function here Possible values On ...

Page 201: ...etting The Ring port 2 backup function is inactive When the ring is closed the ring manager continues to send data on the secondary ring port Configuration Ring manager Enables disables the Ring manager function If there is one device at each end of the line then you activate this function Possible values On The Ring manager function is enabled The device operates as a ring manager Off default set...

Page 202: ... Switching VLAN Configuration dialog the device creates an entry in the table for the VLAN and assigns the value T to the ring ports Information Information Displays messages for the redundancy configuration and the possible causes of errors When the device operates as a ring client or a ring manager the following messages are possible Redundancy available The redundancy is set up When a component...

Page 203: ...rk component becomes inoperable on the path then the device calculates the new topology and reactivates these paths The Rapid Spanning Tree Protocol RSTP enables fast switching to a newly calculated topology without interrupting existing connections RSTP gets average reconfiguration times of less than a second When you use RSTP in a ring with 10 to 20 devices you can get reconfiguration times in t...

Page 204: ...data packets like multicast data packets to the ports Variant Variant Displays the protocol used for the Spanning Tree function Possible values rstp The protocol RSTP is active With RSTP IEEE 802 1Q 2005 the Spanning Tree function operates for the underlying physical layer Traps Send trap Activates deactivates the sending of SNMP traps for the following events Another bridge takes over the root br...

Page 205: ...e device takes over the role of the root bridge then the other devices in the network use the value specified here Otherwise the device uses the value specified by the root bridge See the Root information frame Due to the interaction with the Tx holds parameter we recommend that you do not change the default setting Forward delay s Specifies the delay time for the status change in seconds Possible...

Page 206: ...ncrements a counter on this port If the counter reaches the value specified here then the port stops sending BPDUs On the one hand this reduces the load generated by RSTP and on the other when the device does not receive BPDUs a communication interruption can be caused The device decrements the counter by 1 every second In the following second the device sends a maximum of 1 new BPDU BPDU guard Ac...

Page 207: ... in Spanning Tree operations The device does not send STP BPDUs on these ports The device drops any STP BPDUs received on these ports unmarked default setting The global BPDU filter is inactive You have the option to explicitly activate the BPDU filter for single ports See the Port BPDU filter column in the Switching L2 Redundancy Spanning Tree Port dialog Auto disable Activates deactivates the Au...

Page 208: ...set up by the root bridge for status changes Possible values 4 30 The device uses this specified value See the Bridge configuration frame In the RSTP protocol the bridges negotiate a status change without a specified delay The Spanning Tree protocol uses the parameter to delay the status change between the statuses disabled discarding learning forwarding Max age Specifies the maximum permitted bra...

Page 209: ... path cost Specifies the path cost for the path that leads from the root port of the device to the root bridge of the layer 2 network Possible values 0 200000000 If the value 0 is specified then the device takes over the role of the root bridge Topology changes Displays how many times the device has put a port into the forwarding status using the Spanning Tree function since the Spanning Tree inst...

Page 210: ...on the ports that are participating in other Layer 2 redundancy protocols Otherwise it is possible that the redundancy protocols operate differently than intended This can cause loops Table Port Displays the port number STP active Activates deactivates the Spanning Tree function on the port Possible values marked default setting unmarked If the Spanning Tree function is enabled in the device and d...

Page 211: ...the device automatically calculates the path costs depending on the data rate of the port Port priority Specifies the priority of the port Possible values 16 240 in steps of 16 default setting 128 This value represents the first 4 bits of the port ID Received bridge ID Displays the bridge ID of the device from which this port last received an STP BPDU Possible values For ports with the designated ...

Page 212: ...f the designated port role If a port has no connection or if it did not receive any STP BDPUs yet then the device displays the values that the port can send with the designated role Admin edge port Activates deactivates the Admin edge port mode If the port is connected to an end device then use the Admin edge port mode This setting lets the edge port change faster to the forwarding state after lin...

Page 213: ...true The port is connected directly to an STP device via a full duplex link The direct decentralized communication between 2 bridges enables short reconfiguration times false The port is connected in another way for example via a half duplex link or via a hub Port BPDU filter Activates deactivates the filtering of STP BPDUs on the port explicitly The prerequisite is that the port is a manually spe...

Page 214: ...ode is also active for these ports Possible values marked The BPDU flood mode is active The device floods STP BPDUs received on the port to the ports for which the Spanning Tree function is inactive unmarked default setting The BPDU flood mode is inactive Buttons You find the description of the standard buttons in section Buttons on page 13 Guards This tab lets you specify the settings for various...

Page 215: ...tting The monitoring of Topology Change Notifications is disabled If the device receives STP BPDUs with a Topology Change flag then the device deletes the address table of the port and forwards the Topology Change Notifications Loop guard Activates deactivates the monitoring of loops on the port The prerequisite is that the Root guard function is inactive With this setting the device helps prevent...

Page 216: ...Port dialog the checkbox for this port in the Admin edge port column is marked In the Switching L2 Redundancy Spanning Tree Global dialog the BPDU Guard function is active Possible values marked The port is an edge port and received an STP BPDU The device deactivates the port For this port in the Basic Settings Port dialog Configuration tab the checkbox in the Port on column is unmarked unmarked T...

Page 217: ...on function In this case the device aggregates the links based on the link link speed and duplex setting Table Trunk port Displays the LAG interface number Name Specifies the name of the LAG interface Possible values Alphanumeric ASCII character string with 1 15 characters Link Status Displays the current operating state of the LAG interface and the physical ports Possible values up lag row The LA...

Page 218: ...regation Activates deactivates the Static link aggregation function on the LAG interface The device aggregates the assigned physical ports to the LAG interface even if the remote site does not support LACP Possible values marked The Static link aggregation function is active on this LAG interface The device aggregates an assigned physical port to the LAG interface as soon as the physical port gets...

Page 219: ... setting The sending of SNMP traps is active If the device detects a link up down status change then the device sends an SNMP trap unmarked The sending of SNMP traps is inactive The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics Status Configuration Alarms Traps dialog and specify at least 1 trap destination LACP admin key Specifies the LAG interface key The...

Page 220: ...the LAG interface specified in the LACP admin key column then the device only aggregates this physical port to the LAG interface LACP actor admin state Specifies the actor state values that the LAG interface transmits in the LACPDUs This lets you control the LACPDU parameters The device lets you mix the values In the drop down list select one or more values Possible values ACT LACP_Activity state ...

Page 221: ...T Distributing state When visible distribution of outgoing frames is enabled on this link otherwise disabled DFT Defaulted state When visible the link uses defaulted operational information administratively specified for the Partner Otherwise the link uses the operational information received from a LACPDU EXP Expired state When visible the link receiver is in the EXPIRED state LACP partner oper S...

Page 222: ...e standard buttons in section Buttons on page 13 Opens the Create window to add a new LAG interface entry to the table or to assign a physical port to a LAG interface In the Trunk port drop down list you select the LAG interface number In the Port drop down list you select the number of a physical port to assign to the LAG interface After you create a LAG interface the device adds the LAG interfac...

Page 223: ...traffic on the primary port This process helps protect the device from causing loops in the network Operation Operation Enables disables the Link Backup function globally in the device Possible values On Enables the Link Backup function Off default setting Disables the Link Backup function Table Primary port Displays the primary port of the interface pair When you enable the Link Backup function t...

Page 224: ... disabled in the software shutdown unknown The Link Backup feature is globally disabled or the port pair is inactive Therefore the device ignores the port pair settings Fail back Activates deactivates the automatic fail back Possible values marked default setting The automatic fail back is active After the delay timer expires the backup port changes to blocking and the primary port changes to forw...

Page 225: ...nd forwards traffic according to the pair configuration unmarked default setting The Link Backup pair is inactive The ports forward traffic according to standard switching Buttons You find the description of the standard buttons in section Buttons on page 13 Create Primary port Specifies the primary port of the backup interface pair During normal operation this port is responsible for forwarding t...

Page 226: ...he following table to select the FuseNet coupling protocol to be used in your network Explanation The menu contains the following dialogs Sub Ring Main Ring Connected Network MRP RSTP HIPER Ring MRP Sub Ring1 RSTP no suitable coupling protocol 1 with MRP configured on different VLANs ...

Page 227: ...egation in the subring No spanning tree on subring ports Same MRP domain on devices within a subring Different VLANs for base ring and subring Specify the VLAN settings as follows VLAN X for base ring on the ring ports of the base ring participants on the base ring ports of the subring manager VLAN Y for subring on the ring ports of the subring participants on the subring ports of the subring mana...

Page 228: ...tatus Displays the operational state of the subring configuration Possible values noError The device detects an acceptable subring configuration ringPortLinkError The ring port has no link One of the subring lines is connected to one more port of the device But the subring line is not connected to one of the ring ports of the device multipleSRM The subring manager receives packets from more than o...

Page 229: ... closed 1 manager blocks its subring port Possible values manager default setting The subring port forwards data packets When this value is set on both devices that couple the subring to the base ring the device with the higher MAC address functions as the redundantManager redundantManager The subring port is blocked while the subring is physically closed If the subring is interrupted then the sub...

Page 230: ...ed by the selected ring protocol specified to pass blocked ports The port passes frames from other protocols specified to pass blocked ports not connected The port link is down VLAN Specifies the VLAN to which this subring is assigned If no VLAN exists under the VLAN ID entered then the device automatically creates it Possible values Available configured VLANs default setting 0 If you do not want ...

Page 231: ...Switching Switching L2 Redundancy FuseNet Sub Ring 230 RM GUI GRS Release 8 0 09 2019 Possible values iec 62439 mrp Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 232: ......

Page 233: ... 6 Diagnostics The menu contains the following dialogs Status Configuration System Syslog Ports LLDP Report 6 1 Status Configuration Diagnostics Status Configuration The menu contains the following dialogs Device Status Security Status Signal Contact MAC Notification Alarms Traps ...

Page 234: ...he dialog contains the following tabs Global Port Status Global Device status Device status Displays the current status of the device The device determines the status from the individual monitored parameters Possible values error The device displays this value to indicate a detected error in one of the monitored parameters ok Traps Send trap Activates deactivates the sending of SNMP traps when the...

Page 235: ...undancy function becomes active loss of redundancy reserve The device is a normal ring participant and detects an error in its settings unmarked default setting Monitoring is inactive Connection errors Activates deactivates the monitoring of the link status of the port interface Possible values marked Monitoring is active If the link interrupts on a monitored port interface then in the Device stat...

Page 236: ...following situations The configuration profile only exists in the device The configuration profile in the device differs from the configuration profile in the external memory unmarked default setting Monitoring is inactive Power supply Activates deactivates the monitoring of the power supply unit Possible values marked default setting Monitoring is active If the device has a detected power supply ...

Page 237: ...lues marked Monitoring is active If the link on the selected port interface is interrupted then in the Device status frame the value changes to error unmarked default setting Monitoring is inactive This setting takes effect when you mark the Connection errors checkbox in the Global tab Buttons You find the description of the standard buttons in section Buttons on page 13 Status Table Timestamp Dis...

Page 238: ...Diagnostics Diagnostics Status Configuration Device Status 237 RM GUI GRS Release 8 0 09 2019 Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 239: ...urity status Security status Displays the current status of the security relevant settings in the device The device determines the status from the individual monitored parameters Possible values error The device displays this value to indicate a detected error in one of the monitored parameters ok Traps Send trap Activates deactivates the sending of SNMP traps when the device detects changes in th...

Page 240: ...e value for the Min password length policy is less than 8 then in the Security status frame the value changes to error unmarked Monitoring is inactive You specify the Min password length policy in the Device Security User Management dialog in the Configuration frame Password policy settings deactivated Activates deactivates the monitoring of the Password policies settings Possible values marked de...

Page 241: ...arked default setting Monitoring is active If you enable the Telnet server then in the Security status frame the value changes to error unmarked Monitoring is inactive You enable disable the Telnet server in the Device Security Management Access Server dialog Telnet tab HTTP server active Activates deactivates the monitoring of the HTTP server Possible values marked default setting Monitoring is a...

Page 242: ...to change to the system monitor via a serial connection Possible values marked Monitoring is active If you activate the system monitor then in the Security status frame the value changes to error unmarked default setting Monitoring is inactive You activate deactivate the system monitor in the Diagnostics System Selftest dialog Saving the configuration profile on the external memory possible Activa...

Page 243: ...ive If the link interrupts on an active port then in the Security status frame the value changes to error In the Port tab you have the option of selecting the ports to be monitored individually unmarked default setting Monitoring is inactive Access with HiDiscovery possible Activates deactivates the monitoring of the HiDiscovery function Possible values marked default setting Monitoring is active ...

Page 244: ...he Advanced Industrial Protocols Modbus TCP dialog Operation frame Self signed HTTPS certificate present Activates deactivates the monitoring of the HTTPS certificate Possible values marked default setting Monitoring is active If the HTTPS server uses a self created digital certificate then in the Security status frame the value changes to error unmarked Monitoring is inactive Buttons You find the...

Page 245: ...tatus Table Timestamp Displays the date and time of the event in the format Month Day Year hh mm ss AM PM Cause Displays the event which caused the SNMP trap Buttons You find the description of the standard buttons in section Buttons on page 13 6 1 3 Signal Contact Diagnostics Status Configuration Signal Contact The signal contact is a potential free relay contact The device thus lets you perform ...

Page 246: ...signal contact for example to turn on or off a remote device See the Contact option list Monitoring correct operation default setting Using this setting the signal contact indicates the status of the parameters specified in the table below Device status Using this setting the signal contact indicates the status of the parameters monitored in the Diagnostics Status Configuration Device Status dialo...

Page 247: ...MP traps when the device detects changes in the monitored functions Possible values marked The sending of SNMP traps is active If the device detects a change in the monitored functions then the device sends an SNMP trap unmarked default setting The sending of SNMP traps is inactive The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics Status Configuration Alarm...

Page 248: ...ring participant and detects an error in its settings unmarked default setting Monitoring is inactive Connection errors Activates deactivates the monitoring of the link status of the port interface Possible values marked Monitoring is active If the link interrupts on a monitored port interface then the signal contact opens In the Port tab you have the option of selecting the ports interfaces to be...

Page 249: ... configuration profile in the device differs from the configuration profile in the external memory unmarked default setting Monitoring is inactive Power supply Activates deactivates the monitoring of the power supply unit Possible values marked default setting Monitoring is active If the device has a detected power supply fault then the signal contact opens unmarked Monitoring is inactive Module A...

Page 250: ...e selected port interface then the signal contact opens unmarked default setting Monitoring is inactive This setting takes effect when you mark the Connection errors checkbox in the Global tab Buttons You find the description of the standard buttons in section Buttons on page 13 Status Table Timestamp Displays the date and time of the event in the format Month Day Year hh mm ss AM PM Cause Display...

Page 251: ... changes infrequently Operation Operation Enables disables the MAC Notification function in the device Possible values On The MAC Notification function is enabled Off default setting The MAC Notification function is disabled Configuration Interval s Specifies the send interval in seconds If the device un learns the MAC address of a dis connected device then the device sends an SNMP trap after this...

Page 252: ...ics Status Configuration Alarms Traps dialog and specify at least 1 trap destination Last MAC address Displays the MAC address of the device last connected on or disconnected from the port The device detects the MAC addresses of devices which are connected as follows directly connected to the port connected to the port through other devices in the network Last MAC status Displays the status of the...

Page 253: ...gnostics Status Configuration MAC Notification dialog Operation Operation Enables disables the sending of SNMP traps to the trap destinations Possible values On default setting The sending of SNMP traps is enabled Off The sending of SNMP traps is disabled Table Name Specifies the name of the trap destination Possible values Alphanumeric ASCII character string with 1 32 characters Address Specifies...

Page 254: ...buttons in section Buttons on page 13 Opens the Create window to add a new entry to the table In the Name field you specify a name for the trap destination In the Address field you specify the IP address and the port number of the trap destination If you choose not to enter a port number then the device automatically adds the port number 162 ...

Page 255: ...gnostics System 254 RM GUI GRS Release 8 0 09 2019 6 2 System Diagnostics System The menu contains the following dialogs System Information Hardware State Configuration Check IP Address Conflict Detection ARP Selftest ...

Page 256: ...f individual components in the device The displayed values are a snapshot they represent the operating condition at the time the dialog was loaded to the page Buttons You find the description of the standard buttons in section Buttons on page 13 Save system information Opens the HTML page in a new web browser window or tab You can save the HTML page on your PC using the appropriate web bowser comm...

Page 257: ... device since it was delivered Possible values d h m s Day s Hour s Minute s Second s Table Flash region Displays the name of the respective memory area Description Displays a description of what the device uses the memory area for Flash sectors Displays how many sectors are assigned to the memory area Sector erase operations Displays how many times the device has overwritten the sectors of the me...

Page 258: ...up 40 or more VLANs in the device then check the congruence of the further VLANs manually if necessary Note A neighboring device without LLDP support which forwards LLDP packets can be the cause of equivocal messages in the dialog This occurs if the neighboring device is a hub or a switch without management which ignores the IEEE 802 1D 2004 standard In this case the dialog displays the devices re...

Page 259: ...ween the following access statuses INFORMATION The performance of the communication between the two devices is not impaired WARNING The performance of the communication between the two devices is possibly impaired ERROR The communication between the two devices is impaired Message Displays the information warnings and errors having occurred more precisely Buttons You find the description of the st...

Page 260: ... is disabled Configuration Detection mode Specifies the procedure with which the device detects address conflicts Possible values active and passive default setting The device uses active and passive address conflict detection active Active address conflict detection The device actively helps avoid communicating with an IP address that already exists in the network The address conflict detection b...

Page 261: ...cks if the address conflict still exists When the device resolves the address conflict the device management returns to the network again Send periodic ARP probes Activates deactivates the periodic address conflict detection Possible values marked default setting The periodic address conflict detection is active The device periodically sends an ARP probe data packet every 90 to 150 seconds and wai...

Page 262: ...ed default setting The sending of SNMP traps is inactive The prerequisite for sending SNMP traps is that you enable the function in the Diagnostics Status Configuration Alarms Traps dialog and specify at least 1 trap destination Information Conflict detected Displays whether an address conflict currently exists Possible values marked The device detects an address conflict unmarked The device does ...

Page 263: ...Diagnostics Diagnostics System IP Address Conflict Detection 262 RM GUI GRS Release 8 0 09 2019 Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 264: ...he current settings of the entry were registered in the ARP table Type Displays the type of the ARP entry Possible values static Static ARP entry When the ARP table is deleted the device keeps the ARP entry dynamic Dynamic ARP entry When the Aging time s has been exceeded and the device does not receive any data from this device during this time the device deletes the ARP entry local IP and MAC ad...

Page 265: ...ssword set in the device To have the device unlocked again contact your sales partner RAM test Activates deactivates the RAM memory check during the restart Possible values marked default setting The RAM memory check is activated During the restart the device checks the RAM memory unmarked The RAM memory check is deactivated This shortens the start time for the device SysMon1 is available Activate...

Page 266: ...cuted for example if a task terminates or is not available resource The device detects errors in the resources available for example if the memory is becoming scarce software The device detects software errors for example error in the consistency check hardware The device detects hardware errors for example in the chip set Action Specifies how the device behaves if the adjacent event occurs Possib...

Page 267: ...in the table to the specified syslog servers Off default setting The sending of events is disabled Table Index Displays the index number to which the table entry relates When you delete a table entry this leaves a gap in the numbering When you create a new table entry the device fills the first gap Possible values 1 8 IP address Specifies the IP address of the syslog server Possible values Valid I...

Page 268: ...syslog server Possible values emergency alert critical error warning default setting notice informational debug Type Specifies the type of the log entry transmitted by the device Possible values systemlog default setting audittrail Active Activates deactivates the transmission of events to the syslog server marked The device sends events to the syslog server unmarked default setting The transmissi...

Page 269: ...Diagnostics Diagnostics Ports 268 RM GUI GRS Release 8 0 09 2019 6 4 Ports Diagnostics Ports The menu contains the following dialogs SFP TP cable diagnosis Port Monitor Auto Disable Port Mirroring ...

Page 270: ... Type of the SFP transceiver for example M SFP SX LC Serial number Displays the serial number of the SFP transceiver Connector type Displays the connector type Supported Displays whether the device supports the SFP transceiver Temperature C Operating temperature of the SFP transceiver in Celsius Tx power mW Transmission power of the SFP transceiver in mW Rx power mW Receiving power of the SFP tran...

Page 271: ...Diagnostics Diagnostics Ports SFP 270 RM GUI GRS Release 8 0 09 2019 Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 272: ...rt Displays the port number Status Status of the Virtual Cable Tester Possible values active Cable testing is in progress To start the test click the button and then the Start cable diagnosis item This action opens the Select port dialog success The device displays this entry after performing a successful test failure The device displays this entry after an interruption in the test uninitialized T...

Page 273: ...nitialized then the device displays the value 0 Max length Displays the maximum estimated length of the cable in meters If the cable length is unknown or in the Information frame the Status field displays the value active failure or uninitialized then the device displays the value0 Distance m Displays the estimated distance in meters from the end of the cable to the failure location If the cable l...

Page 274: ... combinations of speed and duplex mode for each port Global tab Specify for each port an action that the device carries out if the Port Monitor function detects that the parameters have been exceeded Auto disable tab Mark the Auto disable checkbox for the monitored parameters if you have specified the auto disable action at least once The dialog contains the following tabs Global Auto disable Link...

Page 275: ...e port Possible values marked Monitoring is active The Port Monitor function monitors CRC fragment errors on the port If the device detects too many CRC fragment errors then the device executes the action specified in the Action column On the CRC Fragments tab specify the parameters to be monitored unmarked default setting Monitoring is inactive Duplex mismatch detection active Activates deactivat...

Page 276: ...detects an unpermitted combination of link speed and duplex mode then the device executes the action specified in the Action column On the Link speed Duplex mode detection tab specify the parameters to be monitored unmarked default setting Monitoring is inactive Active condition Displays the monitored parameter that led to the action on the port Possible values No monitored parameter The device do...

Page 277: ...port and sends an SNMP trap The Link status LED for the port flashes 3 per period The prerequisite is that on the Auto disable tab the checkbox for the monitored parameter is marked The Diagnostics Ports Auto Disable dialog displays which ports are currently disabled due to the parameters being exceeded The Auto Disable function reactivates the port automatically For this you go to the Diagnostics...

Page 278: ...tive If the adjacent parameters are exceeded and the value auto disable is specified in the Action column then the device carries out the Auto Disable function unmarked default setting The Auto Disable function for the adjacent parameters is inactive Buttons You find the description of the standard buttons in section Buttons on page 13 Reset Enables the port highlighted in the table again and rese...

Page 279: ...nges If the Port Monitor function detects this number of link changes in the monitored period then the device performs the specified action Possible values 1 100 default setting 5 Last sampling interval Displays the number of errors that the device has detected during the period that has elapsed Total Displays the total number of errors that the device has detected since the port was enabled Butto...

Page 280: ... Table Port Displays the port number Sampling interval s Specifies in seconds the period during which the Port Monitor function monitors a parameter to detect discrepancies Possible values 5 180 default setting 10 CRC Fragments count ppm Specifies the fragment error rate in parts per million If the Port Monitor function detects this fragment error rate in the monitored period then the device perfo...

Page 281: ...nitors a parameter to detect discrepancies You also see the number of data packets that the device has detected up to now The Port Monitor function monitors those ports for which the checkbox in the Overload detection on column is marked on the Global tab The Port Monitor function does not monitor any ports that are members of a link aggregation group Table Port Displays the port number Traffic ty...

Page 282: ...onitored period then the device performs the specified action Possible values 0 10000000 default setting 0 Interval s Specifies in seconds the period that the Port Monitor function observes a parameter to detect that a parameter is being exceeded Possible values 1 20 default setting 1 Packets Displays the number of Broadcast Multicast and Unicast packets that the device has detected during the per...

Page 283: ... port The Port Monitor function monitors those ports for which the checkbox in the Link speed Duplex mode detection on column is marked on the Global tab The Port Monitor function monitors only enabled physical ports Table Port Displays the port number 10 Mbit s HDX Activates deactivates the port monitor to accept a half duplex and 10 Mbit s data rate combination on the port Possible values marked...

Page 284: ... on the port then the device executes the action specified in the Global tab 100 Mbit s FDX Activates deactivates the port monitor to accept a full duplex and 100 Mbit s data rate combination on the port Possible values marked The port monitor takes into consideration the speed and duplex combination unmarked If the port monitor detects the speed and duplex combination on the port then the device ...

Page 285: ... the standard buttons in section Buttons on page 13 Reset Enables the port highlighted in the table again and resets its counter to 0 This affects the counters in the following dialogs Diagnostics Ports Port Monitor dialog Link flap tab CRC Fragments tab Overload detection tab Diagnostics Ports Auto Disable dialog ...

Page 286: ...arameters being exceeded If the parameters are no longer being exceeded and you specify a waiting period in the Reset timer s column then the Auto Disable function automatically enables the relevant port again Table Port Displays the port number Reset timer s Specifies the waiting period in seconds after which the Auto Disable function enables the port again Possible values 0 default setting The t...

Page 287: ...Fragments tab duplex mismatch Duplex mismatch detected See the Diagnostics Ports Port Monitor dialog Global tab bpdu rate STP BPDUs received See the Switching L2 Redundancy Spanning Tree Global dialog mac based port security Too many data packets from undesired senders See the Network Security Port Security dialog overload detection Overload See the Diagnostics Ports Port Monitor dialog Overload d...

Page 288: ...arameter belongs to the Port Monitor function See the Diagnostics Port Port Monitor dialog network security The parameter belongs to the functions in the Network Security menu l2 redundancy The parameter belongs to the L2 Redundancy functions See the Switching L2 Redundancy dialog Auto disable Displays whether the Auto Disable function is activated deactivated for the adjacent parameter Possible v...

Page 289: ... the standard buttons in section Buttons on page 13 Reset Enables the port highlighted in the table again and resets its counter to 0 This affects the counters in the following dialogs Diagnostics Ports Port Monitor dialog Link flap tab CRC Fragments tab Overload detection tab Diagnostics Ports Auto Disable dialog ...

Page 290: ...e data packets from the selected source ports to the destination port Off default setting The Port Mirroring function is disabled Destination port Primary port Specifies the destination port Suitable ports are those ports that are not used for the following purposes Source port L2 redundancy protocols Possible values no Port default setting No destination port selected Port number Number of the de...

Page 291: ...unchanged The prerequisite for access to the device management using the destination port is that the destination port is not a member of the VLAN of the device management unmarked default setting The access to the device management using the destination port is inactive The device prohibits the access to the device management using the destination port Table Source port Specifies the port number ...

Page 292: ...are at 50 capacity respectively On the destination port the device adds a VLAN tag to the data packets that the source port transmits The destination port transmits unmodified the data packets that the source port receives Buttons You find the description of the standard buttons in section Buttons on page 13 Reset config Resets the settings in the dialog to the default settings and transfers the c...

Page 293: ...e interval in seconds at which the device transmits LLDP data packets Possible values 5 32768 default setting 30 Transmit interval multiplier Specifies the factor for determining the time to live value for the LLDP data packets Possible values 2 10 default setting 4 The time to live value coded in the LLDP header results from multiplying this value with the value in the Transmit interval s field R...

Page 294: ...re transmitting the next notification trap Table Port Displays the port number Operation Specifies whether the port transmits and receives LLDP data packets Possible values transmit The port transmits LLDP data packets but does not save any information about neighboring devices receive The port receives LLDP data packets but does not transmit any information to neighboring devices receive and tran...

Page 295: ...The device does not transmit a TLV with the device name Transmit system description Activates deactivates the transmitting of the TLV Type Length Value with the system description Possible values marked default setting The transmitting of the TLV is active The device transmits the TLV with the system description unmarked The transmitting of the TLV is inactive The device does not transmit a TLV wi...

Page 296: ...evices on this port The device uses the MAC address only if there is no other entry in the address table FDB Forwarding Database for this port both The device uses LLDP data packets and learned MAC addresses to record neighboring devices on this port autoDetect default setting If the device receives LLDP data packets at this port then the device operates the same as with the lldpOnly setting Other...

Page 297: ...management station to map the structure of your network When devices both with and without an active topology discovery function are connected to a port the topology table hides the devices without active topology discovery When only devices without active topology discovery are connected to a port the table contains one line for this port to represent every device This line contains the number of...

Page 298: ...m name Displays the device name of the neighboring device Neighbor system description Displays a description for the neighboring device Port ID Displays the ID of the port through which the neighboring device is connected to the device Autonegotiation supported Displays whether the port of the neighboring device supports autonegotiation Autonegotiation Displays whether autonegotiation is enabled o...

Page 299: ...of networkConnectivity indicates that the device has network connectivity device capabilities VLAN ID Displays the extension of the VLAN Identifier for the remote system connected to this port as defined in IEEE 802 3 The device uses a value from 1 through 4042 to specify a valid Port VLAN ID The device displays the value 0 for priority tagged packets This means that only the 802 1D priority is si...

Page 300: ...re revision string as advertised by the remote endpoint Software revision Displays the vendor specific software revision string as advertised by the remote endpoint Serial number Displays the vendor specific serial number as advertised by the remote endpoint Manufacturer name Displays the vendor specific manufacturer name as advertised by the remote endpoint Model name Displays the vendor specific...

Page 301: ... you specify which events the device registers The dialog lets you save a ZIP archive with system information on your PC Console logging Operation Enables disables the Console logging function Possible values On The Console logging function is enabled The device logs the events on the console Off default setting The Console logging function is disabled Severity Specifies the minimum severity for t...

Page 302: ...SNMP requests to a syslog server you have a number of options to change the default settings Select the ones that meet your requirements best Set the severity for which the device creates SNMP requests as events to warning or error and change the minimum severity for a syslog entry for one or more syslog servers to the same value You also have the option of creating a separate syslog server entry ...

Page 303: ...his event Off default setting The logging is disabled Severity get request Specifies the severity of the event that the device registers for SNMP Get requests Possible values emergency alert critical error warning notice default setting informational debug Severity set request Specifies the severity of the event that the device registers for SNMP Set requests Possible values emergency alert critic...

Page 304: ...e Format Comments audittrail html HTML Contains the chronological recording of the system events and saved user changes in the Audit Trail defaultconfig xml XML Contains the configuration profile with the default settings script TEXT Contains the output of the command show running config script runningconfig xml XML Contains the configuration profile with the current operating settings supportinfo...

Page 305: ...mory is connected To verify if an external memory is connected see the Status column in the Basic Settings External Memory dialog We recommend to monitor the external memory connection using the Device Status function see the External memory removal parameter in the Diagnostics Status Configuration Device Status dialog Operation Operation Enables disables the Persistent Logging function Only activ...

Page 306: ...ce saves the log entry for events with this severity and with more urgent severities in the log file in the external memory Possible values emergency alert critical error warning default setting notice informational debug Log file target Specifies the external memory device for logging Possible values usb External USB memory ACA21 ACA22 Table Index Displays the index number to which the table entr...

Page 307: ...RS Release 8 0 09 2019 File size byte Displays the size of the log file in the external memory in bytes Buttons You find the description of the standard buttons in section Buttons on page 13 Delete persistent log file Removes the log files from the external memory ...

Page 308: ... order to search the log file for search terms use the search function of your web browser The log file is kept until a restart is performed in the device After the restart the device creates the file again Buttons You find the description of the standard buttons in section Buttons on page 13 Save log file Opens the HTML page in a new web browser window or tab You can save the HTML page on your PC...

Page 309: ...mand Line Interface apart from show commands Changes to configuration variables Changes to the system time File transfer operations including firmware updates Configuration changes via HiDiscovery Firmware updates and automatic configuration of the device via the external memory Opening and closing of SNMP via an HTTPS tunnel The device does not log passwords The logged entries are write protected...

Page 310: ......

Page 311: ... dialog to the packets before it relays DHCP requests from the clients to the server The Option 82 fields provide unique information about the client and relay This unique identifier consists of a Circuit ID for the client and a Remote ID for the relay In addition to the type length and multicast fields the Circuit ID includes the VLAN ID unit number slot number and port number for the connected c...

Page 312: ...llowing tabs Interface VLAN ID Operation Operation Enables disables the DHCP L2 Relay function of the device globally Possible values On Enables the DHCP Layer 2 Relay function of the device Off default setting Disables the DHCP Layer 2 Relay function of the device Interface Table Port Displays the port number Active Activates deactivates the DHCP L2 Relay function on the port The prerequisite is ...

Page 313: ...to which the table entry relates Active Activates deactivates the DHCP Layer 2 Relay function on the VLAN The prerequisite is that you enable the function globally Possible values marked The DHCP Layer 2 Relay function is active unmarked default setting The DHCP Layer 2 Relay function is inactive Circuit ID Activates or deactivates the addition of the Circuit ID to the Option 82 information Possib...

Page 314: ...ess of the device as Remote ID client id Specifies the system name of the device as Remote ID other When you use this value enter in the Remote ID column user defined information Remote ID Displays the Remote ID for the VLAN When you specify the value other in the Remote ID type column specify the identifier Buttons You find the description of the standard buttons in section Buttons on page 13 ...

Page 315: ... received with Option 82 information on the untrusted interface Untrusted client messages with Option 82 Displays the number of DHCP client messages received with Option 82 information on the untrusted interface Trusted server messages without Option 82 Displays the number of DHCP server messages received without Option 82 information on the trusted interface Trusted client messages without Option...

Page 316: ...erver also allocates configuration information appropriate for that client The configuration information specifies for example which IP address DNS server and the default route a client uses The DHCP server assigns an IP address to a client for a user defined interval The DHCP client is responsible for renewing the IP address before the interval expires When the DHCP client is unable to renew the ...

Page 317: ...rver function of the device globally Possible values On Off default setting Table Port Displays the port number DHCP server active Activates deactivates the DHCP server function on this port The prerequisite is that you enable the function globally Possible values marked default setting The DHCP server function is active unmarked The DHCP server function is inactive Buttons You find the descriptio...

Page 318: ... contacts the device with a known hardware ID the DHCP server allocates the static IP address In dynamic allocation when a DHCP client makes contact on a port the DHCP server assigns an available IP address from a pool for this port For dynamic allocation create a pool for the ports by assigning an IP address range Specify the first and last IP addresses for the IP address range Leave the MAC addr...

Page 319: ...1 22 33 44 55 separated by colons for example 00 11 22 33 44 55 separated by hyphens for example 00 11 22 33 44 55 separated by points for example 00 11 22 33 44 55 separated by points after every 4th character for example 0011 2233 4455 For the IP address assignment the server ignores this variable DHCP relay Specifies the IP address of the DHCP relay through which the clients transmit their requ...

Page 320: ...rves only Hirschmann devices Hirschmann multicasts are activated unmarked default setting In this IP address range the device serves the devices of different manufacturers Hirschmann multicasts are deactivated Configuration URL Specifies the protocol to be used as well as the name and path of the configuration file Possible values Alphanumeric ASCII character string with 0 70 characters Example tf...

Page 321: ...BIOS names A value of 0 0 0 0 disables the attachment of the option field in the DHCP message Possible values Valid IPv4 address DNS server Specifies the IP address of the DNS server A value of 0 0 0 0 disables the attachment of the option field in the DHCP message Possible values Valid IPv4 address Hostname Specifies the hostname When you leave this field blank the device leaves this option field...

Page 322: ...empting to discover a DHCP server for IP address allocation offering The DHCP server is validating that the IP address is suitable for the client requesting A DHCP client is acquiring the offered IP address bound The DHCP server is leasing the IP address to a client renewing The DHCP client is requesting an extension to the lease rebinding The DHCP server is assigning the IP address to the client ...

Page 323: ...emote ID Displays the remote identifier of the device leasing the IP address Circuit ID Displays the Circuit ID of the device leasing the IP address Buttons You find the description of the standard buttons in section Buttons on page 13 7 3 Industrial Protocols Advanced Industrial Protocols The menu contains the following dialogs IEC61850 MMS Modbus TCP ...

Page 324: ... any authentication mechanisms If the write access for IEC61850 MMS is activated then every client that can access the device using TCP IP is capable of changing the settings of the device This in turn can result in an incorrect configuration of the device and to failures in the network Activate the write access only if you have taken additional measures for example Firewall VPN etc to reduce poss...

Page 325: ...acters The following characters are allowed _ 0 9 a z A Z default setting KEY To get the MMS server to use the IED name click the button and restart the MMS server The connection to connected clients is then interrupted TCP port Specifies TCP port for MMS server access Possible values 1 65535 default setting 102 Exception Port 2222 is reserved for internal functions Note The server restarts automa...

Page 326: ... 325 RM GUI GRS Release 8 0 09 2019 stopping halted error Active sessions Displays the number of active MMS server connections Buttons You find the description of the standard buttons in section Buttons on page 13 Download Copies the ICD file to your PC ...

Page 327: ...ace HMI polls for data You can also specify the number of sessions allowed to be open at the same time Note Activating the Modbus TCP write access can cause an unavoidable security risk because the protocol does not authenticate user access To help minimize the unavoidable security risks specify the IP address range located in the Device Security Management Access dialog Enter only the IP addresse...

Page 328: ...nmarked The Modbus TCP server read only access is active TCP port Specifies the TCP port number that the Modbus TCP server uses for communication Possible values TCP Port number default setting 502 Specifying 0 is not allowed Sessions max Specifies the maximum number of concurrent sessions that the Modbus TCP server maintains Possible values 1 5 default setting 5 Buttons You find the description o...

Page 329: ...lient application which registers a handler for URLs starting with ssh in your operating system Buttons You find the description of the standard buttons in section Buttons on page 13 Open SSH connection Opens the SSH capable client application When you click the button the web application passes the URL of the device starting with ssh and the user name of the currently logged on user If the web br...

Page 330: ......

Page 331: ...71 Auto disable 100 206 276 277 285 B Bridge 203 C Cable diagnosis 271 Certificate 18 40 85 86 243 CLI 92 Command line interface 92 Community names 95 Configuration check 257 Configuration profile 12 30 Context menu 12 Counter reset 52 D Daylight saving time 55 Device software 27 Device software backup 27 Device status 16 233 DHCP L2 relay 310 DHCP server 315 DoS 130 DSCP 187 E EAPOL 115 Egress ra...

Page 332: ... 242 308 Host key 82 HTML 255 307 HTTP 83 HTTP server 240 HTTPS 84 I IAS 71 119 IEC61850 MMS 242 323 IEEE 802 1X 71 IGMP snooping 154 Industrial HiVision 8 77 Ingress filtering 194 Ingress rate limiter 149 Integrated authentication server 71 119 IP access restriction 88 IP address conflict detection 259 IP DSCP mapping 187 IPv4 rule 136 L L2 relay 310 Link aggregation 216 Link backup 222 LLDP 291 ...

Page 333: ...twork load 50 NVM 11 12 20 28 35 P Password 67 239 Password length 67 239 Persistent logging 304 Port clients 113 Port configuration 108 183 Port mirroring 289 Port monitor 285 Port priority 183 Port security 100 Port statistics 115 Port VLAN 194 Port based access control 105 Power supply 18 235 248 Pre Login banner 96 Priority queue 182 Q Queue management 189 Queues 182 R RADIUS 71 120 RAM 35 RAM...

Page 334: ...r 80 Subring 226 Switch dump 303 Syslog 266 System information 255 System log 307 System monitor 264 System time 54 T Technical questions 334 Telnet server 78 240 Temperature 19 234 246 Threshold values network load 149 Topology discovery 296 Training courses 334 Trap destination 252 Traps 48 101 203 218 233 238 246 252 261 276 Trust mode 183 Twisted pair 271 U Unaware mode 146 User administration...

Page 335: ...s are available at doc hirschmann com Hirschmann Competence Center The Hirschmann Competence Center is ahead of its competitors on three counts with its complete range of innovative services Consulting incorporates comprehensive technical advice from system evaluation through network planning to project planning Training offers you an introduction to the basics product briefing and user training w...

Page 336: ...uct Your comments and suggestions help us to further improve the quality of our documentation Your assessment of this manual Did you discover any errors in this manual If so on what page Suggestions for improvement and additional information Very Good Good Satisfactory Mediocre Poor Precise description O O O O O Readability O O O O O Understandability O O O O O Examples O O O O O Structure O O O O...

Page 337: ...Please fill out and return this page as a fax to the number 49 0 7127 14 1600 or per mail to Hirschmann Automation and Control GmbH Department 01RD NT Stuttgarter Str 45 51 72654 Neckartenzlingen Germany Company Department Name Telephone number Street Zip code City E mail Date Signature ...

Page 338: ...Readers Comments 337 RM GUI GRS Release 8 0 09 2019 ...

Page 339: ......

Page 340: ......

Page 341: ...UM Config GRS Release 8 0 09 2019 Technical support https hirschmann support belden com User Manual Configuration Greyhound Switch GRS1020 1030 HiOS 2S ...

Page 342: ...erformance features described here are binding only if they have been expressly agreed when the contract was made This document was produced by Hirschmann Automation and Control GmbH according to the best of the company s knowledge Hirschmann reserves the right to change the contents of this document without prior notice Hirschmann can give no guarantee in respect of the correctness or accuracy of...

Page 343: ... 33 1 2 12 Data entry elements 34 1 2 13 Use cases 35 1 2 14 Service Shell 37 1 3 System monitor 40 1 3 1 Functional scope 40 1 3 2 Starting the System Monitor 40 2 Specifying the IP parameters 42 2 1 IP parameter basics 42 2 1 1 IP address version 4 42 2 1 2 Netmask 43 2 1 3 Classless Inter Domain Routing 45 2 2 Specifying the IP parameters using the Command Line Interface 46 2 3 Specifying the I...

Page 344: ...ernal memory 75 4 3 3 Importing a configuration profile 77 4 4 Reset the device to the factory defaults 79 4 4 1 Using the Graphical User Interface or Command Line Interface 79 4 4 2 Using the System Monitor 79 5 Loading software updates 81 5 1 Software update from the PC 81 5 2 Software update from a server 82 5 3 Software update from the external memory 83 5 3 1 Manually initiated by the adminis...

Page 345: ...es 113 10 1 3 Static address entries 114 10 2 Multicasts 116 10 2 1 Example of a Multicast application 116 10 2 2 IGMP snooping 116 10 3 Rate limiter 121 10 4 QoS Priority 122 10 4 1 Description of prioritization 122 10 4 2 Handling of received priority information 123 10 4 3 VLAN tagging 123 10 4 4 IP ToS Type of Service 124 10 4 5 Handling of traffic classes 125 10 4 6 Queue management 126 10 4 ...

Page 346: ...xample Configuration 178 12 7 FuseNet 180 12 8 Subring 181 12 8 1 Subring description 181 12 8 2 Subring example 183 12 8 3 Subring example configuration 184 13 Operation diagnosis 186 13 1 Sending SNMP traps 186 13 1 1 List of SNMP traps 187 13 1 2 SNMP traps for configuration activity 188 13 1 3 SNMP trap setting 188 13 1 4 ICMP messaging 188 13 2 Monitoring the Device Status 189 13 2 1 Events w...

Page 347: ... 1 Circuit and Remote IDs 224 14 2 2 DHCP L2 Relay configuration 225 14 3 GARP 227 14 3 1 Configuring GMRP 227 14 3 2 Configuring GVRP 228 14 4 MRP IEEE 229 14 4 1 MRP operation 229 14 4 2 MRP timers 229 14 4 3 MMRP 230 14 4 4 MVRP 231 15 Industry Protocols 234 15 1 IEC 61850 MMS 235 15 1 1 Switch model for IEC 61850 235 15 1 2 Integration into a Control System 236 15 2 Modbus TCP 238 15 2 1 Clien...

Page 348: ... 257 B 3 Management Information Base MIB 258 B 4 List of RFCs 261 B 5 Underlying IEEE Standards 263 B 6 Underlying IEC Norms 264 B 7 Underlying ANSI Norms 265 B 8 Technical Data 266 B 9 Copyright of integrated Software 267 B 10 Abbreviations used 268 C Index 269 D Further support 274 E Readers Comments 275 ...

Page 349: ...lled machine actions caused by data loss configure all the data transmission devices individually Before you start any machine which is controlled via data transmission be sure to complete the configuration of all data transmission devices Failure to follow these instructions can result in death serious injury or equipment damage ...

Page 350: ......

Page 351: ...vice The Graphical User Interface reference manual contains detailed information on using the graphical user interface to operate the individual functions of the device The Command Line Interface reference manual contains detailed information on using the Command Line Interface to operate the individual functions of the device The Industrial HiVision Network Management software provides you with a...

Page 352: ...nings List Work step Link Cross reference with link Note A note emphasizes a significant fact or draws your attention to a dependency Courier Representation of a CLI command or field contents in the graphical user interface Execution in the Graphical User Interface Execution in the Command Line Interface ...

Page 353: ...roduction The device has been developed for use in a harsh industrial environment Accordingly the installation process has been kept simple Thanks to the selected default settings you only have to enter a few settings before starting to operate the device ...

Page 354: ......

Page 355: ...e Graphical User Interface The prerequisite for starting the Graphical User Interface is that the IP parameters are configured in the device See Specifying the IP parameters on page 42 Start your web browser Type the IP address of the device in the address field of the web browser Use the following form https xxx xxx xxx xxx The web browser sets up the connection to the device and displays the Log...

Page 356: ...evice can be found in the Installation user manual Connect the device with the network The prerequisite for a successful data connection is the correct setting of the network parameters You can access the user interface of the Command Line Interface for example with the freeware program PuTTY This program is provided on the product CD Install the PuTTY program on your computer 1 2 2 Access to the ...

Page 357: ...nts To select the connection type select the Telnet radio button in the Connection type range Click the Open button to set up the data connection to your device The Command Line Interface appears on the screen with a window for entering the user name The device enables up to 5 users to have access to the Command Line Interface at the same time Note This device is a security relevant product Change...

Page 358: ...bH All rights reserved GRS1020 Release 8 0 Build date 2019 02 05 19 17 System Name GRS ECE555B996DC Management IP 192 168 1 5 Subnet Mask 255 255 255 0 Base MAC EC E5 55 01 02 03 System Time 2019 01 01 17 39 01 NOTE Enter for Command Help Command help displays all options that are valid for the particular mode For the syntax of a particular command form please consult the documentation GRS ...

Page 359: ...s follows Start the PuTTY program on your computer Figure 4 PuTTY input screen In the Host Name or IP address field you enter the IP address of your device The IP address consists of 4 decimal numbers with values from 0 to 255 The 4 decimal numbers are separated by points To specify the connection type select the SSH radio button in the Connection type range After selecting and setting the require...

Page 360: ...elps protect yourself from unwelcome guests When the fingerprint matches the fingerprint of the device key click the Yes button The device lets you display the finger prints of the device keys with the command show ssh or in the Device Security Management Access Server dialog SSH tab The Command Line Interface appears on the screen with a window for entering the user name The device enables up to ...

Page 361: ...and to the system monitor login as admin admin 192 168 1 5 s password Copyright c 2011 2019 Hirschmann Automation and Control GmbH All rights reserved GRS1020 Release 8 0 Build date 2019 02 05 19 17 System Name GRS ECE555B996DC Management IP 192 168 1 5 Subnet Mask 255 255 255 0 Base MAC EC E5 55 01 02 03 System Time 2019 01 01 17 39 01 NOTE Enter for Command Help Command help displays all options...

Page 362: ...ection to the device with the serial interface using the PuTTY program Press the Enter key Figure 7 Serial data connection with the serial interface using the PuTTY program Press any key on your terminal keyboard a number of times until the login screen indicates the CLI mode Enter the user name The default user name is admin Press the Enter key Enter the password The default password is private P...

Page 363: ...s a user also depend on the Command Line Interface mode in which you are currently working See Mode based command hierarchy on page 24 Copyright c 2011 2019 Hirschmann Automation and Control GmbH All rights reserved GRS1020 Release 8 0 Build date 2019 02 05 19 17 System Name GRS ECE555B996DC Management IP 192 168 1 5 Subnet Mask 255 255 255 0 Base MAC EC E5 55 01 02 03 System Time 2019 01 01 17 39...

Page 364: ...d Exec mode too Table 2 Access roles and scope of user authorizations Access role User authorizations User Users logged on with the access role User are authorized to monitor the device Auditor Users logged on with the access role Auditor are authorized to monitor the device and to save the log file in the Diagnostics Report Audit Trail dialog Operator Users logged on with the access role Operator...

Page 365: ...mmands you enter the Privileged Exec mode If you login as a privileged user then you are able to enter the Privileged Exec mode In the Privileged Exec mode you are able to execute the User Exec mode commands too Command prompt GRS VLAN mode The VLAN mode contains VLAN related commands Command prompt GRS VLAN User Exec Mode Privileged Exec Mode Global Configuration Mode The User Exec commands are a...

Page 366: ... you switch from the Global Config mode to the Interface Range mode the command prompt changes as follows GRS config interface 1 2 1 4 GRS Interface 1 2 1 4 A list of single ports Command prompt GRS interface interface list Example When you switch from the Global Config mode to the Interface Range mode the command prompt changes as follows GRS config interface 1 2 1 4 1 5 GRS Interface 1 2 1 4 1 5...

Page 367: ...xec mode enter the command Configure GRS enable GRS configure GRS config To quit the Global Config mode and return to the Privileged Exec mode you enter exit GRS config exit GRS To then quit the Privileged Exec mode and return to the User Exec mode you enter exit again GRS exit GRS Interface Range mode From the Global Config mode you enter the command interface all slot port interface range interf...

Page 368: ...e Interface checks the input When you entered the command and the parameters correctly and completely you execute the command with the Enter key After you entered the command and the required parameters the other parameters entered are treated as optional parameters When one of the parameters is unknown the Command Line Interface displays a syntax message The command tree branches for the required...

Page 369: ... options Choice1 Choice2 Elements separated by a vertical line and enclosed in curved brackets indicate an obligatory selection option option1 or option2 param1 Choice1 Choice2 Displays an optional parameter that contains an obligatory selection a b c d Small letters are wild cards You enter parameters with the notation a b c d with decimal points for example IP addresses cr You press the Enter ke...

Page 370: ...racter Space characters are not valid user defined strings You enter a space character in a parameter between quotation marks Example GRS cli prompt Device name Error Invalid command name GRS cli prompt Device name Device name 1 2 9 Examples of commands Example 1 clear arp table switch Command for clearing the ARP table of the management agent cache clear arp table switch is the command name The c...

Page 371: ...igure the encrypted shared secret cr Press Enter to execute the command radius server auth modify is the command name The parameter 1 8 RADIUS server index is required The value range is 1 8 integer The parameters name port msgauth primary status secret and encrypted are optional 1 2 10 Input prompt Command mode With the input prompt the Command Line Interface displays which of the three modes you...

Page 372: ...d the parameters during the boot phase are different GRS Exclamation point An exclamation point at the beginning of the input prompt displays the password for the user or admin user account corresponds with the default setting GRS Wildcards The device lets you change the command line prompt The Command Line Interface supports the following wildcards Table 7 Using wildcards within the Command Line ...

Page 373: ...ption CTRL H Backspace Delete previous character CTRL A Go to beginning of line CTRL E Go to end of line CTRL F Go forward one character CTRL B Go backward one character CTRL D Delete current character CTRL U X Delete to beginning of line CTRL K Delete to end of line CTRL W Delete previous word CTRL P Go to previous line in history buffer CTRL R Rewrite or paste the line CTRL N Go to next line in ...

Page 374: ...b or Space the Command Line Interface completes the command up to the end of the uniqueness When several commands exist and you press Tab or Space again the Command Line Interface provides you with a list of options Example GRS Config lo GRS Config log logging logout When you enter lo and Tab or Space the Command Line Interface completes the command up to the end of the uniqueness to log When you ...

Page 375: ...cter in front of the question mark the device displays the help text for the command itself GRS Config show show Display device options and settings 1 2 13 Use cases Saving the Configuration To help ensure that your password settings and your other configuration changes are kept after the device is reset or after an interruption of the voltage supply you save the configuration To save your current...

Page 376: ...nfig mode See Mode based command hierarchy on page 24 The prerequisite for executing the command You have the Administrator access role Syntax of commands and parameters See Structure of a command on page 28 Examples for executable commands radius server auth add 1 ip 192 168 30 40 radius server auth add 2 ip 192 168 40 50 name radiusserver2 radius server auth add 3 ip 192 168 50 60 port 1813 radi...

Page 377: ... GRS Perform the following steps Enter enable and press the Enter key To reduce the effort when typing Enter e and press the Tab key Enter serviceshell start and press the Enter key To reduce the effort when typing Enter ser and press the Tab key Enter s and press the Tab key Working with the Service Shell When the Service Shell is active the timeout of the Command Line Interface is inactive To he...

Page 378: ...technician has no possibility to access internal functions of your device The deactivation is irreversible the Service Shell remains permanently deactivated In order to reactivate the Service Shell the device requires disassembly by the manufacturer The prerequisites are The Service Shell is not started You are in User Exec mode GRS Perform the following steps Enter enable and press the Enter key ...

Page 379: ... reduce the effort when typing Enter ser and press the Tab key Enter dea and press the Tab key This step is irreversible Press the Y key GRS enable GRS serviceshell deactivate Notice If you continue then the Service Shell is permanently deactivated This step is irreversible For details refer to the Configuration Manual Are you sure Y N ...

Page 380: ...nal cable for connecting the device to your PC available as an optional accessory PC with VT100 terminal emulation such as the PuTTY program or serial terminal Perform the following steps Use the terminal cable to connect the serial interface of the device with the COM port of the PC Start the VT100 terminal emulation on the PC Specify the following transmission parameters Set up a connection to t...

Page 381: ...tem by entering the number To leave a submenu and return to the main menu of System Monitor 1 press the ESC key System Monitor 1 Selected OS 8 0 2019 02 05 19 17 1 Manage operating system 2 Update operating system 3 Start selected operating system 4 Manage configurations 5 Show boot code information q End reset and reboot sysMon1 ...

Page 382: ...method You need a BOOTP server for this method The BOOTP server assigns the configuration data to the device using its MAC address The DHCP mode is the default mode for the configuration data reference Configuration using DHCP To configure the installed device using DHCP you choose this In Band method You need a DHCP server for this method The DHCP server assigns the configuration data to the devi...

Page 383: ...ro it belongs to class B for example the first octet is between 128 and 191 When the first 2 bits of an IP address are a one it belongs to class C for example the first octet is higher than 191 Assigning the host address host ID is the responsibility of the network operator The network operator alone is responsible for the uniqueness of the assigned IP addresses 2 1 2 Netmask Routers and Gateways ...

Page 384: ...fore puts his message in an envelope and writes Juliet s IP address as the destination address for the source address he writes his own IP address on the envelope Romeo then places this envelope in a second one with Lorenzo s MAC address as the destination and his own MAC address as the source This process is comparable to going from Layer 3 to Layer 2 of the ISO OSI base reference model Finally R...

Page 385: ...h the IP addresses in a further envelope with Lorenzo s MAC destination address The letter now travels back to Romeo via Lorenzo the same way the first letter traveled from Romeo to Juliet 2 1 3 Classless Inter Domain Routing Class C with a maximum of 254 addresses was too small and class B with a maximum of 65534 addresses was too large for most users Resulting in an ineffective usage of the avai...

Page 386: ...ou have the option of performing the configuration over the serial interface using the Command Line Interface The device lets you specify the IP parameters using the HiDiscovery protocol or using the Command Line Interface over the serial interface Figure 15 Flow chart for entering IP addresses Entering IP addresses Connect the PC with terminal program started to the RJ11 socket Command Line Inter...

Page 387: ... This entry is only required in cases where the device and the network management station or TFTP server are located in different subnetworks see on page 44 Example of how the netmask is used Specify the IP address of the Gateway between the subnetwork with the device and the path to the network management station In the default setting the IP address is 0 0 0 0 Save the configuration specified us...

Page 388: ...HiDiscovery is started HiDiscovery automatically searches the network for those devices which support the HiDiscovery protocol HiDiscovery uses the first network interface found for the PC When your computer has several network cards you can select the one you desire in the HiDiscovery toolbar HiDiscovery displays a line for every device that responds to a HiDiscovery protocol inquiry HiDiscovery ...

Page 389: ...parameters using HiDiscovery 49 UM Config GRS Release 8 0 09 2019 Note Disable the HiDiscovery function in the device after you have assigned the IP parameters to the device Note Save the settings so that you will still have the entries after a restart ...

Page 390: ... In the Local mode the device uses the network parameters from the internal device memory Note When you change the allocation mode of the IP address the device activates the new mode immediately after you click the button In the VLAN ID column you specify the VLAN in which the device management can be accessed over the network Note here that you can only access the device management using ports th...

Page 391: ...he BOOTP function activated the device sends a boot request message to the BOOTP server The boot request message contains the Client ID configured in the Basic Settings Network dialog The BOOTP server enters the Client ID into a database and assigns an IP address The server answers with a boot reply message The boot reply message contains the assigned IP address ...

Page 392: ...Sever assigns the IP address the device permanently saves the configuration data in non volatile memory The advantage of using DHCP instead of BOOTP is that the DHCP server can restrict the validity of the configuration parameters Lease to a specific time period known as dynamic address allocation Before this period Lease Duration elapses the DHCP client can attempt to renew this lease Alternative...

Page 393: ...C address host berta hardware ethernet 00 80 63 08 65 42 fixed address 10 1 112 82 Host hugo requests IP configuration with his client identifier host hugo option dhcp client identifier hugo option dhcp client identifier 00 68 75 67 6f fixed address 10 1 112 83 server name 10 1 112 11 filename agent config dat Lines beginning with the character contain comments The lines preceding the individually...

Page 394: ... and make another check after the configured release delay time When you disable active detection the device sends 2 gratuitous APR announcements in 2 s intervals Using the ARP announcements with passive detection enabled the device polls the network to determine whether there is an address conflict After resolving an address conflict or after expired release delay time the device reconnects to th...

Page 395: ...e Command Line Interface using Telnet Telnet Access to the Graphical User Interface WebInterface The device also provides an application to control the access to the network from connected end devices using port based access control 8021x 3 1 2 Policies When a user logs in with valid login data the device lets the user have access to its device management The device authenticates the users using t...

Page 396: ...tions by means of which no access to the device is performed for example 8021x Open the Device Security Authentication List dialog The dialog displays the authentication lists that are set up show authlists Displays the authentication lists that are set up In the Active column of the authentication list defaultDot1x8021AuthList unmark the checkbox To save the changes temporarily click the button a...

Page 397: ...he Ok button The device adds a new table entry enable Change to the Privileged EXEC mode configure Change to the Configuration mode authlists add loginGUI Creates the authentication list loginGUI In the Policy 1 column select the value radius In the Policy 2 column select the value local In the Policy 3 to Policy 5 columns select the value reject to help prevent further fall back In the Active col...

Page 398: ...ons column of authentication list loginGUI displays the application WebInterface The Dedicated applications column of authentication list defaultLoginAuthList does not display the application WebInterface anymore To save the changes temporarily click the button show appllists Displays the applications and the allocated lists appllists set authlist WebInterface loginGUI Assigns the loginGUI applica...

Page 399: ...o an authentication list see the Device Security Authentication List dialog In the local user management you manage the user accounts One user account is usually allocated to each user 3 2 1 Access roles The device lets you use a role based authorization model to specifically control the access to the device management Users to whom a specific authorization profile is allocated are allowed to use ...

Page 400: ...s using the Command Line Interface Enable disable CLI logging and SNMP logging External memory activation and deactivation System monitor activation and deactivation Enable disable the services for the access to the device management for example SNMP Configure access restrictions to the Graphical User Interface or the Command Line Interface based on the IP addresses Operator The user is authorized...

Page 401: ... Change the password for the admin user account before making the device available in the network Open the Device Security User Management dialog The dialog displays the user accounts that are set up show users Displays the user accounts that are set up Table 12 Default settings for the factory setting user accounts Parameter Default setting User name admin user Password private public Role admini...

Page 402: ...d field Enter a password of at least 6 characters Up to 64 alphanumeric characters are allowed The device differentiates between upper and lower case The minimum length of the password is specified in the Configuration frame The device constantly checks the minimum length of the password To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change to ...

Page 403: ...ssword field enter a password of at least 6 characters Up to 64 alphanumeric characters are allowed The device differentiates between upper and lower case The minimum length of the password is specified in the Configuration frame The device constantly checks the minimum length of the password In the Role column select the user role In this example we select the value operator To activate the user ...

Page 404: ...count Open the Device Security User Management dialog The dialog displays the user accounts that are set up In the row for the relevant user account unmark the checkbox in the Active column To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change to the Configuration mode users disable user To disable user account show users Displays the user acco...

Page 405: ...ogin attempts field The field lets you define this value in the range 0 5 In the above example the value 0 deactivates the function The Min password length field lets you enter values in the range 1 64 The dialog displays the policy set up in the Password policy frame Adjust the values to meet your requirements Values in the range 1 through 16 are allowed The value 0 deactivates the relevant polic...

Page 406: ...esses are preset in the device If SNMPv1 v2 is enabled then the device lets anyone who knows the community name have access to the device Make the following basic provisions to make undesired access to the device more difficult Change the default community names in the device Treat the community names with discretion Anyone who knows the community name for write access has the ability to change th...

Page 407: ...ters of the user account settings to the settings in your network management system perform the following steps Open the Device Security User Management dialog The dialog displays the user accounts that are set up Click the row of the relevant user account in the SNMP auth type field Select the desired setting Click the row of the relevant user account in the SNMP encryption type field Select the ...

Page 408: ...M remains unchanged until you save it Until then the configuration profiles in memory and non volatile memory are different This device helps you recognize changed settings When the configuration profile in the memory RAM is different from the selected configuration profile in the non volatile memory NVM you can recognize the difference based on the following criteria When the copy in the external...

Page 409: ...uration profile The device stores the settings in the selected configuration profile in the non volatile memory NVM Perform the following steps Open the Basic Settings Load Save dialog Verify that the required configuration profile is Selected You can recognize the selected configuration profile because the checkbox in the Selected column is marked Click the button show config profiles nvm Display...

Page 410: ... the proposed name the device will overwrite an existing configuration profile of the same name Click the Ok button The new configuration profile is designated as Selected show config profiles nvm Displays the configuration profiles contained in the non volatile memory nvm enable Change to the Privileged EXEC mode copy config running config nvm profile string Save the current settings in the confi...

Page 411: ...name of the configuration profile save Save the settings in the non volatile memory nvm in the selected configuration profile Open the Basic Settings External Memory dialog Mark the checkbox in the Backup config when saving column in order to enable the device to automatically save a copy in the external memory during the saving process To deactivate the function unmark the checkbox in the Backup ...

Page 412: ...nter the credentials needed to authenticate on the remote server In the Operation option list enable the function To save the changes temporarily click the button enable Change to the Privileged EXEC mode show config remote backup Check status of the function configure Change to the Configuration mode config remote backup destination Enter the destination URL for the configuration profile backup c...

Page 413: ...ou click the Ok button the device displays the Credentials window There you enter User name and Password to log on to the server Click the Ok button The configuration profile is now saved as an XML file in the specified location show config profiles nvm Displays the configuration profiles contained in the non volatile memory nvm enable Change to the Privileged EXEC mode copy config running config ...

Page 414: ...ration profile Click the button and then the Activate item The device copies the settings to the memory RAM and disconnects from the Graphical User Interface The device immediately uses the settings of the configuration profile Reload the Graphical User Interface Log in again In the Selected column the checkbox of the configuration profile that was activated before is marked show config profiles n...

Page 415: ...nnected before you start the device The root directory of the external memory contains a text file startup txt with the content script file_name The placeholder file_name represents the script file that the device executes during the boot process The root directory of the external memory contains the script file You have the option to save Open the Basic Settings External Memory dialog In the Conf...

Page 416: ...iguration priority settings After applying the script the device automatically saves the configuration profile from the script file as an XML file in the external memory When you type the appropriate command into the script file you have the option to disable this function no config envm config save usb The device does not create a copy in the external USB memory When the script file contains an i...

Page 417: ...ports the configuration profile from the external memory Import the configuration profile When the file is located on an FTP server specify the URL for the file in the following form ftp user password IP address port file name When the file is located on a TFTP server specify the URL for the file in the following form tftp IP address path file name When the file is located on an SCP or SFTP server...

Page 418: ...disconnects the connection to the Command Line Interface The device immediately uses the settings of the imported configuration profile copy config remote tftp IP_address path file_name running config Import and activate the settings of a configuration profile saved on a TFTP server The device copies the settings into the volatile memory and disconnects the connection to the Command Line Interface...

Page 419: ...ress the 1 key within 3 seconds when prompted during reboot The device loads the System Monitor To change from the main menu to the Manage configurations menu press the 4 key To execute the Clear configs and boot params command press the 1 key Open the Basic Settings Load Save dialog Click the button then Back to factory The dialog displays a message Click the Ok button The device deletes the conf...

Page 420: ...s press the Enter key The device deletes the configuration profiles in the memory RAM and in the non volatile memory NVM If an external memory is connected then the device also deletes the configuration profiles saved in the external memory To change to the main menu press the q key To reboot the device with factory settings press the q key ...

Page 421: ... installed software 5 1 Software update from the PC The prerequisite is that the image file of the device software is saved on a data carrier which is accessible from your PC Perform the following steps Open the Basic Settings Software dialog The field Running version displays the version number and creation date of the device software that the device loaded during the last restart and is currentl...

Page 422: ...ress path image_file_name bin When the image file is saved on a SCP or SFTP server scp or sftp IP_address path image_file_name bin scp or sftp username password IP_address path image_file_name bin When you enter the URL without the user name and password the device displays the Credentials window There you enter credentials needed to log on to the server To start the update procedure click the Sta...

Page 423: ...rtup txt file in the text editor and add the following line autoUpdate Image_file_name bin Install the external memory in the device Restart the device During the booting process the device checks automatically the following criteria Is an external memory connected Is a startup txt file in the main directory of the external memory Does the image file exist which is specified in the startup txt fil...

Page 424: ...og dialog contains one of the following messages S_watson_AUTOMATIC_SWUPDATE_SUCCESS Software update completed successfully S_watson_AUTOMATIC_SWUPDATE_ABORTED Software update aborted S_watson_AUTOMATIC_SWUPDATE_ABORTED_WRONG_FILE Software update aborted due to wrong image file S_watson_AUTOMATIC_SWUPDATE_ABORTED_SAVING_FILE Software update aborted because the device did not save the image file ...

Page 425: ... 2019 5 4 Loading a previous software version The device lets you replace the device software with a previous version The basic settings in the device are kept after replacing the device software Note Only the settings for functions which are available in the newer device software version are lost ...

Page 426: ...d For a higher level of access security disable unconnected ports Perform the following steps Open the Basic Settings Port dialog Configuration tab To enable a port mark the checkbox in the Port on column To disable a port unmark the checkbox in the Port on column To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change to the Configuration mode i...

Page 427: ...evice connected to this port requires a fixed setting then perform the following steps Deactivate the function Unmark the checkbox in the Automatic configuration column In the Manual configuration column enter the desired operating mode transmission rate duplex mode To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change to the Configuration mode...

Page 428: ... SNMPv1 v2 is enabled then the device lets anyone who knows the community name access the device The community names public for read accesses and private for write accesses are preset If you are using SNMPv1 or SNMPv2 then change the default community name Treat the community names with discretion Perform the following steps Open the Device Security Management Access SNMPv1 v2 Community dialog The...

Page 429: ...ng steps Open the Device Security Management Access Server dialog SNMP tab The dialog displays the settings of the SNMP server To deactivate the SNMPv1 protocol you unmark the SNMPv1 checkbox To deactivate the SNMPv2 protocol you unmark the SNMPv2 checkbox To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change to the Configuration mode no snmp a...

Page 430: ...ss bar of the web browser enter the string https before the IP address of the device If the HTTPS protocol is disabled and you also disable HTTP then the Graphical User Interface is unaccessible To work with the Graphical User Interface enable the HTTPS server using the Command Line Interface Perform the following steps Open the Device Security Management Access Server dialog HTTP tab To disable t...

Page 431: ...nly possible through the serial interface of the device To work remotely with the Command Line Interface enable SSH Perform the following steps Open the Device Security Management Access Server dialog Telnet tab To disable the Telnet server select the Off radio button in the Operation frame To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change ...

Page 432: ...o read only or to disable HiDiscovery access completely Perform the following steps Open the Basic Settings Network dialog To take away write permission from the HiDiscovery software in the HiDiscovery protocol v1 v2 frame specify the value readOnly in the Access field To disable HiDiscovery access completely select the Off radio button in the HiDiscovery protocol v1 v2 frame To save the changes t...

Page 433: ...es and selected IP based protocols Example The device is to be accessible only from the company network using the Graphical User Interface The administrator has additional remote access using SSH The company network has the address range 192 168 1 0 24 and remote access from a mobile network with the IP address range 109 237 176 0 24 The SSH application program knows the fingerprint of the RSA key...

Page 434: ...e access Otherwise if you change the settings then the connection to the device terminates Access to the device management is only possible using the Command Line Interface through the serial interface of the device To enable IP access restriction select the On radio button in the Operation frame To save the changes temporarily click the button enable Change to the Privileged EXEC mode show networ...

Page 435: ...ress range of the mobile phone network Repeat the operation for every unwanted protocol no network management access status 1 Deactivate the default entry This entry lets users have access to the device from any IP address and the supported protocols network management access status 2 Activate an entry for the address range of the company network network management access status 3 Activate an entr...

Page 436: ...mmand Line Interface sessions using a Telnet connection Perform the following steps Open the Device Security Management Access Server dialog SSH tab Specify the timeout period in minutes in the Configuration frame Session timeout min field To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change to the Configuration mode ssh timeout 0 160 Specify ...

Page 437: ...frame Serial interface timeout min field To save the changes temporarily click the button enable Change to the Privileged EXEC mode cli serial timeout 0 160 Specify the timeout period in minutes for Command Line Interface sessions using a serial connection Open the Device Security Management Access Web dialog Specify the timeout period in minutes in the Configuration frame Web interface session ti...

Page 438: ...ault settings allow access to the network To help prevent unauthorized network access deactivate the unused slots The module establishes no network connections on a deactivated slot Perform the following steps Open the Basic Settings Modules dialog To deactivate the slot and deny network access unmark the Active checkbox To save the changes temporarily click the button ...

Page 439: ... to the next rule ACL if permit or accept then progress to the next rule 8 1 Helping protect against unauthorized access With this function the device supports you in helping protect against invalid or falsified data packets targeted at causing the failure of certain services or devices You have the option of specifying filters in order to restrict data stream for protection against denial of serv...

Page 440: ...cts fragmented ICMP packets and discards them Using the Allowed payload size byte parameter you can also specify the maximum permissible size of the payload of the ICMP packets The device discards data packets that exceed this byte specification Note You can combine the filters in any way in the Network Security DoS Global dialog When several filters are selected a logical Or applies If the first ...

Page 441: ...ilter the data stream The device applies the MAC ACL rules only after the packets are filtered through the IP ACL The priority of an ACL is independent of the index of a rule Within an ACL the device processes the rules in order The index of the respective rule determines the order in which the device filters the data stream When you assign an ACL to a port or VLAN you can specify its priority wit...

Page 442: ...column Note The prerequisite for changing the value in the Redirection port and Mirror port column is that you specify the value permit in the Action column Open the Network Security ACL IPv4 Rule dialog Click the button The dialog displays the Create window To create a group specify a meaningful name in the Group name field You can combine several rules in one group To add a rule to an existing g...

Page 443: ...es of the IP ACL with the ID 1 ip acl add 2 filter2 Adds an IP ACL with the ID 2 and the name filter2 ip acl rule add 2 1 deny src 10 0 1 13 0 0 0 0 dst 10 0 1 158 0 0 0 0 Adds a rule to position 1 of the IP ACL with the ID 2 denying IP data packets from 10 0 1 13 to 10 0 1 158 ip acl rule add 2 2 permit src any any dst any any Adds a rule to position 2 of the IP ACL with the ID 2 admitting IP dat...

Page 444: ...w acl ip assignment 2 Displays the assignment of the IP ACL with ID 2 Open the Network Security ACL MAC Rule dialog Click the button The dialog displays the Create window To create a group specify a meaningful name in the Group name field You can combine several rules in one group To add a rule to an existing group select the name of the group in the Group name field In the Index field you specify...

Page 445: ...e 0x8138 IPX mac acl rule add 1 4 permit src any any dst any any Adds a rule to position 4 of the MAC ACL with the ID 1 forwarding packets show acl mac rules 1 Displays the rules of the MAC ACL with the ID 1 interface 1 1 1 2 1 3 1 4 1 5 1 6 Change to the interface configuration mode of the interfaces 1 1 to 1 6 acl mac assign 1 in 1 Assigns the MAC ACL with the ID 1 to incoming data packets 1 1 o...

Page 446: ...the application area Examples of application areas include Log entries Time stamping of production data Process control The device lets you synchronize the time on the network using the following options The Simple Network Time Protocol SNTP is a simple solution for low accuracy requirements Under ideal conditions SNTP achieves an accuracy in the millisecond range The accuracy depends on the signa...

Page 447: ...e field click the Set time from PC button Based on the value in the Local offset min field the device calculates the time in the System time UTC field The System time UTC comes from the System time minus the Local offset min value and a possible shift due to daylight saving time The Time source field displays the origin of the time data The device automatically selects the source with the greatest...

Page 448: ...ght saving time click the Profile button in the Operation frame When no matching daylight saving time profile is available you specify the changeover times in the Summertime begin and Summertime end fields For both time points you specify the month the week within this month the weekday and the time of day To enable the function select the On radio button in the Operation frame To save the changes...

Page 449: ...te Statements in this chapter relating to external SNTP servers also apply to NTP servers SNTP knows the following operation modes for the transmission of time Unicast In Unicast operation mode an SNTP client sends requests to an SNTP server and expects a response from this server Broadcast In Broadcast operation mode an SNTP server sends SNTP messages to the network in specified intervals SNTP cl...

Page 450: ...uters and switches that forward the SNTP packets with a low and uniform transmission time latency An SNTP client sends its requests to up to 4 configured SNTP servers When there is no response from the 1st SNTP server the SNTP client sends its requests to the 2nd SNTP server When this request is also unsuccessful it sends the request to the 3rd and finally the 4th SNTP server If none of these SNTP...

Page 451: ...ul sync checkbox After synchronization the device disables the SNTP Client function The table displays the SNTP server to which the SNTP client sends a request in Unicast operation mode The table contains up to four SNTP server definitions To add a table entry click the button Specify the connection data of the SNTP server To enable the function select the On radio button in the Operation frame To...

Page 452: ...ss In the Broadcast UDP port field you specify the number of the UDP port to which the SNTP server sends the SNTP packets in Broadcast operation mode In the Broadcast VLAN ID field you specify the ID of the VLAN to which the SNTP server sends the SNTP packets in Broadcast operation mode In the Broadcast send interval s field you enter the time interval at which the SNTP server of the device sends ...

Page 453: ... 1 Learning MAC addresses When the device receives a data packet it checks whether the MAC address of the sender is already stored in the MAC address table FDB When the MAC address of the sender is unknown the device generates a new entry The device then compares the destination MAC address of the data packet with the entries stored in the MAC address table FDB The device forwards packets with a k...

Page 454: ... In the VLAN ID field specify the ID of the VLAN In the Port list select the ports to which the device forwards data packets with the specified destination MAC address in the specified VLAN When you have defined a Unicast MAC address in the Address field select only one port When you have defined a Multicast MAC address in the Address field select one or more ports If you want the device to discar...

Page 455: ...uration mode of interface 1 1 no mac filter MAC address VLAN ID Cancel the assignment of the MAC address filter on the port exit Change to the Configuration mode no mac filter MAC address VLAN ID Deleting the MAC address filter consisting of a MAC address and VLAN ID exit Change to the Privileged EXEC mode save Save the settings in the non volatile memory nvm in the selected configuration profile ...

Page 456: ...3 IGMP Snooping describes the function of a switch of continuously monitoring IGMP traffic and optimizing its own transmission settings for this data traffic The IGMP Snooping function in the device operates according to RFC 4541 Considerations for Internet Group Management Protocol IGMP and Multicast Listener Discovery MLD Snooping Switches Multicast routers with an active IGMP function periodica...

Page 457: ...eceive query packets You also have the option of additionally sending known Multicast packets to query ports Setting IGMP snooping Perform the following steps Specifying the settings for a port Specifying the settings for a VLAN Open the Switching IGMP Snooping Global dialog To enable the function select the On radio button in the Operation frame When the IGMP Snooping function is disabled the dev...

Page 458: ...mann devices and configures the IGMP Snooping Querier function accordingly The ALA entry indicates that the Learn by LLDP function is activated When the device has found another Hirschmann device on this port in this VLAN the entry also displays an A automatic Forward All With this setting the device forwards the data packets addressed to a Multicast address to this port The setting is suitable in...

Page 459: ...ng protocols For each VLAN you specify the sending of Multicast packets to known Multicast addresses individually The following options can be selected The device forwards known Multicasts to the ports that have previously received query messages query ports and to the registered ports Registered ports are ports with Multicast receivers registered with the corresponding Multicast group This option...

Page 460: ...ckets to unknown Multicast addresses send to registered ports The device forwards packets with unknown Multicast address to every query port send to query and registered ports The device forwards packets with unknown Multicast address to every port In the Known multicasts column you specify how the device sends data packets to known Multicast addresses in the corresponding VLAN Click the relevant ...

Page 461: ... and Unicasts with an unknown destination address Limit the outbound data traffic instead of the inbound traffic The outbound rate limitation works better with TCP flow control due to device internal buffering of the data packets Increase the aging time for learned Unicast addresses Perform the following steps Open the Switching Rate Limiter dialog Activate the rate limiter and set limits for the ...

Page 462: ... traffic classification The device takes the following classification criteria into account Methods according to which the device carries out assignment of received data packets to traffic classes trustDot1p The device uses the priority of the data packet contained in the VLAN tag trustIpDscp The device uses the QoS information contained in the IP header ToS DiffServ untrusted The device ignores p...

Page 463: ...on using the following options trustDot1p The device assigns VLAN tagged data packets to the different traffic classes according to their VLAN priorities The corresponding allocation is configurable The device assigns the priority of the receiving port to data packets it receives without a VLAN tag trustIpDscp The device assigns the IP packets to the different traffic classes according to the DSCP...

Page 464: ...rvice The Type of Service field ToS in the IP header was already part of the IP protocol from the start and is used to differentiate different services in IP networks Even back then there were ideas about differentiated treatment of IP packets due to the limited bandwidth available and the unreliable connection paths Because of the continuous increase in the available bandwidth there was no need t...

Page 465: ...also called Weighted Round Robin WRR the user assigns a minimum or reserved bandwidth to each traffic class This helps ensure that data packets with a lower priority are also sent although the network is very busy The reserved values range from 0 through 100 of the available bandwidth in steps of 1 A reservation of 0 is equivalent to a no bandwidth setting The sum of the individual bandwidths can ...

Page 466: ... To activate Strict Priority for Traffic class 3 proceed as follows Mark the checkbox in the Strict priority column To activate Weighted Fair Queuing for Traffic class 4 proceed as follows Unmark the checkbox in the Strict priority column In the Min bandwidth column specify the value 10 To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change to t...

Page 467: ... QoS Priority Port Configuration dialog In the Port priority column you specify the priority with which the device forwards the data packets received on this port without a VLAN tag In the Trust mode column you specify the criteria the device uses to assign a traffic class to data packets received To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure ...

Page 468: ...untrusted Assigning the untrusted mode to the interface classofservice dot1p mapping 0 2 classofservice dot1p mapping 1 2 Assigning a VLAN priority of 0 to traffic class 2 Assigning a VLAN priority of 1 to traffic class 2 vlan priority 1 Specifying the value 1 for the port priority exit Change to the Configuration mode exit Change to the Privileged EXEC mode show classofservice trust Displaying th...

Page 469: ...ileged EXEC mode configure Change to the Configuration mode interface 1 1 Change to the interface configuration mode of interface 1 1 classofservice trust ip dscp Assigning the trust ip dscp mode globally exit Change to the Configuration mode show classofservice trust Displaying the Trust mode of the ports interfaces Interface Trust Mode 1 1 ip dscp 1 2 dot1p 1 3 dot1p 1 5 dot1p Open the Switching...

Page 470: ...d IPv4 Network Management VLAN priority 7 Open the Switching QoS Priority Global dialog In the IP DSCP value for management packets field specify the DSCP value with which the device sends management data packets To save the changes temporarily click the button enable Change to the Privileged EXEC mode network management priority ip dscp 56 Assigning the DSCP value of 56 to management packets The ...

Page 471: ...ations 1 2 and 3 want to simultaneously transmit a large amount of data to Workstation 4 The combined bandwidth of Workstations 1 2 and 3 is greater than the bandwidth of Workstation 4 This causes an overflow on the receive queue of port 4 The left funnel symbolizes this status When the flow control function on ports 1 2 and 3 of the device is enabled the device reacts before the funnel overflows ...

Page 472: ...following steps Note When you are using a redundancy function you deactivate the flow control on the participating ports If the flow control and the redundancy function are active at the same time it is possible that the redundancy function operates differently than intended Open the Switching Global dialog Mark the Flow control checkbox With this setting you enable flow control in the device Open...

Page 473: ...ally than cable connections The device supports independent VLAN learning in accordance with the IEEE 802 1Q standard which defines the VLAN function Using VLANs has many benefits The following list displays the top benefits Network load limiting VLANs reduce the network load considerably as the devices transmit Broadcast Multicast and Unicast packets with unknown unlearned destination addresses o...

Page 474: ...devices to a transmission device and assigned them to 2 VLANs This effectively prohibits any data transmission between the VLANs whose members communicate only within their own VLANs Figure 23 Example of a simple port based VLAN When setting up the VLANs you create communication rules for every port which you enter in ingress incoming and egress outgoing tables The ingress table specifies which VL...

Page 475: ...g displays the Create window In the VLAN ID field specify the value 2 Click the Ok button For the VLAN specify the name VLAN2 Double click in the Name column and specify the name For VLAN 1 in the Name column change the value Default to VLAN1 Repeat the previous steps to create a VLAN 3 with the name VLAN3 enable Change to the Privileged EXEC mode vlan database Change to the VLAN configuration mod...

Page 476: ... save the changes temporarily click the button Open the Switching VLAN Port dialog In the Port VLAN ID column specify the VLAN ID of the related VLAN 2 or 3 Because end devices usually interpret untagged data packets in the Acceptable packet types column you specify the value admitAll for end device ports To save the changes temporarily click the button The value in the Ingress filtering column ha...

Page 477: ...rt 1 3 becomes a member of the VLAN 3 and transmits the data packets without a VLAN tag vlan pvid 3 Assign the port VLAN ID 1 3 to port 3 exit Change to the Configuration mode interface 1 4 Change to the interface configuration mode of interface 1 4 vlan participation include 2 The port 1 4 becomes a member of the VLAN 2 and transmits the data packets without a VLAN tag vlan pvid 2 Assign the port...

Page 478: ...to the ingress and egress tables from example 1 Create new ingress and egress tables for the right switch as described in the first example The egress table specifies on which ports the device sends the packets from this VLAN T Tagged with a tag field marked U Untagged without a tag field unmarked In this example tagged packets are used in the communication between the transmission devices Uplink ...

Page 479: ...AN 2 and can thus communicate with each other The behavior is the same for the end devices on ports 2 and 3 of the left device and the end devices on ports 3 and 5 of the right device These belong to VLAN 3 The end devices see their respective part of the network Participants outside this VLAN cannot be reached The device also sends Broadcast Multicast and Unicast packets with unknown unlearned de...

Page 480: ...LAN specify the name VLAN2 Double click in the Name column and specify the name For VLAN 1 in the Name column change the value Default to VLAN1 Repeat the previous steps to create a VLAN 3 with the name VLAN3 enable Change to the Privileged EXEC mode vlan database Change to the VLAN configuration mode vlan add 2 Creates a new VLAN with the VLAN ID 2 name 2 VLAN2 Assign the name 2 to the VLAN VLAN2...

Page 481: ... uplink ports to evaluate VLAN tags on this port To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change to the Configuration mode interface 1 1 Change to the interface configuration mode of interface 1 1 vlan participation include 1 The port 1 1 becomes a member of the VLAN 1 and transmits the data packets without a VLAN tag vlan participation i...

Page 482: ...tag vlan pvid 2 Assigning the Port VLAN ID 2 to port 1 4 exit Change to the Configuration mode interface 1 5 Change to the interface configuration mode of interface 1 5 vlan participation include 3 The port 1 5 becomes a member of the VLAN 3 and transmits the data packets without a VLAN tag vlan pvid 3 Assigning the Port VLAN ID 3 to port 1 5 exit Change to the Configuration mode exit Change to th...

Page 483: ...wing the supplicants to access to external networks An Unauthenticated VLAN lets the device provide service to 802 1x capable supplicants which authenticate incorrectly This function lets the unauthorized supplicants have access to limited services If you configure an Unauthenticated VLAN on a port with 802 1x port authentication and the global operation enabled then the device places the port in ...

Page 484: ...ecurity 802 1X Port Authentication Port Configuration dialog Specify the following settings for port 1 4 The value auto in the Port control column The value 10 in the Guest VLAN ID column The value 20 in the Unauthenticated VLAN ID column To save the changes temporarily click the button enable Change to the Privileged EXEC mode vlan database Change to the VLAN configuration mode vlan add 10 Create...

Page 485: ...ADIUS VLAN ID attribute to be associated with an authenticated client When a client authenticates successfully and the RADIUS server sends a VLAN attribute the device associates the client with the RADIUS assigned VLAN As a result the device adds the physical port as an untagged member to the appropriate VLAN and sets the port VLAN ID PVID with the given value ...

Page 486: ...ing Voice VLAN interface modes are possible The first 3 methods segregate and prioritize voice and data traffic Traffic segregation results in an increased voice traffic quality during high traffic periods Configuring the port to using the vlan mode lets the device tag the voice data coming from a VoIP phone with the user defined voice VLAN ID The device assigns regular data to the default port VL...

Page 487: ... network administrator When the device forwards packets it uses VLAN tagging in combination with the IP or Ethernet address The device processes inbound and outbound packets according to the defined rules VLAN configuration is a manual process Use the VLAN unaware mode to forward traffic as received without any modification When the device receives packets as tagged it transmits tagged packets Whe...

Page 488: ...Redundancy protocols help ensure that the additional connections remain switched off while the original connection is still working When the connection fails the redundancy protocol generates a new path from the sender to the receiver via the alternative connection To introduce redundancy onto Layer 2 of a network you first define which network topology you require Depending on the network topolog...

Page 489: ...t the same time it is possible that the redundancy function operates differently than intended Table 25 Overview of redundancy protocols Redundancy protocol Network topology Comments MRP Ring The switching time can be selected and is practically independent of the number of devices An MRP Ring consists of up to 50 devices that support the MRP protocol according to IEC 62439 When you only use Hirsc...

Page 490: ...edundancies Table 26 Overview of redundancy protocols MRP RSTP Link Aggreg Link Backup Subring HIPER Ring MRP RSTP 1 Link Aggreg 2 2 Link Backup Subring 2 Symbol Meaning Combination applicable 1 Redundant coupling between these network topologies will possibly lead to data loops 2 Combination applicable on the same port ...

Page 491: ...ixed MRP redundant port Fixed Backup and the primary ring link fails the Ring Manager forwards data to the secondary ring link When the primary link is restored the secondary link continues to be in use 12 2 1 Network Structure The concept of ring redundancy lets you construct high availability ring shaped network structures With the help of the RM RingManager function the two ends of a backbone i...

Page 492: ...e setting up an MRP Ring verify that the following conditions are fulfilled All ring participants support MRP The ring participants are connected to each other via the ring ports Apart from the device s neighbors no other ring participants are connected to the respective device All ring participants support the configuration time specified in the Ring Manager There is exactly 1 Ring Manager in the...

Page 493: ... line The following example configuration describes the configuration of the Ring Manager device 1 You configure the 2 other devices 2 to 3 in the same way but without activating the Ring manager function This example does not use a VLAN You specify 200 ms as the ring recovery time Every device supports the advanced mode of the Ring Manager Set up the network to meet your demands Configure every p...

Page 494: ...ctive at the same time it is possible that the redundancy function operates differently than intended Default setting flow control deactivated globally and activated on every port Disable Spanning Tree on every device in the network Enable MRP on every device in the network In the Command Line Interface you first define an additional parameter the MRP domain ID Configure every ring participant wit...

Page 495: ...he ring is restored mark the Fixed backup checkbox Note When the device reverts back to the primary port the maximum ring recovery time can be exceeded When you unmark the Fixed backup checkbox and the ring is restored the Ring Manager blocks the secondary port and unblocks the primary port mrp domain modify port secondary 1 2 fixed backup enable Activates the Fixed backup function on the secondar...

Page 496: ...nnected No connection exists The Information field displays messages for the redundancy configuration and the possible causes of errors When the device is operating as a ring client or a Ring Manager the following messages are possible Redundancy available The redundancy is set up When a component of the ring is down the redundant line takes over its function Configuration error Error on ringport ...

Page 497: ...g egress rules in the Switching VLAN Configuration dialog If the MRP Ring is not assigned to a VLAN like in this example then leave the VLAN ID as 0 In the Switching VLAN Configuration dialog specify the VLAN membership as U untagged for the ring ports in VLAN 1 If the MRP Ring is assigned to a VLAN then enter a VLAN ID 0 In the Switching VLAN Configuration dialog specify the VLAN membership as T ...

Page 498: ...igure This is no longer acceptable in time sensitive applications RSTP achieves average reconfiguration times of less than a second When you use RSTP in a ring topology with 10 to 20 devices you can even achieve reconfiguration times in the order of milliseconds Note RSTP reduces a layer 2 network topology with redundant paths into a tree structure Spanning Tree that does not contain any more redu...

Page 499: ...a data path the tree structure is stabilized up to the maximum network size stabilization of the topology within a short time period topology can be specified and reproduced by the administrator transparency for the end devices low network load relative to the available transmission capacity due to the tree structure created Bridge parameters In the context of Spanning Tree each bridge and its con...

Page 500: ...ntifier for the port of this bridge The second higher value part is the port priority which is specified by the Administrator default value 128 It also applies here that the port with the smallest number for the port identifier has the highest priority Figure 33 Port Identifier Table 28 Recommended path costs for RSTP based on the data rate Data rate Recommended value Recommended range Possible ra...

Page 501: ...er that can be achieved 19 When you set the maximum value of 40 for MaxAge the maximum diameter that can be achieved 39 MaxAge Every STP BPDU contains a MessageAge counter When a bridge is passed through the counter increases by 1 Before forwarding a STP BPDU the bridge compares the MessageAge counter with the MaxAge value specified in the device When MessageAge MaxAge the bridge forwards the STP ...

Page 502: ...Bridge Protocol Data Unit to the other bridges The contents of a BPDU include Bridge identifier Root path costs Port identifier see IEEE 802 1D Setting up the tree structure The bridge with the smallest number for the bridge identifier is called the root bridge It is or will become the root of the tree structure The structure of the tree depends on the root path costs Spanning Tree selects the str...

Page 503: ... from the root uses the port identifier of the other bridge as the last criterion see figure 33 In the process the bridge blocks the port that leads to the port with the numerically higher ID a numerically higher ID is the logically worse one When 2 ports have the same priority the port with the higher port number has the numerically higher ID which is logically the worse one Figure 36 Flow diagra...

Page 504: ...dge 5 and bridge 3 creates the same root path costs as the path via bridge 4 and bridge 2 STP selects the path using the bridge that has the lowest MAC address in the bridge identification bridge 4 in the illustration There are also 2 paths between bridge 6 and bridge 4 The port identifier is decisive here Port 1 Port 3 Figure 37 Example of determining the root path Note When the current root brid...

Page 505: ... root bridge would mean higher path costs The path from bridge 6 to the root bridge is interesting The bridges select the path via bridge 5 because the value 28672 for the priority in the bridge identifier is smaller than value 32768 Figure 38 Example of manipulating the root path Example of manipulating the tree structure The Management Administrator soon discovers that this configuration with br...

Page 506: ...is the configuration shown here see figure 39 The path costs for most of the bridges to the root bridge have decreased Figure 39 Example of manipulating the tree structure 5 P BID 32768 7 P BID 32768 P BID 32768 3 P BID 32768 1 P BID 32768 2 P BID 16384 P BID 32768 6 4 Port 1 Port 2 Root Bridge MAC 00 01 02 03 04 06 MAC 00 01 02 03 04 05 Root path Interrupted path P BID Priority of the bridge iden...

Page 507: ... root designated bridge to decide which port it selects locally as the root port see figure 36 The root bridge itself does not have a root port Designated port The bridge in a network segment that has the lowest root path costs is the designated bridge When more than 1 bridge has the same root path costs the bridge with the smallest value bridge identifier becomes the designated bridge The designa...

Page 508: ...arning in FDB no data traffic except for STP BPDUs Port 1 Port 2 2 BID 20480 3 BID 24576 5 BID 32768 1 BID 16384 7 BID 40960 BID 28672 4 P BID Priority of the bridge identifikation BID BID without MAC Address Root path Interrupted path Root port Designated port Alternate port Backup port Edge port Table 29 Relationship between port state values for STP and RSTP STP port state Administrative bridge...

Page 509: ...e Hello Time to elapse When the user verifies that an end device is and remains connected to this port there are no waiting times at this port in the case of a reconfiguration Introduction of alternate ports As the port roles are already distributed in normal operation a bridge can immediately switch from the root port to the alternate port after the connection to the root bridge is lost Communica...

Page 510: ...es Define the settings for the device that takes over the role of the root bridge Open the Switching L2 Redundancy Spanning Tree Global dialog Enable the function To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change to the Configuration mode spanning tree operation Enables Spanning Tree show spanning tree global Displays the parameters for che...

Page 511: ... Time field Check the following values in the other devices Bridge ID bridge priority and MAC address of the corresponding device and the root bridge Number of the device port that leads to the root bridge Path cost from the root port of the device to the root bridge spanning tree forward time 4 30 Specifies the delay time for the status change in seconds spanning tree max age 6 40 Specifies the m...

Page 512: ...al device ports do not normally receive any STP BPDUs If an attacker still attempts to feed in STP BPDUs on this port then the device deactivates the device port Root Guard for designated ports You activate this protection function separately for every device port When a designated port receives an STP BPDU with better path information to the root bridge the device discards the STP BPDU and sets t...

Page 513: ...orts You activate this protection function separately for every device port If the port does not receive any more STP BPDUs then this protection function helps prevent the transmission status of a port from unintentionally being changed to forwarding If this situation occurs then the device designates the loop status of the port as inconsistent but does not forward any data packets Activating the ...

Page 514: ...uard Activate the device port again Open the Switching L2 Redundancy Spanning Tree Port dialog Switch to the CIST tab For end device ports mark the checkbox in the Admin edge portcolumn To save the changes temporarily click the button interface x y Change to the interface configuration mode of interface x y spanning tree edge port Designates the port as a terminal device port edge port show spanni...

Page 515: ... If you try to activate the Root guard function while the Loop guard function is active then the device deactivates the Loop guard function To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change to the Configuration mode interface x y Change to the interface configuration mode of interface x y spanning tree guard root Switches the Root Guard on ...

Page 516: ...on column the checkbox is unmarked In the Active ports min column the value is 1 12 5 1 Methods of Operation The device operates on the Single Switch method The Single Switch method provides you an inexpensive way to grow your network The single switch method states that you need 1 device on each side of a link to provide the physical ports The device balances the traffic load across the group mem...

Page 517: ...link aggregation group In the Port drop down list select the port 1 1 Click the Ok button Repeat the preceding steps and select the port 1 2 Click the Ok button To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change to the Configuration mode link aggregation add lag 1 Creates a Link Aggregation Group lag 1 link aggregation modify lag 1 addport 1...

Page 518: ... is disabled on the Link Backup ports 12 6 1 Fail Back Description Link Backup also lets you set up a Fail Back option When you activate the fail back function and the primary link returns to normal operation the device first blocks traffic on the backup port and then forwards traffic on the primary port This process helps protect the device from causing loops in the network When the primary port ...

Page 519: ... Fail back checkbox Set the fail back timer for the link backup pair enter 30 s in Fail back delay s To activate the link backup pair mark the Active checkbox To enable the function select the On radio button in the Operation frame enable Change to the Privileged EXEC mode configure Change to the Configuration mode interface 2 3 Change to the interface configuration mode of interface 2 3 link back...

Page 520: ...STP Note When you use the Ring Network Coupling protocol to couple a network to the main ring verify that the networks contain only Hirschmann devices Use the following table to select the FuseNet coupling protocol to be used in your network Explanation Main Ring Connected Network MRP RSTP HIPER ring MRP Sub Ring1 RSTP no suitable coupling protocol 1 with MRP configured on different VLANs ...

Page 521: ...cases are typically 100 ms 12 8 1 Subring description The subring concept lets you couple new network segments to suitable devices in an existing ring main ring The devices with which you couple the subring to the main ring are Subring Managers SRM Figure 43 Example of a subring structure blue ring Main ring orange ring Subring red line Redundant link SRM Subring Manager RM Ring Manager The Subrin...

Page 522: ... instances The Subring Manager is capable of managing up to 2 instances Figure 46 Special case a Subring Manager manages both ends of a subring on different ports Single Subring Manger Note In the previous examples the Subring Managers only couple subrings to existing main rings The Sub Ring function prohibits cascaded subrings for example coupling a new subring to another existing subring RM SRM ...

Page 523: ...to the existing devices of the main ring using the following configuration types Figure 47 Example of a subring structure orange line Main ring members in VLAN 1 black line Subring members in VLAN 2 orange dash line Main ring loop open black dash line Subring loop open red line Redundant link member in VLAN 1 SRM Subring Manager RM Ring Manager Proceed as follows to configure a subring Configure t...

Page 524: ...main ring devices For the devices participating in the subring use the step above and configure the 2 ring ports participating in the subring on the subring devices Assign the same MRP domain ID to the main ring and subring devices When you only use Hirschmann devices the default values suffice for the MRP domain ID Note The MRP domain is a sequence of 16 numbers in the range from 0 to 255 The def...

Page 525: ...ng with the subring ID 1 sub ring modify 1 port 1 3 Specify port 1 3 as subring port sub ring modify 1 name Test Assign the name Test to the subring 1 sub ring modify 1 mode manager Assign the manager mode to the subring 1 show sub ring ring Display the subrings state on this device show sub ring global Display the subring global state on this device Configure the 2nd Subring Manager in the same w...

Page 526: ...he device immediately reports unusual events which occur during normal operation to the network management station This is done by messages called SNMP traps that bypass the polling procedure polling means querying the data stations at regular intervals SNMP traps allow you to react quickly to unusual events Examples of such events are Hardware reset Changes to the configuration Segmentation of a ...

Page 527: ...eshold When the RMON input goes below its lower threshold this trap is sent hm2AgentPortSecurityViolat ion When a MAC address detected on this port does not match the current settings of the parameter hm2AgentPortSecurityEntry this trap is sent hm2DiagSelftestActionTrap When a self test for the four categories task resource software and hardware is performed according to the configured settings th...

Page 528: ... Status Configuration Device Status dialog Diagnostics Status Configuration Security Status dialog Diagnostics Status Configuration Signal Contact dialog Diagnostics Status Configuration MAC Notification dialog Diagnostics System IP Address Conflict Detection dialog Diagnostics System Selftest dialog Diagnostics Ports Port Monitor dialog 13 1 4 ICMP messaging The device lets you use the Internet C...

Page 529: ... least one port for this feature When the link is down you specify which ports the device signals in the Port tab of the Diagnostics Status Configuration Device Status dialog in the Propagate connection error row The removal of the external memory The configuration in the external memory is out of sync with the configuration in the device The removal of a module Select the corresponding entries to...

Page 530: ...tion mode device status trap When the device status changes send an SNMP trap device status monitor envm not in sync Monitors the configuration profiles in the device and in the external memory The Device status changes to error in the following situations The configuration profile only exists in the device The configuration profile in the device differs from the configuration profile in the exter...

Page 531: ...When you remove a module from the device the value in the Device status frame changes to error device status module 1 Monitors module 1 When you remove the module 1 from the device the value in the Device status frame changes to error Open the Diagnostics Status Configuration Device Status dialog Global tab For the Connection errors parameter mark the checkbox in the Monitor column Open the Diagno...

Page 532: ... Config GRS Release 8 0 09 2019 13 2 3 Displaying the Device Status Perform the following steps Open the Basic Settings System dialog show device status all In the EXEC Privilege mode Displays the device status and the setting for the device status determination ...

Page 533: ...ase security When active and the default passwords remain unchanged the device displays an alarm Min password length 8 Create passwords more than 8 characters long to maintain a high security posture When active the device monitors the Min password length setting Password policy settings deactivated The device monitors the settings located in the Device Security User Management dialog for password...

Page 534: ...to the Configuration mode security status monitor pwd change Monitors the password for the locally set up user accounts user and admin When the password for the user or admin user accounts is the default setting the value in the Security status frame changes to error security status monitor pwd min length Monitors the value specified in the Min password length policy When the value for the Min pas...

Page 535: ... external non volatile memory update security status monitor iec61850 mms enabled Monitors the IEC61850 MMS function When you enable the IEC61850 MMS function the value in the Security status frame changes to error security status trap When the device status changes it sends an SNMP trap Open the Diagnostics Status Configuration Security Status dialog Global tab For the Link interrupted on enabled...

Page 536: ...S Release 8 0 09 2019 13 3 3 Displaying the Security Status Perform the following steps Open the Basic Settings System dialog show security status all In the EXEC Privilege mode display the security status and the setting for the security status determination ...

Page 537: ...erruption In the default setting link monitoring is inactive The removal of the external memory The configuration in the external memory does not match the configuration in the device The removal of a module Select the corresponding entries to decide which events the device status includes Note With a non redundant voltage supply the device reports the absence of a supply voltage To disable this m...

Page 538: ...ode for signal contact 1 signal contact 1 state open Open signal contact 1 signal contact 1 state closed Close signal contact 1 Open the Diagnostics Status Configuration Signal Contact dialog Global tab To monitor the device functions using the signal contact in the Configuration frame specify the value Monitoring correct operation in the Mode field For the parameters to be monitored mark the chec...

Page 539: ...ations The configuration profile only exists in the device The configuration profile in the device differs from the configuration profile in the external memory signal contact 1 monitor power supply 1 Monitors the power supply unit 1 When the device has a detected power supply fault the signal contact opens signal contact 1 monitor module removal 1 Monitors module 1 When you remove module 1 from t...

Page 540: ...hich the Propagate connection error checkbox is active Ethernet module removal Enable this global function to monitor the removal of a module Also enable the individual module to monitor External memory not in sync with NVM The device monitors synchronization between the device configuration and the configuration stored on the ENVM External memory removed Enable this function to monitor the presen...

Page 541: ...ying the status of the ports Criterion Symbol Bandwidth of the port 10 Mbit s Port activated connection okay full duplex mode 100 Mbit s Port activated connection okay full duplex mode 1000 Mbit s Port activated connection okay full duplex mode Operating state Half duplex mode enabled See the Basic Settings Port dialog Configuration tab Automatic configuration checkbox Manual configuration field a...

Page 542: ...lot of CRC errors and the connection falls significantly below its nominal capacity The device lets you detect this situation and report it to the network management station In the process the device evaluates the error counters of the port in the context of the port settings Possible causes of port error events The following table lists the duplex operating modes for TX ports with the possible fa...

Page 543: ...Possible causes 1 marked Half duplex None OK 2 marked Half duplex Collisions OK 3 marked Half duplex Late Collisions Duplex problem detected Duplex problem EMI network extension 4 marked Half duplex CRC Error OK EMI 5 marked Full duplex None OK 6 marked Full duplex Collisions OK EMI 7 marked Full duplex Late Collisions OK EMI 8 marked Full duplex CRC Error OK EMI 9 unmarked Half duplex None OK 10 ...

Page 544: ... port after a user defined time When this function enables a port the device sends an SNMP trap with the port number but without a value for the Reason parameter The Auto Disable function serves the following purposes It assists the network administrator in port analysis It reduces the possibility that this port causes the network to be instable The Auto Disable function is available for the follo...

Page 545: ... due to detected threshold violations mark the checkbox in the CRC error column Open the Diagnostics Ports Port Monitor dialog Port tab Specify the delay time as 120 s in the Reset timer s column for the ports you want to enable Note The Reset item lets you enable the port before the time specified in the Reset timer s column counts down enable Change to the Privileged EXEC mode configure Change t...

Page 546: ... the SFP status The SFP status display lets you look at the current SFP module connections and their properties The properties include module type serial number of media module temperature in º C transmission power in mW receive power in mW Perform the following steps Open the Diagnostics Ports SFP dialog ...

Page 547: ...s VLAN ID of the port Auto negotiation status on the port Medium half full duplex setting and port speed setting Information about the VLANs installed in the device VLAN ID and VLAN name irrespective of whether the port is a VLAN participant A network management station can call up this information from devices with activated LLDP This information enables the network management station to map the ...

Page 548: ... The device supports the following TLV messages capabilities TLV Lets the LLDP MED endpoints determine the capabilities that the connected device supports and what capabilities the device has enabled Network policy TLV Lets both network connectivity devices and endpoints advertise VLAN configurations and associated attributes for the specific application on that port For example the device notifie...

Page 549: ...ation You have the option here to specify the magnitude of the loop effects that trigger the device to send a report BPDU frames sent from the designated port and received on either a different port of the same device or the same port within a short time is a typical effect of a loop Open the Switching L2 Redundancy Spanning Tree Port dialog CIST tab Check the value in the fields Port state and Po...

Page 550: ...e Download support information This button lets you download system information as a ZIP archive In service situations these reports provide the technician with the necessary information 13 11 1 Global settings Using this dialog you enable or disable where the device sends reports for example to a Console a Syslog Server or a connection to the Command Line Interface You also set at which severity ...

Page 551: ...o html systeminfo html systemlog html The device creates the file name of the ZIP archive automatically in the format IP_address _ system_name zip Perform the following steps Enable the Log SNMP get request function for the device in order to send SNMP Read requests as events to the Syslog server To enable the function select the On radio button in the SNMP logging frame Enable the Log SNMP set re...

Page 552: ...er Mark the checkbox in the Active column To enable the function select the On radio button in the Operation frame To save the changes temporarily click the button Open the Diagnostics Report Global dialog Enable the Log SNMP get request function for the device in order to send SNMP Read requests as events to the Syslog server To enable the function select the On radio button in the SNMP logging f...

Page 553: ... up to 8 Syslog servers to which the device sends Audit Trails No Server IP Port Max Severity Type Status 1 10 0 1 159 514 error systemlog active configure Change to the Configuration mode logging snmp requests get operation Logs SNMP GET requests logging snmp requests get severity 5 The value 5 specifies the severity level of the event that the device logs in case of SNMP GET requests The value 5...

Page 554: ... events locking a user after several unsuccessful login attempts User login either locally or remote using the Command Line Interface Manual user initiated logout Timed logout after a user defined period of inactivity in the Command Line Interface file transfer operation including a Firmware Update Configuration changes using HiDiscovery Automatic configuration or firmware updates using the extern...

Page 555: ...on a network A couple of reasons for sniffing traffic on a network is to verify connectivity between hosts or to analyze the traffic traversing the network TCPDump in the device provides the possibility to decode or capture packets received and transmitted by the Management CPU This function is available using the debug command Refer to the Command Line Interface reference manual for further infor...

Page 556: ...rt for example an RMON probe The function has no affect on the data traffic running on the source ports Figure 48 Example On the destination port the device only forwards the data packets copied from the source ports Before you switch on the Port Mirroring function mark the checkbox Allow management to access the device management via the destination port The device lets users access the device ma...

Page 557: ...fy the destination port In the Destination port frame select the desired port in the Primary port drop down list The drop down list only displays available ports Ports that are already specified as source ports are unavailable When needed specify a second destination port In the Destination port frame select the desired port in the Secondary port drop down list The prerequisite is that you have al...

Page 558: ...d action The following categories are available for configuration task Action to be taken in case a task is unsuccessful resource Action to be taken due to the lack of resources software Action taken for loss of software integrity for example code segment checksum or access violations hardware Action taken due to hardware degradation Configure each category to produce an action in case the device ...

Page 559: ...ile that you are loading differs from the password set in the device To have the device unlocked again contact your sales partner Open the Diagnostics System Selftest dialog In the Action column specify the action to perform for a cause To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change to the Configuration mode selftest action task log only...

Page 560: ...it The test interrupts traffic flow when in progress on this port The table displays the state and lengths of each individual pair The device returns a result with the following meaning normal indicates that the cable is operating properly open indicates an interruption in the cable short circuit indicates a short circuit in the cable untested indicates an untested cable Unknown cable unplugged ...

Page 561: ...create entries for either a port or a VLAN When creating an entry to assign an IP address to a VLAN the port entry grays out When creating an entry to assign an IP address to a port the VLAN entry grays out Static allocation means that the DHCP server assigns the same IP address to a specific client The DHCP server identifies the client using a unique hardware ID A static address entry contains 1 ...

Page 562: ...g For port 1 1 mark the checkbox in the DHCP server active column To enable the function select the On radio button in the Operation frame To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change to the Configuration mode dhcp server pool add 1 static 192 168 23 42 Creating an entry with index 1 and adding the IP address 192 168 23 42 to the stati...

Page 563: ...Global dialog For port 1 2 mark the checkbox in the DHCP server active column To enable the function select the On radio button in the Operation frame To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change to the Configuration mode dhcp server pool add 2 dynamic 192 198 23 92 192 168 23 142 Add a dynamic pool with an IP range from 192 168 23 92 ...

Page 564: ...3 Relay agent and DHCP server require to perform their roles in address and configuration assignment The following list contains the default settings for this function Global setting Active setting disable Interface settings Active setting disable Trusted Port disable VLAN settings Active setting disable Circuit ID enable Remote ID Type mac Remote ID blank 14 2 1 Circuit and Remote IDs Before forw...

Page 565: ...g Interface tab For port 1 1 specify the settings as follows Mark the checkbox in the Active column For port 1 2 specify the settings as follows Mark the checkbox in the Active column Mark the checkbox in the Trusted port column Open the Advanced DHCP L2 Relay Configuration dialog VLAN tab Specify the settings for VLAN 2 as follows Mark the checkbox in the Active column Mark the checkbox in the Ci...

Page 566: ... the DHCP L2 Relay function on the port exit Change to the Configuration mode interface 1 2 Change to the interface configuration mode of interface 1 2 dhcp l2relay trust Specify the port as Trusted port dhcp l2relay mode Activate the DHCP L2 Relay function on the port exit Change to the Configuration mode dhcp l2relay mode Enable the DHCP L2 Relay function in the device enable Change to the Privi...

Page 567: ...Attribute Registration Protocol GARP that provides a mechanism allowing network devices and end stations to dynamically register group membership The devices register group membership information with the devices attached to the same LAN segment The GARP function also lets the devices disseminate the information across the network devices that support extended filtering services Note Before you en...

Page 568: ... the GVRP function The device lets you exchange VLAN configuration information with other GVRP devices Perform the following steps Open the Switching GARP GVRP dialog To exchange VLAN configuration information with other GVRP devices mark checkbox in the GVRP active column for the port To save the changes temporarily click the button enable Change to the Privileged EXEC mode configure Change to th...

Page 569: ...ncodes and transmits the attributes to other participants in MRP Data Units MRPDU In the switch an MRP Attribute Propagation MAP component distributes the attributes to participating ports A participant exists for each MRP application and each LAN port For example a participant application exists on an end device and another application exists on a switch port The Applicant state machine records t...

Page 570: ...o reach Group member LANs Switches facilitate the group distribution mechanisms based on the Open Host Group concept receiving packets on the active ports and forwarding only to ports with group members This way any MMRP participants requiring packets transmitted to a particular group or groups requests membership in the group MAC service users send packets to a particular group from anywhere on t...

Page 571: ...ons of bandwidth consumption and convergence time in large VLAN networks Open the Switching MRP IEEE MMRP dialog Configuration tab To activate port 1 and port 2 as MMRP participants mark the checkbox in the MMRP column for port 1 and port 2 on switch 1 To activate port 3 and port 4 as MMRP participants mark the checkbox in the MMRP column for port 3 and port 4 on switch 2 To activate port 5 and po...

Page 572: ...P functions and ports on switches 2 3 and 4 Open the Switching MRP IEEE MVRP dialog Configuration tab To activate the ports 1 through 3 as MVRP participants mark the checkbox in the MVRP column for the ports 1 through 3 on switch 1 To activate the ports 2 through 4 as MVRP participants mark the checkbox in the MVRP column for the ports 2 through 4 on switch 2 To activate the ports 3 through 6 as M...

Page 573: ...on the port interface 1 2 Change to the interface configuration mode of interface 1 2 mrp ieee mvrp operation Enabling the MVRP function on the port exit Change to the Configuration mode mrp ieee mvrp periodic state machine Enabling the Periodic state machine function globally mrp ieee mvrp operation Enabling the MVRP function globally ...

Page 574: ...s and the communication properties have moved closer together The high bandwidths now available in Ethernet technology and the protocols they support enable large quantities to be transferred and exact transfer times to be specified With the creation of the first optical LAN to be active worldwide at the University of Stuttgart in 1984 Hirschmann laid the foundation for industry compatible office ...

Page 575: ...d with SCL are stored in the ICD file in the device 15 1 1 Switch model for IEC 61850 The Technical Report IEC 61850 90 4 specifies a bridge model The bridge model represents the functions of a switch as objects of an Intelligent Electronic Device IED An MMS client for example the control room software uses these objects to monitor and configure the device Figure 53 Bridge model based on Technical...

Page 576: ...em LN LCCF Channel Communication Filtering logical node Defines the VLAN and Multicast settings for the higher level Communication Channel LN LBSP Port Spanning Tree Protocol logical node Defines the Spanning Tree statuses and settings for the respective physical device port LN LPLD Port Layer Discovery logical node Defines the LLDP statuses and settings for the respective physical device port LN ...

Page 577: ... changes PhyHealth When the status of the LPHD TmpAlm RCB object changes the status changes LN LPHD TmpAlm When the temperature measured in the device exceeds or falls below the set temperature thresholds the status changes PwrSupAlm When 1 of the redundant power supplies fails or starts operating again the status changes PhyHealth When the status of the LPHD PwrSupAlm or LPHD TmpAlm RCB object ch...

Page 578: ...unavailable the server sends an Exception Response to notify the client of the error detected during the processing The Exception Response contains an exception code indicating the reason for the detected error Modbus TCP IP Confirmation the client receives a response from the server containing the requested information 15 2 2 Supported Functions and Memory Mapping The device supports functions wi...

Page 579: ...rt counters and retrieve specific information from the device registers Port Information Table 40 Port Information Address Qty Description MIn Max Step Unit Format 0400 1 Port 1 Type 0 6 1 F4 0401 1 Port 2 Type 0 6 1 F4 043F 1 Port 64 Type 0 6 1 F4 0440 1 Port 1 Link Status 0 1 1 F1 0441 1 Port 2 Link Status 0 1 1 F1 047F 1 Port 64 Link Status 0 1 1 F1 0480 1 Port 1 STP State 0 1 1 F1 0481 1 Port ...

Page 580: ...95 1 F9 0816 1 Port1 Number of jabber frames received 0 4294967295 1 F9 0818 1 Port1 Number of collisions occurred 0 4294967295 1 F9 081A 1 Port1 Number of late collisions occurred 0 4294967295 1 F9 081C 1 Port1 Number of 64 byte frames rcvd sent 0 4294967295 1 F9 081E 1 Port1 Number of 65 127 byte frames rcvd sent 0 4294967295 1 F9 0820 1 Port1 Number of 128 255 byte frames rcvd sent 0 4294967295...

Page 581: ...table entry click the button Specify the IP address range in Index row 2 enter 10 17 1 0 29 in the IP address range column Verify that the Modbus TCP function is enabled To activate the range mark the Active checkbox Open the Diagnostics Status Configuration Security Status dialog Global tab Verify that the Modbus TCP active checkbox is marked Open the Advanced Industrial Protocols Modbus TCP dial...

Page 582: ...onitor Display the security status settings Device Security Settings Monitor Password default settings unchanged monitored Write access using HiDiscovery is possible monitored Loading unencrypted configuration from ENVM monitored IEC 61850 MMS is enabled monitored Modbus TCP IP server active monitored show security status event Display occurred security status events Time stamp Event Info 2014 01 ...

Page 583: ...nt to purchase a license To install the DHCP servers on your PC put the product CD in the CD drive of your PC and under Additional Software select haneWIN DHCP Server To carry out the installation follow the installation assistant Start the haneWIN DHCP Server program Figure 55 Start window of the haneWIN DHCP Server program Note When Windows is activated the installation procedure includes a serv...

Page 584: ...r the configuration profiles select Options Configuration Profiles in the menu bar Specify the name for the new configuration profile Click the Add button Figure 57 Adding configuration profiles Specify the netmask Click the Apply button Figure 58 Netmask in the configuration profile Select the Boot tab Enter the IP address of your tftp server ...

Page 585: ...ftp server Add a profile for each device type When devices of the same type have different configurations you add a profile for each configuration To complete the addition of the configuration profiles click the OK button Figure 60 Managing configuration profiles To enter the static addresses in the main window click the Static button Figure 61 Static address input Click the Add button Figure 62 A...

Page 586: ...lease 8 0 09 2019 Enter the IP address of the device Select the configuration profile of the device Click the Apply button and then the OK button Figure 63 Entries for static addresses Add an entry for each device that will get its parameters from the DHCP server Figure 64 DHCP server with entries ...

Page 587: ...se To install the DHCP servers on your PC put the product CD in the CD drive of your PC and under Additional Software select haneWIN DHCP Server To carry out the installation follow the installation assistant Start the haneWIN DHCP Server program Figure 65 Start window of the haneWIN DHCP Server program Note When Windows is activated the installation procedure includes a service that is automatica...

Page 588: ...llowing form cicl hh vvvvssmmpprirlxxxxxxxxxxxx ci Sub identifier for the type of the Circuit ID cl Length of the Circuit ID hh Hirschmann identifier 01 when a Hirschmann device is connected to the port otherwise 00 vvvv VLAN ID of the DHCP request Default setting 0001 VLAN 1 ss Socket of device at which the module with that port is located to which the device is connected Specify the value 00 mm ...

Page 589: ... A 2 Setting up a DHCP server with Option 82 249 UM Config GRS Release 8 0 09 2019 Figure 70 Application example of using Option 82 PLC Switch Option 82 IP 192 168 112 100 IP 192 168 112 100 MAC 00 80 63 10 9a d7 DHCP Server IP 192 168 112 1 ...

Page 590: ...ice The device lets you generate the key directly in the device Perform the following steps Open the Device Security Management Access Server dialog SSH tab Disable the SSH server To disable the function select the Off radio button in the Operation frame To save the changes temporarily click the button To create a RSA key in the Signature frame click the Create button Enable the SSH server To enab...

Page 591: ... using SSH This program is provided on the product CD Perform the following steps Start the program by double clicking on it Open the Device Security Management Access Server dialog SSH tab Disable the SSH server To disable the function select the Off radio button in the Operation frame To save the changes temporarily click the button When the host key is located on your PC or on a network drive d...

Page 592: ...set up the data connection to your device Before the connection is established the PuTTY program displays a security alarm message and lets you check the key fingerprint Figure 72 Security alert prompt for the fingerprint Check the fingerprint of the key to help ensure that you have actually connected to the desired device When the fingerprint matches your key click the Yes button For experienced ...

Page 593: ...y Management Access Server dialog HTTPS tab Note Third party software such as web browsers validate certificates based on criteria such as their expiration date and current cryptographic parameter recommendations Old certificates can cause errors for example an expired certificate or cryptographic recommendations change To solve validation conflicts with third party software transfer your own up t...

Page 594: ...temporarily click the button Restart the HTTPS server to activate the key Restart the server using the Command Line Interface enable Change to the Privileged EXEC mode configure Change to the Configuration mode https certificate generate Generate a https X 509 PEM Certificate no https server Disable the HTTPS function https server Enable the HTTPS function Open the Device Security Management Acces...

Page 595: ...ocol and establishes a new data connection When the user logs out at the end of the session the device terminates the data connection Open the Device Security Management Access Server dialog HTTPS tab To enable the function select the On radio button in the Operation frame To access the device by HTTPS enter HTTPS instead of HTTP in your browser followed by the IP address of the device enable Chan...

Page 596: ...Literature references Optische Übertragungstechnik in industrieller Praxis Christoph Wrobel ed Hüthig Buch Verlag Heidelberg ISBN 3 7785 2262 0 Hirschmann Manual Basics of Industrial ETHERNET and TCP IP 280 710 834 TCP IP Illustrated Vol 1 W R Stevens Addison Wesley 1994 ISBN 0 201 63346 9 ...

Page 597: ... is continually working on improving and developing their software Check regularly whether there is an updated version of the software that provides you with additional benefits You find information and software downloads on the Hirschmann product pages on the Internet at www hirschmann com ...

Page 598: ... called generic object classes When this is required for unique identification the generic object classes are instantiated that means the abstract structure is mapped onto reality by specifying the port or the source address Values integers time ticks counters or octet strings are assigned to these instances these values can be read and in some cases modified The object description or object ID OI...

Page 599: ...1 1 2 1 returns the response 1 which means that the power supply is ready for operation Definition of the syntax terms used Integer An integer in the range 231 231 1 IP address xxx xxx xxx xxx xxx integer in the range 0 255 MAC address 12 digit hexadecimal number in accordance with ISO IEC 8802 3 Object Identifier x x x x for example 1 3 6 1 1 4 1 248 Octet String ASCII character string PSID Power...

Page 600: ... can be found on the product CD provided with the device 1 internet 1 iso 3 org 6 dod 2 mgmt 1 enterprises 248 hirschmann 4 private 3 modules 10 Framework 6 snmp V2 1 mib 2 4 ip 2 interfaces 1 system 5 icmp 6 tcp 7 udp 16 rmon 11 snmp 26 snmpDot3MauMGT 17 dot1dBridge 11 hm2Configuration 12 hm2Platform5 3 at 13 Notification 11 mpd 15 usm 16 vacm 12 Target ...

Page 601: ...06 Transport Mappings for SNMP v2 RFC 1945 HTTP 1 0 RFC 2068 HTTP 1 1 protocol as updated by draft ietf http v11 spec rev 03 RFC 2131 DHCP RFC 2132 DHCP Options RFC 2233 The Interfaces Group MIB using SMI v2 RFC 2236 IGMPv2 RFC 2246 The TLS Protocol Version 1 0 RFC 2346 AES Ciphersuites for Transport Layer Security RFC 2365 Administratively Scoped IP Multicast RFC 2578 SMIv2 RFC 2579 Textual Conve...

Page 602: ...Protocol SNMP RFC 3580 802 1X RADIUS Usage Guidelines RFC 3584 Coexistence between Version 1 Version 2 and Version 3 of the Internet standard Network Management Framework RFC 4022 Management Information Base for the Transmission Control Protocol TCP RFC 4113 Management Information Base for the User Datagram Protocol UDP RFC 4188 Definitions of Managed Objects for Bridges RFC 4251 SSH protocol arch...

Page 603: ...dards IEEE 802 1AB Station and Media Access Control Connectivity Discovery IEEE 802 1D MAC Bridges switching function IEEE 802 1Q Virtual LANs VLANs MRP Spanning Tree IEEE 802 1X Port Authentication IEEE 802 3 Ethernet IEEE 802 3ac VLAN Tagging IEEE 802 3x Flow Control IEEE 802 3af Power over Ethernet ...

Page 604: ...Appendix B 6 Underlying IEC Norms 264 UM Config GRS Release 8 0 09 2019 B 6 Underlying IEC Norms IEC 62439 High availability automation networks MRP Media Redundancy Protocol based on a ring topology ...

Page 605: ...Appendix B 7 Underlying ANSI Norms 265 UM Config GRS Release 8 0 09 2019 B 7 Underlying ANSI Norms ANSI TIA 1057 Link Layer Discovery Protocol for Media Endpoint Devices April 2006 ...

Page 606: ...dress entries MMRP 64 Number of priority queues 8 Queues Port priorities that can be set 0 7 MTU max length of packets 1518 Bytes VLAN VLAN ID range 1 4042 Number of VLANs max 128 simultaneously per device max 128 simultaneously per port Access Control Lists ACL Max number of ACLs 50 Max number of rules per port 18 Max number of rules per ACL 18 Number of total configurable rules 900 50x18 Max num...

Page 607: ...9 2019 B 9 Copyright of integrated Software The product contains among other things Open Source Software files developed by third parties and licensed under an Open Source Software license You can find the license terms in the Graphical User Interface in the Help Licenses dialog ...

Page 608: ...ent Protocol IP Internet Protocol LED Light Emitting Diode LLDP Link Layer Discovery Protocol MAC Media Access Control MIB Management Information Base MRP Media Redundancy Protocol NMS Network Management System PC Personal Computer QoS Quality of Service RFC Request For Comment RM Redundancy Manager RSTP Rapid Spanning Tree Protocol SCP Secure Copy SFP Small Form factor Pluggable SFTP SSH File Tra...

Page 609: ...ier 159 Bridge Protocol Data Unit 162 C CD ROM 243 247 CIDR 45 Classless inter domain routing 45 Closed circuit 197 Command Line Interface 16 Command tree 28 Compatibility STP 169 Configuration file 52 Configuration modifications 186 D Data traffic 99 Daylight saving time 108 Delay time MRP 152 Denial of Service 99 Denial of service 99 Designated bridge 167 Designated port 167 172 Destination tabl...

Page 610: ...ddress 43 I IANA 43 IAS 55 IEC 61850 235 IEEE 802 1X 55 IEEE MAC Adresse 207 IGMP snooping 116 Industrial HiVision 11 Instantiation 258 Integrated authentication server 55 IP address 43 47 52 IP header 122 124 ISO OSI layer model 45 L LACNIC 43 Leave message 116 Link Aggration 149 Link monitoring 189 197 Login page 15 Loop guard 173 175 M MAC address filter 113 MAC destination address 45 MaxAge 16...

Page 611: ...ect ID 258 OpenSSH Suite 19 Operation monitoring 197 Option 82 247 P Password 17 20 22 Path costs 160 162 Polling 186 Port Identifier 159 160 Port mirroring 216 Port number 160 Port priority 128 Port priority Spanning Tree 160 Port roles RSTP 167 Port State 168 Priority 124 Priority queue 125 Priority tagged frames 124 Privileged Exec mode 25 Protection functions guards 172 PuTTY 16 Q QoS 123 Quer...

Page 612: ...ot Bridge 162 Root guard 172 175 Root path 164 165 Root Path Cost 159 Root port 167 173 Router 43 RST BPDU 167 169 RSTP 170 S Secure shell 16 19 Segmentation 186 Serial interface 16 21 Service 210 Service Shell deactivation 38 Setting the time 107 SFP module 206 Signal contact 197 SNMP 186 SNMP trap 186 188 SNTP 106 Software version 81 SSH 16 19 Starting the graphical user interface 15 Store and f...

Page 613: ...Traffic class 125 128 Training courses 274 Transmission reliability 186 Trap 186 188 Trap destination table 186 Tree structure Spanning Tree 162 165 Type of Service 124 U Update 40 User Exec mode 25 User name 17 20 22 V Video 125 VLAN 133 VLAN priority 127 VLAN tag 124 133 VoIP 125 VT100 22 W Weighted Fair Queuing 125 Weighted Round Robin 125 ...

Page 614: ...cts are available at doc hirschmann com Hirschmann Competence Center The Hirschmann Competence Center is ahead of its competitors on three counts with its complete range of innovative services Consulting incorporates comprehensive technical advice from system evaluation through network planning to project planning Training offers you an introduction to the basics product briefing and user training...

Page 615: ...duct Your comments and suggestions help us to further improve the quality of our documentation Your assessment of this manual Did you discover any errors in this manual If so on what page Suggestions for improvement and additional information Very Good Good Satisfactory Mediocre Poor Precise description O O O O O Readability O O O O O Understandability O O O O O Examples O O O O O Structure O O O ...

Page 616: ...r Please fill out and return this page as a fax to the number 49 0 7127 14 1600 or per mail to Hirschmann Automation and Control GmbH Department 01RD NT Stuttgarter Str 45 51 72654 Neckartenzlingen Germany Company Department Name Telephone number Street Zip code City E mail Date Signature ...

Page 617: ...Readers Comments 277 UM Config GRS Release 8 0 09 2019 ...

Page 618: ......

Page 619: ......

Search results

Summary of Contents for GREYHOUND GRS1020

Reviews:

Related manuals for GREYHOUND GRS1020

Brands by name

Popular brands

Hirschmann GREYHOUND GRS1020, Reference Manual

Search results

Summary of Contents for GREYHOUND GRS1020

Reviews:

Related manuals for GREYHOUND GRS1020

Brands by name

Popular brands